Lecture 1-5 is Audit and Internal Controls


7/31/2019 Lecture 1-5 is Audit and Internal Controls

Auditing - Software System Auditing

Audit

Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

An audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.

IT/IS Audit

The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

An Information Technology audit, or Information Systems audit, is an examination of the management controls within an IT infrastructure.

The evaluation of the obtained evidence determines whether the Information Systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

An Information Systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, we can define it as: the process of collecting and evaluating evidence to determine whether a computer system (Information System) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

Software Audit

Software audits provide an independent evaluation of software products or processes to ascertain compliance to standards, specifications, and procedures based on objective criteria that include documents that specify:

The form or content of the product to be produced.
The process by which the products shall be produced.
How compliance to standards or guidelines shall be measured.

Software audits include checking software products and processes to verify that they comply with the applicable procedures and standards.

Categories of Software Audits

Software audits can be categorized as:

A software licensing audit, where use of the software is audited for license compliance.
A software quality assurance audit, where a piece of software is audited for quality.
A software audit review, where a group of people external to a software development organization examines a software product.
A physical configuration audit.
A functional configuration audit.

Need for IS Control & Audit

Reliance on computer systems
Survival of organization
Costs of data loss
Costs of errors
Inability to function
Possibility of incorrect decisions

Security & abuse, from inside and outside: hacking, viruses, access
Destruction & theft of assets
Modification of assets
Disruption of operations
Unauthorized use of assets
Physical harm
Privacy violations

What triggers an audit?

Quality Assurance Plan (event, date)
Requests from management
Requests from developers
Requests from customers
Integration with process improvement activities
Outside requirements (regulatory)
Gut feeling

IT audits are also known as "Automated Data Processing (ADP) audits" and "Computer Audits". They were formerly called Electronic Data Processing (EDP) audits.

Sometimes IS Auditing has another objective, namely ensuring that an organization complies with some regulation, rule, or condition. IS Auditing is conceived as being a force that enables organizations to better achieve four major objectives.

Objectives of IT/IS Audit

Safeguarding of Assets
Improved Data Integrity
Improved System Effectiveness
Improved System Efficiency

Source: Ron Weber

Asset Safeguarding Objectives

The IS assets of an organization include:

Hardware
Software
Facilities
People (knowledge)
Data files
System documentation, and
Supplies.

Like all assets they must be protected by a system of internal control.

Data Integrity Objectives

Data integrity is a fundamental concept in IS auditing. It is a state implying that data has certain attributes: Completeness, Soundness, Purity and Veracity.

If data integrity is not maintained, an organization no longer has a true representation of itself or of events. Moreover, if the integrity of an organization's data is low, it could suffer from loss of competitive advantage.

Three major factors affect the value of a data item to an organization:

1. The value of the information content of the data item for individual decision makers
2. The extent to which the data item is shared among decision makers
3. The value of the data item to competitors.

Purpose of IT Audit

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

Types of Information System Audits

Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carry out an IT audit:

Technological Innovation Process Audit. This audit constructs a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product (organization and industry structure).

Innovative Comparison Audit. This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.

Technological Position Audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

1. Systems and Applications.
2. Information Processing Facilities.
3. Systems Development.
4. Management of IT and Enterprise Architecture.
5. Client/Server, Telecommunications, Intranets, and Extranets.

Systems and Applications: An audit to verify that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.

Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.

Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.

Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.

Elements of IT/IS Audit

1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

What Tools do IT Auditors require?

Audit Process

Audit - Main Steps

Initial Review: A preliminary investigation by the auditors to determine how the audit should be conducted.

Controls Review: Detailed controls are appraised both in their necessity and presence.

Compliance Testing: Determines whether controls actually exist and function as specified in the documentation.

Substantive Testing: Determines whether the system data actually represents reality.

Internal vs External Audit

The audit function can be performed internally or externally.

Internal audit is an independent appraisal of operations, conducted under the direction of management, to assess the effectiveness of internal administrative and accounting controls and help ensure conformance with managerial policies.

External audit is an audit conducted by an individual or a firm that is independent of the company being audited.

Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Scope of Internal Audit

The scope of internal auditing within an organization is broad and may involve topics such as:

Efficacy of operations.
Reliability of financial reporting.
Deterring and investigating fraud.
Safeguarding assets, and
Compliance with laws and regulations.

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

Publicly traded corporations typically have an Internal Auditing Department, led by a Chief Audit Executive (CAE) who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.

Internal Audit Reporting Structure (organization chart)

Board Audit Committee / CEO
  Head of Audit Dept
    Head of IT Audit
      IT Audit Team Members
    Head of Non-IT Audit
      Non-IT Audit Team Members

Role of Internal Audit in Risk Management

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to the risks that could potentially impact its ability to realize its objectives.

Motivation for Control & Audit

Major business fraud cases:
Enron
Worldcom
The "Didn't know these things were happening" syndrome

Comprehensive ethical/control programs do matter to corporate stakeholders.

Need for ethical/control:
Standards
Internal reporting process
Highest level responsibility

Objectives of Audit and Control

Need to control & audit information systems.
IS AUDITING = collecting & evaluating evidence to determine if a system accomplishes its organizational tasks effectively & efficiently.
Understanding the organization & environment.
Understanding systems, EDP in particular.
Understanding the Control Approach.
Control - a system that prevents, detects, or corrects unlawful, undesirable or improper events.

The Auditing Environment

External vs. Internal auditors

External auditors provide increased assurance on:
Fairness of financial statements
Frauds & irregularities
Ability to survive

Internal auditors appraise and evaluate the adequacy & effectiveness of controls (Control - a system that prevents, detects, or corrects unlawful, undesirable or improper events), with reporting and responsibility to the Board of Directors.

The Auditing Environment, continued

Types of audit procedures:
To gain understanding of controls.
Test of controls.
Substantive tests of details of transactions.
Substantive tests of balances and overall results.
Analytic review procedures.

Assessing Reliability

By controls
By transaction
By errors

Internal Auditors

Responsible to Board of Directors.
An internal control function.
Assist the organization in measurement and evaluation of:
Effectiveness of internal controls.
Achievement of organizational objectives.
Economics & efficiency of activities.
Compliance with laws and regulations.
Operational audits.

Internal Auditors Scope of Work - SCARE

Safeguarding assets.
Compliance with policies and plans.
Accomplishment of established objectives.
Reliability & integrity of information.
Economics & efficient use of resources.

External Auditors

Responsible to stockholders and public, via the Board of Directors.
Assess financial statement assertions (transactions):
Existence or occurrence.
Completeness.
Valuation and allocation.
Presentation and disclosure.
Rights and obligations.
Must test compliance with laws and regulations.
Must test for fraud and improprieties.
Relies on the internal control structure for planning of the audit.

Audit (material misstatement) risk = product of:
Inherent risk (the assertion could be materially misstated)
Control risk (a misstatement will not be prevented or detected on a timely basis by internal controls)
Detection risk (inversely related to control and inherent risks)

Internal Controls

In auditing, Internal Control is defined as a process effected by an organization's structure, work and authority flows, people and Management Information Systems, designed to help the organization accomplish specific goals or objectives.

Internal controls are a MEANS by which an organization's resources are directed, monitored, and measured. They play an important role in preventing and detecting fraud and protecting the organization's resources.

Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

Internal Controls - Continued

Controls - a system of activities:
Preventive
Detective
Corrective

They affect reliability:
Reduce failure probability
Reduce expected loss in failure

Reasonable assurance: based on cost-benefit considerations.

Internal controls can be Detective, Corrective, or Preventive by nature.

1. Detective controls are designed to detect errors or irregularities that may have occurred.
2. Corrective controls are designed to correct errors or irregularities that have been detected.
3. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.

Internal Controls consist of five interrelated components. These are derived from the way management runs a business, and are integrated with the management process. Although the components apply to all entities, small and mid-size companies may implement them differently than large ones. Their controls may be less formal and less structured, yet a small company can still have effective internal control. The components are:

1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

2. Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

3. Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

4. Information & Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.

Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

5. Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

The Internal Controls Framework

Separation of duties
Delegation of authority & responsibility
System of authorizations
Documentation & records
Physical control over assets & records
Management supervision
Independent checks
Recruitment & training

Internal Control Objectives

Internal control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.

Internal Audit evaluates internal control by assessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.

Authorization
The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded.

Completeness
The objective is to ensure that no valid transactions have been omitted from the accounting records.

Accuracy
The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data, and that information is recorded in a timely manner.

Validity
The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.

Physical Safeguards & Security
The objective is to ensure that access to physical assets and information systems is controlled and properly restricted to authorized personnel.

Error Handling
The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties
The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction.

A well designed process with appropriate internal controls should meet most, if not all, of these control objectives.

IT Controls

Information Technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise.

IT controls are often described in two categories:

1. IT General Controls (ITGC), and
2. IT Application Controls.

ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes.

IT Application Controls refer to transaction processing controls, sometimes called "input-processing-output" controls.

The COBIT Framework (Control Objectives for Information Technology) is a widely-used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.

  • 7/31/2019 Lecture 1-5 is Audit and Internal Controls

    63/82

    ITGC ITGC represent the foundation of the IT control structure. They

    help ensure the reliability of data generated by IT systems and

    support the assertion that systems operate as intended and that

    output is reliable. ITGC usually include the following types of

    controls:

    Control Environment: Those controls designed to shape the

    corporate culture or "tone at the top. Provides the foundation

    for the other components. Encompasses such factors asmanagements philosophy and operating style.

    Change Management procedures: Controls designed to ensure

    changes meet business requirements and are authorized.63

  • 7/31/2019 Lecture 1-5 is Audit and Internal Controls

    64/82

    Control Activities: Consists of the policies and procedures that

    ensure employees carry out managements directions. Types of

    control activities an organization must implement are preventative

    controls (controls intended to stop an error from occurring),

    detective controls (controls intended to detect if an error hasoccurred), and mitigating controls (control activities that can

    mitigate the risks associated with a key control not operating

    effectively).

    Information and Communication: Ensures the organization obtains

    pertinent information, and then communicates it throughout the

    organization.

    Monitoring Reviewing the output generated by control activities

    and conducting special evaluations.

    ITGC

    64

  • 7/31/2019 Lecture 1-5 is Audit and Internal Controls

    65/82

    Source code/document version control procedures - controls designed to protect the integrity of program code.

    Software development life cycle standards - controls designed to ensure IT projects are effectively managed.

    Logical Access policies, standards and processes - controls designed to manage access based on business need.

    Incident management policies and procedures - controls designed to address operational processing errors.

    Problem management policies and procedures - controls designed to identify and address the root cause of incidents.


    Technical support policies and procedures - policies to help users perform more efficiently and report problems.

    Hardware/software configuration, installation, testing, management standards, policies and procedures.

    Disaster recovery/backup and recovery procedures, to enable continued processing despite adverse conditions.

    Physical Security - controls to ensure the physical security of information technology from individuals and from environmental risks.


    IT Application Controls

    IT Application Controls or Program Controls are fully automated controls (i.e., performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications.


    Categories of IT application controls may include:

    Completeness checks - controls that ensure all records were processed from initiation to completion.

    Validity checks - controls that ensure only valid data is input or processed.

    Identification - controls that ensure all users are uniquely and irrefutably identified.

    Authentication - controls that provide an authentication mechanism in the application system.

    Authorization - controls that ensure only approved business users have access to the application system.

    Input controls - controls that ensure data integrity fed from upstream sources into the application system.
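The application-control categories above, exercised on a constructed payment batch as an added example (this is not code from the lecture): validity/input checks on each record, a completeness check of record count and control total against the batch header, an authorization check against an approved-user list, and duplicate-transaction detection. The batch, header values and approved-user list are all constructed for the illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed batch: the header states the record count and control total the sender claims.
BATCH_HEADER = {"expected_count": 4, "control_total": Decimal("1250.00")}
BATCH_RECORDS = [
    {"id": "T001", "user": "alice", "amount": "500.00", "account": "ACC-1001"},
    {"id": "T002", "user": "bob", "amount": "250.00", "account": "ACC-1002"},
    {"id": "T002", "user": "bob", "amount": "250.00", "account": "ACC-1002"},  # duplicate
    {"id": "T004", "user": "mallory", "amount": "-50.00", "account": "BAD"},  # bad record
]
APPROVED_USERS = {"alice", "bob"}  # constructed authorization list

def parse_amount(rec):
    try:
        return Decimal(rec["amount"])
    except (InvalidOperation, KeyError):
        return None  # missing or non-numeric amount

def validity_errors(rec):
    """Validity / input control: fields must be well formed before processing."""
    errors, amount = [], parse_amount(rec)
    if amount is None:
        errors.append("amount missing or not numeric")
    elif amount <= 0:
        errors.append("amount must be positive")
    if not re.fullmatch(r"ACC-\d{4}", rec.get("account", "")):
        errors.append("account id malformed")
    return errors

def completeness_status(header, records):
    """Completeness control: record count and control total must match the header."""
    total = sum((parse_amount(r) or Decimal("0")) for r in records)
    return {"count_ok": len(records) == header["expected_count"], "total_ok": total == header["control_total"]}

def run_batch_controls(header, records, approved_users):
    """Apply the controls per record; return accepted ids and the reasons for each rejection."""
    accepted, rejected, seen = [], {}, set()
    for rec in records:
        reasons = validity_errors(rec)
        if rec.get("user") not in approved_users:  # authorization control
            reasons.append("user not authorized")
        if rec["id"] in seen:  # duplicate-transaction control
            reasons.append("duplicate transaction id")
        seen.add(rec["id"])
        if reasons:
            rejected.setdefault(rec["id"], []).extend(reasons)
        else:
            accepted.append(rec["id"])
    return {"completeness": completeness_status(header, records), "accepted": accepted, "rejected": rejected}
```

Running `run_batch_controls(BATCH_HEADER, BATCH_RECORDS, APPROVED_USERS)` accepts T001 and the first T002, rejects the repeated T002 and the malformed, unauthorized T004, and reports that the record count matches but the control total does not.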


    Application controls may be compromised by the following application risks:

    Weak security.

    Unauthorized access to data and unauthorized remote access.

    Inaccurate information and erroneous or falsified data input.

    Misuse by authorized end users.

    Incomplete processing and/or duplicate transactions.

    Untimely processing.

    Communication system failure.

    Inadequate training and support.


    Internal Control Frameworks - COBIT

    COBIT is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.


    Internal Control Frameworks - COSO

    The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control:

    1. control environment
    2. risk assessment
    3. control activities
    4. information and communication
    5. monitoring

    These controls need to be in place to achieve financial reporting and disclosure objectives.


    COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues.

    The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.

    The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.


    Roles and Responsibilities in Internal Controls

    According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

    Each major entity in corporate governance has a particular role to play:


    Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business.

    Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.


    In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.


    Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities.

    Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.


    Auditors: The Internal Auditors and External Auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve Internal Controls. They may also review Information Technology controls, which relate to the IT systems of the organization.


    Limitations of Internal Controls:

    No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems. These include:

    1. Judgment: The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand.

    2. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.


    3. Management Override: High level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.

    4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.


    Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures.

    Effective internal control implies the organization generates reliable reporting and substantially complies with the laws and regulations that apply to it.


    However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective Internal Controls provide only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.