
A COMPARISON OF INTERNAL CONTROLS, WITH

SPECIFIC REFERENCE TO

COBIT, SAC, COSO, AND SAS 55/78

by

SUZANNE STEYN

SHORT DISSERTATION

SUBMITTED FOR THE PARTIAL FULFILMENT OF THE

REQUIREMENTS FOR

THE DEGREE OF

MASTER OF COMMERCE

in

COMPUTER AUDITING

in the

FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES

at the

RAND AFRIKAANS UNIVERSITY

STUDY LEADER: PROF. A. DU TOIT

NOVEMBER 1997


CONTENTS

CHAPTER / PAGE

LIST OF ACRONYMS AND ABBREVIATIONS

OPSOMMING IN AFRIKAANS (SUMMARY IN AFRIKAANS) II

SYNOPSIS VIII

1 INTRODUCTION 1

2 A SUMMARY OF SAS55/78, COBIT, COSO AND SAC 14

3 A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC 28

4 AN INTEGRATED REFERENCE FRAMEWORK FOR INTERNAL CONTROL 72

5 CONCLUSION 89

BIBLIOGRAPHY 92


LIST OF ACRONYMS AND ABBREVIATIONS

AICPA - American Institute of Certified Public Accountants

COBIT - Control Objectives for Information and related Technology

IC - Internal Control

IT - Information Technology

COSO - Committee of Sponsoring Organizations of the Treadway Commission

SAC - Systems Auditability and Control

SAS - Statement on Auditing Standards

SDLCM - System Development Life Cycle Methodology

ISACF - Information System Audit and Control Foundation

A COMPARISON OF INTERNAL CONTROL MEASURES WITH SPECIFIC REFERENCE TO COBIT, SAC, COSO AND SAS 55/78

by

SUZANNE STEYN

SUMMARY OF THE DISSERTATION SUBMITTED FOR THE DEGREE MAGISTER COMMERCII

in

COMPUTER AUDITING

in the

FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES

at the

RAND AFRIKAANS UNIVERSITY

STUDY LEADER: PROF. A. DU TOIT

NOVEMBER 1997

The purpose of this summary is to set out the background, methodology and conclusion of the research on the comparison of internal control measures, with specific reference to CobiT, COSO, SAC and SAS55/78. The summary is arranged under the following headings:

PROBLEM DESCRIPTION AND PURPOSE OF THIS RESEARCH

RESEARCH METHODOLOGY AND LIMITATIONS

RESULTS

CONCLUSION

1. PROBLEM DESCRIPTION AND PURPOSE OF THIS RESEARCH

Over the past years a great need has arisen for a reference framework for internal control and security in a computer environment. This need arose after the National Commission on Fraudulent Financial Reporting found that the most common reasons for the collapse of business enterprises are not poor reporting but poor ethics, corruption at top management, poor communication and incompetence.

A balance must be found between cost and risk control in a computer environment. It is clear that a need exists for a framework of generally accepted computer security and control practices. Management can use such a framework as an aid against which to measure their existing, or a planned new, computer control environment. The framework can give users the assurance that adequate security and control exist, while auditors can use it to substantiate their audit opinion.

Several organisations have undertaken to meet the need for a generally accepted framework. Each of these organisations, however, has a different idea of what such a framework should look like, which causes confusion. ITSEC, TCSEC, ISO 9000 and COSO each propose a different evaluation method, with the result that the implementation of good internal computer control is hampered.

In an attempt to clear up this confusion, specialists from across the world took part in an intensive research effort to develop an international framework that harmonises the standards of 18 primary sources. The result of this effort is CobiT.

Four other published documents were also the result of continued efforts to define an improved internal control environment. The Institute of Internal Auditors Research Foundation developed a document called SAC. Likewise the Committee of Sponsoring Organisations of the Treadway Commission published an integrated framework which they called COSO, while the American Institute of Certified Public Accountants published two documents, namely SAS55 and SAS78.

CobiT, COSO, SAC and SAS55/78 each focus on a different facet of internal control, since each addresses a different group of professionals. The purpose of this dissertation is to determine whether CobiT can replace the other documents, since it would be cost-ineffective to develop an additional framework if an existing document already satisfies the need for a generally acceptable one. CobiT is compared with each of the other documents in order to determine whether it indeed offers a solution to all the internal control problems currently experienced by audit firms and other organisations.

By comparing the four documents, and drawing on other documents, a matrix was developed that can be used as a framework for the choice of internal control measures.

2. RESEARCH METHODOLOGY AND LIMITATIONS

The dissertation focuses on the comparison of internal control measures. Although several documents deal with internal control, only the following five were considered:

CobiT - The Information Systems Audit and Control Foundation;

SAC - The Institute of Internal Auditors Research Foundation;

COSO - The Committee of Sponsoring Organizations of the Treadway Commission;

SAS55 - The American Institute of Certified Public Accountants; and

SAS78 - The American Institute of Certified Public Accountants.

Methodology

A literature study of existing authoritative literature on internal control frameworks was carried out. A matrix was developed from the existing frameworks, which serves as an aid in choosing the most appropriate framework.

After all the information had been obtained, a comparison was drawn between the internal control measures propagated by CobiT and those propagated by the other documents. It was concluded that CobiT is indeed the best framework to use from an auditor's point of view.

In order to delimit the field of study, and thereby make a meaningful study possible, the following were excluded:

All documents, discussions, frameworks, guidelines, codes and approaches to practice dealing with internal control, with the exception of the following, which were included:

CobiT - The Information Systems Audit and Control Foundation;

SAC - The Institute of Internal Auditors Research Foundation;

COSO - The Committee of Sponsoring Organizations of the Treadway Commission; and

SAS55/78 - The American Institute of Certified Public Accountants;

COSO's Reporting to External Parties;

SAC modules 11-13:

- Module 11: Emerging Technologies;

- Module 12: The Master Index;

- Module 13: Advanced Technology Supplement; and

CobiT: the Framework and the Executive Summary.

3. RESULTS AND CONCLUSIONS

This dissertation offers a summary of each of the four documents so that each can be understood better. The documents are compared and procedures are established to make it possible to choose between the four frameworks. The procedures are consolidated in a matrix in which the documents are weighed against one another according to the focus point that is given priority.

The study proceeds as follows:

3.1 A summary of each of the four frameworks;

3.2 A comparison of the four documents; and

3.3 The results of the comparison and the development of the matrix.

3.1 A summary of each of the four documents

A summary is made of each of the four documents in order to give readers the information they need to understand the comparison of the documents fully and to identify the differences between them.

3.2 A comparison of the four documents

The reason for the comparison is established and the needs of external auditors are analysed in order to determine which focus points are of importance to them. Approximately thirty focus points are identified for comparison. These are set out in table format and the four documents are then analysed against each focus point. In this way the strengths and weaknesses of each document are identified.

In certain cases all four documents emphasise different aspects of a specific focus point, all of which are nevertheless equally important. In such a case a combination of the four documents forms the ideal control measure. In other cases only two of the four documents pay attention to a specific focus point, which is then identified as a weakness in the two documents that leave that focus point out of account.

3.3 The results of the comparison and the development of the matrix

The thirty focus points are divided into fifteen groups and the results of the comparison are discussed. From the comparison it was easy to determine which document addresses each focus point best. A matrix is developed that indicates which document to use with which focus point in mind. From the matrix it was established that CobiT addresses 25 of the thirty focus points, SAC 15, COSO 12 and SAS 13.

4. CONCLUSION

Although there will be cases where one of the other documents sets better standards for internal control, it appears that CobiT can to a large extent replace the others.

The strengths of the other documents are as follows:

No other document describes the audit process better than SAS.

SAC identifies certain case studies and then discusses internal control with reference to them. If one of these case studies applies specifically to an organisation, no document discusses the control measures better than SAC.

COSO is a valuable aid for persons without any background in internal control, in that it provides them with essential evaluation tools.

This dissertation thus offers an example of how to choose between the different frameworks for a specific organisation. The matrix does not attempt to lay down rigid rules that must necessarily be followed in choosing an appropriate framework. It is merely an aid that an auditor can use to decide on the most appropriate framework for a given organisation.


SYNOPSIS

1. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS SHORT DISSERTATION

Internal control has come under the attention of many organizations, and each has its own

views on the most appropriate framework and evaluation methods to be adopted for specific

purposes. As a result of the confusion arising from the different evaluation methods that are in

vogue, the implementation of good information technology controls is hampered.

Experts from around the world have participated in exhaustive research to develop an

internationally acceptable tool that harmonizes standards. Their work has culminated in the

development of CobiT.

SAC, COSO, SAS55 and SAS78 were also the result of continuing efforts to define, assess,

report on and improve internal control, but each of these documents addresses a different

audience, and therefore focuses on different aspects of internal control, and may even

completely disregard some areas which may be of crucial importance to other users.

It has been suggested that CobiT can replace COSO, SAC, and SAS 55/78, and there is a need

to determine whether this is indeed the case. This short dissertation attempts to answer this

question, while also putting in place a matrix to aid auditors in deciding which framework to

use for a given application.

2. RESEARCH METHODOLOGY

A literature survey has been done on existing authoritative text books and other literature,

such as material available on the Internet.

The information obtained in the literature survey established a sound basis for a

comparison of CobiT, COSO, SAC and SAS55/78, and the construction of a decision-

making matrix.


3. SCOPE AND LIMITATIONS

This short dissertation focuses on the comparison of internal controls. Although different

documents deal with this topic, this project focuses on five authoritative source documents

recently released by well-known institutions:

CobiT - The Information Systems Audit and Control Foundation;

SAC - The Institute of Internal Auditors Research Foundation;

COSO - The Committee of Sponsoring Organizations of the Treadway Commission;

SAS55 - The American Institute of Certified Public Accountants; and

SAS78 - The American Institute of Certified Public Accountants.

The following exclusions apply to this short dissertation:

All documents, discussions, frameworks, guidelines, and codes of practice dealing with internal controls, and all approaches to the subject, except CobiT, SAC, COSO and SAS55/78;

COSO Reporting to External Parties;

SAC modules 11-13; and

the CobiT Framework and Executive Summary.

4. RESULTS AND CONCLUSION

In summary, this research has provided a basis for understanding each of the five source

documents, as well as a procedure for deciding which framework to use for a given purpose.

A summary of each document was made to establish a basis for the identification of the

differences between the documents, after which thirty focus points were identified. The five

source documents were compared with reference to each focus point. From the comparison it

was easy to determine the strengths and weaknesses of each document.

Finally, a matrix was constructed indicating which document to use for each focus point. It was also determined that CobiT dealt effectively with twenty-five of the focus points, while SAC dealt with fifteen, COSO with twelve, and SAS with thirteen. From these results one could conclude that CobiT can indeed replace the other documents as a universal framework for internal control.

5. CONCLUSION

The research merely sought to provide an example of how to decide which framework to use

for a specific organization or purpose. No effort has been made to establish a rigid set of rules

to follow in all cases in order to decide on a framework. Nevertheless, the author believes that

this study can assist auditors in deciding on the most appropriate framework and methodology

to adopt for a given purpose, and will provide them with arguments to convince management

of the soundness of their decision.


CHAPTER 1

INTRODUCTION

CONTENTS PAGE

1.1. BACKGROUND 2

1.1.1 Internal control 2

1.1.2 A comparison of a few control concepts 3

1.2. PROBLEM DESCRIPTION 5

1.3. OBJECTIVE OF THIS RESEARCH 6

1.4. SCOPE, LIMITATIONS AND EXCLUSIONS 6

1.4.1 The predefined environment 6

1.4.2 Limitations/exclusions 7

1.5. DEFINITIONS AND METHODOLOGY 7

1.5.1 Definitions 7

1.5.2 Methodology 10

1.6. RESEARCH APPROACH 11

1.7. SUMMARY OF RESULTS 11

1.8. CONCLUSION 12


1.1 BACKGROUND

1.1.1 Internal Control

For many companies and organisations the documents SAC, COSO, SAS55/78 and CobiT set

the standards for internal control. The problem is that these documents were all developed by

different bodies who were concerned with providing them with frameworks and evaluation

methods for internal control appropriate to the needs of their own audiences. It is therefore

unavoidable that some discrepancies and disparities exist between these documents,

although they all deal with essentially the same aspects of internal control.

The four documents define internal control as follows:

• SAC: A set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of specific objectives, which have to be translated into measurable goals.

• COSO: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations;

- Reliability of financial reporting; and

- Compliance with applicable laws and regulations.

• SAS78: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Reliability of financial reporting;

- Effectiveness and efficiency of operations; and

- Compliance with applicable laws and regulations.

• CobiT: The policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

From the definitions one can conclude that SAC views internal control as a system (a set of

functions and people and their interrelationship). It identifies people as an integral part of the

internal control system. SAC also states that objectives should be translated into measurable

goals. Although COSO also accentuates internal control as a process that is an integrated part

of business activities, it notes that the people involved are members of the board of directors,

management or other entity personnel. COSO places objectives into three categories called

operational, financial reporting, and compliance.

The SAS definition uses the same wording as the COSO definition, but it lists reliability of financial reporting first and so emphasises it, while COSO lists effectiveness and efficiency of operations first. The CobiT definition emphasises the importance of internal control

as a process that includes organisational structures, policies, practices and procedures that

support business processes. It classifies people as a primary resource that is managed by

various information technology processes. CobiT also states that processes support

operational objectives, that these processes are in turn supported by information through IT

resources, and that business requirements for that information are only satisfied through

adequate control measures.

From the definitions one can conclude that all four documents are familiar with the concept of

reasonable assurance in relation to internal control and acknowledge the concept of

cost/benefit, and that they are equally conscious of the negative result that could flow from not

implementing all controls effectively.

1.1.2 A comparison of a few control concepts

The easiest way to identify the strengths and weaknesses of each of these documents is to compare them, as Table 1.1 does.

Table 1.1 Comparison of Control Concepts (Colbert & Bowen, 1996: 26).

Primary audience
  CobiT: Management, users, information systems auditors
  SAC: Internal auditors
  COSO: Management
  SAS 55/78: External auditors

IC viewed as
  CobiT: Set of processes including policies, procedures, practices, and organizational structures
  SAC: Set of processes, subsystems, and people
  COSO: Process
  SAS 55/78: Process

IC objectives
  CobiT: Effective and efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws and regulations
  SAC: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
  COSO: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
  SAS 55/78: Reliable financial reporting; effective and efficient operations; compliance with laws and regulations

Components or domains
  CobiT: Domains: planning and organization; acquisition and implementation; delivery and support; monitoring
  SAC: Components: control environment; manual and automated systems; control procedures
  COSO: Components: control environment; risk management; control activities; information and communication; monitoring
  SAS 55/78: Components: control environment; risk assessment; control activities; information and communication; monitoring

Focus
  CobiT: Information technology
  SAC: Information technology
  COSO: Overall entity
  SAS 55/78: Financial statements

IC effectiveness evaluated
  CobiT: For a period of time
  SAC: For a period of time
  COSO: At a point in time
  SAS 55/78: For a period of time

Responsibility for IC system
  CobiT: Management
  SAC: Management
  COSO: Management
  SAS 55/78: Management

Size
  CobiT: 187 pages in four documents
  SAC: 1193 pages in 12 modules
  COSO: 353 pages in four volumes
  SAS 55/78: 63 pages in two documents

From the comparison in Table 1.1 it is clear that SAC offers assistance to internal auditors on the control and audit of IT, while COSO tells management how to evaluate, report on, and improve control systems. SAS55 and SAS78 guide external auditors on the impact of internal control on planning and performing an audit of an organisation's financial statements. CobiT is a tool for business process owners to discharge their computer control responsibilities (Colbert & Bowen, 1996:26).

1.2. PROBLEM DESCRIPTION

1.2.1 Introduction

In the past few years, it has become evident to lawmakers, regulators, users of IT and service

providers that there is a need for a reference framework for security and control in an

information technology (IT) environment. This became evident when the National

Commission on Fraudulent Financial Reporting (Treadway) revealed that the most common

causes of breakdown were not poor record keeping but bad ethics, corruption at the top,

incompetence and poor communication (ISACF, 1996: 12).

Management has to find a balance between risk control in an IT environment and the costs

involved. They therefore need a framework for generally accepted IT security and control

practices to benchmark their existing and planned IT environment. Users of IT services, on

the other hand, need to be assured, by the performance of audits, that adequate security and

control exist and, last but not least, auditors need a framework to substantiate their opinion on

internal control to management (ISACF, 1996).

Many organizations have become aware of the need for reliable internal control, but each has

its own ideas of the most appropriate framework and evaluation methods to be used. The

implementation of good IT controls is hampered by the confusion arising from the different

evaluation methods advocated by ITSEC, TCSEC, ISO 9000 and the emerging COSO

methodology.

To overcome this confusion, experts from around the world have participated in exhaustive

research to develop an international tool that harmonizes standards from 18 different primary

sources world-wide. These people were instrumental in the development of the Information

System Audit and Control Foundation's CobiT.

The four other documents with which this dissertation deals were also the result of continuing efforts to define, assess, report on and improve internal control. They are:

• System Auditability and Control (SAC), drafted by the Institute of Internal Auditors Research Foundation;

• Internal Control - Integrated Framework (COSO), drafted by the Committee of Sponsoring Organizations of the Treadway Commission;

• Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), drafted by the American Institute of Certified Public Accountants; and

• Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS 55 (SAS 78), which amends SAS 55.

1.3 OBJECTIVE OF THIS RESEARCH

There exists a need to determine whether CobiT can indeed replace COSO, SAC, and SAS

55/78. In order to prevent the expensive process of reinventing a similar product it is

important to subject the CobiT project to a detailed study. CobiT should also be compared

with other documents to see if the approach it advocates will indeed resolve all the internal

control discrepancies currently experienced by audit firms and other organizations.

By comparing the four documents, and drawing on other documents, a matrix will be prepared

that will serve as a framework and evaluating method for internal control.

1.4 SCOPE, LIMITATIONS AND EXCLUSIONS

1.4.1 The predefined environment

This short dissertation focuses on the comparison of internal controls. Although there are

many documents that deal with this topic, this project focuses on five documents recently

released by well-known institutes, and which have already been referred to above, i.e.:

• CobiT The Information Systems Audit and Control Foundation;

• SAC The Institute of Internal Auditors Research Foundation;

• COSO The Committee of Sponsoring Organizations of the Treadway Commission;

• SAS55 The American Institute of Certified Public Accountants; and

• SAS78 The American Institute of Certified Public Accountants.


1.4.2 Limitations and exclusions

Because of the limitations imposed on the length of this dissertation, the study is restricted to

the five documents published by the four bodies mentioned above, in other words:

CobiT - The Information Systems Audit and Control Foundation;

SAC - The Institute of Internal Auditors Research Foundation;

COSO - The Committee of Sponsoring Organizations of the Treadway Commission; and

SAS55/78 - The American Institute of Certified Public Accountants.

With the exception of these five documents, no other documents, discussions, frameworks, guidelines, or codes of practice were considered. The following documents emanating from these four bodies have also been excluded:

COSO Reporting to External Parties (September 1992);

SAC modules 11-13:

- Module 11: Emerging Technologies (June 1994)

- Module 12: Master Index (December 1991)

- Module 13: Advanced Technology Supplement (June 1994); and

CobiT:

- Framework

- Executive Summary.

1.5 DEFINITIONS AND METHODOLOGY

1.5.1 Definitions

CobiT defines control as: The policies, procedures, practices, and organizational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected (CobiT, 1996:9).

From an auditing perspective, it is necessary to enquire whether there are policies and procedures in place to ensure that an entity will record, process, summarize, and report financial data in a manner consistent with the assertions embodied in its financial statements (SAS55, 1988: 4). In a computerized environment data is captured by entering "events", in the form of "messages", onto an application system which draws on technology, facilities and people to deliver information, usually referred to as the system's "service output" (the terms data, application system, technology, facilities and people are defined below).

COSO defines control as: Exercising, restraining, or directing influence; power or authority to guide or manage direction, regulation and co-ordination of business activities; and a mechanism used to regulate or guide the operation of a system (COSO, 1992:101).

Internal: Existing or situated within the limits or surface of something (for the purposes of this study the "something" is an entity or enterprise) (COSO, 1992:101).

Data: Data is defined in its widest sense. It can be external or internal, structured or unstructured, and it can be in the form of text, graphics, sound etc. (CobiT, 1996:9).

Application system: The sum of manual and programmed procedures (CobiT, 1996:9).

Technology: Computer hardware, operating systems, database management systems, networking, multimedia etc. (CobiT, 1996:9).

Facilities: Resources to house and support information systems (CobiT, 1996:9).

People: Staff skills, awareness and productivity appropriate for the planning, organizing, acquisition, delivery, support and monitoring of information systems and services (CobiT, 1996:9).

Certain control objectives should be kept in mind when constructing internal control policies

and procedures for a computerized environment.

Control objective:

A statement of the desired result or purpose to be achieved

by implementing control procedures in a particular activity

(CobiT, 1996:9).

The control objective should make provision for:

COMPLETENESS of input, processing, file-updating and output.

ACCURACY of input, processing, file-updating and output.

INTEGRITY of data both in a transient (being manipulated) and a static (having been updated) state.

AUTHORITY/VALIDITY of business processing.

CONTINUITY: ensuring that the product is operating, and is capable of continuing to operate, in accordance with business practice and management expectations (Diamianides, 1991:5).
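The objectives above are stated abstractly. The following is an added example, written for this page and not taken from the dissertation or from any of the frameworks it compares, showing how an application's batch input controls typically operationalise the first four objectives: completeness through a record count and a control total, accuracy through field validation, integrity through a hash total over the records as received, and authority/validity through checking the submitter against a list of authorised roles. The record layout, the authorised roles, the amount limit and the payroll batch itself are all assumed or constructed for illustration; continuity is an operational objective and is not modelled here.

```python
"""Batch input controls for a constructed payroll feed (example only)."""
import hashlib
from dataclasses import dataclass

# Roles allowed to submit a payroll batch (assumed for this example).
AUTHORISED_SUBMITTERS = {"payroll-clerk", "payroll-supervisor"}
MAX_AMOUNT_CENTS = 5_000_000  # assumed business limit per record


@dataclass(frozen=True)
class BatchHeader:
    """Control information that travels with a batch of detail records."""
    batch_id: str
    submitted_by: str
    record_count: int   # completeness: number of detail records expected
    control_total: int  # completeness/accuracy: expected sum of amount_cents
    sha256: str         # integrity: digest of the detail records as sent


@dataclass(frozen=True)
class Finding:
    objective: str      # control objective that failed
    detail: str


def hash_records(records):
    """Hash total over the detail records, one line per record."""
    digest = hashlib.sha256()
    for line in records:
        digest.update(line.encode("utf-8") + b"\n")
    return digest.hexdigest()


def parse_record(line):
    """Validate one record of the assumed layout employee_id,amount_cents,cost_centre."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    employee_id, amount, cost_centre = parts
    if not (employee_id.isdigit() and len(employee_id) == 6):
        raise ValueError("employee_id must be 6 digits")
    if not amount.isdigit():
        raise ValueError("amount_cents must be a non-negative integer")
    amount_cents = int(amount)
    if not 0 < amount_cents <= MAX_AMOUNT_CENTS:
        raise ValueError(f"amount_cents outside 1..{MAX_AMOUNT_CENTS}")
    if not (cost_centre.startswith("CC") and cost_centre[2:].isdigit()):
        raise ValueError("cost_centre must look like CC123")
    return employee_id, amount_cents, cost_centre


def check_batch(header, records):
    """Run every control; an empty list means the batch passes all of them."""
    findings = []
    # Authority/validity: only an authorised role may originate the batch.
    if header.submitted_by not in AUTHORISED_SUBMITTERS:
        findings.append(Finding("authority", f"submitter {header.submitted_by!r} not authorised"))
    # Completeness: the number of records received matches the header.
    if len(records) != header.record_count:
        findings.append(Finding("completeness",
                                f"expected {header.record_count} records, received {len(records)}"))
    # Integrity: the records are the ones the submitter hashed.
    if hash_records(records) != header.sha256:
        findings.append(Finding("integrity", "hash total does not match header"))
    # Accuracy: each record is well formed and within business limits.
    total = 0
    for number, line in enumerate(records, start=1):
        try:
            _, amount_cents, _ = parse_record(line)
        except ValueError as exc:
            findings.append(Finding("accuracy", f"record {number}: {exc}"))
            continue
        total += amount_cents
    # Completeness (and accuracy of amounts): recomputed total matches the header.
    if total != header.control_total:
        findings.append(Finding("completeness",
                                f"control total {total} != header {header.control_total}"))
    return findings


# Constructed sample batch; not real payroll data.
SAMPLE_RECORDS = [
    "100234,152000,CC101",
    "100235,98050,CC101",
    "100236,210000,CC204",
]
SAMPLE_HEADER = BatchHeader(
    batch_id="PAY-1997-11-A",
    submitted_by="payroll-clerk",
    record_count=3,
    control_total=460050,
    sha256=hash_records(SAMPLE_RECORDS),
)


def tampered_batch():
    """Same header, but one record dropped and another amount inflated tenfold."""
    return [SAMPLE_RECORDS[0], "100235,980500,CC101"]


if __name__ == "__main__":
    print("clean batch:", check_batch(SAMPLE_HEADER, SAMPLE_RECORDS))
    for finding in check_batch(SAMPLE_HEADER, tampered_batch()):
        print(finding.objective, "-", finding.detail)
```

The clean batch produces no findings; the tampered batch fails the record count, the hash total and the control total, which is the point of layering the controls: a dropped record and an altered amount are each caught by more than one check, so a single defective control does not let the batch through.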

CobiT determines that information needs to conform to seven criteria, or business

requirements, to satisfy business objectives (CobiT, 1996:9):

Effectiveness: Whether the information is pertinent to the business process and is delivered in a timely, correct, consistent and usable manner.

Efficiency: Whether the information is being provided by using resources optimally, i.e. in the most productive and economical way.

Confidentiality: Whether sensitive information is adequately protected from unauthorized disclosure.

Integrity: Whether the information is valid and sufficiently accurate and complete to satisfy business values and expectations.

Availability: Whether information is available when required by the business process, and whether the resources and associated capabilities needed to make the information available are adequately safeguarded.

Compliance: Whether the entity is complying with externally imposed business criteria, such as laws, regulations and contractual arrangements to which the business process is subject.

Reliability of information: Whether appropriate information is made available to enable management to operate the entity and exercise its financial and compliance reporting responsibilities.

1.5.2 Methodology

The following methodology has been used:

In this chapter, the need for research to compare the internal controls propagated by SAC,

COSO, CobiT and SAS55/78 respectively has been established, and it has also been

established that there is a need to determine whether any of these is able to satisfy current

needs in full, or whether two or more of them may have to be used in concert.

In chapters 2 and 3 a comparison will be made between CobiT, SAS 55/78, COSO and SAC, with the emphasis on their respective strengths and weaknesses and their appropriateness for the purposes of an auditing firm. Chapter 4 will consist of a framework developed from the research, summarizing the results of the previous chapters. Chapter 5 will conclude the short dissertation and indicate whether its objectives have been met.


1.6 RESEARCH APPROACH

A literature survey has been undertaken of existing authoritative documents and other background material, as well as discussions with people with technical knowledge, on the SAC, COSO, SAS and CobiT frameworks.

With all the information obtained in the literature survey, a comparison has been made between the internal controls advocated by CobiT and the internal controls advocated in each of the other frameworks. A conclusion was then drawn as to whether CobiT is the most appropriate framework for an auditing firm to adopt.

1.7 SUMMARY OF RESULTS

The main problem identified is the choice between four well-known frameworks for internal control. Each of these documents was developed by a different organization with a specific audience in mind, which has resulted in many discrepancies between the four documents.

In summary, this research provides a basis for understanding each of these documents, as well

as providing a procedure for deciding which framework to use.

In chapter 2 each document is summarized in order to provide the reader with background

information regarding the documents. The summaries also expand the reader's knowledge

regarding internal control, thus preparing readers for the comparison in chapter 3. The

summaries establish a basis for the identification of the differences between the documents.

In chapter 3 more penetrating reasons for a comparison of the documents are identified. This

research focuses on an external auditor's point of view, and thirty points of focus of particular

interest to internal auditors are identified from the four documents. These thirty focus points

were captured in a table and the four documents were compared with reference to each focus

point. This seemed to be the best way to identify the strengths and weaknesses of each

document. In some instances all four documents devoted considerable attention to the same

focus points, but concentrated on different, though equally important, aspects. In such

instances a combination of the documents would have provided one with an ideal framework.


In other instances, only two of the four documents dealt with a given focus point, and in these

instances it seems clear that the documents omitting this particular focus point could be

regarded as flawed by the omission.

In chapter 4 the thirty points of focus were grouped together into fifteen groups, and the

results of the comparison discussed for each group individually. From the comparison it was

easy to determine which document provided the best approach to the focus point and a

conclusion could thus be reached after each group was discussed.

In the conclusion of chapter 4 a matrix is presented indicating which documents to use for which focus points. We conclude that CobiT provides the best approach for 25, SAC for 15, COSO for 12 and SAS for 13 of the focus points. From these results one could conclude that CobiT can indeed replace the other documents in most cases as a basis for internal control.

There are still instances where the other documents set better standards for internal control than CobiT. Because SAS is solely focused on the audit process, none of the other documents is better able to explain the audit process than SAS. Because SAC identifies certain scenarios and discusses in detail the internal control procedures that would be appropriate to them, no other document explains the control issues better than SAC where one of these scenarios applies to a specific organization. COSO, again, is a very helpful document for a person without an audit background, because it provides evaluation tools with examples of how to use them.

It is therefore not always easy to determine which document to use for a particular purpose.

The research therefore merely provides guidelines on how to decide which framework to use

for a specific organization. The research in no way attempts to provide a rigid set of rules

prescribing which framework to use. Nevertheless, it will almost certainly assist auditors in

deciding on an appropriate framework as well as providing them with a rational basis to

convince management of the appropriateness of their choice.

1.8 CONCLUSION

The objective of this short dissertation has been met; that is, to help the auditor decide which document or combination of documents to use as a guideline for internal control, and to determine whether CobiT can indeed replace COSO, SAC and SAS55/78 for most or all purposes.

By using the comparison of the four documents in chapter 3, an auditor will be able to

determine which document or documents are most suitable for a specific control objective.

This will aid auditors in deciding which framework to use for their own work, as well as

providing them with sound arguments to convince a client which framework to use for internal

control in a given case.

By using the matrix developed in chapter 4 auditors can now:

• Determine which document to use, depending on what their focus point is going to be;

• Decide which document to recommend to their customers, taking into account the focus points of the customer; and

• Determine whether CobiT is suitable to replace the other three documents.

The matrix and comparison do not attempt to provide auditors with a rigid set of rules to

follow when making a decision regarding the documents, but merely set an example of how to

make such a decision.

It is hoped that this short dissertation will open new fields for academic research in the area of

internal control. A specific organization can be identified, focus points for that organization

can be determined, and an investigation can then be undertaken into which document will be

most suitable for the purposes of the organization being studied.

This research focused on an auditor's perspective. Research can also be performed from

management's perspective or from the Information System department's perspective. The

points of focus were not compared in detail. Academic research can also be performed in

more detail on specific points of focus.


CHAPTER 2

A SUMMARY OF SAS55/78, COBIT, COSO AND SAC

CONTENTS PAGE

2.1 OBJECTIVE 15
2.2 NATURE OF THE LITERATURE SURVEY 15
2.3 SCOPE, LIMITATIONS AND EXCLUSIONS 16
2.3.1 Scope 16
2.3.2 Limitations and exclusions 16
2.4 BACKGROUND 17
2.5 SUMMARY OF COBIT 18
2.6 SUMMARY OF SAS55/78 20
2.7 SUMMARY OF SAC 22
2.8 SUMMARY OF COSO 24
2.9 CONCLUSION 26

2.1 OBJECTIVE

In order to derive maximum benefit from the literature survey, the objectives have been

defined to allow comparative analysis of references and to facilitate the analysis of strengths

and weaknesses in frameworks for internal control. The objectives for this chapter are to

obtain authoritative views on:

• CobiT;
• SAS 55/78;
• SAC; and
• COSO.

2.2 NATURE OF THE LITERATURE SURVEY

To ensure credibility and acceptance of the findings and proposals of this short dissertation, it

is essential that the underlying concepts should be based on authoritative views and be

generally accepted among business and computer auditing professionals. Theory based on an

individual's experience without taking generally accepted professional views into account may

be subject to personal bias. Other factors which may introduce bias are the individual's

background and the absence of formal research. To avoid these problems, references have

been restricted to documents mainly used by auditors and auditing firms and to authoritative

frameworks (Lubbe, 1995: 15). The main sources of these documents are:

• The Institute of Internal Auditors Research Foundation;
• The Information Systems Audit and Control Foundation;
• The Committee of Sponsoring Organisations of the Treadway Commission; and
• The American Institute of Certified Public Accountants.

The reasons for choosing these sources are the following:

• In their publications, they present most of the internationally accepted guidelines and frameworks for internal control.

• The emphasis on auditor-related sources provides more and better background for finding risks relevant to the auditor involved in auditing internal controls.

• In total, their documented findings represent a properly balanced view of internal controls and of the frameworks needed to evaluate them in an entity.

Each of the documents will be discussed and, where necessary, material drawn from the

sources representing the different views on internal control, will also be included.

2.3 SCOPE, LIMITATIONS AND EXCLUSIONS

2.3.1 Scope

Existing internal control frameworks, or principles governing internal controls, with various focus points had to be surveyed in order to establish a representative framework for internal control. The purpose when examining existing frameworks and documentation was not to attempt to include every possible point of view on internal control, but rather to identify the basic focus points of internal control about which there was some degree of consensus in the literature. Each of the documents examined deals in some detail with internal control principles, objectives, risks, the control environment, the audit process and the monitoring of internal control, and these issues had to be analysed in greater depth in our main sources.

Once the main source documents, CobiT, COSO, SAS55/78 and SAC had been examined,

other relevant literature was then surveyed for the absence or presence of any important

information on internal control from an auditor's point of view. These points were compared

and only the strengths of each document were included in the final representative framework.

2.3.2 Limitations and Exclusions

To achieve the objectives of the literature survey, it was necessary to examine and analyse control frameworks from as many points of view and in as much detail as possible. However, in the context of a short dissertation, the following limitations and exclusions had to be placed on the scope of the literature survey:


• Only issues raised in discussions dealing with non-technical aspects of internal control were included. Sections in the sources which dealt with technical issues, such as telecommunications, business systems, end-user departments, etc., were thus excluded.

• Because the objectives of the survey require authoritative references, sources of doubtful authority, as well as individual opinions, were ignored.

• Because this short dissertation is principally concerned with a comparison of SAC, COSO, CobiT and SAS, only comparative information was considered. Certain detailed areas of discussion which were exclusive to particular documents, such as SAC's continuity planning and COSO's reporting to external parties, therefore had to be excluded.

A great deal of preparatory work was done to ensure that the short dissertation would be

based on sound theory. The limitations and exclusions imposed on the author did not detract

from the overall objectives of the study; in fact, they imposed a discipline on the work by

narrowing the investigation down to the principal issues which are relevant in a short

dissertation of this nature.

2.4 BACKGROUND

The source material was briefly surveyed to identify the principles for internal control in as

detailed a manner as possible, bearing in mind the objectives of this survey. The idea of

comparing the four documents, SAC, COSO, CobiT and SAS 55/78, in order to determine

which one provides us with the most generally acceptable framework, was conceived by Janet

L. Colbert, and Paul L. Bowen in 1996. When the three documents COSO, SAC and CobiT

were compared with the auditing guidelines for internal control provided by SAS55/78, a

proper link between these documents and audit-related references was found. The objective

of these guidance notes in this chapter is to introduce the four documents to a computer

auditor and highlight the basic differences between them. It will also assist the computer

auditor in making a decision about which model to use, and it contains summaries of CobiT,

SAS55/78, SAC and COSO.


2.5 SUMMARY OF COBIT (CONTROL OBJECTIVES FOR

INFORMATION AND RELATED TECHNOLOGY)

The design objective of CobiT was that it should:

• Serve as a framework of generally applicable good practice governing information services security and the control of information technology.

• Establish a benchmark for management against which they can measure their security and control practices in the information technology environment.

• Assure users of information technology services that adequate security and control exist, to enable auditors to substantiate their opinions on internal control and to advise management on information technology security and control matters.

• Facilitate the development of clear policy and good practices for information technology control throughout industry world wide (Colbert & Bowen, 1996: 26).

CobiT consists of an Executive Summary, a Framework for Control of Information Technology, a list of Control Objectives, and a set of Audit Guidelines. The audit guidelines and control objectives are referenced back to the framework (Colbert & Bowen, 1996: 26).

Like SAS78, CobiT adapted part of its definition of control from COSO: the policies, procedures, practices and organisational structures are designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected. The rest of CobiT's definition was adapted from that part of SAC's definition which stipulates the desired result or purpose to be achieved by implementing control procedures in a particular information technology activity (Colbert & Bowen, 1996: 26).

The CobiT documentation classifies information technology resources as follows (see Colbert & Bowen, 1996: 26, and paragraph 1.5.1 of chapter 1 of this dissertation):

• Data (numbers, text, dates, graphics and sound);
• Application systems (a set of manual and programmed procedures);
• Technology (hardware, operating systems, networking equipment, and the like);
• Facilities (resources used to house and support information systems); and
• People (individuals' skills and abilities to plan, organise, acquire, deliver, support, and monitor information systems and services).

To satisfy business objectives, CobiT also requires that information should conform to the following criteria:

• Effectiveness;
• Efficiency;
• Confidentiality;
• Integrity;
• Availability;
• Compliance; and
• Reliability.

CobiT combines the principles embedded in existing reference models in the three broad

categories of quality, fiduciary responsibility, and security. The quality requirement includes

not only quality itself, but also cost and delivery. The fiduciary requirements are drawn from

COSO, and include effectiveness and efficiency of operations, reliability of information, and

compliance with laws and regulations. Security requirements include confidentiality, integrity

and availability.

CobiT classifies information technology processes into four domains:

• Planning and organisation;
• Acquisition and implementation;
• Delivery and support; and
• Monitoring.

Planning and organisation: This domain covers strategy and tactics and concerns the identification of the way information technology can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organisational as well as technological infrastructure must be put in place (CobiT, 1996: 15).

Acquisition and implementation: To realize an organization's information technology

strategy, information technology solutions need to be identified, developed or acquired, as

well as implemented and integrated into the business process. In addition, changes in and

maintenance of existing systems are covered by this domain (CobiT, 1996: 15).

Delivery and support: This domain is concerned with the actual delivery of required services, which range from traditional operations, through security and continuity aspects, to training. In order to deliver services the necessary support processes must be established. This domain includes the actual processing of data by application systems, often classified under application controls (CobiT, 1996: 15).

Monitoring: All information technology processes need to be regularly assessed for quality

and compliance with control requirements (CobiT, 1996: 15).

CobiT presents a framework of control for business process owners, but the responsibility and authority for business processes remain in the hands of management. CobiT includes definitions of both internal control and information technology control objectives, four domains comprising 32 processes, 271 control objectives referenced to those 32 processes, and audit guidelines linked to the control objectives (Colbert & Bowen, 1996: 26).

Framework: The CobiT framework provides a high-level control statement for certain

information technology processes. It also identifies the business need satisfied by the control

statement, identifies the information technology resources managed by the processes, states

the enabling controls and lists the major applicable control objectives (Colbert & Bowen,

1996: 26).

2.6 SUMMARY OF SAS55/78

SAS55 and SAS78 are statements of auditing standards published by the Auditing Standards Board of AICPA (American Institute of Certified Public Accountants). These documents define internal control, describe its components and provide guidance on the impact of controls when planning and performing financial statement audits (Colbert & Bowen, 1996: 30).

SAS55 and SAS78 include the following:

A definition: SAS 78 replaces the definition of the internal control structure in SAS 55 with that of COSO. The only difference between the COSO and SAS definitions is that SAS 78 emphasises the reliability of financial reporting by placing it first in its definition of internal control:

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories (Colbert & Bowen, 1996: 30):

• Reliability of financial reporting;
• Effectiveness and efficiency of operations; and
• Compliance with applicable laws and regulations.

SAS55/78 focus primarily on controls that affect the reliability of an entity's financial reporting. This is borne out by the discussion below of the components, impact and opinion under SAS55/78.

• Components: SAS78 replaces the three elements of the internal control structure (control environment, the accounting system, and the control procedures) with the five components of the internal control system presented in COSO, i.e. the control environment, risk assessment, control activities, information and communication, and monitoring (Colbert & Bowen, 1996: 30).

• Impact: SAS 55/78 require the external auditor to perform procedures to obtain a sufficient understanding of each of the five components to plan the audit. The auditor should analyse and understand the design of the entity's policies and procedures, and determine whether the design has been put into operation. Because the opinion rendered by auditors refers to financial statements which cover a period of time, external auditors are interested in controls affecting the capture and processing of financial information for the entire period under review, and not just the date on which the audit is carried out. External auditors are required to report to the audit committee any significant internal control deficiencies that could affect financial reporting (AICPA, 1988: SAS 60). They also have the option to communicate other control matters to the entity, for example proposals to improve certain systems (Colbert & Bowen, 1996: 30).

• Opinion: The auditor must draft an opinion assessing the extent to which controls

aimed at assuring the reliability of account balances, the correct allocation of

transactions to income and expenditure categories, and full and proper disclosure of

financial statements are exposed to risk. The auditor may assess control risk at the

maximum level, which implies that the probability that a material misstatement in the

financial statements will not be prevented or detected on a timely basis by an entity's

internal control structure is at a maximum. Such an opinion will only be rendered if the

auditor believes that policies and procedures are unlikely to be effective or because

evaluating their effectiveness would be inefficient. Alternatively, the auditor might

decide to perform tests to support a lower assessed level of control risk. The auditor

uses the knowledge provided by the understanding of the internal control structure and

the assessed level of control risk in determining the nature, timing, and extent of

substantive tests for financial statement assertions (AICPA, 1988: SAS 55).

2.7 SUMMARY OF SAC

The SAC report defines internal control, describes its components, provides several

classifications of controls, defines control objectives and risks, and defines the internal

auditor's role. The report provides guidance on using, managing, and protecting information

technology resources, and discusses the effects of end-user computing, telecommunications,

and emerging technologies on the auditor (Colbert & Bowen, 1996:29).

SAC defines a system of internal control as a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals (Colbert & Bowen, 1996:29).

The report emphasises the role and impact of computerised information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build controls into systems in the design phase rather than adding them on after implementation (Colbert & Bowen, 1996: 29).

According to the SAC documentation, the system of internal control consists of three components:

• The control environment;
• Manual and automated systems; and
• Control procedures.

The control environment is made up of an organisational structure, a control framework, policies and procedures, and external influences. Automated systems consist of systems and application software. SAC discusses the control risks associated with end-user and departmental systems, but neither describes nor defines manual systems. According to the SAC documents, control procedures consist of general, application, and compensating controls (Colbert & Bowen, 1996: 29).

SAC provides five classification schemes for internal controls in information systems:

• Preventive, detective, and corrective;
• Discretionary and non-discretionary;
• Voluntary and mandated;
• Manual and automated; and
• Application and general controls.

These schemes focus, respectively, on when the control is applied, whether the control can be bypassed, who wanted the control, how the control was implemented, and where in the software the control was implemented (Colbert & Bowen, 1996: 29).

Control objectives and risks: SAC describes risks as fraud, errors, business interruptions, and inefficient and ineffective use of resources. Appropriate control objectives seek to reduce these risks and to assure information integrity, security, and compliance. Information integrity is guarded by quality controls governing input, processing, output and software. Security measures include data, physical, and program security controls. Compliance controls ensure conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures (Colbert & Bowen, 1996: 29).
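The following Python module is an added example, written for this edition; it is not taken from the dissertation, from the SAC report or from Colbert and Bowen. It applies SAC's preventive, detective and corrective classification to the input and processing controls that SAC says guard information integrity, on a constructed batch of payment records: a preventive input control (field validation), a detective processing control (reconciliation against the sender's record count, amount total and hash total), and a corrective control (quarantining a batch that fails reconciliation instead of posting it). The record layout, the function names and the sample data are assumptions made for the illustration. The scenario shows the point the classification makes: an amount altered in transit to another well-formed value passes the preventive control and is only caught by the detective one.

```python
"""Added example: SAC's preventive / detective / corrective control classes
applied to a constructed batch of payment records. Not from the dissertation
or the SAC report; record layout, function names and data are assumptions."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import hashlib


@dataclass(frozen=True)
class Payment:
    ref: str       # sender's reference for the record
    account: str   # beneficiary account, expected as exactly 10 digits
    amount: str    # amount as it arrives in the batch file, e.g. "100.00"


# Preventive input control: a malformed record never reaches processing.
def validate_payment(p: Payment) -> list:
    """Return the list of validation failures; an empty list means accepted."""
    errors = []
    if not (p.account.isdigit() and len(p.account) == 10):
        errors.append(f"{p.ref}: account must be exactly 10 digits")
    try:
        amt = Decimal(p.amount)
        # "NaN" and "Infinity" parse without error, so check finiteness first.
        if not amt.is_finite() or amt <= 0 or amt.as_tuple().exponent < -2:
            errors.append(f"{p.ref}: amount must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append(f"{p.ref}: amount is not a number")
    return errors


# Control totals over a batch: computed by the sender, re-computed by the
# receiver. Sorting by reference makes the hash independent of record order.
def batch_controls(payments) -> dict:
    h = hashlib.sha256()
    for p in sorted(payments, key=lambda x: x.ref):
        h.update(f"{p.ref}|{p.account}|{p.amount}\n".encode())
    total = sum((Decimal(p.amount) for p in payments), Decimal("0"))
    return {"count": len(payments), "total": str(total), "hash": h.hexdigest()}


# Detective processing control: reconcile the received records against the
# sender's control totals. Catches alteration, loss and insertion of records.
def reconcile_batch(payments, expected: dict) -> list:
    """Return the list of discrepancies; an empty list means the batch reconciles."""
    actual = batch_controls(payments)
    findings = []
    if actual["count"] != expected["count"]:
        findings.append(f"record count {actual['count']} != expected {expected['count']}")
    if Decimal(actual["total"]) != Decimal(expected["total"]):
        findings.append(f"amount total {actual['total']} != expected {expected['total']}")
    if actual["hash"] != expected["hash"]:
        findings.append("hash total mismatch: a record was altered, added or dropped")
    return findings


# Corrective control: a batch that fails reconciliation is held, not posted.
def process_batch(payments, expected: dict) -> dict:
    accepted, rejected = [], []
    for p in payments:
        errs = validate_payment(p)
        if errs:
            rejected.append({"ref": p.ref, "errors": errs})
        else:
            accepted.append(p)
    findings = reconcile_batch(accepted, expected)
    if findings:
        # Corrective action: quarantine the whole batch for investigation.
        return {"posted": [], "quarantined": [p.ref for p in accepted],
                "rejected": rejected, "findings": findings}
    return {"posted": [p.ref for p in accepted], "quarantined": [],
            "rejected": rejected, "findings": []}


# Constructed scenario: the sender builds a valid batch with control totals...
SENT_BATCH = [
    Payment("P001", "1234567890", "100.00"),
    Payment("P002", "0987654321", "250.50"),
    Payment("P003", "1122334455", "75.25"),
]
SENT_CONTROLS = batch_controls(SENT_BATCH)

# ...and one amount is altered in transit to a value that is still well-formed,
# so the preventive control alone cannot catch it.
RECEIVED_BATCH = [
    SENT_BATCH[0],
    Payment("P002", "0987654321", "2500.50"),
    SENT_BATCH[2],
]

if __name__ == "__main__":
    print(process_batch(SENT_BATCH, SENT_CONTROLS))      # posts all three records
    print(process_batch(RECEIVED_BATCH, SENT_CONTROLS))  # quarantines; 2 findings
```

The design point is that each class answers a different question: validation decides per record whether it may enter processing, reconciliation decides after processing whether the batch as a whole is what the sender produced, and quarantine decides what happens when it is not. Dropping only the offending record on a reconciliation failure would post a batch whose integrity is unknown, so the corrective action holds all of it.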

SAC defines the role of the internal auditor as follows: The responsibilities of internal

auditors include ensuring the adequacy of the system of internal control, the reliability of data,

and the efficient use of the organisation's resources. They should also be concerned with

preventing and detecting fraud, and coordinating activities with external auditors. The

integration of auditing and information system skills and an understanding of the impact of

information technology on the auditing process are necessary for internal auditors. These

professionals now perform financial, operational and information system audits (Colbert &

Bowen, 1996: 29).

2.8 SUMMARY OF COSO

The COSO report also defines internal control, describes its components, and provides criteria

against which control systems can be evaluated. The report provides materials that

management, auditors, and others can use to evaluate an internal control system. It also offers

guidance for public reporting on internal control. The report has two major goals (Colbert &

Bowen, 1996: 29):

• to establish a common definition of internal control that serves many different parties; and

• to provide a standard against which organisations can assess their control systems and determine how to improve them.

The report emphasises that the internal control system is a tool of, but not a substitute for, management, and that controls should be built into, rather than built onto, operating activities. The report recommends evaluating the effectiveness of internal control as of a point in time and not for a period of time (Colbert & Bowen, 1996: 29).


According to COSO, the internal control system consists of five interrelated components:

• Control environment;
• Risk assessment;
• Control activities;
• Information and communication; and
• Monitoring.

The control environment provides the foundation for the other components. It encompasses

such factors as management's operating style, philosophy, human resource policies and

practices, the integrity and ethical values of employees, the attention and direction of the board

of directors, and the organisational structure (Colbert & Bowen, 1996: 29).

COSO describes risk assessment as the identification and analysis of risk. Risk identification includes examining the potential risks that could arise from external factors, such as technological developments, competition, and economic changes, and from internal factors such as personnel quality, the nature of the entity's activities, and the characteristics of information system processing. Risk analysis involves estimating the significance of the risk, assessing the likelihood of the risk occurring, and considering how to manage the risk should it occur (Colbert & Bowen, 1996: 29).

Control activities consist of the policies and procedures that ensure that employees will carry

out management directives. Control activities include reviews of the control system, physical

controls, segregation of duties, and information system controls. Information system controls

include general and application controls. General controls are those covering access,

software, and system development. Application controls are those which prevent errors from

entering the system or detect and correct errors present in the system (Colbert & Bowen,

1996: 29).

Any entity should obtain pertinent information and communicate it throughout the organisation. The information system identifies, captures, and reports financial and operating information that is useful to control the organisation's activities. Within the organisation, personnel must receive the message that they must understand their roles in the internal control system, take their internal control responsibilities seriously and, if necessary, report problems to higher levels of management. Outside the entity, individuals and organisations supplying or receiving goods or services must clearly understand that the entity will not tolerate improper actions (Colbert & Bowen, 1996: 30).

By conducting special evaluations and by reviewing the output generated by regular control activities, management can monitor the control system. Regular control activities include comparing physical assets with recorded data, training seminars, and examinations by internal and external auditors. Deficiencies found during regular control activities are usually reported to the supervisor in charge; deficiencies located during special evaluations are normally communicated to higher levels of the organisation (Colbert & Bowen, 1996: 30).

Other concepts included in the COSO report include the limitations inherent in an internal

control system and the roles and responsibilities of the parties that affect a system. Limitations

include faulty human judgment, misunderstanding of instruction, human errors, management

overriding of controls, collusion, and cost versus benefit considerations. The COSO report

defines deficiencies as "conditions within an internal control system worthy of attention."

Deficiencies should be reported to the person responsible for the activity and to management

at least one level above the individual responsible (Colbert & Bowen, 1996: 30).

The effectiveness of an internal control system is judged on the basis of how well an entity

performs with regard to operations, financial reporting and compliance.

2.9 CONCLUSION

One of the objectives of the literature survey is to compare CobiT, COSO, SAC and

SAS55/78 with each other. To make it possible to accomplish this objective, it is important to

have good background knowledge and a basic understanding of each of the documents. Not

all the references to the literature in this dissertation relate directly to the objectives, but they

are necessary to enable one to understand the comparison between the documents. Some

references are also made in order to explain terms used by the authors.

In the writer's opinion, the objectives of the literature survey have been achieved. No further background information needs to be presented on the documents that have not been specifically excluded.


In chapter three, the four basic source documents will be compared in order to emphasise the strengths and weaknesses of each. In chapter four we shall attempt to satisfy the objectives of this short dissertation by drawing on the strengths of all four documents and distilling an ideal reference framework, while identifying the document which is most suitable for use across a wide range of purposes.


CHAPTER 3

A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC

CONTENTS PAGE

3.1 OBJECTIVE 29

3.2 SCOPE, LIMITATIONS AND EXCLUSIONS 29

3.2.1 Scope 29

3.2.2 Limitations and exclusions 29

3.3 A COMPARISON OF SAS55/78, COBIT, SAC, AND COSO 29

3.4 CONCLUSION 71


3.1 OBJECTIVE

The objective of this chapter is to compare the most important features of CobiT, COSO, SAC and SAS55/78 in order to point out the strengths and weaknesses of each document.

3.2 SCOPE, LIMITATIONS AND EXCLUSIONS

3.2.1 Scope

Existing frameworks for internal control and current internal control structures have had to be surveyed, but it had to be from an external auditor's point of view. The objective of the survey was to decide which framework will be best suited for external auditing purposes and to create a framework for internal control.

3.2.2 Limitations and exclusions

To achieve the objectives of the literature survey, it has been necessary to examine and analyse the internal control frameworks and control structures of CobiT, SAC, COSO and SAS55/78. Consequently the following limitations and exclusions have been placed on the scope of the literature survey:

• Only issues which deal with the perspective from an external auditor's point of view have been included. Sections in the references which deal with any other party's involvement in the process have thus been excluded.

• SAC module 2, chapter 4 "The Internal Auditor's role" has thus been excluded.

A great deal of preparatory work was done to ensure that the short dissertation would be based on sound theory. The limitations and exclusions imposed on the author did not detract from the overall objectives of the study; in fact, they imposed a discipline on the work by narrowing the investigation down to the principal issues which are relevant in a short dissertation of this nature.

3.3 DETAILED COMPARISON OF COBIT, SAS 55/78, COSO AND SAC

The comparison between CobiT, COSO, SAC and SAS55/78 is set out in Table 3.1.


[Table 3.1 The comparison between SAS55/78, CobiT, SAC and COSO per point of focus. In the original this table is a rotated, landscape-format scan spanning the pages between sections 3.3 and 3.4, and its body did not survive text extraction. Only the following is recoverable from the residue: the caption; the column headings SAS 55 and 78, CobiT, SAC and COSO; row headings (points of focus) including "Control activities are the ..." (AICPA, 1995: 3), "Information and ...", "Top level review", "Integrity of information", "Information processing", "Segregation of duties" (COSO, 1992: 46), "Program security", "Physical security", "Control framework", "Organization structure", "Review operations or programs to ascertain whether results are consistent with established objectives and goals, and whether the operations of ...", "Application controls" (COSO, 1992: 48) and "Computer viruses"; and source citations to AICPA (1988, 1995, 1996), COSO (1992), ISACF (1996) and Colbert & Bowen (1996) scattered through the cells.]

3.4 CONCLUSION

To enable management to develop a proper internal control structure which will meet their expectations, and to help them to benchmark their current internal control system, COSO, SAS and CobiT were developed. To provide guidance on the independent auditor's consideration of an entity's internal control in an audit of financial statements in accordance with generally accepted auditing standards, SAS55 and SAS78, CobiT, COSO and SAC were developed.

These four documents were compared in order to determine the strengths and weaknesses of each, but also to determine which document is the most suitable from an auditing perspective. A table was drawn up capturing the most important points in each document. Each of these points was compared with similar points in each of the other documents. From the comparison it is clear that each document has a different focus point and emphasizes different internal control issues. It is therefore clear that each document has certain strengths and weaknesses regarding the defining of an ideal internal control structure.

In chapter 4 conclusions will be reached regarding the strengths and weaknesses of each document. A module will be developed indicating which document to use under a given set of circumstances.


CHAPTER 4

AN INTEGRATED REFERENCE FRAMEWORK FOR INTERNAL CONTROL

CONTENTS PAGE

4.1 OBJECTIVE 74

4.2 BACKGROUND 74

4.3 SCOPE, LIMITATIONS AND EXCLUSIONS 74

4.3.1 Scope 74

4.3.2 Limitations and exclusions 74

4.4 RESULTS 75

4.4.1 The premise of an internal control structure and the audience it addresses 76

4.4.2 The definition of internal control 76

4.4.3 The components of internal control 77

4.4.4 The purpose an internal control framework will serve for auditors, management and an IS department 78

4.4.5 The internal control objectives and activities expected in an internal control structure 79

4.4.6 The accepted structure of the auditing process, and auditing in an information technology environment 80

4.4.7 The control environment, accounting system, control procedure and monitoring as part of the internal control structure 80

4.4.8 Classification of controls 81

4.4.9 The assessment of control risk 82

4.4.10 The documentation of auditing work performed and the safeguarding of assets 82

4.4.11 The risks to which a company is vulnerable 83

4.4.12 The focus of the internal control structure 83

4.4.13 Management's responsibility regarding internal control, the management of information and the development of systems 84

4.4.14 The impact of technology trends on application systems, and the impact of communication and end-user and departmental computing on the internal control structure 84

4.4.15 Contingency planning as part of the internal control structure 85

4.5 CONCLUSION 86


4.1 OBJECTIVE

The objective of this chapter is to establish a framework that will indicate which document to use under a given set of circumstances. This will be done by highlighting the strengths and weaknesses of the documents when applied under different circumstances.

4.2 BACKGROUND

The reference material used for the study has been briefly surveyed in as much detail as is necessary to identify those references which represent a framework for internal control. The study performed in chapter 3 has been used as a basis for developing a reference framework for the use of SAS55/78, COSO, SAC and CobiT in different situations.

4.3 SCOPE, LIMITATIONS AND EXCLUSIONS

4.3.1 Scope

Existing frameworks for internal control and current internal control structures have had to be surveyed, but it has to be from an external auditor's point of view as this is the objective of the dissertation. These frameworks are compared to determine the strengths and weaknesses of each. The objective of the comparison is to decide which framework will be best suited for external auditing purposes in general, and also to establish a reference framework for decision making on which framework to use in special circumstances.

4.3.2 Limitations and exclusions

To achieve the objectives of the literature survey, it has been necessary to re-examine and analyse the comparison of the five documents made in chapter 3. Consequently the following limitation has been placed on the scope of the literature survey:

• Only the issues addressed in the comparison have been included. Sections in the four documents that deal with other issues have thus been excluded.

A great deal of preparatory work has been done to ensure that the short dissertation is based on sound theory and that the exclusions imposed do not detract from the overall objective of this chapter. In fact the limitation enforces a discipline on the discussion, which will ensure that only those issues which are strictly relevant are taken into consideration.

4.4 RESULTS

The analysis comprises the following sections:

4.4.1 The premise of an internal control structure and the audience it addresses.

4.4.2 The definition of internal control.

4.4.3 The components of internal control.

4.4.4 The purpose an internal control framework will serve for auditors, management and an Information System department.

4.4.5 The internal control objectives and activities expected in an internal control structure.

4.4.6 The accepted structure of the auditing process, and auditing in an information technology environment.

4.4.7 The control environment, accounting system, control procedure and monitoring as part of the internal control structure.

4.4.8 Classification of controls.

4.4.9 The assessment of control risk.

4.4.10 The documentation of auditing work performed and the safeguarding of assets.

4.4.11 The risks to which a company is vulnerable.

4.4.12 The focus of the internal control structure.

4.4.13 Management's responsibility regarding internal control, the management of information and the development of systems.

4.4.14 The impact of technology trends on application systems, and the impact of communication and end-user and departmental computing on the internal control structure.

4.4.15 Contingency planning as part of the internal control structure.


4.4.1 The premise of an internal control structure and the audience it addresses

Before making a decision on which document to use as a framework for internal control, it is important to determine what the premise is. If the internal control framework is needed to obtain information to plan the audit and to determine the nature, timing and extent of tests to be performed, then SAS55/78 is probably the most appropriate framework for this purpose, as it is mainly focused on the requirements of external auditors. However, CobiT, SAC and COSO can also be used, because all three of them share the premise of achieving adequate control to provide the information that an enterprise needs to achieve its objectives.

It is important to know that SAC focuses on internal auditors as an audience, while COSO focuses on management. Therefore, when any questions of an external auditing nature need to be taken into account when examining internal control, these documents cannot be used on their own.

CobiT focuses on three audiences: management, users of information technology and information auditors. CobiT is therefore not restricted to a specific premise or audience and can be used to obtain sufficient information regarding internal control for auditing purposes, but it can also be used by management to create an internal control structure or to benchmark their current internal control structure (Chapter 3.3.1 paragraph 1, 2).

4.4.2 The definition of internal control

All four documents view internal control as a process, but SAC further extends the meaning of the concept by defining internal control as a set of processes, subsystems and people, and CobiT defines it as a set of processes which include procedures, practices and organisational structures (Chapter 3.3.1 paragraph 3).

Although CobiT defines the processes included in internal control very thoroughly, it does not define the objectives of internal control as well as is done in the definitions of COSO and SAS55/78 (Chapter 3.3.1 paragraph 4).


Taking the foregoing into account, the following definition can be distilled from the source documents COSO, SAS and CobiT:

A process, effected by an entity's board of directors, management and other personnel, and which includes policies, procedures and organisational structures which are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• reliability of financial reporting;

• effectiveness and efficiency of operations; and

• compliance with applicable laws and regulations.

4.4.3 The components of internal control

SAS55/78 and COSO both divide internal control into the same five components:

• the control environment;

• risk assessment;

• control activities;

• information and communication; and

• monitoring.

SAS55/78 focuses on the external auditor, while COSO focuses on management; as a result the same five components serve both audiences.

The domains used by CobiT are arranged in a chronological sequence:

• planning and organisation;

• acquisition and implementation;

• delivery and support; and

• monitoring.

This chronological ordering makes CobiT's division easier to follow.


CobiT addresses the control environment in processes that are linked to each of these domains (see chapter 3.3.1, paragraph 15 and chapter 4, paragraph 4.7). It addresses the risk assessment process separately and also as part of each and every process. Each process has illustrative tests to perform to substantiate the risk of control objectives not being met (Chapter 3.3.1 paragraph 18).

Control activities are addressed by CobiT as a division in each process, namely the evaluation of the controls, with examples for that specific process (Chapter 4, paragraph 4.5).

The communication process is also included in each of the processes under the section "evaluating the controls". Examples of controls are noted there, but the impact of telecommunication on internal control is discussed within CobiT (Chapter 4, paragraph 4.14).

The last component included by SAS55/78 and COSO, monitoring, is also included as a domain in CobiT.

We can hereby conclude that all the components included in SAS55/78 and COSO also appear in CobiT, not necessarily as separate components, but rather as part of the domains.

A chronological tracking of processes as they happen seems to be the best way to identify components; therefore CobiT seems to be the best framework to use to identify components, as it also includes the components of the other documents.

4.4.4 The purpose an internal control framework will serve for auditors, management and an Information System department

SAS55/78 will help auditors to plan the auditing of an internal control structure, while CobiT, SAC and COSO provide practitioners with specific guidelines and technical reference material to evaluate the internal control structure. SAC provides auditors with specific examples to assist them in performing their evaluation, while CobiT deals with general processes.

To aid auditors in evaluating a control structure, a combination of SAS55/78 and CobiT or SAC seems to be a realistic option. SAS sets the standards for the auditing process, while CobiT makes it applicable to general control environments and SAC makes it applicable to specific environments. The standards for auditing as set by SAS are also included in CobiT, which makes it possible for auditors to use CobiT on its own (Chapter 4, paragraph 4.6, and chapter 3.3.1, paragraph 6).

SAS55/78 will be of no help to management or the Information System department, as it is solely focused on the requirements of an external auditor. COSO's evaluating tools and CobiT's control objectives will be the best aid for management in evaluating and benchmarking their internal control (Chapter 3.3.1, paragraph 7, 8).

To assist the Information System department in evaluating internal control issues, SAC wrote separate modules. CobiT integrated the issues regarding the Information System department into the four domains. Therefore, when focusing solely on the IS department, SAC will be the best document to use. When focusing on the internal control structure as a whole, including the IS department, CobiT is the best document to use (Chapter 3.4.1, paragraph 8).

4.4.5 The internal control objectives and activities expected in an internal control structure

Control objectives: SAS55/78, CobiT, COSO and SAC have the same three control objectives, i.e. reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. CobiT introduced additional control objectives, i.e. the confidentiality, integrity and availability of information. It is therefore clear that CobiT has the most comprehensive control objectives (Chapter 3.3.1, paragraph 9).

Control activities: SAS55/78 identified four control activities which are relevant to an audit, while SAC divided control activities into integrity of information and security. COSO divided control activities into top-level review, direct functional or activity management, information processing, physical controls, performance indicators and segregation of duties. Although COSO and SAC are rather comprehensive regarding the control activities, CobiT is the most comprehensive because it identifies factors to consider with respect to each of the thirty-two processes (see chapter 3.4.1, paragraph 10). Therefore it is recommended to use CobiT to identify control activities.


4.4.6 The accepted structure of the auditing process, and auditing in an information technology environment

The accepted structure of the auditing process: SAS55/78 is the only document that focuses exclusively on the external auditor. Therefore the structure as defined by this document is accepted as the structure of the auditing process. SAC suggests that the internal auditor should use current auditing approaches and methodologies, but neither SAC nor COSO discusses the auditing process. All the points identified by SAS55/78 are more or less addressed by CobiT. CobiT can therefore be used as an alternative to SAS55/78 to define the accepted structure for the auditing process (see chapter 3.3.1, paragraph 11).

Auditing in an information technology environment: Although SAS55/78 is focused on the external auditor, not much focus is placed on auditing in an information technology environment. COSO is not focused on auditors but rather on management. CobiT was specifically designed to illustrate how to audit in an information technology environment, while SAC module 3 discusses how to make use of information technology in the auditing process.

For auditing in an information technology environment, CobiT will provide the best guidelines, while SAC will provide the best guidelines for making use of information technology in the auditing process (Chapter 3.3.1, paragraph 12).

4.4.7 The control environment, accounting system, control procedure and monitoring as part of the internal control structure

The control environment: SAS55/78 and CobiT both identified seven conditions which define the control environment, while SAC identifies only four, and COSO as many as nine conditions. It is therefore clear that COSO's definition of the control environment is the most comprehensive (Chapter 3.3.1, paragraph 14).

The accounting system: According to SAS55/78, in order to understand the accounting system as a whole one has to understand the classes of transactions, how transactions are initiated, the records and accounts used in the processing and reporting of transactions, and the accounting processes. SAC identifies three factors that should be taken into account when evaluating the accounting system: system software, application systems and end-user or departmental systems. COSO merely states the internal auditor's responsibility regarding the accounting system in general terms. CobiT identifies five processes that are relevant to the accounting system: the processes used to define the information architecture, to determine the technological direction, to identify automated solutions, to acquire and maintain application software, and to acquire and maintain the technology architecture. One can therefore conclude that, although all the documents express opinions regarding the accounting system, SAS55/78's definition of the internal control structure is the most comprehensive (Chapter 3.3.1, paragraph 15).

Control procedures: SAS55 mentions that control procedures are integrated in specific components of the control environment and accounting system. As auditors obtain an understanding of the control environment and accounting system, they will obtain more knowledge about the control procedures. SAC classifies controls into six categories, while COSO classifies them into two broad categories. CobiT is the only document that evaluates the appropriateness of control measures for the process under review by considering clearly identified criteria and industry standard practices, and applying professional auditing judgement (Chapter 3.3.1, paragraph 16).

Monitoring: SAS55/78 expresses general ideas on monitoring which are in line with the ideas expressed in COSO. CobiT devotes a domain with two modules to monitoring. SAC does not identify monitoring as one of the components of the internal control structure, and therefore does not elaborate much on the monitoring process. When addressing this component in an internal control structure, any of the three documents CobiT, COSO or SAS can be used. It is recommended that all three be used in conjunction with each other for best results (Chapter 3.3.1, paragraph 29).

4.4.8 Classification of controls

SAS55/78 classifies controls into four categories, called performance reviews, information processing, physical controls, and segregation of duties. CobiT moves the classification to a higher level by dividing it into three categories called activities and tasks, processes, and domains. COSO classifies controls into two categories called application controls and general controls. SAC provides the most comprehensive classification of controls by dividing them into five categories, called preventive, detective and corrective controls; discretionary and non-discretionary controls; voluntary and mandated controls; manual and automated controls; and application and general controls (Chapter 3.3.1, paragraph 17).

4.4.9 The assessment of control risk

SAS55 discusses in detail how to assess control risk either at the maximum or at less than the maximum level, or even at a lower level. It identifies factors which have to be taken into account when deciding at what level risk should be assessed, such as policies and procedures, results of tests, and additional evidential matter.

CobiT identifies certain auditing steps to be performed to ensure that the control measures established are working consistently and continuously as prescribed. This is done by obtaining direct or indirect evidence for selected items, and performing limited and more extensive analytical reviews. SAC states that the most effective method of evaluating a control procedure is by means of classification.

COSO identifies external factors as potential risk factors. All four documents differ in their statements regarding the assessment of risk, and each has a valid point regarding control risk. All four documents can be used for the assessment of control risk (Chapter 3.3.1, paragraph 18).

4.4.10 The documentation of auditing work performed and the safeguarding of assets

The documentation of auditing work performed: SAS55/78 states that the understanding of the internal control structure and the conclusion about the assessed level of control risk should be documented. CobiT takes it one step further by stating that the actual and potential impact should also be documented. SAC and COSO do not include specific documentation procedures regarding external auditors. The focus of these two documents is on the evaluator and internal auditor. From an external auditor's point of view, CobiT provides the best approach, but from an internal auditor's point of view SAC provides a better approach (Chapter 3.3.1, paragraph 19).

The safeguarding of assets: SAS55/78 and COSO merely include a paragraph regarding the safeguarding of assets. SAC, on the other hand, sets a high standard for the safeguarding of assets by providing a whole module on security. Topics like security management, physical security and logical security are addressed in this module. CobiT includes a process (DS5) addressing topics like authentication and access, security of on-line access to data, user account management, data classification, central identification, violation reports, incident handling, re-accreditation, cryptography, and virus prevention. The best documents to use for the implementation of procedures for the safeguarding of assets are CobiT and SAC, since both these documents have modules dedicated to the topic (Chapter 3.3.1, paragraph 20).

4.4.11 The risks to which a company is vulnerable

SAS55/78 identifies a few risks, but CobiT identifies risks for each of the thirty-two processes. SAC identifies risks for very specific circumstances, such as computer aided software, application programming, telecommunication, operating systems, knowledge-based systems, image processing, database management and application packaging. COSO makes provision for evaluation tools in the form of a documented process for evaluating a control structure, and part of these tools is the evaluation of risks.

In deciding on the most appropriate tool to use for the identification of risks, CobiT will be the most comprehensive document to use. COSO can be used as an alternative, while SAC can be used in very specific circumstances (Chapter 3.3.1, paragraph 21).

4.4.12 The focus of the internal control structure

The focus of the evaluation of the internal control structure will determine which document will be used. When focusing on the financial statements, SAS55/78 will be used as a guideline, and when focusing on information technology, CobiT or SAC will be used. When focusing on the overall entity, COSO is the ideal guideline to use (Chapter 3.3.1, paragraph 22).


4.4.13 Management's responsibility regarding internal control, the management of information and the development of systems

Management's responsibility regarding internal control: SAC provides a short description of the responsibility of management which is nevertheless very extensive. CobiT discusses management's responsibility by including it in the processes, but does not separately discuss management's responsibility. SAS55/78's description of management's responsibility agrees with the description in COSO. COSO gives a detailed description of management's responsibility regarding internal control (Chapter 3.3.1, paragraph 25). The best documents to use are therefore SAS and COSO.

The management of information and the development of systems: SAS55/78 does not go into much detail, but the other three documents do. CobiT has four processes dedicated to this topic (PO1-PO4). SAC has a separate module dedicated to the topic, and COSO has a separate chapter addressing the topic. Therefore one can accept that all three of these documents can be used to develop and benchmark an entity's internal controls for the management of information and the development of systems (Chapter 3.3.1, paragraph 26).

4.4.14 The impact of technology trends on application systems, and the impact of communication and end-user and departmental computing, on the internal control structure

The impact of technology trends on application systems: SAS55/78 does not address this issue, and COSO only briefly describes the controls relating to development and maintenance. SAC module 6 chose six application systems that have a broad appeal for both the business community and the auditing community to discuss the impact of technology trends on application systems. CobiT's AI2 sets certain control objectives regarding the acquisition and maintenance of application software. No specific applications are highlighted, as was the case with SAC, but this makes it easier to apply to any application and omits long discussions on a specific application (Chapter 3.3.1, paragraph 13). Again, CobiT seems to be the document to use to determine the impact of technology trends on application systems. For the specific applications discussed in SAC, SAC will be the best document to use.


The impact of communication and telecommunication on the internal control structure: SAS55/78 only states that the auditor should obtain sufficient knowledge of the means that the entity uses to communicate financial reporting roles and responsibilities and significant matters relating to financial reporting. COSO elaborates on the impact of communication on the information systems and identifies two types of communication. Neither of these two documents addresses the impact of telecommunication on the internal control structure. SAC again dedicated a module to this topic. Module 8 identifies the auditing issues related to telecommunication systems by concentrating on the risks and controls of each component. Each chapter begins with a basic technical discussion and continues by relating the technical issues to risk and control considerations. CobiT, on the other hand, identifies auditing issues related to telecommunication in DS5. This is the normal process of system security, but it includes certain points on telecommunication (Chapter 3.3.1, paragraph 28). When trying to evaluate the impact of communication and telecommunication on the internal control structure, COSO is the best to use for communication and SAC the best for telecommunication. CobiT can also be used as an alternative guideline for the impact of telecommunication, because it addresses all the important issues.

The impact of end-user and departmental computing on the internal control structure: SAS55/78 and COSO do not address the impact of end-user and departmental computing on the internal control structure. SAC presents this issue in module 7 by using several EUC scenarios with relevant auditing guidance. CobiT does not use scenarios, but deals with the issue in a process called the acquisition and maintenance of application software (Chapter 3.3.1, paragraph 27). SAC will be the best document to use if the specific scenario applicable is discussed in SAC; in other cases CobiT will be the best instrument to use in order to determine the impact of EUC on the internal control structure.

4.4.15 Contingency planning as part of the internal control structure

SAC module 10 and CobiT DS4 both discuss the contingency plan process, strategy, documentation, and testing. SAC also discusses risk analysis, risks and controls, and auditing considerations, while CobiT discusses backup processes, training, applications that are critical, backup sites and hardware, and file recovery procedures. To obtain the best guideline for contingency planning, the use of both documents is recommended. Neither SAS55/78 nor COSO expresses an opinion regarding the contingency plan (Chapter 3.3.1, paragraph 30).

4.5 CONCLUSION

Table 4.4 will serve as a summary of this chapter, as well as a conclusion regarding which document an external auditor should use for a given point of focus.

The table identifies the points of focus in column two, and there is a column for each document compared. A symbol in a document's column indicates that the document is considered appropriate for the specific point of focus. In some instances only one document is recommended, in other instances all four are usable. To get the best results from this table it will be necessary to refer back to the text in this chapter, and the necessary text references are therefore given in the first column.

Table 4.4 Matrix for comparison between SAS55/78, CobiT, SAC and COSO

Ref.   Point of focus (document columns: SAS55/78, CobiT, SAC, COSO)

4.1    Premise and audience

4.2    Defining internal control
       View of internal control

4.3    Dividing internal control into components

4.4    Aid for auditors
       Aid for management
       Aid for IS department

4.5    Setting control objectives
       Defining control activities

4.6    Planning a structure for the auditing process
       Aid for auditing in an information technology environment

4.7    Defining the control environment
       Defining the accounting system
       Identifying control procedures
       Determining procedures to monitor internal control

4.8    Classification of controls

4.9    How to assess control risk

4.10   How to document auditing work
       Best procedures to safeguard assets

4.11   Identifying risks

4.12   Focus of internal control
       Evaluating the effectiveness of internal control
       For a period in time or a specific time

4.13   Identifying management's responsibilities

4.14   Identifying controls to manage information and to develop systems
       Determining the impact of technology on application systems and setting procedures
       Determining the impact of communication and telecommunication on the internal control structure and setting controls
       Determining the impact of end-user and departmental computing on the internal control structure and identifying procedures

4.15   Defining contingency planning procedures

Total  SAS55/78: 13   CobiT: 25   SAC: 15   COSO: 12

[The "#" marks showing which documents are appropriate for each point of focus did not survive extraction; the recommendation for each point is given in the corresponding section 4.4.x of the text.]

The comparison of the principles of the four documents SAS55/78, CobiT, COSO and SAC has been successfully completed. By comparing the documents, the strengths and weaknesses of each were identified. The application of the comparison's results to any control environment can assist the auditor in determining which document to use. The objective of this short dissertation, as set in chapter 1, has therefore been met. It is clear from the matrix that CobiT can indeed replace the other three documents, as CobiT addressed twenty-five of the focus points while SAC addressed only fifteen, COSO twelve and SAS thirteen.


CHAPTER 5

CONCLUSION

CONTENTS

5.1 CONCLUSION 90

5.1 CONCLUSION

The objective of this short dissertation has been met, in other words to help the auditor to decide which document or combination of documents to use as a guideline for internal control, and to determine whether CobiT can indeed replace COSO, SAC and SAS55/78. A matrix was presented in chapter 4 indicating which document or combination of documents to use for which focus points. The validity of this matrix has been proved by the procedure followed to create it.

The matrix was created as follows:

• A total of thirty focus points which are important from an external auditing point of view were identified from the four documents.

• These thirty points were compared in chapter 3 in order to determine the strengths and weaknesses of each of the documents. It was found that, with the exception of CobiT, not all the documents provided satisfactory approaches to all thirty focus points, and this was identified as a weakness in these documents.

• A matrix was prepared indicating which document to use for which focus points.

The main problem identified has been the fact that, although SAC, COSO, SAS55/78 and CobiT are believed to set the standards for internal control, each of them was developed by a different body. As a result, each addresses the needs of a different audience. By using the comparison of the four documents in chapter 3, an auditor can determine which document or documents address the specific control objective best. This will aid auditors in deciding which framework to use themselves, as well as in convincing the client which framework to use for internal control.

By using the matrix developed in chapter 4 auditors can now:

• Determine which document to use, depending on what their focus point is going to be.

• Decide which document to recommend to their customers, taking into account the focus points of the customer.

• Determine if CobiT can replace the other three documents.

The comparison in chapter 3 is in no way a complete comparison of the four documents. Only thirty focus points which are important from an auditor's perspective were identified. As a result, the matrix is also not a perfect aid to making a decision regarding the documents. Nevertheless, it will still be useful to assist the auditor in making a decision. It also provides important background information.

This short dissertation opens new fields for academic research in the area of internal control. A specific organisation can be identified, focus points for that organisation can be determined, and a study can then be performed on which document will be most appropriate for the purposes of this entity.

This research focused on an auditor's perspective. Research can also be performed from management's perspective, or from the Information System department's perspective. In this short dissertation the points of focus could not be compared in detail, and considerable scope remains for more detailed academic research into specific points of focus.

This short dissertation provides the basic tools (comparison and matrix) which can be used by different audiences for different focus points in order to determine which document or combination of documents to use in order to develop, evaluate and benchmark their current internal control structures.


BIBLIOGRAPHY

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS 1988: Consideration of the Internal Control Structure in a Financial Statement Audit. New York: AICPA.

AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS 1995: Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55. Jersey City: AICPA.

COLBERT, J. L. & BOWEN, P. L. 1996: A Comparison of Internal Controls: CobiT, SAC, COSO and SAS55/78. IS Audit & Control Journal, volume 4 1996: 26-35.

COMMITTEE OF SPONSORING ORGANISATIONS OF THE TREADWAY COMMISSION 1992: Internal Control — Integrated Framework. Jersey City: COSO.

DAMIANIDES, M. 1991: A control model for the evaluation and analysis of control facilities in a simple path context model in a MVS/XA environment. Johannesburg: Rand Afrikaans University (M. Com dissertation).

GELINAS, J. & MAKOSZ, P. 1996: CobiT: Control objectives for information and related technology. IS Audit & Control Journal, volume 4 1996: 12-13.

INFORMATION SYSTEMS AUDIT AND CONTROL FOUNDATION 1996: Control objectives for information and related technology. Illinois: ISACF.

INSTITUTE OF INTERNAL AUDITORS RESEARCH FOUNDATION 1991: Systems Auditability and Control. Altamonte Springs: IIA RF.

LAINHART, J. W. 1996: Arrival of CobiT helps refine the valuable role of IS Audit and Control in the Enterprise. IS Audit & Control Journal, volume 4 1996: 20-23.

LUBBE, J. 1995: A Value-for-money audit approach to LANs with specific reference to Novell Netware. Johannesburg: Rand Afrikaans University (M. Com dissertation).
