Internal Control Concepts Knowledge Best Practices for IT Governance • IT Governance Structure of Relationship • Audit Role in IT Governance Internal Control Objectives • Safeguarding of information technology assets • Compliance to corporate policies or legal requirements • Authorization/input • Accuracy and completeness of processing of transactions • Output • Reliability of process • Backup/recovery • Efficiency and economy of operations Information Systems Control Objectives • Safeguarding assets • Assuring the integrity of general operational system environments • Assuring the integrity of sensitive and critical application system environments – – – – – Authorization of the input Accuracy and completeness of processing of transactions Reliability of overall information processing activities Accuracy, completeness and security of the output Database Integrity • Ensuring the efficiency and effectiveness of operations (operationnal objectives) • Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives) • Developing business continuity and disaster recovery plans • Developing an incident response and handling plan COBIT • 34 high level control objectives • 4 domains – – – – Plan and organize Acquire and implement Deliver and support Monitor and evaluate Other Internal Control Standards • • • • ITIL ISO IEC 1799 Sarbanes - Oxley COSO Procedures • Strategy and direction • General organizational and management • Access to data and programs • Systems development methodologies and change control • Data processing operations • Systems programming and technical support functions • Data processing quality assurance procedures • Physical access controls • Business Continuity/Disaster Recovery Planning • Network and Communications • Database administration Application Controls • Function • To ensure • Auditor task Function • Input • Processing • Output Input • • • • Input Authorization Batch Control and Balancing Error reporting and handling Techniques Input Authorization • • • • • Signatures on batch forms or source documents Online access controls Unique password Terminal or client workstation identification Source documents – Standard headings – Title and instructions – Layouts • • • • Emphasize ease of use and readability Group similar fields together to facilitate input Provide predetermined input codes to reduce errors Contain appropriate cross-reference numbers or a comparable identifiier to facilitate research and tracing • Use boxes to identify field size errors • Include an appropriate area for management to document authorization Batch Control and Balancing • Types of batch control • Types of batch balancing Types of batch control • • • • Total monetary amount Total items Total documents Hash totals Types of batch balancing • Batch registers • Control accounts • Computer agreement Error reporting and handling • • • • Rejecting only transactions with errors Rejecting the whole batch of transactions Holding the batch in suspense Accepting the batch and flagging error transactions Techniques • • • • • • • Transaction log Reconsilition of data Documentation Error correction procedures Anticipation Transmittal log Cancellation of source documents Error correction procedures • • • • • • • Logging of errors Timely corrections Upstream resubmission Approval of corrections Suspence file Error file Validity of corrections Processing • Data Validation and Editing Procedures • Techniques • Data file control procedures Techniques • • • • • Manual recalculations Editing Run to run totals Programmed controls Reasonableness verification of calculated amounts • Limit checks on calculated amounts • Reconciliation of file totals • Exception reports Data file control procedures • • • • System control parameters Standing data Master data/balance data Transaction files Output • Logging and storage of negotiable, sensitive and critical forms in a secure place • Computer generation of negotiable instruments, forms, and signatures • Report distribution • Balancing and reconciling • Output error handling • Output report retention • Verification of receipt of reports To ensure • Only complete, accurate, and valid data are entered and updated in a computer system • Processing accomplishes the correct task • Processing results meet expectations • Data are maintained Auditor task • Identifying the significant application component and the flow of transactions throught the system and gaining a detailed understanding of the application by reviewing the availability documentation and interviewing appropriate personnel • Identifying the application control strenghts, and evaluation the impact of the control weaknesses on the development of a testing strategy by analyzing the accumulated information • Testing the controls to ensure their functionality and effectiveness by applying appropriate audit procedures • Evaluating the control environment to determine that control objectives were achieved through analyzing the test results and other audit evidence • Considering the operational aspects of the application to ensure its efficiency and effectiveness by comparing the system with efficient programming standards, analyzing procedures used and comparing them to management's objectives for the systems