5. Controls: Types and Frameworks (5% 6 MCQs) Flashcards
Section I – Proficient
Types of IC
Definition & Control Process
Overview of Control
Control Process:
- Set standards
- Measure performance
- Analyze and review
- Take corrective action
- Reassess standards
- Encourage Compliance: Use rewards.
Section I – Proficient
Types of IC
Definition & Control Process
Overview of Control
- Reasonable Assurance: Recognize that controls cannot provide absolute assurance, due to:
1. Human Judgment: Errors and biases.
2. Override of Controls: Bypassing by higher authority.
3. Collusion: Working together to bypass controls.
4. Cost-Benefit Analysis: Balancing costs and benefits, leading to some risks being accepted.
Section I – Proficient
Types of IC
Characteristics of Automated Process
Overview of Control
- Transaction Trail: Track history.
- Uniform Processing: Reduces errors.
- Segregation: Spread control; use extra safeguards if needed.
- Error and Fraud Risk: Limit access and human intervention.
- Management Supervision: Use analytical tools.
- Computer-Generated Transactions: Execute based on logic.
- Input/Output: Controls work best when computer processing is accurate; manual errors can affect control.
Section I – Proficient
Types of IC
Manual vs Automated
Overview of Control
Manual:
* Handles unique transactions,
* hard to predict misstatements due to complexity,
* adapts to changes,
* relies on how well automated systems work.
Automated:
* Manages high volume,
* predictable,
* needs high accuracy.
Section I – Proficient
Types of IC
Role of IA in Controls
Overview of Control
- Performance Standards:
* 2130: Ensure audit work meets performance expectations.
* 2130.A1: Evaluate and improve control effectiveness.
* 2130.C1: Maintain consistent and high-quality performance.
- Implementation Standards:
* 2210.AE: Implement and ensure effective auditing processes.
Section I – Proficient
Types of IC
Implementation Guidance 2130 - Controls
Overview of Control
- Controls: Reduce risks at all levels.
- Roles:
1. Management: Set and assess controls.
2. Auditors: Assure controls.
- Internal Auditors: Understand risks; use a control matrix.
- Cost-Benefit: Assess control efficiency.
- CAE: Promote improvements.
Section I – Proficient
Types of IC
Primary & Secondary Controls
Types of Control
Primary Controls:
- Preventive: Prevent issues.
- Detective: Find issues.
- Corrective: Fix issues.
- Directive: Guide actions.
Secondary Controls:
- Compensatory: Mitigate risks when primary controls fail.
- Complementary: Enhance primary controls.
Section I – Proficient
Types of IC
IT General & Application Controls
Types of Control
General:
* Access,
* development,
* changes,
* security,
* backups.
Application:
* Input: Authorization, validation, error alerts.
* Output: Screen accuracy, format, range, and balance checks.
* Processing: Manages concurrent processing.
* Integrity: Consistent data storage.
* Management Trails: Tracks processing history.
Section I – Proficient
Types of IC
Financial & Operational Controls
Types of Control
Financial Controls: Focus on accuracy and reliability of financial reporting, compliance with laws, and safeguarding assets.
Operational Controls: Aim to improve efficiency, effectiveness, and performance of operations.
Section I – Proficient
Types of IC
People & System Controls
Types of Control
People-Based Controls: Depend on human actions and judgment, such as supervision and approval processes.
System-Based Controls: Automated and built into systems, such as software validation and access controls.
Section I – Proficient
Types of IC
US - FCPA Act (Govt.)
Control Framework
Foreign Corrupt Practices Act
FCPA Act: Government regulation focusing on anti-bribery and accurate financial reporting.
Section I – Proficient
Types of IC
US - COSO (Private)
Control Framework
Committee of Sponsoring Organizations
- Internal Control: Ensures effective operations and compliance.
- Objectives: Manage risks in operations, reporting, compliance.
- Components:
1. Control Environment: Integrity and oversight.
2. Risk Assessment: Identify risks.
3. Control Activities: Mitigate risks.
4. Information: Adjust controls.
- Relationship: Align objectives and structure.
Section I – Proficient
Types of IC
Canada - CoCo Framework
Control Framework
Criteria of Control
CoCo Framework:
* Most suitable for internal auditing purpose.
* Components:
1. Purpose
2. Commitment
3. Capability
4. Monitoring and Learning
* Criteria: 20 criteria across these 4 components.
Section I – Proficient
Types of IC
UK - Combined Code
Control Framework
Guidelines for:
- Board Governance: Clear roles and oversight.
- Internal Controls: Effective risk management and accurate reporting.
- Audit Committees: Supervision of financial and audit processes.
- Risk Management: Identifying and managing risks.
- Disclosure: Transparent reporting to stakeholders.
It aims to enhance corporate governance and transparency.
Section I – Proficient
Types of IC
IT - COBIT
Control Framework
Control Objectives for Information and Related Technologies
Focus: IT supporting business operations.
COBIT 5 Principles:
1. Stakeholder Needs: Balance benefits, risk, resources.
2. End-to-End: Manage all information functions.
3. Integrated Framework: One compatible framework.
4. Holistic Approach: Integrate principles, processes, and people.
5. Governance vs. Management:
* Governance: Evaluate, direct, monitor.
* Management: Plan, build, run, monitor.
COBIT 2019 Updates:
* Principles: 6 principles (up from 5).
* Objectives: 40 objectives in 5 domains.
* Performance: Based on CMMI scheme.