Control, Security and Audit

The document discusses internal controls, internal audit, and external audit. It defines internal control as actions taken by management to reasonably ensure objectives are achieved. Internal controls can reduce but not eliminate risks. Internal audit independently evaluates control effectiveness, while external audit provides an opinion on financial statements to shareholders. Key differences are internal audit adds value within an organization while external audit ensures accurate reporting externally.
Copyright
© Attribution Non-Commercial (BY-NC)

Control, security and audit - 9

Internal control systems

Internal control: An internal control is any action taken by management to enhance the likelihood that
established objectives and goals will be achieved. Management plans, organises and directs the
performance of sufficient actions to provide reasonable assurance that objectives and goals will be
achieved. Thus, control is the result of proper planning, organising and directing by management.
(Institute of Internal Auditors)

Turnbull guidelines on internal controls (what a company's system of internal control should do):

- Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives
- Help ensure the quality of internal and external reporting (quality information)
- Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business

The Turnbull report goes on to say that a sound system of internal control reduces but does not eliminate the possibilities of poorly-judged decisions, human error, deliberate circumvention of controls, management override of controls and unforeseeable circumstances.

Control environment and control procedures:

- Control environment – the overall context of control, in particular the attitude of directors and managers towards control
- Control procedures – the detailed controls in place

Internal control environment and procedures

Elements of a strong control environment (Turnbull report):

- Clear strategies for dealing with the significant risks that have been identified.
- The company's culture, code of conduct, human resource policies and performance reward systems supporting the business objectives and risk management and internal control systems.
- Senior management demonstrating through its actions and policies commitment to competence, integrity and fostering a climate of trust within the company.
- Clear definition of authority, responsibility and accountability so that decisions are made and actions are taken by the appropriate people.
- Communication to employees of what is expected of them and the scope of their freedom to act.
- People in the company having the knowledge, skills and tools to support the achievement of the organisation's objectives and to manage effectively its risks.

Classification of control procedures:

a) Administration: These are concerned with achieving the objectives of the organisation and with implementing policies (communications, lines of reporting)
b) Accounting: These controls aim to provide accurate accounting records and to achieve accountability (records and transactions)
c) Prevent: These are controls designed to prevent errors from happening in the first place (checking invoices against goods received notes, GRNs)
d) Detect: These are designed to detect errors once they have happened (bank reconciliations)
e) Correct: These are designed to minimise or negate the effect of errors (backup computer)

Other classifications:

a) Discretionary: These are controls which are subject to human discretion (signing a purchase order)
b) Nondiscretionary: These are controls which are provided automatically by the system and cannot be overridden (entering a PIN number)
c) Voluntary: These controls are chosen by the organisation to support the management of the business.
d) Mandated: These controls are required by law and imposed by external authorities.
e) Manual: These controls demonstrate a one-to-one relationship between the processing functions and controls, and the human functions.
f) Automated: These controls are programmed procedures designed to prevent, detect and correct errors all the way through processing.
g) General: These controls are used to reduce the risks associated with the computer environment as a whole.
h) Application: These controls are specific to an individual application and are used to prevent, detect and correct errors in its processing.
i) Financial: These controls focus on the key transaction areas, with the emphasis being on the safeguarding of assets and the maintenance of proper accounting records and reliable financial information.

Types of financial controls (SPAMSOAP):

- Segregation of duties: roles should be split
- Physical: measures taken to secure the custody of assets
- Authorisation and approval: all transactions should require authorisation and approval
- Management: control through analysis and review of accounts
- Supervision: of the recording and operation of day-to-day transactions
- Organisation: identify reporting lines, levels of authority and responsibility
- Arithmetical and accounting: accurate recording and processing of transactions
- Personnel: attention should be given to the selection, training and qualifications of personnel

Internal checks: are defined as the checks on day-to-day transactions whereby the work of one person is proved independently or is complementary to the work of another.

Pre-list: is a list that is drawn up before any processing takes place

Post-list: is a list that is drawn up during or after processing

Control total: is a total of any sort used for control purposes by comparing it with another total that
ought to be the same.
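Added example (not part of these notes): a pre-list/post-list reconciliation using control totals, run over a constructed batch of invoices. It goes slightly beyond the definitions above by showing which kind of keying error each total (record count, value total, hash total) actually catches; the invoice numbers and amounts are made up.

```python
# Added example: batch control totals as an internal check. The invoice
# batch below is constructed sample data; amounts are in pence.
PRE_LIST = [("INV-1001", 12500), ("INV-1002", 8320),
            ("INV-1003", 4575), ("INV-1004", 19900)]


def control_totals(items):
    """Three control totals over a batch: a record count, a value total and
    a hash total of the invoice numbers. The hash total is meaningless in
    itself; it exists only to be compared with the same total later."""
    return {
        "count": len(items),
        "value": sum(amount for _, amount in items),
        "hash": sum(int(ref.split("-")[1]) for ref, _ in items),
    }


def reconcile(pre_list, post_list):
    """Compare the pre-list totals (drawn up before processing) with the
    post-list totals (drawn up after). Returns a list of discrepancies,
    empty when the totals agree and the batch can be accepted."""
    before, after = control_totals(pre_list), control_totals(post_list)
    return [f"{name}: pre-list {before[name]} vs post-list {after[name]}"
            for name in before if before[name] != after[name]]


def dropped_record():
    """Last invoice lost during processing: every total disagrees."""
    return reconcile(PRE_LIST, PRE_LIST[:3])


def transposed_amount():
    """12500 keyed as 15200: only the value total catches it."""
    post = [(ref, 15200 if ref == "INV-1001" else amt) for ref, amt in PRE_LIST]
    return reconcile(PRE_LIST, post)


def wrong_reference():
    """INV-1003 keyed as INV-1030: count and value agree, the hash does not."""
    post = [("INV-1030" if ref == "INV-1003" else ref, amt) for ref, amt in PRE_LIST]
    return reconcile(PRE_LIST, post)


if __name__ == "__main__":
    for case in (dropped_record, transposed_amount, wrong_reference):
        print(case.__name__, case() or "totals agree")
```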

Characteristics of a good internal control system:

- A clearly defined organisation structure
- Adequate internal checks
- Acknowledgement of the work done
- Physical security (door locks, card entry system)
- Formal documents relating to goods
- Pre-review of transactions
- Well defined system for authorising transactions
- Post-review of transactions
- Authorisation, custody and re-ordering procedures
- Personnel should have relevant expertise to fulfil their responsibilities
- Existence of an effective internal audit department

Limitations on the effectiveness of internal controls:

- Segregation of duties can be avoided by the collusion of two or more employees
- Authorisation controls can be abused by the person empowered
- Management can often override the controls they have set up themselves

Internal audit and internal controls

Internal audit: an independent appraisal activity established within an organisation as a service to it. It is
a control which functions by examining and evaluating adequacy and effectiveness of other controls.

Objectives of internal audit:

- Review of the accounting and internal control systems
- Examination of financial and operating information
- Review of economy, efficiency and effectiveness
- Review of compliance with laws
- Review of the safeguarding of assets
- Review of implementation of corporate objectives
- Identification of significant business and financial risks
- Investigation of suspected frauds

The features of internal audit:

- Independence: although an internal audit department is part of an organisation, it should be independent of the line management whose sphere of authority it may audit.
- Appraisal: internal audit is concerned with the appraisal of work done by other people in the organisation, and internal auditors should not carry out any of that work themselves.

Types of audit:

a) Operational audit
b) Systems audit
c) Transactions audit
d) Social audit
e) Management investigations

Procedures performed:

a) Compliance tests (tests of controls)
b) Substantive procedures (tests of details)

Accountability: The internal auditor is accountable to the highest executive level in the organisation, preferably to the audit committee of the Board of Directors.

Independence: Given an acceptable line of responsibility and clear terms of authority, it is vital that the
internal auditor is and is seen to be independent.

External audit

External audit: is a periodic examination of the books of account and records of an entity carried out by an independent third party (the auditor), to ensure that they have been properly maintained, are accurate and comply with established concepts, principles, accounting standards, legal requirements and give a true and fair view of the financial state of the entity.

Difference between external and internal audit:

Reason:

- Internal audit is an activity designed to add value and improve an organisation's operations
- External audit is an exercise to enable auditors to express an opinion on the financial statements

Reporting to:

- Internal audit reports to the board of directors, or others charged with governance, such as the audit committee
- The external auditors report to the shareholders, or members, of a company on the stewardship of the directors

Relating to:

- Internal audit's work relates to the operations of the organisation
- External audit's work relates to the financial statements. They are concerned with the financial records that underlie these

Relationship with the company:

- Internal auditors are very often employees of the organisation, although sometimes the internal audit function is outsourced
- External auditors are independent of the company and its management. They are appointed by the shareholders

Assessment by external auditors when relying on internal audit:

- Organisational status
- Scope of function
- Technical competence
- Due professional care

IT systems and security

Responsibility of ownership:

Security: in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.

Aspects of security:

- Prevention
- Detection
- Deterrence
- Recovery procedures
- Correction procedures
- Threat avoidance

Physical threats:

- Fire
- Water
- Weather
- Lightning
- Terrorist activity
- Accidental damage

Building controls into an information system

Security controls: Security can be defined as 'The protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services'.

Risk to data:

- Human error
- Technical error
- Natural disasters
- Fraud
- Commercial espionage
- Malicious damage
- Industrial action

Integrity controls:

- Data integrity: in the context of security is preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed
- Systems integrity: refers to system operation conforming to the design specification despite attempts (deliberate or accidental) to make it behave incorrectly

Integrity:

- The original input of the data must be controlled in such a way as to ensure that the results are complete and correct
- Any processing and storage of data must maintain the completeness and correctness of the data captured
- Reports or other output should be set up so that they, too, are complete and correct

Archiving: Archiving data is the process of moving data from primary storage, such as a hard disk, to
tape or other portable media for long-term storage.

Retained data is influenced by:

- Legal obligation
- Other business needs

Passwords and logical access systems: A password is a set of characters which may be allocated to a
person, a terminal or a facility which is required to be keyed into the system before further access is
permitted.

Administrative controls:

- Personnel selection is important
- Segregation of duty remains a core security requirement

Audit trail: An audit trail is a record showing who has accessed a computer system and what operations
he or she has performed. Audit trails are useful both for maintaining security and for recovering lost
transactions. Accounting systems include an audit trail component that is able to be output as a report.
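Added example (not from these notes) of the two uses of an audit trail named above: rebuilding ledger balances from the trail alone after the primary records are lost, and reviewing who performed which operation. The JSON trail lines, user names and the authorised-user list are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed audit-trail extract, one JSON record per line: who, when, what.
# Hypothetical sample data, not taken from any real accounting system.
AUDIT_TRAIL = """\
{"id": 1, "ts": "2024-03-01T09:02:11", "user": "jsmith", "op": "POST", "account": "1200", "amount": 5000}
{"id": 2, "ts": "2024-03-01T09:02:11", "user": "jsmith", "op": "POST", "account": "4000", "amount": -5000}
{"id": 3, "ts": "2024-03-01T10:17:03", "user": "apatel", "op": "POST", "account": "1200", "amount": -1250}
{"id": 4, "ts": "2024-03-01T10:17:03", "user": "apatel", "op": "POST", "account": "2100", "amount": 1250}
{"id": 5, "ts": "2024-03-01T13:44:59", "user": "tmp_admin", "op": "REVERSE", "ref": 3}
"""

# Assumed list of staff authorised to post; anyone else in the trail is a finding.
AUTHORISED_USERS = {"jsmith", "apatel"}


def parse_trail(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rebuild_balances(records):
    """Recovery use: rebuild account balances from the trail alone, as one
    would after the primary ledger file is lost. A REVERSE undoes the
    referenced POST."""
    by_id = {r["id"]: r for r in records}
    balances = defaultdict(int)
    for r in records:
        if r["op"] == "POST":
            balances[r["account"]] += r["amount"]
        elif r["op"] == "REVERSE":
            original = by_id[r["ref"]]
            balances[original["account"]] -= original["amount"]
    return dict(balances)


def review_trail(records):
    """Security use: report who did what outside the expected pattern."""
    findings = []
    for r in records:
        if r["user"] not in AUTHORISED_USERS:
            findings.append(f"{r['ts']} {r['user']}: {r['op']} by user not on authorised list")
        if r["op"] == "REVERSE":
            findings.append(f"{r['ts']} {r['user']}: reversal of record {r['ref']} needs approval evidence")
    # Double-entry bookkeeping: a ledger rebuilt from the trail should still sum to zero.
    if sum(rebuild_balances(records).values()) != 0:
        findings.append("reconstructed ledger does not balance: one-sided entry present")
    return findings
```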

System integrity with a PC:

- Installation of a password
- Installation of additional passwords on sensitive files
- Any data on portable devices should be locked away
- Physical access controls

System integrity with LAN:

- The main additional risk (when compared to a stand-alone PC) is the risk of a fault spreading across the system. This is particularly true of viruses. This can be prevented by installing anti-virus software.

System integrity with WAN:

- If commercially sensitive data is being transferred it would be necessary to specify high quality communications equipment and to use sophisticated network software to prevent and detect any security breaches

Contingency controls:

- A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures. A contingency plan is necessary in case of a major disaster, or if some of the security measures discussed elsewhere fail.
