Chapter 3 Internal Controls

The document discusses modern internal control systems, emphasizing their purpose in ensuring compliance, reliability of financial reporting, operational efficiency, and safeguarding of assets. It outlines the components of internal control as defined by the COSO framework, which includes control environment, risk assessment, control activities, information and communication, and monitoring. Additionally, it highlights the importance of ethical corporate culture and the role of technology in enhancing or challenging internal controls.

Uploaded by MJ j

Modern Internal Control Systems: Ensuring Compliance and Effective Risk Management

Evaluate and recommend modern control systems, ensuring compliance with regulations and effective risk management.
What is the purpose of internal control?
• Internal controls are policies, processes, and procedures set by management to achieve the following:
• Reliability of financial reporting
• Efficiency and effectiveness of operations
• Compliance with laws and regulations (materially affecting financial reporting)
• Safeguarding of assets
Reliability of Financial Reporting
a. Accuracy:
Information in financial statements should be free from material misstatements and errors.
b. Completeness:
All relevant financial information should be disclosed to present a comprehensive view of the
organization’s financial situation.
c. Neutrality:
Financial reporting should be free from bias or any attempts to manipulate information to favor
certain interests (investors vs. creditors).
d. Transparency:
Disclosure should be clear, comprehensive, and understandable, providing sufficient
information for users to make informed decisions.
e. Consistency:
Accounting policies and practices should be applied consistently from one reporting period to
another, facilitating comparability.
Efficiency and Effectiveness of Operations
Efficiency:
Internal controls can help an organization achieve its goals using the least amount of
resources possible.
Efficient processes reduce waste, prevent errors, and save time.
For instance, automation of certain processes such as data entry, invoicing, and
reconciliation can reduce manual errors and save employee time, thus improving
operational efficiency.
Effectiveness:
Effectiveness refers to the ability of the organization to meet its objectives.
Internal controls can help ensure that the business operations effectively achieve the
intended results.
The efficiency and effectiveness of operations are typically measured through:
Financial performance metrics like revenue, cost control, and profitability.
Non-financial metrics such as customer satisfaction, market share, and operational quality.
Compliance with Laws and Regulations
• Ensures that a business operates within the legal framework, thereby minimizing the risk of:
• Lawsuits
• Penalties
• Damage to its reputation
• Internal control mechanisms focused on compliance can take many forms, and
their precise nature will depend on:
• The company’s industry
• The countries in which it operates
• The specific laws and regulations it must adhere to
• Training, monitoring systems, reporting mechanisms, and a compliance
officer/department play a crucial role in ensuring compliance.
Safeguarding of Assets
Involves procedures and measures designed to prevent theft, fraud, misuse, or damage to a company's assets.
• Assets include not only tangible assets like cash, inventory, equipment, and property
but also intangible assets such as intellectual property, trade secrets, and
company reputation.
1. Physical Controls:
1. This involves physical security measures to protect tangible assets.
2. For example:
1. Cash may be stored in a safe.
2. Warehouses may have security cameras or guards.
3. Access to valuable equipment may be restricted to authorized personnel only.
2. Authorization Controls:
1. Important transactions that could affect the company’s assets should require approval from a
higher-level manager or multiple individuals.
2. For example, large purchases might need to be approved by a senior manager.
Which of the following is the auditor's primary concern regarding management's assertions about the implementation of internal controls?
A- Compliance with applicable laws and regulations
B- Efficiency of operations
C- Reliability of financial reporting
D- Effectiveness of operations
Management and Auditor Responsibilities for Internal Control
• Management, not the auditor, must establish and maintain the entity's internal controls.
• Two key concepts underlie management's design and implementation of internal control:
• Reasonable assurance
• Inherent limitations
Management’s Section 404 Reporting
Responsibilities
Management of all public companies is to issue an internal control report
that includes the following:
• A statement that management is responsible for
establishing and maintaining an adequate internal
control structure and procedures for financial reporting
• An assessment of the effectiveness of the internal control
structure and procedures for financial reporting as of the
end of the company’s fiscal year.
Auditor Responsibilities for Understanding Internal Control
Auditors are required to:
• Obtain an understanding of internal control relevant to the audit on every audit engagement.
• Report on the effectiveness of internal control over financial reporting, if the client is an accelerated filer.
Auditors are primarily concerned about:
• Controls over the reliability of financial reporting.
• Controls over classes of transactions.
Example Section 404 Management Report on Internal
Control over Financial Reporting
A system of internal control is designed to ensure that all of the following would be

achieved, except that

A- The company’s personnel complies with applicable rules and regulations.

B- All instances of fraud will be detected.

C- Transactions are executed by the management’s authorization.

D- The company’s resources are used efficiently and effectively.


• Describe the objectives management has when designing effective internal control.
Section 404(a) of the Sarbanes–Oxley Act requires management to issue a report on internal control over financial reporting.
• Identify the specific Section 404(a) reporting requirements for management.
• Describe which of the categories of broad objectives for internal controls are considered by the auditor in an audit of both the financial statements and internal control over financial reporting.
• What two aspects of internal control must the auditor assess when performing procedures to obtain an understanding of internal control?
COSO Model
One tool to evaluate an organization's internal controls is the COSO model. This FRAMEWORK is important – it formalizes a set of conditions that can be commonly understood and accepted by all parties and that will foster good controls.
COSO is The Committee of Sponsoring Organizations, formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, known as the Treadway Commission, which continues to be dedicated to enhancing the quality of financial reporting.
COSO developed a common definition of internal controls that provides a standard against which all organizations can assess their controls:
"Systems and processes, effected by the entity's board, management, and other personnel, designed to provide management with reasonable but not absolute assurance that the goals and objectives it believes important to the entity will be met"
COSO's mission is to strengthen internal control and deter fraud.
COSO Components of Internal Control
• Control environment
• Consists of the actions, policies, and procedures that reflect
the overall attitudes of top management, directors, and
owners of an entity about internal control and its importance to the
entity.

• Risk assessment
• Involves a process for identifying and analyzing risks that may
prevent the organization from achieving its objectives.

• Control activities
• Policies and procedures that help ensure that necessary actions
are taken to address risks to the achievement of the entity’s
objectives.
COSO Components of Internal Control
• Information and communication
• To initiate, record, process, and report the entity’s
transactions and to maintain accountability for the related
assets.

• Monitoring
• Deal with ongoing or periodic assessment of the quality of
internal control by management to determine that controls are
operating as intended and that they are modified as
appropriate for changes in conditions.
Five Components of Internal Control
• What are the five components of internal control in the COSO internal control framework?
• What is the relationship among these five components?
• How do the COSO principles help an organization assess whether internal controls are designed and operating effectively?
Relationship Among the Five
Components:
These five components are interconnected and work together to create
a cohesive and comprehensive system of internal control. The control
environment sets the tone for the organization and influences the
effectiveness of the other components. Risk assessment drives the
need for specific control activities, which are the actionable steps
taken to manage risks. Information and communication ensure that
critical information flows through the organization, while monitoring
provides feedback to determine whether the controls are working
effectively and to identify areas for improvement.
How COSO Principles Help Organizations Assess
Internal Controls:
• The COSO framework provides a detailed set of principles that help
organizations assess whether their internal controls are both
well-designed and effective in operation. These principles:
• Provide clear guidance on how each component should be
implemented.
• Enable management to evaluate whether the controls are adequate
to address the identified risks.
• Help organizations adapt their control processes to changing
environments, ensuring the internal control system remains
relevant and effective in mitigating risks.
Frank James, a highly competent employee of Brinkwater Sales
Corporation, had been responsible for accounting-related matters
for two decades. His devotion to the firm and his duties had always
been exceptional, and over the years, he had been given
increased responsibility. Both the president of Brinkwater and the
partner of an independent CPA firm in charge of the audit were
shocked and dismayed to discover that James had embezzled
more than $500,000 over a 10-year period by not recording
billings in the sales journal and subsequently diverting the cash
receipts.

• What major factors permitted the embezzlement to take place?


Wells Fargo uncovers up to 1.4 million more fake accounts
• The slide shows a screenshot of a news article from CNN Business discussing a scandal involving Wells Fargo. The article makes several key points:
• There was relentless pressure and wildly unrealistic sales targets
put on employees, which led to unethical behaviors.
• Employees were pressured to lean on family members and friends
to open unnecessary bank accounts.
• The article notes that more than a dozen former Wells Fargo
employees described the bank's culture to CNNMoney in this
way.
• Wells Fargo was accused by federal regulators of illegal activities
on a stunning level, with employees secretly creating millions of
unauthorized bank and credit card accounts between 2011 and
July 2015, which allowed the bank to make more money in fees
and meet internal sales targets.
• Wells Fargo agreed to pay penalties of $185 million and fired
5,300 employees over the scandal, which has rocked the industry
and eroded trust among the bank's customers nationwide.
• Former employees told CNNMoney that they faced incredible
demands from managers to meet sales quotas, and that managers
turned a blind eye to unethical and potentially illegal activity.
• This situation is often cited as a case study in the importance of
ethical corporate culture and the potential consequences of
allowing a toxic sales culture to go unchecked. It also underscores
the significant role of internal controls and oversight in
preventing such issues.
What Lessons Can Be Learned from the Wells Fargo Fake Accounts Scandal Regarding Internal Controls and Ethical Corporate Culture?
• How Wells Fargo workers created fake accounts | CNN Business
Internal Controls Specific to Information Technology
• Technology can strengthen a company's system of internal control but can also provide challenges.
• To address risks associated with reliance on technology, organizations often implement specific IT controls.
• Auditing standards describe two categories of controls for IT systems:
• General controls
• Application controls
Relationship Between General and Application Controls
General Controls
Six categories of general controls have an entity-wide effect on all IT functions:
• Administration of the IT function (environment: it is the responsibility of the board of directors and senior management to provide a healthy, clean control environment)
• Separation of IT duties (programmers and analysts are segregated)
• Systems development (the people who develop the system, the systems analysts and the programmers, need to be different people; you shouldn't combine the two roles together)
• Physical and online security (cameras, guards outside to protect the property)
• Backup and contingency planning (you need to have backups)
• Hardware controls (authorized people for hardware)
Application Controls
Application controls are designed for each software application.
These controls may be manual or automated and include:
• Input controls
• Processing controls
• Output controls
Categories of General and Application Controls
Control Type: General controls
• Administration of the IT function. Example: Chief information officer or IT manager reports to senior management and board.
• Separation of IT duties. Example: Responsibilities for programming, operations, and data control are separated.
• Systems development. Example: Teams of users, systems analysts, and programmers develop and thoroughly test software.
• Physical and online security. Example: Access to hardware is restricted; passwords and user IDs limit access to software and data files; encryption and firewalls protect data and programs from external parties.
• Backup and contingency planning. Example: Written backup plans are prepared and tested regularly throughout the year.
• Hardware controls. Example: Memory failure or hard-drive failure causes error messages on the monitor.
Control Type: Application controls
• Input controls. Example: Preformatted screens prompt data input personnel for information to be entered.
• Processing controls. Example: Reasonableness tests review unit-selling prices used to process a sale.
• Output controls. Example: The sales department does postprocessing review of sales transactions.
Segregation of IT Duties
Impact of IT Infrastructure on Internal Control
• The accounting function's use of complex IT networks, databases, the Internet, cloud computing, and centralized IT functions is now commonplace.
• The types of internal controls will vary based on the type and complexity of the IT system.
Types of information technology systems include:
• Local area networks (LANs)
• Wide area networks (WANs)
• Database management systems
• Enterprise resource planning (ERP) systems
• Companies use firewalls, encryption techniques, and digital signatures to limit risks and to increase IT security.
• Many companies outsource some or all of their IT needs to an independent organization rather than maintain an internal IT center.
Let's Discuss
• Distinguish general controls from application controls and give two examples of each.
• Identify the typical duties within an IT function and describe how those duties should be segregated among IT personnel.
Identify the typical duties within an IT function and
describe how those duties should be
segregated among IT personnel.
1. Systems Development:
Role: Responsible for developing and modifying applications and systems to meet business needs.
Segregation: Developers should not have the authority to move applications into the live production environment or alter live
production data. Testing and deployment should be handled by separate teams to maintain integrity.
2. Systems Operations:
Role: Manages daily operations, including running and scheduling system jobs, performing backups, and ensuring the smooth
running of IT infrastructure.
Segregation: Operations personnel should not have access to modify systems or application code. Their role is limited to
executing tasks, not making changes to the systems themselves.
3. Data Control and Data Management:
Role: Ensures the integrity, accuracy, and completeness of data within the system. Manages data input, processing, and
output.
Segregation: Data control staff should not have the ability to modify the system itself or make unauthorized changes to data.
They should focus on overseeing data handling without being able to access sensitive systems.
4. Security Administration:
Role: Manages user access, permissions, and security policies to safeguard data and systems from unauthorized access.
Segregation: Security administrators should not be involved in system development or operations. Their focus is on managing
who has access to what within the organization, ensuring proper segregation of duties and controls.
Identify the typical duties within an IT function and describe how those duties should be segregated among
IT personnel.

5. Network Management:
Role: Maintains network infrastructure, such as routers, switches, and firewalls, ensuring secure and
efficient connectivity.
Segregation: Network managers should focus only on network-related tasks and should not have access
to applications, databases, or sensitive data that they are not responsible for.
6. Database Administration:
Role: Manages databases, ensuring data storage, backup, and retrieval functions are running smoothly.
Segregation: Database administrators should not be responsible for developing the application or
managing network infrastructure. Their role is confined to managing data storage and retrieval.
Who is responsible for controlling the use of computer programs, transaction
files, and other records and releasing them to operators only when authorized?
The options provided are:
A) The data control operator
B) The chief computer operator
C) The librarian
D) The software engineer
Why librarian? In the context of information technology controls and auditing, a
"librarian" typically refers to someone responsible for managing and
safeguarding important IT resources such as computer programs, files, and
documentation. They ensure that these resources are released to authorized
personnel, which aligns with the responsibilities described in the question.
Let's Discuss
• Explain how the effectiveness of general controls impacts the effectiveness of automated application controls.
• Compare the risks associated with network systems and database systems to those associated with centralized IT functions.
Explain how the effectiveness of general controls impacts the effectiveness of automated application controls.
General controls provide the secure and well-maintained environment that
automated application controls rely upon to function properly. When
general controls are strong, they ensure that the automated application
controls can operate in a secure, accurate, and available environment,
enhancing their effectiveness in safeguarding organizational processes.
Conversely, weak general controls undermine the reliability and security of
automated controls, leaving the organization vulnerable to risks such as
unauthorized access, data corruption, and system failures.
Explain how the effectiveness of general controls
impacts the effectiveness of automated application
controls.
1. Security and Access Control
General Controls: These are overarching policies and procedures that govern access to the IT
environment. Examples include password policies, user access rights, encryption, and firewalls.
Impact on Automated Application Controls: If general controls are weak, unauthorized users may gain
access to systems, potentially overriding or tampering with automated application controls. Effective
general controls ensure that only authorized individuals can access critical applications, safeguarding
automated processes from manipulation or unauthorized changes.
2. System Integrity
General Controls: These include system development controls, change management, and backup
procedures to ensure that the IT infrastructure functions as intended and is safeguarded against crashes,
malfunctions, or unauthorized alterations.
Impact on Automated Application Controls: Automated controls rely on the underlying IT infrastructure.
If general controls are weak (e.g., poor change management, no proper backups), the system’s integrity
can be compromised, leading to failures in automated controls. A system crash or incorrect data input
could render application controls ineffective or cause them to function incorrectly.
Explain how the effectiveness of general controls impacts the effectiveness of
automated application controls.
3. Data Integrity
General Controls: These include controls over data entry, processing, and storage, ensuring that only valid,
accurate, and authorized data is processed within the system.
Impact on Automated Application Controls: Automated controls are only as reliable as the data they
process. If general controls fail to ensure data accuracy (e.g., incorrect or unauthorized updates to master
files), the automated application controls could produce incorrect outputs or fail to detect fraudulent
activities. Strong general controls ensure the integrity of data, making sure the automated controls operate
on accurate and authorized data.
4. Change Management
General Controls: Controls that govern how changes to the IT environment are authorized, tested, and
implemented.
Impact on Automated Application Controls: Automated controls depend on stable application
environments. Without robust change management, untested or unauthorized changes to systems can
disrupt or disable automated controls. Proper change management ensures that updates or system
modifications are done carefully, maintaining the effectiveness of automated controls.
Explain how the effectiveness of general controls
impacts the effectiveness of automated application
controls.
5. System Availability and Continuity
General Controls: This includes business continuity planning, disaster recovery, and system maintenance to
ensure the IT infrastructure is always available.
Impact on Automated Application Controls: Automated controls require continuous system availability to
function. If general controls such as disaster recovery plans or system maintenance procedures are
ineffective, system outages or disruptions can cause automated controls to fail, leading to missed
transactions, errors, or an inability to enforce critical control mechanisms.
6. Audit Trails and Monitoring
General Controls: These include mechanisms to track system usage, changes, and incidents, as well as
auditing protocols.
Impact on Automated Application Controls: Effective monitoring and audit trails enable organizations to
detect when automated controls fail or when there are anomalies in the control processes. Without robust
monitoring (a general control), failures in automated application controls may go undetected, leading to an
increased risk of errors or fraud.
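The segregation rules listed for the six IT duties above, together with the change-management and audit-trail points in this section, can be turned into a mechanical check that an internal auditor or a provisioning system can run. The following Python is an added example, not code from the textbook or these slides; the duty names, the conflict pairs, the sample role assignments and the sample change log are constructed for illustration, and `production_deployment` is modelled as a separate duty (an assumption) so that the rule that developers must not move code into production can be expressed.

```python
"""Segregation-of-duties (SoD) checks for an IT function.

Constructed example: duty names, conflict pairs, sample assignments and the
sample change log are illustrative, not from any real organization.
"""
from itertools import combinations

# Duties as described on the page, plus production deployment as its own
# privilege (assumption) so the "developers must not deploy" rule is expressible.
DEVELOPMENT = "systems_development"
OPERATIONS = "systems_operations"
DATA_CONTROL = "data_control"
SECURITY_ADMIN = "security_administration"
NETWORK = "network_management"
DBA = "database_administration"
PROD_DEPLOY = "production_deployment"

# Pairs of duties that one person must not hold at the same time.
CONFLICTS = {
    frozenset({DEVELOPMENT, PROD_DEPLOY}),     # developers must not move code into live
    frozenset({DEVELOPMENT, OPERATIONS}),      # operators must not change code
    frozenset({SECURITY_ADMIN, DEVELOPMENT}),  # security admin stays out of development
    frozenset({SECURITY_ADMIN, OPERATIONS}),   # ... and out of operations
    frozenset({DBA, DEVELOPMENT}),             # DBA must not build the application
    frozenset({DBA, NETWORK}),                 # DBA must not run the network
    frozenset({DATA_CONTROL, DEVELOPMENT}),    # data control must not modify the system
}


def sod_conflicts(assignments):
    """Detective check: map user -> list of conflicting duty pairs they hold.

    `assignments` is {user: set_of_duties}; users with no conflict are omitted.
    """
    findings = {}
    for user, duties in assignments.items():
        bad = [tuple(sorted(pair)) for pair in combinations(sorted(duties), 2)
               if frozenset(pair) in CONFLICTS]
        if bad:
            findings[user] = bad
    return findings


def would_conflict(current_duties, new_duty):
    """Preventive check at provisioning time: existing duties that clash with new_duty."""
    return sorted(d for d in current_duties if frozenset({d, new_duty}) in CONFLICTS)


def review_deployments(changes):
    """Audit-trail check over a production change log.

    Each change is a dict with change_id, author, deployer and approver
    (approver is None when no approval was recorded). Returns (change_id, issue)
    tuples for changes that lack authorization or break SoD in practice.
    """
    issues = []
    for c in changes:
        if c["approver"] is None:
            issues.append((c["change_id"], "no approval recorded"))
        elif c["approver"] == c["author"]:
            issues.append((c["change_id"], "author approved own change"))
        if c["deployer"] == c["author"]:
            issues.append((c["change_id"], "author deployed own change"))
    return issues


# Constructed sample data: carol and dave hold conflicting duties.
SAMPLE_ASSIGNMENTS = {
    "alice": {DEVELOPMENT},
    "bob": {OPERATIONS, PROD_DEPLOY},
    "carol": {DEVELOPMENT, PROD_DEPLOY},
    "dave": {SECURITY_ADMIN, OPERATIONS},
    "erin": {DBA},
}

# Constructed sample change log: CHG-1001 is clean, the others each break a rule.
SAMPLE_CHANGES = [
    {"change_id": "CHG-1001", "author": "alice", "deployer": "bob", "approver": "frank"},
    {"change_id": "CHG-1002", "author": "carol", "deployer": "carol", "approver": "frank"},
    {"change_id": "CHG-1003", "author": "alice", "deployer": "bob", "approver": None},
    {"change_id": "CHG-1004", "author": "alice", "deployer": "bob", "approver": "alice"},
]

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD conflict for {user}: {pairs}")
    for change_id, issue in review_deployments(SAMPLE_CHANGES):
        print(f"{change_id}: {issue}")
    print("adding prod deploy to alice clashes with:", would_conflict({DEVELOPMENT}, PROD_DEPLOY))
```

The first two checks are detective (they read the access list and the change log after the fact); `would_conflict` is the preventive form a security administrator would run before granting a new role.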
Compare the risks associated with network systems and database systems to those associated with
centralized IT functions.

Network Systems are exposed to external threats and rely on continuous protection against hacking, unauthorized
access, and malware, whereas centralized IT systems face a greater risk of being a single point of failure. Network
systems require consistent attention to perimeter security (firewalls, IDS, encryption), while centralized systems
require effective failover and backup strategies to prevent widespread impact from failure.

Database Systems hold sensitive and structured data, and risks include data breaches, unauthorized access, and data
corruption, while centralized IT functions, due to their broad reach, may face broader system-wide outages that can
impact all applications, including databases. Databases benefit from strong access control and encryption, while
centralized systems must focus on redundancy and disaster recovery.

In conclusion, network systems and database systems have more specialized, focused risks related to data flow and
security, while centralized IT functions deal with broader risks like operational continuity, scalability, and single-point
failures. Both require different layers of controls to mitigate their respective risks effectively.
Network systems, database systems, and centralized IT functions all
face distinct but interconnected risks. Network systems are vulnerable
to external threats like hacking and data interception, while database
systems are at risk of data breaches, corruption, and unauthorized
access. Centralized IT functions, on the other hand, pose risks of
system-wide outages, single points of failure, and scalability challenges.
Internal Audit’s Role in Mitigating These Risks:
Internal audit plays a crucial role in ensuring the effectiveness of risk management and control
mechanisms in all these areas:
For Network Systems:
1. Audit Network Security Measures: Internal auditors assess the robustness of firewalls,
intrusion detection systems (IDS), and encryption protocols to ensure that the
network is protected from external threats.
2. Review Access Controls: Auditors verify that access to network resources is properly
controlled and that user roles and permissions are regularly reviewed and updated.
3. Assess Incident Response Plans: Internal audit ensures that the organization has effective
incident response plans in place to handle breaches, attacks, and network
disruptions.
4. Penetration Testing Audits: Internal auditors may oversee or recommend penetration
testing to simulate attacks and identify vulnerabilities in the network infrastructure.
Internal Audit’s Role in Mitigating These Risks:
For Database Systems:
1. Evaluate Data Security and Privacy Controls: Internal auditors review the
encryption, authentication, and data access controls to ensure that
sensitive information is protected against unauthorized access or
breaches.
2. Audit Data Integrity Controls: Auditors assess mechanisms to prevent data
corruption, ensuring that backups are regular and reliable, and that
recovery procedures are effective.
3. Review Change Management Procedures: Auditors check that database
changes (updates, patches, configurations) follow strict approval
processes to prevent unauthorized modifications.
4. Monitor Compliance with Regulations: Internal audit ensures that database
systems comply with relevant regulations (e.g., Oman Personal Data
Protection Law (PDPL)) by verifying that data protection protocols are in
place.
Internal Audit’s Role in Mitigating These Risks:
For Centralized IT Functions:
1. Assess IT Governance Frameworks: Internal auditors review the overall IT
governance to ensure that roles and responsibilities are clearly defined
and that the IT function operates efficiently in supporting business objectives.
2. Review Business Continuity and Disaster Recovery Plans: Internal audit
evaluates the effectiveness of business continuity plans (BCP) and
disaster recovery (DR) strategies to ensure minimal disruption in case
of failures or disasters.
3. Audit System Scalability and Resource Management: Auditors examine
whether the centralized IT systems can scale appropriately with the
organization’s growth and whether resource allocation is optimized.
4. Evaluate Single Point of Failure Risks: Internal audit identifies critical areas
within centralized IT functions that are vulnerable to failure and recommends
redundancies and failover solutions to mitigate these risks.
Internal Audit’s Role in Mitigating These Risks:
Internal Audit’s Strategic Contributions:
By providing independent and objective assessments, internal auditors
help organizations strengthen their control environments. They identify
weaknesses, recommend improvements, and monitor the
implementation of corrective actions. Additionally, they ensure that
management has proper oversight over IT functions and that risk
mitigation strategies are effective across network, database, and
centralized IT systems.
Reference:
Arens, A. A., Elder, R. J., Beasley, M. S., & Hogan, C. E. (2017).
Auditing and Assurance Services: An Integrated Approach (16th ed.).
Pearson Education.