
Control and Audit System

AQ016-3-3
INTERNAL CONTROL IN CIS ENVIRONMENT

IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
AQ016-3-3-CAS

IIC in CIS Environment

FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
CFE
ACFE


EXTERNAL AUDITS
External auditing: Objective is that in all material respects, financial statements are a fair representation of the organization's transactions and account balances.
SEC's role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA


ATTEST vs. ASSURANCE

ASSURANCE
Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers

IT Audit Groups in Big Four (e.g. Final Four)
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services


ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or their description
Limited to:
Examination
Review
Application of agreed-upon procedures


THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. Environment complicates the paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)

IT Investigative and Forensic Techniques for Auditors
Purpose
To assist auditors in developing the knowledge, skills, and abilities to provide reasonable assurance for the security, availability, integrity and management of information systems and resources.


The IT Audit
An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.
The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.


The IT Audit
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or other form of attestation engagement.
External auditors can accept the result of an internal audit only if the function reports to the audit committee.
External auditors may use and rely upon a 3rd party IT audit firm.


IT Audit Process: 8 Steps

1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)

INTERNAL CONTROL
is policies, practices, procedures designed to
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies


BRIEF HISTORY - SEC

SEC acts of 1933 and 1934
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.


BRIEF HISTORY - Copyright

Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally


BRIEF HISTORY - FCPA

Foreign Corrupt Practices Act 1977
1. Accounting provisions
   FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   It also requires establishment of internal accounting controls sufficient to meet objectives.
   1. Transactions are executed in accordance with management's general or specific authorization.
   2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
   3. Access to assets is permitted only in accordance with management authorization.
   4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments


BRIEF HISTORY - COSO

Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted


BRIEF HISTORY - S-OX

Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
   Management is responsible for establishing and maintaining internal control structure and procedures.
   Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).


EXPOSURES AND RISK

Exposure (definition)
Risks (definition)
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.


THE P-D-C MODEL

Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be a proactive measure?
Can you give an example of each?

Predictive controls


COSO (Treadway Commission)

The five components of internal control are:
The control environment
Risk assessment
Information & communication
Monitoring
Control activities

SAS 78
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled Consideration of Internal Control in a Financial Statement Audit.


SAS 78
(#1: Control Environment - elements)
Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of audit committee
Management's philosophy and style
Procedures for delegating

SAS 78
(#1: Control Environment - elements)
Management's methods of assessing performance
External influences
Organization's policies and practices for managing human resources


SAS 78
(#1: Control Environment - techniques)
Describe possible activity or tool for each.
Assess the integrity of the organization's management
Conditions conducive to management fraud
Understand the client's business and industry
Determine if board and audit committee are actively involved
Study organization structure


SAS 78
(#2:Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles

SAS 78
(#3: Information & Communication - elements)
Initiate, identify, analyze, classify and record economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions


SAS 78
(#3: Information & Communication - techniques)
Auditors obtain sufficient knowledge of I.S.s to understand:
Classes of transactions that are material
Accounting records and accounts used
Processing steps: initiation to inclusion in financial statements (illustrate)
Financial reporting process (including disclosures)


SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules - EAMs and Continuous Online Auditing - COA)
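The ongoing-monitoring item above can be illustrated with a small embedded audit module. The following is an added example, not code from the slides or from any named product: it reviews each transaction as it is posted, applies three constructed rules (dual approval above a limit, off-hours posting, duplicate vendor invoice) and records every hit in an exception log the auditor can read later. The thresholds, rule names and sample transactions are constructed for the demonstration; it is a detective control, so transactions are logged, not blocked.

```python
"""Embedded audit module (EAM) sketch for continuous online auditing.
Added example, not part of the original slides; the transaction records,
thresholds and rule names below are constructed for the demonstration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy values (hypothetical, not taken from the slides)
SINGLE_APPROVAL_LIMIT = 10_000.00   # above this amount a second approver is required
BUSINESS_HOURS = (8, 18)            # postings expected 08:00-18:00, Monday to Friday


@dataclass
class Transaction:
    tx_id: str
    vendor: str
    invoice_no: str
    amount: float
    posted_at: datetime
    approvers: tuple[str, ...] = ()


@dataclass
class EmbeddedAuditModule:
    """Reviews every transaction at the moment it is posted and keeps an
    append-only exception log. In production the log would be written to a
    store the application itself cannot alter, so the auditor sees every hit."""
    exceptions: list[tuple[str, str]] = field(default_factory=list)
    _seen_invoices: set[tuple[str, str]] = field(default_factory=set)

    def review(self, tx: Transaction) -> list[str]:
        findings: list[str] = []
        # Rule 1: large payments need two distinct approvers
        if tx.amount > SINGLE_APPROVAL_LIMIT and len(set(tx.approvers)) < 2:
            findings.append("DUAL_APPROVAL_MISSING")
        # Rule 2: posting at the weekend or outside business hours
        start, end = BUSINESS_HOURS
        if tx.posted_at.weekday() >= 5 or not (start <= tx.posted_at.hour < end):
            findings.append("OFF_HOURS_POSTING")
        # Rule 3: same vendor and invoice number seen before (possible double payment);
        # normalise case and whitespace so a re-keyed invoice still matches
        key = (tx.vendor.strip().lower(), tx.invoice_no.strip().upper())
        if key in self._seen_invoices:
            findings.append("DUPLICATE_INVOICE")
        self._seen_invoices.add(key)
        # Log every finding; the transaction itself is not blocked (detective control)
        self.exceptions.extend((tx.tx_id, rule) for rule in findings)
        return findings


def run_demo() -> dict[str, list[str]]:
    """Feed a constructed transaction stream through the EAM; returns tx_id -> findings."""
    eam = EmbeddedAuditModule()
    stream = [
        Transaction("T1", "Acme Ltd", "INV-100", 2_500.00, datetime(2024, 3, 4, 10, 15), ("alice",)),
        Transaction("T2", "Acme Ltd", "INV-101", 25_000.00, datetime(2024, 3, 4, 11, 0), ("alice",)),
        Transaction("T3", "Acme Ltd", "inv-100", 2_500.00, datetime(2024, 3, 9, 23, 40), ("bob",)),
        Transaction("T4", "Globex", "INV-7", 40_000.00, datetime(2024, 3, 5, 9, 30), ("alice", "carol")),
    ]
    return {tx.tx_id: eam.review(tx) for tx in stream}


if __name__ == "__main__":
    for tx_id, findings in run_demo().items():
        print(tx_id, findings or "clean")
```

Running the demo flags T2 (single approver on a large payment) and T3 (weekend posting of an invoice already paid under a different letter case); T1 and T4 pass. The point for the auditor is that the rules execute inside the application's posting path, so the exception log is produced continuously rather than by a separate test-of-controls procedure.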


SAS 94
The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit

Provides auditors with guidance on IT's effect on internal control and on the auditor's understanding of internal control and the assessment of control risk.
Requires the auditor to consider how an organization's IT use affects his or her audit strategy.
Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.

SAS 78
(#5: Control Activities)

Physical Controls (1-3)

Transaction authorization
Example:
Sales only to authorized customer
Sales only if available credit limit

Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
Fraud requires collusion [e.g., separate various steps in process]

Supervision
Serves as compensating control when lack of segregation of duties exists by necessity
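The two preventive controls on this slide, transaction authorization and segregation of duties, are shown below in enforced form. This is an added example, not code from the slides: a sales ledger that refuses to give one user both an authorizing and a processing role (or both custody and recordkeeping), accepts sales only for customers an authorizer has approved, and only within the remaining credit limit, and writes each accepted action to an audit trail. Role names, customer data and limits are constructed for the demonstration.

```python
"""Transaction authorization and segregation of duties as enforced, preventive
controls. Added example, not from the slides; the role names, customer data
and limits are constructed for the demonstration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Role pairs the slide calls incompatible: authorization vs. processing and
# custody vs. recordkeeping (constructed role names)
INCOMPATIBLE_ROLES = {
    frozenset({"credit_authorizer", "sales_clerk"}),
    frozenset({"warehouse_custody", "inventory_records"}),
}


class ControlViolation(Exception):
    """Raised when a transaction or role assignment would breach a control."""


@dataclass
class Customer:
    name: str
    credit_limit: float
    outstanding: float = 0.0
    authorized_by: str | None = None    # user who approved the account and limit


@dataclass
class SalesLedger:
    roles: dict[str, set[str]] = field(default_factory=dict)
    customers: dict[str, Customer] = field(default_factory=dict)
    audit_trail: list[tuple[str, str, str]] = field(default_factory=list)

    def grant_role(self, user: str, role: str) -> None:
        """Segregation of duties: refuse a role that conflicts with one already held."""
        held = self.roles.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in INCOMPATIBLE_ROLES:
                raise ControlViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks role {role}")

    def authorize_customer(self, actor: str, name: str, credit_limit: float) -> None:
        """Only a credit authorizer may open an account and set its limit."""
        self._require(actor, "credit_authorizer")
        self.customers[name] = Customer(name, credit_limit, authorized_by=actor)
        self.audit_trail.append((actor, "AUTHORIZE_CUSTOMER", name))

    def record_sale(self, actor: str, customer_name: str, amount: float) -> float:
        """Transaction authorization: sales only to authorized customers and
        only within the available credit limit; returns the new balance."""
        self._require(actor, "sales_clerk")
        cust = self.customers.get(customer_name)
        if cust is None or cust.authorized_by is None:
            raise ControlViolation("sale to unauthorized customer")
        # Defence in depth: even if roles changed since, the authorizer of the
        # account may not also process sales against it
        if cust.authorized_by == actor:
            raise ControlViolation("authorizer may not process the sale")
        if cust.outstanding + amount > cust.credit_limit:
            raise ControlViolation("credit limit exceeded")
        cust.outstanding += amount
        self.audit_trail.append((actor, "SALE", f"{customer_name}:{amount:.2f}"))
        return cust.outstanding


def run_demo() -> dict[str, str]:
    """Exercise the controls on constructed data; returns the outcome of each step."""
    ledger = SalesLedger()
    outcome: dict[str, str] = {}
    ledger.grant_role("alice", "credit_authorizer")
    ledger.grant_role("bob", "sales_clerk")
    try:
        ledger.grant_role("alice", "sales_clerk")       # incompatible with authorizer
        outcome["sod"] = "allowed"
    except ControlViolation as exc:
        outcome["sod"] = f"blocked: {exc}"
    ledger.authorize_customer("alice", "Acme", 5_000.0)
    outcome["sale_ok"] = f"{ledger.record_sale('bob', 'Acme', 3_000.0):.2f}"
    for label, cust, amount in (("over_limit", "Acme", 2_500.0), ("unknown", "Nobody", 10.0)):
        try:
            ledger.record_sale("bob", cust, amount)
            outcome[label] = "allowed"
        except ControlViolation as exc:
            outcome[label] = f"blocked: {exc}"
    return outcome


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

The role check at assignment time is what makes collusion necessary for fraud: alice can approve a customer's limit but cannot then ring up sales against it, and bob can sell but cannot raise the limit. The credit-limit and authorized-customer checks are the transaction authorization examples from the slide, and the audit trail is the accounting record a later independent verification would be reconciled against.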

Physical Controls (4-6)

Accounting records (audit trails; examples)
Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery

Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
Examples


IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications
