SU 5 Internal Control & IT Flashcards
What is internal control?
A process executed by mgmt, those charged with governance and others to provide reasonable assurance regarding:
1. Reliability of financial reporting
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations.
CRIME: Five components of internal control (defined by COSO and auditing standards)
- Control activities
- Risk assessment process
- Information systems
- Monitoring
- Control Environment
CRIME “control activities”
Control activities: Policies and procedures that help ensure that management derivatives are carried out
Authorization
Performance reviews
Information processing
Physical controls
Segregation of duties
CRIME: What is the risk assessment process?
Risk assessment process: 1.the entity’s identification and analysis of relevant risks. 2. Things that prohibit the entity from initiating authorizing, recording, processing and reporting data consistent with the FS assertions.
CRIME: information systems
Business processes that support the identification capture and exchange of information.
1. Physical and hardware elements
2. People
3. Software
4. Data
5. Manual and automated procedures
CRIME: monitoring of controls
Monitoring of controls: assesses the effectiveness of internal control over time.
CRIME: control environment
The control environment sets the tone for the organization. It includes
1. governance and management functions
2. attitudes awareness and actions of management and those charged with governance regarding internal control and its importance.
Internal control Fact
Internal control can only provide reasonable assurance that the entity’s objectives are met.
Internal control Fact 2
An auditor must obtain an understanding of internal control to:
1. identify and assess the RMM
2. design further audit procedures.
Evaluation of design
Considers whether a control can effectively prevent or detect and correct material misstatements.
Does GAAS require that the understanding of internal controls be documented?
Yes
Flowcharting
Flowcharting: a way to understand internal controls.
Includes: system flowchart, program flowchart, document flowchart
Flowcharts: system flowcharts
System flowchart: provides an overall view of the inputs, processes, and outputs of a system.
What does a Program flowchart do?
Represents the specific steps in a computer program and the order in which they will be carried out
What is a Document flowchart?
Shows the flow of documents through an entity
Batch processing
Transactions are accumulated and then processed as a single batch.
Batches are not released for processing unless the #of records reported by the system matches the # calculated by the user.
Online real time processing
Transactions are updated on the database immediately as they are entered instead of being done in batches.
General controls include
Controls over
1. data center and network operations
2. System Software acquisitions, change, and maintenance
3. Access security
4. Application system acquisition, Development and maintenance
Validity check
Tests identification numbers or transaction codes for validity by comparing it with items that are known to be correct or authorized.
Closed loop verification
Sends certain data back to the terminal for comparison with data originally sent by the operator.
Limit check
Determines whether a numerical amount exceeds a predetermined amount.
What are application controls?
- Input controls
- Processing controls
- Output controls over a particular application
What are the 2 basic processing modes?
- Batch
- online, real time
Components of the control environment
- Commitment to competence
- HR policies and practices
- Assignment of authority and responsibility
- Management’s philosophy and operating style
- Participation of those charged with governance
- Integrity and ethical values
- The Organizational Network
Monitoring involves
- Monitoring Ongoing activities
- Actions of IA
- Info from external parties like customers who complain
Auditors Primary consideration regarding internal controls
How the control impacts managements FS assertions.
In audit planning an auditors knowledge about internal controls is used to:
- Evaluate the design of controls
- Determine if the controls are implemented
This knowledge helps identify:
- Types of misstatements
- Factors that affect RMMs
- Design further audit procedures
Risk assessment procedures performed to obtain evidence about the design and implementation of relevant controls include:
- Inquiries
- Observations
- Inspection
- Tracing transactions
Fact
Mgmt is concerned with the efficiency of internal control. Auditors are concerned with its design and operating effectiveness.
Internal control effectiveness
Auditors obtain an understanding of internal control to design appropriate audit procedures not to express an opinion on internal control. No such opinion is expressed.
Crime: risk assessment
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New technology
New business models
Corporate restructuring
Expanded foreign operations
New accounting pronouncements
Changes in economic conditions