
ISA - Lecture 5

Uploaded by

okuhlembulaz53

Information Systems Audit (ISA)

ISTN103 Lecture 5

Lecturer:
Simeon Ambrose Nwone
Email: [email protected]
Lecture 5 outline
• Understanding Internal Controls and definition
• Fundamental objectives of any business organization
• Types of Internal Control
• Characteristics of good Internal Control
• Components of Internal Control
Internal Controls
• In order to carry out an ISA on an entity, the auditor must have an
understanding of the internal controls relevant to the audit.
• Without an understanding of internal controls, the auditor would not
be able to carry out an effective audit.
• It follows that if the systems in place and internal controls are ‘good’,
the information produced by the system will also be ‘good’.
Definition of Internal Control
• Before we define internal control, it is important to identify the
fundamental objectives of any business organization:
  • reliability and integrity of information
  • compliance with applicable policies, plans, procedures, laws and regulations
  • safeguarding of assets
  • effectiveness and efficiency of operations
  • achievement of desired outcomes
• These objectives were used by the Committee of Sponsoring
Organizations (COSO) in defining internal control as a process used in
an organization to provide reasonable assurance regarding the
achievement of the above stated objectives, for which all businesses
strive.
• According to COSO, the five components that can assist management
in achieving business objectives are:
  • sound control environment
  • sound risk assessment process
  • sound operational control activities
  • sound information and communications systems
  • effective monitoring
• Hence, a comprehensive definition:
  • Internal control refers to the entire set of controls established by the
  management of an entity in order to provide reasonable assurance that the
  operations of the entity are legal, economic, efficient, effective and
  transparent; that the strategic and other plans are implemented; that assets
  are safeguarded; that financial information and reporting are reliable and
  exhaustive; that contractual liabilities to third persons are satisfied and that
  all identified risks are managed.

• Important aspects of internal control identified from the above
definition are:
  • Internal control refers to processes that involve a collection of policies,
  procedures and activities adopted by management to achieve certain goals.
  • Internal control provides only reasonable, not absolute assurance that
  management's goals will be achieved.
Types of Internal Control
• Internal Control can be classified into various types. It is the
combination of these controls that makes up the overall system of
internal controls designed to achieve the general control objectives.
Such controls can be classified into:
• Preventive controls. These could include controls such as restrictions
on users, requirements for passwords, and separate authorization of
transactions.
• Detective controls, which detect irregularities after occurrence and
may be cheaper than checking every transaction with a preventive
control.
• Corrective controls ensure the correction of problems identified by
detective controls and normally require human intervention within the IS.
These include processes such as Disaster Recovery Plans and transaction
reversal capabilities.
• Directive controls are designed to produce positive results and encourage
acceptable behaviour. They do not themselves prevent undesirable
behaviour and are normally used where there is human discretion in a
situation. For example, instructing users of personal computers that backing
up their files is their responsibility does not enforce compliance.
Nonetheless, such a directive control can be monitored, and action taken
where the control is breached.
• Compensating controls can be seen to exist where a weakness in one
control may be compensated by a control elsewhere. They are used to limit
risk exposure and may trap the incautious evaluator. This is particularly true
where auditors are faced with complex integrated systems and the control
structures involve a mixture of system-driven and human controls scattered
over a variety of operational areas.
Characteristics of good Internal Control
• In view of the overall control objectives, control structures must be designed
to ensure the following: segregation of duties; competence and integrity of
people; appropriate levels of authority; accountability; adequate
resources; supervision and review. Let us now look at each of these.
• Segregation of duties (SOD)
  • SOD is a vital component of virtually any organization's internal control
  system. SOD are controls designed to ensure that no single individual
  inappropriately handles all aspects of a transaction or business process,
  helping to prevent employees from committing errors or engaging in
  fraudulent activity. Internal auditors are often charged with reviewing
  employee tasks and transactions to identify potential SOD conflicts and
  make recommendations to minimize their impact.
• Competence and reliability of personnel
  • People are a fundamental component of internal control; therefore,
  personnel involved in the internal control system must be competent
  to fulfil their functions honestly and reliably. Without competent,
  trustworthy personnel the best internal controls can be circumvented.
  • This implies that having users follow procedures is not the ideal
  situation in a modern Information Systems environment; a high
  degree of risk and control awareness is required to ensure that
  controls function as intended. This characteristic is achieved through
  the implementation of proper recruitment of personnel and training
  policies.
• Appropriate levels of authority
  • A common mistake in control structures is the granting of too much authority
  within control boundaries. Authorities should only be granted on a
  ‘need-to-have’ basis. If there is no need for a particular individual to have
  specific authorities, they should not be granted. This obviously requires
  effort from those individuals who assign authorities to critically identify
  which levels of authority are needed and which are simply desired.
• Accountability
  • For all decisions, transactions made, and actions taken, there must be controls
  of accountability, i.e. controls that will allow the determination of who did
  what, when, and how, with an acceptable degree of confidence. This often
  involves the use of control logs and audit trails. Audit trails are records of user
  activity, which may be maintained by the operating system and/or by
  application systems such as enterprise systems. Operating system audit trails
  record user actions to the level of including successful and failed logins,
  programs executed, and resources consumed.
• Adequate resources
  • Controls that are implemented with inadequate resources will
  typically fail whenever they come under stress. Adequate resources
  include manpower, finance, equipment, materials, and
  methodologies. Management frequently underestimates the cost of
  the resources needed to implement controls, and IS auditors commonly
  recommend controls without giving thought to their cost or to the
  lack of resources to implement them.
• Supervision and review
  • Adequate supervision is fundamental to the implementation of sound
  internal control. Unfortunately, people rarely choose to do
  what is expected, but often do what is inspected.
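
The segregation of duties and accountability points above can be checked mechanically once entitlements and an audit trail are available. The following is an added example, not part of the original lecture: it flags potential SOD conflicts (one user granted both sides of a conflicting pair) and actual violations (one user performing both actions on the same transaction, as recorded in the audit trail). The duty names, users and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed policy: pairs of duties that one person should not combine.
CONFLICTING_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("initiate_payment", "approve_payment"),
]

# Constructed entitlements: user -> duties granted.
ENTITLEMENTS = {
    "alice": {"create_vendor", "initiate_payment"},
    "bob": {"approve_payment"},
    "carol": {"initiate_payment", "approve_payment"},
}

# Constructed audit trail: (timestamp, user, action, transaction id).
AUDIT_TRAIL = [
    ("2024-03-01T09:00", "alice", "initiate_payment", "TX-1"),
    ("2024-03-01T09:30", "bob", "approve_payment", "TX-1"),
    ("2024-03-02T10:00", "carol", "initiate_payment", "TX-2"),
    ("2024-03-02T10:05", "carol", "approve_payment", "TX-2"),
    ("2024-03-03T11:00", "carol", "initiate_payment", "TX-3"),
    ("2024-03-03T11:20", "bob", "approve_payment", "TX-3"),
]

def potential_conflicts(entitlements, rules):
    """Users whose granted duties include both sides of a conflicting pair."""
    return sorted(
        (user, a, b)
        for user, duties in entitlements.items()
        for a, b in rules
        if a in duties and b in duties
    )

def actual_violations(trail, rules):
    """Transactions where one user performed both conflicting actions."""
    done = defaultdict(set)  # (transaction, user) -> actions performed
    for _ts, user, action, tx in trail:
        done[(tx, user)].add(action)
    return sorted(
        (tx, user, a, b)
        for (tx, user), actions in done.items()
        for a, b in rules
        if a in actions and b in actions
    )

if __name__ == "__main__":
    for user, a, b in potential_conflicts(ENTITLEMENTS, CONFLICTING_DUTIES):
        print(f"potential: {user} holds {a} + {b}")
    for tx, user, a, b in actual_violations(AUDIT_TRAIL, CONFLICTING_DUTIES):
        print(f"violation: {user} did {a} + {b} on {tx}")
```

A potential conflict is a finding about how authority was granted; an actual violation is evidence from the audit trail that the conflicting duties were exercised together.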
Five Components of Internal Control that Assist Management in Achieving Business Objectives
• Sound Control Environment
  • Firstly, a control environment may be defined as the overall infrastructure
  within which the other control elements will function; it establishes the
  conditions under which the rest of the Internal Controls will operate.
  • A sound control environment is a function of management’s philosophy and
  operating style, which are reflected in the quality of the employees who
  implement it, such as employees possessing integrity, ethical values, and
  competence.
  • After assigning authority and responsibility to available human resources,
  training and development of people to the required standard is also
  essential to ensure their competence in exercising control.
• Sound Risk Assessment Process:
  • This process requires the implementation of an awareness of risks and
  obstacles to the achievement of business objectives and the
  development of strategies to deal with them.
• Sound Operational Control Activities:
  • Such activities involve the establishment and execution of sound
  policies and procedures aimed at ensuring effective implementation of
  actions identified as appropriate to address the risks by management.
• Sound information and communications systems:
  • Since information systems promote the running and control of a
  business by producing reports that contain operational-, financial-, and
  compliance-related information, appropriate information needs to be
  identified, captured, and communicated in a manner and time frame
  that enables employees to carry out their responsibilities.
• Effective monitoring:
  • Efficiency of the control process requires that the entire control
  system be monitored to measure the quality of the system’s
  performance over time. This practice provides the opportunity to
  report shortfalls to senior management.
END
