Control Activities and Monitoring
Control activities
- Are the policies and procedures that reduce risks that may undermine
the achievement of management objectives.
- Policies establish what should be done and serve as a basis for the
procedures that are needed to comply with the policies.
- These activities help ensure that management's identified risk
responses are carried out.
- A major task for an organization is to identify what control activities are
desirable for that particular organization.
Underlying concepts of control activities
1. Isolation: data, programs, documentation and information processing
facilities should be isolated to protect them from potential hazards, and
access privileges should be restricted and monitored.
2. Redundancy: backup copies of programs and data should be made for
security reasons.
3. Comparison: comparisons between data provide a check on accuracy
and may signal problems to be investigated.
4. Assistance: control problems often result from the inability to handle a
job, inadequate training and lack of ongoing guidance.
5. Oversight: supervision of employees, internal audits, and external
audits encourage careful work and reduce the likelihood that
inappropriate activity will occur.
6. Accountability: holding employees accountable for their actions
promotes compliance with established control activities.
Placement of control activities
- The effectiveness of many control activities depends on their existence
in both computer software and human operating procedures.
- A current trend with respect to control placement is automated
controls. This is a movement away from controls in human operating
procedures and toward controls programmed into computer software.
Limitations of control activities
- Control activities cannot provide absolute assurance that all risks
associated with the achievement of entity objectives will be eliminated.
- Control activities require additional costs to implement and may result
in a decrease in operational efficiency.
Types of control activities:
1. Preventive controls: deal with or stop potential problems through the
controls in place.
2. Detective controls: provide feedback regarding violations of controls in
place.
3. Corrective controls: remedy violations detected.
Classification scheme for control activities
Monitoring
- Internal control needs to be monitored to determine whether it is
adequate and effective.
- Includes the modification of existing controls or the design of new ones
to minimize those risks where deficiencies in control have been
discovered.
- IT Auditing is an important monitoring activity.
Methods of conducting IT audits:
a. Auditing around the computer: requires that the audit trail be
followed until the data enters the computer.
This method assumes that accurate output is the
result of proper processing and ignores the control
procedures within the IT environment.
b. Auditing with the computer: also referred to as computer-assisted audit techniques (CAATs). The auditor uses a
microcomputer to perform substantive tests and limited testing of
controls.
c. Auditing through the computer: involves testing the
automated processing steps, program logic, edit routines and
programmed controls.
This method is well suited to testing complex IT systems.