IT Audit Process / Internal Controls [LG] Flashcards
What are the internal control system's main objectives?
- Safeguard assets
- Check the accuracy and reliability of accounting data
- Promote operational efficiency
- Enforce prescribed managerial policies
State examples of control activities
- Good audit trail
- Separation of duties
- Personnel policies
- Physical protection of assets
- Internal reviews & performance reports
What are the objectives of an internal audit?
(4 main)
To appraise:
- The organisation’s information systems
- The organisation’s internal control structure
- The extent of compliance to operating procedures, procedures & plans.
- The quality of performance by company personnel
What analysis should be done to ensure that controls outweigh the costs of implementing controls?
Cost-Benefit Analysis
Explain what preventative, corrective and detective controls are
Preventative - designed to prevent some potential problem from occurring when an activity is performed
Detective - discover the occurrence of adverse events such as operational inefficiency
Corrective - designed to remedy problems discovered through detective controls.
What are examples of enterprise level controls?
- Consistent policies and procedures
- Management’s risk assessment process
- Centralized processing and controls
- Controls to monitor results of operations
What are general controls?
General controls ensure that a company’s control environment is stable and well managed in order to strengthen the effectiveness of application controls.
What are application controls?
Application controls are designed to prevent, detect, and correct errors and irregularities in transactions as they flow through the input, processing, and output stages of data processing
What type of control is meant to prevent, detect and correct errors?
Application controls:
as info flows through input, processing and output
State specific examples of control procedures for each of these categories
1) Input controls
2) Processing controls
3) Output controls
Input controls:
i) data confirmation, observation and recording
ii) data transcription
iii) edit tests
Processing controls:
i) data access
ii) data manipulation
Output controls:
1) Activity (or proof) listings
2) Forms control - esp. cheque-writing.
3) Pre-numbered forms
What are the main objectives of general controls for IT systems?
- Access to programs and data is limited to authorized users
- Data and systems protected from change, theft, and loss
- Computer programs are authorized, tested, and approved before usage
What is the purpose of Application controls and how are they embedded in IT systems?
Prevent, detect, and correct errors and irregularities
Embedded in business process applications
What is the purpose of input controls, processing controls and output controls?
Input - Ensure validity, accuracy and completeness
Processing - Focus on manipulation of accounting data and contribute to a good audit trail
Output - Ensure validity, accuracy and completeness
What are the types of edit tests (used in input controls)?
Sign - always a positive e.g.
Consistency - All transactions from a particular office have same codes
Completeness - No blanks in required fields
Sequence - input data is in ascending/descending e.g.
Reasonableness - Data is reasonable e.g. employee worked 2000 hrs in a week
Valid codes - Cash = 10, credit = 50
Alphanumeric - both letters and numbers without special characters
Alphabetic - only letters
Numeric - only numbers
What are the internal system audit's objectives?
1) Security provisions protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
2) Program development and acquisition is performed in accordance with management’s general and specific authorization.
3) Program modifications have the authorization and approval of management
4) Processing of transactions, files, reports, and other computer records is accurate and complete.
5) Source data that is inaccurate or improperly authorized is identified and handled according to prescribed managerial policies.
6) Computer data files are accurate, complete, and confidential.