Ch. 12 Test of Controls Flashcards
What is internal control defined as under CAS 315?
The system designed, implemented, and maintained by those charged with governance, management, and other personnel
What are the 5 interrelated components?
- control environment
- the entity’s risk assessment process
- the entity’s process to monitor the system of internal control
- the information system and communication
- control activities
What are the two types of controls?
Direct controls - controls that are precise enough to address risk of material misstatements at the assertion level
Indirect controls - controls that are not precise enough to prevent, detect, or correct at the assertion level but support other controls.
What are the different types of indirect internal controls?
Control environment - sets the tone of an entity, and reflects the overall attitude, awareness, and response of management
Entity’s risk-assessment process - the identification, analysis and management of risks relevant to the preparation of the financial statements
Monitoring controls - consist of policies and procedures designed to assess the quality of internal control performance over time
What are the different types of direct controls?
Information systems - consist of procedures and records designed and established specifically related to the usage of IT.
Communication
Control activities
Note: Because an internal control contains both manual and automated elements, the auditor must gain an understanding of which elements are automated or manual to assess the risk of material misstatements and the procedures to be performed
Note: Automated controls may be more reliable than manual controls, especially in:
- high volume recurring transactions
- controls where specific ways to perform the control can be designed and automated
How are information systems related to IT?
They have general IT controls such as:
- managing access: authentication, authorization, provisioning, deprovisioning, privileged access, user-access reviews, security configuration controls, physical access
- process to manage program or other changes to the IT environment: change management process, segregation of duties over change migration, systems development or acquisition or implementation, data conversion
- process to manage IT operations: job scheduling, job monitoring, back-up and recovery, intrusion detection.
What are the four layers that an auditor must consider when evaluating the general IT controls mentioned earlier?
- Applications - how general IT controls will correlate to the nature and extent of application functionality and the access paths allowed in the tech
- Database - General IT controls at the database layer address risks arising from the use of IT related to unauthorized updates
- Operating system - How general IT controls at the operating system layer address risk arising from the use of IT related to ADMIN access which can override other controls