What is meant by control?
An approach to testing complex systems
Management and knowledge
By Berthold Weghaus, Essen
Development in the field of document management systems tends towards ever more efficient and more complexly organized systems. As a result, auditors, internal auditors and controlling departments are increasingly confronted with the question of the auditability and ongoing controllability of such systems. The following article presents a basic audit concept with the components process documentation, internal control system and audit techniques.
The essential components of open systems can be characterized by the flow of the variables under consideration through a system (see Figure 1). These flow variables enter the system under consideration (input), are then processed (process) and finally leave the system again (output). A control mechanism (control), which is the subject of cybernetics, is intended to ensure through regulating interventions that the system operates according to its objectives [Föll, Lüsch, Unbe].
Figure 1: Components of open systems (representation according to DIN 66001)
The term "information" is only precisely defined with the aid of the terms "data" and "message". An information system can thus also be understood as an ordered network of elements that exchange information with one another on the basis of formalized communication processes.
Regulatory mechanisms in the information system
In order to find an approach to how control mechanisms work in open information systems, cybernetics, with its independently operating regulation and feedback mechanisms, must be drawn on again (see Figure 2).
Figure 2: Basic model of a control loop
Information systems can now be described as a single higher-level control loop.
The operational sequence of a control loop is generally intended to ensure that the system to be controlled reaches a desired target value (reference variable w). For this purpose, the controller R acts on the process to be controlled (controlled system S) via a manipulated variable y; this process is, however, also subject to the disturbance variable z. The actual state of the controlled system S is reported back to the controller R via the controlled variable x. If the controller determines a deviation e = w - x between the reference variable w and the controlled variable x, it acts correctively on the process via the manipulated variable y.
Audit and control
Since the auditing literature offers no uniform definition of the term "audit", it is defined here as follows. An audit is:
- a process-independent person ("neutral third party") ascertaining the actual status of a particular monitored or audited object,
- deriving a system of specific target values as a yardstick (audit standards or criteria) for a subsequent target/actual comparison,
- transforming the deviations found in that comparison, according to their significance, into a judgement (e.g. "audit report") and communicating the judgement (e.g. "certificate") to the intended addressees.
In addition, the term audit must be distinguished from the two terms "control" and "internal control system". Controls are all those measures that are built directly into the operational processes, i.e. that are process-dependent or process-accompanying, and that not only provide information about the existence of target/actual deviations but also independently trigger corrective measures, thereby correcting the consequences of undesirable developments or even preventing them in advance.
The decisive difference between audit and control is that controls take place during the process and do not end with the issuing of a judgement about the target/actual deviations found. Starting from the definition of an audit, the control process is extended by the phase of initiating corrective measures, with the further difference that audits are process-independent while controls are process-dependent, i.e. they run parallel to the operational processes they control. An audit, by contrast, is primarily a snapshot.
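To make the control loop of Figure 2 and the audit/control distinction above concrete, here is an added Python example that is not part of the original article: it models the loop with the article's symbols w, x, y, z and e = w - x, runs a process-dependent control in every period and then takes process-independent audit snapshots. The proportional controller, the constructed disturbance sequence and the audit tolerance are assumptions.

```python
"""Discrete-time model of the control loop in Figure 2, using the article's
symbols: reference variable w, controlled variable x, manipulated variable y,
disturbance variable z and deviation e = w - x. The scenario, the proportional
controller and the audit tolerance are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class ControlledSystem:
    """Controlled system S (the monitored object): its actual state x is
    moved by the manipulated variable y and by the disturbance z."""
    x: float

    def step(self, y: float, z: float) -> float:
        self.x += y + z
        return self.x

def control_loop(w, x0, disturbances, gain=0.5):
    """Process-dependent control (type 1 monitoring system): in every period
    the controller R reads x, forms e = w - x and immediately corrects via
    y = gain * e. With gain=0 the loop is open and the system drifts."""
    s = ControlledSystem(x0)
    history = []
    for z in disturbances:
        e = w - s.x          # target/actual comparison
        y = gain * e         # corrective intervention
        history.append(round(s.step(y, z), 3))
    return history

def audit(w, x, tolerance):
    """Process-independent audit: a snapshot target/actual comparison against
    a given standard that ends in a judgement and triggers no correction."""
    e = w - x
    judgement = "no finding" if abs(e) <= tolerance else "deviation"
    return {"w": w, "x": x, "e": round(e, 3), "judgement": judgement}

def snapshot_audits(history, w, tolerance, periods):
    """Audits sampled at selected periods (1-based): the verdict depends on
    when the snapshot is taken, whereas the control acted in every period."""
    return {p: audit(w, history[p - 1], tolerance)["judgement"] for p in periods}

if __name__ == "__main__":
    z = [0, 2, 0, 0, -1, 0]   # constructed: shock +2 in period 2, -1 in period 5
    print("with control:   ", control_loop(10, 10, z))
    print("without control:", control_loop(10, 10, z, gain=0))
    print(snapshot_audits(control_loop(10, 10, z), 10, 0.5, [2, 6]))
```

Running the block shows the controlled state being pulled back towards w after each shock, while an audit in period 2 reports a deviation and one in period 6 reports none.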
Internal control system
If controls are coordinated with one another across a large number of operational processes, i.e. if the individual controls stand in relationships with one another, the entirety of these controls can also be referred to as a control system. Since this always refers to internal controls, the term "internal control system", derived from the term "internal control" commonly used in the USA, has become generally accepted in the literature.
A more detailed description of the tasks of an internal control system is provided by the definition of "Internal Control" in the Statement on Auditing Standards (SAS) No. 1 of the American Institute of Certified Public Accountants (AICPA). Accordingly, an internal control system is understood to mean the entirety of all coordinated internal measures and methods that serve:
- to protect the assets against losses,
- to ensure the accuracy and reliability of the (accounting) data,
- to increase operational efficiency and
- to support compliance with the prescribed business policy.
Since this description of tasks goes beyond the scope of corporate accounting, the AICPA further divides the internal control system into the two blocks "accounting controls" (the areas of responsibility of the first two bullet points) and "administrative controls" (those of the other two). Where the term internal control system is used in the remainder of this article, it always refers only to the areas of responsibility of the first two, with the focus on the second task complex (ensuring the accuracy and reliability of the accounting data).
In this context, a distinction must also be drawn between internal control and internal auditing. Although the literature predominantly takes the view that internal auditing is part of the internal control system, the two forms of monitoring are strictly separated in what follows, in accordance with the definitions above. On the one hand, they clearly differ through the criterion of process independence, already highlighted as the essential feature distinguishing audit from control; on the other hand, it is precisely one of the tasks of the internal audit department to check the functioning of the internal control system, which would amount to a self-audit if the internal audit department were part of internal control.
Representation of an overall monitoring system
The three central forms of monitoring operational processes, namely the internal control system, the internal audit and the external audit of the annual financial statements (an audit carried out by persons outside the company, on a private-law basis and against statutory audit standards), will finally be represented as monitoring systems with the help of control loop analogies.
On the basis of the above considerations, three basic types of monitoring systems can be distinguished, to which specific operational forms of monitoring can be assigned; they are briefly described below in order finally to derive from these three basic types the model of an overall operational monitoring system, using the example of a security management system [Zille].
Type 1 monitoring system: internal control system
Type 1, shown in Figure 3, represents the simplest form of a monitoring system and is a direct interpretation of the basic control loop model of Figure 2. The controlled system corresponds to the monitored object, the manipulated variable to the decisions that steer the monitored object, and the controlled variable to the information about the actual status of the monitored object that flows to the monitoring instance (controller); finally, system-internally specified target standards act as the reference variable, and all influences on the monitored object that the controller cannot control act as the disturbance variable.
Figure 3: Type 1 monitoring system
This monitoring system is characterized by the identity of the reviewing and decision-making bodies, i.e. both the target/actual comparisons and the corrective decisions required in the event of deviations are made by the same body. This monitoring instance thus fulfils all the characteristics of a control described above, so that the type 1 monitoring system corresponds to the definition of an internal control system.
Type 2 monitoring system: internal audit
A type 2 monitoring system differs from type 1 essentially in that the monitoring instance is now split into a reviewing body and a decision-making body. The reviewing body is organizationally subordinate to the decision-making body and receives from it target norms for carrying out target/actual comparisons, which are derived from a defined system-internal overall objective; target/actual deviations found are communicated to the decision-making body as an audit judgement, which can then exert a corrective influence on the monitored object. An internal audit department reporting directly to company management as the reviewing body is the typical case of such a type 2 monitoring system, shown in Figure 4.
Figure 4: Type 2 monitoring system
Type 3 monitoring system: annual audit
The third type of monitoring system likewise builds on the organizational separation of the monitoring function into a reviewing and a decision-making body, but additionally removes the audit tasks from the sphere of influence of the internal company bodies that make the corrective decisions. This is done by locating the reviewing body outside the system to be monitored, carrying out audits on the basis of externally specified target standards and reporting the results to the decision-making body in the form of an audit opinion.
Figure 5: Type 3 monitoring system
Such a type of monitoring, as found for example in the annual financial statement audit, primarily serves an independent audit in the interest of those persons who cannot exert any direct influence on the monitored object themselves.
Building on the control loop analogies described, a model can now be derived that represents a monitoring system encompassing all three types and thus, with regard to operational application, involves the internal control system (type 1), the internal audit (type 2) and the annual financial statement audit (type 3). Figure 6 shows the corresponding control loop model graphically.
Figure 6: Model of an overall monitoring system
This model is taken up below in connection with the TÜViT acceptance of security management systems (SMS), which are characterized in more detail there, and discussed with regard to its elements and the possible relationships between the various monitoring bodies.
Mapping to a security management system (SMS)
The entirety of all security-related activities and goals planned, carried out and controlled by company management is referred to below as security management (SM).
From a management point of view, the conception and implementation of security measures lead to achieving and maintaining an appropriate security level in the provision of services. The possible consequences of a loss of security make the following management tasks obvious [Idw]:
- defining IT security goals, strategies and policies, taking legal and business aspects into account;
- analyzing the security requirements;
- identifying threats and analyzing risks;
- specifying measures;
- implementing security measures;
- developing awareness and training programs;
- checking as well as maintaining and servicing security measures;
- detecting and resolving incidents.
The security policy, understood as comprehensive intentions and objectives for security, is implemented through security management.
The security concept describes the necessary and sufficient security measures in terms of security policy. It must also contain a description of the process organization of the activity and an overview of the technical components used. The security concept also includes a description of the specific threats and risks in the company.
From the point of view of security, it is crucial that the measures outlined are appropriate, clearly justified and implemented as described. In addition, information is required on how this implementation is achieved and maintained during ongoing operations. The organizational structures, procedures, processes and resources required to implement security management form the security management system (SMS, see Figure 7).
Figure 7: Model of an overall operational monitoring system for security management
The focus of consideration thus extends from the security concept to the security management system. The security concept is accordingly a means by which security management implements the security policy, with security management making use of the security management system for this purpose. The security concept therefore plays a central role: it not only serves to explain the security measures but also to justify them comprehensibly and traceably. In addition, as a system description, it forms the basis for checking the implementation of the system.
Based on and analogous to the qualification of an ICS, an SMS can also be validated by a "neutral third party". On the basis of the necessary procedural documentation [Kam1, Kam2], an audit statement about the SMS can be determined by means of a system-technical qualification (system audit) against defined criteria.
In this way the audit objectives of correctness, (functional) security, economic efficiency, quality (and legality) of the SMS can be assessed.
Dipl.-Ing. Berthold Weghaus is responsible for information security at TÜV Informationstechnik GmbH. He is Deputy Head of Information Security and Head of the Testing Center for "Electronic Payment Transactions".
- [Föll] Otto Föllinger: "Control engineering - introduction to the methods and their application"; Dr. A. Hüthig Verlag, Heidelberg 1985, ISBN 3-7785.1137-8
- [Idw] Rainer Schuppenhauer: "Principles for Correct Data Processing (GoDV)", IT audit manual, 5th revised and considerably expanded edition; IDW-Verlag GmbH, Düsseldorf 1998
- [Kam1] Dr. Ulrich Kampffmeyer, Jörg Rogalla: "Principles of Electronic Archiving", Code of Practice for audit-proof archiving, second revised and expanded edition; VOI Association of Optical Information Systems e.V., VOI Compendium series, Volume 3; 1997
- [Kam2] Karl-Georg Henstorf, Dr. Ulrich Kampffmeyer, Jan Prochnow: "Principles of procedural documentation according to GoBS", Code of Practice for audit-proof archiving, first edition; VOI Association of Optical Information Systems e.V., VOI Compendium series, Volume 4; 1999
- [Lüsch] Edgar Lüscher: "Piper's Book of Modern Physics"; R. Piper & Co. Verlag, Munich 1978, ISBN 3-492-02241-3
- [Unbe] Prof. Dr.-Ing. Rolf Unbehauen: "Systems Theory - A Representation for Engineers"; R. Oldenbourg Verlag, Munich 1983, ISBN 3-486-38454-6
- [Zille] Dr. W. Zillessen: "System auditing of database-supported information systems - basics for system documentation, internal control system and computer-based auditing techniques from the perspective of the annual audit under stock corporation law"; Erich Schmidt Verlag, Berlin 1985, ISBN 3-503-02475-1
© SecuMedia-Verlags-GmbH, D-55205 Ingelheim,
KES 3/2000, page 75