CH 01 Edp

This document provides an overview of auditing principles, standards, and types of audits. It discusses the key auditing principles of independence, integrity, objectivity, professional competence, confidentiality, and technical standards. It also outlines the general, fieldwork, and reporting standards established by the AICPA. Finally, it defines performance, cost, and management auditing, explaining that performance audits assess economy, efficiency and effectiveness, cost audits examine cost accounts for accuracy, and management audits evaluate activities to provide suggestions to improve management.

Uploaded by

Yonas

Chapter One

Introduction

Contents in this Chapter
1. Auditing Principles, Standards and Performance, Cost and Management Auditing
2. Scope of the Course and Perspective on EDP Auditing
3. General Controls
4. Application Reviews
5. Examples of How General and Application Controls Interact
6. Systems Development Audits
1.1. Auditing Principles, Standards and Performance, Cost and Management Auditing

• Accounting is an information system that collects, processes and stores data to
produce information. Financial statements, the end result of an accounting
information system, are management’s assertions regarding the financial
position and operating results, and are useful for decision making.
• These assertions by management must be examined and confirmed by
auditors.
• Auditing is defined as a process, carried out by an appointed qualified person or
body, whereby the records and financial statements of an entity are subjected to
independent examination in such detail as will enable the auditor to form an
opinion as to the truth and fairness of the financial statements.
• Auditing involves the accumulation and evaluation of evidence about
information to determine and report on the degree of correspondence between
the information and established criteria (Arens, 2012).
• The output of accounting is an input to auditing. Accounting asserts; auditing
attests.
• Auditing should be done by a competent, independent person based on GAAS.
• Thus, auditors must thoroughly understand accounting standards and must
possess expertise in the accumulation and interpretation of audit evidence.
Auditing Principles

• The auditor should comply with the Code of Ethics for Members.
• The principles are professional requirements on professional conduct.
• Fundamental principles are to be followed while carrying out an audit assignment.
• Ethical principles governing the auditor’s professional responsibilities are:
a) Independence
b) Integrity
c) Objectivity
d) Professional competence and due care
e) Confidentiality
Auditing Principles (cont.)

a) Independence
• An auditor must have both independence of mind/fact and
independence of appearance.
• Independence in appearance is what third parties would perceive as
independence, so you are perceived by others to be independent. If
you audit a company and your brother is the CEO, you would be perceived
not to be independent.
• Independence in fact/mind is based on your actions in a situation. It is
real independence. Would you be able to make independent decisions if
you were pushed into a corner and under pressure? Even if you were
perceived to have independence in appearance, would you still act independently
without being influenced in any way?
• The auditor must be in a position to give an unbiased opinion – no
conflict of interest.
• Independence in terms of financial interest, ownership, relation, management,
etc.
Auditing Principles (cont.)

b) Objectivity
• Objectivity is the state of mind and the auditor
should strive for objectivity.
• The auditor should assemble all the relevant
information available based on the books of
account submitted to him and express his opinion
or base decisions only on that data and the guiding
principle of the profession.
• Objectivity can only be assured if the auditor is and
is seen to be independent.
Auditing Principles (cont.)

c) Integrity
• An auditor should behave with integrity -
intellectual honesty.
• The Auditor shall not knowingly misrepresent
facts or subordinate his or her judgment to
others.
• Auditors should behave with courtesy and
consideration towards all with whom they
come into contact during the course of
performing their work.
Auditing Principles (cont.)

d) Professional Competence and Due Care
• An auditor should not accept or perform work for which he or she
is not competent.
• In order to provide quality services to their clients, an auditor should
carry out his or her professional work with due skill, care,
diligence and expedition, with proper regard for the technical and
professional standards expected of him or her as a member.
• Technical competence requires that the audit is performed
by persons having adequate technical training and proficiency
as auditors.
• Due professional care: whether the audit is properly planned,
supervised, reviewed and documented. The existence of
adequate audit manuals, work programs and working papers
would be considered.
Auditing Principles (cont.)

e) Confidentiality
• An auditor should respect the confidentiality of information
acquired and should not disclose any such information to
third parties about a client’s or employer’s affairs acquired
in the course of professional services unless there is a legal
or professional right or duty to disclose.
• The duty of confidentiality continues even after the end of
the relationship between the professional accountant and
the client or employer.
• An auditor who acquires information in the course of
professional work should neither use nor appear to use that
information for his personal advantage or for the advantage
of a third party.
Moreover, the following are regarded as Auditing Principles
• Professional Behavior – auditors should behave
with courtesy/good manners/politeness and
consideration towards all with whom they come
into contact during the course of performing
their audit function.
• Technical Standards – auditors should carry out
their professional work/auditing function
with proper regard for the technical and professional
standards expected.
Auditing Standards

• Auditing should be conducted in accordance with approved
auditing standards.
• The 10 standards approved and adopted by the AICPA
(Auditing Standards Board - ASB) are categorized as general,
field work, and reporting standards.
a) General Standards
1. The auditor must have adequate technical training and
proficiency to perform the audit.
2. The auditor must maintain independence in mental attitude
in all matters relating to the audit.
3. The auditor must exercise due professional care in the
performance of the audit and the preparation of the report.
Auditing Standards (cont.)
b) Standards of Field Work
1. The auditor must adequately plan the work and must
properly supervise any assistants.
2. The auditor must obtain a sufficient understanding of
the entity and its environment, including its internal
control, to assess the risk of material misstatement of
the financial statements whether due to error or fraud,
and to design the nature, timing, and extent of further
audit procedures.
3. The auditor must obtain sufficient appropriate audit
evidence by performing audit procedures to afford a
reasonable basis for an opinion regarding the financial
statements under audit.
Auditing Standards (cont.)
c) Standards of Reporting
1. The auditor must state in the auditor's report whether the financial
statements are presented in accordance with generally accepted
accounting principles (GAAP).
2. The auditor must identify in the auditor's report those
circumstances in which such principles have not been consistently
observed in the current period in relation to the preceding period.
3. When the auditor determines that informative disclosures are not
reasonably adequate, the auditor must so state in the auditor's
report.
4. The auditor must either express an opinion regarding the financial
statements, taken as a whole, or state that an opinion cannot be
expressed, in the auditor's report. When the auditor cannot
express an overall opinion, the auditor should state the reasons in
the auditor's report.
Performance, Cost and Management Auditing
• Performance audit refers to an audit of a program,
function, operation or the management systems
and procedures of an entity to assess whether the
entity is achieving economy, efficiency and
effectiveness in the employment of resources.
• Cost Audit involves an examination of cost books,
cost accounts, cost statements and cost documents
to see whether these represent a true and fair view
of the cost of production. This includes the
examination of the appropriateness of the cost
accounting system.
Performance, Cost and Management Auditing (cont.)
• Management audit is an evaluation of all the activities
of an entity with a view to provide appropriate
suggestions to the management to help their work.
• It focuses on the critical evaluation of management as a
team rather than appraisal of individuals.
• The main objective of management audit is to improve
the profit earning capacity, work of management,
objectives of programs, social objectives and human
resource development so that organizational goals can
be easily attained.
• Unlike financial audit, management audit mainly
examines non-financial data.
1.2. Scope of the Course and Perspective on EDP Auditing

• An Accounting Information System can be designed as a manual or
computerized system.
• A Manual AIS consists of: People, Procedures, Data, Documents
and Equipment.
• A Computerized AIS consists of: People, Procedures, Data and IT
[Hardware and Software].
• Accounting Systems are evolving from manual to
computerized systems.
• As a result, auditing systems must evolve to examine the
integrity of information produced by computerized systems.
• EDP Auditing (IT (Information Technology) audit) Objective:
• To examine the computer based information system to
vouch/assure the integrity of the entity’s information
system.
Scope of the Course and Perspective on EDP Auditing (cont.)
• EDP Audit Scope: the scope of an EDP audit can involve
the following:
– Organizational - examines the management control
over IT and related programs, policies, and processes.
– Compliance - pertains to ensuring that specific
guidelines, laws, or requirements have been met.
– Application - involves the applications that are
strategic to the organization, for example those
typically used by finance and operations.
– Technical - Examines the IT infrastructure and data
communications.
• EDP audit addresses the risk exposures within IT systems
and assesses the controls and integrity of information systems.
Scope of the Course and Perspective on EDP Auditing (cont.)

• IT (EDP) Audit Strategies
1. Auditing Around the Computer
• Involves auditing the input and output without
examining the processing and storage devices.
• Done by auditors with less computer based auditing
skills.
• On the basis of the input and output of the
application system, the auditor infers the quality of
the processing carried out indirectly.
• Less effective, but based on GIGO (garbage in, garbage out).
• Auditors ignore the computer and programs.
• Assumption: if output was correctly obtained from system
input, then processing must be reliable.
Auditing Around the Computer

IT (EDP) Audit Strategies (cont.)
2. Auditing Through the Computer
• Involves auditing inputs, storage, processes and outputs of the
computer system.
• The auditor tests: (a) the logic and control existing within the
system and (b) the records produced by the system.
• Uses the computer to check adequacy of system controls, data,
and output.
• Auditors may need specialized skills to:
– Determine how the audit will be affected by IT.
– Assess and evaluate IT controls.
– Design and perform both tests of IT controls and
substantive tests.
3. Auditing By the Computer
• Involves auditing through the computer by being assisted by
auditing software.
Auditing through the Computer
The Nature and Definition of EDP/IT Auditing
• EDP/IT Auditing is a branch of auditing that deals with the
evaluation of IT and IS by auditors to assure the integrity of an
entity’s information system - to assure valid, reliable and secure
information and other services.
• EDP/IT auditing is the process/organizational function of collecting
and evaluating evidence to determine whether a computer system
safeguards assets, maintains data integrity, achieves organizational
goals effectively, and consumes resources efficiently.
• The EDP audit supports the attainment of traditional audit
objectives:
• Attest objectives (those of the external auditor) that have asset
safeguarding and data integrity as their focus, and
• Management objectives (those of the internal auditor) that
encompass not only attest objectives but also effectiveness and
efficiency objectives
• The EDP audit process can be conceived as a force that helps
organizations to better attain these objectives: improved
Foundation of EDP/IT Auditing
• EDP/IT auditing is not a simple extension of traditional auditing.
• It focuses on the computer-based aspects of an organization’s
information system to assess the proper implementation,
operation, and control of computer resources.
• EDP auditing is an intersection of four other areas or disciplines:
Traditional auditing, Information systems management,
Computer Science and Behavioral science (organizational
behavior).
• EDP auditing borrows much of its theory and practical
methodologies from these disciplines.
Figure: EDP auditing at the intersection of Traditional auditing, Computer Science,
Information systems management and Behavioral science.
THE NEED FOR EDP/IT AUDIT FUNCTION
• The advance in computing technology/computers
increases companies’ reliance on computers to
perform daily transactions and make decisions.
• This, coupled with the higher risks associated
with new technologies, obliges management to look
for assurance that controls governing computer
operations are adequate, i.e. the EDP audit
function.
• Performed by specialists who carry out computer based systems
control assessments.
• These specialists are EDP Auditors/IT Auditors.
THE NEED FOR EDP/IT AUDIT FUNCTION (CONT.)
• Since computers play a large part in assisting us to process data and make
decisions, it is important that their use be controlled.
• The following are the major reasons for establishing a function to examine
controls over computer data processing.
• Organizational Costs of Data Loss
• Incorrect Decision Making (because of Inaccurate Data, Processing and
Output)
• Computer Abuse (fraud)
• Value of Computer Hardware, Software and Personnel
• High Costs of Computer Error
• Need to Maintain Individual (and Organizational) Privacy
• Controlled (Need to Control) Evolution of Computer Use (Evolutionary
Use of Computers) – evaluating the use of technology. Technology is
neutral, neither good nor bad. It is the use of the technology that produces
social problems – how computers should be used within society
(example: to what extent should the implementation of computer
technology be allowed to displace the work force?). It is the responsibility of
the government, professional societies, pressure groups as well as the
individual organizations to exercise social conscience/ethics.
THE STRUCTURE OF AN EDP/IT AUDIT

• An EDP/IT audit focuses on the computer based
aspects of an organization’s information system.
• EDP/IT audit, like financial audit, may be
structured in three phases:
1. Audit Planning
2. Tests of Controls
3. Substantive Tests
1. AUDIT PLANNING
• An auditor must gain a thorough understanding of the
client’s business to determine the nature and extent of tests
to perform (Tests of Controls – general & application, and
Substantive Tests).
• Audit planning involves:
1. Reviewing the organization’s policies, practices and
structures.
2. Reviewing general controls and application controls.
3. Planning tests of controls and substantive testing
procedures.
• The major task is the assessment/analysis of audit risk, which is a
function of Inherent Risk, Control Risk and Detection Risk.
• Audit Risk = f(Inherent Risk, Control Risk and Detection
Risk).
AUDIT PLANNING (CONT.)
• Audit risk is the probability that the auditor will issue an unqualified (clean) opinion when
in fact the financial statements are materially misstated.
• Audit risk is the risk that the financial statements are materially incorrect, even though
the audit opinion states that the financial reports are free of any material misstatements.
• Components of Audit Risk:
• Inherent risk (IR) is associated with the unique characteristics of the business or
industry of the client.
• It is the risk posed by an error or omission in a financial statement due to a factor
other than a failure of control. In a financial audit, inherent risk is most likely to occur
when transactions are complex, or in situations that require a high degree of judgment
in regards to financial estimates.
• Control risk (CR) is the likelihood that the control structure is flawed/defective
because controls are either absent or inadequate to prevent or detect errors.
• This will not be prevented or detected on a timely basis by the company's internal
control.
• Detection risk (DR) is the risk that auditors are willing to take that errors not detected
or prevented by the control structure will also not be detected by the auditor.
• It is the risk that the auditor will not detect a misstatement that exists in an assertion
that could be material (significant), either individually or when aggregated with
other misstatements.
2. TESTS OF CONTROLS
• Internal Controls are Policies, procedures, practices and organizational
structures implemented to manage/reduce risks.
• Classification of internal controls:
– Preventive controls
– Detective controls
– Corrective controls
• The aim of testing controls is to determine whether adequate
controls are in place and functioning properly.
• The auditor must assess the quality of the internal controls.
• Tests of controls involve:
• Performing tests of controls
• Evaluating test results
• Determining degree of reliance on controls
• The degree of reliance on internal controls affects the nature and
extent of substantive testing.
Assessing the Quality of Internal Controls
• Controls include policies and procedures set by management to
manage risk.
• The auditor is particularly interested in those controls designed to
protect the company's key processes and the measures used to
monitor the operation of these controls.
• Examples of these measures (key performance indicators):
– Backlog of work in progress
– Amount of return items
– Increased disputes regarding accounts receivable or accounts
payable
– Surveys of customer satisfaction
– Employee absenteeism
– Decreased productivity
– Information processing errors
– Increased delays in important processes
Tests of Controls Techniques
• Auditing Around the Computer—Manually processing selected transactions and
comparing results to computer output.
• Auditing Through the Computer—Computer assisted techniques
– Test Decks—Processing dummy transactions and records with errors and
exceptions to see that program controls are operating.
– Controlled Programs—Processing real and test data with a copy of the client’s
program under the auditors’ control.
– Program Analysis Techniques—The examination of a computer generated
flowchart of the client’s program to test the program’s logic.
– Tagging and Tracing Transactions—Examination of computer generated details
of the steps in processing “tagged” transactions.
– Integrated Test Facility (ITF)—A system that processes test data
simultaneously with real transactions to allow the system to be constantly
monitored. It is an automated, on-going technique that enables the auditor to
test an application’s logic and controls during its normal operation
– Parallel Simulation—The use of an auditor-written program to process client
data and comparison of its output to the output generated by the client’s
program. Auditor writes simulation programs and runs actual transactions of the
client through the system.
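The two computer-assisted techniques described above, Test Decks and Parallel Simulation, as an added worked example that is not part of the original slides. Everything in it is constructed: the master file, the transaction file and the pay rule (overtime above 40 hours at 1.5x) are assumed sample data, and `client_payroll_program` is a stand-in for a client's program, not real client code. Its input controls (an id validity check and a limit check on hours) are exercised by the test deck, and its deliberately wrong overtime handling is caught by the auditor-written simulation when the live output and the simulated output are compared.

```python
from decimal import Decimal

# --- Constructed sample data (assumed for illustration; not from the page) ---

# Master file: employee id -> hourly pay rate
MASTER_FILE = {
    "E001": Decimal("20.00"),
    "E002": Decimal("15.50"),
    "E003": Decimal("30.00"),
}

# Transaction file: (employee id, hours worked this week)
TRANSACTION_FILE = [
    ("E001", Decimal("40")),
    ("E002", Decimal("45")),
    ("E003", Decimal("38")),
]

OVERTIME_THRESHOLD = Decimal("40")   # hours above this are paid at 1.5x (assumed pay rule)
OVERTIME_MULTIPLIER = Decimal("1.5")
HOURS_LIMIT = Decimal("80")          # limit check applied by the client program (assumed)


def client_payroll_program(master, transactions):
    """Stand-in for the client's program (constructed, not real client code).

    It applies two input controls, a validity check on the employee id and a
    limit check on hours, then computes gross pay.  Its overtime handling is
    deliberately wrong (all hours paid at the base rate) so that the parallel
    simulation below has a discrepancy to report.
    """
    accepted, rejected = {}, []
    for emp_id, hours in transactions:
        if emp_id not in master:
            rejected.append((emp_id, hours, "invalid employee id"))
            continue
        if hours < 0 or hours > HOURS_LIMIT:
            rejected.append((emp_id, hours, "hours outside limit"))
            continue
        accepted[emp_id] = (hours * master[emp_id]).quantize(Decimal("0.01"))
    return accepted, rejected


# Output of the "live" run of the client program over the real transactions
LIVE_OUTPUT, _ = client_payroll_program(MASTER_FILE, TRANSACTION_FILE)


def gross_pay(rate, hours):
    """Auditor's own implementation of the pay rule the client program should apply."""
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    pay = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return pay.quantize(Decimal("0.01"))


def parallel_simulation(master, transactions):
    """Reprocess the client's real transactions with the auditor-written program."""
    return {emp_id: gross_pay(master[emp_id], hours) for emp_id, hours in transactions}


def compare_outputs(live, simulated):
    """Return (record id, live value, simulated value) for every mismatch."""
    discrepancies = []
    for emp_id in sorted(set(live) | set(simulated)):
        if live.get(emp_id) != simulated.get(emp_id):
            discrepancies.append((emp_id, live.get(emp_id), simulated.get(emp_id)))
    return discrepancies


# Test deck: dummy transactions seeded with errors that the program controls
# should reject.  Only the first record is valid and should be accepted.
TEST_DECK = [
    ("E001", Decimal("40")),    # valid record
    ("E999", Decimal("10")),    # unknown employee id
    ("E002", Decimal("-5")),    # negative hours
    ("E003", Decimal("120")),   # hours above the limit
]
EXPECTED_REJECTIONS = {"E999", "E002", "E003"}


def run_test_deck(program, master, deck, expected_rejections):
    """Process the deck and check that exactly the seeded errors were rejected.

    Returns (controls_working, rejected_records).
    """
    accepted, rejected = program(master, deck)
    rejected_ids = {emp_id for emp_id, _, _ in rejected}
    expected_accepted = {emp_id for emp_id, _ in deck} - expected_rejections
    controls_working = rejected_ids == expected_rejections and set(accepted) == expected_accepted
    return controls_working, rejected


if __name__ == "__main__":
    ok, rejected = run_test_deck(client_payroll_program, MASTER_FILE, TEST_DECK, EXPECTED_REJECTIONS)
    print("test deck: program controls working:", ok)
    for rec in rejected:
        print("  rejected", rec)
    for emp_id, live, sim in compare_outputs(LIVE_OUTPUT, parallel_simulation(MASTER_FILE, TRANSACTION_FILE)):
        print(f"parallel simulation discrepancy: {emp_id} live={live} simulated={sim}")
```

Run as a script, the test deck reports that the input controls work (the three seeded errors are rejected and the valid record is accepted), while the parallel simulation reports one discrepancy for E002: the live program paid 45 hours at the base rate (697.50) where the auditor's program computes 736.25. The point of the design is that the two techniques answer different questions: the test deck tells the auditor whether the program's controls reject bad input, and the parallel simulation tells the auditor whether accepted input is processed correctly, which the test deck alone cannot reveal.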
Tests of Controls Techniques: Auditing Around the Computer

Figure: Auditing Around the Computer. The auditors’ test data and the client’s program go
through computer processing; the computer results should match the auditors’ predetermined results.
Auditing through the Computer:
The ITF Technique
Tests of Controls Techniques: Auditing Through the Computer
System Concept of Parallel Simulation

Figure: The master file and transactions are fed to both the “live” system and the simulated
system; the “live” file is compared with the simulated output, and exceptions are reported.

Source: W.C. Mair, “New Techniques in Computer Program Verification,” Tempo
(Touche Ross & Co., Winter 1971-72), p. 14.
Parallel Simulation

Figure: The input transaction file and input master file are processed by both the system
application and the parallel simulation (generalized audit software); the two output master
files are compared and discrepancies are reported.
Auditing through the Computer:
The Parallel Simulation Technique
3. SUBSTANTIVE TESTING
• Substantive testing is an audit procedure that examines
the financial statements and supporting documentation
to see if they contain errors.
• These tests are needed as evidence to support the
assertion that the financial records of an entity are
complete, valid, and accurate.
• Focuses on financial data.
• Involves a detailed investigation of specific account
balances and transaction amounts.
• Substantive testing involves:
1. Performing substantive tests
2. Evaluating results
3. Issuing auditor’s report
Substantive Testing Techniques
• Search for unrecorded liabilities.
• Confirm accounts receivable to ensure they
are not overstated.
• Determine the correct value of inventory,
and ensure they are not overstated.
• Determine the accuracy of accruals for
expenses incurred, but not yet received (also
revenues if appropriate), etc.

Summary on Structure/Phases of an EDP/IT Audit
Effect of EDP on Auditing
• Does/May the fundamental nature of auditing have
to change to cope with the new technology-EDP for
auditors in providing a competent, independent
evaluation as to the correspondence between some
set of economic activities and established standards
or criteria?
• EDP systems have impacted the two basic functions
of auditing: evidence collection and evidence
evaluation.

Changes to Evidence Collection
• Collecting evidence on the reliability of an EDP system is more
complex than in a manual system.
• This is due to the diverse and complex range of internal control
technology that did not exist in manual systems.
– For example, hardware controls for accurate and complete operation
of a disk drive, system development controls that include procedures
for testing programs, that would not be found in the manual system.
– Auditors must understand these controls if they are to be able to
collect evidence completely on the reliability of the controls.
– Understanding the control technology is not easy. Also, with the rapid
evolvement of the hardware and software the associated controls
evolve rapidly. Example: cryptographic controls to protect the privacy
of data where auditors must keep up with these developments if they
are to be able to evaluate the reliability of communications networks.

Changes to Evidence Collection (cont.)
• The continuing evolution of control technology also makes it more
difficult for auditors to collect evidence on the reliability of controls.
• It may be impossible for the auditors to obtain the evidence using
manual means.
• Thus, auditors need EDP systems themselves if they are to be able
to collect the necessary evidence.
• The development of generalized audit software occurred, for
example, because auditors needed access to data maintained on
magnetic media.
• Similarly, new audit tools may be required in due course to evaluate
the reliability of controls in data communication networks.
• Unfortunately the development of these tools usually lags the
development of the technology that must be evaluated.
• In the meantime, auditors are forced to compromise in some way
when they perform the evidence collection function.
Changes to Evidence Evaluation
• Given the increased complexity of EDP systems and internal
control technologies, it is also more difficult for auditors to
evaluate the consequence of control strengths and
weaknesses for the overall reliability of systems.
• First, auditors must understand when a control is acting
reliably or malfunctioning.
• Next, they must be able to trace the consequences of the
control strength or weakness through the system – for
example, in a shared data environment where a single input
transaction may update multiple data items used by different
users, though a difficult task, auditors must be able to trace
the consequence of an error in the input for all users.
• This creates stress for auditors when they perform the audit
evidence evaluation function for computer systems.
Changes to Evidence Evaluation (cont.)
• The consequences of errors in a computer system can be more serious
than in a manual system: errors in a computer system tend to be
deterministic (an erroneous program always executes incorrectly),
whereas errors in manual systems tend to occur stochastically (for
example, periodically a clerk prices an inventory item incorrectly).
• Moreover, errors are generated at high speed, and the cost to
correct and rerun programs may be high. Whereas, fast feedback
can be provided to clerks if they make errors, errors in computer
programs can involve extensive redesign and reprogramming.
• Thus, internal controls that ensure high-quality computer systems
are designed, implemented and operated are critical.
• The onus is on the auditors to ensure these controls are sufficient
to maintain asset safeguarding, data integrity, system
effectiveness, and system efficiency and that they are in place
and working.
INTERNAL CONTROLS

1.3. General Controls and Application Controls Reviews
and
1.4. Examples of How General and Application Controls Interact
INTERNAL CONTROLS: OBJECTIVES, PRINCIPLES AND
MODELS
• What is an internal control system?
• Internal control comprises policies, practices, and procedures to achieve four
broad objectives.
1. To safeguard assets of the firm
2. To assure the accuracy and reliability of accounting records and
information (Integrity of information)
3. To promote efficiency /effectiveness in the firm’s operations.
4. To measure and evaluate compliance with management’s prescribed
policies and procedures.
• Internal control is designed and implemented by management to address
business and fraud risks that threaten the achievement of stated objectives.
• Internal control can be designed to prevent potential misstatements from
occurring in the first place or detect and correct misstatements after they
have occurred.
• The auditor’s primary consideration is whether, and how, a specific control
prevents, or detects and corrects errors, irregularities and material
misstatements rather than its classification into any particular internal
control component.
INTERNAL CONTROLS PRINCIPLES
• Internal Control Principles are tenets/ beliefs /views that guide the design and audit
of internal control systems.
• These are:
1. Management Responsibility: The establishment and maintenance of a system of
internal controls is management’s responsibility.
2. Methods of Data Processing: The internal control system should achieve its
objectives regardless of the data processing method.
3. Limitations: Every system of internal control has limitations on its effectiveness
due to
• Errors
• Circumvention and Management Override
• Changing Conditions
4. Reasonable Assurance
• The internal control system should provide reasonable assurance that
objectives of internal control are met
• Reasonableness means that the cost of achieving improved controls should not
outweigh its benefits
• Immaterial weaknesses of controls are not worth fixing under the principle of
reasonable assurance
INTERNAL CONTROLS MODELS
PDC CONTROL MODELS
• Under the PDC (Preventive Detective and Corrective) control model, controls are
structured in three levels.
• These are
1. Preventive Controls
• Are the first line of defense
• Are passive techniques designed to reduce the frequency of occurrence of
undesirable events
• An ounce of prevention is worth a pound of cure
2. Detective Controls
• Are the second line of defense
• Are devices, techniques and procedures designed to identify and expose
undesirable events that elude/escape preventive controls
• Reveal specific types of errors by comparing actual occurrences to pre-
established standards
3. Corrective Controls
• Corrective actions must be taken to reverse the effects of detected errors
• An immediate corrective response may result in incorrect action that worsens
the problem beyond the original error
COSO INTERNAL CONTROL FRAMEWORK
• Committee of Sponsoring Organization (COSO) internal
control framework
• Is a standard for assessing internal controls by internal
and external auditors.
• Formed by five professional organizations:
• the Institute of Internal Auditors (IIA)
• the American Institute of Certified Public Accountants (AICPA)
• the Financial Executives Institute (FEI),
• the American Accounting Association (AAA) and
• the Institute of Management Accountants (IMA).
• COSO refers to these five professional auditing and
accounting organizations that formed a committee to
develop the Internal Control—Integrated Framework in
1992.
COMPONENTS OF COSO INTERNAL CONTROL
FRAMEWORK
• COSO internal control framework consists of 5 components: Control
Environment, Risk Assessment, Information and Communication, Monitoring
and Control Activities.
• The division of internal control (system/structure) into these five components
provides a useful framework for auditors in understanding the different
aspects of an entity’s internal control system.

COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK (CONT.)
1. The Control Environment:
• The auditor should obtain an understanding of the control environment.
• Refers to the attitude and awareness of the organization’s management, BODs and owners regarding internal control.
• Involves reviewing the integrity and ethical values of management, the procedures for delegating responsibility and authority…
2. Risk Assessment
• Refers to the system used by organizations to identify, analyze and manage risks
• The auditor should obtain an understanding of the entity’s process for identifying risks and deciding about actions to address those risks, and the results thereof.
• Matters the auditor should consider are how management:
 Identifies risks;
 Estimates the significance of the risks;
 Assesses the likelihood of their occurrence; and
 Decides upon actions to manage them.
• If a material weakness exists in the entity’s risk assessment process,
COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK (CONT.)
3. Information and Communication
• Refers to the system that consists of the records and methods used to initiate, identify, analyze and record the organization’s transactions and to account for the related assets and liabilities
• The auditor should obtain an understanding of the information system, including the related business processes, in the following areas:
 The classes of transactions in the entity’s operations
 The procedures by which those transactions are initiated, recorded, processed and reported.
 The related accounting records, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions.
 How the information system captures events and conditions other than classes of transactions.
 The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.
• The focus is on sources of information, information processing and uses of the information produced.
COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK (CONT.)
5. Monitoring: refers to the process by which the quality of internal control design and operation can be assessed.
• The auditor should obtain an understanding of the major types of activities that the entity uses to monitor internal control, including those related to control activities relevant to the audit, and how the entity initiates corrective actions to its controls.
• Monitoring assesses the effectiveness of the internal control’s performance over time. The objective is to ensure the controls are working properly and, if not, to take necessary corrective actions.
• Monitoring provides feedback to management on whether the internal control system they have designed to mitigate risks is:
 Effective in addressing the stated control objectives;
 Properly implemented and understood by employees;
 Being used and complied with on a day-to-day basis; and
 In need of modification or improvement to reflect changes in conditions.
COMPONENTS OF COSO INTERNAL CONTROL FRAMEWORK (CONT.)
4. Control Activities
• Refers to the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks and attain its objectives.
• The objectives of an organization can only be achieved if management sets up a system of internal control.
• Control activities are grouped into physical controls and information technology (IT) controls (General and Application).
• The following slides address the control activities in detail.
CONTROL ACTIVITIES: PHYSICAL CONTROLS AND IT CONTROLS (APPLICATION AND GENERAL CONTROLS)
CONTROL ACTIVITIES (CONT.)
1. Physical Controls
• Relate to human activities employed in (accounting) systems.
• Can be purely manual, such as the physical custody of assets, or may involve the physical use of computers to record transactions or update accounts.
• Focus on people but are not limited to manual systems.
• The following are the types of physical control activities, the major traditional components of an internal control system:
 Separation/segregation of duties,
 Clear delegation of authority and responsibility,
 Recruitment and training of high-quality personnel,
 A system of (transaction) authorization,
 Adequate documents and records/accounting records,
 Physical control over assets and records/access controls,
 Management supervision,
 Independent checks on performance/independent verification, and
 Periodic comparison of recorded accountability with assets.
• In an EDP system these components must still exist.
• However, the use of EDP affects the implementation of these components in several ways.
• The following slides briefly examine the major areas of this impact.
Separation of Duties
• Separation/segregation of duties
– Involves separating duties so as to minimize incompatible functions
– Is based on 2 principles:
1. The authorization of a transaction must be separated from the processing of the transaction
2. The responsibility for asset custody should be separate from the record-keeping responsibility
– In the manual system, separate individuals should be responsible for initiating transactions, recording transactions, and custody of assets (incompatible functions) to prevent and detect errors and irregularities.
– In the computer system, however, the traditional notion of separation of duties does not always apply.
– The computer program performs functions that in the manual system would be considered incompatible.
– Separation of duties in a computerized system must exist in a different form.
• Once it has been determined that the computer program executes correctly, the capacity to run the program in production mode and the capacity to change the program must be separated.
Delegation of Authority and Responsibility
• A clear line of authority and responsibility is an essential control in both manual and computer systems.
• In a computer system, however, delegating authority and responsibility in an unambiguous way may be difficult because some resources are shared among multiple users, for example, a database management system that provides multiple users with access to the same data.
• In this case it is not easy to trace who is responsible for corrupting the data, and who is responsible for identifying and correcting the error.
• One solution might be designating a single user as the owner of the data, who assumes ultimate responsibility for the integrity of the data.
Competent and Trustworthy Personnel
• Highly skilled, competent and trustworthy personnel are needed to develop, modify, maintain and operate the computer systems used to process an organization’s data.
• Assuring this is a difficult task because of:
– Shortage of well-trained, skilled and experienced personnel, so that organizations compromise in their choice of staff
– Difficulty in assessing the competence and integrity of EDP staff; it is not easy to evaluate staff skills because the rapid evolution of technology inhibits management’s ability to do so.
– High turnover in the data processing industry
– Lack of a well-developed system of ethics for data processing personnel – individuals who delight in subverting controls.
System of Authorization (to execute transactions)
• Transaction authorization: a system of (transaction) authorization
• Ensures that all material transactions processed are valid and in accordance with management’s objectives
• There are two types of authorization: General and Specific
1. General authority: granted to operations personnel to perform day-to-day activities/routine transactions. General authorizations establish policies for the organization to follow; example: a fixed price list issued for personnel to use when products are sold.
2. Specific authority: granted to management/the BoD to make case-by-case decisions associated with non-routine transactions. Specific authorizations apply to individual transactions; example: acquisitions of major capital assets may have to be approved by the board of directors.
• In the manual system, auditors evaluate the adequacy of procedures for authorization by examining the work of employees.
• In a computerized system authorizations are often embedded within a computer program.
– For example, the order entry module in a sales system may determine the price to be charged to a customer.
– In this case, when evaluating the adequacy of authorization procedures, auditors have to examine not only the work of employees but also the veracity of program processing.
Adequate Documents and Reports (Accounting records)
• Accounting records include source documents, journals and ledgers that capture the economic essence of transactions and provide an audit trail of economic events
• Enable tracing a transaction through all phases of its processing, from the initiation of the event to its inclusion in the financial statements
• In the manual system, adequate documents and records are necessary to provide an audit trail of activities.
• In a computerized system, documents may not be used to support the initiation, execution, and recording of some transactions.
– For example: an online order entry system, or transactions activated automatically, such as by an inventory replenishment program.
– No visible audit or management trail may be available to trace the transactions
– This would not be a problem if the system is designed to maintain a record of all events and there is a means of accessing these records.
Physical Controls over Assets and Access Controls
• Access controls ensure that only authorized personnel have access to the firm’s assets
• Access to assets can be Direct Access (access to the assets directly, controlled by physical security devices such as locks, safes and electronic and infrared alarm systems) or Indirect Access (access to the records and documents that control the use, ownership and disposition of assets).
• Computer systems concentrate the data processing assets and records.
– For example, in a manual system, a person wishing to perpetrate a fraud may have needed access to records that were maintained at different locations.
– In a computer system, however, all the necessary records may be maintained at a single site, so there is no need to go to physically disparate locations to execute the fraud.
• This concentration of data processing assets and records also increases the loss that can arise from computer abuse or a disaster.
– For example, a fire that destroys a computer room may result in the loss of all major master files in an organization.
– If the organization does not have suitable backup, it may be unable to continue operation.
Adequate Management Supervision
• Supervision is a compensating control used in small organizations where segregation is impossible due to a lack of sufficient personnel
• In a manual system, management supervision of employee activity is relatively straightforward because the managers and the employees are often at the same physical location.
• In computer systems, however, data communications may be used to enable employees to be closer to the customers they serve.
• Thus, the supervision of employees may have to be carried out remotely.
• Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry.
• Computer systems also make the activities of employees less visible to management, as many activities are performed electronically.
• Managers must ensure they periodically access the audit trail of employee activities and examine it for unauthorized actions.
• Again, the effectiveness of observation and inquiry as controls has decreased.
Independent Checks/Verification on Performance
• Independent verification consists of independent checks of the (accounting) system to identify errors and misrepresentations
• Verification is not supervision
• In a manual system, independent checks are carried out because employees are likely to forget procedures, make mistakes, become careless, etc.
• Checks by an independent person help to detect any errors or irregularities.
• In a computer system, provided that the program code is authorized, accurate and complete, the system will always follow the designated procedures.
• Thus, independent checks on the performance of programs are unnecessary.
• Instead, the control emphasis shifts to assuring the veracity of the program code.
• Insofar as many independent checks on performance are no longer appropriate, auditors must now evaluate the controls established for program development, modification and maintenance.
Comparing Recorded Accountability with Assets
• Periodically, data and the assets that the data purport to represent should be compared to determine whether incompleteness or inaccuracies in the data exist or shortages in the assets have occurred.
• In the manual system, independent staff prepare the basic data used for comparison purposes.
• In a computer system, however, programs are used to prepare this data.
• If unauthorized modifications occur to the programs or the data files that the programs use, an irregularity may not be discovered.
• Again, internal controls must be implemented to ensure the veracity of program code, since traditional separation of duties no longer applies to the data being prepared for comparison purposes.
IT CONTROLS (APPLICATION AND GENERAL)
• The auditor should obtain an understanding of how the entity has responded to risks arising from IT.
• IT controls are useful to mitigate these risks.
• Regardless of size, there are a number of risk factors relating to IT management that, if not mitigated, could result in a material misstatement.
• The two types of IT controls (control activities) that need to work together to ensure complete and accurate information processing are Application and General.
1. Application Controls
• Ensure validity, completeness, and accuracy
• Are application specific: input, process and output
• Application reviews (testing application controls):
• Black box approach: understanding flowcharts, input procedures, and output results
• White box approach: understanding the internal logic of the application
2. General Controls include controls over:
• IT governance,
• IT infrastructure,
• Security and access to operating systems and databases,
• Application/system acquisition and development, and
• Program change procedures
IT CONTROL CLASSIFICATION
• By Setting
– General
– Application
• Input
• Processing
• Output
• By Risk Aversion
– Preventive
– Detective
– Corrective
Application Controls
• These controls are automated controls that relate specifically to applications (such as sales processing or payroll).
• IT application controls relate to how specific transactions are processed at the business process level.
• IT application controls relate to the particular software application that is used at the business process level.
• Application controls can be preventive or detective in nature and are designed to ensure the integrity of the (accounting) records/information.
• Typical application controls relate to procedures used to initiate, record, process, and report transactions or other financial data.
• These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
Application Controls (cont.)
• Application controls pertain directly to the transaction processing systems.
• The objectives of application controls are to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported.
• Application controls are subdivided into input, processing and output controls.
Input Controls
• Input Controls attempt to ensure the validity, accuracy, and completeness of the data entered into an (A)IS.
• Input controls may be subdivided into:
– Data Observation and Recording
– Data Transcription (Batching and Converting)
– Edit Tests of Transaction Data
– Transmission of Transaction Data
Detailed coverage of Input Controls in Chapter Five
Processing Controls - Objectives
• Processing Controls help assure that data are processed accurately and completely, that no unauthorized transactions are included, that the proper files and programs are included, and that all transactions can be easily traced.
• Categories of processing controls include Manual Cross-checks, Processing Logic Checks, Run-to-Run Controls, File and Program Checks, and Audit Trail Linkages.
Detailed coverage of Processing Controls in Chapter Six
Output Controls
• Outputs should be complete and reliable and should be distributed to the proper recipients.
• Two major types of output controls are:
– validating processing results
– regulating the distribution and use of printed output
Detailed coverage of Output Controls in Chapter Seven
Auditor Tasks
• Identify significant application components and the flow of transactions
• Identify and test the controls and evaluate their effectiveness
• Analyze the test results to determine whether controls work as expected
General Controls
• General Controls pertain to all activities involving an organization’s (A)IS and resources (assets).
• These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls.
• General information technology (IT) controls focus on how IT operations are managed across the entity.
• The following is an outline of the General IT controls.
General Controls (cont.)
• IT Control Environment
– The IT governance structure: a structure to help align IT strategy with business strategy
– How IT risks are identified, mitigated, and managed.
– The information system, strategic plan, and budget.
– IT policies, procedures, and standards.
– The organizational structure and segregation of duties.
General Controls (cont.)
• Day-to-day Computer Operations
– Acquisition, installation, configuration, integration, and maintenance of the IT infrastructure.
– Delivery of information services to users.
– Management of third-party providers.
– Use of (operating) system software, security software, database management systems, and utilities.
– Incident tracking, system logging/classification, and monitoring functions.
General Controls (cont.)
• Access to Programs and Data
– Security of passwords.
– Internet firewalls and remote access controls.
– Data encryption and cryptographic keys.
– User accounts and access privilege controls.
– User profiles that permit or restrict access.
– Revoking employee passwords and user IDs when employees resign or are terminated.
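A detective test of the last control above, revoking user IDs when employees resign or are terminated, as an added Python example that is not part of the original slides: it reconciles an account listing against the HR roster and flags accounts of leavers that were never revoked or were used after the leaving date. The account and HR record layouts and all sample data are constructed assumptions.

```python
"""Added example (not from the original slides): reconcile system accounts
against the HR roster to test the 'revoke user IDs when employees leave'
general control. Record layouts and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    emp_no: str                 # employee number the account is assigned to
    enabled: bool
    last_logon: Optional[date]  # None if the account has never been used


@dataclass(frozen=True)
class Employee:
    emp_no: str
    left_on: Optional[date]     # None while still employed


def sample_data() -> Tuple[List[Account], List[Employee]]:
    """Constructed data: one leaver whose account was never revoked (and was
    used after the leaving date), one revoked in time, one orphan account."""
    roster = [
        Employee("E001", None),                 # current employee
        Employee("E002", date(2024, 3, 15)),    # resigned
        Employee("E003", date(2024, 5, 1)),     # terminated
    ]
    accounts = [
        Account("alice", "E001", True, date(2024, 6, 1)),
        Account("bob", "E002", True, date(2024, 3, 20)),     # leaver: enabled, used after leaving
        Account("carol", "E003", False, date(2024, 4, 28)),  # leaver: revoked, last use before leaving
        Account("svc_backup", "E999", True, None),           # owner not on the HR roster
    ]
    return accounts, roster


def reconcile_accounts(accounts: List[Account],
                       roster: List[Employee]) -> List[Tuple[str, str]]:
    """Return (user_id, issue) pairs for every account failing the revocation
    control. An empty list means the listing reconciles with HR."""
    by_emp = {e.emp_no: e for e in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        emp = by_emp.get(acct.emp_no)
        if emp is None:
            # Nobody on the roster owns it: no one is accountable for its use.
            findings.append((acct.user_id, "no matching employee on HR roster (orphan account)"))
            continue
        if emp.left_on is None:
            continue  # current employee: nothing to revoke
        if acct.enabled:
            findings.append((acct.user_id, f"still enabled after employee left on {emp.left_on}"))
        if acct.last_logon is not None and acct.last_logon > emp.left_on:
            # Evidence the control failed in operation, not only in design.
            findings.append((acct.user_id,
                             f"logged on {acct.last_logon}, after leaving date {emp.left_on}"))
    return findings


if __name__ == "__main__":
    for user_id, issue in reconcile_accounts(*sample_data()):
        print(f"{user_id}: {issue}")
```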
General Controls (cont.)
• Program Development and Program Changes
– Acquisition and implementation of new applications.
– System development and quality assurance methodology.
– The maintenance of existing applications, including controls over program changes.
• Monitoring of IT Operations
– Policies and procedures regarding the information system and reporting that ensure that users comply with IT general controls and that IT is aligned with business requirements.
Objectives and Controls: Example
• Program Development and Program Changes - The maintenance of existing applications, including controls over program changes.
– Systems maintenance objectives:
• detect unauthorized program maintenance and determine that...
– maintenance procedures protect applications from unauthorized changes
– applications are free from material errors
– program libraries are protected from unauthorized access
– Controls:
• authorization requirements for program maintenance
• appropriate documentation of changes
• adequate testing of program changes
• reconciling program version numbers
• review of the programmer authority table
• test of the authority table
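Two of the controls listed above, reconciling program version numbers and reviewing the programmer authority table for the separation the Separation of Duties slide requires (the capacity to change a program kept apart from the capacity to run it in production), worked as an added Python example that is not from the original slides. The library layout, change register fields, authority table and all sample data are constructed assumptions; the example also goes one step beyond the slide by hashing program content, since a version number alone cannot reveal a change that keeps the approved number.

```python
"""Added example (not from the original slides): test program change controls
by reconciling the production library against the approved change register and
checking the programmer authority table. All data here is constructed."""
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(source: str) -> str:
    """Content hash of a program: the reconciliation key a version number lacks."""
    return hashlib.sha256(source.encode()).hexdigest()


# Constructed production program library: name -> (version number, source text).
PRODUCTION: Dict[str, Tuple[str, str]] = {
    "payroll":  ("3.2", "compute_pay(hours, rate)\nwithhold_tax()\nround_up_cents()\n"),
    "ar_aging": ("1.0", "age_receivables(days=30)\n"),
    "gl_post":  ("2.1", "post_journal()\n"),
}

# Constructed change register: the only versions management authorized, with the
# content hash recorded when each change was approved and tested.
CHANGE_REGISTER: List[Dict[str, object]] = [
    {"program": "payroll", "version": "3.2", "change_id": "CR-101", "tested": True,
     "sha256": sha256_hex("compute_pay(hours, rate)\nwithhold_tax()\n")},
    {"program": "ar_aging", "version": "1.0", "change_id": "CR-090", "tested": True,
     "sha256": sha256_hex("age_receivables(days=30)\n")},
    # gl_post was approved only up to 2.0; the 2.1 in production has no record.
    {"program": "gl_post", "version": "2.0", "change_id": "CR-077", "tested": False,
     "sha256": sha256_hex("post_journal_v2()\n")},
]

# Constructed programmer authority table: user -> rights granted.
AUTHORITY_TABLE: Dict[str, Set[str]] = {
    "dev7": {"modify_program"},
    "ops1": {"run_production"},
    "lead": {"modify_program", "run_production"},  # incompatible combination
}


def reconcile_library(production: Dict[str, Tuple[str, str]],
                      register: List[Dict[str, object]]) -> List[str]:
    """Compare every production program with the approved change register.
    Returns one finding per exception; an empty list means the library reconciles."""
    approved = {(r["program"], r["version"]): r for r in register}
    findings: List[str] = []
    for name, (version, source) in sorted(production.items()):
        rec = approved.get((name, version))
        if rec is None:
            # Version in production that management never authorized.
            findings.append(f"{name} {version}: no approved change record for this version")
            continue
        if not rec["tested"]:
            findings.append(f"{name} {version}: {rec['change_id']} lacks test evidence")
        if sha256_hex(source) != rec["sha256"]:
            # Version numbers reconcile, yet the program is not the approved copy.
            findings.append(f"{name} {version}: version matches {rec['change_id']} "
                            "but program content differs from the approved copy")
    return findings


def sod_violations(table: Dict[str, Set[str]]) -> Set[str]:
    """Users who can both change programs and run them in production."""
    incompatible = {"modify_program", "run_production"}
    return {user for user, rights in table.items() if incompatible <= rights}


if __name__ == "__main__":
    for finding in reconcile_library(PRODUCTION, CHANGE_REGISTER):
        print(finding)
    print("authority table violations:", sorted(sod_violations(AUTHORITY_TABLE)))
```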
Individual Assignment (5%)
• Identify at least one specific General IT control activity from each of the following categories and determine its objectives and controls.
– IT Control Environment
– Day-to-day Computer Operations
– Access to Programs and Data
– Program Development and Program Changes
– Monitoring of IT Operations
CobiT FRAMEWORK
• CobiT: Control Objectives for Information and Related Technologies
• What is CobiT?
• Is an internal control framework
• Is a support tool for documenting and understanding COSO controls
• Is a tool for documenting, reviewing and understanding internal controls
• Why CobiT?
• You may ask “I understand and use the COSO internal control framework; why another framework?”
• CobiT provides an alternative approach to defining and describing internal controls that has more of an IT emphasis than COSO
• The capitalized C and T show its emphasis on Controls and Technology.
Areas of Internal Controls under CobiT Framework
• There are 5 broad areas of internal controls under the CobiT Framework, with an emphasis on IT governance:
1. Strategic alignment
2. Value delivery
3. Resource management
4. Risk management
5. Performance Measurement
CobiT Areas of Controls
1. Strategic Alignment
• Focuses on the linkage of business and IT plans
• Deals with defining, maintaining, and validating the IT value proposition
• Aligns IT operations with enterprise operations
2. Value Delivery
• Is about executing the value proposition
• Ensures that IT delivers the promised benefits against strategy
• Concentrates on optimizing costs and proving the intrinsic value of IT
3. Resource Management
• Is about the optimal investment in, and proper management of, critical IT resources: applications, information, infrastructure and people
• Key issues relate to optimization of knowledge and infrastructure
CobiT Areas of Controls
4. Risk Management
• Requires:
• risk awareness by senior corporate officers
• a clear understanding of the enterprise’s appetite for risk
• understanding of compliance requirements
• transparency about significant risks to the enterprise, and embedding of risk management responsibilities in the organization
5. Performance Measurement
• Tracks and monitors strategy implementation, project completion, resource usage, process performance, and service delivery using performance measures such as the Balanced Scorecard
Basic CobiT Principles
• Business processes provide the requirements to build and construct IT processes, and IT provides the information necessary to operate those business processes.
CobiT Framework [CobiT cube]
1. IT Resources
• IT resources consist of 4 components
1. Applications
• Consist of both automated user systems and manual procedures to process information
2. Information
• Includes the data input, output and processed for use by business processes
3. Infrastructure
• Consists of technology and facilities, including hardware, operating systems, databases, networks, and the environment that houses and supports the IT resources
4. People
• Consists of specialized personnel to plan, organize, acquire, implement, support, monitor and evaluate the IS and services
2. IT Processes
• IT processes consist of 3 segments (CobiT structure)
1. Domains
• There are 4 specific domain areas representing organizational areas of responsibility
a) Planning and Organization (PO)
• Refers to the strategies and tactics that allow IT to best contribute to and support the business objectives of the enterprise.
Define a Strategic IT Plan
Define the Information Architecture
Determine the Technological Direction
Define the IT Organization and Relationships
Manage the IT Investment
Communicate Management Aims and Direction
Manage Human Resources
Ensure Compliance with External Requirements
Assess Risks
Manage Projects
Manage Quality
2. IT Processes
b) Acquisition and Implementation
• Refers to identifying, developing or acquiring IT solutions and implementing and integrating them with business processes
Identify Solutions
Acquire and Maintain Application Software
Acquire and Maintain Technology Architecture
Develop and Maintain IT Procedures
Install and Accredit Systems
Manage Changes
c) Delivery and Support
• Refers to both applications and infrastructure tools actually delivering the required services
Define Service Levels
Manage Third-Party Services
Manage Performance and Capacity
Ensure Continuous Service
Ensure Systems Security
Identify and Attribute Costs
Educate and Train Users
Assist and Advise IT Customers
Manage the Configuration
Manage Problems and Incidents
Manage Data
Manage Facilities
Manage Operations
2. IT Processes
d) Monitoring and Evaluation
• Refers to control processes including quality and compliance monitoring as well as external and internal audit evaluations.
Monitor the Processes
Assess Internal Control Adequacy
Obtain Independent Assurance
Provide for Independent Audit
2. Processes
• Are series of joined activities with natural control breaks.
3. Activities
• Are actions needed to achieve measurable results.
3. Business Requirements
• Business requirements have 7 components
1. Effectiveness
2. Efficiency
3. Confidentiality
4. Integrity
5. Availability
6. Compliance
7. Reliability
Systems Development Audits - Assignment (6%)
• Issues and Contents to be Addressed
– Systems Development Life Cycle – Overview
– Controlling/Controls over New System Development
– Auditing the Systems Development Process: Audit Objectives and Procedures
End of Chapter One