CIS Synthesis


Christian Joy Aribas C11

Internal Control Objectives According to AICPA SAS

1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting records and information
3. Promote efficiency of the firm’s operations
4. Measure compliance with management’s prescribed policies and procedures

Modifying Assumptions to the Internal Control Objectives

- Management Responsibility
The establishment and maintenance of a system of internal control is the responsibility
of management.
- Reasonable Assurance
The cost of achieving the objectives of internal control should not outweigh its benefits.
- Methods of Data Processing
The techniques of achieving the objectives will vary with different types of technology.

Limitations of Internal Controls

1. Possibility of honest errors
2. Circumvention via collusion
3. Management override
4. Changing conditions--especially in companies with high growth

Exposures of Weak Internal Controls (Risk)

1. Destruction of an asset
2. Theft of an asset
3. Corruption of information
4. Disruption of the information system

SAS 78 / COSO
Describes the relationship between the firm’s:
a. internal control structure,
b. auditor’s assessment of risk; and
c. the planning of audit procedures

The weaker the internal control structure, the higher the assessed level of risk; the higher the risk,
the more auditor procedures applied in the audit.

Five Internal Control Components: SAS 78 / COSO

1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities

Control environment

1. Integrity and ethics of management
2. Organizational structure
3. Role of the board of directors and the audit committee
4. Management’s policies and philosophy
5. Delegation of responsibility and authority
6. Performance evaluation measures
7. External influences—regulatory agencies
8. Policies and practices managing human resources

Risk assessment

Identify, analyze and manage risks relevant to financial reporting:

1. changes in external environment
2. risky foreign markets
3. significant and rapid growth that strain internal controls
4. new product lines
5. restructuring, downsizing
6. changes in accounting policies

Information and communication

• identifies and records all valid transactions
• provides timely information in appropriate detail to permit proper classification and financial reporting
• accurately measures the financial value of transactions
• accurately records transactions in the time period in which they occurred

Auditors must obtain sufficient knowledge of the IS to understand:

• the classes of transactions that are material
• how these transactions are initiated [input]
• the associated accounting records and accounts used in processing [input]
• the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [process]
• the financial reporting process used to compile financial statements, disclosures, and estimates [output]

Monitoring

The process for assessing the quality of internal control design and operation
• Separate procedures—test of controls by internal auditors
Ongoing monitoring:
• computer modules integrated into routine operations
• management reports which highlight trends and exceptions from normal performance

Control activities

Policies and procedures to ensure that the appropriate actions are taken in response to identified
risks

Fall into two distinct categories:

• IT controls—relate specifically to the computer environment
• Physical controls—primarily pertain to human activities

Two Types of IT Controls

• General controls—pertain to the entity-wide computer environment
- Examples: controls over the data center, organization databases, systems development, and program maintenance
• Application controls—ensure the integrity of specific systems
- Examples: controls over sales order processing, accounts payable, and payroll applications

Six Types of Physical Controls

• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification

Sarbanes-Oxley Act

The 2002 Sarbanes-Oxley (SOX) Act established new corporate governance rules:
• Created company accounting oversight board
• Increased accountability for company officers and board of directors
• Increased white collar crime penalties
• Prohibits a company’s external audit firms from providing financial information systems

SOX Section 302

Section 302—in quarterly and annual financial statements, management must:
• certify the internal controls (IC) over financial reporting
• state responsibility for IC design
• provide reasonable assurance as to the reliability of the financial reporting process
• disclose any recent material changes in IC

SOX Section 404

Section 404—in the annual report on IC effectiveness, management must:
• state responsibility for establishing and maintaining adequate financial reporting IC
• assess IC effectiveness
• reference the external auditors’ attestation report on management’s IC assessment
• provide explicit conclusions on the effectiveness of financial reporting IC
• identify the framework management used to conduct their IC assessment, e.g., COBIT

IT Controls & Financial Reporting

• Modern financial reporting is driven by information technology (IT)
• IT initiates, authorizes, records, and reports the effects of financial transactions.
• Financial reporting IC are inextricably integrated with IT.

SOX Audit Implications

• Pre-SOX, audits did not require IC tests.
- Only required to be familiar with client’s IC
- Audit consisted primarily of substantive tests
• SOX radically expanded the scope of the audit
- Issue new audit opinion on management’s IC assessment
- Required to test IC affecting financial information, especially IC to prevent fraud
- Collect documentation of management’s IC tests and interview management on IC changes

Types of Audit Tests

Tests of controls – tests to determine if appropriate IC are in place and functioning
effectively
Substantive testing – detailed examination of account balances and transactions

Organizational Structure IC

• Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency

Two organizational structures apply:
• Centralized model
• Distributed model

Segregation of Duties

• Transaction authorization is separate from transaction processing.
• Asset custody is separate from record-keeping responsibilities.
• The tasks needed to process the transactions are subdivided so that fraud requires collusion.

Distributed IT Structure

Despite its many advantages, important IC implications are present:
• incompatible software among the various work centers
• data redundancy may result
• consolidation of incompatible tasks
• difficulty hiring qualified professionals
• lack of standards

Organizational Structure IC

A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
• central testing of commercial hardware and software
• a user services staff
• a standard-setting body
• review of the technical credentials of prospective systems professionals

Audit Procedures

• Review the corporate policy on computer security
- Verify that the security policy is communicated to employees
• Review documentation to determine if individuals or groups are performing incompatible functions
• Review systems documentation and maintenance records
- Verify that maintenance programmers are not also design programmers
• Observe if segregation policies are followed in practice.
- E.g., check operations room access logs to determine if programmers enter for reasons other than system failures
• Review user rights and privileges
- Verify that programmers have access privileges consistent with their job descriptions
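The segregation-of-duties rules above (authorization vs. processing, custody vs. record-keeping, design vs. maintenance programming) and the audit step of reviewing a sample of user privileges can be carried out over an access-rights extract. The following is an added example, not part of these notes or any textbook's code: the duty names, the user sample and the incompatible-function matrix are all constructed for illustration. It flags users holding two incompatible duties and, going a step beyond the notes, computes how many people would have to collude to complete a whole transaction, which is the property the "fraud requires collusion" bullet describes.

```python
# Added example (constructed data): review a sample of user privileges against
# an incompatible-function matrix, and measure whether a transaction can be
# completed by one person acting alone.
from itertools import combinations

# Hypothetical duty names; each pair is a combination one person must not hold.
INCOMPATIBLE_PAIRS = [
    ("authorize_transactions", "process_transactions"),  # authorization vs processing
    ("asset_custody", "record_keeping"),                 # custody vs record-keeping
    ("systems_design", "program_maintenance"),           # design vs maintenance programming
    ("program_maintenance", "production_operations"),    # programmers running live jobs
]

# Constructed sample of user privileges, as an auditor might extract them.
SAMPLE_USERS = {
    "alice": {"authorize_transactions"},
    "bob":   {"process_transactions", "record_keeping"},
    "carol": {"asset_custody", "record_keeping"},          # custody + records
    "dave":  {"systems_design", "program_maintenance"},    # design + maintenance
    "erin":  {"program_maintenance", "production_operations"},
    "frank": {"production_operations"},
}


def find_sod_violations(users, pairs=INCOMPATIBLE_PAIRS):
    """Return sorted (user, duty_a, duty_b) for every incompatible pair a user holds."""
    violations = []
    for user, duties in users.items():
        for a, b in pairs:
            if a in duties and b in duties:
                violations.append((user, a, b))
    return sorted(violations)


def min_collusion_size(users, duties_needed):
    """Smallest number of distinct users whose combined privileges cover every
    duty in duties_needed.  1 means a single person can push a transaction
    through unaided; None means the sample cannot complete it at all."""
    names = list(users)
    needed = set(duties_needed)
    for k in range(1, len(names) + 1):
        for group in combinations(names, k):
            if set().union(*(users[n] for n in group)) >= needed:
                return k
    return None


if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_USERS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    cycle = {"authorize_transactions", "process_transactions", "record_keeping"}
    print("people needed to complete a transaction:",
          min_collusion_size(SAMPLE_USERS, cycle))
```

In the constructed sample, carol, dave and erin each hold an incompatible pair, while the authorize/process/record cycle needs two people (alice plus bob), so fraud on that cycle would require collusion even though the pairwise rule is satisfied for those two.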

Disaster Recovery Planning

Disaster recovery plans (DRP) identify:
• actions before, during, and after the disaster
• the disaster recovery team
• priorities for restoring critical applications

Audit objective – verify that the DRP is adequate and feasible for dealing with disasters

What is an IT Audit?

IT audits:
• focus on the computer-based aspects of an organization’s information system
• assess the proper implementation, operation, and control of computer resources

Elements of an IT Audit

• Systematic procedures are used
• Evidence is obtained
- tests of internal controls
- substantive tests
• Determination of materiality for weaknesses found
• Prepare audit report & audit opinion

Audit Risk:
the probability the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.

Three Components of Audit Risk
Inherent risk – associated with the unique characteristics of the business or industry of the client
Control risk – the likelihood that the control structure is flawed because controls are either absent
or inadequate to prevent or detect errors in the accounts
Detection risk – the risk that errors not detected or prevented by the control structure will also
not be detected by the auditor

IT Controls Part II: Security and Access

Operating Systems

Perform three main tasks:
• translate high-level languages into machine-level language
• allocate computer resources to user applications
• manage the tasks of job scheduling and multiprogramming

Requirements for Effective Operating Systems Performance

• Protect itself from tampering by users
• Prevent users from tampering with the programs of other users
• Safeguard users’ applications from accidental corruption
• Safeguard its own programs from accidental corruption
• Protect itself from power failures and other disasters

Operating Systems Security

• Log-On Procedure
- first line of defense – user IDs and passwords
• Access Token
- contains key information about the user
• Access Control List
- defines access privileges of users
• Discretionary Access Control
- allows a user to grant access to another user

Access Privileges

• Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies

Audit procedures: review or verify…
- policies for separating incompatible functions
- a sample of user privileges, especially access to data and programs
- security clearance checks of privileged employees
- formal acknowledgements to maintain confidentiality of data
- users’ log-on times

Password Control

• Audit objectives: ensure the adequacy and effectiveness of password policies for controlling access to the operating system

Audit procedures: review or verify…
- passwords required for all users
- password instructions for new users
- passwords changed regularly
- password file for weak passwords
- encryption of password file
- password standards
- account lockout policies
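Three of the procedures above (passwords changed regularly, password file checked for weak passwords, account lockout policies) can be tested over a sample of account records. The block below is an added example and not code from these notes: the account records, salts, hashes, the tiny weak-password list and the policy values (90-day maximum age, lockout after 5 failures) are all constructed for the illustration. A real password file would store a slow key-derivation hash (bcrypt, scrypt or Argon2) rather than a single salted SHA-256; the audit logic is the same, only the hash function changes.

```python
# Added example (constructed data and assumed policy values): checks an auditor
# would run over a sample of account records against the password procedures.
import hashlib
from datetime import date

WEAK_PASSWORDS = ["password", "123456", "welcome1"]  # constructed, deliberately short
MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value
LOCKOUT_THRESHOLD = 5        # assumed policy value: failed attempts before lockout


def hash_password(password, salt):
    """Salted hash as stored in the (constructed) password file."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_account(user, password, salt, changed, failed=0, locked=False):
    """Build one constructed account record as the audit extract would show it."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt),
            "changed": changed, "failed": failed, "locked": locked}


SAMPLE_ACCOUNTS = [
    make_account("alice", "c0rrect-h0rse-b4ttery", "s1", date(2024, 2, 1)),
    make_account("bob",   "password",              "s2", date(2024, 2, 20)),            # weak
    make_account("carol", "Qx!9vLm#2pRa",          "s3", date(2023, 9, 1)),             # stale
    make_account("dave",  "Zt7$kW3nBv!e",          "s4", date(2024, 1, 15), failed=7),  # not locked
]


def weak_password_users(accounts, weak=WEAK_PASSWORDS):
    """Users whose stored hash matches a weak password under their own salt."""
    return sorted(a["user"] for a in accounts
                  if any(hash_password(w, a["salt"]) == a["hash"] for w in weak))


def stale_password_users(accounts, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Users whose password has not been changed within the policy period."""
    return sorted(a["user"] for a in accounts
                  if (today - a["changed"]).days > max_age)


def lockout_not_enforced(accounts, threshold=LOCKOUT_THRESHOLD):
    """Accounts at or above the failed-attempt threshold that are still unlocked,
    i.e. evidence the lockout policy is not actually applied."""
    return sorted(a["user"] for a in accounts
                  if a["failed"] >= threshold and not a["locked"])


def password_audit(accounts, today):
    """Collect all three findings for the audit working papers."""
    return {"weak": weak_password_users(accounts),
            "stale": stale_password_users(accounts, today),
            "lockout_not_enforced": lockout_not_enforced(accounts)}


if __name__ == "__main__":
    for finding, users in password_audit(SAMPLE_ACCOUNTS, date(2024, 3, 1)).items():
        print(f"{finding}: {users}")
```

Because the comparison is done by hashing each weak candidate with the account's own salt, the auditor never needs the plaintext passwords; the finding is simply that a stored hash equals one of the candidates.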

Malicious & Destructive Programs

• Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses

Audit procedures: review or verify…
- training of operations personnel concerning destructive programs
- testing of new software prior to being implemented
- currency of antiviral software and frequency of upgrades

Audit Trail Controls

• Audit objectives: verify whether audit trails are used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability

Audit procedures: review or verify…
- how long audit trails have been in place
- archived log files for key indicators
- monitoring and reporting of security violations
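Reviewing archived log files for key indicators, checking users' log-on times (Access Privileges above) and checking operations-room access logs for programmers entering outside a system failure (Audit Procedures above) are all the same kind of work: parse the log, then apply a small set of detections. The block below is an added example, not code from these notes: the log format, the user names, the business-hours window (08:00 to 18:00) and the failed-logon threshold (3 failures within 10 minutes) are all constructed or assumed for the illustration.

```python
# Added example (constructed log lines and assumed thresholds): key-indicator
# review over an archived log, covering failed-logon bursts, after-hours
# logons, and programmers entering the operations room with no open incident.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04 02:15:07 LOGON user=dave result=OK
2024-03-04 09:02:11 LOGON user=bob result=FAIL
2024-03-04 09:02:40 LOGON user=bob result=FAIL
2024-03-04 09:03:05 LOGON user=bob result=FAIL
2024-03-04 09:05:00 LOGON user=bob result=OK
2024-03-04 10:30:00 OPSROOM user=dave action=ENTER
2024-03-04 14:00:00 INCIDENT id=INC-1 state=OPEN
2024-03-04 14:10:00 OPSROOM user=erin action=ENTER
2024-03-04 15:00:00 INCIDENT id=INC-1 state=CLOSED
2024-03-04 17:45:00 LOGON user=alice result=OK
2024-03-04 22:30:00 OPSROOM user=erin action=ENTER
"""

PROGRAMMERS = {"dave", "erin"}   # constructed: staff whose job is program maintenance


def parse_log(text):
    """Turn 'date time KIND key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(f"{day} {clock}"), "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside any `window`."""
    fails = {}
    for ev in events:
        if ev["kind"] == "LOGON" and ev["result"] == "FAIL":
            fails.setdefault(ev["user"], []).append(ev["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return sorted(flagged)


def after_hours_logons(events, start_hour=8, end_hour=18):
    """Successful logons outside the assumed business-hours window."""
    return sorted((ev["ts"].isoformat(sep=" "), ev["user"]) for ev in events
                  if ev["kind"] == "LOGON" and ev["result"] == "OK"
                  and not start_hour <= ev["ts"].hour < end_hour)


def incident_windows(events):
    """(open, close) pairs per incident; an incident still open closes at the last event."""
    opened, windows = {}, []
    for ev in events:
        if ev["kind"] != "INCIDENT":
            continue
        if ev["state"] == "OPEN":
            opened[ev["id"]] = ev["ts"]
        elif ev["id"] in opened:
            windows.append((opened.pop(ev["id"]), ev["ts"]))
    if events:
        end = max(ev["ts"] for ev in events)
        windows.extend((start, end) for start in opened.values())
    return windows


def programmer_entries_without_incident(events, programmers=PROGRAMMERS):
    """Operations-room entries by programmers that fall inside no incident window."""
    windows = incident_windows(events)
    return [(ev["ts"].isoformat(sep=" "), ev["user"]) for ev in events
            if ev["kind"] == "OPSROOM" and ev["action"] == "ENTER"
            and ev["user"] in programmers
            and not any(start <= ev["ts"] <= end for start, end in windows)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(events))
    print("after-hours logons:", after_hours_logons(events))
    print("programmer ops-room entries with no incident:",
          programmer_entries_without_incident(events))
```

On the constructed sample, bob's three failures in under a minute, dave's 02:15 logon, and the two operations-room entries that do not fall inside INC-1 are the items the auditor would follow up; erin's 14:10 entry is covered by the open incident and is not reported.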

Two crucial database control issues:

Access controls
• Audit objectives: (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data
Backup controls
• Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data

Access Controls

• User views - based on sub-schemas
• Database authorization table - allows greater authority to be specified
• User-defined procedures - allow a user to create a personal security program or routine
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints, or signature characteristics

Internet and Intranet Risks

Communication is a unique aspect of computer networks:
- different from processing (applications) or data storage (databases)

Network topologies – configurations of:
- communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
- hardware components (modems, multiplexers, servers, front-end processors)
- software (protocols, network control systems)

Sources of Internet & Intranet Risks

Internal and external subversive activities
Audit objectives:
- prevent and detect illegal internal and Internet network access
- render useless any data captured by a perpetrator
- preserve the integrity and physical security of data connected to the network

Equipment failure
Audit objective: verify the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure

Risks from Subversive Threats

Include:
- unauthorized interception of a message
- gaining unauthorized access to an organization’s network
- a denial-of-service attack from a remote location

IC for Subversive Threats

Firewalls provide security by channeling all network connections through a control gateway.

• Network level firewalls
- Low cost and low security access control
- Do not explicitly authenticate outside users
- Filter junk or improperly routed messages
- Experienced hackers can easily penetrate the system
• Application level firewalls
- Customizable network security, but expensive
- Sophisticated functions such as logging or user authentication

Auditing Procedures for Subversive Threats

• Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
• Review data encryption security procedures
• Verify encryption by testing
• Review message transaction logs
• Test procedures for preventing unauthorized calls

IC for Equipment Failure

Line errors are data errors from communications noise.

Two techniques to detect and correct such data errors are:
- echo check - the receiver returns the message to the sender
- parity checks - an extra bit is added onto each byte of data, similar to check digits

Using a sample of messages from the transaction log:
- examine them for garbled contents caused by line noise
- verify that all corrupted messages were successfully retransmitted
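The two line-error techniques and the audit step that follows them are small enough to show end to end. The block below is an added example, not code from these notes: it attaches an even parity bit to each byte, simulates line noise by flipping bits, performs an echo check, and then runs the audit over a constructed transaction-log sample (message ids, contents and the "retransmitted" flags are all made up). The fourth sample message shows the limit of a single parity bit: two flipped bits in the same byte leave the parity unchanged, so the corruption is invisible to this check and the auditor should not treat a clean parity scan as proof that no message was garbled.

```python
# Added example (constructed messages and log): even parity per byte, an echo
# check, and the audit of a message sample for corruption and retransmission.


def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, so byte + bit is even."""
    return bin(byte).count("1") & 1


def encode(data: bytes):
    """Attach a parity bit to each byte: a frame is a list of (byte, parity) pairs."""
    return [(b, parity_bit(b)) for b in data]


def parity_errors(frame):
    """Indices of bytes whose stored parity no longer matches their contents."""
    return [i for i, (b, p) in enumerate(frame) if parity_bit(b) != p]


def flip_bit(frame, index, bit):
    """Simulate line noise: flip one bit of byte `index`, leaving its parity bit alone."""
    frame = list(frame)
    b, p = frame[index]
    frame[index] = (b ^ (1 << bit), p)
    return frame


def echo_check(sent: bytes, echoed: bytes):
    """Sender-side echo check: did the receiver return exactly what was sent?"""
    return sent == echoed


# Constructed transaction-log sample: (message id, frame as received, retransmitted?)
SAMPLE_LOG = [
    ("m1", encode(b"PO-1001"), False),                                  # clean
    ("m2", flip_bit(encode(b"PO-1002"), 2, 0), True),                   # corrupted, resent
    ("m3", flip_bit(encode(b"PO-1003"), 5, 3), False),                  # corrupted, never resent
    ("m4", flip_bit(flip_bit(encode(b"PO-1004"), 1, 0), 1, 1), False),  # two flips, parity blind
]


def audit_sample(log):
    """Return (ids with parity errors, ids with parity errors that were not retransmitted)."""
    corrupted = [mid for mid, frame, _ in log if parity_errors(frame)]
    not_resent = [mid for mid, frame, resent in log
                  if parity_errors(frame) and not resent]
    return corrupted, not_resent


if __name__ == "__main__":
    corrupted, not_resent = audit_sample(SAMPLE_LOG)
    print("garbled messages found by parity:", corrupted)
    print("garbled messages never retransmitted:", not_resent)
    print("echo check on an intact message:", echo_check(b"PO-1001", b"PO-1001"))
```

In the sample, parity finds m2 and m3, and only m3 is an exception for the working papers because it was never retransmitted; m4 is corrupted but passes the parity check, which is why the echo check (comparing the full returned message) catches cases a parity bit cannot.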

Electronic Data Interchange

Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.
• Audit objectives:
1. Transactions are authorized, validated, and in compliance with the trading partner agreement.
2. No unauthorized organizations can gain access to the database.
3. Authorized trading partners have access only to approved data.

Adequate controls are in place to ensure a complete audit trail.

EDI Risks

• Authorization
- automated and absence of human intervention
• Access
- need to access EDI partner’s files
• Audit trail
- paperless and transparent (automatic) transactions

EDI Controls

• Authorization
- use of passwords and value added networks (VAN) to ensure valid partner
• Access
- software to specify what can be accessed and at what level
• Audit trail
- control log records the transaction’s flow through each phase of the transaction processing

Auditing Procedures for EDI

• Tests of Authorization and Validation Controls
- Review procedures for verifying trading partner identification codes
- Review agreements with VAN
- Review trading partner files
• Tests of Access Controls
- Verify limited access to vendor and customer files
- Verify limited access of vendors to database
- Test EDI controls by simulation
• Tests of Audit Trail Controls
- Verify existence of transaction logs at key points
- Review a sample of transactions
