Session 16 - Internal Control and Security
OVERVIEW

Objective
• To describe the basic concepts of internal control and security of information systems.

INTERNAL CONTROL
• Overview
• Components
• Alternative categories
• Control risk

COMPUTER INFORMATION SYSTEMS
• Risks
• General IT controls
• Application controls

DATA SECURITY
• Threats
• Physical risks
• Environmental risks
• Unauthorised access
• Hacking
• Viruses
• Encryption
• Software audit trail
SESSION 16 – INTERNAL CONTROL AND SECURITY
1 INTERNAL CONTROL
• Financial and accounting system controls were considered in Session 13 when dealing
with specific accounting systems and cycles. This session deals with the whole concept
of internal control and places the controls dealt with in Session 13 into context.
1.1 Overview
Definition
Internal control is the process designed and effected by those charged with
governance and management to provide reasonable assurance about:

The internal control system includes all the policies and procedures (internal
controls) adopted by the directors and management of an entity to succeed in
their objective of ensuring, as far as practicable, the:
  - orderly and efficient conduct of the business;
  - adherence to internal policies;
  - safeguarding of the assets of the business;
  - prevention and detection of fraud and error within the business;
  - accuracy and completeness of the business accounting records;
  - timely preparation of financial information.
Auditing Practices Board of the (UK’s) FRC
• The external auditor’s primary consideration is whether, and how, a specific control
prevents, or detects and corrects, material misstatements in the financial statements,
rather than its classification into any particular component.
1.2 Components
[Diagram: components of internal control]
• Strongly relates to how management (and governance) has created a culture of honesty
and ethical behaviour, supported by appropriate controls to prevent and detect fraud
and error, through:
• A strong control environment may be a positive influence when assessing, for example,
the risk of fraud. However, the elements must be considered collectively (e.g.
enforcement of ethical values together with appropriate recruitment policies for
financial reporting staff will not mitigate aggressive earnings reporting by senior
management).
• How the entity’s management identify business risks and how they decide to address
those risks and review the results of doing so.
Definition
Business risk is the risk that the entity will not be able to achieve its objectives
and execute its strategies.
• Business risks arise from the way the entity is managed, its operating environment,
products, customer base, employee base, ownership, legal and regulatory regimes and
the very fact that it operates in a dynamic and adaptive environment.
• There are many classifications of business risk including: liquidity, interest rate, foreign
exchange, procurement, production, brands, reputation, human resources, treasury,
information systems, legislation, regulation, legal liabilities.
Example 1
Suggest FIVE business risks that may impact on the production of the financial
statements.
Solution
• Includes the accounting system and consists of the procedures and records established
to:

The above encompasses recording the correct monetary value of transactions and ensuring
that the transactions are recorded in the correct accounting period (i.e. cut-off).
• Transactions may be standard (e.g. within the normal course of business – sales,
purchases, accruals, depreciation) or non-standard (e.g. asset impairment, bad debt
write off, related party transactions). How the information system deals with both
standard and non-standard transactions must be understood, e.g. raising and
authorising journal entries.
• The information system must also be able to deal with errors and incorrect processing.
Is a suspense account used and regularly checked and cleared? Is it possible to override
the system or bypass controls? If so, how does management deal with such matters?
• Management must be able to demonstrate that they understand the individual roles and
responsibilities of those within the information system.
• Individuals within the system must also understand their roles and responsibilities and
how they relate to others within the system.
• The policies and procedures that help ensure that management directives are carried
out, e.g. that actions are taken to address risks that threaten the achievement of the
entity’s objectives.
• They have various objectives and are applied at various organisational and functional
levels. Often referred to as internal checks.
• More than one control activity may be necessary in order to achieve a given control
objective.
• At the financial statement assertion level, control objectives aim to ensure that only:

⇒ Mnemonic CAVE:
• Ongoing monitoring activities are often built into the normal recurring activities of an
entity and include regular management and supervisory activities.
1.3 Alternative categories
• Preventative controls are designed to prevent a particular risk happening.
Authorisation, segregation of duties, recruiting, training, supervision, passwords and
validation are examples of preventative controls.
• Detective controls are designed to detect errors that have occurred and have not
been prevented. Examples include reconciliations, exception reporting, physical
counting of assets, supervision, quality controls.
• Corrective controls aim to minimise or negate the impact of errors. Examples include
follow-up procedures, management action, security backups of data, re-training,
contingency planning.
1.4 Control risk
Definition
Control risk is the risk that a material error could occur and not be prevented,
detected and corrected by the internal control system.
• Because of the inherent nature of internal control, there will always be some control
risk. No internal control system, no matter how well designed and operated, can
provide management with conclusive evidence that objectives are reached. Only
reasonably high, not absolute, assurance can be achieved.
Example 2
Solution
• A determined fraudster will always find ways around the control systems. In many
cases, the very presence of controls establishes a challenge.
2 COMPUTER INFORMATION SYSTEMS
2.1 Risks
• Because of the pervasive nature of information systems within the vast majority of
organisations, computer information systems (CIS) present a whole series of particular
business risks, e.g.
  - Inappropriate or lack of manual intervention, e.g. failure to act upon error reports
produced by a system.
  - Potential loss of data or inability to access data as required, e.g. system crash, denial
of service attack, prolonged downtime.
  - The audit trail of the transactions may be fragmented, in that it may exist only for a
short time.
• Because of the specialised nature of CIS, two sets of control procedures have been
developed within the overall control framework – general controls and application
controls.
2.2 General IT controls
Definition
The policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued
operational integrity and security of data and information systems.
• They aim to establish a framework of overall control and commonly address the risks
noted above, e.g. controls over:
• Alternatively:

2.3 Application controls
Definition

• Provide reasonable assurance that all transactions are authorised and recorded, and are
processed completely, accurately and on a timely basis.
3 DATA SECURITY
3.1 Threats
• Information security protects the interests of those relying on information (and the
information systems and communications that deliver the information) from harm
resulting from hacking, operational error, sabotage and other threats.
• Security and privacy are very closely related, and it is often difficult to determine
whether a particular risk relates to security or privacy. What is clear, however, is that
security relates to the whole of the system whereas privacy only relates to the data held
within the system.
• Examples include:
  - Fire
  - Flood
  - Weather
  - Natural disaster
  - Terrorist attack
  - Accidental damage
  - Deliberate damage
  - Theft.

  - heat and water pipes (check ceiling ducting and floor above)
  - under flight paths near airports
  - earthquake zones or below river levels
• Staffing arrangements
  - security guards
  - time controls (e.g. only allowed access between certain times)
  - electronic door locks (PIN, card or biometric entry)
• Theft control
  - high-risk systems physically attached to secure points (e.g. laptops chained to a fixed
point)
  - ID marking (company logo, inventory tag) and tracking
  - regular inventory checks
3.3 Environmental risks
• There are a number of risks to computerised systems which relate to the environment in
and around the location of the hardware, e.g.
  - Temperature
  - Humidity
  - Power supply
  - Spillage and accidental damage
• The best way to control these risks is to isolate the computer system from the outside
world by placing it in a specially designed computer room or building. Obviously this
is possible for a large central computer, but not for PCs.
3.4 Unauthorised access
• The logical access system is the system of facilities developed and maintained to protect
data or software from the potential threats of unauthorised access.
• Risks include:

• Access must be limited to those with the appropriate authority through, for example:
3.5 Hacking
• Hacking is the deliberate unauthorised access to a system and the data within that
system.
• The term was originally used to describe the activity of individuals who saw systems
security as a challenge and wished to show that they were able to breach whatever
security was in place. It is now also used to describe the criminal activity of
stealing (which includes reading) or changing data or any other aspect of a system (e.g.
changing programs, adding additional routines).
• Threats include:
  - Physical security
  - Logical security
  - System logs and audit trails
  - Sentinels (“watch dog” programs that check for unusual activity)
  - Data encryption
  - Strong quality control and risk analysis procedures in developing programs and
web sites
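As an added illustration (not part of the study text) of the sentinel, system-log and time-control measures listed above and in the unauthorised access section, the following Python script scans constructed access-log lines and flags logins outside permitted hours, logins by users not on the authorised list, and repeated failed logins. The log format, user list, permitted hours and failure threshold are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, time
# Policy settings (assumptions constructed for this example, not from the text)
AUTHORISED_USERS = {"jsmith", "akhan", "ljones"}
PERMITTED_HOURS = (time(8, 0), time(18, 0))   # access allowed 08:00 to 18:00
FAILED_LOGIN_THRESHOLD = 3                    # failures by one user before alerting
# Constructed sample log, one event per line: timestamp|user|terminal|event|result
SAMPLE_LOG = """\
2024-03-11 09:12:03|jsmith|T01|login|ok
2024-03-11 09:14:40|akhan|T02|login|ok
2024-03-11 23:07:15|jsmith|T05|login|ok
2024-03-11 10:01:02|guest|T03|login|ok
2024-03-11 10:05:11|akhan|T02|login|fail
2024-03-11 10:05:30|akhan|T02|login|fail
2024-03-11 10:05:52|akhan|T02|login|fail
"""

def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, terminal, event, result = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "terminal": terminal, "event": event, "result": result}

def check_log(text):
    """Return a list of (rule, user, detail) alerts, in log order."""
    alerts, failures = [], Counter()
    start, end = PERMITTED_HOURS
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] != "login":
            continue
        # Time control: a login outside the permitted window is unusual activity
        if not (start <= rec["ts"].time() < end):
            alerts.append(("outside_hours", rec["user"], rec["ts"].isoformat()))
        # Logical access: only listed users hold the authority to log in
        if rec["user"] not in AUTHORISED_USERS:
            alerts.append(("unauthorised_user", rec["user"], rec["terminal"]))
        # Repeated failures suggest password guessing; alert once at the threshold
        if rec["result"] == "fail":
            failures[rec["user"]] += 1
            if failures[rec["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failures", rec["user"], rec["terminal"]))
    return alerts

if __name__ == "__main__":
    for alert in check_log(SAMPLE_LOG):
        print(alert)
```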
Commentary
Many of the alterations made to organisations’ websites (for example) are due to the
poor programming and security features of the web pages and sites that allow access to
the system behind the web pages.
3.6 Viruses
• A virus is a (rogue) program that spreads throughout a computer system, usually with
the aim of (at least) causing inconvenience or (at worst) destroying and altering data
and disrupting processing and memory systems.
• The damage that can be caused is limited only by the ingenuity of the virus
programmer.
  - File/execute – infects a program file so that every time the program is executed, so
is the virus.
  - Worms – viruses that “burrow” through the system, usually over networks, using
the system’s distributed resources.
  - Time bombs – same concept as a logic bomb, except that the trigger event is a time
or date (e.g. Friday 13th).
  - Installation of sentinels, e.g. virus detection programs, that check all vulnerable files
on boot-up of the system or all files that are imported to the system, e.g. through
floppy discs, the internet, e-mails. Such programs can only detect known viruses
and must be constantly updated.
  - A strongly enforced organisation policy on the use of external programs and the
internet.
3.7 Encryption
• The principle of encryption is to make intelligible data unintelligible, so that it can
then only be read by using the decryption key.
• This process prevents unauthorised access to, or understanding of, (for example) the
data being transmitted or stored.
  - Authentication – the ability of each party to the transmission of the data to verify
each other.
  - Message integrity – the ability to detect if the message has been read or altered in
any way.
  - Electronic signatures – a digital code attached to a message to verify the origins and
contents of a message. Enables the recipient to check who sent the data and that it
was not altered after transmission.
3.8 Software audit trail
• A record of significant data about each transaction, e.g. audit record, user and terminal
identifications, the time and date of the transaction, transaction type (e.g. despatch),
quantities and values, cross-references to related transactions (e.g. invoice).
• The software audit trail records information about on-line transactions so that the
transaction and its path (both back and forward) can be inspected and verified by third
parties, e.g. internal auditors, system analysts. It allows:
  - errors to be investigated by tracing back through the system via each stage of the
transaction process;
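As an added example (not from the study text), the following Python code builds a software audit trail whose records carry the fields listed above, links each record to the previous one with an HMAC so that any later alteration is detected (the message-integrity property described under Encryption), and traces a transaction back and forward through its cross-references. The record layout, key and sample transactions are constructed for this example; an HMAC with a shared key stands in for the electronic signature the text describes, and no cipher is shown.

```python
import hmac, hashlib, json

KEY = b"constructed-demo-key"   # assumption: key shared by the system and its auditors

def _tag(prev_tag, record):
    """HMAC over the previous tag plus this record, so records cannot be altered or reordered unnoticed."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def append(trail, user, terminal, ts, tx_type, ref, qty=None, value=None, related=None):
    """Add one audit record carrying the fields the text lists; returns the trail."""
    record = {"user": user, "terminal": terminal, "ts": ts, "type": tx_type,
              "ref": ref, "qty": qty, "value": value, "related": related}
    prev = trail[-1]["tag"] if trail else ""
    trail.append({**record, "tag": _tag(prev, record)})
    return trail

def verify(trail):
    """Index of the first record whose tag no longer matches, or -1 if the chain is intact."""
    prev = ""
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_tag(prev, record), entry["tag"]):
            return i
        prev = entry["tag"]
    return -1

def trace_back(trail, ref):
    """Follow cross-references from ref back to the first stage of the transaction."""
    by_ref = {e["ref"]: e for e in trail}
    path = []
    while ref in by_ref:
        path.append(ref)
        ref = by_ref[ref]["related"]
    return path

def trace_forward(trail, ref):
    """Follow the transaction forward: each record that cross-references an earlier stage."""
    path = [ref]
    for e in trail:   # the trail is in chronological order
        if e["related"] in path:
            path.append(e["ref"])
    return path

# Constructed sample transaction: order, then despatch, then invoice, each referring back
SAMPLE = []
append(SAMPLE, "jsmith", "T01", "2024-03-11T09:15:00", "order", "ORD-100", qty=10, value=250.0)
append(SAMPLE, "akhan", "T02", "2024-03-11T11:40:00", "despatch", "DSP-55", qty=10, related="ORD-100")
append(SAMPLE, "ljones", "T04", "2024-03-12T08:05:00", "invoice", "INV-300", value=250.0, related="DSP-55")
```

Changing any field of a stored record, or deleting a record from the middle of the trail, makes `verify` report the first affected index instead of -1.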
FOCUS
You should now be able to:
• identify and describe features for protecting the security of IT systems and software
within business;
EXAMPLE SOLUTIONS
Solution 1 — Business risks