Types of Controls & Considerations
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series explores the internal control landscape that every IS auditor must understand. It covers how controls are defined, how they are grouped by method and by purpose, how they live inside business applications, and how they connect directly back to risk.
What this episode covers
- Internal controls defined: the mix of policies, procedures, and structures that reduce risk and give management reasonable assurance that objectives will be met.
- Control objectives and measures: how a stated desired result translates into an activity assigned to a specific role.
- Controls by method: managerial, technical (logical), and physical controls, and why a balanced mix across all three is essential.
- Controls by purpose: preventive, deterrent, detective, corrective, and compensating, and which is considered the strongest.
- Application-level controls: how controls are built into modern systems and evaluated at the process and task level.
- Compensating controls: when and how an alternative control can substitute for an ideal one that cannot be implemented.
- Evaluating the control environment: the auditor's independent judgment of whether controls meet their objectives, supplemented by management's own monitoring.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What are the three methods used to classify internal controls?
Internal controls are classified as managerial (administrative controls such as policies, procedures, training, and compliance reporting), technical (also called logical controls, implemented through technology such as firewalls, intrusion detection, and passwords), or physical (controls that physically limit access to buildings or devices, such as access badges and locks).
What are the five control types classified by purpose?
The five purpose-based types are preventive (stops a violation before it happens), deterrent (warns people off an attempt), detective (signals that something happened without blocking it), corrective (fixes damage once a problem is found), and compensating (offsets a weakness that cannot be fixed directly). Preventive controls are generally considered the strongest because they stop the threat before it occurs.
What is a compensating control, and when is one used?
A compensating control is used when a technical or business limitation prevents implementing the ideal control. It must achieve the same protective result as the original control it replaces; for example, isolating a vulnerable system behind strong perimeter defences when the system itself cannot be patched.
How do controls connect back to risk?
Risk is addressed through controls, and every control earns its place by the risk it counters; the relationship is direct and two-way. Management must document and implement controls based on its risk assessment; if residual risk still exceeds tolerance, additional controls must be added or a compensating control must achieve the same protective result.
Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Types of Controls & Considerations.