THE STUDY & EVALUATION OF INTERNAL CONTROL
SYSTEMS-ORIENTED vs DATA-ORIENTED
• Definition
• Professional Standards
• Data-Oriented
  • Small, simple systems
  • Weaker controls
• System-Oriented
  • Large, complex
  • Strong controls
• Advanced Systems or Audits
Chronology of an Audit of a Computer-based Accounting System
• document systems and controls
• plan and perform tests of systems and controls
• assess and document adequacy of systems and controls
• extend tests of systems, transactions and/or balances
• internal control letter
• use of/provide third party report for service bureau
Chronology of an Audit of a Computer-based Accounting System
• Document systems and controls
• Plan and perform tests of systems and controls
• Assess and document adequacy of systems and controls
• Extend tests of systems, transactions and/or balances
• Internal Control letter
DOCUMENT SYSTEMS & CONTROLS
• Understand and document IT environment
• Review and document application
• Perform “walk-throughs”
DOCUMENT IT ENVIRONMENT
• IT Strategic Plan
• IT Business Plan
• Organization Chart
• Information Security Policy
• Technology Summary
• Application Summary
DOCUMENT IT ENVIRONMENT
• Change Controls
• Logical access controls
• Business continuity plans
• System development policies
• Operation policies and procedures
REVIEW & DOCUMENT APPLICATION
• Prepare Summary Flowchart
• Detailed flowcharts
• Narrative description
• Summary Processing Chart
• Summary Run Structure Chart
Document Systems and Controls
• document
• applications, hardware, software, how EDP costs are accounted for/allocations, organization, policies and procedures, and any special risks
• review general computer controls
• document the results of the review
Document Systems and Controls
• document application processing procedures
• prepare/update summary flowchart then manual phase
• document computer processing phase
• update of master files,
• summarization of data,
• arith calcs,
• sorting/merging data,
• extraction of data from one/more files
• printing
• prepare EDP processing report
LIMITED TESTS OR “WALK-THROUGHS”
• Confirm understanding of system
• Tests should cover:
  • key transaction types
  • related control information
  • error correction procedures
Document Tests of Transaction Flows
• do walk-throughs
• to ensure that documentation accumulated to date reflects actual system in place
• trace computer phase
• recalc invoices, test ageing
• trace control info and balance procedures
• obtain and check batch totals
Document Tests of Transaction Flows
• trace error correction procedures
• select a few errors and check back to original source documents
• done to determine nature and that error was identified on exception report
• ensure properly rejected and properly corrected
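
Added example (not part of the original slides): a small CAAT-style re-performance of the walk-through steps listed above, recalculating invoices, re-testing ageing and checking batch totals. The batch and invoice records, field names and ageing bands are constructed assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data: field names, values and ageing bands are assumptions.
BATCH = {"id": "B-001", "control_count": 3, "control_total": Decimal("1530.00")}
INVOICES = [
    {"no": "INV-1", "date": date(2024, 1, 5), "lines": [(2, "100.00"), (1, "50.00")],
     "system_total": "250.00", "system_bucket": "61-90"},
    {"no": "INV-2", "date": date(2024, 2, 20), "lines": [(4, "20.00")],
     "system_total": "80.00", "system_bucket": "0-30"},
    {"no": "INV-3", "date": date(2023, 11, 20), "lines": [(10, "120.00")],
     "system_total": "1210.00", "system_bucket": "over 90"},
]
AS_OF = date(2024, 3, 31)

def ageing_bucket(age_days):
    """Map an age in days to an ageing band (bands are assumed, not from the slides)."""
    for limit, label in ((30, "0-30"), (60, "31-60"), (90, "61-90")):
        if age_days <= limit:
            return label
    return "over 90"

def walk_through(batch, invoices, as_of):
    """Re-perform the programmed procedures; return (item, test, expected, reported)."""
    exceptions, system_sum = [], Decimal("0")
    for inv in invoices:
        reported = Decimal(inv["system_total"])
        system_sum += reported
        # Recalculate the invoice from its lines instead of trusting the stored total.
        recalculated = sum((qty * Decimal(price) for qty, price in inv["lines"]), Decimal("0"))
        if recalculated != reported:
            exceptions.append((inv["no"], "invoice total", recalculated, reported))
        # Re-age the invoice from its date and compare with the system's band.
        expected_band = ageing_bucket((as_of - inv["date"]).days)
        if expected_band != inv["system_bucket"]:
            exceptions.append((inv["no"], "ageing", expected_band, inv["system_bucket"]))
    # Batch controls: record count and control total against what was processed.
    if len(invoices) != batch["control_count"]:
        exceptions.append((batch["id"], "batch count", batch["control_count"], len(invoices)))
    if system_sum != batch["control_total"]:
        exceptions.append((batch["id"], "batch total", batch["control_total"], system_sum))
    return exceptions

if __name__ == "__main__":
    for item, test, expected, reported in walk_through(BATCH, INVOICES, AS_OF):
        print(f"{item}: {test} expected {expected}, system reported {reported}")
```

Each exception is then traced back to the source document and to the exception report, as in the error correction steps above.
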
PERFORM TESTS OF SYSTEMS & CONTROLS
• Identify risks - ‘What Could Go Wrong’
• Identify controls to mitigate risks
• Design appropriate tests
• Document test results
WHAT COULD GO WRONG
• What is the control objective
• What could happen to defeat objective
• Is there significant risk
• Identify key controls
DESIGN APPROPRIATE TESTS
• Identify controls to rely on
• High level versus low level controls
• Controls covering multiple control objectives
• Interdependency of Controls
PROGRAMMED ACCOUNTING PROCEDURES & CONTROLS
• Review of Error/Exception Reports
  • starts with reported error
  • point in time test
  • use of suspense accounts
• Replicate data entry
• Recompute procedure
• Use of test data
EXTENT OF PROGRAMMED CONTROL TESTING
1. Interval testing
2. Reliance on Program Change Controls
  • authorised
  • tested
  • implemented correctly
DOCUMENTATION OF TESTS
• Make clear it is programmed controls
• Extent of tests
• Reliance on change control
ASSESS ADEQUACY OF SYSTEMS & CONTROLS
• Objective is to assess overall adequacy of internal control in areas to be relied on
• Assessment made at both general controls and application controls levels
EVALUATE GENERAL CONTROLS
• Has each primary control objective been achieved
• If not:
  • document on weakness evaluation schedule
  • assess impact on individual applications
• Direct impact objectives:
  • logical access controls
  • program change controls
ADEQUACY OF CONTROLS BY SYSTEM
• Use of Evaluation Guides
• Could material error occur?
• Id. system efficiencies
Planning and Performing Tests of Systems and Controls
• determine whether reliance warranted
• cost/benefit vs substantive
• ID key controls where reliance is appropriate
• consider overlapping manual controls
• look at related application controls
Planning and Performing Tests of Systems and Controls
• design and record tests
• arith accuracy (prog errors would be the cause)
• key totals having no documentary evidence (such as review/existence of a control group)
• key controls evidenced by completed accounting routines (monthly totals, error logs)
• key controls evidenced by signatures, initials (initially master file changes)
Assessing and Documenting Adequacy of Systems and Controls
• evaluate adequacy of general and financial controls
• use computer control evaluation guide
• assess impact of deficiencies
• use control weakness evaluation schedule
• evaluate adequacy of controls in each major system
• application controls
• master file changes, data controls, error controls
• use application control evaluation guide
• document conclusions
EXTENDED TESTS & REPORTING
• General Computer Control Weaknesses
• Application Control Weakness
  • reliance on preventive controls
  • reliance on detective controls
• Absent Control vs Ineffective Control
• Specific period control breakdown
• Reporting to management
Extended Tests of Systems, Transactions, Balances
• general control weaknesses
• must evaluate in light of each accounting application
• if preventive -
• need to look at associated detective controls
• if detective-
• may need to do procedure to check for evidence of errors
• CAATs, review transactions, reconciliations
• entire - vs specific period
Internal Control Letter
• basic information
• risks
• service opportunities
• general control weaknesses
• application control weaknesses
• practical recommendations