Control Activities and Monitoring


Control activities
- Are the policies and procedures that reduce risks that may undermine
the achievement of management objectives.
- Policies establish what should be done and serve as a basis for the
procedures that are needed to comply with the policies.
- These activities help ensure that management's identified risk
responses are carried out.
- A major task for an organization is to identify what control activities are
desirable for that particular organization.
Underlying concepts of control activities
1. Isolation: data, programs, documentation and information processing
facilities should be isolated to protect them from potential hazards, and
access privileges should be restricted and monitored.
2. Redundancy: backup copies of programs and data should be made for
security reasons.
3. Comparison: comparisons between data provide a check on accuracy
and may signal problems to be investigated.
4. Assistance: control problems often result from the inability to handle a
job, inadequate training and lack of ongoing guidance.
5. Oversight: supervision of employees, internal audits, and external
audits encourage careful work and reduce the likelihood that
inappropriate activity will occur.
6. Accountability: holding employees accountable for their actions
promotes compliance with established control activities.
Placement of control activities
- The effectiveness of many control activities depends on their existence
in both computer software and human operating procedures.
- A current trend with respect to control placement is automated
controls. This is a movement away from controls in human operating
procedures and toward controls programmed into computer software.
Limitations of control activities
- Control activities cannot provide absolute assurance that all risks
associated with the achievement of entity objectives will be eliminated.
- Control activities require additional costs to implement and may result
in a decrease in operational efficiency.
Types of control activities:
1. Preventive controls deal with or stop potential problems through the
controls in place.
2. Detective controls provide feedback regarding violations of the controls
in place.
3. Corrective controls remedy violations that have been detected.
Classification scheme for control activities

1. Performance review: designed to mitigate risks that can have an
adverse effect on meeting objectives in the broad category of
effectiveness and efficiency of operations.
2. Physical controls: include devices and measures that protect computer
hardware and other assets, such as cash, inventories, securities, fixed
assets, mechanical signers, and signature plates.
3. Segregation of duties: ensures that a single individual cannot both
perpetrate and conceal an error or an inappropriate act, and mandates
that the following duties be segregated:
   - Authorization of transactions and other events
   - Custody of assets
   - Record keeping and modification of related data and program files
4. Information processing: control activities in the information processing
category are designed to mitigate risks that have an adverse effect on
achieving objectives in all four categories: supporting the
organization's vision or mission, ensuring the quality of operations, and
complying with applicable laws and regulations.
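The segregation-of-duties rule above can be checked mechanically: given who holds which roles and which of the three duties each role carries, any one person holding two or more of the duties is a finding. The following is an added example, not part of the notes; the roles, users and duty assignments are constructed for illustration.

```python
# Added example (not from the notes). The three duties the notes say must be
# held by different people, plus a constructed role/user assignment to check.
AUTHORIZATION, CUSTODY, RECORD_KEEPING = "authorization", "custody", "record_keeping"
INCOMPATIBLE_DUTIES = {AUTHORIZATION, CUSTODY, RECORD_KEEPING}

# Constructed sample: which duties each role carries, and which roles each user holds
ROLE_DUTIES = {
    "purchasing_approver": {AUTHORIZATION},
    "warehouse_clerk": {CUSTODY},
    "ap_accountant": {RECORD_KEEPING},
    "erp_admin": {RECORD_KEEPING, AUTHORIZATION},   # a role that on its own combines two duties
}
USER_ROLES = {
    "carol": {"purchasing_approver"},
    "dave": {"warehouse_clerk", "ap_accountant"},     # two roles that together conflict
    "erin": {"erp_admin"},
    "frank": {"ap_accountant"},
}


def effective_duties(user, user_roles, role_duties):
    """All duties a user holds through any of their roles."""
    duties = set()
    for role in user_roles.get(user, set()):
        duties |= role_duties.get(role, set())
    return duties


def conflicting_roles(role_duties):
    """Roles that by themselves combine two or more incompatible duties."""
    return sorted(role for role, duties in role_duties.items()
                  if len(duties & INCOMPATIBLE_DUTIES) >= 2)


def sod_violations(user_roles, role_duties):
    """Users who could both perpetrate and conceal: those holding two or more
    of the incompatible duties. Returns {user: sorted conflicting duties}."""
    violations = {}
    for user in user_roles:
        held = effective_duties(user, user_roles, role_duties) & INCOMPATIBLE_DUTIES
        if len(held) >= 2:
            violations[user] = sorted(held)
    return violations


if __name__ == "__main__":
    print("roles that violate SoD:", conflicting_roles(ROLE_DUTIES))   # ['erp_admin']
    for user, duties in sod_violations(USER_ROLES, ROLE_DUTIES).items():
        print(f"{user}: holds {duties} - reassign one of these roles")
```

Checking roles on their own (erp_admin) as well as users' combined roles (dave) matters, because a role catalogue can look clean while the combination of roles assigned to one person still breaks the rule.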
Information Processing general controls
- Relate to reliability and consistency of the overall information
processing environment, and they support application controls.
- Information processing general controls include:
a. Access security deals with who can access what.
Users should be granted access to the following elements of
an accounting system on a need-to-know basis:
File server or host computer
Operating systems
System software
Database management system
Application programs
Data files
An attempted access violation should cause a warning or error
message to appear on the screen and result in either
termination of processing or shutdown of a workstation.
Several ways of restricting access are through:
1. User identification: a personal identification code that
tells the system who the user is.
2. User authentication: the way a user proves to the
system that the user is who he or she says. Authentication is
commonly provided by a password that is entered by the user when
logging on to the system.
3. User rights: rights to access files, directories and tables, or
functions based on specific authorization. Users can be
granted or denied rights in a variety of ways.
4. Directory and file attributes: these attributes can be used
to override user access rights. For example, if a user has
been explicitly granted the erase right to a file, but a read-only
attribute has been assigned to the file, the user cannot
erase the file.

5. Cryptography: the process of transforming, or
encrypting, data (usually by scrambling) into a code.
When the recipient receives the data, it must be
decrypted, or restored to its original state.
It is a fairly reliable method of protecting all Internet-related
activity as well as the information that a
company physically maintains.
6. Transmission medium: networks present additional concerns
over unauthorized access to transmitted data because the
transmission medium can be violated.
Some results of unauthorized access are eavesdropping on data in
transit, alteration of data in transit, and the introduction of
unauthorized instructions, particularly viruses, into the network.
7. Firewalls: consist of hardware and software that work
together to channel all Internet communications through a
control gateway and filter messages coming into the
private network.
The firewall knows where all messages originate
because all have an Internet address.
The firewall will allow only messages from addresses
that have been approved to pass through it.
8. Automatic log off
Procedures can be established for the automatic log
off, or disconnection, of a workstation from a file
server or host computer if there has been no activity
for a given period of time.
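Several of the access-security mechanisms listed above (user rights, directory and file attributes that override them, the warning and termination on an attempted violation, the firewall's approved-address filter, and automatic log-off after inactivity) fit together in one small access check. The code below is an added example, not from the notes; the users, file rights, the read-only attribute, the 600-second idle limit, the three-violation threshold and the approved networks are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data for this example (not from the notes).
# Per-user rights on files, and per-file attributes that override those rights.
USER_RIGHTS = {
    "alice": {"/ledger/2024.dat": {"read", "write", "erase"}},
    "bob":   {"/ledger/2024.dat": {"read"}},
}
FILE_ATTRIBUTES = {
    "/ledger/2024.dat": {"readonly"},   # read-only attribute overrides write/erase rights
}
READONLY_BLOCKS = {"write", "erase"}    # rights a read-only attribute denies

IDLE_LIMIT_SECONDS = 600   # assumed automatic log-off threshold
MAX_VIOLATIONS = 3         # assumed: terminate the session after this many denied attempts

# Assumed firewall policy: only messages from approved source networks pass the gateway
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Session:
    user: str
    last_activity: float   # seconds, on the same clock as the `now` passed to check_access
    violations: int = 0
    terminated: bool = False


def check_access(session: Session, path: str, right: str, now: float) -> bool:
    """Return True if the access is allowed.

    Applies, in order: automatic log-off after inactivity, the user's granted
    rights, and the file-attribute override. A denied attempt is an access
    violation; repeated violations terminate the session."""
    if session.terminated:
        return False
    if now - session.last_activity > IDLE_LIMIT_SECONDS:
        session.terminated = True          # automatic log-off: no activity for too long
        print(f"{session.user}: logged off after inactivity")
        return False
    session.last_activity = now
    granted = right in USER_RIGHTS.get(session.user, {}).get(path, set())
    overridden = right in READONLY_BLOCKS and "readonly" in FILE_ATTRIBUTES.get(path, set())
    if granted and not overridden:
        return True
    session.violations += 1
    print(f"WARNING: {session.user} denied '{right}' on {path}")
    if session.violations >= MAX_VIOLATIONS:
        session.terminated = True          # termination of processing after repeated violations
        print(f"{session.user}: session terminated after {session.violations} violations")
    return False


def firewall_allows(source_ip: str) -> bool:
    """Gateway filter: pass a message only if its source address is on the approved list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in APPROVED_NETWORKS)


if __name__ == "__main__":
    s = Session(user="alice", last_activity=0.0)
    print(check_access(s, "/ledger/2024.dat", "read", 1.0))    # True
    print(check_access(s, "/ledger/2024.dat", "erase", 2.0))   # False: read-only attribute wins
    print(firewall_allows("10.0.0.7"), firewall_allows("203.0.113.9"))   # True False
```

Note the order of the checks: the idle test runs before anything else, so a workstation left unattended is disconnected even if the request itself would have been permitted, and the attribute override is applied after the rights lookup so that an explicitly granted erase right still loses to the read-only attribute, exactly as item 4 describes.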
Network and Data Service Center Operations Control
1. Backup controls: all files should be backed up routinely, and the
backup copies should be stored in secure, off-site locations and tested
regularly for readability.
2. Downtime controls: to reduce the amount of downtime, maintenance
schedules should be established for all computer hardware.
3. Recovery controls: deal with prompt recovery from equipment failure
and natural disasters that could put the information processing
facilities out of operation for an extended period.
A disaster recovery plan documents recovery procedures to
quickly and smoothly restore an organization's processing
capabilities after a catastrophic incident.
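"Tested regularly for readability" is the part of the backup control that is most often skipped. The added example below (not from the notes) shows one way to make that test routine: record a SHA-256 digest for every file at backup time, then re-read each copy later and compare. The directories, file names and the deliberate corruption in `demo()` are constructed for the example; off-site storage is not simulated.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, backup_dir: Path) -> Path:
    """Copy every file under source_dir to backup_dir and write a manifest
    of SHA-256 digests taken from the copies (so the manifest describes what
    was actually written, not what was read)."""
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[str(rel)] = sha256_of(dst)
    manifest_path = backup_dir / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_backup(backup_dir: Path) -> list:
    """Readability test: re-read every file named in the manifest and return
    a list of problems (missing files or digest mismatches). Empty means the
    backup is readable and intact."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in sorted(manifest.items()):
        copy = backup_dir / rel
        if not copy.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two files, verify, then damage one copy
    and verify again. Returns (problems before, problems after)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "data", Path(tmp) / "backup"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "payroll.csv").write_text("id,net\n7,2500\n")
        make_backup(src, bak)
        before = verify_backup(bak)
        (bak / "ledger.csv").write_bytes(b"\x00garbage")   # simulate media corruption
        after = verify_backup(bak)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup problems:", before)     # []
    print("after corruption:", after)           # ['corrupt: ledger.csv']
```

A scheduled job that runs `verify_backup` against the off-site copy and raises an alert on a non-empty result turns the "tested regularly" requirement into a detective control rather than a good intention.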
Information Processing Application Controls
1. Input controls refer to the authorization, entry and verification of data
entering the system.
2. Processing controls refer to accurate and complete processing of
transactions and other events.
3. Output controls relate to providing output to the appropriate people
and using the output appropriately.
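Input and processing controls, together with the "comparison" concept from the underlying concepts above, can be shown on one small transaction batch: each record is checked for required fields, valid formats and an approver with sufficient authority (input controls), only passing records are posted, and the count and control total carried in the batch header are compared with what was received so a lost or altered record is flagged (processing control). This is an added example, not from the notes; the approval limits, batch header and transaction records are constructed.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Added example (not from the notes). Constructed authorization table:
# each approver may authorize transactions only up to their limit.
APPROVAL_LIMITS = {"carol": Decimal("5000"), "gary": Decimal("50000")}

# Constructed input batch. The header carries the record count and control
# total that the processing step compares against.
BATCH_HEADER = {"record_count": 4, "control_total": Decimal("7350.00")}
BATCH = [
    {"id": "T1", "account": "6100", "amount": "1200.00", "date": "2024-03-01", "approved_by": "carol"},
    {"id": "T2", "account": "6100", "amount": "6000.00", "date": "2024-03-01", "approved_by": "carol"},  # over carol's limit
    {"id": "T3", "account": "",     "amount": "250.00",  "date": "2024-03-02", "approved_by": "gary"},   # missing account
    {"id": "T4", "account": "6200", "amount": "-100.00", "date": "2024-13-01", "approved_by": "gary"},   # bad amount and date
]


def amount_of(rec):
    """Parse the amount field; None if it is not a number."""
    try:
        return Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return None


def validate_record(rec):
    """Input controls: entry checks (required fields, formats, ranges) and an
    authorization check. Returns a list of errors; empty means the record passes."""
    errors = []
    if not rec.get("account"):
        errors.append("missing account")
    amount = amount_of(rec)
    if amount is None:
        errors.append("amount not numeric")
    elif amount <= 0:
        errors.append("amount must be positive")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("invalid date")
    limit = APPROVAL_LIMITS.get(rec.get("approved_by"))
    if limit is None:
        errors.append("approver not authorized")
    elif amount is not None and amount > limit:
        errors.append(f"amount exceeds {rec['approved_by']}'s limit")
    return errors


def process_batch(header, records):
    """Processing controls: post only records that pass input controls, then
    compare what was received against the batch header so that a lost or
    altered record is flagged rather than silently dropped."""
    posted, rejected = [], {}
    for rec in records:
        errors = validate_record(rec)
        if errors:
            rejected[rec["id"]] = errors
        else:
            posted.append(rec)
    amounts = [amount_of(r) for r in records]
    received_total = sum(a for a in amounts if a is not None)
    return {
        "posted": [r["id"] for r in posted],
        "rejected": rejected,
        "posted_total": str(sum(amount_of(r) for r in posted)),
        "count_matches": len(records) == header["record_count"],
        "total_matches": received_total == header["control_total"],
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH)
    print("posted:", result["posted"], "total", result["posted_total"])   # ['T1'] total 1200.00
    for rec_id, errors in result["rejected"].items():
        print(f"rejected {rec_id}: {', '.join(errors)}")
    print("batch reconciles:", result["count_matches"] and result["total_matches"])   # True
```

Rejected records are reported with every failed check rather than just the first, which is what an operator needs to correct and resubmit them; the header comparison is kept separate from record validation because a batch can consist entirely of valid records and still be incomplete.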

Monitoring
- Internal control needs to be monitored to determine whether it is
adequate and effective.
- Includes the modification of existing controls or the design of new ones
to minimize those risks where deficiencies in control have been
discovered.
- IT Auditing is an important monitoring activity.
Methods of conducting IT audits:
a. Auditing around the computer requires that the audit trail be
followed until the data enters the computer.
This method assumes that the accurate output is the
result of proper processing and ignores the control
procedures within the IT environment.
b. Auditing with the computer, also referred to as computer-assisted
audit techniques (CAATs). The auditor uses a microcomputer to perform
substantive tests and limited testing of controls.
c. Auditing through the computer involves testing the
automated processing steps, program logic, edit routines and
programmed controls.
This method is well suited to testing complex IT systems.
