Lecture 1-5 Is Audit and Internal Controls
Audit
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit
An audit is an evaluation of a person, organization,
but similar concepts also exist in project management, quality management, and energy conservation.
IT/IS Audit
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources effectively.
An Information Technology audit, or Information Systems
IT/IS Audit
The evaluation of obtained evidence determines if the Information Systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
These reviews may be performed in conjunction with a
IT/IS Audit
Information Systems audit is a part of the overall audit
we can define it as: the process of collecting and evaluating evidence to determine whether a computer system (Information System) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
Software Audit
Software Audits provide an independent evaluation of software products or processes to ascertain compliance to standards, specifications, and procedures based on objective criteria that include documents that specify:
The form or content of the product to be produced.
The process by which the products shall be produced.
measured.
Software Audit
Software audits include checking software products and processes to verify that they comply with the applicable procedures and standards.
software is audited for license compliance
A software quality assurance, where a piece of software is audited for quality
A software audit review, where a group of people external to a software development organization examines a software product
A physical configuration audit
A functional configuration audit
systems
Survival of organization
Costs of data loss
Costs of errors
Inability to function
Possibility of incorrect decisions
inside & outside: hacking, viruses, access
Destruction & theft of assets
Modification of assets
Disruption of operations
Unauthorized use of assets
Physical harm
Privacy violations
(ADP) audits" and "Computer Audits". They were formerly called Electronic Data Processing (EDP) audits.
Sometimes IS Auditing has another objective, namely ensuring that an organization complies with some regulation, rule, or condition. IS Auditing is conceived as being a force that enables organizations to better achieve four major objectives.
Safeguarding of Assets
IT/IS Audit
Hardware
Software
Facilities
People (knowledge)
Data files
System documentation
Supplies
internal control.
a state implying data has certain attributes: Completeness, Soundness, Purity and Veracity.
If data integrity is not maintained, an organization no longer has a true representation of itself or of events. Moreover, if the integrity of an organization's data is low, it could suffer a loss of competitive advantage.
organization:
1. The value of the information content of the data item for individual decision makers.
2. The extent to which the data item is shared among decision makers.
3. The value of the data item to competitors.
Purpose of IT Audit
An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and
distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:
Technological Innovation Process Audit: This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product, organization and industry structure.
innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
Technological Position Audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".
categories of audits:
1. Systems and Applications.
2. Information Processing Facilities.
3. Systems Development.
4. Management of IT and Enterprise Architecture.
5. Client/Server, Telecommunications, Intranets, and Extranets.
applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
Physical and Environmental
System Administration
Application Software
Application Development
Network Security
Business Continuity
Data Integrity
Audit Process
determine how the audit should be conducted.
Controls Review: Detailed controls are appraised both in their necessity and presence.
Compliance Testing: Determines whether controls actually exist and function as specified in the documentation.
Substantive Testing: Determines whether the system data actually represents reality.
Externally
Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.
External audit is an audit conducted by an individual or a firm that is independent of the company being audited.
Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit
Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. Internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
broad and may involve topics such as:
Efficacy of operations.
Reliability of financial reporting.
Deterring and investigating fraud.
Safeguarding assets.
Compliance with laws and regulations.
compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities.
As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
Internal Auditing Department, led by a Chief Audit Executive (CAE) who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.
Head of IT Audit
function to monitor and evaluate the effectiveness of the organization's risk management processes.
Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to the risks that could potentially impact its ability to realize its objectives.
syndrome
Comprehensive ethical/control programs do matter to corporate stakeholders
Need for ethical/control standards
Internal reporting process
Highest level responsibility
determine if the system accomplishes its organizational tasks effectively & efficiently
Understanding the organization & environment
Understanding systems, EDP in particular
Understanding the control approach
Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events
effectiveness of controls
Control: a system that prevents, detects, or corrects unlawful, undesirable or improper events
Reporting and responsibility to Board of Directors
Assessing Reliability
By controls
By transaction
By errors
Internal Auditors
Responsible to Board of Directors.
An internal control function.
Assist the organization in measurement and evaluation of:
Effectiveness of Internal Controls.
Achievement of organizational objectives.
Economics & efficiency of activities.
Operational audits.
External Auditors
Responsible to stockholders and public
Via Board of Directors
Completeness.
Valuation and allocation.
Presentation and disclosure.
Must test compliance with laws and regulations.
Must test for fraud and improprieties.
Relies on internal control structure for planning of audit.
External Auditors
Audit (material misstatement) risk = product of:
Inherent risk (assertion could be materially misstated)
Control risk (misstatement will not be prevented or detected on a timely basis by internal controls)
Detection risk (inversely related to control and inherent risks)
Internal Controls
In auditing, Internal Control is defined as a process effected by an organization's structure, work and authority flows, people and Management Information Systems, designed to help the organization accomplish specific goals or objectives.
Internal controls are a MEANS by which an organization's
Internal Controls
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
Corrective
Affect reliability:
Reduce failure probability
Reduce expected loss in failure
nature.
1. Detective controls are designed to detect errors or irregularities that may have occurred.
2. Corrective controls are designed to correct errors or irregularities that have been detected.
3. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.
These are derived from the way management runs a business, and are integrated with the management process.
Although the components apply to all entities, small and mid-size companies may implement them differently than large ones. Its controls may be less formal and less structured, yet a small company can still have effective internal control. The components are:
1. Control Environment:
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
2. Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
3. Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
4. Information & Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.
5. Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
System of authorizations
Documentation & records
Physical control over assets & records
Management supervision
Independent checks
Recruitment & training
specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates internal control by assessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.
Authorization
The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.
Completeness
The objective is to ensure that no valid transactions have been omitted from the accounting records.
Accuracy
The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner.
Validity
The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.
Error handling
The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
Segregation of Duties
The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction. A well designed process with appropriate internal controls should meet most, if not all, of these control objectives.
IT Controls
Information Technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met.
They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.
IT Controls
IT controls are often described in two categories:
1. IT General Controls (ITGC)
2. IT Application Controls
ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT Application Controls refer to transaction processing controls, sometimes called "input-processing-output" controls.
Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.
ITGC
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
Control Environment: Those controls designed to shape the corporate culture or "tone at the top". Provides the foundation for the other components. Encompasses such factors as management's philosophy and operating style.
Change Management procedures: Controls designed to ensure
ITGC
Control Activities: Consists of the policies and procedures that ensure employees carry out management's directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
Monitoring: Reviewing the output generated by control activities and conducting special evaluations.
ITGC
Source code/document version control procedures - controls
ITGC
Technical support policies and procedures - policies to help users
IT Application Controls
IT Application Controls or Program Controls are fully automated controls (i.e., performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output.
These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications.
IT Application Controls
Completeness checks - controls that ensure all records were processed.
Identification - controls that ensure all users are uniquely and irrefutably identified.
Authentication - controls that provide an authentication
IT Application Controls
Categories of IT application controls may include:
Authorization - controls that ensure only approved
IT Application Controls
Application controls may be compromised by the following application risks:
Weak security.
Unauthorized access to data and unauthorized remote access.
Inaccurate information and erroneous or falsified data input.
Misuse by authorized end users.
Incomplete processing and/or duplicate transactions.
Untimely processing.
Communication system failure.
Inadequate training and support.
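The control objectives listed earlier (authorization, completeness, accuracy, validity, segregation of duties, error handling) and the application risks just listed (unauthorized or falsified input, incomplete or duplicate processing) can be exercised as fully automated application controls over a transaction batch. The Python below is an added example, not part of the lecture; the approver list, chart of accounts and the transaction batch are constructed sample data.

```python
"""Automated application controls run over a constructed transaction batch.
Each check maps to one of the lecture's control objectives; exceptions are
collected and summarised for management (the error-handling objective)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass(frozen=True)
class Txn:
    seq: int                     # batch sequence number
    amount: float                # posted total
    account: str                 # general-ledger account code
    lines: Tuple[float, ...]     # supporting line amounts
    prepared_by: str
    approved_by: Optional[str]
    approved_at: Optional[datetime]
    recorded_at: datetime


APPROVERS = {"m.khan", "a.lee"}            # assumed: users holding approval authority
OPEN_ACCOUNTS = {"4100", "5200", "6300"}   # assumed: valid chart-of-accounts codes


def check_batch(txns, expected_count, control_total):
    """Return (seq, objective, message) exceptions; an empty list means clean."""
    findings = []
    # Completeness: every sequence number present exactly once, and the posted
    # total agrees with the batch header (catches omitted and duplicate records)
    seen = Counter(t.seq for t in txns)
    first = min(seen, default=1)
    for s in range(first, first + expected_count):
        if s not in seen:
            findings.append((s, "completeness", "record omitted from batch"))
    for s, n in seen.items():
        if n > 1:
            findings.append((s, "completeness", f"record posted {n} times"))
    if round(sum(t.amount for t in txns), 2) != round(control_total, 2):
        findings.append((None, "completeness", "posted total differs from control total"))
    for t in txns:
        # Authorization: approved by someone with authority, and before recording
        if t.approved_by not in APPROVERS:
            findings.append((t.seq, "authorization", "approver lacks authority"))
        elif t.approved_at is None or t.approved_at > t.recorded_at:
            findings.append((t.seq, "authorization", "recorded before approval"))
        # Segregation of duties: the preparer may not approve their own entry
        if t.approved_by == t.prepared_by:
            findings.append((t.seq, "segregation", "preparer approved own transaction"))
        # Accuracy: posted amount must agree with the supporting line items
        if round(sum(t.lines), 2) != round(t.amount, 2):
            findings.append((t.seq, "accuracy", "amount disagrees with line items"))
        # Validity: posting must go to an existing account for a positive amount
        if t.account not in OPEN_ACCOUNTS:
            findings.append((t.seq, "validity", "posting to unknown account"))
        if t.amount <= 0:
            findings.append((t.seq, "validity", "non-positive amount"))
    return findings


def exception_report(findings):
    """Error handling: count exceptions per objective for the management report."""
    return dict(Counter(obj for _, obj, _ in findings))


# Constructed sample batch: the header claims 5 records totalling 600.00, but
# record 3 is missing, record 4 appears twice, and several controls fail.
def _at(h, m):
    return datetime(2024, 3, 1, h, m)

SAMPLE_BATCH = [
    Txn(1, 120.00, "4100", (70.0, 50.0), "j.doe", "m.khan", _at(8, 30), _at(9, 0)),
    Txn(2, 300.00, "5200", (300.0,), "a.lee", "a.lee", _at(8, 45), _at(9, 5)),      # self-approved
    Txn(4, 80.00, "6300", (50.0, 20.0), "j.doe", "m.khan", _at(9, 10), _at(9, 6)),  # late approval, lines != amount
    Txn(4, 45.00, "9999", (45.0,), "j.doe", "r.ng", _at(9, 0), _at(9, 7)),          # duplicate seq, no authority, bad account
    Txn(5, 55.50, "4100", (55.5,), "j.doe", "m.khan", _at(9, 2), _at(9, 8)),
]
```

Running `check_batch(SAMPLE_BATCH, 5, 600.00)` yields eight exceptions, and `exception_report` groups them as three completeness, two authorization and one each of segregation, accuracy and validity, which is the shape of report the error-handling objective asks to be escalated.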
practices for both ITGC and application controls. It consists of domains and processes.
The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
Commission (COSO) identifies five components of internal control:
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring
These controls need to be in place to achieve financial reporting and disclosure objectives;
horizontal layers of a three-dimensional cube, with the COBIT objective domains-applying to each individually and in aggregate.
The four COBIT major domains are: plan and organize, acquire
control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.
Each major entity in corporate governance has a particular role to play:
Management:
The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control.
More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business.
Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.
often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.
Board of Directors:
Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive.
They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.
Auditors:
The Internal Auditors and External Auditors of the organization also
implemented and working effectively, and make recommendations on how to improve Internal Controls.
They may also review Information Technology controls, which relate
2. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.
4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.
assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.
Effective internal control implies the organization generates reliable reporting and substantially complies with the laws and regulations that apply to it.
and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation.
These factors are outside the scope of internal control; therefore, effective Internal Controls provide only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.