Internal Control Concepts Knowledge

advertisement
Internal Control Concepts
Knowledge
Best Practices for IT
Governance
• IT Governance Structure of Relationship
• Audit Role in IT Governance
Internal Control Objectives
• Safeguarding of information technology assets
• Compliance to corporate policies or legal
requirements
• Authorization/input
• Accuracy and completeness of processing of
transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
Information Systems Control
Objectives
• Safeguarding assets
• Assuring the integrity of general operational system environments
• Assuring the integrity of sensitive and critical application system
environments
–
–
–
–
–
Authorization of the input
Accuracy and completeness of processing of transactions
Reliability of overall information processing activities
Accuracy, completeness and security of the output
Database Integrity
• Ensuring the efficiency and effectiveness of operations
(operationnal objectives)
• Complying with the users' requirements, organizational policies and
procedures, and applicable laws and regulations (compliance
objectives)
• Developing business continuity and disaster recovery plans
• Developing an incident response and handling plan
COBIT
• 34 high level control objectives
• 4 domains
–
–
–
–
Plan and organize
Acquire and implement
Deliver and support
Monitor and evaluate
Other Internal Control
Standards
•
•
•
•
ITIL
ISO IEC 1799
Sarbanes - Oxley
COSO
Procedures
• Strategy and direction
• General organizational
and management
• Access to data and
programs
• Systems development
methodologies and
change control
• Data processing
operations
• Systems programming
and technical support
functions
• Data processing quality
assurance procedures
• Physical access controls
• Business
Continuity/Disaster
Recovery Planning
• Network and
Communications
• Database administration
Application Controls
• Function
• To ensure
• Auditor task
Function
• Input
• Processing
• Output
Input
•
•
•
•
Input Authorization
Batch Control and Balancing
Error reporting and handling
Techniques
Input Authorization
•
•
•
•
•
Signatures on batch forms or source documents
Online access controls
Unique password
Terminal or client workstation identification
Source documents
– Standard headings
– Title and instructions
– Layouts
•
•
•
•
Emphasize ease of use and readability
Group similar fields together to facilitate input
Provide predetermined input codes to reduce errors
Contain appropriate cross-reference numbers or a comparable
identifiier to facilitate research and tracing
• Use boxes to identify field size errors
• Include an appropriate area for management to document authorization
Batch Control and Balancing
• Types of batch control
• Types of batch balancing
Types of batch control
•
•
•
•
Total monetary amount
Total items
Total documents
Hash totals
Types of batch balancing
• Batch registers
• Control accounts
• Computer agreement
Error reporting and handling
•
•
•
•
Rejecting only transactions with errors
Rejecting the whole batch of transactions
Holding the batch in suspense
Accepting the batch and flagging error transactions
Techniques
•
•
•
•
•
•
•
Transaction log
Reconsilition of data
Documentation
Error correction procedures
Anticipation
Transmittal log
Cancellation of source documents
Error correction procedures
•
•
•
•
•
•
•
Logging of errors
Timely corrections
Upstream resubmission
Approval of corrections
Suspence file
Error file
Validity of corrections
Processing
• Data Validation and Editing Procedures
• Techniques
• Data file control procedures
Techniques
•
•
•
•
•
Manual recalculations
Editing
Run to run totals
Programmed controls
Reasonableness verification of calculated
amounts
• Limit checks on calculated amounts
• Reconciliation of file totals
• Exception reports
Data file control procedures
•
•
•
•
System control parameters
Standing data
Master data/balance data
Transaction files
Output
• Logging and storage of negotiable, sensitive
and critical forms in a secure place
• Computer generation of negotiable instruments,
forms, and signatures
• Report distribution
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports
To ensure
• Only complete, accurate, and valid data are entered and
updated in a computer system
• Processing accomplishes the correct task
• Processing results meet expectations
• Data are maintained
Auditor task
• Identifying the significant application component and the flow of
transactions throught the system and gaining a detailed
understanding of the application by reviewing the availability
documentation and interviewing appropriate personnel
• Identifying the application control strenghts, and evaluation the
impact of the control weaknesses on the development of a testing
strategy by analyzing the accumulated information
• Testing the controls to ensure their functionality and effectiveness
by applying appropriate audit procedures
• Evaluating the control environment to determine that control
objectives were achieved through analyzing the test results and
other audit evidence
• Considering the operational aspects of the application to ensure its
efficiency and effectiveness by comparing the system with efficient
programming standards, analyzing procedures used and comparing
them to management's objectives for the systems
Download