Chapter 5: Auditing Fundamentals in South Africa PDF
Document Details
2014
Oxford
Summary
This document is a chapter of lecture slides from a book on auditing fundamentals in a South African context. The chapter is an introduction to risks and internal controls in a computerised environment, covering ICT, networks, software, accounting systems, IT governance, general controls (organisational, system development and change, access, business continuity, operating controls) and application controls (input, processing, output and master file change controls).
Full Transcript
Chapter 5: Introduction to Risks and Internal Controls in a Computerised Environment

Slide 2: 5.1 Introduction
- Information and Communication Technology (ICT) is an integral part of modern business.
- ICT is a strategic resource: for example, it impacts how companies do business, how they interact with clients, and how a business controls its processes.
- Internal controls must be implemented to address risks.
- The chapter addresses entry-level technology and ICT principles.
(C) Oxford University Press Southern Africa (Pty) Ltd 2014

Slide 3: 5.1 Introduction
- Network: two or more computers connected in one or multiple locations.
- Local Area Network (LAN): computers connected in one location.
- Wide Area Network (WAN): computers connected in different locations.
- Networks are formed by means of, for example, cables, wireless connections or the internet.
- A computer consists of hardware and software. Software is the program that gives the computer instructions to perform tasks.
- Software types: system software (e.g. Microsoft Windows) and application software (e.g. MS Word). Accounting packages are application software.
- Databases consist of data and transaction details stored in master files or transaction files. Master files store permanent (standing) data such as customer details; transaction files record transaction details.
- Real-time vs batch processing systems.

Slide 4: 5.2 How has Information Technology evolved? Evolution of IT
- Traditionally: personal computers were used on a standalone basis (i.e. not connected to each other); documents were printed; extensive manual controls.
- Currently: networks allow computers to be connected; many automated controls have replaced manual controls; the internet allows online transacting.

Slide 5: 5.2 Evolution of IT
- Trends changing the modern IT landscape: distributed networks (decentralisation, end-user computing); mobility (and related risks); open-source software; image processing (e.g. barcode and fingerprint scanning); convergence (hardware and software integration); cloud computing.
- Fourth industrial revolution examples: Artificial intelligence (AI), a computer's ability to mimic or duplicate the functions of the human brain; machine learning, a computer's ability to learn from prior activities; Big Data, robotics and blockchain technology.

Slide 6: 5.3 How and why do companies have to govern their computer information systems? Information system governance
- King IV, principle 12: IT governance framework, risk management, internal controls.
- IT impacts both the operational and the strategic level of the business.
- Advantages of good IT governance practices include, for example: better risk management; a greater level of compliance with laws and obligations.
- Risks from not implementing sound IT governance include, for example: loss of information; inappropriate use of IT.

Slide 7: 5.3 Information system governance
- King IV: IT poses a significant risk to businesses.
- Five components of internal control.
- The board is responsible for the control environment and for overseeing the implementation of IT governance.
- Ethics principles should be in place.
- The board can delegate IT governance (risk assessment) to the Chief Information Officer (CIO).

Slide 8: 5.3 Information system governance
- Control activities enforce strategies and policies to achieve control objectives.
- Two levels of control activities: the entire system ("general controls") and a particular application ("application controls").
- Impact on financial information: initiate, record, process, report.
- Monitoring of controls.

Slide 9: 5.4 What is the impact of upgrading a manual accounting system to an electronic accounting system?
- Effect on the business's risk profile, e.g. hackers. Additional risks can arise.
- Three principles in identifying IT risks: complexities that do not exist in a manual system; the effect on management objectives; controls respond to risks to achieve control objectives.
Slide 10: 5.4 Manual accounting system to electronic accounting system: benefits and risks of a computerised system
- Benefits: complex calculations; consistency of processing; data volumes; monitoring of activities; less circumvention of controls; segregation of duties.
- Risks: unwarranted reliance; unauthorised data access; unauthorised data changes; unintentional amendments; failure to make changes; input and processing errors; manual override; data loss (in processing or transmission); duplicate or incomplete data; overreliance.

Slide 11: 5.4 General characteristics of a computer system
- Increased risk (risk of error, omission or fraud) in relation to: easy access to data from multiple locations, since data and functions are concentrated; breakdown of segregation of duties; lack of a documentation trail; automatic initiation and processing of transactions.
- Reduced risk in relation to: consistency of processing; minimal opportunity for user manipulation; processing power (large volumes) that assists decision-making; improved management monitoring and supervision.

Slide 12: 5.5 What are the key components of a computer information system? Components of Computer Information Systems (CIS)
- Hardware: physical infrastructure (e.g. keyboards and printers).
- Software: programs that run on the hardware (e.g. Pastel).
- People: anyone who interacts with the CIS.
- Procedures: instructions used to collect, store and process data.
- Data: all data stored on the hardware, e.g. a list of suppliers.
Slide 13: 5.6 How does a computerised accounting system operate? Flow of transactions in a computerised environment
- Initiate transaction: capture the data on a manual source document.
- Input: record the source document into the system.
- Process: process the transaction; update the accounting records (journals, general ledger, trial balance, etc.); master file amendment and storage.
- Output: report, e.g. financial statements.

Slide 14: 5.6 Flow of transactions in a computerised environment
- Input: capture the data on the source document.
- Processing: computerised processing controls (checks, comparisons, calculations, etc.).
- Output: stored in master files (standing data / totals) and transaction files (underlying transactions) on storage devices; printing is manual output.

Slide 15: 5.6 Input and processing environments
- Examples: batch entry and batch processing; online entry, batch processing; online entry, real-time processing; shadow processing.
- In any environment, errors or fraud can occur. Implement controls to address the risks in order to achieve the control objectives of validity, accuracy and completeness.

Slide 16: 5.7 How are computer controls classified? Two broad categories in the IT environment
- The accounting system consists of a manual and a computerised (IT) environment. IT environment controls are divided into two:
- 1. General information technology controls (ITGC, "general controls"): the framework of overall control for the CIS; pervasive throughout the CIS; in place irrespective of whether any transactions are processed. Includes access controls, application system acquisition controls, system software acquisition controls, and data centre and network operations controls.
- 2. Information processing controls ("application controls"): controls over manual or automated information processing at the application level (e.g. accounting software).

Slide 17: 5.7 General and application controls
- Impact on the system when general controls are faulty vs when application controls are faulty: e.g. a faulty inventory and debtors application limits the issues to those two accounts.
- Some controls are dual-purpose (both ITGC and application control), e.g. access controls.
- Nature of controls: preventative (e.g. passwords); detective and corrective (e.g. review of the bank reconciliation).

Slide 18: 5.8 How are general controls classified? Categories of general controls
- Organisational controls and personnel practices
- System development controls
- Access controls
- Operating controls
- Change controls
- Business continuity controls

Slide 19: 5.8.1 Organisational controls and personnel practices
- Controls over how the CIS department is structured and managed, including IT staff practices.
- A clear organisational structure in place: allocates/delegates responsibility (segregation of duties); clear reporting lines; proper appointment and ongoing staff development.
- Risks if a proper organisational structure is not in place: refer to the examples in Auditing Fundamentals.
- Top-down approach: ethical culture / control environment.

Slide 20: 5.8.1 1. Delegation of responsibility
- King IV recommends: an ethical IT governance environment; the board takes responsibility for IT and IT governance; action is taken where employees are non-compliant; a delegation structure.
- The board can delegate IT governance to the computer steering committee, which should have IT-skilled members.
- Clear reporting lines and levels of authority.
- The company must appoint a Chief Information Officer (CIO), responsible for IT and reporting to the board. Day-to-day IT management is delegated to the IT manager.

Slide 21: 5.8.1 2. Segregation of duties
- Staff members should not perform incompatible functions: functions that would put a person in a position to commit fraud or make mistakes.
- The initiation, authorisation, execution, recording and asset custody functions should be segregated.
- Segregation of incompatible duties: between the IT department and user departments; within the IT department.

Slide 22: 5.8.1 3. Reporting, supervision and review
- Requests to IT staff must be initiated by the user department.
- Users can perform the following checks to ensure the integrity of the data: high-level review (e.g. financial performance review); analytical reviews and ratios; reconciliation of data with independent or external data (e.g. bank reconciliation); independent review of logs, registers and transaction trails.
- Senior IT staff should review system activity logs and registers.
4. Personnel practices
- Appointment of competent staff, training, performance reviews.
- Employment policies and practices, e.g. dismissal and training policies.
- Prevent overreliance.

Slide 23: 5.8.2 System development and change controls
- Controls for a new computer program, or a significant change to existing systems.
- Objective: the new system or change meets users' needs and is cost efficient.
- Any system change or system development must go through the five stages of the system development life cycle (SDLC): 1. Request submission, needs assessment and selection; 2. Planning and design; 3. System development and testing; 4. Implementation; 5. Post-implementation review and training.
- Consequences if controls are not in place or fail: what is the impact of errors during development? Ongoing impact.

Slide 24: 5.8.2 Difference between concepts
- System development and acquisition: system development is the process followed when a new system is developed in-house; system acquisition is the process followed when a new system is acquired from a vendor. Usually large projects with high cost.
- Program changes (program maintenance): changes or amendments to an existing system or program. Usually cost-effective.

Slide 25: 5.8.2 System development and acquisition
- The nature of the controls over system development and acquisition and over program changes is fundamentally the same, but the detailed controls may differ, as the risk for system development and acquisition is higher than for program changes.
- SDLC phase 1. Request submission, needs assessment and selection: the project should originate from a written user request or a business need (strategic in nature); investigation and approval by the board or committees; feasibility study.

Slide 26: 5.8.2 SDLC phase 2. Planning and design
- Project team (to manage the project), made up of IT personnel and the affected user department. Work should follow programming standards and the control framework.
- Project plan to monitor progress (contains deadlines and milestones).
- Users' needs and requirements, including internal and external auditors' needs, signed off by the heads of the user departments.

Slide 27: 5.8.2 SDLC phase 3. System development and testing
- Must be divided into three areas: 1. Development area, used to program and develop the system, independent of the live system. 2. Test area, for testing the developed program, independent of the live system; tests include program tests, user acceptance testing, stress/tension tests, system tests and string/series tests. 3. Production area (live system).

Slide 28: 5.8.2 SDLC phase 4. Implementation
- Controls over system conversion and transfer of data. Conversion approaches: parallel, direct shutdown, and phased (modular).
- Senior experienced staff supervise the process.
- Training of users; system documentation.

Slide 29: 5.8.2 SDLC phase 5. Post-implementation review
- After implementation, review/assess whether: the system meets its objectives; controls have been implemented; errors were detected and resolved; the system development process was effective; and the system documentation and training material is sufficient.

Slide 30: 5.8.2 2. Change controls (program changes)
- Where a less significant change is made to the existing system.
- Objective: changes are made accurately and efficiently and address user needs.
- Also follow the five stages of the SDLC. However: less resource intensive; less time needed to implement the change; fewer levels of approval needed; more documentation and tracking of requests; a high volume of requests may be received.

Slide 31: 5.8.3 Access controls
- Controls (physical or computerised) to prevent unauthorised access and to limit authorised persons to authorised areas.
- Information is an asset. Risk from hackers and other unauthorised access; consequences if the risks materialise, e.g. loss of information.
- Importance of the "least-privilege" principle.
- Controls to prevent and detect unauthorised access: physical and logical access controls.

Slide 32: 5.8.3 1. Preventative controls
- Security management policy: a culture of security awareness; the policy should be widely distributed to all employees.
- Physical access controls: access to the premises, computer terminals, sensitive information and the IT department, e.g. security guards and locked doors.
- Logical access controls: identification (e.g. username); authentication (e.g. unique password, password controls); authorisation (e.g. access on a need basis).

Slide 33: 5.8.3 2. Detective and corrective controls
- Logs, activity registers and security violation reports; logs, registers and reports must be reviewed by a senior person.
3. Other important security controls
- Library function: appointing a data librarian.
- Data communication controls: encryption, firewalls, call-back facility, assurance logos, antivirus and anti-malware programs, regular software updates.

Slide 34: 5.8.4 Business continuity controls
- Ensure the continuity of processing (and operations); prevent system interruptions; limit the impact of interruptions.
- 1. Preventative controls: controls to prevent non-physical dangers, e.g. unauthorised access to data (logical access controls), and physical dangers, e.g. fire (control: fire alarms).

Slide 35: 5.8.4 2. Detective and corrective controls
- To limit interruptions, an entity should have: i. data backups (a formal data backup policy; regular backups, stored securely and tested frequently); ii. an emergency/disaster recovery plan (a plan to recover information after a disaster); iii. mitigation of the impact, e.g. insurance.

Slide 36: 5.8.5 Operating and system maintenance controls
- Sets standards for how to manage IT resources by: scheduling for effective use; maintenance and use of assets; ensuring that library controls are in place; maintaining logs and registers of software/hardware usage, reviewed by management; implementing policies on best user practices.
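The logical access controls of slides 31 to 33 (identification, authentication, authorisation on a need basis, and violation logs reviewed by a senior person) together with the segregation-of-duties rule of slide 21 can be shown in working code. The block below is an added example, not code from the Oxford slides or the textbook: the user names, passwords, role names, permission names and incompatible-duty pairs are all constructed for illustration.

```python
"""Added example (not from the Oxford slides): logical access controls
(identification, authentication, least-privilege authorisation), a
segregation-of-duties check on role grants, and a security violation log
that a senior person reviews. All users, roles and passwords are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Permissions each role grants (role and permission names are assumed).
ROLE_PERMISSIONS = {
    "sales_clerk":   {"order.initiate"},
    "sales_manager": {"order.authorise"},
    "cashier":       {"payment.execute"},
    "bookkeeper":    {"ledger.record"},
    "stores":        {"asset.custody"},
    "auditor":       {"log.read"},
}

# Duty pairs one person must never hold together (initiation, authorisation,
# execution, recording and asset custody are segregated, as on slide 21).
INCOMPATIBLE = {
    frozenset({"order.initiate", "order.authorise"}),
    frozenset({"order.authorise", "payment.execute"}),
    frozenset({"payment.execute", "ledger.record"}),
    frozenset({"asset.custody", "ledger.record"}),
}


@dataclass
class User:
    username: str                 # identification
    salt: bytes
    pw_hash: bytes                # authentication: salted hash, never plaintext
    roles: set = field(default_factory=set)
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    MAX_FAILED = 3                # password control: lock after repeated failures

    def __init__(self):
        self.users = {}
        self.violation_log = []   # detective control, reviewed by a senior person

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = User(username, salt, self._hash(password, salt))

    def permissions(self, username):
        user = self.users.get(username)
        roles = user.roles if user else set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

    def grant_role(self, username, role):
        """Authorisation on a need basis: refuse a grant that would give one
        person an incompatible combination of duties."""
        proposed = self.permissions(username) | ROLE_PERMISSIONS[role]
        for pair in INCOMPATIBLE:
            if pair <= proposed:
                self.violation_log.append(("SOD_CONFLICT", username, role, sorted(pair)))
                return False
        self.users[username].roles.add(role)
        return True

    def authenticate(self, username, password):
        user = self.users.get(username)
        if user is None or user.locked:
            self.violation_log.append(("AUTH_FAIL", username, "unknown-or-locked"))
            return False
        if hmac.compare_digest(user.pw_hash, self._hash(password, user.salt)):
            user.failed_attempts = 0
            return True
        user.failed_attempts += 1
        if user.failed_attempts >= self.MAX_FAILED:
            user.locked = True
            self.violation_log.append(("ACCOUNT_LOCKED", username, user.failed_attempts))
        else:
            self.violation_log.append(("AUTH_FAIL", username, user.failed_attempts))
        return False

    def authorise(self, username, permission):
        allowed = permission in self.permissions(username)
        if not allowed:
            self.violation_log.append(("ACCESS_DENIED", username, permission))
        return allowed

    def violation_report(self):
        """Security violation report grouped by event type for senior review."""
        report = {}
        for event in self.violation_log:
            report.setdefault(event[0], []).append(event[1:])
        return report


def demo():
    ac = AccessControl()
    ac.add_user("thandi", "correct horse battery")    # constructed sample users
    ac.add_user("sipho", "s3cret-example")
    ac.grant_role("thandi", "sales_clerk")
    sod_ok = ac.grant_role("thandi", "sales_manager")  # refused: initiate + authorise
    ac.grant_role("sipho", "sales_manager")
    login_ok = ac.authenticate("thandi", "correct horse battery")
    for _ in range(3):
        ac.authenticate("sipho", "wrong password")     # locked after the third failure
    return {
        "sod_refused": not sod_ok,
        "login_ok": login_ok,
        "thandi_can_initiate": ac.authorise("thandi", "order.initiate"),
        "thandi_can_authorise": ac.authorise("thandi", "order.authorise"),
        "sipho_locked": ac.users["sipho"].locked,
        "report": ac.violation_report(),
    }


if __name__ == "__main__":
    for kind, events in demo()["report"].items():
        print(kind, events)
```

The violation log is only useful as a detective control if someone actually reads it: `violation_report()` groups events so the senior reviewer sees the refused role grant, the lockout and the denied access attempt together rather than scattered through an activity log.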
Slide 37: 5.9 Which controls relate to the computerised processing of business transactions? 5.9.1 Application controls: background
- Application controls defined; what is an application?
- Manual and automated controls within a particular application (e.g. sales, debtors).
- Provide reasonable assurance that recorded transactions are valid, accurate and complete.

Slide 38: 5.9.1 Application controls: background
- The primary objective of application controls is to prevent, or detect and correct, misstatements arising when a transaction is input, processed, or when output is generated.
- Thus application controls are implemented around: input (capturing and recording of information); processing of data within the computer; distribution of output.

Slide 39: 5.9.2 Manual vs computer controls
- Three types of application controls in this context: independent manual (e.g. authorising a hard-copy order); IT-dependent manual (e.g. authorising an order online); programmed/automated (e.g. validation controls).
- Both manual and computer controls strive to achieve the same control objectives.

Slide 40: 5.9.3 Overview of application controls
- Chapters 6 to 10 (business cycles) cover the practical application of detailed application controls.
- Never viewed in isolation from general controls! Application controls are dependent on general IT controls.
- Key areas in application controls: input; processing; output; master file changes.

Slide 41: 5.9.3 1. Input controls
- Objective: data entered and master file amendments are valid, accurate and complete, e.g. correct information, no duplications, not fictitious, all input entered.
- Must also address rejected input: rejected information must be identified, investigated, corrected and re-entered.
- Consequences if input controls fail include, e.g.: unauthorised transactions; information/data loss; errors.

Slide 42: 5.9.3 1. Input controls (continued): recording of data
- Input controls are necessary over: the data capturer (person); input documentation (including hard-copy documents); the computer "screen" (screen aids); checking of the validity, accuracy and completeness of input (logical programmed controls); management review of captured data.

Slide 43: 5.9.3 1. Input controls (continued)
- Input controls are achieved through: user-related controls (e.g. training, dedicated employees doing a specific job, segregation of duties and logical access); documentation (document custody and acceptable document standards); screen aids (e.g. drop-down lists and compulsory fields); logical programmed controls, which test the input data against predetermined rules to validate the input, e.g. validity test, limit test, alphanumeric test, reasonability test, etc.

Slide 44: 5.9.3 1. Input controls (continued): error correction process
- Error made while capturing data: immediate correction, using logical programmed controls.
- Error identified on the original source document: the system must delete the rejected transaction; review and correction of the rejected transaction.
- Control total on the batch control sheet differs from the control total calculated by the computer: the computed control totals must equal the batch control sheet totals; review each transaction.

Slide 45: 5.9.3 2. Processing controls
- Occurs in the computer with little or no user intervention.
- Objective: ensure the integrity of data while it is being processed.
- Consequences if processing controls fail could include, e.g.: data being lost; duplicated data; calculation/accounting errors; logical and rounding errors; invalid data added during processing; the incorrect version of the program or data file being used.

Slide 46: 5.9.3 2. Processing controls (continued): controls to be implemented
- User-related controls.
- Correct program and file (e.g. backups, appointing a data librarian, etc.).
- Computer control totals and reports (e.g. financial field totals, hash totals and record counts).
- Controls during processing (e.g. completeness test and file sequence investigation).
- Review, reporting and exception monitoring.
- Error correction process.

Slide 47: 5.9.3 3. Output controls
- Involves the distribution of data from stored to viewed form, e.g. hard-copy document, email or on-screen display.
- Objective: output is valid, prepared accurately and completely, and distributed to authorised parties only.
- Consequences if output controls fail could include, e.g.: output distributed to unauthorised persons; output being incomplete or inaccurate.

Slide 48: 5.9.3 3. Output controls (continued)
- Controls over output include: user-related controls (e.g. access controls); controls around the distribution of output (e.g. a written policy); controls applicable when receiving output (e.g. reconcile input to output); review, reporting and exception monitoring; error correction process.

Slide 49: 5.9.3 4. Master file change controls
- When standing data is changed, added or deleted, e.g. debtor/creditor details, price lists, inventory details. Requested by a user, not by the computer.
- Master file data is captured once and then used repeatedly when transactions are processed. A data error in the master file causes data errors in all affected transactions, e.g. an error in the price list results in incorrect sales values.
- Consequences if master file change controls fail.

Slide 50: 5.9.3 4. Master file change controls (continued)
- Controls over master file amendments: user-related controls (e.g. senior person approval); request forms (e.g. master file amendment request form); input controls; review, reporting and exception monitoring (e.g. review of logs and registers).

Slide 51: 5.9.3 5. Other controls: data communication
- Electronic data transmission from sender to receiver: fixed-line, wireless (Wi-Fi and Bluetooth), etc.
- Controls that should be in place over data communication: similar controls to processing controls; specialised software (e.g. encryption and firewalls); specialised communication management software; physical cable protection.
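The logical programmed input controls of slide 43 (validity, limit, alphanumeric and reasonability tests), the handling of rejected input and batch control sheet mismatches on slides 41 and 44, and the computer control totals of slide 46 (record count, financial field total, hash total) can all be exercised on one batch of records. The block below is an added example, not code from the Oxford slides or the textbook; the debtor master file, price list, credit limit, reasonability threshold, invoice batch and batch control sheet are constructed sample data.

```python
"""Added example (not from the Oxford slides): logical programmed input
controls, rejected-input handling and batch control totals applied to a
constructed batch of sales invoices keyed in from source documents."""
from decimal import Decimal

# Constructed master-file data: valid debtor accounts and price list.
DEBTORS = {"D001": "Acme Traders", "D002": "Bongani Stores", "D003": "Cape Supplies"}
PRICE_LIST = {"P100": Decimal("120.00"), "P200": Decimal("45.50")}
CREDIT_LIMIT = Decimal("10000.00")   # limit test threshold (assumed value)
MAX_REASONABLE_QTY = 500             # reasonability test threshold (assumed value)

# Constructed batch of invoices; comments mark the defect each record carries.
BATCH = [
    {"doc_no": "INV1001", "debtor": "D001", "product": "P100", "qty": 10},
    {"doc_no": "INV1002", "debtor": "D009", "product": "P200", "qty": 3},     # debtor not on master file
    {"doc_no": "INV1003", "debtor": "D002", "product": "P200", "qty": 5000},  # unreasonable quantity
    {"doc_no": "INV10A4", "debtor": "D003", "product": "P100", "qty": 2},     # document number malformed
    {"doc_no": "INV1005", "debtor": "D003", "product": "P100", "qty": 90},    # value exceeds credit limit
    {"doc_no": "INV1001", "debtor": "D001", "product": "P200", "qty": 1},     # duplicate document number
]


def edit_checks(rec, seen_doc_nos):
    """Logical programmed controls: test one record against predetermined
    rules and return the list of failures (empty list = record accepted)."""
    errors = []
    doc = rec["doc_no"]
    # Alphanumeric/format test: "INV" followed by exactly four digits.
    if not (len(doc) == 7 and doc.startswith("INV") and doc[3:].isdigit()):
        errors.append("format: document number")
    # Duplicate test against document numbers already captured in this batch.
    if doc in seen_doc_nos:
        errors.append("duplicate: document number")
    # Validity tests: keys must exist on the master files.
    if rec["debtor"] not in DEBTORS:
        errors.append("validity: debtor not on master file")
    if rec["product"] not in PRICE_LIST:
        errors.append("validity: product not on price list")
    # Numeric and reasonability tests on the quantity field.
    qty_ok = isinstance(rec["qty"], int) and rec["qty"] > 0
    if not qty_ok:
        errors.append("numeric: quantity")
    elif rec["qty"] > MAX_REASONABLE_QTY:
        errors.append("reasonability: quantity")
    # Limit test: invoice value may not exceed the credit limit.
    if qty_ok and rec["product"] in PRICE_LIST:
        if PRICE_LIST[rec["product"]] * rec["qty"] > CREDIT_LIMIT:
            errors.append("limit: invoice value exceeds credit limit")
    return errors


def control_totals(batch):
    """Computer-calculated batch totals: record count, a financial field
    total, and a hash total (a meaningless sum of the numeric part of the
    debtor numbers, used only to detect lost, altered or swapped records)."""
    return {
        "record_count": len(batch),
        "quantity_total": sum(r["qty"] for r in batch),
        "hash_total": sum(int(r["debtor"][1:]) for r in batch),
    }


def process_batch(batch, control_sheet):
    """Compare the computer's totals with the manually prepared batch
    control sheet; on a mismatch the whole batch goes back for review.
    Otherwise apply the edit checks: rejected records are listed on an
    exception report for investigation, correction and re-entry."""
    computed = control_totals(batch)
    if computed != control_sheet:
        return {"status": "batch rejected", "computed": computed,
                "control_sheet": control_sheet}
    accepted, rejected, seen = [], [], set()
    for rec in batch:
        errs = edit_checks(rec, seen)
        seen.add(rec["doc_no"])
        if errs:
            rejected.append({"doc_no": rec["doc_no"], "reasons": errs})
        else:
            accepted.append(rec)
    return {"status": "batch accepted", "accepted": accepted, "rejected": rejected}


def demo():
    # Constructed batch control sheets: one correct, one with a transposed
    # quantity total (5016 instead of 5106) as a clerk might write it.
    good_sheet = {"record_count": 6, "quantity_total": 5106, "hash_total": 19}
    bad_sheet = {"record_count": 6, "quantity_total": 5016, "hash_total": 19}
    return process_batch(BATCH, good_sheet), process_batch(BATCH, bad_sheet)


if __name__ == "__main__":
    ok, bad = demo()
    print(bad["status"], bad["computed"], bad["control_sheet"])
    for item in ok["rejected"]:
        print(item["doc_no"], item["reasons"])
```

Note that the control sheet comparison runs before any record is validated: a total mismatch means records were lost, duplicated or mis-keyed between the source documents and the screen, which no per-record edit check can see. Rejected records are reported rather than silently dropped so that the completeness objective is met once they are corrected and re-entered.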
Slide 52: 5.10 How are controls identified in advanced technologies? Controls for advanced technologies
- The substance of the controls remains the same in an advanced system.
- Process to follow when implementing or evaluating controls over any form of technology: understand the technology; identify the risks; identify and evaluate existing controls; break the technology down into components (e.g. input, processing and reviews); compare actual vs theoretical; evaluate the impact of the existing controls and the risk; select suitable controls to mitigate the remaining risks.

Slide 53: 5.10.1 Electronic commerce, electronic funds transfers and other data communication
- Electronic commerce (online trading): buying and selling over an electronic platform. Electronic Communications and Transactions Act, 2002.
- Examples of primary risks with electronic communication: authenticating users; correct and accurate capturing of data; communication between the internet service provider and the company.

Slide 54: 5.10.1 Electronic commerce, electronic funds transfers and other data communication: controls
- Input controls (at capturing); restricting and authenticating users; data transfer over the internet; legal matters; continuity; logs and reviews; other.

Slide 55: 5.10.2 Service organisations, outsourcing and data warehousing
- Outsourcing: performed by a third party (the "service organisation", SO) rather than by the company itself.
- Data warehousing: data stored on a third party's server for a fee.
- Most important issues relating to data: transfer from the company to the SO; ownership; security and protection at the SO; losses.

Slide 56: Appendix: Electronic Funds Transfer controls
- EFT control components: capturing of data; restricting access of users and authenticating users; transfer of data over the internet; protecting against losses; policies and procedures; logs and reviews; other specialised controls.
- Refer to the Appendix of Auditing Fundamentals for the risks, objectives and detailed controls.

Any questions?