7/31/2019 Lecture 1-5 is Audit and Internal Controls

Auditing: Software System Auditing

Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit
An audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.

IT/IS Audit
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
An Information Technology audit, or Information Systems audit, is an examination of the management controls within an IT infrastructure.

IT/IS Audit
The evaluation of obtained evidence determines if the Information Systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT/IS Audit
Information Systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance.
While there is no single universal definition of IS audit, we can define it as: the process of collecting and evaluating evidence to determine whether a computer system (Information System) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

Software Audit
Software audits provide an independent evaluation of software products or processes to ascertain compliance with standards, specifications, and procedures, based on objective criteria that include documents specifying:
The form or content of the product to be produced.
The process by which the products shall be produced.
How compliance with standards or guidelines shall be measured.

Software Audit
Software audits include checking software products and processes to verify that they comply with the applicable procedures and standards.

Categories of Software Audits
Software audits can be categorized as:
A software licensing audit, where use of the software is audited for license compliance.
A software quality assurance audit, where a piece of software is audited for quality.
A software audit review, where a group of people external to a software development organization examines a software product.
A physical configuration audit.
A functional configuration audit.

Need for IS Control & Audit
Reliance on computer systems
Survival of organization
Costs of data loss
Costs of errors
Inability to function
Possibility of incorrect decisions

Need for IS Control & Audit
Security & abuse, from inside & outside: hacking, viruses, access
Destruction & theft of assets
Modification of assets
Disruption of operations
Unauthorized use of assets
Physical harm
Privacy violations

What triggers an audit?
Quality Assurance Plan
Event
Date
Requests from management
Requests from developers
Requests from customers
Integration with process improvement activities
Outside requirements (regulatory)
Gut feeling

IT audits are also known as "Automated Data Processing (ADP) audits" and "Computer Audits". They were formerly called Electronic Data Processing (EDP) audits.
Sometimes IS Auditing has another objective, namely ensuring that an organization complies with some regulation, rule, or condition. IS Auditing is conceived as being a force that enables organizations to better achieve four major objectives.

Objectives of IT/IS Audit
IT/IS Audit
Safeguarding of Assets
Improved Data Integrity
Improved System Effectiveness
Improved System Efficiency
Source: Ron Weber

Asset Safeguarding Objectives
The IS assets of an organization include:
Hardware
Software
Facilities
People (knowledge)
Data files
System documentation, and
Supplies.
Like all assets, they must be protected by a system of internal control.

Data Integrity Objectives
Data integrity is a fundamental concept in IS auditing. It is a state implying data has certain attributes: completeness, soundness, purity and veracity.
If data integrity is not maintained, an organization no longer has a true representation of itself or of events. Moreover, if the integrity of an organization's data is low, it could suffer from loss of competitive advantage.

Three major factors affect the value of a data item to an organization:
1. The value of the information content of the data item for individual decision makers.
2. The extent to which the data item is shared among decision makers.
3. The value of the data item to competitors.

Purpose of IT Audit
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

Types of Information System Audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
Technological Innovation Process Audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.

Types of Information System Audits
Innovative Comparison Audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
Technological Position Audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Types of Information System Audits
Others describe the spectrum of IT audits with five categories of audits:
1. Systems and Applications.
2. Information Processing Facilities.
3. Systems Development.
4. Management of IT and Enterprise Architecture.
5. Client/Server, Telecommunications, Intranets, and Extranets.

Types of Information System Audits
Systems and Applications: An audit to verify that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

Types of Information System Audits
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.

Elements of IT/IS Audit
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

What Tools do IT Auditors require?

Audit Process

Audit: Main Steps
Initial Review: A preliminary investigation by the auditors to determine how the audit should be conducted.
Controls Review: Detailed controls are appraised both in their necessity and presence.
Compliance Testing: Determines whether controls actually exist and function as specified in the documentation.
Substantive Testing: Determines if the system data actually represents reality.

Internal vs External Audit
The audit function can be performed internally or externally.
Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
External audit is an audit conducted by an individual of a firm that is independent of the company being audited.

Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit
Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.
With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Scope of Internal Audit
The scope of internal auditing within an organization is broad and may involve topics such as:
Efficacy of operations.
Reliability of financial reporting.
Deterring and investigating fraud.
Safeguarding assets, and
Compliance with laws and regulations.

Scope of Internal Audit
Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities.
As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

Scope of Internal Audit
Publicly traded corporations typically have an Internal Auditing Department, led by a Chief Audit Executive (CAE) who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.

Internal Audit Reporting Structure (organization chart, top down)
Board Audit Committee; CEO
Head of Audit Dept
Head of Non-IT Audit; Head of IT Audit
Non-IT Audit Team Members; IT Audit Team Members

Role of Internal Audit in Risk Management
Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes.
Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to the risks that could potentially impact its ability to realize its objectives.

Motivation for Control & Audit
Major business fraud cases:
Enron
Worldcom
The "didn't know these things were happening" syndrome
Comprehensive ethical/control programs do matter to corporate stakeholders
Need for ethical/control:
Standards
Internal reporting process
Highest level responsibility

Objectives of Audit and Control
Need to control & audit information systems.
IS AUDITING = collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently.
Understanding the organization & environment.
Understanding systems, EDP in particular.
Understanding the control approach.
Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events.

The Auditing Environment
External vs. internal auditors
External auditors provide increased assurance on:
Fairness of financial statements
Frauds & irregularities
Ability to survive
Internal auditors appraise and evaluate adequacy & effectiveness of controls.
Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events.
Reporting and responsibility to the Board of Directors.

The Auditing Environment, continued
Types of audit procedures:
To gain understanding of controls.
Tests of controls.
Substantive tests of details of transactions.
Substantive tests of balances and overall results.
Analytic review procedures.

Assessing Reliability
By controls
By transaction
By errors

Internal Auditors
Responsible to the Board of Directors.
An internal control function.
Assist the organization in measurement and evaluation of:
Effectiveness of internal controls.
Achievement of organizational objectives.
Economics & efficiency of activities.
Compliance with laws and regulations.
Operational audits.

Internal Auditors' Scope of Work: SCARE
Safeguarding assets.
Compliance with policies and plans.
Accomplishment of established objectives.
Reliability & integrity of information.
Economical & efficient use of resources.

External Auditors
Responsible to stockholders and the public, via the Board of Directors.
Assess financial statement assertions (transactions):
Existence or occurrence.
Completeness.
Valuation and allocation.
Presentation and disclosure.
Rights and obligations.
Must test compliance with laws and regulations.
Must test for fraud and improprieties.
Rely on the internal control structure for planning of the audit.

External Auditors
Audit (material misstatement) risk = product of:
Inherent risk (the assertion could be materially misstated)
Control risk (a misstatement will not be prevented or detected on a timely basis by internal controls)
Detection risk, inversely related to control and inherent risks

Internal Controls
In auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and Management Information Systems, designed to help the organization accomplish specific goals or objectives.
Internal controls are a MEANS by which an organization's resources are directed, monitored, and measured.
They play an important role in preventing and detecting fraud and protecting the organization's resources.

Internal Controls
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

Internal Controls, continued
Controls are a system of activities:
Preventive
Detective
Corrective
Controls affect reliability:
Reduce failure probability
Reduce expected loss in failure
Reasonable assurance, based on cost-benefit considerations

Internal Controls, continued
Internal controls can be Detective, Corrective, or Preventive by nature.
1. Detective controls are designed to detect errors or irregularities that may have occurred.
2. Corrective controls are designed to correct errors or irregularities that have been detected.
3. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.

Internal Controls consist of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process.
Although the components apply to all entities, small and mid-size companies may implement them differently than large ones. Their controls may be less formal and less structured, yet a small company can still have effective internal control. The components are:

1. Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

2. Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

3. Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

4. Information & Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities and conditions necessary to informed business decision-making and external reporting.

Information & Communication, continued
Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

5. Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

The Internal Controls Framework
Separation of duties
Delegation of authority & responsibility
System of authorizations
Documentation & records
Physical control over assets & records
Management supervision
Independent checks
Recruitment & training

Internal Control Objectives
Internal control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates internal control by assessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

Authorization
The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.
Completeness
The objective is to ensure that no valid transactions have been omitted from the accounting records.
Accuracy
The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data, and that information is recorded in a timely manner.
Validity
The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

Physical Safeguards & Security
The objective is to ensure that access to physical assets and information systems is controlled and properly restricted to authorized personnel.
Error Handling
The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
Segregation of Duties
The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction.
A well designed process with appropriate internal controls should meet most, if not all, of these control objectives.

IT Controls
Information Technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control.
IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.

IT Controls
IT controls are often described in two categories:
1. IT General Controls (ITGC), and
2. IT Application Controls.
ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes.
IT Application Controls refer to transaction processing controls, sometimes called "input-processing-output" controls.

The COBIT Framework (Control Objectives for Information Technology) is a widely-used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.

ITGC
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
Control Environment: Those controls designed to shape the corporate culture or "tone at the top". Provides the foundation for the other components. Encompasses such factors as management's philosophy and operating style.
Change Management procedures: Controls designed to ensure changes meet business requirements and are authorized.

ITGC
Control Activities: Consist of the policies and procedures that ensure employees carry out management's directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
Monitoring: Reviewing the output generated by control activities and conducting special evaluations.

ITGC
Source code/document version control procedures: controls designed to protect the integrity of program code.
Software development life cycle standards: controls designed to ensure IT projects are effectively managed.
Logical access policies, standards and processes: controls designed to manage access based on business need.
Incident management policies and procedures: controls designed to address operational processing errors.
Problem management policies and procedures: controls designed to identify and address the root cause of incidents.

ITGC
Technical support policies and procedures: policies to help users perform more efficiently and report problems.
Hardware/software configuration, installation, testing, management standards, policies and procedures.
Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.
Physical security: controls to ensure the physical security of information technology from individuals and from environmental risks.

IT Application Controls
IT Application Controls or Program Controls are fully-automated controls (i.e., performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output.
These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications.

IT Application Controls
Completeness checks: controls that ensure all records were processed from initiation to completion.
Validity checks: controls that ensure only valid data is input or processed.
Identification: controls that ensure all users are uniquely and irrefutably identified.
Authentication: controls that provide an authentication mechanism in the application system.

IT Application Controls
Categories of IT application controls may include:
Authorization: controls that ensure only approved business users have access to the application system.
Input controls: controls that ensure the integrity of data fed from upstream sources into the application system.

IT Application Controls
Application controls may be compromised by the following application risks:
Weak security.
Unauthorized access to data and unauthorized remote access.
Inaccurate information and erroneous or falsified data input.
Misuse by authorized end users.
Incomplete processing and/or duplicate transactions.
Untimely processing.
Communication system failure.
Inadequate training and support.
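The control objectives defined earlier (authorization, completeness, validity, segregation of duties, error handling) and the application-control checks on the preceding slides can be implemented as a control layer run over a transaction batch before it is processed. The Python below is an added example, not code from the lecture; the authority table, record fields and sample batch are constructed assumptions, and it deliberately exercises the "incomplete processing and/or duplicate transactions" risk listed above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed authority table (constructed): approver -> maximum amount they may approve.
APPROVAL_LIMITS = {"alice": 5_000.0, "bob": 50_000.0}
VALID_CURRENCIES = {"USD", "EUR"}


@dataclass
class Txn:
    seq: int                    # batch sequence number
    recorded_by: str            # user who entered (recorded) the transaction
    approved_by: Optional[str]  # user who approved it, None if unapproved
    amount: float
    currency: str


@dataclass
class ControlReport:
    accepted: list = field(default_factory=list)    # seq numbers that passed every check
    exceptions: list = field(default_factory=list)  # (seq, objective, detail) tuples

    def objectives_failed(self, seq):
        # Which control objectives a given record (or the batch, seq=None) failed.
        return sorted({obj for s, obj, _ in self.exceptions if s == seq})


def check_completeness(batch, expected_count, rep):
    # Completeness: exactly the expected number of records, numbered 1..n with
    # no gaps and no repeated sequence numbers (all records processed end to end).
    seqs = sorted(t.seq for t in batch)
    if seqs != list(range(1, expected_count + 1)):
        rep.exceptions.append((None, "completeness",
                               f"expected seq 1..{expected_count}, got {seqs}"))
        return False
    return True


def check_transaction(t, seen_keys, rep):
    problems = []
    # Validity: only well-formed data is processed.
    if t.amount <= 0 or t.currency not in VALID_CURRENCIES:
        problems.append(("validity", f"amount={t.amount} currency={t.currency}"))
    # Authorization: approved by someone whose authority covers this amount.
    limit = APPROVAL_LIMITS.get(t.approved_by)
    if limit is None:
        problems.append(("authorization", f"approver {t.approved_by!r} has no authority"))
    elif t.amount > limit:
        problems.append(("authorization",
                         f"amount {t.amount} exceeds {t.approved_by}'s limit {limit}"))
    # Segregation of duties: the person who recorded it may not also approve it.
    if t.approved_by is not None and t.recorded_by == t.approved_by:
        problems.append(("segregation_of_duties",
                         f"{t.recorded_by} both recorded and approved"))
    # Duplicate transactions: same recorder/amount/currency already seen in this batch.
    key = (t.recorded_by, t.amount, t.currency)
    if key in seen_keys:
        problems.append(("duplicate", f"repeats {key}"))
    seen_keys.add(key)
    # Error handling: every exception is recorded for management reporting,
    # never silently dropped.
    for objective, detail in problems:
        rep.exceptions.append((t.seq, objective, detail))
    return not problems


def run_application_controls(batch, expected_count):
    rep = ControlReport()
    check_completeness(batch, expected_count, rep)
    seen = set()
    for t in sorted(batch, key=lambda x: x.seq):
        if check_transaction(t, seen, rep):
            rep.accepted.append(t.seq)
    return rep


# Constructed sample batch: five records where six were expected (a completeness
# failure), plus one example of each per-transaction control failing.
SAMPLE_BATCH = [
    Txn(1, "alice", "bob", 1_200.0, "USD"),    # clean
    Txn(2, "bob", "bob", 300.0, "USD"),        # recorder approved own entry
    Txn(3, "carol", "alice", 9_000.0, "EUR"),  # exceeds alice's 5,000 limit
    Txn(4, "carol", "bob", -50.0, "USD"),      # negative amount
    Txn(5, "alice", "bob", 1_200.0, "USD"),    # duplicate of seq 1
]


if __name__ == "__main__":
    report = run_application_controls(SAMPLE_BATCH, expected_count=6)
    print("accepted:", report.accepted)
    for seq, objective, detail in report.exceptions:
        print(f"seq={seq} {objective}: {detail}")
```

Only seq 1 is accepted; the other four records and the short batch each surface as a distinct control exception for the error-handling path to report.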

Internal Control Frameworks: COBIT
COBIT is a widely-utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes.
The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
-
7/31/2019 Lecture 1-5 is Audit and Internal Controls
72/82
Internal Control Frameworks - COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control:
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring
These controls need to be in place to achieve financial reporting and disclosure objectives.
Internal Control Frameworks
COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues.
The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.
The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
Roles and Responsibilities in Internal Controls
According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent.
Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.
Each major entity in corporate governance has a particular role to play:
Management:
The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control.
More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business.
Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.
In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
Board of Directors:
Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive.
They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
Auditors:
The Internal Auditors and External Auditors of the organization also measure the effectiveness of internal control through their efforts.
They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve Internal Controls.
They may also review Information Technology controls, which relate to the IT systems of the organization.
Limitations of Internal Controls:
No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems. These include:
1. Judgment:
The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand.
2. Breakdowns:
Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.
Limitations of Internal Controls:
3. Management Override:
High level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion:
Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.
Limitations of Internal Controls:
Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.
Effective internal control implies the organization generates reliable reporting and substantially complies with the laws and regulations that apply to it.
Limitations of Internal Controls:
However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation.
These factors are outside the scope of internal control; therefore, effective Internal Controls provide only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.