Module 1: Introduction to IT Auditing, Fraud & Internal Controls PDF
Document Details
San Beda University
2024
Charles Johnson G. Tan
Summary
This document is a module on Introduction to IT Auditing, Fraud, and Internal Controls for the 2nd semester of the 2024-2025 academic year at San Beda University. It defines key terms and concepts in IT auditing, fraud detection, and internal controls, and explores the different aspects of managing and securing information systems.
Full Transcript
Department of Accountancy and Taxation, College of Arts and Sciences, San Beda University
AUDCIS – 3AAC, Prof. Charles Johnson G. Tan
MODULE I HANDOUT, 2nd Semester A.Y. 2024-2025

MODULE I - INTRODUCTION TO IT AUDITING, FRAUD AND INTERNAL CONTROLS

At the end of this module, the students are expected to:
- Define basic auditing and information technology (IT) terms.
- Explain basic auditing and IT concepts and procedures.
- Differentiate attest services from advisory services related to information systems and technology.
- Discuss internal control in terms of the elements stated in the COSO framework.
- Describe the relationship among general controls, application controls, and financial data integrity.
- Identify issues pertaining to business ethics.
- Describe what constitutes fraudulent behaviour.
- Explain the fraud-motivating forces.
- Discuss typical fraud schemes (computer fraud) perpetrated using computer-based systems.
- Explore fraud detection techniques.

THE INFORMATION TECHNOLOGY (IT) ENVIRONMENT AND BASIC CONCEPTS

The term "IT environment" refers to the infrastructure, hardware, software, and systems that a business relies on every day while using information technology. Commonly used resources in an IT environment include computers, internet access, peripheral devices, etc. The three components of an IT environment are:
- Hardware: the physical, visible components of the system, such as monitors, CPUs, keyboards, mice, personal computers, servers, and data centers.
- Software: the sets of instructions that enable the hardware to perform specific tasks, ranging from web servers to the applications that make the use of the hardware practical and effective.
- Networking: interconnected computing devices that can exchange data and share resources with each other.
Networking components range from routers, switches, hubs, firewalls and cables to the other components that facilitate internal and external communication in a business.

In today's environment, organizations must integrate IT with their business strategies to attain their overall objectives, get the most value out of their information, and capitalize on the technologies available to them. Where IT was formerly viewed as an enabler of an organization's strategy, it is now regarded as an integral part of that strategy for attaining profitability and service. At the same time, issues such as IT governance, the international information infrastructure, security, and the privacy and control of public and organizational information have driven the need for self-review and self-assurance.

INFORMATION SYSTEMS (IS) VS. INFORMATION TECHNOLOGY (IT)

Figure 1 - IS vs. IT (Excerpts from Angel R. Otero)

An Information System (IS) is the set of formal procedures by which data are collected, processed into information, and distributed to users. For an information system to function in support of business objectives, three main ingredients must exist and support each other: People, Processes and Information Technology (IT). IT integrates the hardware, software, networking and other facilities that support the management of data.

THE AUDITING PROFESSION

1. Financial Auditing encompasses all activities and responsibilities concerned with rendering an opinion on the fairness of financial statements. The basic rules governing audit opinions indicate clearly that the scope of an audit covers all equipment and procedures used in processing significant data.

2. IT Auditing is the formal, independent, and objective examination of an organization's IT infrastructure to determine whether the activities (procedures, controls, etc.) involved in gathering, processing, storing, distributing, and using information comply with guidelines, safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's objectives. IT auditing provides reasonable assurance (never absolute) that the information generated by applications within the organization is accurate and complete and supports effective decision making, consistent with the nature and scope of the engagement previously agreed.

TYPES OF AUDIT FUNCTIONS

1. Internal Audit (IA)
a. An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
b. IA brings organizations a systematic and disciplined approach to assessing and enhancing their risk management, control, and governance processes, and to accomplishing their goals and objectives. IT audit is one of the areas of support for IA.
c. The primary purpose of the IA function is to assure that management-authorized controls are being applied effectively.
d. The IA department performs year-round monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality.
e. Given management's large part in the effectiveness of an IA function, its concern with the reliability and integrity of the computer-generated information on which decisions are based is critical.
f. IA departments are typically led by a Chief Audit Executive (CAE), who reports directly to the Audit Committee of the Board of Directors. The CAE also reports to the organization's Chief Executive Officer (CEO).

Roles and Responsibilities of the Audit Committee of the Board of Directors:
✓ Provide input on and approve the written charter for the internal audit function, including periodic review and updating.
✓ Understand, discuss and approve the company's risk assessment and internal audit plan results. As appropriate, review, discuss and approve changes to the audit plan during the year.
✓ At least annually, evaluate the internal audit function in relation to meeting the needs of the company and the audit committee, including compliance with its written charter.
✓ Hold executive sessions with the company's chief audit executive.
✓ Provide input and direction on the appropriate escalation protocols for significant findings and issues.
✓ Review, discuss and approve the compensation of the CAE, any changes therein, and the hiring or termination of the CAE.
✓ Understand, discuss and approve the funding level for the internal audit function, and discuss its appropriateness and adequacy with management and the CAE.
✓ Review the ongoing activities of the internal audit function, including its reports, and inquire as to any other matters that should be brought to the committee's attention.
✓ Direct the internal audit function, as necessary, to perform special reviews on behalf of management or the audit committee, including investigations of fraud or suspected fraud.
✓ Participate with internal audit in designing and providing control, governance and ethics training to employees.

2. External Audit
a. Evaluates the reliability and validity of systems controls in all forms. The principal objective of such evaluation is to minimize the amount of substantive auditing or testing of transactions required to render an opinion on the financial statements.
b. External auditors are provided by public accounting firms and also exist in government. Deloitte, Ernst & Young, PricewaterhouseCoopers, and KPMG (together referred to as the "Big Four") provide these types of external audit services worldwide.
c. The external auditor is responsible for testing the reliability of client IT systems and should have a special combination of skills and experience.
Such an auditor must be thoroughly familiar with the audit attest function. The attest function encompasses all activities and responsibilities associated with rendering an audit opinion on the fairness of the financial statements. Besides the accounting and auditing skills involved in performing the attest function, these external auditors must also have substantial IT audit experience.

NEED FOR IT AUDIT

Initially, IT auditing evolved as an extension of traditional auditing. The need for an IT audit came from several directions:
- Auditors realized that computers had affected their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business environment, similar to other valuable business resources within the organization, and therefore that control and auditability were critical.
- Professional associations and organizations, and government entities, recognized the need for IT control and auditability.

IT auditing became an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Auditors with IT audit skills were viewed as the technological resource for the audit staff, who often looked to them for technical assistance.

ROLES OF AN IT AUDITOR

Counselor (advisory capacity): IT auditors must take an active role in assisting organizations in developing policies, procedures, standards, and/or best practices on safeguarding information, auditability, control, testing, etc.

Partner of Senior Management (assurance, advisory or agreed-upon capacity): Although the IT auditor's roles of counselor and skilled technician are vital to successful company operation, they may be irrelevant if the auditor fails to view auditing in relation to the organization. A system that appears well controlled may be inconsistent with the operation of a business. Thus, management needs the support of a skilled computer staff that understands the organization's requirements, and IT auditors are in a position to provide that information. They can provide management with an independent assessment of the effect of IT decisions on the business. In addition, the IT auditor can verify that all alternatives for a given project have been considered, all risks have been accurately assessed, the technical hardware and software solutions are correct, business needs will be satisfied, and costs are reasonable.

Investigator (investigative capacity): IT auditors can work in the field of computer forensics or side by side with a computer forensics specialist, supplying insight into a particular system or network. The specialist can ask the IT audit professional questions pertaining to the system and get answers faster than by researching everything on their own. The awareness and use of computer-assisted tools and techniques in performing forensic support work have provided new opportunities for the IT auditor, IT security personnel, and those in law enforcement and investigation.

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)

ISACA is an international professional association focused on IT governance. ISACA currently offers 8 certification programs, as well as other micro-certificates. One of these is the Certified Information Systems Auditor (CISA) certification, a globally recognized certification for IS audit, control, assurance and security professionals.

INTERNATIONAL STANDARDS ON AUDITING (ISA) 315: SELECTED PROVISIONS RELATING TO INFORMATION TECHNOLOGY USAGE / IT AUDIT

A52. When management makes extensive use of information technology in making an accounting estimate, identified controls in the control activities component are likely to include general IT controls and information processing controls. Such controls may address risks related to:
- Whether the IT applications or other aspects of the IT environment have the capability and are appropriately configured to process large volumes of data;
- Complex calculations in applying a method. When diverse IT applications are required to process complex transactions, regular reconciliations between the IT applications are made, in particular when the IT applications do not have automated interfaces or may be subject to manual intervention;
- Whether the design and calibration of models is periodically evaluated;
- The complete and accurate extraction of data regarding accounting estimates from the entity's records or from external information sources;
- Data, including the complete and accurate flow of data through the entity's information system, the appropriateness of any modification to the data used in making accounting estimates, and the maintenance of the integrity and security of the data. When using external information sources, risks related to processing or recording the data;
- Whether management has controls around access, change and maintenance of individual models to maintain a strong audit trail of the accredited versions of models and to prevent unauthorized access or amendments to those models; and
- Whether there are appropriate controls over the transfer of information relating to accounting estimates into the general ledger, including appropriate controls over journal entries.

The entity's use of information technology in the information system

Why does the auditor understand the IT environment relevant to the information system?

A140. The auditor's understanding of the information system includes the IT environment relevant to the flows of transactions and processing of information in the entity's information system, because the entity's use of IT applications or other aspects of the IT environment may give rise to risks arising from the use of IT.

A141. The understanding of the entity's business model and how it integrates the use of IT may also provide useful context to the nature and extent of IT expected in the information system.

Understanding the entity's use of IT

A142. The auditor's understanding of the IT environment may focus on identifying, and understanding the nature and number of, the specific IT applications and other aspects of the IT environment that are relevant to the flows of transactions and processing of information in the information system. Changes in the flow of transactions or information within the information system may result from program changes to IT applications, or from direct changes to data in the databases involved in processing or storing those transactions or information.

A143. The auditor may identify the IT applications and supporting IT infrastructure concurrently with the auditor's understanding of how information relating to significant classes of transactions, account balances and disclosures flows into, through and out of the entity's information system.

BUSINESS ETHICS, FRAUD AND INTERNAL CONTROLS

Review of basic terminology (AIS by James Hall):

Ethics are the principles of conduct that individuals use in making choices that guide their behavior in situations involving the concepts of right and wrong. Business ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in business situations that involve the concepts of right and wrong.
Computer ethics is the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. This includes concerns about software as well as hardware, and about the networks connecting computers as well as the computers themselves.

Fraud is the false representation of a material fact made by one party to another party, with the intent to deceive and induce the other party to justifiably rely on the material fact to his or her detriment.

Employee fraud is fraud committed by nonmanagement employees, generally designed to directly convert cash or other assets to the employee's personal benefit.

Management fraud is fraud perpetrated by management that often uses deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings.

THE FRAUD TRIANGLE

Figure 2 - Fraud Triangle (Excerpts from Corporate Finance Institute)

The Fraud Triangle is a triad of factors associated with management and employee fraud:
- Situational pressure: personal or job-related stresses that could coerce an individual to act dishonestly.
- Opportunity: direct access to assets and/or access to information that controls assets.
- Rationalization: one's character and degree of moral opposition to acts of dishonesty.

CONCEPTS OF COMPUTER FRAUD

Computer fraud is a subcategory of computer crime that involves theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software; the illegal use of computer-readable information; or the intentional destruction of computer software or hardware. It is also defined as any deception or embezzlement accomplished by tampering with computer programs, data files, operations, equipment, or media which results in financial losses to the organization whose computer system has been manipulated.
EXAMPLES OF COMPUTER FRAUD

- Crimes involving the use of false pretenses to obtain confidential information, personal information, or unauthorized access. Phishing to obtain account details or other proprietary information is an example of this type of crime.
- Crimes involving altering electronic data. Creating fake websites designed to obtain money or proprietary information is an example of this type of crime.
- Crimes intended to transmit or provide false or misleading information. Sending spam e-mails or participating in online auction fraud are examples; the goal is often to convince people to part with money by misleading them.
- Crimes intended to obtain unlawful use of a computer or computer system. Botnet crimes are an example. Botnets are networks of computers that have been compromised with malware. Malware is written by knowledgeable coders and is usually installed on computers through backdoors, trojan horses, worms, and viruses. Once the computers are infected, the person in charge, called the bot herder or botmaster, has almost complete control over all of the infected computers. They can be used to perpetrate other fraud schemes, to wage distributed denial of service attacks, to log keystrokes, and to send spam, among other things. Trojan horse scams also require sophisticated programming knowledge: programs are created that seem useful or desirable but actually steal information from the computer, harm the computer system, or permit the owner of the trojan horse to take control of the system and use it for other purposes.

OTHER FORMS OF COMPUTER CRIME/FRAUD (INTERNET CRIME)

Business Email Compromise (BEC): a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
Ransomware: a form of malware targeting both human and technical weaknesses in an effort to deny the availability of critical data and/or systems.
Tech Support Fraud: occurs when the subject claims to be associated with a computer software or security company, or even a cable or Internet company, offering technical support to the victim.
Government Impersonation E-mail Scam: posing as government or law enforcement officials, or simply as someone pretending to have a certain level of authority, in order to persuade unaware victims to provide their personal information.
Intimidation/Extortion Scam: demands for money, property, assets, etc. through undue exercise of authority (i.e., threats of physical harm, criminal prosecution, or public exposure) in order to extort and intimidate.
Confidence Fraud/Romance Scam: schemes that target people looking for companionship, friendship, or romance via online resources.

RESPONSIBILITY FOR FRAUD PREVENTION AND DETECTION BASED ON THE INTERNATIONAL STANDARDS ON AUDITING (ISA) 240

…

4. The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by active oversight by those charged with governance.
Oversight by those charged with governance includes considering the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings in order to influence the perceptions of analysts as to the entity's performance and profitability.

5. An auditor conducting an audit in accordance with ISAs is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs.

6. As described in ISA 200, the potential effects of inherent limitations are particularly significant in the case of misstatement resulting from fraud. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error. This is because fraud may involve sophisticated and carefully organized schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or intentional misrepresentations being made to the auditor. Such attempts at concealment may be even more difficult to detect when accompanied by collusion. Collusion may cause the auditor to believe that audit evidence is persuasive when it is, in fact, false. The auditor's ability to detect a fraud depends on factors such as the skillfulness of the perpetrator, the frequency and extent of manipulation, the degree of collusion involved, the relative size of individual amounts manipulated, and the seniority of those individuals involved.
While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is difficult for the auditor to determine whether misstatements in judgment areas such as accounting estimates are caused by fraud or error.

7. Furthermore, the risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud, because management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information or override control procedures designed to prevent similar frauds by other employees.

8. When obtaining reasonable assurance, the auditor is responsible for maintaining professional skepticism throughout the audit, considering the potential for management override of controls and recognizing the fact that audit procedures that are effective for detecting error may not be effective in detecting fraud. The requirements in this ISA are designed to assist the auditor in identifying and assessing the risks of material misstatement due to fraud and in designing procedures to detect such misstatement.

ANTI-FRAUD DETECTION TECHNIQUES

Traditional fraud detection

Traditionally, fraud detection has principally hinged on rule-based systems and manual review processes. These methods involve creating a set of rules or patterns that define fraudulent behavior and manually reviewing transactions that deviate from these predefined norms. While they have proven effective in some scenarios, they can be slow and inefficient when dealing with the volume and complexity of data in today's digital space. Moreover, because these systems are based on known fraud patterns, they often falter when faced with evolving fraudulent activities. Modern fraudsters are clever and sophisticated, always finding new ways to steal card numbers and payment information and to manipulate payment details. This shows that the current systems have their limitations.
For instance, when fraudsters change the shipping address or credit card details, the slow speed and inflexibility of these conventional methods often lead to delayed threat detection and an inability to prevent fraudulent payments swiftly and adequately. Traditional fraud detection methods also tend to generate many false positives, which increases the workload of the risk or fraud analysts who must manually review these alerts. Furthermore, these systems cannot adapt to and learn from new threats, which makes them less effective against emerging fraud techniques. Therefore, the escalating need for speed, efficiency, and adaptability in the battle against fraud necessitates the inclusion of sophisticated techniques and state-of-the-art technologies in detection systems.

Advanced fraud detection

Advanced fraud detection refers to the use of modern technologies and sophisticated models to identify and prevent fraudulent activities more precisely and efficiently than traditional methods. This approach aims to swiftly detect, prevent and respond to every type of fraud that could harm businesses, especially in the finance sector (banks and credit unions). Typically, advanced fraud detection uses Artificial Intelligence (AI) and Machine Learning (ML) algorithms designed to analyze vast amounts of data and identify patterns or anomalies. These patterns or irregularities can help signal suspicious or fraudulent activity in real time, so that even newly evolved and complex fraud types can be detected and preempted early.

Advanced fraud detection also leverages predictive analytics and data modelling. Using historic and real-time data, these technologies make predictions about potential fraud risks. For example, suppose a series of transactions originating from a single shipping address suddenly exhibits different buying behaviors. In that case, the system could alert the company to potential fraud, allowing for quick action.

Lastly, advanced fraud detection involves a technique known as fraud orchestration. This process uses AI to manage the different detection tools, thereby streamlining the detection process. It can evaluate the genuineness of transactions in real time and take appropriate measures to protect the business.

AUDIT RISK

According to the IAASB Glossary of Terms, audit risk is defined as follows: "The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk."

Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. Students should refer to any published accounts of large companies and think about the vast number of transactions in a statement of comprehensive income and a statement of financial position. It would be impossible to check all these transactions, and no one would be prepared to pay for the auditors to do so; hence the importance of the risk-based approach to auditing. Traditionally, auditors have used a risk-based approach in order to minimize the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk-based approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that errors in transactions and balances will lead to a material misstatement in the financial statements. It would be inefficient to address insignificant risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor.
RISKS APPLICABLE TO IT AUDIT

IT audit risks are the probability of negative events or circumstances occurring within an organization's IT systems, leading to significant financial losses, reputational damage, legal consequences, or regulatory non-compliance. These risks can arise from various sources, such as internal control weaknesses, inadequate security measures, unauthorized access to sensitive data, or insufficient disaster recovery plans.

CONCEPTS OF INTERNAL CONTROLS

The internal control system is the set of policies a firm employs to safeguard the firm's assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies.

Modifying Assumptions
- Management responsibility is the concept under which the responsibility for establishing and maintaining a system of internal control falls to management.
- Reasonable assurance is the assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner.

The Preventive-Detective-Corrective Internal Control Model
- Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.
- Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
- Corrective controls are actions taken to reverse the effects of errors detected.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework

The COSO Framework is a system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards. It is heavily used by publicly traded companies and accounting and financial firms.
The framework seeks to put internal controls in place that formalize the way in which key business processes are performed. This helps organizations to adhere to legal and ethical requirements, while also focusing on risk assessment and management. In addition to integrating such controls into key business processes, the framework places a heavy emphasis on monitoring and reporting, especially as it relates to using internal auditors to monitor adherence to established controls. 5 Components of COSO Framework: Component Description Control environment The control environment seeks to make sure that all business processes are based on the use of industry-standard practices. This can help ensure that the business is run in a responsible way. It may also reduce an organization's legal exposure if the organization is able to prove that its business processes are all based around industry standard practices. Additionally, the control environment can help with making sure that an organization is adhering to regulatory compliance requirements. Risk assessment and Risk assessment and management -- which is sometimes referred to as enterprise risk management management -- is based on the idea that risk is an inherent part of doing business. However, those same risks can sometimes cause a business to suffer adverse consequences. As such, organizations commonly adopt risk management plans that help them to identify risks and either reduce or eliminate risks deemed to pose a threat to the organization's well-being. Control activities Control activities are also tied to the concept of risk management. They are essentially internal controls that are put into place to make sure that business processes are performed in a way that helps an organization to meet its business objectives without introducing unnecessary risks into the process. 
Information and communications: Communications rules are put in place to make sure that both internal and external communications adhere to legal requirements, ethical values and standard industry practices. For example, private sector organizations commonly adopt privacy policies establishing how customer data can be used.

Monitoring: At a minimum, monitoring is performed by an internal auditor who makes sure that employees are adhering to established internal controls. However, in the case of public companies, it is relatively common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are usually reported to the board of directors.

2 BROAD TYPES OF COMPUTER AND INFORMATION SYSTEM CONTROLS:

General Computer Controls (“general controls” or “ITGC”) - include examining policies and procedures that relate to many applications and support the effective functioning of application controls. General controls cover the IT infrastructure and support services, including all systems and applications. General controls commonly include controls over information systems operations, information security, and change control management (i.e., system software acquisition, change and maintenance; program change; and application system acquisition, development, and maintenance).

Application Controls - examine procedures specific and unique to the application. Application controls are also referred to as “automated controls.” They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported. Examples of application controls include validating data input, checking the mathematical accuracy of records, and performing numerical sequence checks, among others.

Figure 3 - Relationship of ITGC and Application Controls (Excerpts from Angel R. Otero)

OTHER TYPES OF IT CONTROLS:

IT Entity Level Controls - refers to high-level controls within an organization's information technology system that impact the entire entity. They oversee policies and procedures across all levels of the system, essentially setting the "tone at the top" for IT operations and ensuring consistent risk management practices throughout the organization. They include aspects like the control environment, risk assessment, communication, and monitoring processes related to IT systems.

Key points about IT entity-level controls:

Broad impact: Unlike application-level controls, which focus on specific software, entity-level controls influence the overall IT infrastructure and operations across the organization.

Management oversight: These controls are primarily driven by management, setting the standards for how IT risks are identified, assessed, and mitigated.

Components of internal control: Entity-level controls encompass all five components of an internal control system: control environment, risk assessment, control activities, information and communication, and monitoring (COSO Framework).

Examples of IT entity-level controls:

Access controls: Policies governing user access to critical systems, including strong password management, multi-factor authentication, and segregation of duties.

Change management process: Strict procedures for implementing system updates and changes to minimize disruption and potential security risks.

Data backup and recovery strategies: Robust backup systems to ensure data integrity and availability in case of system failures.

Incident response plan: Defined procedures for handling IT security incidents, including breach notification and remediation steps.

IT governance framework: A set of guidelines and policies defining how IT is managed within the organization, including roles and responsibilities.

Vendor management process: Controls to assess and manage risks associated with third-party IT vendors.
Why are entity-level controls important?

Reduced risk: By establishing a strong control environment at the highest level, the organization can better mitigate potential risks across the entire IT landscape.

Improved compliance: Effective entity-level controls can help an organization comply with relevant IT security regulations and standards.

Enhanced operational efficiency: Clear policies and procedures set at the entity level can streamline IT operations and improve overall system reliability.

IT-Dependent Manual (ITDM) Controls - processes that combine manual work with computer-generated information. They are a type of internal control that involves both human input and technology. IT-dependent manual controls help ensure the security, reliability, and integrity of a company's information systems. They are often used when judgment and discretion are required.

Examples of ITDM controls:

Manual data entry oversight: Verifying the accuracy of manually entered data.

Physical security measures: Using locks, security guards, and access badges to control access to data centers and information systems.

Employee training: Teaching employees about cybersecurity best practices and manual procedures.

Reviewing reports: Reviewing reports generated by the system, such as income statement deviation reports.
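The three application controls named earlier (validating data input, checking mathematical accuracy, and numerical sequence checks) produce exactly the kind of system-generated exception report that the ITDM "reviewing reports" control then has a person examine. The following is an added example, not code from the handout or from any real system: it runs those three automated checks over a constructed batch of sales invoices whose record layout, customer-id format and values are all made up for illustration.

```python
# Added example, not from the handout: the three application controls the text names, run over a constructed invoice batch.
from decimal import Decimal

def validate_input(inv):
    """Input validation: reject malformed or impossible field values."""
    errors = []
    cid = inv["customer_id"]  # constructed format: 'C' followed by four digits
    if not (len(cid) == 5 and cid[0] == "C" and cid[1:].isdigit()):
        errors.append("bad customer_id")
    if not inv["lines"] or any(q <= 0 or p < 0 for q, p in inv["lines"]):
        errors.append("bad line items")
    return errors

def check_math(inv):
    """Mathematical accuracy: recompute the total from the line items."""
    return sum(Decimal(q) * p for q, p in inv["lines"]) == inv["stated_total"]

def check_sequence(invoices):
    """Numerical sequence check: report gaps and duplicates in invoice numbers."""
    numbers = sorted(inv["number"] for inv in invoices)
    gaps, dups = [], []
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            dups.append(cur)
        elif cur > prev + 1:
            gaps.extend(range(prev + 1, cur))
    return gaps, dups

def run_application_controls(invoices):
    """Exception report keyed by invoice number, plus batch-level sequence findings."""
    report = {}
    for inv in invoices:
        failures = validate_input(inv) + ([] if check_math(inv) else ["total mismatch"])
        if failures:
            report.setdefault(inv["number"], []).extend(failures)
    gaps, dups = check_sequence(invoices)
    report["sequence"] = {"gaps": gaps, "duplicates": dups}
    return report

def invoice(number, customer_id, lines, total):
    return {"number": number, "customer_id": customer_id,
            "lines": [(q, Decimal(p)) for q, p in lines], "stated_total": Decimal(total)}

# Constructed batch: 1003 missing, 1005 entered twice, 1002 total wrong (1*15.50 + 3*2.00 = 21.50), 1004 bad customer id.
BATCH = [
    invoice(1001, "C0042", [(2, "10.00")], "20.00"),
    invoice(1002, "C0042", [(1, "15.50"), (3, "2.00")], "21.00"),
    invoice(1004, "X42", [(1, "5.00")], "5.00"),
    invoice(1005, "C0007", [(4, "1.25")], "5.00"),
    invoice(1005, "C0007", [(4, "1.25")], "5.00"),
]
```

Calling run_application_controls(BATCH) returns the exception report a reviewer would work from: the wrong total on 1002, the malformed customer id on 1004, the gap at 1003 and the duplicate 1005.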