ACCA F8 audit- internalcontrols slides
Uploaded by arshadul-hoque-chowdhury
Internal Control Is …
A Process … Not Merely Policies, Procedures and Forms
Affected by People
Directed Toward the Achievement of Objectives
Internal Control As Defined by COSO (Committee of Sponsoring Organizations) Is …
A process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Reliability of financial reporting;
Effectiveness and efficiency of operations; and
Compliance with applicable laws and regulations
Perfect Internal Control?
There is no such thing as a perfect internal control system … there are inherent limitations, which typically cannot be controlled
Perfect Internal Control? Inherent Limitations
Misunderstanding of Instructions
Mistakes of Judgment
Personal Carelessness
Distraction
Fatigue
Management Override … can lead to cover-ups
Collusion Among Individuals … circumvents control procedures whose effectiveness depends on segregation of duties
Staff Size Limitations … may obstruct efforts to properly segregate duties
If Staff Size is Limited …
Compensating Controls Should Be Implemented to Ensure Objectives Are Met
A Compensating Control is used to counter-balance an internal control weakness
Perfect Internal Control? Level of Assurances
As a Result of Inherent Limitations and Cost Limitations, the Internal Control Structure Can Provide Only “Reasonable”, Not Absolute Assurances, That Goals and Objectives Will Be Accomplished
Perfect Internal Control? “Reasonable Assurance”
The concept of reasonable assurance recognizes that the cost of an entity’s internal control structure should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure, the precise management of costs and benefits usually is not possible.
Internal Control Failures Result From …
Lack of Integrity
Weak Control Environment
Inconsistent Objectives
Poor Communication
Inability to Understand & React to Changing Conditions
Internal Control Primary Objectives
Compliance with policies, plans, laws, procedures, regulations, contracts, etc.
Accomplishment of goals and objectives
Reliability and integrity of information
Economical and efficient use of resources
Safeguarding of assets
Internal Control Isn’t Always Good When it …
Is excessive
Has a cost that outweighs the derived benefits
Tries to obtain the unobtainable, i.e. “absolute assurance”
Violates the Golden Rule of Internal Control
Control is Excessive When …
It unnecessarily increases the complexity of transaction processing
The “control” steps merely increase the processing time and do not add value to the activity being controlled
Internal Control Golden Rule
There is no greater waste than doing with great efficiency that which should not be done at all!
Internal Control Traits Present When Poor I/C …
In the best case scenario:
Bureaucracy increased
Productivity decreased
Complexity increased
Transaction processing time increased
Non-value-adding activities increased … going nowhere fast
In the worst case scenario:
Interfere with goal accomplishment
Allow for abuse of assets
Internal Control Components
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Internal Control Components: Control Environment
Is the attitude and actions of the board and management regarding the significance of control within the organization
Provides the discipline and structure for the overall system of internal controls
Established and maintained by management
Should foster control conscientiousness
Includes the overall “tone at the top” set by people in positions of authority
Based on the attitudes and habits of those in authority
Control Environment Includes …
Integrity and Ethical Values
Management’s Philosophy & Operating Style
Organizational Structure
Assignment of Authority & Responsibility
Human Resource Policies & Practices
Competence of Personnel
Institutional objectives, and how they are achieved, are based on preferences, value judgments and management styles
Control Environment Integrity and Ethical Values
Ethical values must be clearly communicated
Codes of conduct must be defined in written policy & procedures
Ethics may be transmitted by example, i.e. people tend to imitate their leadership
Real management concerns can often be evaluated in terms of how violators are dealt with, i.e. the messages sent by leaders’ actions in such situations quickly become accepted behavior
Organizational values cannot rise above the integrity and ethics of the people who create, administer and monitor them
Control Environment Management’s Philosophy & Operating Style
Factors affecting leadership’s philosophy and operating style:
Delegation of Authority (Empowerment)
Risk Taking
Reliance on Policies & Procedures
Administrators should promote compliance through their own actions
Administrators must support adherence to policies and procedures … if they expect employees to have that attitude
Control Environment Organizational Structure
Provides the framework for achievement of objectives, through proper planning, executing, controlling, and monitoring
Depends on the administration’s philosophy
The appropriateness of the structure depends on various factors, such as size and type of activities
Control Environment Assignment of Authority & Responsibility
Determines the degree to which individuals & departments are encouraged to use initiative in addressing issues and problem solving, as well as the limits of their authority
Delegation of Authority (Empowerment): placing control for certain decisions at lower levels of the organization, to individuals closest to everyday activities
Control environment is greatly influenced by the degree to which individuals are held accountable
Critical challenge is to delegate to the extent required to achieve objectives
Always remember that “One Can Delegate Authority, Not Responsibility”
Control Environment Human Resource Policies & Practices
Human resource practices send messages to employees regarding expected levels of integrity, ethical behavior and competence
Integrity, ethics, and competence must be exercised in …
Hiring
Training
Evaluating
Promoting
Compensating
Disciplinary action should be consistently applied to all employees
Control Environment Competence of Personnel
Lines of authority and responsibility clearly established, documented in written job descriptions and procedures manuals
Competent people must be hired
Job descriptions should be periodically updated to ensure that employees are aware of the duties they are expected to perform
Organizational charts provide a visual presentation of lines of authority
Internal Control Components: Risk Assessment …
Is the identification and analysis of relevant risks associated with the achievement of objectives
Is an ongoing process that is a critical component of an effective internal control system
Internal Control Components: Risk …
Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives.
Risk is measured in terms of consequences and likelihood.
Internal Control Component: Risk Assessment
Risk can pertain to external & internal factors
External risk factors are outside of the university, usually beyond management’s span of control
Internal risk factors are within the university, usually within management’s control
Risk Assessment External Risk Factors
Economic Changes
Changing Student & Community Needs and/or Expectations
New or Changed Legislation or Regulations
Technological Developments
Natural Catastrophes
Competitive Conditions
Risk Assessment Internal Risk Factors
New Personnel
Low Morale
Competence, Adequacy & Integrity of Personnel
New or Revamped Information Systems
Size of Organization … can be measured in terms of assets, liquidity and transaction volume
Complexity & Volatility of Activities
Geographical Dispersion of Operations
Changes in Management Responsibilities … for example, climbing the ladder of success
Risk Assessment Risk Analysis
After the risk factors have been identified, they must be evaluated or analyzed in terms of risk
Risk Analysis Includes …
Estimating the Significance of the Risk
Assessing the Likelihood (or Frequency) of the Risk Occurring
A determination must be made on how to manage risk, i.e. an assessment of actions that can be taken and their relative cost
Administrators must determine …
What can go wrong
What areas have the most risk
What assets are at risk
Who is in a position of risk
Risk Assessment Risk Analysis … (cont.)
When determining risk levels, administrators must consider …
Governmental Mandates
The Unexpected
Obstacles
Public Scandal
Risk Assessment Risks May Include Such Things As …
Revenues Not Received or Not Recorded Properly
Assets Not Used Efficiently (finances, personnel, space)
Efficient performance accomplishes objectives and goals in an ACCURATE and TIMELY FASHION with MINIMAL USE of RESOURCES
Assets Not Used Effectively (finances, personnel, space)
Effective control is present when management directs systems in such a manner as to provide REASONABLE ASSURANCE that the organization’s OBJECTIVES and GOALS will be ACHIEVED
Assets Diverted to Personal Use (finances, personnel, space) … all break and no work
Information Used for Decision Making Is Not Reliable, Available or Timely
In assessing risk, the potential loss associated with any exposure or risk is weighed against the cost to control it
Internal Control Component: Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out
Generally, control activities (procedures) fall within five broad categories:
Authorizations
Segregation of Duties
Recording
Safeguarding
Reconciliations
Control Activities Authorizations …
Transactions must be authorized and executed in accordance with management’s intent
Authorization to initiate or approve transactions should be limited to specific personnel
Authorizations can be limited by type of transaction (e.g. timesheets) or amount of transactions (e.g. under a certain dollar amount)
Control Activities Segregation of Duties …
Segregation of duties is adequate when no one person is in a position to both initiate and conceal errors and/or irregularities in the normal course of their duties without detection
Provide that one employee does not have responsibility for all phases of a transaction
Different people should be responsible for:
Authorizing Transactions
Recording Transactions
Maintaining Custody of the Assets
Generally, an employee with physical access to an asset should not also be responsible for the accounting records for that asset
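A simple implementation of the segregation-of-duties check described above, added here as an illustration and not part of the original slides: each system entitlement is tagged with the transaction phase it grants (authorize, record, custody, reconcile) and the asset it applies to; every user holding a conflicting pair of phases on the same asset is listed; and, for the small-staff case where a conflict must be accepted, the compensating review is only credited when the reviewer is a different person who is themselves independent of that asset. The entitlement catalogue, users and review assignments are constructed sample data, not any real system's configuration.

```python
"""Segregation-of-duties conflict check over a role/entitlement model.

Added illustration: no one person should authorize, record and hold
custody of the same asset, and where staff size forces a conflict, the
compensating review must be done by someone independent of it. The
entitlement names, phase tags and users below are constructed sample
data, not any real system's configuration.
"""
from collections import defaultdict
from itertools import combinations

# Each entitlement is tagged with the transaction phase it grants and the
# asset or process it applies to (constructed sample catalogue).
ENTITLEMENTS = {
    "AP_CREATE_VENDOR": ("authorize", "payables"),
    "AP_ENTER_INVOICE": ("record", "payables"),
    "AP_APPROVE_PAYMENT": ("authorize", "payables"),
    "AP_PRINT_CHECKS": ("custody", "payables"),
    "GL_POST_JOURNAL": ("record", "general_ledger"),
    "GL_REVIEW_JOURNAL": ("authorize", "general_ledger"),
    "CASH_RECEIVE": ("custody", "cash"),
    "CASH_RECORD_RECEIPT": ("record", "cash"),
    "CASH_RECONCILE": ("reconcile", "cash"),
}

# Phase pairs that let one person both initiate and conceal an
# irregularity on the same asset without a second person seeing it.
CONFLICTING_PHASES = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"record", "reconcile"}),
    frozenset({"custody", "reconcile"}),
}


def phases_by_asset(granted, entitlements=ENTITLEMENTS):
    """Map asset -> set of phases a user's entitlements give on it.
    Entitlements missing from the catalogue carry no tag and are skipped."""
    out = defaultdict(set)
    for ent in granted:
        if ent in entitlements:
            phase, asset = entitlements[ent]
            out[asset].add(phase)
    return out


def find_sod_conflicts(assignments, entitlements=ENTITLEMENTS,
                       conflicting=CONFLICTING_PHASES):
    """Return sorted (user, asset, phase_a, phase_b) for every conflicting
    pair of phases a single user holds on the same asset."""
    conflicts = []
    for user, granted in assignments.items():
        for asset, phases in phases_by_asset(granted, entitlements).items():
            for a, b in combinations(sorted(phases), 2):
                if frozenset({a, b}) in conflicting:
                    conflicts.append((user, asset, a, b))
    return sorted(conflicts)


def unmitigated_conflicts(assignments, reviews, entitlements=ENTITLEMENTS,
                          conflicting=CONFLICTING_PHASES):
    """Conflicts not covered by an independent compensating review.

    `reviews` maps (user, asset) -> reviewer who periodically examines that
    user's activity on the asset. The review only counts if the reviewer is
    a different person and holds no phase of their own on that asset."""
    open_items = []
    for user, asset, a, b in find_sod_conflicts(assignments, entitlements, conflicting):
        reviewer = reviews.get((user, asset))
        independent = (
            reviewer is not None
            and reviewer != user
            and asset not in phases_by_asset(assignments.get(reviewer, ()), entitlements)
        )
        if not independent:
            open_items.append((user, asset, a, b, reviewer))
    return open_items


# Constructed sample assignments and compensating reviews.
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT", "GL_POST_JOURNAL"],
    "bob": ["AP_PRINT_CHECKS", "GL_REVIEW_JOURNAL"],
    "carol": ["CASH_RECEIVE", "CASH_RECORD_RECEIPT"],
    "dave": ["CASH_RECONCILE"],
    "erin": ["AP_CREATE_VENDOR"],
}
SAMPLE_REVIEWS = {
    ("alice", "payables"): "bob",   # bob prints the checks: not independent
    ("carol", "cash"): "erin",      # erin holds nothing on cash: independent
}

if __name__ == "__main__":
    for item in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("CONFLICT", *item)
    for item in unmitigated_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_REVIEWS):
        print("UNMITIGATED", *item)
```

Running the sample reports alice (authorize + record on payables) and carol (custody + record on cash) as conflicts; carol's is mitigated by erin's review, while alice's remains open because her designated reviewer, bob, holds custody on the same asset. In a real environment the catalogue would be generated from the application's role definitions, and the reviewer independence test is the part most often skipped.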
Control Activities Recording …
Documents and records must be properly designed to provide reasonable assurance that …
Assets are properly controlled
Transactions are properly recorded in the correct account, amount, and period
Proper design may include such things as …
Pre-numbered documents, which can be used to detect missing documents and for tracking purposes
NCR (no carbon required, i.e. carbonless multi-part) documents, which can be used for authenticity and control purposes
Transactions should be properly documented
Records should be retained in an organized manner
Control Activities Safeguarding …
Measures should be taken to safeguard the access to and use of both assets and records
Achieved through physical security & reconciliation of assets to records
Assets should be physically secured
Access to assets should be limited to designated authorized personnel
Control Activities Reconciliations …
Are independent checks and internal verification procedures designed to help provide assurance that the other four control procedures are achieved
The person performing the reconciliation (or verification procedures) should be independent from the individuals originally responsible for preparing the data
Internal Control Components: Information & Communication
The purpose of the information and communication system is to help ensure that employees are aware of …
The unit’s goals and objectives
How the unit’s goals and objectives are to be accomplished
Who is responsible for the specific tasks to accomplish them
The information & communication system must provide administrators with reports containing operational, financial, and compliance information for progress monitoring and decision making
Pertinent information must be identified, captured and communicated to appropriate personnel on a timely basis
The quality of information received and/or given influences the quality of decisions
Once information is identified, captured, and processed it is reported formally and informally through both manual and computerized information systems
Information & Communication Information Systems Include …
University’s Written Policies and Procedures
Budget Unit’s Goals and Objectives
Budget Unit’s Documented Policies and Procedures
Organizational Charts
Position Descriptions
Performance Evaluations
Training Programs
Periodic Progress Reports (Goals & Objectives Accomplishment)
Internal Control Components: Information & Communication (cont.)
Employees must know what they are supposed to accomplish and how they are to do it
Communication must flow …
Up and down the organization
Across organizational lines
Information & Communication Information Systems’ Effectiveness
Depends largely on the following factors:
Strategic Plan
Necessary Resources
Targeted Audience
Timeliness of Sufficiently Detailed Information
Accuracy and Relevancy of Information
Information systems should be developed and revised based on a strategic plan
The strategic plan must be congruent with university-wide and activity-level objectives
Management must commit the necessary resources (human and financial) to information systems development
Information must reach the right people, i.e. the targeted audience
Information must be in sufficient detail and timely enough to allow for an appropriate response
Reports must be accurate and provide information relevant to established objectives
Internal Control Components: Monitoring
Monitoring includes the following:
Supervising
Observing
Testing
Reporting to Responsible Individuals
Is a process that assesses the quality of the system’s performance over time
Ensures that the internal control system is operating as expected and that the organization’s goals and objectives are achieved
Should be performed by supervisory personnel and be focused on high-risk areas
Can be ongoing monitoring activities, separate evaluations or a combination of the two
Ongoing monitoring occurs in the normal course of operations, inclusive of regular supervisory activities
The scope and frequency of separate evaluations depend primarily on risk assessment and the effectiveness of the ongoing monitoring procedures
Monitoring Monitoring Activities Include …
Reviews of financial reports such as …
Comparisons of budgeted to actual revenues and/or expenditures
Comparisons of current to prior months’ and/or years’ activities
Spot Checks of Transactions to Ensure Compliance With Policies and Procedures
Reviews of Outstanding Encumbrances
Evaluation of Trends
Review of Supporting Documentation
Documentation of Software Licenses
Surprise Cash and Other Asset Counts
Follow-up on Complaints
Internal Control Components: Monitoring (cont.)
Internal control systems change over time. Once-effective procedures can become less effective due to …
New Personnel
Varying Effectiveness of Training and Supervision
Time and Resource Constraints
When changes occur, the internal control system must change to meet those changes
Remember … Time & Change Wait For No One
If management does not make the necessary changes, the organization may, in most cases, be left behind
Internal Control vs. Controls Compared
Internal control is a process, affected by people, directed toward the achievement of goals
Controls are a part of the internal control process
Internal Control vs. Controls Controls
Controls are any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established goals and objectives will be achieved
Control is the result of proper planning, organizing, and directing by management
Internal Control vs. Controls Adequate Control
Is present when management has planned and organized (designed) in a manner that provides reasonable assurance that the …
Organization’s risks have been managed effectively
Organization’s goals and objectives will be achieved efficiently and economically
Internal Control vs. Controls Adequate Control & Reasonable Assurance
Reasonable Assurance implies that material errors and irregularities will be prevented or detected / corrected within a timely period by employees during the normal course of performing their assigned duties
Internal Controls Errors Defined
An error is an unintentional mistake. Examples of errors include …
Mathematical error
Unintentional omission of events or transactions
Internal Controls Irregularities Defined
An irregularity is an intentional act; a fraud. Examples of irregularities include …
Manipulation, falsification, or alteration of accounting records or supporting documentation
Misrepresentation or intentional omission of events or transactions
Types of Controls
Preventive
Detective
Directive
EDP General Controls (preventive, detective or directive)
EDP Application Controls (preventive, detective or directive)
Types of Controls Preventive Controls …
Deter undesirable events from occurring
Should be designed to discourage errors or irregularities
Types of Controls Examples of Preventive Controls …
A validity check in a computer application that prevents the entry of invalid account numbers
Shredding documents containing confidential information (SSN, grades, addresses, etc.)
Reading and understanding policy and procedures manuals (departmental and university)
Manager’s approval of a purchase requisition for expenditure appropriateness
Restricting access to data to only authorized users
Physically restricting access to assets
Keeping food and drinks away from computer hardware
Backing up your work periodically on your personal computer … length of interval depends on importance of the data
Protecting your password
Running updated anti-virus software on your personal computer
Types of Controls Detective Controls …
Detect and correct undesirable events which have occurred
Should be designed to identify an error or irregularity after it has occurred
Types of Controls Examples of Detective Controls …
Exception reports which list incorrect or invalid entries or transactions
A review of long distance telephone charges to check for improper or personal calls
Reconciliations
Types of Controls Directive Controls …
Cause or encourage a desirable event to occur
Should be designed to aid in the accomplishment of goals and objectives
Types of Controls Examples of Directive Controls …
Written, distributed policy and procedures
Training seminars
Well defined job descriptions
Types of Controls EDP General Controls
Ensure that the programmed procedures within a computerized system are appropriately implemented, maintained, and operated and that only authorized changes are made to programs and data
Programmed procedures include the precise instructions to the computer to perform specific steps to achieve a particular task
There are two types of programmed procedures … Accounting and Control
Programmed Accounting Procedures … are simply accounting procedures performed by the computer
Programmed Control Procedures … ensure the completeness, accuracy, and authorization of processed and stored data
Examples of Programmed Accounting Procedures include …
Calculating and producing student bills
Updating master files
Generating data within the computer
Examples of Programmed Control Procedures include …
Matching student identification numbers against a master file containing student information
Exception reports generated when there are instances when the computer is unable to complete the prescribed operation
There are seven categories of EDP General Control Procedures:
Implementation
File Conversion
Maintenance
Computer Operations
Data File Security
Program Security
System Software
EDP General Controls Implementation Control Procedures
Help guard against financially significant errors in new applications
Ensure that programmed procedures for new systems or major enhancements to existing systems are effectively designed and implemented
EDP General Controls File Conversion Control Procedures
Ensure that newly created or converted data files contain correct data
Ensure that when a significant new system is introduced or an existing system is modified, the conversion process does not give rise to data file errors
EDP General Controls Maintenance Control Procedures
Cover same areas as implementation procedures, but relate to program amendments rather than entirely new applications
Ensure that changes to programmed procedures are effectively designed and implemented
EDP General Controls Computer Operations Control Procedures
Ensure the continuity of processing and the consistent application of programmed procedures
Ensures that the correct data files are used, including their correct version, and that recovery procedures for processing failures are provided
EDP General Controls Data File Security Control Procedures
Protect data from unauthorized access that could result in their modification, disclosure or destruction
Are designed to prevent or detect unauthorized changes to stored data
Are designed to prevent or detect the initiation of unauthorized transactions
EDP General Controls Program Security Control Procedures
Are designed to prevent or detect unauthorized amendments to programs
EDP General Controls System Software Control Procedures
Are designed to ensure that system software is effectively implemented, maintained, and protected from unauthorized changes
System software includes such things as operating systems, utilities, sorts, compilers, file management systems, security software packages, etc.
EDP General Controls Things Commonly Looked At … Program and Data File Security
Is access to programs and data adequately secured?
Are only authorized changes made to programs and data files?
Is the access level granted to employees consistent with the duties that they perform (need-to-know basis)?
Is access to programs and data terminated when employees separate from the university?
Are unauthorized attempts to access the system monitored? Followed up on?
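Three of the questions above (is access consistent with duties, is it terminated on separation, are unauthorized attempts monitored) are the kind an auditor answers by reconciling the HR roster to a directory export and scanning the authentication log. The script below is an added example, not part of the slides: it flags enabled accounts whose owner has separated or is absent from the roster, entitlements the owner's role does not justify, and (user, source) pairs with repeated failed logins. The roster, account export, role matrix and log lines are constructed, and their field names and the log format are assumptions rather than any real HR or directory system's schema.

```python
"""Periodic access review for program and data file security controls.

Added example illustrating three review questions: is access consistent
with duties (need-to-know), is it terminated on separation, and are
unauthorized access attempts monitored. All roster, account and log data
is constructed sample input; the field names and log format are
assumptions, not any real HR or directory system's schema.
"""
import re
from collections import Counter
from datetime import date

# Constructed HR roster: employee id -> (role, separation date or None)
ROSTER = {
    "e100": ("ap_clerk", None),
    "e101": ("ap_supervisor", None),
    "e102": ("ap_clerk", date(2024, 3, 31)),   # separated
    "e103": ("registrar", None),
}

# Constructed directory export: account -> (employee id, enabled?, entitlements)
ACCOUNTS = {
    "jdoe": ("e100", True, {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
    "msmith": ("e101", True, {"AP_APPROVE_PAYMENT", "AP_REPORTS"}),
    "rlee": ("e102", True, {"AP_ENTER_INVOICE"}),        # still enabled after separation
    "kchen": ("e103", True, {"STUDENT_RECORDS"}),
    "svc_batch": (None, True, {"AP_ENTER_INVOICE"}),     # no owner on the roster
    "oldtemp": ("e999", False, {"AP_REPORTS"}),          # disabled, unknown owner
}

# Need-to-know matrix: role -> entitlements that role may hold
ROLE_MATRIX = {
    "ap_clerk": {"AP_ENTER_INVOICE"},
    "ap_supervisor": {"AP_APPROVE_PAYMENT", "AP_REPORTS"},
    "registrar": {"STUDENT_RECORDS"},
}

# Constructed authentication log (syslog-like; the format is an assumption)
AUTH_LOG = """\
2024-04-02T08:01:10 sshd[412]: Failed password for jdoe from 10.1.2.3
2024-04-02T08:01:14 sshd[412]: Failed password for jdoe from 10.1.2.3
2024-04-02T08:01:20 sshd[412]: Accepted password for jdoe from 10.1.2.3
2024-04-02T23:14:02 sshd[577]: Failed password for rlee from 203.0.113.9
2024-04-02T23:14:05 sshd[577]: Failed password for rlee from 203.0.113.9
2024-04-02T23:14:09 sshd[577]: Failed password for rlee from 203.0.113.9
2024-04-02T23:14:15 sshd[577]: Failed password for invalid user admin from 203.0.113.9
2024-04-02T23:14:21 sshd[577]: Failed password for invalid user admin from 203.0.113.9
2024-04-02T23:14:30 sshd[577]: Failed password for invalid user admin from 203.0.113.9
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def orphaned_accounts(accounts=ACCOUNTS, roster=ROSTER, as_of=date(2024, 4, 1)):
    """Enabled accounts whose owner has separated or is not on the roster."""
    found = []
    for name, (emp, enabled, _) in sorted(accounts.items()):
        if not enabled:
            continue
        entry = roster.get(emp)
        if entry is None:
            found.append((name, "no roster entry"))
        elif entry[1] is not None and entry[1] <= as_of:
            found.append((name, f"separated {entry[1].isoformat()}"))
    return found


def excess_entitlements(accounts=ACCOUNTS, roster=ROSTER, matrix=ROLE_MATRIX):
    """(account, entitlement) pairs the owner's role does not justify."""
    found = []
    for name, (emp, enabled, ents) in sorted(accounts.items()):
        if not enabled or emp not in roster:
            continue  # reported by orphaned_accounts instead
        allowed = matrix.get(roster[emp][0], set())
        found.extend((name, e) for e in sorted(ents - allowed))
    return found


def repeated_failures(log=AUTH_LOG, threshold=3):
    """((user, source), count) pairs with at least `threshold` failed logins."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return sorted((k, n) for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts())
    print("excess:", excess_entitlements())
    print("failures:", repeated_failures())
```

On the sample data the review surfaces rlee (separated but still enabled, and the target of a burst of failed logins from an external address), the ownerless svc_batch account, and jdoe's approval right, which an AP clerk's role does not justify. The failed-login finding is only a control if someone is assigned to follow it up, which is the second half of the slide's question.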
EDP General Controls Things Commonly Looked At … Physical Security
Is access to file servers, computers, etc. physically restricted?
Are the hinges on doors on the inside or outside?
Are there any water pipes or sprinkler systems located above sensitive computer equipment?
EDP General ControlsThings Commonly Looked At …
Is there a Business Continuity Plan (Disaster Recovery Plan)?
Is it up-to-date?
Has it been tested recently?
Ever been tested?
Continuity of Operations
EDP General ControlsThings Commonly Looked At …
Are there sufficient back up and recovery procedures on the main processing system?
Continuity of Operations
Are critical operations on personal computers backed up?
How often?
EDP General ControlsThings Commonly Looked At …
How fast does the vendor respond to the needs of the university?
Is the vendor dependable?
Vendor Relations
Types of Controls
EDP General Controls: Preventive, Detective or Directive
EDP Application Controls: Preventive, Detective or Directive
Types of Controls: EDP Application Controls
Are the programmed control procedures in application software (e.g. SCT products), and related manual procedures, designed to help ensure the completeness, accuracy, and authorization of data processed and stored
Types of Controls: EDP Application Controls
There are five categories of EDP Application Control Procedures:
Completeness and Accuracy of Input
Completeness and Accuracy of Updates
Authorization
Maintenance
Security
EDP Application Controls: Examples Include …
Computerized edit checks for data input into the system, e.g. “No ID for term selected”
Matching sales orders against a master file containing credit information, such as credit line limitations
Manual procedures to follow up on items listed in exception reports
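The three application-control examples above fit together as one processing path: programmed edit checks reject incomplete or inaccurate input, an authorization check matches each order against the credit master file, and everything that fails lands on an exception report for a person to follow up. The following is an added example, not code from the slides or from any SCT product; the record layout, the term codes, the credit master file and the batch are all constructed.

```python
"""Added example (not from the slides): edit checks, a credit master file match,
and an exception report, as one small batch-processing routine. All data and
field names are constructed."""

# Constructed credit master file: customer id -> credit limit and open balance
CREDIT_MASTER = {
    "C001": {"credit_limit": 5000.00, "open_balance": 1200.00},
    "C002": {"credit_limit": 1000.00, "open_balance": 950.00},
}

# Constructed table of valid term codes, the reference data behind the edit check
VALID_TERMS = {"2024SP", "2024FA"}

# Constructed input batch as it might arrive from a data-entry screen
INPUT_BATCH = [
    {"order_id": "S1", "customer_id": "C001", "term": "2024SP", "amount": "300.00"},
    {"order_id": "S2", "customer_id": "", "term": "2024SP", "amount": "120.00"},      # no customer id
    {"order_id": "S3", "customer_id": "C002", "term": "2024FA", "amount": "100.00"},  # would exceed limit
    {"order_id": "S4", "customer_id": "C009", "term": "2024FA", "amount": "50.00"},   # not on master file
    {"order_id": "S5", "customer_id": "C001", "term": "2023XX", "amount": "-5"},      # bad term, bad amount
]


def edit_checks(record):
    """Completeness and accuracy of input: field-level checks run before a
    record is accepted. Returns the list of edit messages (empty = passed)."""
    errors = []
    if not record.get("customer_id"):
        errors.append("No ID for term selected")
    if record.get("term") not in VALID_TERMS:
        errors.append("Invalid term code")
    try:
        amount = float(record.get("amount", ""))
        if amount <= 0:
            errors.append("Amount must be positive")
    except ValueError:
        errors.append("Amount not numeric")
    return errors


def credit_check(record, master):
    """Authorization: match the order against the credit master file.
    Returns a reason string if the order must not be accepted, else None."""
    customer = master.get(record["customer_id"])
    if customer is None:
        return "Customer not on master file"
    if customer["open_balance"] + float(record["amount"]) > customer["credit_limit"]:
        return "Order exceeds credit limit"
    return None


def process_batch(batch, master):
    """Run the programmed controls over a batch. Returns (accepted order ids,
    exception report rows). The report rows are what the manual follow-up
    procedure works from; 'status' is there so clearance can be evidenced."""
    accepted, exceptions = [], []
    for record in batch:
        errors = edit_checks(record)
        if not errors:  # only well-formed records reach the authorization check
            reason = credit_check(record, master)
            if reason:
                errors.append(reason)
        if errors:
            exceptions.append({"order_id": record["order_id"], "reasons": errors, "status": "open"})
        else:
            accepted.append(record["order_id"])
    return accepted, exceptions


if __name__ == "__main__":
    ok, report = process_batch(INPUT_BATCH, CREDIT_MASTER)
    print("accepted:", ok)
    for row in report:
        print("exception:", row["order_id"], "; ".join(row["reasons"]))
```

The ordering matters for the control design: the credit check only runs on records that passed the edit checks, so an order with a blank customer id is reported as an input error rather than as a spurious "not on master file". The "status" field on each exception row is the hook for the third example, the manual follow-up, since an auditor testing that procedure wants to see every open item cleared and by whom.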
Everyone at Northwestern has a role in regard to internal controls
Internal Controls: Responsibility For …
Roles will vary depending on level of responsibility and the nature of involvement by the individual
Internal Controls: Responsibility For …
A weak link in the organizational structure can create a weakness in the control system
Internal Controls: Responsibility For …
The management board is responsible for providing important oversight
Dr. Sally Clausen, President ULS
Internal Controls: Responsibility For …
The President is responsible for providing leadership and direction to Vice Presidents and Administrators
Dr. Randall J. Webb, President NSU
Internal Controls: Responsibility For …
The President, along with Vice Presidents and other senior administrators, is responsible for establishing the presence of …
Integrity
Ethics
Competence
Positive Control Environment
Internal Controls: Responsibility For …
The President, along with Vice Presidents and other senior administrators, is responsible for establishing major operating policies that form the foundation of the internal control system
Internal Controls: Responsibility For …
Vice Presidents are responsible for providing direction and oversight to senior administrators in major functional areas (e.g. colleges, departments, auxiliary operations and support services)
Internal Controls: Responsibility For …
Deans, directors, and department heads are responsible for executing those major institution-wide control policies and procedures
Internal Controls: Responsibility For …
Deans, directors, and department heads are responsible for designing and implementing control systems at detailed levels within their specific units
Internal Controls: Responsibility For …
Managers and other supervisory personnel are responsible for executing control policies and procedures at detailed levels within their specific units
Internal Controls: Responsibility For …
Each individual within a unit is responsible for being cognizant of proper internal control procedures associated with their specific job responsibilities
Internal auditors are responsible for examining the adequacy and effectiveness of the University’s internal controls, and making recommendations where control improvements are needed
Internal Controls: Responsibility For …
Internal auditors contribute to the effectiveness of the controls, but they are not responsible for establishing or maintaining them
Internal Controls: Responsibility For …
Internal auditors are a part of the internal control system, not the whole system
Internal Controls … And Internal Auditors
Internal Controls … And Internal Auditing
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
Internal Controls … And Internal Auditing
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization.
Internal Controls … And Internal Auditing
Assurance Services Examples Include …
Financial Engagements
Performance Engagements
Compliance Engagements
System Security Engagements
Due Diligence Engagements
Internal Controls … And Internal Auditing
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve the organization’s operations.
Internal Controls … And Internal Auditing
Consulting Services Examples Include …
Counsel
Advice
Facilitation
Process Design
Training
Internal Controls … And Internal Auditing
Internal Auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of …
Risk management
Control
Governance Processes
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Appraise the adequacy of the internal control system
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Verify the existence of University assets, noting whether or not the assets are properly safeguarded
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Identify operational opportunities for cost savings
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Perform agreed-upon procedures for clients (departments) that add value and improve operations of the overall organization
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Act as an in-house consultant on internal control matters
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Submit timely audit reports to management, encompassing audit findings and recommendations for corrective action
Internal Controls And Internal Auditors: Typical Internal Audit Functions …
Perform special projects or investigations as requested by management and board staff or as mandated by internal audit charter and IIA Code of Ethics
Internal Controls And Internal Auditors: Internal Auditors Should NOT …
Direct personnel to change work methods
Make financial or other operating decisions
Internal Controls And Internal Auditors: Internal Auditors Should NOT …
Direct personnel to take corrective action to audit recommendations
The adoption of audit recommendations is encouraged; however, acceptance of audit suggestions is the responsibility of operating management
THE END