Lesson 7 & 8 Internal Controls Concepts Knowledge PDF
Philippine Women's University - CDCEC
Dandref C. Reyes
Summary
This document covers internal control concepts, including the types, objectives, and systems of internal controls. It explains how internal controls are used to achieve organizational objectives.
Full Transcript
IT AUDIT AND CONTROL
Internal Controls Concepts Knowledge
Lesson 7 & 8
BY: DANDREF C. REYES

INTERNAL CONTROLS

Confusion commonly arises as to what exactly a control is. A control may be defined as any action taken by management to enhance the likelihood that established objectives and goals will be achieved. It results from management's planning, organizing, and directing, and its many variants (e.g., management control, internal control, etc.) can be incorporated within the generic term.

Management controls are intended to ensure that an organization is working toward its stated objectives:
– Corporate objectives and goals are the statement of corporate intent
– Management objectives define how the corporate objectives will be met
– Internal control ensures that the programs put in place to meet management objectives are properly planned and executed

The level of control needed will be affected by the overall objectives. Corporate objectives and goals are the statement of corporate intent and are generally very broad, while management objectives define how the corporate objectives will be met and are normally much more detailed. Internal control is designed to ensure that the programs put in place to meet management objectives are properly planned and executed.

Control responsibility is clearly management's job and encompasses planning, organizing, and directing. Planning in this case means establishing objectives and goals as well as choosing the preferred methods of utilizing resources. Organizing involves gathering the required resources and arranging them in such a way that the objectives may be attained. The directing process of management includes authorizing, instructing, and monitoring performance, as well as periodically comparing actual to planned performance.

Within the IS environment, this involves ensuring that systems function as intended, data integrity is maintained, confidentiality is maintained, systems are available as and when required, data accuracy and completeness are maintained, and access is granted only on an authorized basis. Management decisions may be classified as strategic, tactical, or operational, and all decisions at whatever level are impacted by the IS designed to provide the basis upon which the decisions are made. IS audit must then ensure that the system of internal control will be effective and functions as intended.

INTERNAL CONTROL OBJECTIVES

Overall, internal control objectives, at a detailed level, can be seen to encompass:

Reliability and Integrity of Information. If management cannot trust the reliability and integrity of the information held and processed within the IS, then all information must be deemed suspect and, in some cases, this may be more detrimental to the organization than a loss of information systems.

Compliance with Policies, Plans, Procedures, Laws, and Regulations. Laws and regulations are imposed externally and must be complied with. Inadequate information systems may lead to the organization inadvertently breaching the laws of the country, with resulting losses in terms of fines, penalties, and possibly imprisonment for corporate officers.

Safeguarding of Assets. Loss of assets is typically one of the most visible risks an organization can face, and these typically lead to the implementation of the most visible controls, such as locks on doors, safes, security guards, and so forth.

Effectiveness and Efficiency of Operations. Effectiveness involves the achievement of established objectives and should be the ultimate focus of all operations and controls. Many information systems, at the time of the original design, were focused upon achieving the corporate objectives.
TYPES OF INTERNAL CONTROLS

Internal controls can be classified into various types, and it is the combination of these controls that makes up the overall system of internal controls designed to achieve the general control objectives. Such controls can be classified into:

1. Preventative controls, which occur before the fact but can never be 100% effective and therefore cannot be wholly relied upon. These could include controls such as restrictions on users, requirements for passwords, and separate authorization of transactions.

2. Detective controls, which detect irregularities after occurrence and may be cheaper than checking every transaction with a preventative control. Such controls could include effective use of audit trails and the use of exception reports.

3. Corrective controls, which ensure the correction of problems identified by detective controls and normally require human intervention within the IS. Controls in this area may include such processes as disaster recovery plans and transaction reversal capabilities. Corrective controls are themselves highly error-prone because they occur in unusual circumstances and typically require a human decision to be made, and an action decided upon and implemented.

4. Directive controls, which are designed to produce positive results and encourage acceptable behavior. They do not themselves prevent undesirable behavior and are normally used where there is human discretion in a situation. Thus, informing all users of personal computers that it is their responsibility to ensure adequate backups are taken and stored appropriately does not, of itself, enforce compliance. Nevertheless, such a directive control can be monitored and action taken where the control is breached.

5. Compensating controls, which can be seen to exist where a weakness in one control is compensated for by a control elsewhere. They are used to limit risk exposure and may trap the unwary evaluator. This is particularly true where the auditors are faced with complex integrated systems and the control structures involve a mixture of system-driven and human controls scattered over a variety of operational areas.

SYSTEMS OF INTERNAL CONTROL

It is the overall combination of the individual elements of control that makes up the system of internal control. This may be defined as the overall infrastructure within which the other control elements will function; it establishes the conditions under which the rest of the internal controls will operate. The control framework includes the policies and procedures that describe the scope of a function, its activities, and its interrelationships with other departments, as well as the external influences of laws and regulations, customs, union agreements, and its competitive environment.

STANDARDS FOR THE PROFESSIONAL PERFORMANCE OF INTERNAL AUDITING

The Standards themselves have been regrouped and redefined into Attribute, Performance, and Implementation Standards:

Attribute Standards. These address the attributes of organizations and individuals performing internal audit services and apply to all internal audit services.

Performance Standards. These describe the nature of internal audit services provided and provide quality criteria against which the performance of these services can be measured.

Implementation Standards. These prescribe Standards applicable to specific types of engagements in a variety of industries as well as specialist areas of service delivery.

ELEMENTS OF INTERNAL CONTROL

Given the overall control objectives noted in the preceding section, control structures must be designed in order to ensure:

1. Segregation of duties. Controls to ensure that those who physically handle assets are not those who record asset movements. Within a modern computer system this is normally achieved by a combination of user identification, user authentication, and user authorization.

2. Competence and integrity of people. Underpinning the control system are the people who enforce it. In order for controls to be effective, those who exercise control must be capable of doing so and honest enough to consistently do so.

3. Appropriate levels of authority. A common mistake in control structures is the granting of too much authority within control boundaries. Authorities should only be granted on a need-to-have basis. If there is no need for a particular individual to have specific authorities, they should not be granted.

4. Accountability. For all decisions, transactions, and actions taken, there must be controls that allow the determination of who did what with an acceptable degree of confidence. This normally involves the use of control logs and audit trails.

5. Adequate resources. Controls that are attempted with inadequate resources will typically fail whenever they come under stress. Adequate resources include manpower, finance, equipment, materials, and methodologies.

6. Supervision and review. Adequate supervision of the appropriate type is fundamental to the implementation of sound internal control.

AUTOMATED SYSTEMS

Within our information systems there are two primary software components that add to or subtract from control, plus a special case of the second:

Systems Software. Systems software includes computer programs and routines controlling computer hardware, processing, and non-user functions. This category includes the operating systems, telecommunications software, and data management software.

Applications Software. Applications software includes computer programs written to support business functions such as the general ledger, payroll, stock systems, order processing, and other such line-of-business functions.

End-User Systems. End-user systems are a special type of application system, generated outside the IS organization to meet specific user needs. These include micro-based packages as well as user-developed systems.
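The following is an added example, not code from the lecture, showing how the control types from TYPES OF INTERNAL CONTROLS (preventative, detective, corrective) and elements 1, 3 and 4 from ELEMENTS OF INTERNAL CONTROL (segregation of duties, appropriate levels of authority, accountability) look inside a small piece of applications software, here a toy payment-approval ledger. The users, roles, approval limits and amounts are constructed, and the `import_legacy` migration path is a hypothetical bypass added to show why a preventative control alone cannot be relied upon and why a detective control must run over all records regardless of how they were created.

```python
# Added example, not from the lecture: a toy payment-approval ledger. Users,
# roles, limits and the legacy-import path are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical authority table (need-to-have basis): a clerk may enter
# transactions but approve nothing; the figure is the largest amount approvable.
ROLE_APPROVAL_LIMIT = {"clerk": 0, "supervisor": 10_000, "manager": 100_000}

@dataclass
class Transaction:
    tx_id: int
    amount: int
    entered_by: str
    approved_by: Optional[str] = None
    is_reversed: bool = False

class Ledger:
    def __init__(self, users):
        self.users = users         # user -> role (identification and authorization)
        self.transactions = {}     # tx_id -> Transaction
        self.audit_trail = []      # accountability: who did what, when, with what result
        self._next_id = 1

    def _log(self, actor, action, tx_id, outcome):
        self.audit_trail.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                                 "action": action, "tx_id": tx_id, "outcome": outcome})

    def _store(self, tx):
        self.transactions[tx.tx_id] = tx
        self._next_id += 1
        return tx.tx_id

    # Preventative controls: enforced before the transaction takes effect.
    def enter(self, user, amount):
        if user not in self.users:                       # restriction on users
            raise PermissionError("unknown user %r" % user)
        tx_id = self._store(Transaction(self._next_id, amount, user))
        self._log(user, "enter", tx_id, "ok")
        return tx_id

    def approve(self, user, tx_id):
        tx = self.transactions[tx_id]
        if user == tx.entered_by:                        # segregation of duties
            self._log(user, "approve", tx_id, "denied: self-approval")
            raise PermissionError("the entering user may not approve")
        limit = ROLE_APPROVAL_LIMIT.get(self.users.get(user), 0)
        if tx.amount > limit:                            # appropriate level of authority
            self._log(user, "approve", tx_id, "denied: over authority limit")
            raise PermissionError("%s may approve at most %d" % (user, limit))
        tx.approved_by = user
        self._log(user, "approve", tx_id, "ok")

    # Hypothetical bulk-migration path that trusts its input: the gap that keeps preventative controls below 100%.
    def import_legacy(self, actor, amount, entered_by, approved_by):
        tx_id = self._store(Transaction(self._next_id, amount, entered_by, approved_by))
        self._log(actor, "import", tx_id, "ok")
        return tx_id

    # Detective control: exception report run after the fact over every approved, unreversed transaction.
    def exception_report(self):
        findings = []
        for tx in self.transactions.values():
            if tx.is_reversed or tx.approved_by is None:
                continue
            if tx.approved_by == tx.entered_by:
                findings.append((tx.tx_id, "entered and approved by the same user"))
            limit = ROLE_APPROVAL_LIMIT.get(self.users.get(tx.approved_by), 0)
            if tx.amount > limit:
                findings.append((tx.tx_id, "approved above authority limit %d" % limit))
        return findings

    # Corrective control: a human-initiated reversal, itself written to the trail.
    def reverse(self, user, tx_id, reason):
        self.transactions[tx_id].is_reversed = True
        self._log(user, "reverse", tx_id, "ok: " + reason)

    # Accountability: reconstruct from the trail who acted on a transaction.
    def who_did(self, tx_id):
        return ["%s %s (%s)" % (e["actor"], e["action"], e["outcome"])
                for e in self.audit_trail if e["tx_id"] == tx_id]

def demo():
    ledger = Ledger({"alice": "clerk", "bob": "supervisor", "carol": "manager"})
    t1 = ledger.enter("alice", 5_000)
    ledger.approve("bob", t1)                  # different user, within limit: allowed
    t2 = ledger.enter("alice", 50_000)
    try:
        ledger.approve("bob", t2)              # denied and logged: above the supervisor limit
    except PermissionError:
        pass
    ledger.approve("carol", t2)                # a manager may approve it
    t3 = ledger.import_legacy("migration-job", 900, "alice", "alice")
    findings = ledger.exception_report()       # catches the self-approved import
    for tx_id, _ in findings:
        ledger.reverse("carol", tx_id, "flagged by exception report")
    return {"t1": t1, "t2": t2, "t3": t3, "findings": findings,
            "trail_t2": ledger.who_did(t2), "after_fix": ledger.exception_report()}
```

Running `demo()` shows the three control types working together: `approve` blocks self-approval and over-limit approvals before the fact and logs the denial, the imported record slips past those checks, `exception_report` flags it afterwards on two grounds (same user entered and approved; a clerk has no approval authority), and `reverse` corrects it under a human decision that is itself logged. The denied attempt on the second transaction stays in the audit trail, which is what makes the trail useful for accountability rather than only for successful actions.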
CONTROL PROCEDURES

In order to ensure that control over the corporate computer investment is adequate, a range of controls is required, including:

General IS Controls. Covering the environment within which the computer systems are utilized.
Computer Operations. Covering the day-to-day operations of the machine.
Physical Security. Covering the security of the physical hardware, software, buildings, and staff.
Logical Security. Covering the manner in which data and software are protected from access via the systems themselves.
Program Change Control. To ensure that systems that are correct and functional continue to be so.
Systems Development. To ensure that the systems in use by the organization are effective, efficient, and economical.

CORPORATE IT GOVERNANCE

The importance of good governance has become a watchword internationally and has been driven by the requirements of the global economy for transparency and accountability in organizational stewardship. Corporate governance involves the mechanisms by which a business enterprise is directed and controlled. It concerns the mechanisms through which corporate management is held accountable for corporate conduct and performance, and provides the framework within which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined.

COSO AND INFORMATION TECHNOLOGY

The Committee of Sponsoring Organizations (COSO) was established in 1985 by five private-sector professional organizations from the accounting, auditing, and finance fields in the United States. The committee's purpose was to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The National Commission was independent of its sponsors, so there were no conflicts of interest, and it included representatives from regulatory agencies, public companies, and educational institutions.

COSO is a committee composed of representatives from five organizations:
– American Accounting Association
– American Institute of Certified Public Accountants
– Financial Executives International
– Institute of Management Accountants
– Institute of Internal Auditors

WHAT IS THE COSO FRAMEWORK?

The original COSO framework was developed in 1992, with the most recent version published in 2013. To understand the framework, you must understand what it covers. According to COSO, internal control:
– Focuses on achieving objectives in operations, reporting and/or compliance
– Is an ongoing process
– Depends on people's actions, not merely written policies and procedures
– Provides reasonable, not absolute, assurance to senior management
– Can be adapted to the needs of the whole organization as well as each department, unit or process

INTERNAL CONTROL GOALS

The COSO framework divides internal control objectives into three categories: operations, reporting and compliance.

Operations objectives, such as performance goals and securing the organization's assets against fraud, focus on the effectiveness and efficiency of your business operations.

Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to the transparency, timeliness and reliability of the organization's reporting habits.

Compliance objectives are internal control goals based around adhering to the laws and regulations that the organization must comply with.

MIDTERM: ACTIVITY 2

Elaborate your answers. Minimum of two (2) paragraphs each.
1. Why do you think there should be a standard in performing IS audit?
2. How important are these standards in the process of IS auditing?