Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of...
-
date post
19-Dec-2015 -
Category
Documents
-
view
220 -
download
1
Transcript of Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of...
Internal Control Concepts Knowledge
Best Practices for IT Governance
• IT Governance Structure of Relationship• Audit Role in IT Governance
Internal Control Objectives
• Safeguarding of information technology assets• Compliance to corporate policies or legal
requirements• Authorization/input• Accuracy and completeness of processing of
transactions• Output• Reliability of process• Backup/recovery• Efficiency and economy of operations
Information Systems Control Objectives
• Safeguarding assets• Assuring the integrity of general operational system environments• Assuring the integrity of sensitive and critical application system
environments– Authorization of the input– Accuracy and completeness of processing of transactions– Reliability of overall information processing activities– Accuracy, completeness and security of the output– Database Integrity
• Ensuring the efficiency and effectiveness of operations (operationnal objectives)
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
• Developing business continuity and disaster recovery plans• Developing an incident response and handling plan
COBIT
• 34 high level control objectives • 4 domains
– Plan and organize– Acquire and implement– Deliver and support– Monitor and evaluate
Other Internal Control Standards
• ITIL• ISO IEC 1799• Sarbanes - Oxley• COSO
Procedures
• Strategy and direction• General organizational
and management• Access to data and
programs• Systems development
methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls• Business
Continuity/Disaster Recovery Planning
• Network and Communications
• Database administration
Application Controls
• Function• To ensure• Auditor task
Function
• Input• Processing• Output
Input
• Input Authorization • Batch Control and Balancing• Error reporting and handling• Techniques
Input Authorization
• Signatures on batch forms or source documents• Online access controls• Unique password• Terminal or client workstation identification• Source documents
– Standard headings – Title and instructions– Layouts
• Emphasize ease of use and readability• Group similar fields together to facilitate input• Provide predetermined input codes to reduce errors• Contain appropriate cross-reference numbers or a comparable
identifiier to facilitate research and tracing• Use boxes to identify field size errors• Include an appropriate area for management to document authorization
Batch Control and Balancing
• Types of batch control• Types of batch balancing
Types of batch control
• Total monetary amount• Total items• Total documents• Hash totals
Types of batch balancing
• Batch registers• Control accounts• Computer agreement
Error reporting and handling
• Rejecting only transactions with errors• Rejecting the whole batch of transactions• Holding the batch in suspense• Accepting the batch and flagging error transactions
Techniques
• Transaction log• Reconsilition of data• Documentation• Error correction procedures• Anticipation• Transmittal log• Cancellation of source documents
Error correction procedures
• Logging of errors• Timely corrections• Upstream resubmission• Approval of corrections• Suspence file• Error file• Validity of corrections
Processing
• Data Validation and Editing Procedures• Techniques• Data file control procedures
Techniques
• Manual recalculations• Editing• Run to run totals• Programmed controls• Reasonableness verification of calculated
amounts• Limit checks on calculated amounts• Reconciliation of file totals• Exception reports
Data file control procedures
• System control parameters• Standing data• Master data/balance data• Transaction files
Output
• Logging and storage of negotiable, sensitive and critical forms in a secure place
• Computer generation of negotiable instruments, forms, and signatures
• Report distribution• Balancing and reconciling• Output error handling• Output report retention• Verification of receipt of reports
To ensure
• Only complete, accurate, and valid data are entered and updated in a computer system
• Processing accomplishes the correct task• Processing results meet expectations• Data are maintained
Auditor task
• Identifying the significant application component and the flow of transactions throught the system and gaining a detailed understanding of the application by reviewing the availability documentation and interviewing appropriate personnel
• Identifying the application control strenghts, and evaluation the impact of the control weaknesses on the development of a testing strategy by analyzing the accumulated information
• Testing the controls to ensure their functionality and effectiveness by applying appropriate audit procedures
• Evaluating the control environment to determine that control objectives were achieved through analyzing the test results and other audit evidence
• Considering the operational aspects of the application to ensure its efficiency and effectiveness by comparing the system with efficient programming standards, analyzing procedures used and comparing them to management's objectives for the systems