Internal Audit Control Overview
25 Questions
Questions and Answers

What is the definition of control according to The IIA Glossary?

Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

What are the elements included in the control environment?

  • Assignment of authority and responsibility (correct)
  • Integrity and ethical values (correct)
  • Management's philosophy and operating style (correct)
  • Competence of personnel (correct)

Control can provide absolute assurance of achieving objectives.

False

Which type of control alerts the proper people after an unwanted event?

Detective controls

Automated processing _______________ subjects similar transactions to the same processing instructions.

uniformly

Corrective controls aim to prevent the occurrence of unwanted events.

False

Match the following types of controls with their descriptions:

  • Preventive controls = Deter the occurrence of unwanted events
  • Detective controls = Alert the proper people after an unwanted event

Online, real-time processing systems are commonly referred to as online ____________ processing (OLTP) systems.

transaction

What kind of controls manage situations where two or more users attempt to access or update a file or database simultaneously?

Concurrency controls

What is the purpose of the hash total in a batch of invoices?

To verify the completeness of data

Preformatting of data entry screens mimics the layout of printed forms to aid data entry.

True

What is the purpose of check digits in data entry?

Extra reference number that follows an identification code and has a mathematical relationship to the other digits

Concurrency controls manage situations where two or more users attempt to access or update a _ simultaneously.

file

Match the following classes of objectives with their corresponding areas of control:

  • Operations = Achieving financial performance and safeguarding assets
  • Reporting = Providing reliable and timely financial information for stakeholders
  • Compliance = Ensuring adherence to laws, rules, and regulations

Which of the following components of internal control specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to five types of objectives?

Risk assessment

The COBIT framework was originally focused on controls for specific IT processes.

True

What is the mnemonic aid for remembering the components of the CoCo model?

Purpose Police, Commitment Can, Capability Catch, Monitoring Many, Learning Lawbreakers

The information systems enable the organization to obtain, generate, use, and communicate information to maintain accountability and __________ performance.

measure and review

What does COBIT 5 do for IT-related goals after establishing enterprise goals?

Translates the generic enterprise goals into IT-related goals

COBIT 5 describes seven categories of __________ that support comprehensive IT governance and management.

enablers

According to COBIT 5, enablers are standalone elements with no interconnections.

False

How does COBIT 5 suggest governance and management should be treated in the modern enterprise?

As separate and distinct activities

What is the objective of VAL IT?

Establish best practices that contribute to the process of value creation

Match the following eSAC IT business assurance objectives with their descriptions:

  • Availability = Ensure information, processes, and services are available at all times
  • Capability = Ensure reliable and timely completion of transactions
  • Functionality = Ensure systems are designed to user specifications to fulfill business requirements
  • Protectability = Prevent unauthorized access to system data
  • Accountability = Ensure transactions are processed under firm principles of data ownership, identification, and authentication

What methodology provides guidance for assessing the scope of IT general controls using a top-down and risk-based approach?

GAIT

Study Notes

Overview of Control

• Control is any action taken to manage risk and increase the likelihood of achieving objectives and goals.
• Control processes include policies, procedures, and activities designed to ensure risks are contained within an acceptable level.
• Control environment includes:
  • Integrity and ethical values
  • Management's philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Competence of personnel

The Control Process

• The control process involves:
  • Establishing standards
  • Measuring performance
  • Examining and analyzing deviations
  • Taking corrective action
  • Reappraising standards
• An evaluation-reward system should be implemented to encourage compliance.
• Internal control only provides reasonable assurance, not absolute assurance, due to inherent limitations:
  • Human judgment is faulty
  • Management may override internal controls
  • Controls can be circumvented by collusion
  • Cost of internal control must not be greater than its benefits

Characteristics of Automated Processing

• Automated processing has fundamental effects on business transactions, procedures, and risks.
• Characteristics of automated processing include:
  • Transaction trails may exist only for a short time or in computer-readable form.
  • Uniform processing of transactions eliminates clerical errors.
  • Segregation of functions may be concentrated in computer systems.
  • Potential for errors and fraud is increased.
  • Potential for increased management supervision.

Roles of Internal Auditors in Control

• The internal audit activity must assist the organization in maintaining effective controls.
• Internal auditors must evaluate the effectiveness and efficiency of controls and promote continuous improvement.
• Internal auditors must:
  • Clearly understand control and typical control processes
  • Consider risk appetite, risk tolerance, and risk culture
  • Understand critical risks and controls
  • Evaluate the effectiveness and efficiency of controls
  • Promote continuous improvement of controls

Types of Controls

• Primary controls:
  • Preventive controls (e.g., storing petty cash in a locked safe)
  • Detective controls (e.g., batch processing rejection)
  • Corrective controls (e.g., justifying cost variances)
  • Directive controls (e.g., policy and procedure manuals)
• Secondary controls:
  • Compensatory controls (e.g., supervisor reconciliation of cash count)
  • Complementary controls (e.g., separating functions of accounting for and custody of cash receipts)

Two Basic Processing Modes

• Batch processing:
  • Accumulating transactions for processing on a delayed basis
  • User cannot influence the process once the job has begun
  • Efficient for large numbers of routine transactions
• Online, real-time processing:
  • Updating database immediately upon entry of the transaction
  • Crucial for systems requiring up-to-date information

IT General Controls and Application Controls

• IT general controls:
  • Logical access controls
  • System development life cycle controls
  • Program change management controls
  • Physical security controls
  • System and data backup and recovery controls
• Application controls:
  • Ensure input data is accurate, complete, authorized, and correct
  • Ensure data is processed as intended
  • Ensure data stored is accurate and complete
  • Ensure outputs are accurate and complete
  • Maintain a record of data processing

Controls: Types and Frameworks

Batch Input Controls

• Financial totals: summarize monetary amounts in a group of records to compare with manual totals
• Record counts: track the number of records processed to compare with user expectations
• Hash totals: control totals without a defined meaning, used to verify data completeness

Online Input Controls

• Preformatting: data entry screens designed to imitate printed forms, aiding correct field entry
• Field/format checks: verify character types in fields (e.g., rejecting alphabetic characters in Social Security number fields)
• Validity checks: compare data with valid values in tables (e.g., vendor numbers and approved invoices)
• Limit (reasonableness) and range checks: ensure data falls within known limits (e.g., hours worked per week)
• Check digits: extra reference numbers with a mathematical relationship to other digits, used for verification
• Sequence checks: ensure files are sorted correctly before processing
• Zero balance checks: reject transactions or batches with non-zero debits and credits

Processing Controls

• Ensure data completeness and accuracy during updating
• Concurrency controls: manage multiple user access to files or databases, ensuring correct results and quick processing

Output Controls

• Ensure processing results are complete, accurate, and properly distributed
• User review: an important output control, allowing users to determine incomplete or unreasonable output

Integrity Controls

• Monitor data in processing and storage to ensure consistency and correctness

Management Trail (or Audit Trail)

• Processing history controls that enable management to track transactions from source to output

Time-Based Classification

• Feedback controls: report on completed activities to improve future performance
• Concurrent controls: adjust ongoing processes to prevent deviations from standards
• Feedforward controls: anticipate and prevent problems with a long-term perspective

Financial vs. Operating Controls

• Financial controls: based on established accounting principles, with objectives including proper authorization, recordkeeping, and compliance
• Operating controls: based on management principles and methods, applied to production and support activities

People-Based vs. System-Based Controls

• People-based controls: dependent on human intervention, such as regular performance of bank reconciliations
• System-based controls: executed automatically, without human intervention, such as code in a computerized purchasing system

Use of a Control Matrix

• Controls do not necessarily match risks one-to-one, and a control matrix can be used to match controls with risks

Control Frameworks

• Available frameworks: COSO, CoCo, Turnbull Report, and others
• COSO framework: defines internal control, objectives, and components of internal control

COSO Framework

• Definition of internal control: a process to provide reasonable assurance regarding the achievement of objectives
• Objectives: operations, reporting, and compliance
• Components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring

Control Environment

• A set of standards, processes, and structures that affect the system of internal control
• Five principles: commitment to integrity and ethical values, board independence, management structure, attracting and retaining competent individuals, and individual accountability

Management and the Board

• Enforce accountability through structures, authorities, and responsibilities
• Establish performance measures, incentives, and rewards
• Evaluate performance measures, incentives, and rewards for ongoing relevance
• Consider excessive pressures
• Evaluate performance and reward or discipline individuals

Risk Assessment

• Identify risks to the achievement of objectives across the entity
• Analyze risks to determine how they should be managed
• Consider the potential for fraud in assessing fraud risks
• Identify and assess changes that could significantly affect the system of internal control
• Evaluate risks in terms of operations, external financial reporting, external non-financial reporting, internal reporting, and compliance

Control Activities

• Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives
• Select and develop general control activities over technology to support the achievement of objectives
• Deploy control activities through policies that establish what is expected and procedures that put policies into action

Information and Communication

• Obtain or generate and use relevant, quality information to support the functioning of internal control
• Internally communicate information, including objectives and responsibilities for internal control
• Communicate with external parties regarding matters affecting the functioning of internal control

Monitoring Activities

• Select, develop, and perform ongoing or separate evaluations to determine whether the components of internal control are present and functioning
• Evaluate and communicate control deficiencies in a timely manner
• Maintain an effective monitoring program to ensure the internal control system remains capable of achieving its objectives

Relationship of Objectives, Components, and Organizational Structure

• The COSO model displays the relationship between objectives, components, and organizational structure as a cube
• The CoCo model is thought to be more suited for internal auditing purposes and consists of 20 criteria grouped into 4 components: Purpose, Commitment, Capability, and Monitoring and Learning

COBIT Framework

• COBIT is a framework for IT governance and management that addresses information technology
• COBIT 5 asserts that value creation is the most basic stakeholder need and is achieved by balancing three components: realization of benefits, optimization of risk, and optimal use of resources
• COBIT 5 recognizes that stakeholder needs are not fixed and evolve under the influence of internal and external factors
• COBIT 5 supplies 17 generic enterprise goals that are tied directly to the balanced scorecard model
• The goals cascade of COBIT 5 can be depicted graphically as follows:
  • Stakeholder needs → Enterprise goals → IT-related goals → Enablers

COBIT 5 Principles

• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-End
• Principle 3: Applying a Single, Integrated Framework
• Principle 4: Enabling a Holistic Approach
• Principle 5: Separating Governance from Management

Other Frameworks

• VAL IT: based on and complements COBIT; measures, monitors, and maximizes the realization of business value from investment in IT
• eSAC Model: accepts inputs and produces outputs, influenced by the COSO Framework
• GAIT (Guides to the Assessment of IT Risks): gives management and auditors guidance for assessing the scope of IT general controls using a top-down and risk-based approach
• Soft Controls: emphasize the importance of soft controls, such as communication of ethical values and fostering of mutual trust, in the COSO and CoCo models

Description

Quiz on control definitions and processes according to the IIA Glossary. Learn about management's role in managing risk and achieving objectives. Covers control policies, procedures, and actions.
