Controls are widely used in business and are often related to information technology (IT) because IT systems are used to implement business controls and because the introduction of IT entails additional control concerns. Thus, control aspects should be part of information systems analysis and design. Furthermore, information systems need to be examined for completeness and correctness of their controls. However, despite the importance of IT controls, no general, well formalized framework is available to guide the analysis of controls requirements, the design of controls in systems, and the audit of existing systems. This paper presents a conceptual framework of controls based on an ontological foundation and an extended typology of IT controls. The framework can be used to analyze IT control issues and manage IT control assets. An initial evaluation of the typology using a published control framework and an example indicates its potential usefulness.