SPECIFIC REFERENCE TO
COBIT, SAC, COSO, AND SAS 55/78
by
SUZANNE STEYN
SHORT DISSERTATION
SUBMITTED FOR THE PARTIAL FULFILMENT OF THE
REQUIREMENTS FOR
THE DEGREE OF
MASTER OF COMMERCE
in
COMPUTER AUDITING
in the
FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES
at the
RAND AFRIKAANS UNIVERSITY
CHAPTER PAGE
SUMMARY IN AFRIKAANS II
SYNOPSIS VIII
INTRODUCTION 1
CONCLUSION 89
BIBLIOGRAPHY 92
LIST OF ACRONYMS AND ABBREVIATIONS
IC - Internal Control
IT - Information Technology
by
SUZANNE STEYN
in
COMPUTER AUDITING
in the
FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES
at the
RAND AFRIKAANS UNIVERSITY
The purpose of this summary is to present the background, methodology and conclusion of the
research on the comparison of internal control measures, with specific reference to
CobiT, COSO, SAC and SAS55/78. This summary is set out under the following
headings:
Over the past years a great need has arisen for a reference framework for internal control and
security in a computer environment. This need arose after the National Commission on
Fraudulent Financial Reporting found that the most common causes of the collapse of
businesses were not poor reporting, but poor ethics, corruption at top management level,
poor communication and incompetence.
A balance must be found between cost and risk control in a computer environment. It is
clear that a need exists for a framework of generally acceptable computer security and
control practices. Management can use such a framework as a tool against which to
measure their existing, or a planned new, computer control environment. The framework
can give users the assurance that adequate security and control exist, while auditors can
use the framework to substantiate their audit opinion.
Several organisations have already undertaken to address the need for a generally accepted
framework. Each of these organisations, however, has a different idea of what such a
framework should look like, which causes confusion. ITSEC, TCSEC, ISO9000 and
COSO each propose a different evaluation method, with the result that the implementation
of good internal computer control is hampered.
In an attempt to eliminate this confusion, specialists from around the world have
participated in an intensive research effort to develop an international framework that
harmonises the standards of 18 primary sources. The result of this effort is CobiT.
Four other published documents were also the result of continued efforts to define an
improved internal control environment. The Institute of Internal Auditors Research
Foundation developed a document called SAC. Likewise, the Committee of Sponsoring
Organisations of the Treadway Commission published an integrated framework which they
called COSO, while the American Institute of Certified Public Auditors published two
documents, namely SAS55 and SAS78.
CobiT, COSO, SAC and SAS55/78 each focus on a different facet of internal control, since
each addresses a different group of professionals. The purpose of this dissertation is to
determine whether CobiT can replace the other documents, since it would be cost-ineffective
to develop an additional framework if an existing document already satisfies the need for a
generally acceptable document. CobiT is compared with each of the other documents in
order to determine whether CobiT indeed offers a solution for all the internal control
problems currently experienced by audit firms and other organisations.
By comparing the four documents, and using input from other documents, a matrix was
developed that can be used as a framework for the selection of internal control measures.
2. RESEARCH METHODOLOGY AND LIMITATIONS
This dissertation focuses on the comparison of internal control measures. Although several
documents exist that deal with internal control, only the following five documents were
concentrated on:
Methodology
After all the information had been obtained, a comparison was made between the internal
control measures propagated by CobiT and the other documents. A conclusion was reached
that CobiT is indeed the best framework to use from an auditor's point of view.
In order to delimit the field of study and so be able to conduct a meaningful study, the
following were excluded:
This dissertation offers a summary of each of the four documents in order to understand each
document better. The documents are compared and procedures are established to make it
possible to choose between the four frameworks. The procedures are consolidated in a
matrix in which the documents are weighed against one another according to the focus
point that is given priority.
A summary is made of each of the four documents in order to provide readers with the
necessary information to enable them to fully understand the comparison of the documents
and to identify differences between the documents.
The reason for the comparison is established and external auditors' needs are analysed in
order to determine which focus points will be of importance to them. Approximately thirty
focus points are identified for comparison. The thirty focus points are set out in table format
and the four documents are then analysed in terms of each focus point. In this way the
strengths and weaknesses of each document are identified.
In certain cases all four documents emphasise different aspects with regard to a specific
focus point, all of which are nevertheless equally important. In such a case a combination of
the four documents will form the ideal control measure. In other cases only two of the four
documents pay attention to a specific focus point, which is then identified as a weakness in
the two documents that leave the focus point concerned out of account.
3.3 The results of the comparison and the development of the matrix.
The thirty focus points are divided into fifteen groups and the results of the comparison are
discussed. From the comparison it was easy to determine which document addresses each of
the focus points best. A matrix is developed that indicates which document to use with
which focus point in mind. From the matrix it was established that CobiT addresses 25 of
the thirty focus points, SAC 15, COSO 12 and SAS 13.
4. CONCLUSION
Although there will be cases where one of the other documents will set better standards for
internal control, it appears that CobiT can replace the others to a large extent.
COSO is a valuable aid for persons without any background in internal control, in that it
provides them with essential evaluation tools.
This dissertation thus offers an example of how to make a choice between the different
frameworks for a specific organisation. The matrix in no way attempts to lay down rigid
rules that must necessarily be followed in making a choice about an appropriate framework.
It is merely an aid that an auditor can use to make a decision about the most appropriate
framework for a given organisation.
SYNOPSIS
Internal control has come under the attention of many organizations, and each has its own
views on the most appropriate framework and evaluation methods to be adopted for specific
purposes. As a result of the confusion arising from the different evaluation methods that are in
vogue, the implementation of good information technology controls is hampered.
Experts from around the world have participated in exhaustive research to develop an
internationally acceptable tool that harmonizes standards. Their work has culminated in the
development of CobiT.
SAC, COSO, SAS 55 and SAS 78 were also the result of continuing efforts to define, assess,
report on and improve internal control, but each of these documents addresses a different
audience, and therefore focuses on different aspects of internal control, and may even
completely disregard some areas which may be of crucial importance to other users.
It has been suggested that CobiT can replace COSO, SAC, and SAS 55/78, and there is a need
to determine whether this is indeed the case. This short dissertation attempts to answer this
question, while also putting in place a matrix to aid auditors in deciding which framework to
use for a given application.
2. RESEARCH METHODOLOGY
A literature survey has been done on existing authoritative text books and other literature,
such as material available on the Internet.
The information obtained in the literature survey established a sound basis for a
comparison of CobiT, COSO, SAC and SAS55/78, and the construction of a decision-
making matrix.
3. SCOPE AND LIMITATIONS
This short dissertation focuses on the comparison of internal controls. Although different
documents deal with this topic, this project focuses on five authoritative source documents
recently released by well-known institutions:
All documents, discussions, frameworks, guidelines, and codes of practice dealing with
internal controls, and all approaches to the subject, except CobiT, SAC, COSO and
SAS55/78; and, within these, the following:
— COSO Reporting to External Parties;
— SAC modules 11-13; and
— CobiT Framework and Executive Summary.
In summary, this research has provided a basis for understanding each of the five source
documents, as well as a procedure for deciding which framework to use for a given purpose.
A summary of each document was made to establish a basis for the identification of the
differences between the documents, after which thirty focus points were identified. The five
source documents were compared with reference to each focus point. From the comparison it
was easy to determine the strengths and weaknesses of each document.
Finally, a matrix was constructed indicating which document to use for each focus point. It
was also determined that CobiT dealt effectively with twenty-five of the focus points, while
SAC dealt with fifteen, COSO with twelve, and SAS with thirteen. From these results one
could conclude that CobiT can indeed replace the other documents as a universal framework
for internal control.
5. CONCLUSION
The research merely sought to provide an example of how to decide which framework to use
for a specific organization or purpose. No effort has been made to establish a rigid set of rules
to follow in all cases in order to decide on a framework. Nevertheless, the author believes that
this study can assist auditors in deciding on the most appropriate framework and methodology
to adopt for a given purpose, and will provide them with arguments to convince management
of the soundness of their decision.
CHAPTER 1
INTRODUCTION
CONTENTS PAGE
1.1. BACKGROUND 2
1.4.2 Limitations/exclusions 7
1.5.1 Definitions 7
1.5.2 Methodology 10
1.8. CONCLUSION 12
1.1 BACKGROUND
For many companies and organisations the documents SAC, COSO, SAS55/78 and CobiT set
the standards for internal control. The problem is that these documents were all developed by
different bodies who were concerned with providing them with frameworks and evaluation
methods for internal control appropriate to the needs of their own audiences. It is therefore
unavoidable that some discrepancies and disparities may exist between these documents,
although they all deal with essentially the same aspects of internal control.
• SAC: A set of processes, functions, activities, subsystems, and people who are grouped
together or consciously segregated to ensure the effective achievement of specific
objectives, which have to be translated into measurable goals.
• CobiT: The policies, procedures, practices, and organisational structures designed to
provide reasonable assurance that business objectives will be achieved and that
undesired events will be prevented or detected and corrected.
From the definitions one can conclude that SAC views internal control as a system (a set of
functions and people and their interrelationship). It identifies people as an integral part of the
internal control system. SAC also states that objectives should be translated into measurable
goals. Although COSO also accentuates internal control as a process that is an integrated part
of business activities, it notes that the people involved are members of the board of directors,
management or other entity personnel. COSO places objectives into three categories called
operational, financial reporting, and compliance.
The SAS definition is exactly the same as the COSO definition, but it emphasises the
importance of reliable financial reporting, while COSO shifts the emphasis to effectiveness and
efficiency of operations. The CobiT definition emphasises the importance of internal control
as a process that includes organisational structures, policies, practices and procedures that
support business processes. It classifies people as a primary resource that is managed by
various information technology processes. CobiT also states that processes support
operational objectives, that these processes are in turn supported by information through IT
resources, and that business requirements for that information are only satisfied through
adequate control measures.
From the definitions one can conclude that all four documents are familiar with the concept of
reasonable assurance in relation to internal control and acknowledge the concept of
cost/benefit, and that they are equally conscious of the negative result that could flow from not
implementing all controls effectively.
The easiest way to identify the strengths and weaknesses of each of these documents is to
compare them, as Table 1.1 shows.
Table 1.1 Comparison of Control Concepts (Colbert & Bowen, 1996: 26).

Primary audience
  CobiT: management, users, information system auditors
  SAC: internal auditors
  COSO: management
  SAS 55/78: external auditors

IC viewed as a
  CobiT: set of processes including policies, procedures, practices, and organizational structures
  SAC: set of processes, subsystems, and people
  COSO: process
  SAS 55/78: process

IC objectives
  CobiT: effective and efficient organizational operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws and regulations
  SAC: effective and efficient operations; reliable financial reporting; compliance with laws and regulations
  COSO: effective and efficient operations; reliable financial reporting; compliance with laws and regulations
  SAS 55/78: reliable financial reporting; effective and efficient operations; compliance with laws and regulations

Components or domains
  CobiT (domains): planning and organization; acquisition and implementation; delivery and support; monitoring
  SAC (components): control environment; manuals and automated system; control procedures
  COSO (components): control environment; risk management; control activities; information and communication; monitoring
  SAS 55/78 (components): control environment; risk assessment; control activities; information and communication; monitoring

Focus
  CobiT: information technology
  SAC: information technology
  COSO: overall entity
  SAS 55/78: financial statements

IC effectiveness evaluated
  CobiT: for a period of time
  SAC: for a period of time
  COSO: at a point in time
  SAS 55/78: for a period of time

Responsibility for IC system
  CobiT: management
  SAC: management
  COSO: management
  SAS 55/78: management

Size
  CobiT: 187 pages in four documents
  SAC: 1193 pages in 12 modules
  COSO: 353 pages in four volumes
  SAS 55/78: 63 pages in two documents
From the comparison in Table 1.1 it is clear that SAC offers assistance to internal auditors on
the control and audit of IT, while COSO tells management how to evaluate, report, and
improve control systems. SAS55 and SAS78 guide external auditors on the impact of internal
control on planning and performing an audit of an organisation's financial statements. CobiT
is a tool for business process owners to discharge their computer control responsibilities
(Colbert & Bowen, 1996:26).
1.2.1 Introduction
In the past few years, it has become evident to lawmakers, regulators, users of IT and service
providers that there is a need for a reference framework for security and control in an
information technology (IT) environment. This became evident when the National
Commission on Fraudulent Financial Reporting (Treadway) revealed that the most common
causes of breakdown were not poor record keeping but bad ethics, corruption at the top,
incompetence and poor communication (ISACF, 1996: 12).
Management has to find a balance between risk control in an IT environment and the costs
involved. They therefore need a framework for generally accepted IT security and control
the other hand, need to be assured, by the performance of audits, that adequate security and
control exist and, last but not least, auditors need a framework to substantiate their opinion on
Many organizations have become aware of the need for reliable internal control, but each has
its own ideas of the most appropriate framework and evaluation methods to be used. The
implementation of good IT controls is hampered by the confusion arising from the different
evaluation methods advocated by ITSEC, TCSEC, ISO9000 and the emerging COSO
methodology.
To overcome this confusion, experts from around the world have participated in exhaustive
research to develop an international tool that harmonizes standards from 18 different primary
sources world-wide. These people were instrumental in the development of the Information
The four other documents with which this dissertation deals were also the result of continuing
efforts to define, assess, report on and improve internal control. They are:
System Auditability and Control, drafted by the Institute of Internal Auditors Research
Foundation;
Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55),
drafted by the American Institute of Certified Public Accountants; and
There exists a need to determine whether CobiT can indeed replace COSO, SAC, and SAS
55/78. In order to prevent the expensive process of reinventing a similar product it is
important to subject the CobiT project to a detailed study. CobiT should also be compared
with other documents to see if the approach it advocates will indeed resolve all the internal
control discrepancies currently experienced by audit firms and other organizations.
By comparing the four documents, and drawing on other documents, a matrix will be prepared
that will serve as a framework and evaluating method for internal control.
This short dissertation focuses on the comparison of internal controls. Although there are
many documents that deal with this topic, this project focuses on five documents recently
released by well-known institutes, and which have already been referred to above, i.e.:
• CobiT The Information Systems Audit and Control Foundation;
• SAC The Institute of Internal Auditors Research Foundation;
• COSO The Committee of Sponsoring Organizations of the Treadway Commission;
• SAS55 The American Institute of Certified Public Accountants; and
• SAS78 The American Institute of Certified Public Accountants.
1.4.2 Limitations and exclusions
Because of the limitations imposed on the length of this dissertation, the study is restricted to
the five documents published by the four bodies mentioned above, in other words:
With the exception of these five documents, no other document, discussions, frameworks,
guidelines, or codes of practice were considered. The following documents emanating from
these four bodies have also been excluded:
CobiT
- Framework
- Executive Summary.
1.5.1 Definitions
CobiT defines control as: The policies, procedures, practices, and organizational
structures, designed to provide reasonable assurance that
business objectives will be achieved and that undesired events
will be prevented or detected and corrected (CobiT, 1996:9).
From an auditing perspective, it is necessary to enquire whether there are policies and
procedures in place to ensure that an entity will record, process, summarize, and report
financial data in a manner consistent with the assertions embodied in its financial statements
(SAS55,1988: 4). In a computerized environment data is captured by entering "events", in the
form of "messages", onto a data application system which draws on computer technology,
facilities and people to deliver information, usually referred to as the system's "service
output" (see below for definitions of words in italics).
COSO defines control as: Exercising, restraining, or directing influence; power or authority
to guide or manage direction, regulation and co-ordination of
business activities; and a mechanism used to regulate or guide
the operation of a system (COSO, 1992:101).
People: Staff skills, awareness and productivity appropriate for the
planning, organizing, acquisition, delivery, support and
monitoring of information systems and services (CobiT, 1996:9).
Certain control objectives should be kept in mind when constructing internal control policies
and procedures for a computerized environment.
Confidentiality: Whether sensitive information is adequately protected from
unauthorized disclosure.
1.5.2 Methodology
In this chapter, the need for research to compare the internal controls propagated by SAC,
COSO, CobiT and SAS55/78 respectively has been established, and it has also been
established that there is a need to determine whether any of these is able to satisfy current
needs in full, or whether two or more of them may have to be used in concert.
In chapters 2 and 3 a comparison will be made between CobiT, SAS 55/78, COSO and SAC
with the emphasis on their respective strengths and weaknesses and their appropriateness for
the purposes of an auditing firm. Chapter 4 will consist of a framework developed from the
research, summarizing the results of the previous chapters. Chapter 5 will conclude the short
1.6 RESEARCH APPROACH
A literature survey has been undertaken of existing authoritative documents and other
background material, as well as discussions with people with technical knowledge, on the
SAC, COSO, SAS and CobiT frameworks.
With all the information obtained in the literature survey a comparison has been made between
the internal controls propagated by CobiT and the internal controls advocated in each of the
other frameworks. A conclusion was then drawn as to whether CobiT is the most appropriate
framework for an auditing firm to adopt.
The main problem identified is the choice to make between four well-known frameworks for
internal control. Each of these documents was developed by a different organization with a
specific audience in mind, which has resulted in many discrepancies between the four
documents.
In summary, this research provides a basis for understanding each of these documents, as well
as providing a procedure for deciding which framework to use.
In chapter 2 each document is summarized in order to provide the reader with background
information regarding the documents. The summaries also expand the reader's knowledge
regarding internal control, thus preparing readers for the comparison in chapter 3. The
summaries establish a basis for the identification of the differences between the documents.
In chapter 3 more penetrating reasons for a comparison of the documents are identified. This
research focuses on an external auditor's point of view, and thirty points of focus of particular
interest to internal auditors are identified from the four documents. These thirty focus points
were captured in a table and the four documents were compared with reference to each focus
point. This seemed to be the best way to identify the strengths and weaknesses of each
document. In some instances all four documents devoted considerable attention to the same
focus points, but concentrated on different, though equally important, aspects. In such
instances a combination of the documents would have provided one with an ideal framework.
In other instances, only two of the four documents dealt with a given focus point, and in these
instances it seems clear that the documents omitting this particular focus point could be
regarded as flawed by the omission.
In chapter 4 the thirty points of focus were grouped together into fifteen groups, and the
results of the comparison discussed for each group individually. From the comparison it was
easy to determine which document provided the best approach to the focus point and a
conclusion could thus be reached after each group was discussed.
In the conclusion of chapter 4 a matrix is presented indicating which documents to use for
which focus points. We conclude that CobiT provides the best approach for 25, SAC for 15,
COSO for 12 and SAS for 13 of the focus points. From these results one could conclude that
CobiT can indeed replace the other documents in most cases as a basis for internal control.
There are indeed still instances where the other documents will set better standards for internal
control than CobiT. Because SAS is solely focused on the audit process, none of the other
documents is better able to explain the audit process than SAS. Because SAC identifies certain
scenarios and discusses in detail the internal control procedures that would be appropriate to
these scenarios, no other document would be able to explain the control issues better than
SAC in cases where one of these scenarios is applicable to a specific organization. COSO,
again, is a very helpful document for a person without an audit background because it
provides evaluation tools with examples of how to use them.
It is therefore not always easy to determine which document to use for a particular purpose.
The research therefore merely provides guidelines on how to decide which framework to use
for a specific organization. The research in no way attempts to provide a rigid set of rules
prescribing which framework to use. Nevertheless, it will almost certainly assist auditors in
deciding on an appropriate framework as well as providing them with a rational basis to
convince management of the appropriateness of their choice.
1.8 CONCLUSION
The objective of this short dissertation has been met; that is to help the auditor to decide
which document or combination of documents to use as a guideline for internal control, and to
determine whether CobiT can indeed replace COSO, SAC and SAS55/78 for most or all
purposes.
By using the comparison of the four documents in chapter 3, an auditor will be able to
determine which document or documents are most suitable for a specific control objective.
This will aid auditors in deciding which framework to use for their own work, as well as
providing them with sound arguments to convince a client which framework to use for internal
control in a given case.
Determine which document to use, depending on what their focus point is going to be;
Decide which document to recommend to their customers, taking into account the focus
points of the customer; and
Determine whether CobiT is suitable to replace the other four documents.
The matrix and comparison do not attempt to provide auditors with a rigid set of rules to
follow when making a decision regarding the documents, but merely set an example of how to
make such a decision.
It is hoped that this short dissertation will open new fields for academic research in the area of
internal control. A specific organization can be identified, focus points for that organization
can be determined, and an investigation can then be undertaken into which document will be
most suitable for the purposes of the organization being studied.
This research focused on an auditor's perspective. Research can also be performed from
management's perspective or from the Information System department's perspective. The
points of focus were not compared in detail. Academic research can also be performed in
more detail on specific points of focus.
CHAPTER 2
CONTENTS PAGE
2.1. OBJECTIVE 15
2.3.1 Scope 16
2.4 BACKGROUND 17
2.9 CONCLUSION 26
2.1 OBJECTIVE
In order to derive maximum benefit from the literature survey, the objectives have been
defined to allow comparative analysis of references and to facilitate the analysis of strengths
and weaknesses in frameworks for internal control. The objectives for this chapter are to
obtain authoritative views on:
• CobiT;
• SAS 55/78;
• SAC; and
• COSO.
To ensure credibility and acceptance of the findings and proposals of this short dissertation, it
is essential that the underlying concepts should be based on authoritative views and be
generally accepted among business and computer auditing professionals. Theory based on an
individual's experience without taking generally accepted professional views into account may
be subject to personal bias. Other factors which may introduce bias are the individual's
background and the absence of formal research. To avoid these problems, references have
been restricted to documents mainly used by auditors and auditing firms and to authoritative
frameworks (Lubbe, 1995: 15). The main sources of these documents are:
In their publications, they present most of the internationally accepted guidelines and
frameworks for internal control.
The emphasis on auditor-related sources provides more and better background for
finding risks relevant to the auditor involved in auditing internal controls.
In total, their documented findings represent a properly balanced view of internal
controls and frameworks needed to evaluate it in an entity.
Each of the documents will be discussed and, where necessary, material drawn from the
sources representing the different views on internal control, will also be included.
2.3.1 Scope
Existing internal control frameworks, or principles governing internal controls, with various
focus points had to be surveyed in order to establish a representative framework for internal
control. The purpose when examining existing frameworks and documentation was not to
attempt to include every possible point of view on internal control, but rather to identify the
basic focus points of internal control about which there was some degree of consensus in the
literature. Each of the documents examined deals in some detail with internal control
principles, objectives, risks, the control environment, the audit process and the monitoring of
internal control, and these issues had to be analysed in greater depth in our main sources.
Once the main source documents, CobiT, COSO, SAS55/78 and SAC had been examined,
other relevant literature was then surveyed for the absence or presence of any important
information on internal control from an auditor's point of view. These points were compared
and only the strengths of each document were included in the final representative framework.
To achieve the objectives of the literature survey, it was necessary to examine and analyse
control frameworks from as many points of view and in as much detail as possible. However,
in the context of a short dissertation, the following limitations and exclusions had to be placed
on the scope of the literature survey:
• Only issues raised in discussions dealing with non-technical aspects of internal control
were included. Sections in the sources which dealt with technical issues, such as
telecommunications, business systems, end-user departments, etc. were thus excluded.
• Because the objectives of the survey require authoritative references, sources of
doubtful authority, as well as individual opinions, were ignored.
• Because this short dissertation is principally concerned with a comparison of SAC,
COSO, CobiT and SAS, only comparative information was considered. Certain
detailed areas of discussion which were exclusive to particular documents, such as
SAC's continuity planning and COSO's reporting to external parties, therefore had to
be excluded.
A great deal of preparatory work was done to ensure that the short dissertation would be
based on sound theory. The limitations and exclusions imposed on the author did not detract
from the overall objectives of the study; in fact, they imposed a discipline on the work by
narrowing the investigation down to the principal issues which are relevant in a short
dissertation of this nature.
2.4 BACKGROUND
The source material was briefly surveyed to identify the principles of internal control in as
detailed a manner as possible, bearing in mind the objectives of this survey. The idea of
comparing the four documents, SAC, COSO, CobiT and SAS 55/78, in order to determine
which one provides the most generally acceptable framework, was conceived by Janet
L. Colbert and Paul L. Bowen in 1996. When the three documents COSO, SAC and CobiT
were compared with the auditing guidelines for internal control provided by SAS55/78, a
proper link between these documents and audit-related references was found. The objective
of the guidance notes in this chapter is to introduce the four documents to the computer
auditor and to highlight the basic differences between them. The chapter will also assist the
computer auditor in deciding which model to use, and it contains summaries of CobiT,
SAS55/78, SAC and COSO.
2.5 SUMMARY OF COBIT (CONTROL OBJECTIVES FOR
INFORMATION AND RELATED TECHNOLOGY)
Like SAS78, CobiT adapted part of its definition of control from COSO: the policies,
procedures, practices, and organisational structures designed to provide reasonable
assurance that business objectives will be achieved, and that undesired events will be prevented
or detected and corrected. The rest of CobiT's definition was adapted from that part of
SAC's definition which stipulates the desired result or purpose to be achieved by implementing
control procedures in a particular information technology activity (Colbert & Bowen,
1996: 26).
To satisfy business objectives, CobiT also requires that information should conform to the
following criteria:
• Effectiveness;
• Efficiency;
• Confidentiality;
• Integrity;
• Availability;
• Compliance; and
• Reliability.
CobiT combines the principles embedded in existing reference models in the three broad
categories of quality, fiduciary responsibility, and security. The quality requirement includes
not only quality itself, but also cost and delivery. The fiduciary requirements are drawn from
COSO, and include effectiveness and efficiency of operations, reliability of information, and
compliance with laws and regulations. Security requirements include confidentiality, integrity
and availability.
Planning and organisation: This domain covers strategy and tactics and concerns the
identification of the way in which information technology can best contribute to the achievement
of the business objectives. Furthermore, the realisation of the strategic vision needs to be
planned, communicated and managed from different perspectives. Finally, a proper
organisational as well as technological infrastructure must be put in place (CobiT, 1996: 15).
Delivery and support: This domain is concerned with the actual delivery of the required
services, which range from traditional operations, through security and continuity aspects, to
training. In order to deliver these services, the necessary support processes must be established.
This domain includes the actual processing of data by application systems, often classified
under application controls (CobiT, 1996: 15).
Monitoring: All information technology processes need to be regularly assessed for quality
and compliance with control requirements (CobiT, 1996: 15).
CobiT presents a framework of control for business process owners, but the responsibility and
authority for business processes remain in the hands of management. CobiT includes
definitions of both internal control and information technology control objectives, four
domains comprising 32 processes, 271 control objectives referenced to those processes, and
audit guidelines linked to the control objectives (Colbert & Bowen, 1996: 26).
Framework: The CobiT framework provides a high-level control statement for certain
information technology processes. It also identifies the business need satisfied by the control
statement, identifies the information technology resources managed by the processes, states
the enabling controls and lists the major applicable control objectives (Colbert & Bowen,
1996: 26).
SAS55 and SAS78 are statements of auditing standards published by the Auditing Standards
Board of the AICPA (American Institute of Certified Public Accountants). These documents
define internal control, describe its components and provide guidance on the impact of
controls when planning and performing financial statement audits (Colbert & Bowen,
1996: 30).
A definition: SAS 78 replaces the definition of the internal control structure in SAS 55 with
that of COSO. The only difference between the COSO and SAS definitions is that SAS 78
emphasises the reliability of financial reporting by placing it first in its definition of internal
control.
SAS55/78 focus primarily on controls that affect the reliability of an entity's financial
reporting. This is shown in the following discussion of the components, impact and opinion
of SAS55/78.
• Components: SAS78 replaces the three elements of the internal control structure
(control environment, the accounting system, and the control procedures) with the five
components of the internal control system presented in COSO, i.e. the control
environment, risk assessment, control activities, information and communication, and
monitoring (Colbert & Bowen, 1996: 30).
• Impact: SAS 55/78 require the external auditor to perform procedures to obtain a
sufficient understanding of each of the five components to plan the audit. The auditor
should analyse and understand the design of the entity's policies and procedures, and
determine whether the design has been put into operation. Because the opinion
rendered by auditors refers to financial statements which cover a period of time,
external auditors are interested in controls affecting the capture and processing of
financial information for the entire period under review, and not just the date on which
the audit is carried out. External auditors are required to provide the audit committee
with reports on any significant internal control deficiencies that could affect financial
reporting (AICPA, 1988: SAS 60). They also have the option to communicate other
control matters to the entity, for example proposals to improve certain systems
(Colbert & Bowen, 1996: 30).
• Opinion: The auditor must draft an opinion assessing the extent to which controls
aimed at assuring the reliability of account balances, the correct allocation of
transactions to income and expenditure categories, and full and proper disclosure in the
financial statements are exposed to risk. The auditor may assess control risk at the
maximum level, which implies that the probability of a material misstatement not being
prevented or detected by the internal control structure is at a maximum. Such an
opinion will only be rendered if the auditor believes that policies and procedures are
unlikely to be effective, or because the auditor decides not to perform tests to support a
lower assessed level of control risk. The auditor uses the knowledge provided by the
understanding of the internal control structure and the assessed level of control risk in
determining the nature, timing, and extent of substantive tests for financial statement
assertions (AICPA, 1988: SAS 55).
The SAC report defines internal control, describes its components, provides several
classifications of controls, defines control objectives and risks, and defines the internal
auditor's role. The report provides guidance on using, managing, and protecting information
SAC defines a system of internal control as a set of processes, functions, activities,
subsystems, and people who are grouped together or consciously segregated to ensure the
effective achievement of objectives and goals (Colbert & Bowen, 1996: 29).
The report emphasises the role and impact of computerised information systems on the system
of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to
build controls into systems in the design phase rather than adding them on after
implementation (Colbert & Bowen, 1996: 29).
According to the SAC documentation, the system of internal control consists of three
components:
SAC provides five classification schemes for internal controls in information systems.
These schemes focus on when the control is applied, whether the control can be bypassed,
who wanted the control, how the control was implemented, and where in the software the
control was implemented (Colbert & Bowen, 1996: 29).
Control objectives and risks: SAC describes risks as fraud, errors, business interruptions, and
inefficient and ineffective use of resources. Appropriate control objectives seek to reduce
these risks and to assure information integrity, security, and compliance. Information integrity
is guarded by quality controls governing input, processing, output and software. Security
measures include data, physical, and program security controls. Compliance controls ensure
conformance with laws and regulations, accounting and auditing standards, and internal
policies and procedures (Colbert & Bowen, 1996: 29).
SAC defines the role of the internal auditor as follows: The responsibilities of internal
auditors include ensuring the adequacy of the system of internal control, the reliability of data,
and the efficient use of the organisation's resources. They should also be concerned with
preventing and detecting fraud, and coordinating activities with external auditors. The
integration of auditing and information system skills and an understanding of the impact of
information technology on the auditing process are necessary for internal auditors. These
professionals now perform financial, operational and information system audits (Colbert &
Bowen, 1996: 29).
The COSO report also defines internal control, describes its components, and provides criteria
against which control systems can be evaluated. The report provides materials that
management, auditors, and others can use to evaluate an internal control system. It also offers
guidance for public reporting on internal control. The report has two major goals (Colbert &
Bowen, 1996: 29):
• to establish a common definition of internal control that serves many different parties;
and
• to provide a standard against which organisations can assess their control systems and
determine how to improve them.
The report emphasises that the internal control system is a tool of, but not a substitute for,
management, and that controls should be built into, rather than built onto, operating activities.
The report recommends evaluating the effectiveness of internal control as of a point in
time and not for a period of time (Colbert & Bowen, 1996: 29).
According to COSO, the internal control system consists of five interrelated components:
• Control environment;
• Risk assessment;
• Control activities;
• Information and communication; and
• Monitoring.
The control environment provides the foundation for the other components. It encompasses
such factors as management's operating style, philosophy, human resource policies and
practices, the integrity and ethical values of employees, the attention and direction of the board
of directors, and the organisational structure (Colbert & Bowen, 1996: 29).
COSO describes risk assessment as the identification and analysis of risk. Risk identification
includes examining the potential risks that could arise from external factors, such as
technological developments, competition, and economic changes, and from internal factors
such as personnel quality, the nature of the entity's activities, and the characteristics of
information system processing. Risk analysis involves estimating the significance of the risk,
assessing the likelihood of the risk occurring, and considering how to manage the risk should it
occur (Colbert & Bowen, 1996: 29).
Control activities consist of the policies and procedures that ensure that employees will carry
out management directives. Control activities include reviews of the control system, physical
controls, segregation of duties, and information system controls. Information system controls
include general and application controls. General controls are those covering access,
software, and system development. Application controls are those which prevent errors from
entering the system or detect and correct errors present in the system (Colbert & Bowen,
1996: 29).
Any entity should obtain pertinent information and communicate it throughout the
organisation. The information system identifies, captures, and reports financial and operating
information that is useful to control the organisation's activities. Within the organisation,
personnel must receive the message that they must understand their roles in the internal
control system, take their internal control responsibilities seriously and, if necessary, report
problems to higher levels of management. Outside the entity, individuals and organisations
supplying or receiving goods or services must clearly understand that the entity will not
tolerate improper actions (Colbert & Bowen, 1996: 30).
By conducting special evaluations and by reviewing the output generated by regular control
activities, management can monitor the control system. Regular control activities include
comparing physical assets with recorded data, training seminars, and examinations by internal
and external auditors. Deficiencies found during regular control activities are usually reported
to the supervisor in charge; deficiencies located during special evaluations are normally
communicated to higher levels of the organisation (Colbert & Bowen, 1996: 30).
Other concepts included in the COSO report are the limitations inherent in an internal
control system and the roles and responsibilities of the parties that affect a system. Limitations
include faulty human judgement, misunderstanding of instructions, human error, management
overriding of controls, collusion, and cost versus benefit considerations. The COSO report
defines deficiencies as "conditions within an internal control system worthy of attention."
Deficiencies should be reported to the person responsible for the activity and to management
at least one level above the individual responsible (Colbert & Bowen, 1996: 30).
The effectiveness of an internal control system is judged on the basis of how well an entity
performs with regard to operations, financial reporting and compliance.
2.9 CONCLUSION
One of the objectives of the literature survey is to compare CobiT, COSO, SAC and
SAS55/78 with each other. To make it possible to accomplish this objective, it is important to
have good background knowledge and a basic understanding of each of the documents. Not
all the references to the literature in this dissertation relate directly to the objectives, but they
are necessary to enable one to understand the comparison between the documents. Some
references are also made in order to explain terms used by the authors.
In the writer's opinion, the objectives of the literature survey have been achieved. No further
background information on the documents, other than that which has been specifically
excluded, needs to be presented.
In chapter three, the four basic source documents will be compared in order to emphasise the
strengths and weaknesses of each. In chapter four we shall attempt to satisfy the objectives of
this short dissertation by drawing on the strengths of all four documents and distilling an ideal
reference module, while identifying the document which is most suitable to be used for a wide
range of purposes.
CHAPTER 3
CONTENTS PAGE
3.1 OBJECTIVE 29
3.2.1 Scope 29
3.2.2 Limitations and exclusions 29
3.4 CONCLUSION 71
3.1 OBJECTIVE
The objective of this chapter is to compare the most important features of CobiT, COSO,
SAC and SAS55/78 in order to point out the strengths and weaknesses of each document.
3.2.1 Scope
Existing frameworks for internal control and current internal control structures had to be
surveyed, but from an external auditor's point of view. The objective of the survey was to
decide which framework is best suited to external auditing purposes and to create a
framework for internal control.
SAC module 2, chapter 4 "The Internal Auditor's role" has thus been excluded.
A great deal of preparatory work was done to ensure that the short dissertation would be
based on sound theory. The limitations and exclusions imposed on the author did not detract
from the overall objectives of the study; in fact, they imposed a discipline on the work by
narrowing the investigation down to the principal issues which are relevant in a short
dissertation of this nature.
The comparison between CobiT, COSO, SAC and SAS55/78 is set out in table 3.1.
Table 3.1 The comparison between SAS55/78, CobiT, SAC and COSO per point of focus.
[Table 3.1 is a multi-page rotated table whose body could not be recovered from the scan. It compares SAS55/78, CobiT, SAC and COSO per point of focus; the legible points of focus include control activities, information and communication, integrity of information, compliance with laws and regulations, information processing, segregation of duties, program security, physical security, organisation structure, control framework, application controls, computer viruses, and reviewing operations or programs. Legible citations in the table include (COSO, 1992: 1, 3, 5, 6), (AICPA, 1988: 26, 39), (AICPA, 1995: 3, 17), (AICPA, 1996: 5, 10) and (ISACF, 1996: 8, 13, 20).]
COSO, SAC and CobiT were developed to enable management to develop a proper internal control structure which will meet their expectations, and to help them benchmark their current internal control system. SAS 55 and SAS 78 were developed to provide guidance on the independent auditor's consideration of an entity's internal control in an audit of financial statements in accordance with generally accepted auditing standards.
These four documents were compared in order to determine the strengths and weaknesses of each, and also to determine which document is the most suitable from an auditing perspective. A table was drawn up capturing the most important points in each document, and each of these points was compared with the corresponding points in the other documents. From the comparison it is clear that each document has a different focus and emphasises different internal control issues, and that each therefore has certain strengths and weaknesses regarding the definition of an ideal internal control structure.
In chapter 4 conclusions will be reached regarding the strengths and weaknesses of each document, and a decision framework will be developed indicating which document to use under a given set of circumstances.
CHAPTER 4
CONTENTS PAGE
4.1 OBJECTIVE 74
4.2 BACKGROUND 74
4.3.1 Scope 74
4.3.2 Limitations and exclusions 74
4.4 RESULTS 75
4.4.11 The risks to which a company is vulnerable 83
4.4.12 The focus of the internal control structure 83
4.4.13 Management's responsibility regarding internal control, the management
of information and the development of systems 84
4.4.14 The impact of technology trends on application systems, and the
impact of communication and end-user and departmental
computing on the internal control structure. 84
4.4.15 Contingency planning as part of the internal control structure 85
4.5 CONCLUSION 86
4.1 OBJECTIVE
The objective of this chapter is to establish a framework that will indicate which document to
use under a given set of circumstances. This will be done by highlighting the strengths and
4.2 BACKGROUND
The reference material used for the study has been surveyed in as much detail as is necessary to identify those references which represent a framework for internal control. The study performed in chapter 3 has been used as a basis for developing a reference framework for the use of SAS55/78, COSO, SAC and CobiT in different situations.
4.3.1 Scope
Existing frameworks for internal control and current internal control structures have had to be surveyed, but from an external auditor's point of view, as this is the objective of the dissertation. These frameworks are compared to determine the strengths and weaknesses of each. The objective of the comparison is to decide which framework is best suited for external auditing purposes in general, and also to establish a reference framework for decision
To achieve the objectives of the literature survey, it has been necessary to re-examine and analyse the comparison of the four documents made in chapter 3. Consequently the following limitation applies:
• Only the issues addressed in the comparison have been included. Sections in the four documents that deal with other issues have thus been excluded.
A great deal of preparatory work has been done to ensure that the short dissertation is based
on sound theory and that exclusions imposed do not detract from the overall objective of this
chapter. In fact the limitation enforces a discipline on the discussion, which will ensure that
only those issues which are strictly relevant are taken into consideration.
4.4 RESULTS
4.4.1 The premise of an internal control structure and the audience it addresses
Before deciding which document to use as a framework for internal control, it is important to determine what the premise is. If the internal control framework is needed to obtain information to plan the audit and to determine the nature, timing and extent of tests to be performed, then SAS55/78 is probably the most appropriate framework, as it is focused mainly on the requirements of external auditors. CobiT, SAC and COSO can also be used, because all three share the premise of achieving adequate control to provide the information that an enterprise needs to achieve its objectives.
It is important to note that SAC addresses internal auditors as its audience, while COSO addresses management. Therefore, when questions of an external auditing nature need to be taken into account when examining internal control, these two documents cannot be used on their own.
All four documents view internal control as a process, but SAC extends the concept by defining internal control as a set of processes, subsystems and people, and CobiT defines it as a set of processes which include procedures, practices and organisational structures (Chapter 3.3.1, paragraph 3).
Although CobiT defines the processes included in internal control very thoroughly, it does not define the objectives of internal control as well as the definitions in COSO and SAS55/78 do (Chapter 3.3.1, paragraph 4).
Taking the foregoing into account, the following definition can be distilled from the source documents COSO, SAS55/78 and CobiT:
A process, effected by an entity's board of directors, management and other personnel, and which includes policies, procedures and organisational structures which are designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
SAS55/78 and COSO both divide internal control into the same five components: the control environment, risk assessment, control activities, information and communication, and monitoring. SAS55/78 focuses on the external auditor, while COSO focuses on management; the components are nevertheless used by both audiences.
Control activities are addressed by CobiT as a section within each process, namely the evaluation of the controls, with examples for that specific process (Chapter 4, paragraph 4.5).
The communication process is likewise included in each of the processes under the section "evaluating the controls". Examples of controls are noted there, and the impact of telecommunication on internal control is discussed within CobiT (Chapter 4, paragraph 4.14).
The last component included by SAS55/78 and COSO is also included as a domain in CobiT.
We can hereby conclude that all the components included in SAS55/78 and COSO also appear
in CobiT, not necessarily as separate components, but rather as part of the domains.
A chronological tracking of processes as they happen seems to be the best way to identify
components, therefore CobiT seems to be the best framework to use to identify components
as it also includes components of the other documents.
4.4.4 The purpose an internal control framework will serve for auditors,
management and an Information System department
SAS55/78 will help auditors to plan the auditing of an internal control structure, while CobiT,
SAC and COSO provide practitioners with specific guidelines and technical reference material
to evaluate the internal control structure. SAC provides auditors with specific examples to
assist them in performing their evaluation, while CobiT deals with general processes.
To assist the Information Systems department in evaluating internal control issues, SAC provides separate modules, whereas CobiT integrates the issues regarding the Information Systems department into its four domains. Therefore, when focusing solely on the IS department, SAC is the best document to use; when focusing on the internal control structure as a whole, including the IS department, CobiT is the best document to use (Chapter 3.4.1, paragraph 8).
Control objectives: SAS55/78, CobiT, COSO and SAC have the same three control
objectives, i.e. reliable financial reporting, effective and efficient operations and compliance
with laws and regulations. CobiT introduced additional control objectives, i.e. the
confidentiality, integrity and availability of information. It is therefore clear that CobiT has the
most comprehensive control objectives (Chapter 3.3.1, paragraph 9).
Control activities: SAS55/78 identified four control activities which are relevant to an audit,
while SAC divided control activities into integrity of information and security. COSO divided
control activities into top-level review, direct functional or activity management, information
4.4.6 The accepted structure of the auditing process, and auditing in an
information technology environment
The accepted structure of the auditing process: SAS55/78 is the only document that focuses exclusively on the external auditor, and the structure it defines is therefore accepted as the structure of the auditing process. SAC suggests that the internal auditor should use current auditing approaches and methodologies, but neither SAC nor COSO discusses the auditing process itself. All the points identified by SAS55/78 are addressed, more or less, by CobiT, which can therefore be used as an alternative to SAS55/78 to define the accepted structure of the auditing process (see Chapter 3.3.1, paragraph 11).
For auditing in an information technology environment, CobiT will provide the best guidelines
while SAC will provide the best guidelines for making use of information technology in the
auditing process (Chapter 3.3.1, paragraph 12).
The control environment: SAS55/78 and CobiT both identify seven conditions which define the control environment, while SAC identifies only four and COSO as many as nine. COSO's definition of the control environment is therefore the most comprehensive (Chapter 3.3.1, paragraph 14).
Control procedures: SAS55 states that control procedures are integrated into specific components of the control environment and the accounting system; as auditors obtain an understanding of the control environment and the accounting system, they also gain knowledge of the control procedures. SAC classifies controls into six categories, while COSO classifies them into two broad categories. CobiT is the only document that evaluates the appropriateness of the control measures for the process under review by considering clearly identified criteria and industry standard practices and applying professional auditing judgement (Chapter 3.3.1, paragraph 16).
Monitoring: SAS55/78 expresses general ideas on monitoring which are in line with those expressed in COSO. CobiT devotes a domain with two modules to monitoring. SAC does not identify monitoring as a component of the internal control structure and therefore does not elaborate much on the monitoring process. When addressing this component in an internal control structure, any of CobiT, COSO or SAS55/78 can be used; it is recommended that all three be used in conjunction for best results (Chapter 3.3.1, paragraph 29).
SAS55/78 classifies controls into four categories, called performance reviews, information processing, physical controls and segregation of duties. CobiT moves the classification to a higher level by dividing it into three categories, called activities and tasks, processes and domains. COSO classifies controls into two categories, called application controls and general controls. SAC provides the most comprehensive classification of controls by dividing them into five categories: preventive, detective and corrective controls; discretionary and non-discretionary controls; voluntary and mandated controls; manual and automated controls; and application and general controls (Chapter 3.3.1, paragraph 17).
SAS55 discusses in detail how to assess control risk either at maximum or less than maximum
level, or even at a lower level. It identifies factors which have to be taken into account when
deciding at what level risk should be assessed, such as policies and procedures, results of tests,
and additional evidential matters.
CobiT identifies certain auditing steps to be performed to ensure that the control measures established are working consistently and continuously as prescribed. This is done by obtaining direct or indirect evidence for selected items, and by performing limited and more extensive analytical reviews. SAC states that the most effective method of evaluating a control procedure is by means of classification.
COSO identifies external factors as potential risk factors. All four documents differ on their
statements regarding the assessment of risk, and each has a valid point regarding control risk.
All four documents can be used for the assessment of control risk (Chapter 3.3.1, paragraph
18).
The documentation of auditing work performed: SAS55/78 states that the understanding of the internal control structure and the conclusion about the assessed level of control risk should be documented. CobiT takes this one step further by stating that the actual and potential impact should also be documented. SAC and COSO do not include specific documentation procedures for external auditors; the focus of these two documents is on the evaluator and the internal auditor. From an external auditor's point of view CobiT provides the best approach, but from an internal auditor's point of view SAC provides the better approach (Chapter 3.3.1, paragraph 19).
The safeguarding of assets: SAS55/78 and COSO each include merely a paragraph on the safeguarding of assets. SAC, on the other hand, sets a high standard by providing a whole module on security, addressing topics such as security management, physical security and logical security. CobiT includes a process (DS5) addressing topics such as authentication and access, security of on-line access to data, user account management, data classification, central identification, violation reports, incident handling, re-accreditation, cryptography and virus prevention. The best documents to use for the implementation of procedures for the safeguarding of assets are CobiT and SAC, since both have modules dedicated to the topic (Chapter 3.3.1, paragraph 20).
SAS55/78 identifies a few risks, but CobiT identifies risks for each of its thirty-two processes. SAC identifies risks for very specific circumstances, such as computer aided software, application programming, telecommunication, operating systems, knowledge-based systems, image processing, database management and application packaging. COSO makes provision for evaluation tools in the form of a documented process for evaluating a control structure, and the evaluation of risks forms part of these tools.
In deciding on the most appropriate tool for the identification of risks, CobiT is the most comprehensive document to use. COSO can be used as an alternative, while SAC can be used in very specific circumstances (Chapter 3.3.1, paragraph 21).
The focus of the evaluation of the internal control structure will determine which document
will be used. When focusing on the financial statements, SAS55/78 will be used as a
guideline, and when focusing on information technology, CobiT or SAC will be used. When
focusing on the overall entity COSO is the ideal guideline to use (Chapter 3.3.1, paragraph
22).
4.4.13 Management's responsibility regarding internal control, the management of information and the development of systems
The management of information and the development of systems: SAS55/78 does not go into much detail, but the other three documents do. CobiT has four processes dedicated to this topic (PO1-PO4), SAC has a separate module dedicated to it, and COSO has a separate chapter addressing it. Therefore all three of these documents can be used to develop and benchmark an entity's internal controls for the management of information and the development of systems (Chapter 3.3.1, paragraph 26).
The impact of technology trends on application systems: SAS55/78 does not address this issue, and COSO only briefly describes the controls relating to system development and maintenance. SAC module 6 selected six application systems that have a broad appeal for both the business community and the auditing community in order to discuss the impact of technology trends on application systems. CobiT process AI2 sets certain control objectives regarding the acquisition and maintenance of application software. No specific applications are highlighted, as was the case with SAC, but this makes it easier to apply to any application and avoids long discussions of a specific application (Chapter 3.3.1, paragraph 13). Again, CobiT seems to be the document to use to determine the impact of technology trends on application systems; for the specific applications discussed in SAC, SAC is the best document to use.
The impact of communication and telecommunication on the internal control structure: SAS55/78 only states that the auditor should obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters relating to financial reporting. COSO elaborates on the impact of communication on the information systems and identifies two types of communication. Neither of these two documents addresses the impact of telecommunication on the internal control structure. SAC again dedicates a module to this topic: module 8 identifies the auditing issues related to telecommunication systems by concentrating on the risks and controls of each component, and each chapter begins with a basic technical discussion and continues by relating the technical issues to risk and control considerations. CobiT, on the other hand, identifies auditing issues related to telecommunication in DS5; this is the normal system security process, but it includes certain points on telecommunication (Chapter 3.3.1, paragraph 28). When evaluating the impact of communication and telecommunication on the internal control structure, COSO is the best to use for communication and SAC the best for telecommunication. CobiT can also be used as an alternative guideline for the impact of telecommunication, because it addresses all the important issues.
The impact of end-user and departmental computing on the internal control structure: SAS55/78 and COSO do not address the impact of end-user and departmental computing on the internal control structure. SAC presents this issue in module 7 by means of several EUC scenarios with relevant auditing guidance. CobiT does not use scenarios, but deals with the issue in the process for the acquisition and maintenance of application software (Chapter 3.3.1, paragraph 27). SAC is the best document to use if the applicable scenario is discussed in SAC; in other cases CobiT is the best instrument for determining the impact of EUC on the internal control structure.
SAC module 10 and CobiT DS4 both discuss the contingency plan process, strategy, documentation and testing. SAC also discusses risk analysis, risks and controls, and auditing considerations, while CobiT discusses backup processes, training, critical applications, backup sites and hardware, and file recovery procedures. To obtain the best guideline for contingency planning, the use of both documents is recommended. Neither SAS55/78 nor COSO expresses an opinion regarding the contingency plan (Chapter 3.3.1, paragraph 30).
4.5 CONCLUSION
Table 4.4 will serve as a summary of this chapter, as well as a conclusion regarding which
document an external auditor should use for a given point of focus.
The table identifies the points of focus in column two, and there is a column for each
document compared. A symbol in a document's column indicates that the document is
considered appropriate for the specific point of focus. In some instances only one document is
recommended, in other instances all four are usable. To get the best results from this table it
will be necessary to refer back to the text in this chapter, and the necessary text references are
therefore given in the first column.
Table 4.4 Matrix for comparison between SAS55/78, CobiT, SAC and COSO
[Only part of the table is legible in this copy. The surviving rows are reproduced below; the marks for the rows 4.1 and 4.2 are present in the original but their column positions are not recoverable, and the remaining rows are placed according to the text of this chapter.]

Ref.   Point of focus                                        SAS55/78   CobiT   SAC   COSO
4.1    Premise                                               (two documents marked)
       Audience                                              (two documents marked)
4.2    Defining internal control                             (one document marked)
4.6    Planning a structure for the auditing process         #          #
       Aid for auditing in an information technology
       environment                                                      #       #
4.15   Defining contingency planning procedures                         #       #
       Total                                                 13         25      15    12
The comparison of the principles of the four documents SAS55/78, CobiT, COSO, and SAC
has been successfully completed. By comparing the documents, the strengths and weaknesses
of each were identified. The application of the comparison's results to any control
environment can assist the auditor in determining which document to use. The objective of
this short dissertation, as set in chapter 1, has therefore been met. It is clear from the matrix
that CobiT can indeed replace the other three documents, as CobiT addressed twenty-five of
the focus points while SAC addressed only fifteen, COSO twelve and SAS thirteen.
CHAPTER 5
CONCLUSION
CONTENTS PAGE
5.1 CONCLUSION 90
5.1 CONCLUSION
The objective of this short dissertation has been met, namely to help the auditor decide which document or combination of documents to use as a guideline for internal control, and to determine whether CobiT can indeed replace COSO, SAC and SAS55/78. A matrix was presented in chapter 4 indicating which document or combination of documents to use for which focus points. The validity of this matrix has been proved by the procedure followed to create it:
• A total of thirty focus points which are important from an external auditing point of view were identified from the four documents.
• These thirty points were compared in chapter 3 in order to determine the strengths and weaknesses of each of the documents. It was found that, with the exception of CobiT, the documents did not provide satisfactory approaches to all thirty focus points, and this was identified as a weakness in these documents.
• A matrix was prepared indicating which document to use for which focus points.
The main problem identified is the fact that, although SAC, COSO, SAS55/78 and CobiT are believed to set the standards for internal control, each of them was developed by a different body and consequently addresses the needs of a different audience. By using the comparison of the four documents in chapter 3, an auditor can determine which document or documents address a specific control objective best. This will aid auditors in deciding which framework to use themselves, as well as in convincing clients which framework to use for internal control. Auditors can thus:
• Determine which document to use, depending on what their focus point is going to be.
• Decide which document to recommend to their customers, taking into account the focus points of the customer.
The comparison in chapter 3 is in no way a complete comparison of the four documents. Only
thirty focus points which are important from an auditor's perspective were identified. As a
result, the matrix is also not a perfect aid to making a decision regarding the documents.
Nevertheless, it will still be useful to assist the auditor in making a decision. It also provides
important background information.
This short dissertation opens new fields for academic research in the area of internal control. A specific organisation can be identified, focus points for that organisation can be determined, and a study can then be performed on which document will be most appropriate for the purposes of that entity.
This research focused on an auditor's perspective. Research can also be performed from
management's perspective, or from the Information System department's perspective. In this
short dissertation the points of focus could not be compared in detail, and considerable scope
remains for more detailed academic research into specific points of focus.
This short dissertation provides the basic tools (comparison and matrix) which can be used by
different audiences for different focus points in order to determine which documents or
combination of documents to use in order to develop, evaluate and benchmark their current
internal control structures.
BIBLIOGRAPHY
COLBERT, J.L. & BOWEN, P.L. 1996: A comparison of internal controls: CobiT, SAC, COSO and SAS55/78. IS Audit & Control Journal, volume 4, 1996: 26-35.
DAMIANIDES, M. 1991: A control model for the evaluation and analysis of control facilities in a simple path context model in a MVS/XA environment. Johannesburg: Rand Afrikaans University (M.Com dissertation).
GELINAS, J. & MAKOSZ, P. 1996: CobiT: Control objectives for information and related technology. IS Audit & Control Journal, volume 4, 1996: 12-13.
LAINHART, J.W. 1996: Arrival of CobiT helps refine the valuable role of IS audit and control in the enterprise. IS Audit & Control Journal, volume 4, 1996: 20-23.
LUBBE, J. 1995: A value-for-money audit approach to LANs with specific reference to Novell Netware. Johannesburg: Rand Afrikaans University (M.Com dissertation).