Lesson 7 & 8 Internal Controls Concepts Knowledge PDF

Document Details

Uploaded by Deleted User

Philippine Women's University - CDCEC

Dandref C. Reyes

Tags

internal controls IT audit corporate governance business

Summary

This document covers internal control concepts, including the types, objectives, and systems of internal controls. It explains how internal controls are used to achieve organizational objectives.

Full Transcript

IT AUDIT AND CONTROL Internal Controls Concepts Knowledge Lesson 7 & 8 BY: DANDREF C. REYES INTERNAL CONTROLS Confusion commonly arises as to what exactly a control is. A control may be defined as any action taken by man...

IT AUDIT AND CONTROL Internal Controls Concepts Knowledge Lesson 7 & 8 BY: DANDREF C. REYES INTERNAL CONTROLS Confusion commonly arises as to what exactly a control is. A control may be defined as any action taken by management to enhance the likelihood that established objectives and goals will be achieved. It results from management’s planning, organizing, and directing, and the many variants (e.g., management control, internal control, etc.) can be incorporated within the generic term. Management controls are intended to ensure that an organization is working toward its stated objectives: – Corporate objectives and goals are the statement of corporate intent – Management objectives define how the corporate objectives will be met – Internal control ensures that programs to ensure management objectives are properly planned and executed INTERNAL CONTROLS The level of control needed will be affected by overall objectives. Corporate objectives and goals are the statement of corporate intent and are generally very broad, while Management objectives define how the corporate objectives will be met and they are normally much more detailed. Internal control is designed to ensure that programs to ensure management objectives are properly planned and executed. Control responsibility is clearly management’s job and encompasses planning, organizing, and directing. Planning in this case is taken to mean the establishing of objectives and goals as well as choosing the preferred methods of utilizing resources. Organizing involves the gathering of the required resources and arranging them in such a way that the objectives may be attained. The directing process of management includes the authorizing, instructing, and monitoring performance as well as periodically comparing actual to planned performance. INTERNAL CONTROLS Within the IS environment, this involves ensuring that systems function as intended, data integrity is maintained, confidentiality is maintained, systems are available as and when required, data accuracy and completeness are maintained, and access is granted only on an authorized basis. Management decisions may be classified as Strategic, Tactical, or Operational and all decisions at whatever level are impacted by the IS designed to provide the basis upon which the decisions are made. IS Audit must then ensure that the system of internal control will be effective, and functions as intended. INTERNAL CONTROL OBJECTIVES Overall, Internal Control Objectives, at a detailed level, can be seen to encompass: Reliability and Integrity of Information. If management cannot trust the reliability and integrity of the information held and processed within the IS, then all information must be deemed suspect and, in some cases, this may be more detrimental to the organization than a loss of information systems. Compliance with Policies, Plans, Procedures, Laws, and Regulations. Laws and regulations are imposed externally and must be complied with. Inadequate information systems may lead to the organization inadvertently breaching the laws of the country with result of losses in terms of fines, penalties, and possibly imprisonment for corporate officers. INTERNAL CONTROL OBJECTIVES Safeguarding of Assets. Loss of assets is typically one of the most visible risks an organization can face and typically these lead to the implementation of the most visible controls, such as locks on doors, safes, security guards, and so forth. Effectiveness and Efficiency of Operations. Effectiveness involves the achievement of established objectives and should be the ultimate focus of all operations and controls. Many information systems, at the time of the original design, were focused upon achieving the corporate objectives. TYPES OF INTERNAL CONTROLS Internal controls can be classified into various types, and it is the combination of these controls that go to make up the overall system of internal controls designed to achieve the general control objectives. Such controls can be classified into: 1. Preventative controls, which occur before the fact but can never be 100% effective and therefore cannot be wholly relied upon. These could include controls such as restrictions on users, requirements for passwords, and separate authorization of transactions. 2. Detective controls, which detect irregularities after occurrence and may be cheaper than checking every transaction with a preventative control. Such controls could include effective use of audit trails and the use of exception reports. 3. Corrective controls ensure the correction of problems identified by detective controls and normally require human intervention within the IS. Controls in this area may include such processes as Disaster Recovery Plans and transaction reversal capabilities. Corrective controls are themselves highly error-prone because they occur in unusual circumstances and typically require a human decision to be made, and an action decided upon and implemented. TYPES OF INTERNAL CONTROLS 4. Directive controls are designed to produce positive results and encourage acceptable behavior. They do not themselves prevent undesirable behavior and are normally used where there is human discretion in a situation. Thus, informing all users of personal computers that it is their responsibility to ensure adequate backups are taken and stored appropriately does not, of itself, enforce compliance. Nevertheless, such a directive control can be monitored and action taken where the control is breached. 5. Compensating controls can be seen to exist where a weakness in one control may be compensated by a control elsewhere. They are used to limit risk exposure and may trap the unwary evaluator. This is particularly true where the auditors are faced with complex integrated systems and the control structures involve a mixture of system-driven and human controls scattered over a variety of operational areas. SYSTEMS OF INTERNAL CONTROL It is the overall combination of the individual elements of control that go to make up the Systems of Internal Control. This may be defined as the overall infrastructure within which the other control elements will function and establishes the conditions under which the rest of the Internal Controls will operate. The Control Framework includes the policies and procedures that describe the scope of a function, its activities, interrelationships with other departments, as well as the external influences of laws and regulations, customs, union agreements, and its competitive environment. STANDARDS FOR THE PROFESSIONAL PERFORMANCE OF INTERNAL AUDITING The Standards themselves have been regrouped and redefined into Attribute, Performance, and Implementation Standards: Attribute Standards. These address the attributes of organizations and individuals performing internal audit services and apply to all internal audit services. Performance Standards. These describe the nature of internal audit services provided and provide quality criteria against which the performance of these services can be measured. Implementation Standards. These prescribe Standards applicable to specific types of engagements in a variety of industries as well as specialist areas of service delivery. ELEMENTS OF INTERNAL CONTROL Given the overall control objectives noted in the preceding section, control structures must be designed in order to ensure: 1. Segregation of duties. Controls to ensure that those who physically handle assets are not those who record asset movements. Within a modern computer system this is normally achieved by a combination of user identification, user authentication, and user authorization. 2. Competence and integrity of people. Underpinning the control system are the people who enforce it. In order for controls to be effective, those who exercise control must be capable of doing so and honest enough to consistently do so. 3. Appropriate levels of authority. A common mistake in control structures is the granting of too much authority within control boundaries. Authorities should only be granted on a need-to have basis. If there is no need for a particular individual to have specific authorities, they should not be granted. ELEMENTS OF INTERNAL CONTROL 4. Accountability. For all decisions, transactions, and actions taken, there must be controls that will allow the determination of who did what with an acceptable degree of confidence. This normally involves the use of control logs and audit trails. 5. Adequate resources. Controls that are attempted with inadequate resources will typically fail whenever they come under stress. Adequate resources include manpower, finance, equipment, materials, and methodologies. 6. Supervision and review. Adequate supervision of the appropriate type is fundamental to the implementation of sound internal control. AUTOMATED SYSTEMS Within our information systems there are two primary software components that add to or subtract from control. These components are: Systems Software. Systems software includes computer programs and routines controlling computer hardware, processing, and non-user functions. This category includes the Operating Systems, telecommunications software, and data management software. Applications Software. Applications software includes computer programs written to support business functions such as the General Ledger, Payroll, Stock Systems, Order Processing, and other such line-of-business functions. End-User Systems. End-user systems are special types of application systems that are generated outside the IS organization to meet specific user needs. These include micro-based packages as well as user- developed systems. CONTROL PROCEDURES In order to ensure that control over the corporate computer investment is adequate, a range of controls is required, including: General IS Controls. Covering the environment within which the computer systems are utilized Computer Operations. Covering the day-to-day operations of the machine Physical Security. Covering the security of the physical hardware, software, buildings, and staff Logical Security. Covering the manner in which data and software are protected from access via the systems themselves Program change control. To ensure that systems that are correct and functional continue to be so Systems development. To ensure that the systems in use by the organization are effective, efficient, and economical CORPORATE IT GOVERNANCE The importance of good governance has become a watchword internationally and has been driven by the requirements of the global economy for transparency and accountability in organizational stewardship. Corporate governance involves the mechanisms by which a business enterprise is directed and controlled. It concerns the mechanisms through which corporate management is held accountable for corporate conduct and performance and provides the framework within which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. COSO AND INFORMATION TECHNOLOGY The Committee of Sponsoring Organizations (COSO) was established in 1985 by five of the largest accounting, auditing, and finance oversight committees in the United States. The committee aimed to sponsor the National Committee on Fraudulent Financial Reporting. The National Committee was independent of COSO, so there were no conflicts of interest. The National Committee included representatives from regulatory agencies, public companies, and educational institutions. COSO is a committee composed of representatives from five organizations: – American Accounting Association – American Institute of Certified Public Accountants – Financial Executives International – Institute of Management Accountants – Institute of Internal Auditors WHAT IS THE COSO FRAMEWORK? The original COSO framework was developed in 1992, with the most recent version published in 2013. To understand the framework, you must understand what it covers. According to COSO, internal control: – Focuses on achieving objectives in operations, reporting and/or compliance – Is an ongoing process – Depends on people’s actions, not merely written policies and procedures – Provides assurance senior management of security to a reasonable degree – Can be adapted to the needs of the whole organization as well as each department, unit or process INTERNAL CONTROL GOALS The COSO framework divides internal control objectives into three categories: operations, reporting and compliance. Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of your business operations. Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization’s reporting habits. Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with. MIDTERM: ACTIVITY 2 Elaborate your answers. Minimum of two (2) paragraphs each. 1. Why do you think there should be a standard in performing IS audit? 2. How important are these standards in the process of IS Auditing?

Use Quizgecko on...
Browser
Browser