What is meant by control?

An approach to testing complex systems

Management and knowledge

Internal control

By Berthold Weghaus, Essen

The development in the field of document management systems tends towards more and more efficient and complexly organized systems. This means that auditors, auditors and controlling departments are increasingly confronted with the verifiability and ongoing controllability of such systems. The following article presents a basic audit concept with the components process documentation, internal control system and audit techniques.

The most important components of open systems can be characterized by the flow of the considered flow variables through a system (see Fig. 1). The flow variables flow into a system under consideration (input), are then processed (process) and then leave the system again (output). A control mechanism (control), which is the subject of cybernetics1, is intended to ensure through regulatory interventions that the system works according to the objectives [Föll, Lüsch, Unbe].

Fig. 1: Components of open systems (representation according to DIN 66001)

The term information is only precisely defined with the aid of the terms "data" and "messages". An information system can thus also be understood as an ordered network of elements that exchange information with one another based on formalized communication processes.

Regulatory mechanisms in the information system

In order to find an approach to how control mechanisms work in open information systems, cybernetics with its independently operating regulation and feedback mechanisms must be used again (see Fig. 2).

Figure 2: Basic model of a control loop Information systems can now be described as a single higher-level control loop.

The operational sequence of the so-called control loops should generally ensure that the system to be controlled reaches a desired target value (reference variable w). For this purpose, the controller R acts on the process to be controlled (controlled system S) via a manipulated variable y; however, this process is also subject to the disturbance variable z. The actual state of the controlled system S is communicated by the controller R via the controlled variable x. If the controller now determines that there are deviations e = w-x between the controlled variable x and the reference variable w, it has a corrective effect on the process via the manipulated variable y.

Examination and control

Since there is no uniform definition of the term examination in the theoretical examination literature, "examination" is defined as follows: Examination is:

  • a process-independent person ("neutral third party") ascertaining the actual status of a certain monitored or test object,
  • Deriving a system of specific target values ​​as a yardstick (test standards or criteria) for a subsequent target / actual comparison,
  • Transformation of the deviations determined during the comparison, depending on their significance, into a judgment (e.g. "test report") and notification (e.g. "certification certificate") of the judgment to the intended addressees.

In addition, the term audit must be distinguished from the two terms "control" and "internal control system". Controls are all those measures that are directly built into the operational processes, i.e. process-dependent or accompanying processes, which not only provide information about the existence of target-actual deviations, but also independently trigger corrective measures and thus correct the consequences of incorrect developments or even of can avoid in advance.

The decisive difference between testing and control is that controls take place during the process and that they do not end with the issuing of judgments about determined deviations from target and actual values. Based on the definition of the test, the control process can be expanded to include the phase of initiating corrective measures, with the additional difference, however, that tests are process-independent and controls are process-dependent, i.e. parallel to the controlling operational processes. The test, on the other hand, is primarily a snapshot.

Internal control system

If controls are coordinated with one another for a large number of operational processes, i.e. if different controls have relationships with one another, then the entirety of these controls can also be referred to as a control system. Since this always refers to internal controls, the term "internal control system" based on the term "internal control", which is commonly used in the USA, has become generally accepted in the literature.

A more detailed description of the tasks of an internal control system is provided by the definition of "Internal Control" in the Statement on Auditing Standards (SAS) No. 1 of the American Institute of Certified Public Accountants (AICPA). Accordingly, an internal control system is understood to mean the entirety of all coordinated internal measures and methods that serve to:

  • to protect the assets against losses,
  • to ensure the accuracy and reliability of the (billing) data,
  • to increase operational efficiency and
  • to support compliance with the prescribed business policy.

Since this description of tasks goes beyond the scope of corporate accounting, the AICPA divides the internal control system again into the two blocks "Accounting Controls" (areas of responsibility of the first two mirror points) and "Administrative Controls" (areas of responsibility of the other two). If the term internal control system is used in the further course of this article, it should always refer only to the areas of responsibility of the first two, whereby the focus will be on the second task complex (ensuring the accuracy and reliability of the (accounting) data).

In this context, it is still necessary to draw a distinction between internal control and internal auditing. Although the literature predominantly takes the view that the internal audit is part of the internal control system, the two forms of monitoring are to be strictly separated in the following in accordance with the previous definitions. On the one hand, they clearly differ from one another through the criterion of process independence, which has already been highlighted as an essential feature for differentiating between the terms test and control; On the other hand, it is precisely one of the tasks of the internal auditing department to check the functionality of the internal control system, which would amount to a self-examination if the internal auditing department was part of internal control.

Representation of an overall monitoring system

The three central forms of monitoring operational processes - the internal audit, the internal control system and the external audit of the annual financial statements - as an audit carried out by persons outside the company on a private basis and based on statutory audit standards, should finally be represented as monitoring systems with the help of control loop analogies.

On the basis of the above basic considerations, a distinction can be made between three basic types of monitoring systems to which specific operational forms of monitoring can be assigned; They are briefly described in the following, in order to finally be able to derive the model of an overall operational monitoring system using the example of a safety management system from these three basic types [Zille].

Type 1 monitoring system:
Internal control system

Type 1 shown in Figure 3 represents the simplest form of a monitoring system and represents a mere interpretation of the basic model of a control loop shown in Figure 2. The controlled system corresponds to the monitored object, the manipulated variable corresponds to the decisions that control the monitored object, and information about the actual Status of the monitored object to the monitoring instance (controller); In the end, system-internal specified target standards function as a reference variable and all influences on the monitored object that cannot be controlled by the controller as a disturbance variable.

Figure 3: Type 1 surveillance system

This monitoring system is characterized by the identity of review and decision-making bodies, i. In other words, the target / actual comparisons as well as the corrective decisions required in the event of discrepancies are taken from the same point. This monitoring instance thus fulfills all the described characteristics of a control, so that this type 1 monitoring system corresponds to the definition of an internal control system.

Type 2 monitoring system: internal audit

A type 2 monitoring system differs from type 1 essentially in that the monitoring instance is now split up into a review and decision-making body. The auditing body is organizationally subordinate to the decision-making body and receives target norms for carrying out target / actual comparisons, which are derived from a defined system-internal overall objective; Determined target / actual deviations are communicated to the decision-making authority as a review judgment, which can then exert a corrective influence on the monitored object. An internal audit department assigned directly to the company management as an auditing body represents the typical case of such a type 2 monitoring system shown in Figure 4.

Figure 4: Type 2 surveillance system

Type 3 monitoring system: annual audit

The third type of possible monitoring system is based on the organizational separation of the monitoring function into an auditing and decision-making body, but also removes the audit tasks from the sphere of influence of the internal company bodies making the corrective decisions. This is done by locating the auditing body outside of the system to be monitored, carrying out audits on the basis of externally specified target standards and reporting the results to the decision-making body in the form of an audit opinion.

Figure 5: Type 3 surveillance system

Such a type of monitoring, as it presents itself, for example, in the form of an annual audit, primarily serves an independent audit in the interest of those persons who cannot exert any direct influence on the monitored object itself.

Building on the described control loop analogies, a model can now be derived which represents a monitoring system that encompasses all three types and thus, in relation to operational applications, the internal control system (type 1), the internal audit (type 2) and the annual financial statement audit (type 3) involves. Figure 6 shows the corresponding control loop model graphically.

Figure 6: Model of an overall monitoring system

The model is taken up in connection with the TÜViT acceptance of safety management systems (SMS), to be characterized in more detail below, and discussed with regard to its elements and the possible relationships between the various monitoring bodies.

Mapping to a safety management system (SMS)

The entirety of all safety-related activities and goals planned, carried out and controlled by company management is referred to below as safety management (SM).

From a management point of view, the conception and implementation of security measures lead to the achievement and maintenance of an appropriate security level in the provision of services. The possible consequences of the loss of security make the following management tasks obvious [Idw]:

  • Defining IT security goals, strategies and policies, taking legal and business aspects into account;
  • Analyzing the security requirements;
  • Identify threats and analyze risks;
  • Specifying measures;
  • Implementation of security measures;
  • Developing awareness and training programs;
  • Checking as well as maintaining and maintaining security measures;
  • Detecting and resolving incidents.

The security policy, understood as comprehensive intentions and objectives for security, is implemented through security management.

The security concept describes the necessary and sufficient security measures in terms of security policy. It must also contain a description of the process organization of the activity and an overview of the technical components used. The security concept also includes a description of the specific threats and risks in the company.

From the point of view of security, it is crucial that the measures outlined are appropriate, clearly justified and implemented as described. In addition, information is required on how this implementation is achieved and maintained during ongoing operations. The organizational structures, procedures, processes and resources required to implement security management form the security management system (SMS, see Figure 7).

Figure 7: Model of an overall operational monitoring system for safety management

Extended focus

Thus, the focus of the consideration of the security concept is extended to the security management system. The security concept is accordingly a means of security management for the implementation of the security policy, whereby the security management makes use of the security management system for this purpose. The security concept therefore plays a central role. It not only serves to explain the security measures, but also to justify them in a comprehensible and traceable manner. In addition, as a system description, it represents the basis for checking the system implementation.


Based on and analogous to the qualification of an ICS, an SMS can also be validated by a "neutral third party". On the basis of the necessary procedural documentation [Kam1, Kam2]. a test statement about the SMS can be determined by means of a system-technical qualification (system test) on the basis of defined criteria.

Thus, the audit goals or audit goals correctness, (functional) safety, economic efficiency, quality (and legal) of the SMS can be determined.

Dipl.-Ing. Berthold Weghaus is responsible for information security at TÜV Informationstechnik GmbH. He is Deputy Head of Information Security and Head of the Testing Center for "Electronic Payment Transactions".


"Control engineering - introduction to the methods and their application"; Otto Foellinger; Dr. A. Hüthig Verlag, Heidelberg 1985, ISBN 3-7785.1137-8
"Principles for Correct Data Processing (GoDV)"; IT revision manual; 5th revised and considerably expanded edition; Rainer Schuppenhauer; IDW-Verlag GmbH, Düsseldorf 1998
"Principles of Electronic Archiving"; Code of Practice for audit-proof archiving; Second revised and expanded edition; Dr. Ulrich Kampffmeyer, Jörg Rogalla; VOI Association of Optical Information Systems e.V .; VOI series of publications Compendium Volume 3; 1997
"Principles of procedural documentation according to GoBS"; Code of Practice for audit-proof archiving; First edition; Karl-Georg Henstorf, Dr. Ulrich Kampffmeyer, Jan Prochnow; VOI Association of Optical Information Systems e.V .; VOI series of publications Compendium Volume 4; 1999
Edgar Lüscher; "Piper's Book of Modern Physics"; R. Piper & Co. Verlag; Munich 1978, ISBN 3-492-02241-3
Prof. Dr.-Ing. Rolf Unbehauen; "Systems Theory - A Representation for Engineers"; R. Oldenbourg Verlag, Munich 1983, ISBN 3-486-38454-6
Dr. W. Zillessen; "System auditing of database-supported information systems - basics for system documentation, internal control system and computer-based auditing techniques from the perspective of the annual audit under stock corporation law"; Erich Schmidt Verlag, Berlin 1985, ISBN 3-503-02475-1

© SecuMedia-Verlags-GmbH, D-55205 Ingelheim,
KES 3/2000, page 75

Back to content