Internal Control
The establishment and maintenance of a system of internal
control is an important management obligation.
A fundamental aspect of management's stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley Act)
An adequate system of internal control is necessary to
management's discharge of these obligations.
- Securities and Exchange Commission
Internal Control in Concept
The internal control system comprises the policies, practices, and
procedures employed by the organization to achieve four
broad objectives:
To safeguard the assets of the firm.
To ensure the accuracy and reliability of accounting records
and information.
To promote efficiency in the firm's operations.
To measure compliance with management's prescribed
policies and procedures.
Exposure and Risk
Internal control acts as a shield (Figure 1-4) that protects the firm from
numerous undesirable events:
Attempts at unauthorized access to the firm's assets (including
information)
Fraud perpetrated by persons both inside and outside the firm
Errors due to employee incompetence, faulty computer
programs, or corrupted input data
Mischievous acts, such as unauthorized access by computer
hackers and threats from computer viruses that destroy
programs and databases
The absence or weakness of a control is called an exposure.
Exposures increase the firm's risk of financial loss or injury from
undesirable events.
A weakness in internal control may expose the firm to one or
more of the following types of risk:
Destruction of assets (both physical assets and information)
Theft of assets
Corruption of information or of the information system
(errors or unauthorized alterations)
Disruption of the information system (an interruption or breakdown of processing)
3 Levels of Control
Preventive controls, detective controls, and corrective controls
(Fig. 1-5)
Preventive Controls
First line of defense in the control structure
Passive techniques designed to reduce the frequency of
occurrence of undesirable events
Preventing errors and fraud is far more cost-effective than
detecting and correcting problems after they occur
Information-security example: a firewall, which blocks disallowed traffic before it reaches a system
A well-designed data entry screen is a preventive control: it rejects
malformed or out-of-range input before the transaction is posted
Not all problems can be anticipated and prevented.
Detective Controls
Second line of defense
Devices, techniques, and procedures designed to identify and
expose undesirable events that elude preventive controls
Information-security example: an intrusion detection system (IDS), which flags suspicious activity that the firewall allowed through
Corrective Controls
Corrective controls are the actions taken to reverse the effects of detected
errors
Detective controls identify undesirable events and draw
attention to the problem; corrective controls fix the problem.
Statement on Auditing Standards No. 78 (SAS 78)
The authoritative document, at the time of this text, for specifying internal control
objectives and techniques. SAS 78 adopted the COSO definition of internal control; it has since been
superseded by later risk-assessment standards (SAS 109, later codified as AU-C section 315), but the
objectives and control categories it describes remain in use.
Control Risk
Control risk is the likelihood that the control structure is flawed because
controls are either absent or inadequate to prevent or detect
errors in the accounts.
Auditors reduce the assessed level of control risk by performing tests of
internal controls, e.g., submitting known-erroneous test transactions and checking
whether the controls reject or flag them.
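The three levels of control and the auditor's test of controls, worked through in code. This is an added example, not code from the textbook or the slides; the chart of accounts, the reasonableness limit, the batch of transactions and its control totals are all constructed for illustration. The entry-screen validation plays the preventive control, the batch-total and duplicate-entry checks the detective control, the reversal and re-keying the corrective control, and run_test_of_controls() plays the auditor, seeding a batch with known errors to see which are prevented at entry, which the batch checks detect, and whether the corrections bring the batch back into agreement with the control sheet.

```python
# Preventive, detective and corrective controls around a small sales ledger,
# followed by an auditor-style test of controls. Constructed example.
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000-CASH", "1200-AR", "4000-SALES"}   # assumed chart of accounts
REASONABLENESS_LIMIT = Decimal("1000000.00")              # assumed single-entry ceiling


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    amount: str        # raw text exactly as keyed on the data-entry screen
    entered_by: str


class ValidationError(ValueError):
    """Raised by the preventive control for input that must not be posted."""


def validate(txn: Transaction) -> Decimal:
    """Preventive control: the 'well-designed data entry screen'.
    Rejects malformed input before it can reach the ledger."""
    if txn.account not in VALID_ACCOUNTS:
        raise ValidationError(f"{txn.txn_id}: unknown account {txn.account!r}")
    try:
        amount = Decimal(txn.amount)
    except InvalidOperation:
        raise ValidationError(f"{txn.txn_id}: amount {txn.amount!r} is not numeric") from None
    if not amount.is_finite() or amount <= 0:
        raise ValidationError(f"{txn.txn_id}: amount must be a positive number")
    if amount > REASONABLENESS_LIMIT:
        raise ValidationError(f"{txn.txn_id}: amount exceeds reasonableness limit")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValidationError(f"{txn.txn_id}: amount must have at most two decimals")
    return amount


@dataclass
class Ledger:
    posted: dict = field(default_factory=dict)      # txn_id -> (account, amount, entered_by)
    rejected: list = field(default_factory=list)    # messages from the preventive control
    backed_out: dict = field(default_factory=dict)  # entries undone by the corrective control

    def post(self, txn: Transaction) -> bool:
        """Run the preventive control, then post. Returns True if the entry was posted."""
        try:
            amount = validate(txn)
        except ValidationError as exc:
            self.rejected.append(str(exc))
            return False
        if txn.txn_id in self.posted:
            self.rejected.append(f"{txn.txn_id}: transaction id already posted")
            return False
        self.posted[txn.txn_id] = (txn.account, amount, txn.entered_by)
        return True

    def balance(self, account: str) -> Decimal:
        return sum((amt for acct, amt, _ in self.posted.values() if acct == account), Decimal("0"))

    def detect(self, control_total: Decimal, control_count: int) -> list:
        """Detective control: batch control totals plus a duplicate-entry check.
        Every posted entry passed the screen on its own; these checks look at the batch."""
        findings = []
        total = sum((amt for _, amt, _ in self.posted.values()), Decimal("0"))
        if total != control_total:
            findings.append(f"batch total {total} != control total {control_total}")
        if len(self.posted) != control_count:
            findings.append(f"record count {len(self.posted)} != control count {control_count}")
        for (acct, amt), n in Counter((a, m) for a, m, _ in self.posted.values()).items():
            if n > 1:
                ids = [tid for tid, (a, m, _) in self.posted.items() if (a, m) == (acct, amt)]
                findings.append(f"possible duplicate entry of {amt} to {acct}: {ids}")
        return findings

    def reverse(self, txn_id: str) -> bool:
        """Corrective control: back out an entry the detective control flagged.
        The entry is kept in backed_out so the audit trail survives."""
        if txn_id not in self.posted:
            return False
        self.backed_out[txn_id] = self.posted.pop(txn_id)
        return True


def run_test_of_controls() -> dict:
    """Auditor's test of controls: key a batch seeded with known errors and record
    what was prevented at entry, what the batch checks detected, and whether the
    corrective actions bring the batch back into agreement with the control sheet."""
    batch = [  # constructed batch; the genuine source documents are T1..T4, once each
        Transaction("T1", "4000-SALES", "250.00", "clerk-a"),  # valid
        Transaction("T2", "4000-SALES", "1O0.00", "clerk-a"),  # letter O keyed for zero
        Transaction("T3", "9999-XXXX", "40.00", "clerk-b"),    # account not in the chart
        Transaction("T4", "1200-AR", "75.00", "clerk-b"),      # valid
        Transaction("T5", "1200-AR", "75.00", "clerk-c"),      # T4's document keyed a second time
        Transaction("T6", "1000-CASH", "-20.00", "clerk-c"),   # sign error
    ]
    control_total, control_count = Decimal("465.00"), 4  # from the documents: 250+100+40+75
    ledger = Ledger()
    prevented = [t.txn_id for t in batch if not ledger.post(t)]
    detected = ledger.detect(control_total, control_count)
    ledger.reverse("T5")  # corrective: back out the duplicate ...
    for fixed in (Transaction("T2", "4000-SALES", "100.00", "supervisor"),
                  Transaction("T3", "1200-AR", "40.00", "supervisor")):
        ledger.post(fixed)  # ... and re-key the two rejected documents correctly
    return {
        "prevented": prevented,
        "detected": detected,
        "after_correction": ledger.detect(control_total, control_count),
        "posted": sorted(ledger.posted),
        "ar_balance": ledger.balance("1200-AR"),
    }


if __name__ == "__main__":
    for key, value in run_test_of_controls().items():
        print(f"{key}: {value}")
```

Note what each layer catches: the entry screen stops the non-numeric amount, the unknown account and the negative amount, but it cannot see that T5 is the same source document as T4, because each transaction is valid on its own. Only the batch-level detective control (control total, record count, duplicate check) exposes that, and only after the corrective steps (reverse T5, re-key T2 and T3) does the batch agree with the control sheet again. A real ledger would post a reversing entry rather than pop the record; the example keeps the backed-out entry in a separate dict so the trail is not lost.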
CHAPTER 2 Auditing IT Governance Controls
Information technology (IT) governance is a relatively
new subset of corporate governance that focuses on the
management and assessment of strategic IT resources. Key
objectives of IT governance are to reduce risk and ensure that
investments in IT resources add value to the corporation.
IT Governance Controls
These controls focus on:
1. Organizational structure of the IT function
2. Computer center operations
3. Disaster recovery planning
STRUCTURE OF THE INFORMATION TECHNOLOGY FUNCTION
The organization of the IT function has implications for the
nature and effectiveness of internal controls, which, in turn,
has implications for the audit.
Centralized Data Processing
Under the centralized data processing model, all data
processing is performed by one or more large computers
housed at a central site that serves users throughout the
organization.
Org Chart of a Centralized IT Function
Related Terms
Database Administration
Centrally organized companies maintain their data resources
in a central location that is shared by all end users. In this
shared data arrangement, an independent group headed by
the database administrator (DBA) is responsible for the
security and integrity of the database.
Data Processing
The data processing group manages the computer resources
used to perform the day-to-day processing of transactions. It
consists of the following organizational functions: data
conversion, computer operations, and the data library.
Data Conversion. The data conversion function transcribes
transaction data from hard-copy source documents into
computer input. For example, data conversion could involve
keying sales orders into a sales order application in
modern systems, or transcribing data onto magnetic media
(tape or disk) suitable for computer processing in legacy
systems.
Computer Operations. The electronic files produced in data
conversion are later processed by the central computer, which
is managed by the computer operations group. Accounting
applications are usually executed according to a strict
schedule that is controlled by the central computer's
operating system.
Data Library. The data library is a room adjacent to the
computer center that provides safe storage for the off-line
data files. Those files could be backups or current data files.
For instance, the data library could be used to store backup
data on DVDs, CD-ROMs, tapes, or other storage devices.
Systems Development
The information systems needs of users are met by two
related functions: system development and systems
maintenance.
Systems Development is responsible for analyzing user needs
and for designing new systems to satisfy those needs. The
participants in system development activities include systems
professionals, end users, and stakeholders.
Systems professionals include systems analysts, database
designers, and programmers who design and build the
system. Systems professionals gather facts about the user's
problem, analyze the facts, and formulate a solution. The
product of their efforts is a new information system.
End users are those for whom the system is built. They are
the managers who receive reports from the system and the