2. Internal Control and IS Audit

Description: lecture material from Pak Ahmad Zakie, UNPAD.

Page 1: Title

Session 2: Internal Control and Information System Audit

Agenda
1. Control Framework of COBIT
2. Control Classification
3. Information System Control Procedures
4. Computer Assisted Audit Tools and Techniques (CAATs)

Page 2: Management Expectations of IT

Management expectations of IT:
- Re-engineered processes
- Right-sizing
- Distributed processing
- Flattened organizations
- Outsourcing

Management responsibilities for IT:
- Safeguarding assets
- Information as the most valuable asset

Both need a control framework.

Page 3: COBIT

COBIT: Control Objectives for Information and Related Technology

Mission: To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors.

Page 4: Who Needs COBIT?

Management needs COBIT for:
- IT investment decisions
- Balancing risk and control
- Benchmarking the existing and future IT environment

IS auditors need COBIT:
- To substantiate their opinions to management on internal controls
- To answer the question of what the minimum necessary controls are

Users need COBIT to obtain assurance on return on costs, on security, and on control of the products and services they acquire internally and externally.

Page 5: COSO & COBIT: The Needs

- In most companies of any size, data moves between multiple business groups and IT systems on its way from the initial transactions to the reports that the CEO and CFO must attest to.
- Attesting to the accuracy of that data requires confidence in the accounting procedures and controls. These are addressed within the COSO framework.
- The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform the data, and therefore in the processes and controls for those IT systems and databases. The COBIT framework was designed to address these IT concerns.

Page 6: COSO & COBIT: The Linkage (figure; not reproduced in the extracted text)

Page 7: COBIT's Golden Rule

In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

Page 8: COBIT: IT Governance (framework diagram)

Labels recovered from the diagram: Business requirements; Information; IT Processes; Audit Guidelines; Control Objectives; Control Practices; Critical Success Factors; Key Performance Indicators; Key Goal Indicators; Maturity Models.

Page 9: Agenda (section divider): 2. Control Classification

Page 10: Internal Control Objectives

Management has three broad objectives in designing an effective internal control system:
- Reliability of financial reporting
- Efficiency and effectiveness of operations
- Compliance with laws and regulations

Page 11: Control Classifications

- Preventive Control
- Detective Control
- Corrective Control

Preventive controls are designed to stop errors, omissions and unauthorized or unlawful activities before they occur, for example by screening the inputs to a process.

Detective controls are those which detect and report the occurrence of an error, omission or malicious act in the information system.

Corrective controls are very important because prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.

Page 12: Preventive Control

- Employ qualified personnel
- Segregation of duties
- Access control
- Vaccination against diseases
- Documentation
- Prescribing appropriate books for a course
- Training and retraining of staff
- Authorization of transactions
- Validation and edit checks in the application
- Firewalls
- Anti-virus software
- Passwords

Page 13: Detective Control

- Surprise checks by a supervisor
- Hash totals
- Checkpoints in production jobs
- Echo control in telecommunications
- Error messages over tape labels
- Duplicate checking of calculations
- Periodic performance reporting with variances
- Past-due accounts report
- The internal audit function
- Intrusion detection system
- Cash counts and bank reconciliation
- Monitoring expenditure against the budgeted amount

Page 14: Corrective Control

- Contingency planning
- Backup procedures
- Rerun procedures
- Treatment procedures for a disease
- Changing an input value to an application system
- Investigating budget variances and reporting violations
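The preventive and detective lists above name two application-level techniques, validation/edit checks and hash totals, without showing how they fit together in a batch posting step. The following is an added example written for this page, not code from the lecture: it applies an input edit check to each record (preventive) and then recomputes the batch's record count, financial total and hash total against the sender's control header (detective). The batch file format, the header layout and every record are constructed; a real file format would differ.

```python
# Added example (not from the lecture): a batch posting step that applies an
# input edit check (preventive control) and then reconciles batch control
# totals, including a hash total of the account numbers (detective control).
# The batch file format, the header layout and all records are constructed.
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"\d{6}")

# Constructed batch: header "HDR,<record count>,<financial total>,<hash total>"
# computed by the sender, followed by "account,amount" payment records.
# Hash total = sum of the account numbers: meaningless as a number, which is
# exactly why it is useful. It changes when a record is lost or an account
# number is mis-keyed, even when the money total still balances.
BATCH_OK = """\
HDR,3,1450.00,300012
100001,500.00
100005,250.00
100006,700.00
"""

# Second record lost in transit: all three totals disagree with the header.
BATCH_DROPPED = """\
HDR,3,1450.00,300012
100001,500.00
100006,700.00
"""

# Account 100005 mis-keyed as 100050: count and amount still balance,
# only the hash total detects it.
BATCH_MISKEYED = """\
HDR,3,1450.00,300012
100001,500.00
100050,250.00
100006,700.00
"""

# Malformed account number: rejected by the edit check before posting.
BATCH_BAD_INPUT = """\
HDR,3,1450.00,300012
100001,500.00
1000A5,250.00
100006,700.00
"""


def edit_check(line):
    """Preventive control: validate one record before it can be posted.
    Returns ((account, amount), None) or (None, reason)."""
    parts = line.split(",")
    if len(parts) != 2:
        return None, "wrong field count"
    account, amount = parts
    if not ACCOUNT_RE.fullmatch(account):
        return None, "account must be 6 digits"
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return None, "amount is not numeric"
    if value <= 0 or value.as_tuple().exponent < -2:
        return None, "amount must be positive with at most 2 decimals"
    return (int(account), value), None


def reconcile_batch(text):
    """Detective control: recompute record count, financial total and hash
    total over the accepted records and compare with the sender's header.
    Returns the accepted count, the rejected records and the exceptions."""
    lines = [l for l in text.splitlines() if l.strip()]
    hdr = lines[0].split(",")
    if len(hdr) != 4 or hdr[0] != "HDR":
        raise ValueError("batch has no control header")
    expected = (int(hdr[1]), Decimal(hdr[2]), int(hdr[3]))

    accepted, rejected = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        record, reason = edit_check(line)
        if reason:
            rejected.append((lineno, reason))
        else:
            accepted.append(record)

    computed = (
        len(accepted),
        sum((amt for _, amt in accepted), Decimal("0")),
        sum(acct for acct, _ in accepted),
    )
    exceptions = [
        f"{name}: header {exp}, computed {got}"
        for name, exp, got in zip(
            ("record count", "financial total", "hash total"), expected, computed)
        if exp != got
    ]
    return {"accepted": len(accepted), "rejected": rejected, "exceptions": exceptions}


if __name__ == "__main__":
    for name, batch in (("ok", BATCH_OK), ("dropped", BATCH_DROPPED),
                        ("miskeyed", BATCH_MISKEYED), ("bad input", BATCH_BAD_INPUT)):
        print(name, reconcile_batch(batch))
```

Note the division of labour: the edit check can only reject what it can see in a single record, so a lost record or a plausible but wrong account number passes it. The hash total is what catches those, and it is the corrective procedures on the next slide (rerun, change the input value) that act on the exceptions it reports.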

Page 15: Compensatory Control

A compensatory (compensating) control is one put in place where a primary control is not practicable, for example supervisory review of transactions in a unit too small for full segregation of duties.

While designing the appropriate control, one thing should be kept in mind: the cost of the lock should not be more than the cost of the assets it protects.

Page 16: Agenda (section divider): 3. Information System Control Procedures

Page 17: View of IT Controls

IT Governance, another view: General Controls and Application Controls.

General IT controls are typically pervasive in nature and are addressed through various audit avenues.

Application controls are a second category and include the controls within an application around input, processing, and output.

Information system auditors need to understand the range of controls available for mitigating IT risks.

The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, with the realization that failure of one set of controls leads to increased reliance on, and the necessary examination of, other control groups.

Page 18: IT Governance

- When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.
  - IT governance is composed not only of the controls needed to address identified risk but also of an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.

Page 19: IT Controls (diagram)

Labels recovered from the diagram, grouped as the hierarchy reads:
- Internal Controls
  - IT Controls
    - General Controls: Computer Service Center (Operations and Security); Systems and Program Development/Changes
    - Application Controls: Computer Application Systems

Page 20: IT Controls and Financial Reporting (figure; not reproduced in the extracted text)

Page 21: Agenda (section divider): 4. Computer Assisted Audit Tools and Techniques (CAATs)

Page 22: Computer Assisted Audit Tools and Techniques (CAATs)

- To evaluate the controls in an information system, auditors sometimes use tools that run on the computer system itself to extract and evaluate evidence, an exercise also known as auditing with the computer.
- Such tools are essentially data extraction and analysis (data-mining) tools, generically called Computer Assisted Audit Tools and Techniques (CAATs).

Page 23: Types of CAATs

- Packaged Software
- Generalized Audit Software (GAS)
- Embedded Audit Module (EAM)
- Audit Hook (AH)
- Integrated Test Facility (ITF)
- Parallel Simulation (PS)
- Program Code Analysis (PCA)
- Test Data
- Specialized Audit Software (SAS)

Find the definitions!
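Two of the techniques listed above, Test Data and Parallel Simulation, are easiest to understand from a worked run. The following is an added example written for this page, not code from the lecture: the auditor writes an independent implementation of a business rule from the approved policy, runs it and the production routine over the same auditor-built test data, and lists every transaction where the two disagree. The discount rule, the "production" routine and the two defects seeded into it are all hypothetical, constructed so that the simulation has something to find.

```python
# Added example (not from the lecture): parallel simulation over auditor
# test data. The auditor's own implementation of the rule is run beside the
# production routine on the same input and every disagreement is reported.
# The discount rule, the production routine and its seeded defects are all
# hypothetical.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Assumed policy: 5% discount on invoices of 1000.00 or more, 10% on invoices
# of 5000.00 or more, net amount rounded half-up to the cent.


def production_net_amount(gross):
    """Stand-in for the application's own routine, seeded with two defects
    that a parallel simulation should surface: the 5% band starts strictly
    above 1000.00 instead of at it, and the result is truncated rather
    than rounded half-up."""
    gross = Decimal(gross)
    if gross >= Decimal("5000.00"):
        rate = Decimal("0.10")
    elif gross > Decimal("1000.00"):      # seeded defect: policy says >=
        rate = Decimal("0.05")
    else:
        rate = Decimal("0")
    return (gross * (1 - rate)).quantize(CENT, rounding=ROUND_DOWN)  # seeded defect


def auditor_net_amount(gross):
    """The auditor's independent implementation of the same policy."""
    gross = Decimal(gross)
    if gross >= Decimal("5000.00"):
        rate = Decimal("0.10")
    elif gross >= Decimal("1000.00"):
        rate = Decimal("0.05")
    else:
        rate = Decimal("0")
    return (gross * (1 - rate)).quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed test data: invoice id and gross amount, chosen to sit on and
# around each boundary and to produce a half-cent that exposes the rounding.
TEST_INVOICES = [
    ("INV-001", "999.99"),   # just below the first band
    ("INV-002", "1000.00"),  # exactly on the first boundary
    ("INV-003", "1000.01"),  # just above it; 950.0095, rounding differs
    ("INV-004", "4999.99"),  # just below the second band
    ("INV-005", "5000.00"),  # exactly on the second boundary
    ("INV-006", "2000.10"),  # 1900.095: half-cent case
    ("INV-007", "150.00"),   # no discount
]


def parallel_simulation(invoices):
    """Run both routines over every invoice; return the exceptions as
    (invoice id, gross, production result, auditor result)."""
    exceptions = []
    for invoice_id, gross in invoices:
        prod = production_net_amount(gross)
        audit = auditor_net_amount(gross)
        if prod != audit:
            exceptions.append((invoice_id, gross, str(prod), str(audit)))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(TEST_INVOICES):
        print("EXCEPTION %s gross %s: production %s, auditor %s" % row)
```

Three of the seven constructed invoices come back as exceptions: the one exactly on the 1000.00 boundary (band defect) and the two that produce a fraction of a cent (rounding defect). The value of the technique lies in the independence of the second implementation and in test data that deliberately targets boundaries; in an Integrated Test Facility the same test transactions would instead be posted to a dummy entity inside the live system and traced through its real processing.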

Page 24: End of Presentation

Thank You!