
SESSION 16 – INTERNAL CONTROL AND SECURITY

OVERVIEW
Objective

¾ To describe the basic concepts of internal control and security of information systems.

INTERNAL CONTROL
‰ Overview
‰ Components
‰ Alternative categories
‰ Control risk

COMPUTER INFORMATION SYSTEMS
‰ Risks
‰ General IT controls
‰ Application controls

DATA SECURITY
‰ Threats
‰ Physical risks
‰ Environmental risks
‰ Unauthorised access
‰ Hacking
‰ Viruses
‰ Encryption
‰ Software audit trail


1 INTERNAL CONTROL
¾ Financial and accounting system controls were considered in Session 13 when dealing
with specific accounting systems and cycles. This session deals with the whole concept
of internal control and places the controls dealt with in Session 13 into context.

1.1 Overview

Definition

Internal control is the process designed, and effected by, those charged with
governance and management, to provide reasonable assurance about:

‰ the achievement of the entity’s objectives with regard to reliability of
managerial and financial reporting;
‰ the effectiveness and efficiency of its operations; and
‰ the entity’s compliance with applicable laws and regulations.
Committee of Sponsoring Organisations (COSO)

Internal controls are the actions taken by management to enhance the
likelihood that established objectives and goals will be achieved. Management
plans, organises and directs the performance of sufficient actions to provide
reasonable assurance that objectives and goals will be achieved. Thus, control
is the result of proper planning, organising and directing by management.
Institute of Internal Auditors

The internal control system includes all the policies and procedures (internal
records) adopted by the directors and management of an entity to succeed in
their objective of ensuring, as far as practicable, the:
‰ orderly and efficient conduct of the business;
‰ adherence to internal policies;
‰ safeguarding of the assets of the business;
‰ prevention and detection of fraud and error within the business;
‰ accuracy and completeness of the business accounting records;
‰ timely preparation of financial information.
Auditing Practices Board of the (UK’s) FRC

¾ The external auditor’s primary consideration is whether, and how, a specific control
prevents, or detects and corrects, material misstatements in the financial statements,
rather than its classification into any particular component.

¾ The internal auditor’s consideration will be focused on all business controls in
operation, not just those related to the financial statements.


1.2 Components

INTERNAL CONTROL – components:

‰ Control environment
‰ Risk assessment
‰ Information systems
‰ Control activities
‰ Control monitoring

1.2.1 The control environment

Governance and management functions – attitude, awareness and actions

¾ Sets the tone of an organization, influencing the control consciousness of its
management and employees. It is the foundation for effective internal control,
providing discipline and structure.

¾ Strongly relates to how management (and governance) has created a culture of honesty
and ethical behaviour, supported by appropriate controls to prevent and detect fraud
and error, through:

‰ Communication and enforcement of integrity and ethical values;
‰ Cascade effect (i.e. following management’s example);
‰ Commitment to competence (eg only those with the appropriate skills and
knowledge are considered for each position);
‰ Participation by those charged with governance;
− independent from the entity and management;
− experienced and prepared to be a sounding board for management;
− prepared to work with, but stand up to, management;
− demanding and challenging of management decisions;
− access to documents and information as required;
− effective interaction with internal and external auditors;
− operation of ‘whistle blower’ procedures, independent of management

‰ Management’s philosophy and operating style (including approach to risk
management and application of accounting policies);


‰ Organizational structure (e.g. open and transparent or closed and opaque);
‰ Assignment of authority and responsibility (e.g. clearly defined);
‰ Human resource policies and practices (e.g. commitment to best practice in
recruitment, training, appraisal, counselling, progression, compensation and
remedial actions).

¾ A strong control environment may be a positive influence when assessing, for example,
the risk of fraud. However, the elements must be considered collectively (e.g.
enforcement of ethical values together with appropriate recruitment policies for
financial reporting staff will not mitigate aggressive earnings reporting by senior
management).

1.2.2 Risk assessment procedures

¾ How the entity’s management identify business risks and how they decide to address
those risks and review the results of doing so.

Definition

Business risk is the risk that the entity will not be able to achieve its objectives
and execute its strategies

¾ Business risks arise from the way the entity is managed, its operating environment,
products, customer base, employee base, ownership, legal and regulatory regimes and
the very fact that it operates in a dynamic and adaptive environment.

¾ There are many classifications of business risk including: liquidity, interest rate, foreign
exchange, procurement, production, brands, reputation, human resources, treasury,
information systems, legislation, regulation, legal liabilities.

Example 1

Suggest FIVE business risks that may impact on the production of the financial
statements.

Solution


¾ The concept of risk management is critical to good corporate governance.

1.2.3 Information system

¾ The information system consists of:

‰ physical and hardware (if IT based) infrastructure;
‰ software (if IT based);
‰ people;
‰ procedures; and
‰ data.

¾ Includes the accounting system and consists of the procedures and records established
to:

‰ initiate (e.g. manually or by programmed procedures);
‰ record (e.g. identify, capture and record valid transactions and relevant
information on a timely basis, including information for disclosure);
‰ process (e.g. edit, validate, calculate, measure, summarise, reconcile and
classify);
‰ report (e.g. preparation of financial and other statements so that the
transactions, disclosures and other information are correctly
presented); and
‰ maintain accountability (for the related assets, liabilities, and equity).

of the records and information necessary to satisfy reporting objectives.

The above encompasses recording the correct monetary value of transactions and ensuring
that transactions are recorded in the correct accounting period (i.e. cut-off).

¾ Transactions may be standard (e.g. within the normal course of business – sales,
purchases, accruals, depreciation) or non-standard (e.g. asset impairment, bad debt
write off, related party transactions). How the information system deals with both
standard and non-standard transactions must be understood, e.g. raising and
authorising journal entries.

¾ The information system must also be able to deal with errors and incorrect processing.
Is a suspense account used and regularly checked and cleared? Is it possible to override
the system or bypass controls? If so, how does management deal with such matters?

¾ Management must be able to demonstrate that they understand the individual roles and
responsibilities of those within the information system.

¾ Individuals within the system must also understand their roles and responsibilities and
how they relate to others within the system.

¾ The means of reporting exceptions to a higher authority must be clear and
unambiguous. This includes reporting channels to management, those charged with
governance (e.g. the audit committee) and if necessary to an external authority (eg
regulators).


1.2.4 Control activities

¾ The policies and procedures that help ensure that management directives are carried
out, e.g. that actions are taken to address risks that threaten the achievement of the
entity’s objectives.

¾ They have various objectives and are applied at various organisational and functional
levels. Often referred to as internal checks.

¾ More than one control activity may be necessary in order to achieve a given control
objective.

¾ At the financial statement assertion level, control objectives aim to ensure that only:

‰ authorised (Valid - V) transactions are
‰ promptly recorded (Complete - C) in the
‰ correct (Accurate - A) amount in the
‰ appropriate (A) accounts in the
‰ proper (Correct Cut-off – C) accounting period and that
‰ recorded assets exist (Existence – E).

⇒ Mnemonic CAVE:

¾ Examples of appropriate control activities include:

‰ Authorisation, (basically, “if it can move, authorise it”) e.g.:
− purchase or disposal of non-current assets
− new suppliers
− journals
− payments
− bad debt write-offs

‰ Performance reviews, e.g.:
− actual against budget, prior year and variance analysis
− analytical review, internal versus external data
− functional or activity performance (i.e. confirming that activities that should
take place actually took place)

‰ Information processing, (accuracy, completeness and authorisation) e.g.:
− checking arithmetical accuracy (e.g. of documents, records)
− maintaining and reviewing accounts and trial balances
− carrying out reconciliations (e.g. bank, supplier statements)
− sequence checks (of pre-numbered documents, e.g. despatch notes)
− completeness checks (e.g. that all documents have been processed)
− follow up of error reports (includes taking appropriate action)
− IT application and general controls


‰ Physical controls, e.g.:
− secured access to assets and records
− password access to computer systems
− comparing book to physical (e.g. inventory, petty cash, non-current assets)

‰ Segregation of duties, e.g.:
− separation of the authorising, recording and custody functions
− actions of one employee are checked by another

1.2.5 Monitoring controls

¾ Without monitoring control systems and receiving feedback on the performance of
those controls, the entity’s management will have no idea if a control, whilst still
operating, is actually effective.

¾ Monitoring is therefore a process to assess the effectiveness of internal control
performance over time. It involves assessing the design and operation of controls on a
timely basis and taking necessary corrective actions for changes in conditions.

¾ Ongoing monitoring activities are often built into the normal recurring activities of an
entity and include regular management and supervisory activities.

¾ Examples of monitoring activities include:

‰ checking that activities (e.g. bank reconciliations) are carried out;
‰ reports are produced when expected and actions carried out (e.g. follow up on
exception reports);
‰ customers paying amounts as stated on their statements or complaining about
being overcharged;
‰ external regulators reporting on aspects of the internal controls relating to
regulations, e.g. financial services;
‰ internal audit evaluations of the effectiveness of internal control and business risk
procedures;
‰ external audit management letters and reports;
‰ business activity and management accounts discussed at monthly board meetings
and challenged by non-executive directors and those charged with governance

1.3 Alternative categories

1.3.1 Preventative controls

¾ These are controls that are designed to prevent a particular risk happening.
Authorisation, segregation of duties, recruiting, training, supervision, passwords and
validation are examples of preventative controls.


1.3.2 Detective controls

¾ Detective controls are designed to detect errors that have occurred and have not
been prevented. Examples include reconciliations, exception reporting, physical
counting of assets, supervision and quality controls.

1.3.3 Corrective controls

¾ Corrective controls aim to minimise or negate the impact of errors. Examples include
follow up procedures, management action, security backups of data, re-training,
contingency planning.

1.4 Control risk

Definition

Control risk is the risk that a material error could occur and not be prevented,
detected and corrected by the internal control system.

¾ Because of the inherent nature of internal control, there will always be some control
risk. No internal control system, no matter how well designed and operated, can
provide management with conclusive evidence that objectives are reached. Only
reasonably high, not absolute, assurance can be achieved.

Example 2

Identify five potential limitations within an internal control system.

Solution

¾ A determined fraudster will always find ways around the control systems. In many
cases, the very presence of controls establishes a challenge.


2 COMPUTER INFORMATION SYSTEMS

2.1 Risks

¾ Because of the pervasive nature of information systems within the vast majority of
organisations, computer information systems (CIS) present a whole series of particular
business risks, e.g.

‰ Reliance on systems or programs that are inaccurately processing data (e.g.
programming error resulting in all like transactions being incorrectly processed),
processing inaccurate data (e.g. incorrectly captured or transferred from a previous
process) or both.

‰ Unauthorized access (hacking) to transaction data that may result in the
destruction, corruption or changes to that data, particularly where multi-access
(internal and/or external) is allowed to the database, e.g.
− recording of unauthorized transactions
− recording transactions that have not occurred, or
− inaccurate recording of transactions.

‰ IT personnel gaining unauthorised access privileges (e.g. hacking) resulting in a
breakdown of the IT segregation of duties, e.g. an analyst gaining access to a
programme being modified by a programmer.

‰ Unauthorized changes to standing data in master files, e.g. adding non-existent
employees; changing salary details.

‰ Unauthorized changes to systems or programs, e.g. a programmer making
unscheduled/unauthorised changes to a program.

‰ Inappropriate controls within the systems development lifecycle, e.g. failure to
adequately test each development stage resulting in a program that does not meet
user requirements.

‰ Lack of appropriate system changeover procedures to ensure completeness and
accuracy of transferring data from an old system to the new.

‰ Inappropriate or lack of manual intervention, e.g. failure to act upon error reports
produced by a system.

‰ Failure to make necessary changes to systems or programs when required (can be
by management or IS personnel) e.g. to meet customer needs; upgrading software
to maintain competitive advantage.

‰ Potential loss of data or inability to access data as required, e.g. system crash, denial
of service attack, prolonged downtime.

‰ Automatic initiation or execution of transactions (e.g. interest/discount
calculations). Authorisation may not be documented, but implicit in management’s
acceptance of the design of the system.


‰ The audit trail of the transactions may be fragmented, in that it may exist only for a
short time.

¾ Because of the specialised nature of CIS, two sets of control procedures have been
developed within the overall control framework – general controls and application
controls.

2.2 General IT controls

Definition

The policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued
operational integrity and security of data and information systems

¾ They aim to establish a framework of overall control and commonly address the risks
noted above, e.g. controls over:

‰ the data centre and network operations;
‰ system software acquisition, change and maintenance;
‰ development of computer applications;
‰ access security;
‰ system acquisition, development, and maintenance.

¾ There are various classifications of general controls, e.g.

Administration controls

¾ Segregation of duties** between development (analysts and programmers),
maintenance (librarian) and operation.
¾ Logical access controls (e.g. passwords)** to enter systems.
¾ Automatic computer log of program changes (independently reviewed by IT
manager).
¾ Restricted physical access** (e.g. to computer room).
¾ Firewall and virus update protection.
¾ Regular file copying (“dumping”).
¾ Job scheduling.
¾ Back up power resources.
¾ Disaster recovery procedures.
¾ Maintenance and insurance.

Systems development controls

¾ Standard procedures and documentation – including feasibility study and
systems specification with flowcharts or data flow diagrams.
¾ System and program testing (test and actual data). Usually pilot operation.
¾ File conversion – requires a complete print out and check of file contents
before setting up operational master files.
¾ Acceptance and authorisation procedures – e.g. by a responsible official of
the project steering committee.
¾ Training of user staff.

** Often classified as Physical controls


¾ Alternatively:

ORGANIZATION AND MANAGEMENT
¾ Policies & procedures
¾ Segregation of incompatible functions (eg preparing input, programming)

APPLICATION SYSTEMS DEVELOPMENT
¾ Testing, conversion, documentation

COMPUTER OPERATION
¾ Authorisation – personnel and programs
¾ Restricted access
¾ Processing errors are detected and corrected

SYSTEMS SOFTWARE
¾ Authorisation and testing
¾ Restricted access to utilities that may not leave an audit trail

DATA ENTRY AND PROGRAM
¾ Authorisation structure
¾ Off-site back-up
¾ Recovery procedures

2.3 Application controls

Definition

Manual or automated procedures that typically operate at a business process
level. Can be preventative or detective in nature and are designed to ensure
the integrity of the accounting records and information. Relate to procedures
used to initiate, record, process and report transactions or other financial data.

¾ Provide reasonable assurance that all transactions are authorised and recorded, and are
processed completely, accurately and on a timely basis.

¾ Can be classified as:

Input
¾ Passwords (to terminals)
¾ Validation checks
¾ Verification checks
¾ Batch totals
¾ Document counts

Processing
¾ Check digits
¾ Reasonableness (“range”) checks
¾ Existence checks ⇒ mis-match reports (“file no data” or “data no file”)
¾ Sequence checks
¾ Format checks
¾ “Run-to-run” controls to ensure no data lost

Output
¾ Checking control totals
¾ Investigating rejected items
¾ Reviewing accounts and trial balances
¾ Error investigation and feedback procedures

Master file
¾ Periodic print-out of standing data and comparison to independent control
totals and data
¾ Authorization of master file standing data updates
¾ Exception reporting (and authorisation) of all changes made to standing data
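The input, processing and master-file checks in the table above, worked through in code. This is an added example and not part of the manual: the modulus-11 check-digit weighting, the field formats, the 10,000 reasonableness limit and the batch itself are assumptions constructed for illustration.

```python
"""Input, processing and master-file control checks run over a constructed batch.

Added example (not from the manual). The modulus-11 check-digit weighting, the
field formats, the 10,000 range limit, the reference data and the transaction
lines are all assumptions constructed for illustration.
"""
import re

# Constructed master file of valid customer codes (existence-check reference data).
CUSTOMER_MASTER = {"C001", "C002", "C003"}

# Constructed batch header as keyed by the data-entry clerk: a document count and
# a value total that the system recomputes from the lines and compares against.
BATCH_HEADER = {"document_count": 4, "value_total": 1549.99}

# Constructed transaction lines. The last character of each document number is a
# modulus-11 check digit over the six-digit body.
BATCH_LINES = [
    {"doc_no": "1000004", "customer": "C001", "amount": 500.00},
    {"doc_no": "1000012", "customer": "C002", "amount": 250.00},
    {"doc_no": "1000020", "customer": "C009", "amount": 700.00},    # customer not on master file
    {"doc_no": "1000030", "customer": "C003", "amount": 99999.00},  # wrong check digit; 99.99 mis-keyed
]

DOC_NO_FORMAT = re.compile(r"^\d{6}[\dX]$")
CUSTOMER_FORMAT = re.compile(r"^C\d{3}$")
AMOUNT_RANGE = (0.01, 10_000.00)  # reasonableness ("range") limits, assumed for illustration


def mod11_check_digit(body: str) -> str:
    """Modulus-11 check digit: weights run from len(body)+1 down to 2, the weighted
    sum's remainder is subtracted from 11, and a result of 10 is written as 'X'."""
    weights = range(len(body) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(body, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def check_digit_ok(doc_no: str) -> bool:
    return mod11_check_digit(doc_no[:-1]) == doc_no[-1]


def validate_line(line: dict) -> list:
    """Format, check-digit, existence and range checks on one line; returns the failures."""
    failures = []
    if not DOC_NO_FORMAT.match(line["doc_no"]):
        failures.append("format: doc_no")
    elif not check_digit_ok(line["doc_no"]):
        failures.append("check digit: doc_no")
    if not CUSTOMER_FORMAT.match(line["customer"]):
        failures.append("format: customer")
    elif line["customer"] not in CUSTOMER_MASTER:
        failures.append("existence: customer not on master file")
    low, high = AMOUNT_RANGE
    if not low <= line["amount"] <= high:
        failures.append("range: amount")
    return failures


def sequence_check(lines: list) -> dict:
    """Sequence check over pre-numbered documents: report missing and repeated numbers."""
    bodies = [int(l["doc_no"][:-1]) for l in lines]
    expected = set(range(min(bodies), max(bodies) + 1))
    duplicates = sorted({b for b in bodies if bodies.count(b) > 1})
    return {"missing": sorted(expected - set(bodies)), "duplicates": duplicates}


def batch_control_totals(header: dict, lines: list) -> dict:
    """Batch totals: document count and value total keyed on the header versus
    the totals recomputed from the lines actually received."""
    computed_value = round(sum(l["amount"] for l in lines), 2)
    return {
        "document_count_ok": len(lines) == header["document_count"],
        "value_total_ok": computed_value == header["value_total"],
        "computed_value_total": computed_value,
    }


def run_to_run_ok(opening_total: float, accepted: list, reported_closing: float) -> bool:
    """Run-to-run control: the control total carried forward from the previous run
    plus the postings accepted in this run must equal the closing total the next
    run starts from; otherwise data was lost or added between runs."""
    expected = round(opening_total + sum(l["amount"] for l in accepted), 2)
    return expected == round(reported_closing, 2)


def process_batch(header: dict, lines: list) -> dict:
    """Apply the input controls, split accepted from rejected lines and report batch-level results."""
    rejected = {l["doc_no"]: f for l in lines if (f := validate_line(l))}
    accepted = [l for l in lines if l["doc_no"] not in rejected]
    return {
        "accepted": accepted,
        "rejected": rejected,  # feeds the "investigating rejected items" output control
        "totals": batch_control_totals(header, lines),
        "sequence": sequence_check(lines),
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH_LINES)
    print("rejected:", result["rejected"])
    print("totals:", result["totals"])
    print("run-to-run ok:", run_to_run_ok(10_000.00, result["accepted"], 10_750.00))
```

Run as a script it prints the rejected lines and the batch-total results. The value-total mismatch is what exposes the mis-keyed 99,999.00 at batch level, while the range check rejects that line on its own; the check digit catches the mis-keyed document number before the existence check is even reached. Rejected lines are reported rather than silently dropped, so they can be investigated and re-input under the output controls.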


¾ Alternatively as 2 types of classification:

Transaction controls – aim to ensure
‰ completeness
‰ accuracy
‰ validity

File controls – aim to ensure
‰ file continuity
‰ asset protection, eg
– keys, security-coded entry
– approval and recording procedures
– data security (eg library)

3 DATA SECURITY

3.1 Threats

¾ Information security protects the interests of those relying on information (and the
information systems and communications that deliver the information) from harm
resulting from hacking, operational error, sabotage and other threats.

¾ Information privacy is the right of an individual to participate in decision making
regarding the collection, use and disclosure of information personally identifiable to
that individual. It is the restriction of knowledge to authorised persons. Privacy was
dealt with in Session 12.

¾ Security and privacy are very closely related, and it is often difficult to determine
whether a particular risk relates to security or privacy. What is clear, however, is that
security relates to the whole of the system whereas privacy only relates to the data held
within the system.

¾ Threats to information systems may arise from:

‰ intentional or unintentional acts;
‰ internal and external sources.

¾ Examples include:

‰ Technical conditions (eg program bugs, disk crashes)
‰ Natural disasters (eg fire, flood)
‰ Environmental conditions (eg power surges)
‰ Human factors (eg lack of training, errors, omissions)


3.2 Physical risks

¾ Physical risks threaten the physical elements of the system – the hardware, software and
computer facilities such as buildings. There are a number of risks which must be
identified and understood, e.g.

‰ Fire
‰ Flood
‰ Weather
‰ Natural disaster
‰ Terrorist attack
‰ Accidental damage
‰ Deliberate damage
‰ Theft.

3.2.1 Control examples

¾ Fire systems and procedures

‰ inert gas extinguishing system, NOT water based
‰ fire doors
‰ heat resistant safes
‰ fire prevention and safety rules

¾ Location of hardware away from sources of risk

‰ heat and water pipes (check ceiling ducting and floor above)
‰ under flight paths near airports
‰ earthquake zones or below river levels

¾ Regular building maintenance

‰ checking for faulty electrical circuits
‰ fire systems maintenance
‰ lagged piping (eg water pipes to prevent freezing)

¾ Training of all staff in computer security and safety procedures

‰ attitude of mind (eg integrity, carefulness, security aware)
‰ strong security culture within organisation

¾ Staffing arrangements

‰ authorisation for access and change routines to programs
‰ segregation of duties (programmers should not have access to live programs)
‰ thorough vetting of job applicants before being employed
‰ sensitive staff banned from premises when sacked (and security passes
withdrawn/disabled)
‰ risk analysis on sensitive staff (eg to identify low morale, poor motivation, potential
“grudge” bearers)


¾ Physical access controls

‰ security guards
‰ time controls (eg only allowed access between certain times)
‰ electronic door locks (PIN, card or bio data entry)

¾ Theft control

‰ high risk systems physically attached to secure points (eg laptops chained to a fixed
point)
‰ ID marking – company logo, inventory tag – and tracking
‰ regular inventory checks

¾ Proven backup and restore capabilities

‰ son, father, grandfather system
‰ ensure restore works

¾ Regular testing of fail safe systems

‰ “pull the plug” and see what happens
‰ testing of recovery plans
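An added example (not from the manual) of the son/father/grandfather rotation and of checking that a restore actually works. The code keeps three generations of full backups in memory as a stand-in for tape or disk media, records a SHA-256 digest of each on the backup register, and treats a restore test as reading the generation back and comparing it with that digest; the nightly data sets and the simulated media fault are constructed.

```python
"""Son/father/grandfather backup rotation with a restore verification step.

Added example (not from the manual). The in-memory deque stands in for the
physical media; the nightly data sets and the media fault are constructed.
"""
import hashlib
from collections import deque

GENERATIONS = ("son", "father", "grandfather")


class BackupRotation:
    def __init__(self):
        # Newest first; taking a fourth backup pushes the old grandfather off the end.
        self._media = deque(maxlen=len(GENERATIONS))

    def take_backup(self, data: bytes) -> str:
        """Store a full copy and record its digest on the backup register."""
        digest = hashlib.sha256(data).hexdigest()
        self._media.appendleft({"data": bytearray(data), "sha256": digest})
        return digest

    def generations(self) -> dict:
        """Map each generation name to the digest currently held for it."""
        return {name: m["sha256"] for name, m in zip(GENERATIONS, self._media)}

    def restore(self, generation: str = "son") -> bytes:
        """Read a generation back (what an operator would load after a failure)."""
        index = GENERATIONS.index(generation)
        if index >= len(self._media):
            raise KeyError(f"no {generation} backup exists yet")
        return bytes(self._media[index]["data"])

    def verify_restore(self, generation: str = "son") -> bool:
        """Restore test: the copy read back must still match the digest recorded at backup time."""
        data = self.restore(generation)
        recorded = self._media[GENERATIONS.index(generation)]["sha256"]
        return hashlib.sha256(data).hexdigest() == recorded

    def simulate_media_fault(self, generation: str, offset: int = 0) -> None:
        """Flip one byte on the stored copy to stand in for a damaged tape."""
        self._media[GENERATIONS.index(generation)]["data"][offset] ^= 0xFF


def rotation_demo() -> dict:
    """Take four nightly backups, check the generations, then damage one and re-test."""
    rotation = BackupRotation()
    nightly = [f"ledger-day-{d}".encode() for d in range(1, 5)]  # constructed data sets
    for data in nightly:
        rotation.take_backup(data)
    results = {
        "son_is_latest": rotation.restore("son") == nightly[3],
        "grandfather_is_day_2": rotation.restore("grandfather") == nightly[1],
        "all_verify_before_fault": all(rotation.verify_restore(g) for g in GENERATIONS),
    }
    rotation.simulate_media_fault("grandfather")
    results["grandfather_verifies_after_fault"] = rotation.verify_restore("grandfather")
    results["son_still_verifies"] = rotation.verify_restore("son")
    return results


if __name__ == "__main__":
    for check, outcome in rotation_demo().items():
        print(f"{check}: {outcome}")
```

The point of the restore test is that a backup which was written successfully can still be unreadable or silently corrupted later; comparing the restored copy with the digest recorded at backup time is the check that "ensure restore works" refers to, and it has to be repeated for every generation, since a fault on the grandfather set does not show up when only the son is tested.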

3.3 Environmental risks

¾ There are a number of risks to computerised systems which relate to the environment in
and around the location of the hardware, e.g.

‰ Temperature
‰ Humidity
‰ Power supply
‰ Spillage and accidental damage

¾ The best way to control these risks is to isolate the computer system from the outside
world by placing it in a specially designed computer room or building. Obviously this
is possible for a large central computer, but not for PCs.

¾ Control examples include:

‰ Heating and air-conditioning systems
‰ Smoothed power supplies
‰ Uninterruptible power supplies (UPS)
‰ Banning drinks and food in computer areas
‰ Training in procedures, awareness and damage limitation


3.4 Unauthorised access

¾ The logical access system is the system of facilities developed and maintained to protect
data or software from the potential threats of unauthorised access.

¾ Risks include:

‰ Errors within data
‰ Falsification of data
‰ Loss of data
‰ Disclosure of information to unauthorised individuals

¾ Access must be limited to those with the appropriate authority through for example:

‰ Physical access controls
‰ System passwords
‰ Usage logs (usually computer generated)
‰ Storage of diskettes and tapes in secure locations

3.5 Hacking

¾ Hacking is the deliberate unauthorised access to a system and the data within that
system.

¾ The term was originally used to describe the activity of individuals who saw systems
security as a challenge and wished to show that they were able to breach whatever
security was in place. It is now a term used to also describe the criminal activity of
stealing (also includes reading) or changing data or any other aspect of a system (e.g.
changing programs, adding additional routines).

¾ Hacking usually takes one of two forms:

‰ Authorisation attack – password cracking usually through the use of computer
programs that work through dictionaries and other sources to generate passwords
for repeated sending to the system until the right password is found.

‰ Trapdoor/backdoor attacks – utilising existing weakness within the program code
of the system. Sometimes these are deliberately programmed into the system by
the programmer who can then, for example, bypass the password system at a later
date.

¾ Threats include

‰ Data corruption including alteration of, and addition to, data
‰ Introduction of viruses
‰ Access to sensitive data
‰ Access to password files and the password generation code
‰ Loss of system’s operational ability


¾ Prevention procedures include:

‰ Physical security
‰ Logical security
‰ System logs and audit trails
‰ Sentinels (“watch dog” programs that check for unusual activity)
‰ Data encryption
‰ Strong quality control and risk analysis procedures in developing programs and
web sites

Commentary

Many of the alterations made to organisations’ websites (for example) are due to the
poor programming and security features of the web pages and sites that allow access to
the system behind the web pages.

3.6 Viruses

¾ A virus is a (rogue) program that spreads throughout a computer system usually with
the aim of (at least) causing inconvenience or (at worse) destroying and altering data,
disrupting processing and memory systems.

¾ A virus may be implanted within the system by an employee (e.g. a programmer) or by
infection from an outside source, most notably from files and e-mails downloaded via
the internet.

¾ The damage that can be caused is only limited by the ingenuity of the virus
programmer.

¾ Types of viruses include:

‰ Boot sector – runs every time the system is booted (started).

‰ File/execute – infects a program file so that every time the program is executed, so
is the virus.

‰ Overwriting/duplicating – overwrites programs so the program no longer operates
or adds to a program or file so eventually the storage capacity is fully used.

‰ Trojan – embodied in a host program that appears to be carrying out a normal
function, whilst the Trojan virus carries out a totally different function often
unbeknown to the user.

‰ Worms – viruses that “burrow” through the system usually over networks using
the system’s distributed resources.

‰ Logic bombs – a traditional programmer’s virus, usually hidden within a normal
program, that is activated on the occurrence of a particular event (eg a certain
balance on an account is reached).

‰ Time bombs – same concept as a logic bomb, except that the trigger event is a time
or date (eg Friday 13th).


¾ Virus attacks can be prevented or minimised through:

‰ Installation of sentinels, eg virus detection programs, that check all vulnerable files
on boot-up of the system or all files that are imported to the system, eg through
floppy discs, the internet, e-mails. Such programs can only detect known viruses
and must be constantly updated.

‰ A strongly enforced organisation policy on the use of external programs and the
internet.

‰ Quality control procedures and segregation of duties over accessing, developing
and amending computer programs.

3.7 Encryption

¾ The principle of encryption is to make intelligible data unintelligible, so that it can
then only be read by using the decryption key.

¾ This process prevents unauthorised access to, or understanding of, (for example) the
data being transmitted or stored.

¾ Areas in which encryption technology is being used include:

‰ Authentication – the ability of each party to the transmission of the data to verify
each other.

‰ Message integrity – the ability to detect if the message has been read or altered in
any way.

‰ Electronic signatures – a digital code attached to a message to verify the origins and
contents of a message. Enables the recipient to check who sent the data and that it
was not altered after transmission.
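An added example (not from the manual) of the authentication and message-integrity uses listed above, written with Python’s standard library. It uses a message authentication code (HMAC-SHA256) under a shared secret rather than a public-key electronic signature, so the recipient learns that the record came from a holder of the key and was not altered in transit; the key, the payment record and the in-transit alteration are constructed.

```python
"""Message integrity and origin checks with an HMAC over a transmitted record.

Added example (not from the manual). A shared-secret MAC stands in for the
electronic signature the text describes; key, record and tampering are constructed.
"""
import hashlib
import hmac
import json
import secrets


def make_key() -> bytes:
    """Generate a fresh random shared key (exchanged out of band in practice)."""
    return secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialise a record identically on both sides so the tag covers the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key: bytes, record: dict) -> str:
    """Sender side: the authentication tag that travels with the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(key: bytes, record: dict, tag: str) -> bool:
    """Recipient side: recompute the tag and compare in constant time, so that
    the comparison itself leaks nothing about how many characters matched."""
    return hmac.compare_digest(compute_tag(key, record), tag)


def transmit_and_check(key: bytes, record: dict, tamper: dict = None) -> dict:
    """Simulate the exchange: the sender tags the record, an optional in-transit
    change is applied, and the recipient decides whether to accept it."""
    tag = compute_tag(key, record)
    received = dict(record)
    if tamper:
        received.update(tamper)
    return {"received": received, "tag": tag, "accepted": verify_tag(key, received, tag)}


# Constructed payment instruction used by the demonstration below.
PAYMENT = {"payee": "ACME Supplies", "account": "12345678", "amount": 1250.00, "ref": "INV-4471"}

if __name__ == "__main__":
    key = make_key()
    print(transmit_and_check(key, PAYMENT)["accepted"])                                    # True
    print(transmit_and_check(key, PAYMENT, tamper={"account": "87654321"})["accepted"])    # False
```

The tag protects integrity and origin only: the record is still transmitted intelligibly, so the encryption described at the start of this section is a separate step. A MAC also differs from an electronic signature in that either key holder could have produced it, so it cannot prove to a third party which party sent the message; that is what the asymmetric signature in the text adds.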

3.8 Software audit trail

¾ A record of significant data about each transaction, e.g. audit record, user and terminal
identifications, the time and date of the transaction, transaction type (eg despatch),
quantities and values, cross-references to related transactions (eg invoice).

¾ The software audit trail records information about on-line transactions so that the
transaction and its path (both back and forward) can be inspected and verified by third
parties, eg internal auditors, system analysts.

¾ The use of audit trails enables:

‰ any unusual transaction or events (eg fraud) to be investigated (often by producing
a log of activity or exception report);

‰ sensitive data to be monitored;

‰ errors to be investigated by tracing back through the system via each stage of the
transaction process;


‰ user interface problems to be identified; and

‰ systems to be thoroughly tested during project development and routine
maintenance (both paper based and audit software).
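The audit-trail record described in 3.8 and the “sentinel” exception reporting mentioned under 3.5, as an added example that is not part of the manual. The record fields follow the manual’s list (user and terminal identification, date and time, transaction type, quantities and values, cross-reference to the related transaction); the business-hours window, the value review limit, the rule that despatches and invoices must cross-reference an earlier transaction and the trail data are constructed assumptions.

```python
"""Software audit trail: per-transaction records, back/forward tracing and an
exception report over unusual activity.

Added example (not from the manual). Review window, value limit, the
must-cross-reference rule and the trail itself are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AuditRecord:
    record_id: str
    user_id: str
    terminal_id: str
    timestamp: datetime
    tx_type: str                      # order, despatch, invoice, ...
    quantity: int
    value: float
    related_to: Optional[str] = None  # cross-reference to the transaction this one follows


# Constructed trail: one clean order -> despatch -> invoice chain (with a quantity
# slip on the invoice) and one despatch raised at night with no preceding order.
TRAIL = [
    AuditRecord("O-1001", "jsmith", "T01", datetime(2024, 3, 4, 9, 15), "order", 10, 1200.00),
    AuditRecord("D-2001", "kjones", "T07", datetime(2024, 3, 5, 10, 40), "despatch", 10, 1200.00, "O-1001"),
    AuditRecord("I-3001", "mpatel", "T02", datetime(2024, 3, 5, 16, 5), "invoice", 12, 1200.00, "D-2001"),
    AuditRecord("D-2002", "kjones", "T07", datetime(2024, 3, 6, 2, 30), "despatch", 40, 6400.00),
    AuditRecord("I-3002", "mpatel", "T02", datetime(2024, 3, 6, 11, 0), "invoice", 40, 6400.00, "D-2002"),
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed review window
VALUE_REVIEW_LIMIT = 5000.00                 # assumed threshold for management review
MUST_FOLLOW = {"despatch", "invoice"}         # types expected to reference an earlier transaction


def by_id(trail) -> dict:
    return {r.record_id: r for r in trail}


def trace_back(trail, record_id: str) -> list:
    """Follow cross-references backwards from a record to the transaction that started the chain."""
    index, path = by_id(trail), []
    current = index.get(record_id)
    while current is not None:
        path.append(current.record_id)
        current = index.get(current.related_to) if current.related_to else None
    return path


def trace_forward(trail, record_id: str) -> list:
    """Find every later transaction that refers back, directly or indirectly, to this one."""
    found, frontier = [], [record_id]
    while frontier:
        parent = frontier.pop(0)
        children = [r.record_id for r in trail if r.related_to == parent]
        found.extend(children)
        frontier.extend(children)
    return found


def exception_report(trail) -> dict:
    """Flag the unusual transactions an auditor would investigate, keyed by record id."""
    index, report = by_id(trail), {}
    for r in trail:
        reasons = []
        if not BUSINESS_HOURS[0] <= r.timestamp.time() <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if r.value > VALUE_REVIEW_LIMIT:
            reasons.append("value above review limit")
        if r.tx_type in MUST_FOLLOW and r.related_to is None:
            reasons.append("no cross-reference to a preceding transaction")
        parent = index.get(r.related_to) if r.related_to else None
        if parent is not None and parent.quantity != r.quantity:
            reasons.append("quantity differs from referenced transaction")
        if reasons:
            report[r.record_id] = reasons
    return report


if __name__ == "__main__":
    print(trace_back(TRAIL, "I-3001"))     # ['I-3001', 'D-2001', 'O-1001']
    print(trace_forward(TRAIL, "O-1001"))  # ['D-2001', 'I-3001']
    for rid, why in exception_report(TRAIL).items():
        print(rid, "->", "; ".join(why))
```

The trace functions are the “back and forward” inspection the text refers to: from an invoice back to the order that justifies it, and from an order to everything raised on the strength of it. The exception report is a simple sentinel over the same records; in practice the rules and thresholds come from the entity’s own risk assessment, and the output is a report for investigation, not an automatic reversal.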

FOCUS
You should now be able to:

¾ explain internal control and internal check;

¾ explain the importance of internal financial controls in an organisation;

¾ describe the responsibilities of management for internal financial control;

¾ describe the features of effective internal financial control procedures in an organisation;

¾ identify and describe features for protecting the security of IT systems and software
within business;

¾ describe general and application systems controls in business.


EXAMPLE SOLUTIONS
Solution 1 — Business risks

¾ Changes in regulatory or operating environment. Changes in the regulatory or operating
environment can, for example, result in changes in competitive pressures and
significantly different risks. Such risks have to be identified and their impact
quantified.
¾ New personnel. Will depend on their seniority or the position they hold within finance as
to the potential risk. New personnel may have a different focus on understanding and
applying internal control; they will need to learn new processes and may attempt to
change or ignore existing controls.
¾ New or upgraded information systems. Significant and rapid changes in information
systems can change the risk relating to internal control, e.g. previous controls may no
longer be effective, new controls are not enacted. The change process in itself is a
significant risk in that data may not be correctly converted or the new system does not
function as intended.
¾ Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls, e.g. overtrading, strained gearing and loss
of direction by the entity.
¾ New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
¾ New business models, products, or activities. Entering into business areas or transactions
with which an entity has little experience may introduce new risks associated with
internal control.
¾ Corporate restructurings. Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated
with internal control. Management time spent on restructuring and making every effort
to ensure it works means that less time can be spent on running other areas of the
business.
¾ Expanded foreign operations. The expansion or acquisition of foreign operations carries
new and often unique risks that may affect internal control, for example, additional or
changed risks from foreign currency transactions.
¾ New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements, especially in
relation to recognition, measurement and disclosure requirements.

Solution 2 — Inherent limitations

¾ Cost of internal control should not exceed benefits derived;
¾ Non-routine transactions may not go through the normal processes;
¾ Human error/machine/IT breakdown;
¾ Use of inexperienced or untrained staff;
¾ Collusion by employees or management (to circumvent controls);
¾ Abuse of responsibility (e.g. management overriding internal control);
¾ Changes in conditions, deterioration in compliance;
¾ Poor monitoring.
