
A COMPARISON OF INTERNAL CONTROLS, WITH

SPECIFIC REFERENCE TO
COBIT, SAC, COSO, AND SAS 55/78

by
SUZANNE STEYN

SHORT DISSERTATION
SUBMITTED FOR THE PARTIAL FULFILMENT OF THE
REQUIREMENTS FOR
THE DEGREE OF
MASTER OF COMMERCE

in
COMPUTER AUDITING

in the
FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES

at the
RAND AFRIKAANS UNIVERSITY

STUDY LEADER: PROF. A. DU TOIT


NOVEMBER 1997
CONTENTS

CHAPTER                                                    PAGE

LIST OF ACRONYMS AND ABBREVIATIONS

SUMMARY IN AFRIKAANS                                       II

SYNOPSIS                                                   VIII

INTRODUCTION                                               1

A SUMMARY OF SAS55/78, COBIT, COSO AND SAC                 14

A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC         28

AN INTEGRATED REFERENCE FRAMEWORK FOR INTERNAL CONTROL     72

CONCLUSION                                                 89

BIBLIOGRAPHY                                               92

LIST OF ACRONYMS AND ABBREVIATIONS

AICPA - American Institute of Certified Public Accountants

COBIT - Control Objectives for Information and related Technology

IC - Internal Control

IT - Information Technology

COSO - Committee of Sponsoring Organizations of the Treadway Commission

SAC - Systems Auditability and Control

SAS - Statement on Auditing Standards

SDLCM - System Development Life Cycle Methodology

ISACF - Information System Audit and Control Foundation


A COMPARISON OF INTERNAL
CONTROL MEASURES WITH SPECIFIC REFERENCE TO
COBIT, SAC, COSO AND SAS 55/78

by
SUZANNE STEYN

SUMMARY OF THE DISSERTATION

SUBMITTED FOR
THE DEGREE OF
MAGISTER COMMERCII

in
COMPUTER AUDITING

in the
FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES

at the
RAND AFRIKAANS UNIVERSITY

STUDY LEADER: PROF. A. DU TOIT


NOVEMBER 1997

The purpose of this summary is to present the background, methodology and conclusion of the
research on the comparison of internal control measures, with specific reference to CobiT,
COSO, SAC and SAS55/78. This summary is set out under the following headings:

PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
RESEARCH METHODOLOGY AND LIMITATIONS
RESULTS
CONCLUSION

1. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH

Over the past years a great need has arisen for a reference framework for internal control and
security in a computer environment. This need arose after the National Commission on
Fraudulent Financial Reporting found that the most common reasons for the collapse of
business enterprises were not poor reporting, but poor ethics, corruption at top management
level, poor communication and incompetence.

A balance must be found between cost and risk control in a computer environment. It is clear
that a need exists for a framework of generally accepted computer security and control
practices. Management can use such a framework as an aid against which to measure their
existing, or a planned new, computer control environment. The framework can give users the
assurance that adequate security and control exist, while auditors can use the framework to
substantiate their audit opinion.

Several organisations have already undertaken to resolve the need for a generally accepted
framework. Each of these organisations, however, has a different idea of what such a
framework should look like, which causes confusion. ITSEC, TCSEC, ISO 9000 and COSO
each propose a different evaluation method, with the result that the implementation of good
internal computer control is hampered.

In order to clear up this confusion, specialists from across the world have participated in an
intensive research effort to develop an international framework that harmonises the standards
of 18 primary sources. The result of this effort is CobiT.

Four other published documents were also the result of continued efforts to define an
improved internal control environment. The Institute of Internal Auditors Research
Foundation developed a document called SAC. Likewise, the Committee of Sponsoring
Organisations of the Treadway Commission published an integrated framework which they
called COSO, while the American Institute of Certified Public Accountants published two
documents, namely SAS55 and SAS78.

CobiT, COSO, SAC and SAS55/78 each focus on a different facet of internal control, since
each addresses a different group of professional people. The purpose of this dissertation is to
determine whether CobiT can replace the other documents, since it would be cost-ineffective
to develop an additional framework if an existing document already satisfies the need for a
generally acceptable document. CobiT is compared with each of the other documents in order
to determine whether CobiT indeed offers a solution for all the internal control problems
currently experienced by audit firms and other organisations.

By comparing the four documents, and using input from other documents, a matrix was
developed that can be used as a framework for the selection of internal control measures.

2. RESEARCH METHODOLOGY AND LIMITATIONS

The dissertation focuses on the comparison of internal control measures. Although several
documents exist that deal with internal control, only the following five documents were
concentrated on:

CobiT - The Information Systems Audit and Control Foundation;
SAC - The Institute of Internal Auditors Research Foundation;
COSO - The Committee of Sponsoring Organisations of the Treadway Commission;
SAS55 - The American Institute of Certified Public Accountants; and
SAS78 - The American Institute of Certified Public Accountants.

Methodology

A literature study of existing authoritative literature on internal control frameworks was
carried out. A matrix was developed from the existing frameworks, which serves as an aid for
choosing the most appropriate framework.

After all the information had been obtained, a comparison was made between the internal
control measures propagated by CobiT and the other documents. A conclusion was reached
that CobiT is indeed the best framework to use from an auditor's point of view.

In order to delimit the field of study and thereby make a meaningful study possible, the
following were excluded:

All documents, discussions, frameworks, guidelines, codes and practice approaches on
internal control, with the exception of the following, which were included:

CobiT - The Information Systems Audit and Control Foundation;
SAC - The Institute of Internal Auditors Research Foundation;
COSO - The Committee of Sponsoring Organisations of the Treadway Commission; and
SAS55/78 - The American Institute of Certified Public Accountants;

COSO's reporting to external parties;

SAC modules 11-13:
Module 11: Emerging technologies;
Module 12: The master index;
Module 13: Advanced technology supplement; and

CobiT: the framework and executive summary.


3. RESULTS AND CONCLUSIONS

This dissertation offers a summary of each of the four documents so that each document can
be better understood. The documents are compared and procedures are established to make it
possible to choose between the four frameworks. The procedures are summarised in a matrix
in which the documents are weighed against each other according to the focus point that is
given priority.

The study proceeds as follows:

3.1 A summary of each of the four frameworks;
3.2 A comparison of the four documents; and
3.3 The results of the comparison and the development of the matrix.

3.1 A summary of each of the four documents

A summary is made of each of the four documents in order to provide readers with the
information they need to understand the comparison of the documents fully and to identify
differences between the documents.

3.2 A comparison of the four documents

The reason for the comparison is established and external auditors' needs are analysed in
order to determine which focus points would be of importance to them. Approximately thirty
focus points are identified for comparison. The thirty focus points are set out in table format
and the four documents are then analysed with reference to each focus point. In this way the
strengths and weaknesses of each document are identified.

In certain cases all four documents emphasise different aspects of a specific focus point,
which are nevertheless all equally important. In such a case a combination of the four
documents will form the ideal control measure. In other cases only two of the four documents
pay attention to a specific focus point, which is thus identified as a weakness in the two
documents that disregard the focus point concerned.

3.3 The results of the comparison and the development of the matrix

The thirty focus points are divided into fifteen groups and the results of the comparison are
discussed. From the comparison it was easy to determine which document addresses each of
the focus points best. A matrix is developed that indicates which document to use with which
focus point in mind. From the matrix it was established that CobiT addresses 25 of the thirty
focus points, SAC 15, COSO 12 and SAS 13.

4. CONCLUSION

Although there will be cases where one of the other documents will set better standards for
internal control, it appears that CobiT can replace the others to a large extent.

The strengths of the other documents are as follows:

No other document describes the audit process better than SAS.

SAC identifies certain case studies and then discusses internal control with reference to
these case studies. If one of these case studies applies specifically to an organisation, no
document will discuss the control measures better than SAC.

COSO is a valuable aid for persons without any background in internal control, in that it
provides them with essential evaluation tools.

This dissertation thus offers an example of how to choose between the different frameworks
for a specific organisation. The matrix in no way attempts to lay down rigid rules that must
necessarily be followed when choosing a suitable framework. It is merely an aid that an
auditor can use to reach a decision on the most suitable framework for a given organisation.

SYNOPSIS

1. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS SHORT DISSERTATION

Internal control has come under the attention of many organizations, and each has its own
views on the most appropriate framework and evaluation methods to be adopted for specific
purposes. As a result of the confusion arising from the different evaluation methods that are in
vogue, the implementation of good information technology controls is hampered.

Experts from around the world have participated in exhaustive research to develop an
internationally acceptable tool that harmonizes standards. Their work has culminated in the
development of CobiT.

SAC, COSO, SAS55 and SAS78 were also the result of continuing efforts to define, assess,
report on and improve internal control, but each of these documents addresses a different
audience, and therefore focuses on different aspects of internal control, and may even
completely disregard some areas which may be of crucial importance to other users.

It has been suggested that CobiT can replace COSO, SAC, and SAS 55/78, and there is a need
to determine whether this is indeed the case. This short dissertation attempts to answer this
question, while also putting in place a matrix to aid auditors in deciding which framework to
use for a given application.

2. RESEARCH METHODOLOGY

A literature survey has been done on existing authoritative text books and other literature,
such as material available on the Internet.

The information obtained in the literature survey established a sound basis for a
comparison of CobiT, COSO, SAC and SAS55/78, and the construction of a decision-
making matrix.

3. SCOPE AND LIMITATIONS

This short dissertation focuses on the comparison of internal controls. Although different
documents deal with this topic, this project focuses on five authoritative source documents
recently released by well-known institutions:

CobiT - The Information Systems Audit and Control Foundation;


SAC - The Institute of Internal Auditors Research Foundation;
COSO - The Committee of Sponsoring Organizations of the Treadway Commission;
SAS55 - The American Institute of Certified Public Accountants; and
SAS78 - The American Institute of Certified Public Accountants.

The following exclusions apply to this short dissertation:

- All documents, discussions, frameworks, guidelines, and codes of practice dealing with
  internal controls, and all approaches to the subject, except CobiT, SAC, COSO and SAS55/78;
- COSO Reporting to External Parties;
- SAC modules 11-13; and
- CobiT: Framework and Executive Summary.

4. RESULTS AND CONCLUSION

In summary, this research has provided a basis for understanding each of the five source
documents, as well as a procedure for deciding which framework to use for a given purpose.
A summary of each document was made to establish a basis for the identification of the
differences between the documents, after which thirty focus points were identified. The five
source documents were compared with reference to each focus point. From the comparison it
was easy to determine the strengths and weaknesses of each document.

Finally, a matrix was constructed indicating which document to use for each focus point. It
was also determined that CobiT dealt effectively with twenty-five of the focus points, while
SAC dealt with fifteen, COSO with twelve, and SAS with thirteen. From these results one
could conclude that CobiT can indeed replace the other documents as a universal framework
for internal control.

5. CONCLUSION

The research merely sought to provide an example of how to decide which framework to use
for a specific organization or purpose. No effort has been made to establish a rigid set of rules
to follow in all cases in order to decide on a framework. Nevertheless, the author believes that
this study can assist auditors in deciding on the most appropriate framework and methodology
to adopt for a given purpose, and will provide them with arguments to convince management
of the soundness of their decision.
CHAPTER 1

INTRODUCTION

CONTENTS PAGE

1.1. BACKGROUND 2

1.1.1 Internal control 2

1.1.2 A comparison of a few control concepts 3

1.2. PROBLEM DESCRIPTION 5

1.3. OBJECTIVE OF THIS RESEARCH 6

1.4. SCOPE, LIMITATIONS AND EXCLUSIONS 6

1.4.1 The predefined environment 6

1.4.2 Limitations/exclusions 7

1.5. DEFINITIONS AND METHODOLOGY 7

1.5.1 Definitions 7

1.5.2 Methodology 10

1.6. RESEARCH APPROACH 11

1.7. SUMMARY OF RESULTS 11

1.8. CONCLUSION 12

1.1 BACKGROUND

1.1.1 Internal Control

For many companies and organisations the documents SAC, COSO, SAS55/78 and CobiT set
the standards for internal control. The problem is that these documents were all developed by
different bodies, each concerned with providing its own audience with frameworks and
evaluation methods for internal control appropriate to that audience's needs. It is therefore
unavoidable that some discrepancies and disparities exist between these documents,
although they all deal with essentially the same aspects of internal control.

The four documents define internal control as follows:

• SAC: A set of processes, functions, activities, subsystems, and people who are grouped
  together or consciously segregated to ensure the effective achievement of specific
  objectives which has to be translated into measurable goals.

• COSO: A process, effected by an entity's board of directors, management, and other
  personnel, designed to provide reasonable assurance regarding the achievement of
  objectives in the following categories:
  - Effectiveness and efficiency of operations;
  - Reliability of financial reporting; and
  - Compliance with applicable laws and regulations.

• SAS78: A process, effected by an entity's board of directors, management, and other
  personnel, designed to provide reasonable assurance regarding the achievement of
  objectives in the following categories:
  - Reliability of financial reporting;
  - Effectiveness and efficiency of operations; and
  - Compliance with applicable laws and regulations.

• CobiT: The policies, procedures, practices, and organisational structures designed to
  provide reasonable assurance that business objectives will be achieved and that
  undesired events will be prevented or detected and corrected.

From the definitions one can conclude that SAC views internal control as a system (a set of
functions and people and their interrelationship). It identifies people as an integral part of the
internal control system. SAC also states that objectives should be translated into measurable
goals. Although COSO also accentuates internal control as a process that is an integrated part
of business activities, it notes that the people involved are members of the board of directors,
management or other entity personnel. COSO places objectives into three categories called
operational, financial reporting, and compliance.

The SAS definition is exactly the same as the COSO definition, but it emphasises the
importance of reliable financial reporting, while COSO shifts the emphasis to effectiveness and
efficiency of operations. The CobiT definition emphasises the importance of internal control
as a process that includes organisational structures, policies, practices and procedures that
support business processes. It classifies people as a primary resource that is managed by
various information technology processes. CobiT also states that processes support
operational objectives, that these processes are in turn supported by information through IT
resources, and that business requirements for that information are only satisfied through
adequate control measures.

From the definitions one can conclude that all four documents are familiar with the concept of
reasonable assurance in relation to internal control and acknowledge the concept of
cost/benefit, and that they are equally conscious of the negative result that could flow from not
implementing all controls effectively.

1.1.2 A comparison of a few control concepts

The easiest way to identify the strengths and weaknesses of each of these documents is to
compare them. This is proved by Table 1.1.

Table 1.1 Comparison of Control Concepts (Colbert & Bowen, 1996: 26).

Primary Audience
  CobiT:      Management, users, information system auditors
  SAC:        Internal auditors
  COSO:       Management
  SAS 55/78:  External auditors

IC viewed as a
  CobiT:      Set of processes including policies, procedures, practices, and organizational structures
  SAC:        Set of processes, subsystems, and people
  COSO:       Process
  SAS 55/78:  Process

IC Objectives
  CobiT:      Effective & efficient operations; confidentiality, integrity and availability of
              information; reliable financial reporting; compliance with laws & regulations
  SAC:        Effective and efficient operations; reliable financial reporting; compliance with
              laws & regulations
  COSO:       Effective and efficient operations; reliable financial reporting; compliance with
              laws & regulations
  SAS 55/78:  Reliable financial reporting; effective and efficient operations; compliance with
              laws & regulations

Components or Domains
  CobiT:      Domains: Planning and organization; Acquisition and implementation; Delivery and
              support; Monitoring
  SAC:        Components: Control environment; Manual & automated systems; Control procedures
  COSO:       Components: Control environment; Risk management; Control activities;
              Information & communication; Monitoring
  SAS 55/78:  Components: Control environment; Risk assessment; Control activities;
              Information & communication; Monitoring

Focus
  CobiT:      Information technology
  SAC:        Information technology
  COSO:       Overall entity
  SAS 55/78:  Financial statement

IC Effectiveness Evaluated
  CobiT:      For a period of time
  SAC:        For a period of time
  COSO:       At a point in time
  SAS 55/78:  For a period of time

Responsibility for IC system
  CobiT:      Management
  SAC:        Management
  COSO:       Management
  SAS 55/78:  Management

Size
  CobiT:      187 pages in four documents
  SAC:        1193 pages in 12 modules
  COSO:       353 pages in four volumes
  SAS 55/78:  63 pages in two documents

From this comparison in table 1.1 it is clear that SAC offers assistance to internal auditors on
the control and audit of IT, while COSO tells management how to evaluate, report, and
improve control systems. SAS55 and SAS78 guide external auditors on the impact of internal
control on planning and performing an audit of an organisation's financial statements. CobiT
is a tool for business process owners to discharge their computer control responsibilities
(Colbert & Bowen, 1996:26).

1.2. PROBLEM DESCRIPTION

1.2.1 Introduction

In the past few years, it has become evident to lawmakers, regulators, users of IT and service
providers that there is a need for a reference framework for security and control in an
information technology (IT) environment. This became evident when the National
Commission on Fraudulent Financial Reporting (Treadway) revealed that the most common
causes of breakdown were not poor record keeping but bad ethics, corruption at the top,
incompetence and poor communication (ISACF, 1996: 12).

Management has to find a balance between risk control in an IT environment and the costs
involved. They therefore need a framework for generally accepted IT security and control
practices to benchmark their existing and planned IT environment. Users of IT services, on
the other hand, need to be assured, by the performance of audits, that adequate security and
control exist and, last but not least, auditors need a framework to substantiate their opinion on
internal control to management (ISACF, 1996).

Many organizations have become aware of the need for reliable internal control, but each has
its own ideas of the most appropriate framework and evaluation methods to be used. The
implementation of good IT controls is hampered by the confusion arising from the different
evaluation methods advocated by ITSEC, TCSEC, ISO 9000 and the emerging COSO
methodology.

To overcome this confusion, experts from around the world have participated in exhaustive
research to develop an international tool that harmonizes standards from 18 different primary
sources world-wide. These people were instrumental in the development of the Information
System Audit and Control Foundation's CobiT.

The four other documents with which this dissertation deals were also the result of continuing
efforts to define, assess, report on and improve internal control. They are:

• System Auditability and Control, drafted by the Institute of Internal Auditors Research
  Foundation;
• Internal Control-Integrated Framework, drafted by the Committee of Sponsoring
  Organizations of the Treadway Commission;
• Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55),
  drafted by the American Institute of Certified Public Accountants; and
• The latter was amended by Consideration of Internal Control in a Financial Audit: An
  Amendment to SAS 55 (SAS 78).

1.3 OBJECTIVE OF THIS RESEARCH

There exists a need to determine whether CobiT can indeed replace COSO, SAC, and SAS
55/78. In order to prevent the expensive process of reinventing a similar product it is
important to subject the CobiT project to a detailed study. CobiT should also be compared
with other documents to see if the approach it advocates will indeed resolve all the internal
control discrepancies currently experienced by audit firms and other organizations.

By comparing the four documents, and drawing on other documents, a matrix will be prepared
that will serve as a framework and evaluating method for internal control.

1.4 SCOPE, LIMITATIONS AND EXCLUSIONS

1.4.1 The predefined environment

This short dissertation focuses on the comparison of internal controls. Although there are
many documents that deal with this topic, this project focuses on five documents recently
released by well-known institutes, and which have already been referred to above, i.e.:
• CobiT The Information Systems Audit and Control Foundation;
• SAC The Institute of Internal Auditors Research Foundation;
• COSO The Committee of Sponsoring Organizations of the Treadway Commission;
• SAS55 The American Institute of Certified Public Accountants; and
• SAS78 The American Institute of Certified Public Accountants.

1.4.2 Limitations and exclusions

Because of the limitations imposed on the length of this dissertation, the study is restricted to
the five documents published by the four bodies mentioned above, in other words:

• CobiT - The Information Systems Audit and Control Foundation;
• SAC - The Institute of Internal Auditors Research Foundation;
• COSO - The Committee of Sponsoring Organizations of the Treadway Commission; and
• SAS55/78 - The American Institute of Certified Public Accountants.

With the exception of these five documents, no other documents, discussions, frameworks,
guidelines, or codes of practice were considered. The following documents emanating from
these four bodies have also been excluded:

• COSO Reporting to External Parties (September 1992);
• SAC modules 11-13
  - Module 11: Emerging Technologies (June 1994)
  - Module 12: Master index (December 1991)
  - Module 13: Advanced Technology Supplement (June 1994); and
• CobiT
  - Framework
  - Executive Summary.

1.5 DEFINITIONS AND METHODOLOGY

1.5.1 Definitions

CobiT defines control as: The policies, procedures, practices, and organizational
structures, designed to provide reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or detected and corrected
(CobiT, 1996:9).

From an auditing perspective, it is necessary to enquire whether there are policies and
procedures in place to ensure that an entity will record, process, summarize, and report
financial data in a manner consistent with the assertions embodied in its financial statements
(SAS55,1988: 4). In a computerized environment data is captured by entering "events", in the
form of "messages", onto a data application system which draws on computer technology,
facilities and people to deliver information, usually referred to as the system's "service
output" (see below for definitions of words in italics).

COSO defines control as: Exercising, restraining, or directing influence; power or authority
to guide or manage direction, regulation and co-ordination of business activities; and a
mechanism used to regulate or guide the operation of a system (COSO, 1992:101).

Internal: Existing or situated within the limits or surface of something (for the purposes of
this study the "something" is an entity or enterprise) (COSO, 1992:101).

Data: Data is defined in its widest sense. It can be external or internal, structured or
unstructured, and it can be in the form of text, graphics, sound etc. (CobiT, 1996:9).

Application system: The sum of manual and programmed procedures (CobiT, 1996:9).

Technology: Computer hardware, operating systems, database management systems,
networking, multimedia etc. (CobiT, 1996:9).

Facilities: Resources to house and support information systems (CobiT, 1996:9).

People: Staff skills, awareness and productivity appropriate for the planning, organizing,
acquisition, delivery, support and monitoring of information systems and services
(CobiT, 1996:9).

Certain control objectives should be kept in mind when constructing internal control policies
and procedures for a computerized environment.

Control objective: A statement of the desired result or purpose to be achieved by
implementing control procedures in a particular activity (CobiT, 1996:9).

The control objective should make provision for:

COMPLETENESS of input, processing, file-updating and output.

ACCURACY of input, processing, file-updating and output.

INTEGRITY of data both in a transient (being manipulated) and a static (having been
updated) state.

AUTHORITY/VALIDITY of business processing.

CONTINUITY: ensuring that the product is operating, and is capable of continuing to operate
in accordance with business practice and management expectations (Diamianides, 1991:5).
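The five control objectives just listed, as an added example that is not part of the dissertation and not code from any of the bodies it discusses: each objective is expressed as a concrete application control over a constructed batch of payment records, so that a failed control produces a finding labelled with the objective it serves and the ledger is left untouched. The batch layout, the user names, the account-number prefix, the second-approval limit and all function names are assumptions of mine.

```python
"""Added illustration of the control objectives (completeness, accuracy, integrity,
authority/validity, continuity) as application controls. Not part of the dissertation;
the batch layout, users, account format and limits below are constructed assumptions."""
import hashlib
import json
from copy import deepcopy
from decimal import Decimal, InvalidOperation

AUTHORISERS = {"bob", "dave"}               # assumed: users permitted to approve payments
SECOND_APPROVAL_LIMIT = Decimal("500.00")   # assumed: above this a second approver is required
ACCOUNT_PREFIX = "ACC-"                     # assumed account-number format


def record_digest(rec):
    """INTEGRITY (transient state): SHA-256 over the canonical business fields."""
    canonical = json.dumps({k: rec.get(k) for k in ("id", "account", "amount")}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def seal(rec):
    """The sending system attaches the digest; the receiving system recomputes it."""
    rec = dict(rec)
    rec["digest"] = record_digest(rec)
    return rec


def make_sample_batch():
    """Constructed input: three payments plus a header carrying batch control totals."""
    records = [
        seal({"id": "T1", "account": "ACC-1001", "amount": "200.00",
              "prepared_by": "alice", "approved_by": "bob"}),
        seal({"id": "T2", "account": "ACC-1002", "amount": "250.00",
              "prepared_by": "alice", "approved_by": "bob"}),
        seal({"id": "T3", "account": "ACC-1003", "amount": "1000.00",
              "prepared_by": "carol", "approved_by": "bob", "second_approved_by": "dave"}),
    ]
    return {"header": {"record_count": 3, "control_total": "1450.00"}, "records": records}


def parse_amount(text):
    """ACCURACY: accept only a positive amount with at most two decimal places."""
    try:
        amt = Decimal(str(text))
        if amt.is_nan() or amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            return None
        return amt
    except InvalidOperation:
        return None


def validate_batch(batch):
    """Return a list of (objective, message) findings; an empty list means the batch passes."""
    findings = []
    recs = batch["records"]
    amounts = {}
    for r in recs:
        rid = r.get("id")
        amt = parse_amount(r.get("amount", ""))
        if amt is None:
            findings.append(("accuracy", f"{rid}: amount is not a positive two-decimal value"))
        else:
            amounts[rid] = amt
        if not str(r.get("account", "")).startswith(ACCOUNT_PREFIX):
            findings.append(("accuracy", f"{rid}: malformed account number"))
        # INTEGRITY (transient): the record must still match the digest it was sealed with
        if r.get("digest") != record_digest(r):
            findings.append(("integrity", f"{rid}: record altered after sealing"))
        # AUTHORITY/VALIDITY: an authorised approver who is not the preparer; large
        # amounts additionally need an independent second approver
        approver = r.get("approved_by")
        if approver not in AUTHORISERS or approver == r.get("prepared_by"):
            findings.append(("authority", f"{rid}: not approved by an independent authoriser"))
        if amt is not None and amt > SECOND_APPROVAL_LIMIT:
            second = r.get("second_approved_by")
            if second not in AUTHORISERS or second in (approver, r.get("prepared_by")):
                findings.append(("authority", f"{rid}: amount over limit without second approval"))
    # COMPLETENESS: record count and control total must agree with the batch header
    hdr = batch["header"]
    if len(recs) != hdr["record_count"]:
        findings.append(("completeness", "record count differs from header"))
    if sum(amounts.values(), Decimal("0")) != Decimal(hdr["control_total"]):
        findings.append(("completeness", "control total differs from header"))
    return findings


def new_ledger():
    return {"balances": {}, "chain_head": "genesis"}


def apply_batch(ledger, batch):
    """CONTINUITY: the ledger is updated all-or-nothing; on any finding the caller's
    ledger object is left exactly as it was, so processing can resume from a known state.
    INTEGRITY (static state): every applied batch extends a hash chain over the ledger."""
    findings = validate_batch(batch)
    if findings:
        raise ValueError(findings)
    new = deepcopy(ledger)
    for r in batch["records"]:
        new["balances"][r["account"]] = new["balances"].get(r["account"], Decimal("0")) + Decimal(r["amount"])
    chain_input = new["chain_head"] + "".join(r["digest"] for r in batch["records"])
    new["chain_head"] = hashlib.sha256(chain_input.encode()).hexdigest()
    return new


if __name__ == "__main__":
    print(apply_batch(new_ledger(), make_sample_batch())["balances"])
```

Tampering with one amount after sealing trips three controls at once: the digest no longer matches (integrity), the control total no longer agrees (completeness) and, if the new amount crosses the limit, the missing second approval (authority), which is the layered effect the objectives are meant to produce.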

CobiT determines that information needs to conform to seven criteria, or business
requirements, to satisfy business objectives (CobiT, 1996:9):

Effectiveness: Whether the information is pertinent to the business process and is delivered
in a timely, correct, consistent and usable manner.

Efficiency: Whether the information is being provided by using resources optimally, i.e. in
the most productive and economical way.

Confidentiality: Whether sensitive information is adequately protected from unauthorized
disclosure.

Integrity: Whether the information is valid and sufficiently accurate and complete to satisfy
business values and expectations.

Availability: Whether information is available when required by the business process and
whether the resources and associated capabilities needed in order to make the information
available are adequately safeguarded.

Compliance: Whether the entity is complying with externally imposed business criteria, such
as laws, regulations and contractual arrangements to which the business process is subject.

Reliability of Information: Whether appropriate information is made available to enable
management to operate the entity and exercise its financial and compliance reporting
responsibilities.

1.5.2 Methodology

The following methodology has been used:

In this chapter, the need for research to compare the internal controls propagated by SAC,
COSO, CobiT and SAS55/78 respectively has been established, and it has also been
established that there is a need to determine whether any of these is able to satisfy current
needs in full, or whether two or more of them may have to be used in concert.

In chapters 2 and 3 a comparison will be made between CobiT, SAS 55/78, COSO and SAC
with the emphasis on their respective strengths and weaknesses and their appropriateness for
the purposes of an auditing firm. Chapter 4 will consist of a framework developed from the
research, summarizing the results of the previous chapters. Chapter 5 will conclude the short
dissertation, and indicate whether its objectives have been met.

1.6 RESEARCH APPROACH

A literature survey has been undertaken of existing authoritative documents and other
background material, as well as discussions with people with technical knowledge, on the
SAC, COSO, SAS and CobiT frameworks.

With all the information obtained in the literature survey a comparison has been made between
the internal controls propagated by CobiT and the internal controls advocated in each of the
other frameworks. A conclusion was then drawn as to whether CobiT is the most appropriate
framework for an auditing firm to adopt.

1.7 SUMMARY OF RESULTS

The main problem identified is the choice to make between four well-known frameworks for
internal control. Each of these documents was developed by a different organization with a
specific audience in mind, which has resulted in many discrepancies between the four
documents.

In summary, this research provides a basis for understanding each of these documents, as well
as providing a procedure for deciding which framework to use.

In chapter 2 each document is summarized in order to provide the reader with background
information regarding the documents. The summaries also expand the reader's knowledge
regarding internal control, thus preparing readers for the comparison in chapter 3. The
summaries establish a basis for the identification of the differences between the documents.

In chapter 3 more penetrating reasons for a comparison of the documents are identified. This
research focuses on an external auditor's point of view, and thirty points of focus of particular
interest to the auditor are identified from the four documents. These thirty focus points
were captured in a table and the four documents were compared with reference to each focus
point. This seemed to be the best way to identify the strengths and weaknesses of each
document. In some instances all four documents devoted considerable attention to the same
focus points, but concentrated on different, though equally important, aspects. In such
instances a combination of the documents would provide an ideal framework.
In other instances, only two of the four documents dealt with a given focus point, and in these
instances it seems clear that the documents omitting this particular focus point could be
regarded as flawed by the omission.

In chapter 4 the thirty points of focus were grouped together into fifteen groups, and the
results of the comparison discussed for each group individually. From the comparison it was
easy to determine which document provided the best approach to the focus point and a
conclusion could thus be reached after each group was discussed.

In the conclusion of chapter 4 a matrix is presented indicating which documents to use for
which focus points. We conclude that CobiT provides the best approach for 25, SAC for 15,
COSO for 12 and SAS for 13 of the focus points. From these results one could conclude that
CobiT can indeed replace the other documents in most cases as a basis for internal control.

There are indeed still instances where the other documents will set better standards for internal
control than CobiT. Because SAS is solely focused on the audit process, none of the other
documents is better able to explain the audit process than SAS. Because SAC identifies certain
scenarios and discusses in detail the internal control procedures that would be appropriate to
these scenarios, no other document would be able to explain the control issues better than
SAC in cases where one of these scenarios is applicable to a specific organization. COSO,
again, is a very helpful document for a person without an audit background because it
provides evaluation tools with examples of how to use them.

It is therefore not always easy to determine which document to use for a particular purpose.
The research therefore merely provides guidelines on how to decide which framework to use
for a specific organization. The research in no way attempts to provide a rigid set of rules
prescribing which framework to use. Nevertheless, it will almost certainly assist auditors in
deciding on an appropriate framework as well as providing them with a rational basis to
convince management of the appropriateness of their choice.

1.8 CONCLUSION

The objective of this short dissertation has been met; that is, to help the auditor to decide
which document or combination of documents to use as a guideline for internal control, and to
determine whether CobiT can indeed replace COSO, SAC and SAS55/78 for most or all
purposes.

By using the comparison of the four documents in chapter 3, an auditor will be able to
determine which document or documents are most suitable for a specific control objective.
This will aid auditors in deciding which framework to use for their own work, as well as
providing them with sound arguments to convince a client which framework to use for internal
control in a given case.

By using the matrix developed in chapter 4 auditors can now:

• Determine which document to use, depending on what their focus point is going to be;
• Decide which document to recommend to their customers, taking into account the focus
points of the customer; and
• Determine whether CobiT is suitable to replace the other three documents.

The matrix and comparison do not attempt to provide auditors with a rigid set of rules to
follow when making a decision regarding the documents, but merely set an example of how to
make such a decision.

It is hoped that this short dissertation will open new fields for academic research in the area of
internal control. A specific organization can be identified, focus points for that organization
can be determined, and an investigation can then be undertaken into which document will be
most suitable for the purposes of the organization being studied.

This research focused on an auditor's perspective. Research can also be performed from
management's perspective or from the Information System department's perspective. The
points of focus were not compared in detail. Academic research can also be performed in
more detail on specific points of focus.

CHAPTER 2

A SUMMARY OF SAS55/78, COBIT, COSO AND SAC

CONTENTS PAGE

2.1. OBJECTIVE 15

2.2. NATURE OF THE LITERATURE SURVEY 15

2.3 SCOPE, LIMITATIONS AND EXCLUSIONS 16

2.3.1 Scope 16

2.3.2 Limitations and exclusions 16

2.4 BACKGROUND 17

2.5 SUMMARY OF COBIT 18

2.6 SUMMARY OF SAS55/78 20

2.7 SUMMARY OF SAC 22

2.8 SUMMARY OF COSO 24

2.9 CONCLUSION 26

2.1 OBJECTIVE

In order to derive maximum benefit from the literature survey, the objectives have been
defined to allow comparative analysis of references and to facilitate the analysis of strengths
and weaknesses in frameworks for internal control. The objectives for this chapter are to
obtain authoritative views on:

• CobiT;
• SAS 55/78;
• SAC; and
• COSO.

2.2 NATURE OF THE LITERATURE SURVEY

To ensure credibility and acceptance of the findings and proposals of this short dissertation, it
is essential that the underlying concepts should be based on authoritative views and be
generally accepted among business and computer auditing professionals. Theory based on an
individual's experience without taking generally accepted professional views into account may
be subject to personal bias. Other factors which may introduce bias are the individual's
background and the absence of formal research. To avoid these problems, references have
been restricted to documents mainly used by auditors and auditing firms and to authoritative
frameworks (Lubbe, 1995: 15). The main sources of these documents are:

• The Institute of Internal Auditors Research Foundation;
• The Information Systems Audit and Control Foundation;
• The Committee of Sponsoring Organisations of the Treadway Commission; and
• The American Institute of Certified Public Accountants.

The reasons for choosing these sources are the following:

• In their publications, they present most of the internationally accepted guidelines and
frameworks for internal control.
• The emphasis on auditor-related sources provides more and better background for
finding risks relevant to the auditor involved in auditing internal controls.
• In total, their documented findings represent a properly balanced view of internal
controls and of the frameworks needed to evaluate them in an entity.

Each of the documents will be discussed and, where necessary, material drawn from the
sources representing the different views on internal control will also be included.

2.3 SCOPE, LIMITATIONS AND EXCLUSIONS

2.3.1 Scope

Existing internal control frameworks, or principles governing internal controls, with various
focus points had to be surveyed in order to establish a representative framework for internal
control. The purpose when examining existing frameworks and documentation was not to
attempt to include every possible point of view on internal control, but rather to identify the
basic focus points of internal control about which there was some degree of consensus in the
literature. Each of the documents examined deals in some detail with internal control
principles, objectives, risks, the control environment, the audit process and the monitoring of
internal control, and these issues had to be analysed in greater depth in our main sources.

Once the main source documents, CobiT, COSO, SAS55/78 and SAC had been examined,
other relevant literature was then surveyed for the absence or presence of any important
information on internal control from an auditor's point of view. These points were compared
and only the strengths of each document were included in the final representative framework.

2.3.2 Limitations and Exclusions

To achieve the objectives of the literature survey, it was necessary to examine and analyse
control frameworks from as many points of view and in as much detail as possible. However,
in the context of a short dissertation, the following limitations and exclusions had to be placed
on the scope of the literature survey:

• Only issues raised in discussions dealing with non-technical aspects of internal control
were included. Sections in the sources which dealt with technical issues, such as
telecommunications, business systems, end-user departments, etc. were thus excluded.
• Because the objectives of the survey require authoritative references, sources of
doubtful authority, as well as individual opinions, were ignored.
• Because this short dissertation is principally concerned with a comparison of SAC,
COSO, CobiT and SAS, only comparative information was considered. Certain
detailed areas of discussion which were exclusive to particular documents, such as
SAC's continuity planning and COSO's reporting to external parties, therefore had to
be excluded.

A great deal of preparatory work was done to ensure that the short dissertation would be
based on sound theory. The limitations and exclusions imposed on the author did not detract
from the overall objectives of the study; in fact, they imposed a discipline on the work by
narrowing the investigation down to the principal issues which are relevant in a short
dissertation of this nature.

2.4 BACKGROUND

The source material was briefly surveyed to identify the principles for internal control in as
detailed a manner as possible, bearing in mind the objectives of this survey. The idea of
comparing the four documents, SAC, COSO, CobiT and SAS 55/78, in order to determine
which one provides us with the most generally acceptable framework, was conceived by Janet
L. Colbert and Paul L. Bowen in 1996. When the three documents COSO, SAC and CobiT
were compared with the auditing guidelines for internal control provided by SAS55/78, a
proper link between these documents and audit-related references was found. The objective
of the guidance notes in this chapter is to introduce the four documents to a computer
auditor and highlight the basic differences between them. They will also assist the computer
auditor in making a decision about which model to use, and they contain summaries of CobiT,
SAS55/78, SAC and COSO.

2.5 SUMMARY OF COBIT (CONTROL OBJECTIVES FOR
INFORMATION AND RELATED TECHNOLOGY)

The design objective of CobiT was that it should:

• Serve as a framework of generally applicable good practice governing information
services security and the control of information technology.
• Establish a benchmark for management against which they can measure their security
and control practices in the information technology environment.
• Assure users of information technology services that adequate security and control
exist to enable auditors to substantiate their opinions on internal control and to advise
management on information technology security and control matters.
• Facilitate the development of clear policy and good practices for information
technology control throughout industry world wide (Colbert & Bowen, 1996: 26).

CobiT consists of an Executive Summary, a Framework for Control of
Information Technology, a list of Control Objectives, and a set of Audit Guidelines. The audit
guidelines and control objectives are referenced back to the framework (Colbert & Bowen,
1996: 26).

Like SAS78, CobiT adapted part of its definition of control from COSO: the policies,
procedures, practices, and organisational structures designed to provide reasonable
assurance that business objectives will be achieved, and that undesired events will be prevented
or detected and corrected. The rest of CobiT's definition was adapted from that part of
SAC's definition which stipulates the desired result or purpose to be achieved by implementing
control procedures in a particular information technology activity (Colbert & Bowen,
1996: 26).

The CobiT documentation classifies information technology resources as follows
(see Colbert & Bowen, 1996: 26, and paragraph 1.5.1 of chapter 1 of this dissertation):

• Data (numbers, text, dates, graphics and sound);
• Application systems (a set of manual and programmed procedures);
• Technology (hardware, operating systems, networking equipment, and the like);
• Facilities (resources used to house and support information systems); and
• People (individuals' skills and abilities to plan, organise, acquire, deliver, support, and
monitor information systems and services).

To satisfy business objectives, CobiT also requires that information should conform to the
following criteria:

• Effectiveness;
• Efficiency;
• Confidentiality;
• Integrity;
• Availability;
• Compliance; and
• Reliability.

CobiT combines the principles embedded in existing reference models in the three broad
categories of quality, fiduciary responsibility, and security. The quality requirement includes
not only quality itself, but also cost and delivery. The fiduciary requirements are drawn from
COSO, and include effectiveness and efficiency of operations, reliability of information, and
compliance with laws and regulations. Security requirements include confidentiality, integrity
and availability.

CobiT classifies information technology processes into four domains:

• Planning and organisation;
• Acquisition and implementation;
• Delivery and support; and
• Monitoring.

Planning and organisation: This domain covers strategy and tactics and concerns the
identification of the way information technology can best contribute to the achievement of the
business objectives. Furthermore, the realization of the strategic vision needs to be planned,
communicated and managed from different perspectives. Finally, a proper organisational as well
as technological infrastructure must be put in place (CobiT, 1996: 15).

Acquisition and implementation: To realize an organization's information technology
strategy, information technology solutions need to be identified, developed or acquired, as
well as implemented and integrated into the business process. In addition, changes in and
maintenance of existing systems are covered by this domain (CobiT, 1996: 15).

Delivery and support: This domain is concerned with the actual delivery of required
services, which range from traditional operations, through security and continuity aspects, to
training. In order to deliver services the necessary support processes must be established.
This domain includes the actual processing of data by application systems, often classified
under application controls (CobiT, 1996: 15).

Monitoring: All information technology processes need to be regularly assessed for quality
and compliance with control requirements (CobiT, 1996: 15).

CobiT presents a framework of control for business process owners, but the responsibility and
authority for business processes remain in the hands of management. CobiT includes
definitions of both internal control and information technology control objectives, four
domains comprising 32 processes, 271 control objectives referenced to those 32 processes, and audit
guidelines linked to the control objectives (Colbert & Bowen, 1996: 26).

Framework: The CobiT framework provides a high-level control statement for certain
information technology processes. It also identifies the business need satisfied by the control
statement, identifies the information technology resources managed by the processes, states
the enabling controls and lists the major applicable control objectives (Colbert & Bowen,
1996: 26).

2.6 SUMMARY OF SAS55/78

SAS55 and SAS78 are statements on auditing standards published by the Auditing Standards
Board of the AICPA (American Institute of Certified Public Accountants). These documents
define internal control, describe its components and provide guidance on the impact of
controls when planning and performing financial statement audits (Colbert & Bowen,
1996: 30).

SAS55 and SAS78 include the following:

A definition: SAS 78 replaces the definition of the internal control structure in SAS 55 with
that of COSO. The only difference between the COSO and SAS definitions is that SAS 78
emphasises the reliability of financial reporting by placing it first in its definition of internal
control:

A process, effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories (Colbert & Bowen, 1996: 30):

• Reliability of financial reporting;
• Effectiveness and efficiency of operations; and
• Compliance with applicable laws and regulations.

SAS55/78 focus primarily on controls that affect the reliability of an entity's financial
reporting. This is evident from the discussion below of the components, impact and
opinion under SAS55/78.

• Components: SAS78 replaces the three elements of the internal control structure
(the control environment, the accounting system, and the control procedures) with the five
components of the internal control system presented in COSO, i.e. the control
environment, risk assessment, control activities, information and communication, and
monitoring (Colbert & Bowen, 1996: 30).

• Impact: SAS 55/78 requires the external auditor to perform procedures to obtain a
sufficient understanding of each of the five components to plan the audit. The auditor
should analyse and understand the design of the entity's policies and procedures, and
determine whether the design has been put into operation. Because the opinion
rendered by auditors refers to financial statements which cover a period of time,
external auditors are interested in controls affecting the capture and processing of
financial information for the entire period under review, and not just the date on which
the audit is carried out. External auditors are required to report to the audit committee
any significant internal control deficiencies that could affect financial
reporting (AICPA, 1988: SAS 60). They also have the option to communicate other
control matters to the entity, for example proposals to improve certain systems
(Colbert & Bowen, 1996: 30).

• Opinion: The auditor must assess control risk, that is, the risk that the controls aimed at
assuring the reliability of account balances, the correct allocation of transactions to income
and expenditure categories, and full and proper disclosure in the financial statements will
fail to prevent or detect a material misstatement. The auditor may assess control risk at the
maximum level, which implies that the probability that a material misstatement in the
financial statements will not be prevented or detected on a timely basis by an entity's
internal control structure is at a maximum. Such an assessment is made if the auditor
believes that policies and procedures are unlikely to be effective, or because evaluating their
effectiveness would be inefficient. Alternatively, the auditor might decide to perform tests
of controls to support a lower assessed level of control risk. The auditor uses the
understanding of the internal control structure and the assessed level of control risk in
determining the nature, timing, and extent of substantive tests for financial statement
assertions (AICPA, 1988: SAS 55).

2.7 SUMMARY OF SAC

The SAC report defines internal control, describes its components, provides several
classifications of controls, defines control objectives and risks, and defines the internal
auditor's role. The report provides guidance on using, managing, and protecting information
technology resources, and discusses the effects of end-user computing, telecommunications,
and emerging technologies on the auditor (Colbert & Bowen, 1996: 29).

SAC defines a system of internal control as: a set of processes, functions,
activities, subsystems, and people who are grouped together or consciously segregated to
ensure the effective achievement of objectives and goals (Colbert & Bowen, 1996: 29).

The report emphasises the role and impact of computerised information systems on the system
of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to
build controls into systems in the design phase rather than adding them on after
implementation (Colbert & Bowen, 1996: 29).

According to the SAC documentation, the system of internal control consists of three
components:

• The control environment;
• Manual and automated systems; and
• Control procedures.

The control environment is made up of an organisational structure, a control framework,
policies and procedures and external influences. The automated system consists of systems and
application software. SAC discusses the control risks associated with end-user and
departmental systems, but neither describes nor defines manual systems. According to the SAC
documents, control procedures consist of general, application, and compensating controls
(Colbert & Bowen, 1996: 29).

SAC provides five classification schemes for internal controls in information systems:

• Preventive, detective, and corrective;
• Discretionary and non-discretionary;
• Voluntary and mandated;
• Manual and automated; and
• Application and general controls.

These schemes focus on when the control is applied, whether the control can be bypassed,
who wanted the control, how the control was implemented, and where in the software the
control was implemented (Colbert & Bowen, 1996: 29).

Control objectives and risks: SAC describes risks as fraud, errors, business interruptions, and
inefficient and ineffective use of resources. Appropriate control objectives seek to reduce
these risks and to assure information integrity, security, and compliance. Information integrity
is guarded by quality controls governing input, processing, output and software. Security
measures include data, physical, and program security controls. Compliance controls ensure
conformance with laws and regulations, accounting and auditing standards, and internal
policies and procedures (Colbert & Bowen, 1996: 29).

SAC defines the role of the internal auditor as follows: The responsibilities of internal
auditors include ensuring the adequacy of the system of internal control, the reliability of data,
and the efficient use of the organisation's resources. They should also be concerned with
preventing and detecting fraud, and coordinating activities with external auditors. The
integration of auditing and information system skills and an understanding of the impact of
information technology on the auditing process are necessary for internal auditors. These
professionals now perform financial, operational and information system audits (Colbert &
Bowen, 1996: 29).

2.8 SUMMARY OF COSO

The COSO report also defines internal control, describes its components, and provides criteria
against which control systems can be evaluated. The report provides materials that
management, auditors, and others can use to evaluate an internal control system. It also offers
guidance for public reporting on internal control. The report has two major goals (Colbert &
Bowen, 1996: 29):

• to establish a common definition of internal control that serves many different parties;
and
• to provide a standard against which organisations can assess their control systems and
determine how to improve them.

The report emphasises that the internal control system is a tool of, but not a substitute for,
management and that controls should be built into, rather than built onto, operating activities.
The report recommends evaluating the effectiveness of internal control as of a point in
time and not over a period of time (Colbert & Bowen, 1996: 29).

According to COSO, the internal control system consists of five interrelated components:

• Control environment;
• Risk assessment;
• Control activities;
• Information and communication; and
• Monitoring.

The control environment provides the foundation for the other components. It encompasses
such factors as management's operating style, philosophy, human resource policies and
practices, the integrity and ethical values of employees, the attention and direction of the board
of directors, and the organisational structure (Colbert & Bowen, 1996: 29).

COSO describes risk assessment as the identification and analysis of risk. Risk identification
includes examining the potential risks that could arise from external factors, such as
technological developments, competition, and economic changes, and from internal factors
such as personnel quality, the nature of the entity's activities, and the characteristics of
information system processing. Risk analysis involves estimating the significance of the risk,
assessing the likelihood of the risk occurring, and considering how to manage the risk should it
occur (Colbert & Bowen, 1996: 29).

Control activities consist of the policies and procedures that ensure that employees will carry
out management directives. Control activities include reviews of the control system, physical
controls, segregation of duties, and information system controls. Information system controls
include general and application controls. General controls are those covering access,
software, and system development. Application controls are those which prevent errors from
entering the system or detect and correct errors present in the system (Colbert & Bowen,
1996: 29).

Any entity should obtain pertinent information and communicate it throughout the
organisation. The information system identifies, captures, and reports financial and operating
information that is useful to control the organisation's activities. Within the organisation,
personnel must receive the message that they must understand their roles in the internal
control system, take their internal control responsibilities seriously and, if necessary, report
problems to higher levels of management. Outside the entity, individuals and organisations
supplying or receiving goods or services must clearly understand that the entity will not
tolerate improper actions (Colbert & Bowen, 1996: 30).

By conducting special evaluations and by reviewing the output generated by regular control
activities, management can monitor the control system. Regular control activities include
comparing physical assets with recorded data, training seminars, and examinations by internal
and external auditors. Deficiencies found during regular control activities are usually reported
to the supervisor in charge; deficiencies located during special evaluations are normally
communicated to higher levels of the organisation (Colbert & Bowen, 1996: 30).

Other concepts included in the COSO report include the limitations inherent in an internal
control system and the roles and responsibilities of the parties that affect a system. Limitations
include faulty human judgment, misunderstanding of instruction, human errors, management
overriding of controls, collusion, and cost versus benefit considerations. The COSO report
defines deficiencies as "conditions within an internal control system worthy of attention."
Deficiencies should be reported to the person responsible for the activity and to management
at least one level above the individual responsible (Colbert & Bowen, 1996: 30).

The effectiveness of an internal control system is judged on the basis of how well an entity
performs with regard to operations, financial reporting and compliance.

2.9 CONCLUSION

One of the objectives of the literature survey is to compare CobiT, COSO, SAC and
SAS55/78 with each other. To make it possible to accomplish this objective, it is important to
have good background knowledge and a basic understanding of each of the documents. Not
all the references to the literature in this dissertation relate directly to the objectives, but they
are necessary to enable one to understand the comparison between the documents. Some
references are also made in order to explain terms used by the authors.

In the writer's opinion, the objectives of the literature survey have been achieved. No further
background information on the documents, apart from the areas that have been specifically
excluded, needs to be provided.

In chapter three, the four basic source documents will be compared in order to emphasise the
strengths and weaknesses of each. In chapter four we shall attempt to satisfy the objectives of
this short dissertation by drawing on the strengths of all four documents and distilling an ideal
reference model, while identifying the document which is most suitable to be used for a wide
range of purposes.

CHAPTER 3

A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC

CONTENTS PAGE

3.1 OBJECTIVE 29

3.2 SCOPE, LIMITATIONS AND EXCLUSIONS 29

3.2.1 Scope 29
3.2.2 Limitations and exclusions 29

3.3 A COMPARISON OF SAS55/78, COBIT, SAC, AND COSO 29

3.4 CONCLUSION 71

3.1 OBJECTIVE

The objective of this chapter is to compare the most important features of CobiT, COSO,
SAC and SAS55/78 in order to point out the strengths and weaknesses of each document.

3.2 SCOPE, LIMITATIONS AND EXCLUSIONS

3.2.1 Scope
Existing frameworks for internal control and current internal control structures had to be
surveyed, but from an external auditor's point of view. The objective of the
survey was to decide which framework is best suited for external auditing purposes and
to create a framework for internal control.

3.2.2 Limitations and exclusions

To achieve the objectives of the literature survey, it has been necessary to examine and analyse
the internal control frameworks and control structures of CobiT, SAC, COSO and SAS55/78.
Consequently the following limitations and exclusions have been placed on the scope of the
literature survey:

• Only issues which deal with the perspective from an external auditor's point of view
have been included. Sections in the references which deal with any other party's
involvement in the process have thus been excluded.
• SAC module 2, chapter 4 "The Internal Auditor's role" has thus been excluded.

A great deal of preparatory work was done to ensure that the short dissertation would be
based on sound theory. The limitations and exclusions imposed on the author did not detract
from the overall objectives of the study; in fact, they imposed a discipline on the work by
narrowing the investigation down to the principal issues which are relevant in a short
dissertation of this nature.

3.3 A COMPARISON OF SAS55/78, COBIT, SAC AND COSO

The comparison between CobiT, COSO, SAC and SAS55/78 is set out in table 3.1.

Table 3.1 The comparison between SAS55/78, CobiT, SAC and COSO per point of focus.

[Table 3.1 runs from page 29 to page 70 of the dissertation. It is a landscape table with one column for each document (SAS 55 and 78, COSO, SAC and CobiT) and one row per point of focus. The body of the table did not survive extraction; only the following row headings remain legible, listed in the order in which they appear:

- Control activities ...
- Information and ...
- Top level review
- Integrity of information
- ... with laws and ...
- Information processing
- Segregation of duties
- Program security
- Physical security
- ... environment
- Organization structure
- Control framework
- Review operations or programs to ascertain whether results are consistent with established objectives and goals, and whether the operations of ...
- Application controls
- Computer viruses

The sources cited in the table are COSO (1992: 1, 3, 5, 6, 46, 48, 69), Colbert & Bowen (1996: 26, 29), AICPA (1988: 10, 26, 39; 1995: 3, 10, 12, 17, 18; 1996: 5, 10, 11), ISACF (1996: 8, 13, 20) and IIA EF (1991: 915).]
3.5 CONCLUSION

COSO, SAC and CobiT were developed to enable management to develop a proper internal control structure that meets their expectations, and to help them benchmark their current internal control system. SAS 55 and SAS 78 were developed to provide guidance on the independent auditor's consideration of an entity's internal control in an audit of financial statements in accordance with generally accepted auditing standards.

These four documents were compared in order to determine the strengths and weaknesses of each, and also to determine which document is the most suitable from an auditing perspective. A table (Table 3.1) was drawn up capturing the most important points in each document, and each point was compared with the corresponding points in the other documents. From the comparison it is clear that each document has a different focus and emphasises different internal control issues. Each document therefore has particular strengths and weaknesses with respect to defining an ideal internal control structure.

In chapter 4 conclusions are drawn regarding the strengths and weaknesses of each document, and a reference framework is developed indicating which document to use under a given set of circumstances.

CHAPTER 4

AN INTEGRATED REFERENCE FRAMEWORK FOR INTERNAL CONTROL

CONTENTS PAGE

4.1 OBJECTIVE 74

4.2 BACKGROUND 74

4.3 SCOPE, LIMITATIONS AND EXCLUSIONS 74

4.3.1 Scope 74
4.3.2 Limitations and exclusions 74

4.4 RESULTS 75

4.4.1 The premise of an internal control structure and the audience it addresses 76
4.4.2 The definition of internal control 76
4.4.3 The components of internal control 77
4.4.4 The purpose an internal control framework will serve for auditors,
management and an IS department 78
4.4.5 The internal control objectives and activities expected in an internal
control structure 79
4.4.6 The accepted structure of the auditing process, and auditing in an information
technology environment 80
4.4.7 The control environment, accounting system, control procedure
and monitoring as part of the internal control structure 80
4.4.8 Classification of controls 81
4.4.9 The assessment of control risk 82
4.4.10 The documentation of auditing work performed and the safeguarding
of assets 82

4.4.11 The risks to which a company is vulnerable 83
4.4.12 The focus of the internal control structure 83
4.4.13 Management's responsibility regarding internal control, the management
of information and the development of systems 84
4.4.14 The impact of technology trends on application systems, and the
impact of communication and end-user and departmental
computing on the internal control structure. 84
4.4.15 Contingency planning as part of the internal control structure 85

4.5 CONCLUSION 86

4.1 OBJECTIVE

The objective of this chapter is to establish a framework that will indicate which document to use under a given set of circumstances. This will be done by highlighting the strengths and weaknesses of the documents when applied under different circumstances.

4.2 BACKGROUND

The reference material used for the study has been surveyed in as much detail as is necessary to identify those references that represent a framework for internal control. The comparison performed in chapter 3 has been used as the basis for developing a reference framework for the use of SAS55/78, COSO, SAC and CobiT in different situations.

4.3 SCOPE, LIMITATIONS AND EXCLUSIONS

4.3.1 Scope

Existing frameworks for internal control and current internal control structures have had to be surveyed, but from an external auditor's point of view, as this is the objective of the dissertation. These frameworks are compared to determine the strengths and weaknesses of each. The objective of the comparison is to decide which framework is best suited for external auditing purposes in general, and also to establish a reference framework for deciding which framework to use in special circumstances.

4.3.2 Limitations and exclusions

To achieve the objectives of the literature survey, it has been necessary to re-examine and analyse the comparison of the four documents made in chapter 3. Consequently the following limitation has been placed on the scope of the literature survey:

• Only the issues addressed in the comparison have been included. Sections in the four documents that deal with other issues have thus been excluded.

A great deal of preparatory work has been done to ensure that the short dissertation is based
on sound theory and that exclusions imposed do not detract from the overall objective of this
chapter. In fact the limitation enforces a discipline on the discussion, which will ensure that
only those issues which are strictly relevant are taken into consideration.

4.4 RESULTS

The analysis comprises the following sections:


4.4.1 The premise of an internal control structure and the audience it addresses.
4.4.2 The definition of internal control.
4.4.3 The components of internal control.
4.4.4 The purpose an internal control framework will serve for auditors, management and an
Information System department.
4.4.5 The internal control objectives and activities expected in an internal control structure.
4.4.6 The accepted structure of the auditing process, and auditing in an information
technology environment.
4.4.7 The control environment, accounting system, control procedure and monitoring as part
of the internal control structure.
4.4.8 Classification of controls.
4.4.9 The assessment of control risk
4.4.10 The documentation of auditing work performed and the safeguarding of assets.
4.4.11 The risks to which a company is vulnerable.
4.4.12 The focus of the internal control structure.
4.4.13 Management's responsibility regarding internal control, the management of
information and the development of systems.
4.4.14 The impact of technology trends on application systems, and the impact of
communication and end-user and departmental computing on the internal control
structure.
4.4.15 Contingency planning as part of the internal control structure.

4.4.1 The premise of an internal control structure and the audience it
addresses

Before deciding which document to use as a framework for internal control, it is important to determine the premise. If the internal control framework is needed to obtain information for planning the audit and for determining the nature, timing and extent of the tests to be performed, then SAS55/78 is probably the most appropriate framework, as it is focused mainly on the requirements of external auditors. CobiT, SAC and COSO can, however, also be used, because all three share the premise of achieving adequate control to provide the information that an enterprise needs to achieve its objectives.

It is important to know that SAC focuses on internal auditors as an audience, while COSO
focuses on management. Therefore, when any questions of an external auditing nature need to
be taken into account when examining internal control, these documents cannot be used on
their own.

CobiT addresses three audiences: management, users of information technology and information systems auditors. CobiT is therefore not restricted to a specific premise or audience: it can be used to obtain sufficient information regarding internal control for auditing purposes, and it can also be used by management to create an internal control structure or to benchmark their current one (Chapter 3.3.1 paragraphs 1 and 2).

4.4.2 The definition of internal control

All four documents view internal control as a process, but SAC extends the concept by defining internal control as a set of processes, subsystems and people, and CobiT defines it as a set of processes that include procedures, practices and organisational structures (Chapter 3.3.1 paragraph 3).

Although CobiT defines the processes included in internal control very thoroughly, it does not
define the objectives of internal control as well as it is done in the definitions of COSO and
SAS55/78 (Chapter 3.3.1 paragraph 4).

Taking the foregoing into account, the following definition can be distilled from the source documents of COSO, SAS55/78 and CobiT:

A process, effected by an entity's board of directors, management and other personnel, which includes the policies, procedures and organisational structures designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• reliability of financial reporting;
• effectiveness and efficiency of operations; and
• compliance with applicable laws and regulations.

4.4.3 The components of internal control

SAS55/78 and COSO both divide internal control into the same five components:

• the control environment;
• risk assessment;
• control activities;
• information and communication; and
• monitoring.

SAS55/78 is written for the external auditor and COSO for management; the same five components therefore serve both audiences.

CobiT, by contrast, is organised into four domains that follow the IT life cycle in chronological sequence:

• planning and organisation;
• acquisition and implementation;
• delivery and support; and
• monitoring.

This life-cycle ordering makes the structure easier to follow.


CobiT addresses the control environment in the processes linked to each of these domains (see chapter 3.3.1 paragraph 15 and chapter 4 paragraph 4.7). It addresses risk assessment both separately and as part of each process: every process lists illustrative tests that can be performed to substantiate the risk of its control objectives not being met (Chapter 3.3.1 paragraph 18).

Control activities are addressed by CobiT as a section within each process, namely the evaluation of the controls, with examples specific to that process (Chapter 4 paragraph 4.5).

Information and communication is likewise covered in each process under the section "evaluating the controls". Examples of controls are noted there, and the impact of telecommunication on internal control is discussed within CobiT (Chapter 4, paragraph 4.14).

Monitoring, the last component in SAS55/78 and COSO, appears as a domain in its own right in CobiT.

It can therefore be concluded that all the components of SAS55/78 and COSO also appear in CobiT, not necessarily as separate components, but as part of the domains.

Tracking processes chronologically, as they happen, appears to be the best way to identify components. CobiT therefore seems to be the best framework for identifying components, since it also covers the components of the other documents.

4.4.4 The purpose an internal control framework will serve for auditors,
management and an Information System department

SAS55/78 helps auditors to plan the audit of an internal control structure, while CobiT, SAC and COSO provide practitioners with specific guidelines and technical reference material for evaluating the internal control structure. SAC provides auditors with specific examples to assist them in their evaluation, while CobiT deals with general processes.

To aid auditors in evaluating a control structure, a combination of SAS55/78 with either CobiT or SAC seems to be a realistic option. SAS sets the standards for the auditing process, CobiT makes them applicable to general control environments and SAC makes them applicable to specific environments. The auditing standards set by SAS are also included in CobiT, which makes it possible for auditors to use CobiT on its own (Chapter 4, paragraph 4.6, and chapter 3.3.1, paragraph 6).

SAS55/78 will be of no help to management or the Information System department as it is
solely focused on the requirements of an external auditor. COSO's evaluating tools and
CobiT's control objectives will be the best aid for management in evaluating and
benchmarking their internal control (Chapter 3.3.1, paragraphs 7 and 8).

To assist the Information System department to evaluate internal control issues, SAC wrote
separate modules. CobiT integrated the issues regarding the Information System department
into the four domains. Therefore, when focusing solely on the IS department, SAC will be the
best document to use. When focusing on the internal control structure as a whole, including
the IS department, CobiT is the best document to use (Chapter 3.4.1, paragraph 8).

4.4.5 The internal control objectives and activities expected in an internal
control structure

Control objectives: SAS55/78, CobiT, COSO and SAC have the same three control
objectives, i.e. reliable financial reporting, effective and efficient operations and compliance
with laws and regulations. CobiT introduced additional control objectives, i.e. the
confidentiality, integrity and availability of information. It is therefore clear that CobiT has the
most comprehensive control objectives (Chapter 3.3.1, paragraph 9).

Control activities: SAS55/78 identified four control activities which are relevant to an audit,
while SAC divided control activities into integrity of information and security. COSO divided
control activities into top-level review, direct functional or activity management, information
processing, physical controls, performance indicators and segregation of duties. Although
COSO and SAC are rather comprehensive regarding the control activities, CobiT is the most
comprehensive because it identifies factors to consider with respect to each of the thirty-two
processes (See chapter 3.4.1, paragraph 10). Therefore it is recommended to use CobiT to
identify control activities.

4.4.6 The accepted structure of the auditing process, and auditing in an
information technology environment

The accepted structure of the auditing process: SAS55/78 is the only document that focuses
exclusively on the external auditor. Therefore the structure as defined by this document is
accepted as the structure of the auditing process. SAC suggests that the internal auditor
should use current auditing approaches and methodologies, but neither SAC nor COSO
discusses the auditing process. All the points identified by SAS55/78 are more or less
addressed by CobiT. CobiT can therefore be used as an alternative to SAS55/78 to define the
accepted structure for the auditing process (See chapter 3.3.1, paragraph 11).

Auditing in an information technology environment: Although SAS55/78 is focused on the
external auditor, there is not much focus placed on auditing in an information technology
environment. COSO is not focused on auditors but rather on management. CobiT was
specifically designed to illustrate how to audit in an information technology environment,
while SAC module 3 discusses how to make use of information technology in the auditing
process.

For auditing in an information technology environment, CobiT will provide the best guidelines
while SAC will provide the best guidelines for making use of information technology in the
auditing process (Chapter 3.3.1, paragraph 12).

4.4.7 The control environment, accounting system, control procedure and
monitoring as part of the internal control structure

The control environment: SAS55/78 and CobiT both identified seven conditions which
define the control environment, while SAC identifies only four, and COSO as many as nine
conditions. It is therefore clear that COSO's definition of the control environment is the most
comprehensive (Chapter 3.3.1, paragraph 14).

The accounting system: According to SAS55/78, in order to understand the accounting
system as a whole one has to understand the classes of transactions, how transactions are
initiated, the records and accounts used in the processing and reporting of transactions, and
the accounting processes. SAC identifies three factors that should be taken into account when
evaluating the accounting system: system software, application systems and end-user or
departmental systems. COSO merely states the internal auditor's responsibility regarding the
accounting system in general terms. CobiT identifies five domains that are relevant to the
accounting system: the processes used to define the information architecture, to determine the
technological direction, to identify automated solutions, to acquire and maintain application
software, and to acquire and maintain technology architecture. One can therefore conclude
that, although all the documents express opinions regarding the accounting system,
SAS55/78's definition of the internal control structure is the most comprehensive (Chapter
3.3.1, paragraph 15).

Control procedures: SAS55 mentions that control procedures are integrated in specific
components of the control environment and accounting system. As auditors obtain an
understanding of the control environment and accounting system, they will obtain more
knowledge about the control procedures. SAC classifies controls into six categories, while
COSO classifies them into two broad categories. CobiT is the only document that evaluates the
appropriateness of control measures for the process under review by considering clearly
identified criteria and industry standard practices, and applying professional auditing
judgement (Chapter 3.3.1, paragraph 16).

Monitoring: SAS55/78 expresses general ideas on monitoring which are in line with the ideas
expressed in COSO. CobiT devotes a domain with two modules to monitoring. SAC does
not identify monitoring as one of the components of the internal control structure, and
therefore does not elaborate much on the monitoring process. When addressing this
component in an internal control structure, any of the three documents CobiT, COSO or SAS
can be used. It is recommended that all three be used in conjunction with each other for best
results (Chapter 3.3.1, paragraph 29).

4.4.8 Classification of controls

SAS55/78 classifies controls into four categories, called performance reviews, information
processing, physical controls, and segregation of duties. CobiT moves the classification to a
higher level by dividing it into three categories called activities and tasks, processes and
domains. COSO classifies it into two categories called application controls and general
controls. SAC provides the most comprehensive classification of controls by dividing it into
five categories, called preventive, detective and corrective controls, discretionary and
non-discretionary controls, voluntary and mandated controls, manual and automated controls and
application and general controls (Chapter 3.3.1, paragraph 17).

4.4.9 The assessment of control risk

SAS55 discusses in detail how to assess control risk either at maximum or less than maximum
level, or even at a lower level. It identifies factors which have to be taken into account when
deciding at what level risk should be assessed, such as policies and procedures, results of tests,
and additional evidential matters.

CobiT identifies certain auditing steps to be performed to ensure that the control measures
established are working consistently and continuously as prescribed. This is done by obtaining
direct or indirect evidence for selected items, and performing limited and more extensive
analytical reviews. SAC states that the most effective method of evaluating a control
procedure is by means of classification.

COSO identifies external factors as potential risk factors. All four documents differ on their
statements regarding the assessment of risk, and each has a valid point regarding control risk.
All four documents can be used for the assessment of control risk (Chapter 3.3.1, paragraph
18).

4.4.10 The documentation of auditing work performed and the safeguarding
of assets

The documentation of auditing work performed: SAS55/78 states that the understanding of
the internal control structure and the conclusion about the assessed level of control risk should
be documented. CobiT takes it one step further by stating that the actual and potential impact
should also be documented. SAC and COSO do not include specific documentation
procedures regarding external auditors. The focus of these two documents is on the evaluator
and internal auditor. From an external auditor's point of view, CobiT provides the best
approach, but from an internal auditor's point of view SAC provides a better approach
(Chapter 3.3.1, paragraph 19).

The safeguarding of assets: SAS55/78 and COSO merely include a paragraph regarding the
safeguarding of assets. SAC, on the other hand, sets a high standard for the safeguarding of
assets by providing a whole module on security. Topics like security management, physical
security and logical security are addressed in this module. CobiT includes a process (DS5)
addressing topics like authentication and access, security of on-line access to data, user
account management, data classification, central identification, violation reports, incident
handling, re-accreditation, cryptography, and virus prevention. The best documents to use for
the implementation of procedures for the safeguarding of assets are CobiT and SAC, since
both these documents have modules dedicated to the topic (Chapter 3.3.1, paragraph 20).

4.4.11 The risks to which a company is vulnerable

SAS55/78 identifies a few risks, but CobiT identifies risks for each of the thirty-two processes.
SAC identifies risks for very specific circumstances, such as computer aided software,
application programming, telecommunication, operating systems, knowledge-based systems,
image processing, database management and application packaging. COSO makes provision
for evaluation tools in the form of a documented process of evaluating a control structure, and
part of these tools is the evaluation of risks.

In deciding on the most appropriate tool to use for the identification of risks, CobiT will be the
most comprehensive document to use. COSO can be used as an alternative, while SAC can be
used in very specific circumstances (Chapter 3.3.1, paragraph 21).

4.4.12 The focus of the internal control structure

The focus of the evaluation of the internal control structure will determine which document
will be used. When focusing on the financial statements, SAS55/78 will be used as a
guideline, and when focusing on information technology, CobiT or SAC will be used. When
focusing on the overall entity COSO is the ideal guideline to use (Chapter 3.3.1, paragraph
22).

4.4.13 Management's responsibility regarding internal control, the
management of information and the development of systems

Management's responsibility regarding internal control: SAC provides a short description
of the responsibility of management which is nevertheless very extensive. CobiT discusses
management's responsibility by including it in the processes, but does not separately discuss
management's responsibility. SAS55/78's description of management's responsibility agrees
with the description in COSO. COSO gives a detailed description of management's
responsibility regarding internal control (Chapter 3.3.1, paragraph 25). The best documents to
use are therefore SAS and COSO.

The management of information and the development of systems: SAS55/78 does not go
into much detail, but the other three documents do. CobiT has four processes dedicated
to this topic (PO1-PO4). SAC has a separate module dedicated to the topic, and COSO has a
separate chapter addressing the topic. Therefore one can accept that all three of these documents
can be used to develop and benchmark an entity's internal controls for the management of
information and the development of systems (Chapter 3.3.1, paragraph 26).

4.4.14 The impact of technology trends on application systems, and the
impact of communication and end-user and departmental computing,
on the internal control structure

The impact of technology trends on application systems: SAS55/78 does not address this
issue, and COSO only briefly describes the controls relating to development and
maintenance. SAC module 6 chose six application systems that have a broad appeal
for both the business community and the auditing community to discuss the impact of
technology trends on application systems. CobiT domain AI2 sets certain control objectives
regarding the acquisition and maintenance of application software. No specific applications are
highlighted as was the case with SAC, but this makes it easier to apply to any application and
omits long discussions on a specific application (Chapter 3.3.1, paragraph 13). Again, CobiT
seems to be the document to use to determine the impact of technology trends on application
systems. For the specific applications discussed in SAC, SAC will be the best document to
use.

The impact of communication and telecommunication on the internal control structure:
SAS55/78 only states that the auditor should obtain sufficient knowledge of the means that the
entity uses to communicate financial reporting roles and responsibilities and significant matters
relating to financial reporting. COSO elaborates on the impact of communication on the
information systems and identifies two types of communications. Neither of these two
documents addresses the impact of telecommunication on the internal control structure. SAC
again dedicated a module to this topic. Module 8 identifies the auditing issues related to
telecommunication systems by concentrating on the risks and controls of each component.
Each chapter begins with a basic technical discussion and continues by relating the technical
issues to risk and control considerations. CobiT, on the other hand, identifies auditing issues
related to telecommunication in DS5. This is the normal process of system security, but it
includes certain points on telecommunication (Chapter 3.3.1, paragraph 28). When trying to
evaluate the impact of communication and telecommunication on the internal control
structure, COSO is the best to use for communication and SAC the best for
telecommunication. CobiT can also be used as an alternative guideline for the impact of
telecommunication because it addresses all the important issues.

The impact of end-user and departmental computing on the internal control structure:
SAS55/78 and COSO do not address the impact of end-user and departmental computing on
the internal control structure. SAC presents this issue in module 7 by using several EUC
scenarios with relevant auditing guidance. CobiT does not use scenarios, but deals with the
issue in a process called the acquiring and maintenance of application software (Chapter 3.3.1,
paragraph 27). SAC will be the best document to use if the applicable scenario is
discussed in SAC; in other cases CobiT will be the best instrument to use in order to determine
the impact of EUC on the internal control structure.

4.4.15 Contingency planning as part of the internal control structure

SAC module 10 and CobiT DS4 both discuss the contingency plan process, strategy,
documentation, and testing. SAC also discusses risk analysis, risks and controls, and auditing
considerations, while CobiT discusses backup processes, training, applications that are critical,
backup sites and hardware, and file recovery procedures. To obtain the best guideline for
contingency planning, the use of both documents is recommended. Neither SAS55/78 nor
COSO expresses an opinion regarding the contingency plan (Chapter 3.3.1, paragraph 30).

4.5 CONCLUSION

Table 4.4 will serve as a summary of this chapter, as well as a conclusion regarding which
document an external auditor should use for a given point of focus.

The table identifies the points of focus in column two, and there is a column for each
document compared. A symbol in a document's column indicates that the document is
considered appropriate for the specific point of focus. In some instances only one document is
recommended, in other instances all four are usable. To get the best results from this table it
will be necessary to refer back to the text in this chapter, and the necessary text references are
therefore given in the first column.

Table 4.4 Matrix for comparison between SAS55/78, CobiT, SAC and COSO

Ref.  Point of focus                                                              SAS55/78  CobiT  SAC  COSO
4.1   Premise and                                                                 # #
      Audience                                                                    # #
4.2   Defining internal control                                                   #
      View of internal control                                                    # #
4.3   Dividing internal control into components
4.4   Aid for auditors                                                            # #
      Aid for management                                                          #
      Aid for IS department                                                       # #
4.5   Setting control objectives                                                  #
      Defining control activities                                                 #
4.6   Planning a structure for the auditing process                               # #
      Aid for auditing in an information technology environment                   # #
4.7   Defining the control environment                                            #
      Defining the accounting system                                              #
      Identifying control procedures                                              #
      Determining procedures to monitor internal control                          # # #
4.8   Classification of controls                                                  #
4.9   How to assess control risk                                                  # # # #
4.10  How to document auditing work                                               # #
      Best procedures to safeguard assets                                         #
4.11  Identifying risks                                                           # # #
4.12  Focus of internal control                                                   # # # #
      Evaluating of effectiveness of internal control                             # # # #
      For a period in time or specific time                                       # # # #
4.13  Identifying management's responsibilities                                   # #
      Identifying controls to manage information and to develop systems           # # #
4.14  Determining the impact of technology on application systems and
      setting procedures                                                          # #
      Determining the impact of communication and telecommunication on the
      internal control structure and setting controls                             # # #
      Determining the impact of end-user and departmental computing on the
      internal control structure and identifying procedures                       # #
4.15  Defining contingency planning procedures                                    # #

      Total                                                                       13        25     15   12

The comparison of the principles of the four documents SAS55/78, CobiT, COSO, and SAC
has been successfully completed. By comparing the documents, the strengths and weaknesses
of each were identified. The application of the comparison's results to any control
environment can assist the auditor in determining which document to use. The objective of
this short dissertation, as set in chapter 1, has therefore been met. It is clear from the matrix
that CobiT can indeed replace the other three documents, as CobiT addressed twenty-five of
the focus points while SAC addressed only fifteen, COSO twelve and SAS thirteen.

CHAPTER 5

CONCLUSION

CONTENTS

5.1 CONCLUSION

5.1 CONCLUSION

The objective of this short dissertation, namely to help the auditor to decide which document
or combination of documents to use as a guideline for internal control, and to determine
whether CobiT can indeed replace COSO, SAC and SAS55/78, has been met. A matrix
was presented in chapter 4 indicating which document or combination of documents to use for
which focus points. The validity of this matrix has been proved by the procedure followed to
create it.

The matrix was created as follows:

• A total of thirty focus points which are important from an external auditing point of
view were identified from the four documents.

• These thirty points were compared in chapter 3 in order to determine the strengths and
weaknesses of each of the documents. It was found that, with the exception of CobiT,
not all the documents provided satisfactory approaches to all thirty focus points, and
this was identified as a weakness in these documents.

• A matrix was prepared indicating which document to use for which focus points.

The main problem identified has been the fact that, although SAC, COSO, SAS55/78 and
CobiT are believed to set the standards for internal control, each of them was developed by a
different body. As a result, each addresses the needs of a different audience. By using the
comparison of the four documents in chapter 3 an auditor can determine which document or
documents address the specific control objective best. This will aid the auditor in
deciding which framework to use himself, as well as aid him in convincing a client which
framework to use for internal control.

By using the matrix developed in chapter 4 auditors can now:

• Determine which document to use, depending on what their focus point is going to be.

• Decide which document to recommend to their customers, taking into account the
focus points of the customer.

• Determine if CobiT can replace the other three documents.

The comparison in chapter 3 is in no way a complete comparison of the four documents. Only
thirty focus points which are important from an auditor's perspective were identified. As a
result, the matrix is also not a perfect aid to making a decision regarding the documents.
Nevertheless, it will still be useful to assist the auditor in making a decision. It also provides
important background information.

This short dissertation opens new fields for academic research in the area of internal control.
A specific organisation can be identified, focus points for that organisation can be determined,
and a study can then be performed on which document will be most appropriate for the
purposes of this entity.

This research focused on an auditor's perspective. Research can also be performed from
management's perspective, or from the Information System department's perspective. In this
short dissertation the points of focus could not be compared in detail, and considerable scope
remains for more detailed academic research into specific points of focus.

This short dissertation provides the basic tools (comparison and matrix) which can be used by
different audiences for different focus points in order to determine which documents or
combination of documents to use in order to develop, evaluate and benchmark their current
internal control structures.

BIBLIOGRAPHY

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS 1988: Consideration of the
Internal Control Structure in a Financial Statement Audit. New York: AICPA.

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS 1995: Consideration of
Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55. Jersey City: AICPA.

COLBERT, J. L. & BOWEN, P. L. 1996: A Comparison of Internal Controls: CobiT, SAC, COSO
and SAS55/78. IS Audit & Control Journal, volume 4, 1996: 26-35.

COMMITTEE OF SPONSORING ORGANISATIONS OF THE TREADWAY COMMISSION
1992: Internal Control — Integrated Framework. Jersey City: COSO.

DAMIANIDES, M. 1991: A control model for the evaluation and analysis of control facilities in a
simple path context model in a MVS/XA environment. Johannesburg: Rand Afrikaans University
(M. Com dissertation).

GELINAS, J. & MAKOSZ, P. 1996: CobiT: Control objectives for information and related
technology. IS Audit & Control Journal, volume 4, 1996: 12-13.

INFORMATION SYSTEMS AUDIT AND CONTROL FOUNDATION 1996: Control objectives
for information and related technology. Illinois: ISACF.

INSTITUTE OF INTERNAL AUDITORS RESEARCH FOUNDATION 1991: Systems Auditability
and Control. Altamonte Springs: IIARF.

LAINHART, J. W. 1996: Arrival of CobiT helps refine the valuable role of IS Audit and Control in
the Enterprise. IS Audit & Control Journal, volume 4, 1996: 20-23.

LUBBE, J. 1995: A Value-for-money audit approach to LAN's with specific reference to Novell
Netware. Johannesburg: Rand Afrikaans University (M. Com dissertation).