
DEMAS TAUFIQ SUGANDA - 185020307141012

7.5 IT Risk and Controls

7-7 IT controls are often described in two categories: IT general controls (ITGC) and IT application
controls. ITGC include controls over the Information Technology (IT) environment, computer
operations, access to programs and data, program development and program changes.

ITGC represent the foundation of the IT control structure. They help ensure the reliability of data
generated by IT systems and support the assertion that systems operate as intended and that output
is reliable. IT application or program controls are fully automated (i.e., performed automatically by
the systems) and are designed to ensure the complete and accurate processing of data, from input through
output. These controls vary based on the business purpose of the specific application.

7-8 The auditor may perform walkthroughs as part of obtaining an understanding of internal control
over financial reporting. For example, the auditor may perform walkthroughs in connection with
understanding the flow of transactions in the information system relevant to financial reporting,
evaluating the design of controls relevant to the audit, and determining whether those controls have
been implemented. In performing a walkthrough, the auditor follows a transaction from origination
through the company's processes, including information systems, until it is reflected in the
company's financial records, using the same documents and IT that company personnel use.
Walkthrough procedures usually include a combination of inquiry, observation, an inspection of
relevant documentation, and re-performance of controls.

7.6 Components of Internal Control

7-9 Control Environment: How has management put into place policies and procedures that guide
the organization? What kind of tone has management set in the organization so that everyone
knows that they are supposed to make sure that your controls are operating effectively and are
achieving the results that they expect?

Risk Assessment: How does your organization assess risk to identify the things that threaten the
achievement of their objectives?

Information and Communication: How does management communicate to their internal and
external users what is expected of them? How do you make sure that you receive an
acknowledgment from those people that they understand what you’re asking them to do?

Monitoring Activities: How does management oversee the functioning of the entire organization?
How do you identify when things aren’t working correctly and correct those deficiencies as quickly as
you possibly can?

Existing Control Activities: What are the controls that you currently have in place? Were they in
place and operating effectively over some time?

7.7 Control Environment

7-10 It is important because it creates the parameters enabling the board of directors to carry out its
governance oversight responsibilities; the organizational structure and assignment of authority and
responsibility; the process for attracting, developing, and retaining competent individuals; and the
rigor around performance measures, incentives, and rewards to drive accountability for
performance. The resulting control environment has a pervasive impact on the overall system of
internal control.

7-11 The control environment is one of the key components of an entity’s internal control; it sets the
tone of an entity, influences the control consciousness of people within an organization and is the
foundation for all other components of the internal control system. Management and independent
auditors will find some suggestions for addressing one of the most challenging requirements of
assessing internal control: evaluating the effectiveness of the control environment.

7-12 Tone at the top, commonly referred to in auditing, is used to define a company’s management
and board of directors’ leadership and their commitment to being honest and ethical. The tone at
the top sets forth a company’s cultural environment and corporate values.

The tone at the top outlines that the board of directors and management team should embody and
not merely pay “lip service” to compliance and upholding ethics. It states that those at the top of the
organization should be honest, show integrity, and uphold an ethically-correct corporate culture.

7.8 Risk Assessment

7-13 Both of these functions have a role in ensuring the effectiveness of the organization's risk
management implementation. The basic difference between the two functions lies in the delegation
of responsibility. The risk management function is to direct the company's risk management
practices to the organization, especially to deal with the main risks that can interfere with the
organization's goals. On the other hand, the internal audit function is to monitor, integrate, and
assess internal control and risk management.

7-14 Audit risk model (ARM)

Audit risk includes 3 components: inherent risk, control risk and detection risk. The interconnection
of the three components of the audit risk can be seen in the figure below (Hayes et al., 2005),
expressing how much audit evidence should be collected (or not) by the auditor for providing that
“reasonable assurance”.

In practice, auditors use an audit risk model, also known as ARM, to assess the way the audit
should be performed and how long it should be given for the following step.

One of the relations that we run across is:

AR = RMM × DR (1)

Where:

AR = Audit risk

RMM = Risk of material misstatement

DR = Detection risk

The risk of material misstatement is:

RMM = IR × CR (2)

Where:

IR = Inherent risk

CR = Control risk

In this situation:

AR = IR × CR × DR (3)
