Internal Control II Flashcards
What are the five types of controls?
- Authorisation
- Performance reviews
- Information processing controls
- Physical controls
- Segregation of duties
What is meant by authorisation?
– Activities and procedures to assure transactions and events are carried out by those with the appropriate authority.
– Set defined roles, responsibilities and adherence mechanisms for individuals within the organisation.
What is meant by performance reviews?
– Review or analysis of performance, comparing actual outcomes with those that were expected or planned.
What is meant by information processing controls?
– Work towards the accuracy, completeness and authorisation of transactions.
* Accuracy: data entered is correct and reflects actual recorded events.
* Completeness: all events are recorded.
* Authorisation (Validity): whether or not the events that occur are appropriately approved before being executed.
* Computerised information systems – aim to ensure transactions are properly authorised, recorded and completely processed in a timely manner.
– General controls: policies and procedures that support applications and application controls.
– Application controls: manual or automated procedures, at business process level, related to the processing of transactions by individual applications.
What is meant by physical controls?
– Controls put in place to physically protect the resources of the organisation, including protecting them from the risk of theft or damage.
What is meant by segregation of duties?
– Certain key functions should not be performed by the same person. Assign the execution, recording, custody, reconciliation and authorisation functions to different individuals.
– Also applies across the IT systems within the organisation.
What are the three controls classifications?
- Preventive – designed to stop errors or irregularities occurring.
- Detective – to alert those involved in the system when an error or anomaly occurs.
- Corrective – designed to correct an error or irregularity after it has occurred.
What is meant by proper authorisation?
– Appropriate authority given prior to the execution of transactions or the modification of the data.
What is meant by proper recording?
- Ensuring all data is recorded in the correct format and of the right type.
- The data accurately records the reality of the underlying transaction or event.
What is meant by completeness?
- Input completeness: all transaction events and required data are captured.
What is meant by timeliness?
– Data is captured, processed, stored and made accessible in a timely manner.
What are general controls?
Controls that relate across all the information systems in an organisation.
What are the different general controls?
– physical controls
– segregation of duties
– user access
– systems development procedures
– user awareness of risks
– data storage procedures
– security policies
What are physical controls?
Concerned with restricting access to the physical resources.
What is segregation of duties?
The separating of employee duties and responsibilities in a way that ensures that an individual employee cannot carry out a fraud without being detected.
What is user access?
– Logical access of users to the systems within the organisation.
What are systems development procedures?
– Maintenance and development of different information systems.
– Requires policies, procedures and restrictions.
What is user awareness of risks?
Security education, training and awareness (SETA) programs to ensure employees are aware of:
- Information system risks.
- Security threats and issues.
- Organisational security policies.
- The policies for detection of fraud.
What are data storage procedures?
– Information about customers, staff and intellectual property is stored on servers.
– Need to manage data storage risks (locally or in the cloud).
– Controls for data: data access logs, restriction of user privileges.
– Controls for backup: backup policies, offsite backup facilities, scheduling of backups and real-time backups if needed.
What are security policies?
– Information security policies to protect electronic resources.
* Document an organisation’s approach to security.
* Usually by following a framework and/or standard.
* Should be understood and used by all users.
What makes application controls and what activities do these relate to?
They are built around the operation of a particular process. They relate to the key system stages of input, processing and output.
When are internal controls used and what do they aim to do?
They are used on data as it enters the system. They aim to provide reasonable assurance about the accuracy, validity and completeness of data being entered.
Define the input control for data entry, standardised forms/preformatted screens.