Group 5

The document discusses internal controls, which comprise policies, procedures, and practices to achieve objectives related to operational effectiveness, reliable financial reporting, and compliance with laws. It aims to safeguard assets, ensure accurate records, promote efficient operations, and ensure compliance with policies. Risks threaten an organization's ability to achieve goals, while exposure occurs when controls are absent or weak. The document then discusses various types of controls, including preventive, detective, corrective, physical, and general IT controls.

Internal control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

It comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1. To safeguard the assets of the organization;
2. To ensure the accuracy and reliability of accounting records and information;
3. To promote efficiency in the organization's operations;
4. To measure compliance with management's prescribed policies and procedures.
Inherent to these control objectives are four
modifying assumptions that guide designers and
auditors of internal control:
❑ Management responsibility
❑ Reasonable assurance
❑ Methods of data processing
❑ Limitations
o Possibility of error
o Circumvention
o Management override
o Changing conditions
RISKS are undesirable events and/or factors that threaten an organization's ability to achieve its goals.
Examples:
1. Destruction of assets (physical and information)
2. Fraud
3. System threats such as hackers and computer viruses.
EXPOSURE is when internal control is absent or weak, which increases the organization's risk.
Preventive controls:
❑ These are the passive techniques designed to reduce the frequency of occurrence of undesirable events.
❑ These force compliance with the prescribed or desired actions and thus screen out abnormal events.
❑ The majority of undesirable events can be blocked at this level.
Detective controls:
❑ These are the devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
❑ They reveal specific types of errors by comparing actual occurrences to pre-established standards.
Corrective controls:
❑ These are the actions taken to reverse the effects of errors detected at the previous level.
❑ If detective controls identify the anomalies or errors, corrective controls actually fix the problems.
The PDC (preventive, detective, corrective) control model is conceptually pleasing but offers little practical guidance for designing specific controls. For this, we need a more precise framework.
Internal Control Framework (five components):
❑ Control Environment: the control environment sets the tone for the organization and influences the control awareness of its management and employees.
❑ Risk Assessment: organizations perform risk assessment to identify, analyze, and manage risks relevant to financial reporting.
❑ Control Activities: the policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.
❑ Information & Communication: the quality of information the AIS generates impacts management's ability to take actions and make decisions in connection with the organization's operation.
❑ Monitoring: the process by which the quality of internal control design and operation can be assessed.
IT Controls:
❑ General Controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
❑ Application Controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
Physical Controls relate primarily to the human activities that trigger and utilize the results of performing accounting tasks. The six categories of physical controls are: Transaction Authorization, Segregation of Duties, Supervision, Accounting Records, Access Control, and Independent Verification.
❑ TRANSACTION AUTHORIZATION
Ensures that all material transactions processed by the information system are valid and in accordance with management's objectives.

❑ SEGREGATION OF DUTIES
One of the most important control activities; it minimizes incompatible functions among employees' duties.

❑ SUPERVISION
In small organizations, or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.

❑ ACCOUNTING RECORDS
These records capture the economic essence of transactions and provide an audit trail of economic events.

❑ ACCESS CONTROL
Ensures that only authorized personnel have access to the firm's assets. Unauthorized access exposes assets to misappropriation, damage and theft.

❑ INDEPENDENT VERIFICATION
Procedures that check the accounting system to identify errors and misrepresentations. Through these, management can assess the performance of individuals, the integrity of the transaction processing system and the correctness of data contained in accounting records.
General controls begin with a security policy, a comprehensive plan that helps protect an enterprise from both internal and external threats.
1. Integrated Security for the Organization
Physical security refers to any measures that an organization uses to protect its facilities, resources, or its proprietary data that are stored on physical media.
Logical security uses technology to limit access to the organization's systems and information to only authorized individuals.
PHYSICAL CONTROLS
❑ facility monitoring (surveillance systems, cameras, guards, exterior lighting)
❑ access controls to facilities/data center/computers (biometrics, access cards)
❑ alarm systems (fire, burglar, water, humidity, power fluctuations)
❑ shred sensitive documents
❑ proper storage/disposal of hard drives and other electronic storage media
❑ secure storage of backup copies of data and master copies of critical software
LOGICAL CONTROLS
❑ e-IDs and passwords (system authentication)
❑ biometrics
❑ logs of logon attempts
❑ application-level firewalls
❑ anti-virus and anti-spyware software
❑ intrusion detection systems
❑ encryption for data in transit
❑ smart cards
2. Organization-Level, Personnel, File Security Controls
Organization-level controls include management's ethical values, philosophy, assignment of authority and responsibility, and the effectiveness of the board of directors.

General controls within IT environments that affect personnel include: separation of duties, use of computer accounts, and informal knowledge of employees.

The purpose of file security controls is to protect computer files from either accidental or intentional abuse.
3. Fault-Tolerant Systems, Backup, and Contingency
Organizations use fault-tolerant systems to deal with computer errors and keep functioning so that data is accurate and complete.

Because of the risk of losing data before, during, or after processing, organizations have an even greater need to establish backup procedures for their files.
4. Planning and Computer Facility Controls
Organizations develop and test business continuity plans to be reasonably sure that they will be able to operate in spite of any interruptions, such as power failures, IT system crashes, natural disasters, supply chain problems, and others.

Some computer facility controls that prevent both unintentional and intentional physical harm:
a) Locate Data Processing Centers in Safe Places
b) Limit Employee Access to Computers
The major objectives of an organization's IT controls are to provide reasonable assurance that:

✓ Development of, and changes to, computer programs are authorized, tested, and approved before their usage;

✓ Access to programs and data is granted only to authorized users, to increase the likelihood that processed accounting data are accurate and complete.
IT general controls involve:
✓ Security for Wireless Technology
Virtual Private Network (VPN): a security appliance that runs behind a university's (or a company's) firewall and allows remote users to access entity resources by using wireless, handheld devices.

Data encryption: it can be used to prevent a company's competitors from electronically monitoring confidential data transmissions.
IT general controls involve:
✓ Controls for Hardwired Network Systems
- Control problems for companies include electronic eavesdropping, hardware or software malfunctions causing computer network system failures, and/or errors in data transmission.
IT general controls involve:
✓ Security and Controls for Microcomputers
Most risks associated with AISs result from errors, irregularities or fraud, and from general threats to security (such as a computer virus).
Risks that are unique to the microcomputer are:
Hardware - microcomputers can be easily stolen or destroyed.
Data and software - easy to access, modify, copy or destroy; therefore they are difficult to control.
The purpose of application controls is to prevent, detect, and correct errors and irregularities in processing transactions.

Application controls are those controls that are embedded in business process applications.

The three major stages of data processing work are accumulating the input data, processing the data, and reporting the processed data in some form of output.

Application controls are accordingly divided into Input Controls, Processing Controls, and Output Controls.

Input controls help ensure the validity, accuracy, and completeness of the data entered into an AIS. It is usually cost effective to test input data for the attributes of validity, accuracy, and completeness as early as possible.
Input application controls fall into three categories:
(1) Observation, recording, and transcription of data
feedback mechanisms, dual observation, point-of-sale (POS) devices, preprinted recording forms
(2) Edit tests
input validation routines
(3) Additional input controls.
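To make the edit tests of category (2) concrete, here is an added example (not code from the original slides) that runs completeness, field, sign, limit and validity checks over constructed sales-order records; the record layout, the customer master file, the limits and the error messages are all assumptions.

```python
# Added example (not from the original slides): edit tests, the "input
# validation routines" listed under input controls. Layout and limits assumed.

# Constructed master file: customer numbers the AIS already knows.
VALID_CUSTOMERS = {"C1001", "C1002", "C1003"}
REQUIRED_FIELDS = ("order_no", "customer", "item", "qty", "unit_price")
MAX_QTY = 1000              # assumed reasonableness limit for one order line
MAX_LINE_VALUE = 50_000.0   # assumed limit on qty * unit_price


def edit_tests(rec):
    """Run edit tests on one sales-order record and return the list of
    error messages; an empty list means the record passes input control."""
    errors = []
    # Completeness check: every required field present and non-blank.
    for field in REQUIRED_FIELDS:
        if not str(rec.get(field, "")).strip():
            errors.append(f"missing {field}")
    if errors:
        return errors  # the remaining tests are meaningless on partial data
    # Field (numeric) check: qty must be an integer, unit_price a number.
    try:
        qty = int(rec["qty"])
        price = float(rec["unit_price"])
    except (TypeError, ValueError):
        return ["qty or unit_price not numeric"]
    # Sign check: a negative quantity or price is never valid on an order.
    if qty <= 0 or price < 0:
        errors.append("qty must be positive and unit_price non-negative")
    # Limit and reasonableness checks.
    if qty > MAX_QTY:
        errors.append(f"qty {qty} exceeds limit {MAX_QTY}")
    if qty * price > MAX_LINE_VALUE:
        errors.append("line value exceeds reasonableness limit")
    # Validity check: the customer must exist in the master file.
    if rec["customer"] not in VALID_CUSTOMERS:
        errors.append(f"unknown customer {rec['customer']}")
    return errors


def screen_batch(records):
    """Split a batch into accepted records and (record, errors) rejects,
    so bad data is caught before it reaches the processing stage."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_tests(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected
```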

Processing controls focus on the manipulation of accounting data after they are input to the computer system. An important objective of processing controls is to contribute to a good audit trail.
Processing application controls are of two types:
(1) Data-access control totals
batch control total, financial control total, nonfinancial control total, hash total, record count

(2) Data manipulation controls
software documentation, i.e. flow charts and diagrams; compiler; test data
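The control totals of type (1), worked through as an added example (not code from the original slides): the four totals are recorded on a batch header at input and recomputed after processing, and any total that disagrees points to a record that was dropped, duplicated or altered. The payroll record layout and the sample values are constructed for the example.

```python
# Added example (not from the original slides): batch control totals as a
# processing control. Record layout and batch-header fields are assumptions.


def control_totals(batch):
    """Compute the control totals the slides list for a batch of payroll
    records: record count, financial total (net pay), nonfinancial total
    (hours) and hash total (sum of employee numbers, which has no business
    meaning and exists only to detect dropped or altered key fields)."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r["net_pay"] for r in batch), 2),
        "nonfinancial_total": sum(r["hours"] for r in batch),
        "hash_total": sum(r["employee_no"] for r in batch),
    }


def reconcile(header, batch):
    """Compare the totals written to the batch header at data entry with
    totals recomputed after processing; return the names of the totals that
    disagree (an empty list means the batch reconciles)."""
    actual = control_totals(batch)
    return [name for name in header if header[name] != actual[name]]


# Constructed batch exactly as it was entered.
ENTERED = [
    {"employee_no": 1041, "hours": 40, "net_pay": 1520.00},
    {"employee_no": 1042, "hours": 38, "net_pay": 1444.00},
    {"employee_no": 1057, "hours": 40, "net_pay": 1610.50},
]
HEADER = control_totals(ENTERED)  # stored with the batch at input time

# Constructed processing errors. In TRANSPOSED, employee 1057 became 1075:
# count, hours and pay all still agree, so only the hash total catches it.
TRANSPOSED = [dict(r, employee_no=1075) if r["employee_no"] == 1057 else r
              for r in ENTERED]
# In DROPPED, the second record was lost; every total disagrees.
DROPPED = [r for r in ENTERED if r["employee_no"] != 1042]

if __name__ == "__main__":
    print("entered   :", reconcile(HEADER, ENTERED))     # []
    print("transposed:", reconcile(HEADER, TRANSPOSED))  # ['hash_total']
    print("dropped   :", reconcile(HEADER, DROPPED))
```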

The objective of output controls is to ensure the output's validity, accuracy, and completeness.
Output application controls are of two types:
(1) Validation of processed results
activity (or proof) listings

(2) Regulating the distribution and use of printed output
prenumbered forms, authorized distribution list, shredding sensitive documents
Thank You
GROUP 5: ARBIOL, JANICE; ASIS, ANALIZA; DELVOGADO, KIMBERLY; JAVIER, JONALYN; SABALO, JAQUELYN