Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of...

Date posted: 19-Dec-2015

Page 1: Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge

Best Practices for IT Governance

• IT Governance Structure of Relationship
• Audit Role in IT Governance

Internal Control Objectives

• Safeguarding of information technology assets
• Compliance with corporate policies or legal requirements
• Authorization/input
• Accuracy and completeness of processing of transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations

Information Systems Control Objectives

• Safeguarding assets
• Assuring the integrity of general operational system environments
• Assuring the integrity of sensitive and critical application system environments
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity
• Ensuring the efficiency and effectiveness of operations (operational objectives)
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
• Developing business continuity and disaster recovery plans
• Developing an incident response and handling plan

COBIT

• 34 high-level control objectives
• 4 domains
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate

Other Internal Control Standards

• ITIL
• ISO IEC 1799
• Sarbanes-Oxley
• COSO

Procedures

• Strategy and direction
• General organizational and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business Continuity/Disaster Recovery Planning
• Network and Communications
• Database administration

Application Controls

• Function
• To ensure
• Auditor task

Function

• Input
• Processing
• Output

Input

• Input Authorization
• Batch Control and Balancing
• Error reporting and handling
• Techniques

Input Authorization

• Signatures on batch forms or source documents
• Online access controls
• Unique password
• Terminal or client workstation identification
• Source documents
– Standard headings
– Title and instructions
– Layouts
• Emphasize ease of use and readability
• Group similar fields together to facilitate input
• Provide predetermined input codes to reduce errors
• Contain appropriate cross-reference numbers or a comparable identifier to facilitate research and tracing
• Use boxes to identify field size errors
• Include an appropriate area for management to document authorization

Batch Control and Balancing

• Types of batch control
• Types of batch balancing

Types of batch control

• Total monetary amount
• Total items
• Total documents
• Hash totals

Types of batch balancing

• Batch registers
• Control accounts
• Computer agreement

Error reporting and handling

• Rejecting only transactions with errors
• Rejecting the whole batch of transactions
• Holding the batch in suspense
• Accepting the batch and flagging error transactions

Techniques

• Transaction log
• Reconciliation of data
• Documentation
• Error correction procedures
• Anticipation
• Transmittal log
• Cancellation of source documents

Error correction procedures

• Logging of errors
• Timely corrections
• Upstream resubmission
• Approval of corrections
• Suspense file
• Error file
• Validity of corrections

Processing

• Data Validation and Editing Procedures
• Techniques
• Data file control procedures

Techniques

• Manual recalculations
• Editing
• Run to run totals
• Programmed controls
• Reasonableness verification of calculated amounts
• Limit checks on calculated amounts
• Reconciliation of file totals
• Exception reports

Data file control procedures

• System control parameters
• Standing data
• Master data/balance data
• Transaction files

Output

• Logging and storage of negotiable, sensitive and critical forms in a secure place

• Computer generation of negotiable instruments, forms, and signatures

• Report distribution
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports

To ensure

• Only complete, accurate, and valid data are entered and updated in a computer system

• Processing accomplishes the correct task
• Processing results meet expectations
• Data are maintained

Auditor task

• Identifying the significant application components and the flow of transactions through the system, and gaining a detailed understanding of the application by reviewing the available documentation and interviewing appropriate personnel

• Identifying the application control strengths, and evaluating the impact of the control weaknesses on the development of a testing strategy by analyzing the accumulated information

• Testing the controls to ensure their functionality and effectiveness by applying appropriate audit procedures

• Evaluating the control environment to determine that control objectives were achieved through analyzing the test results and other audit evidence

• Considering the operational aspects of the application to ensure its efficiency and effectiveness by comparing the system with efficient programming standards, analyzing procedures used and comparing them to management's objectives for the systems