Lecture 3 Control Objectives (Cobit)

The document discusses the COBIT framework for IT governance and control. It provides an overview of COBIT, including its objectives, components, benefits, and why the COBIT 5.0 version is important. COBIT helps organizations link business goals to IT processes, providing metrics and maturity models. It includes control objectives and management guidelines to measure performance and responsibilities. COBIT is a recognized global standard that can be applied across industries to increase IT governance and reduce risks.

Uploaded by jpaul42391

CONTROL OBJECTIVES

NEED FOR CONTROL

EFFECT OF COMPUTERS ON INTERNAL AUDIT

• changes in the audit trail and audit evidence;
• changes in the internal control environment;
• new opportunities and mechanisms for fraud and error; and
• new audit procedures.
RESPONSIBILITY OF CONTROLS
• Develop and implement appropriate, cost-effective internal control for results-oriented management;
• Assess the adequacy of internal control in programs and operations;
• Separately assess and document internal control over information systems consistent with the information security policy of the organization;
• Identify needed improvements;
• Take corresponding corrective action; and
• Report annually on internal control through management assurance statements.
COST EFFECTIVENESS OF CONTROL PROCEDURE
• The benefit of an internal control must not exceed its cost
CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
• COBIT is a framework for IT management and governance created by the Information Systems Audit and Control Association (ISACA).
• COBIT was designed to act as a supportive tool for managers and to bridge the gap between business risks, technical issues, and control requirements.
• It is a recognised guideline that can be applied to any organisation or industry; it supports quality assurance, control, and the reliability of information systems, which is an essential aspect of modern business.
What is the COBIT Framework?

• Linking business goals and processes with the IT infrastructure is one of the main objectives of COBIT.
• It provides various metrics and maturity models used to measure IT processes’ achievement while identifying the associated business responsibilities.
• COBIT 4.1 is a process-based model that can be subdivided into four domains:
  • Planning and Organising
  • Delivering and Support
  • Acquiring and Implementing
  • Monitoring and Evaluating

• COBIT has a high position and is recognised alongside several international standards and frameworks such as CMMI, COSO, TOGAF, ITIL, PRINCE2, PMBOK, and ISO 2700.
• It merges all of these under one umbrella by acting as a guideline integrator.
• In April 2012 the latest version, COBIT 5, was released; it consolidates the principles of COBIT 4.1, Val IT 2.0, and the Risk IT framework. It also draws on ISACA’s IT Assurance Framework (ITAF) and ISACA’s business model for information security.
Components

• Framework: helps the organisation bring best practices into its IT processes and organise the objectives of IT governance while linking them to business requirements.
• Process Descriptions: a reference model that acts as a common language for the entire organisation; the process descriptions cover building, planning, running, and monitoring the IT processes.
• Control Objectives: a complete list of requirements that are considered for management and effective control of IT in the business.
• Maturity Models: assess the capability of every process and identify gaps, if any.
• Management Guidelines: allow performance to be measured, common objectives to be agreed upon, responsibilities to be assigned more clearly, and the interrelationships between processes to be illustrated.
• COBIT is used by all organisations whose primary responsibility is business process and technology, i.e., all organisations that depend on technology for their informational needs. The private sector and government both use COBIT to make the IT process more sensible and accountable.
Why COBIT 5.0 wins
• Covers the enterprise end-to-end
• Meets the needs of the stakeholders
• Ensures a holistic approach to business decision making
• Separates governance from management
• Applies a single integrated framework
Hence it reduces the risk of IT implementations, which typically require a quick and agile approach and adaptation while simultaneously needing regular buy-in from stakeholders and other users.
• It has also brought a collaborative culture into the organisation. This ensures that the risks, needs, and benefits of all IT initiatives are better understood.
The Advantages of a Certification

• A certification not only prepares a professional for the global challenges they may face but also delivers expert knowledge in the following areas:
  • How to establish the five basic principles along with the other enablers
  • How IT management issues can affect organisations
  • The principles of enterprise IT and governance, including the difference between governance and management
  • COBIT 5.0 with respect to the goals cascade and the process reference model
Benefits of COBIT

• An individual who understands the nuances of IT governance in business management practices is best suited to COBIT methodologies.
• Learning more about COBIT will be beneficial for:
  • Risk Committee
  • CIOs / IT Directors / IT Managers
  • Process Owners
  • Audit Committee Members
  • IT professionals in the governance, security, audit, and risk management sectors
  • Users of COBIT 4.1 and earlier
• With the advent of technology, we can now ensure that a large volume of data and information is managed well. This has increased the success of businesses but has also increased security risk. Newer businesses demand that these risks be managed better with the power of information, and COBIT 5.0 is the solution. …. cloud computing, social media, information security and IT, big data….
Summary
• COBIT, which consolidates standards from 36 different sources into a single framework, is having a big impact on the information systems profession.
• It is helping managers learn how to balance risk and control investment in an information system environment.
• It provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate.
• It guides auditors as they substantiate their opinions and as they provide advice to management on internal controls.
INFORMATION SYSTEMS CONTROL TECHNIQUES
• Ensure that the business objectives are achieved and that undesired risk events are prevented, or detected and corrected.
• This is achieved by designing an effective information control framework, comprising policies, procedures, practices, and organisation structure, that gives reasonable assurance that the business objectives will be achieved.
• When reviewing a client’s control systems, the auditor will be able to identify three components of internal control. Each component is aimed at achieving different objectives.
• The information systems auditor will be most familiar with:
  • Accounting controls: safeguard the client’s assets and ensure the reliability of the financial records;
  • Operational controls: deal with the day-to-day operations, functions and activities to ensure that the operational activities are contributing to business objectives;
  • Administrative controls: concerned with ensuring efficiency and compliance with management policies, including the operational controls.
Auditor’s categorisation of controls
• Financial or accounting controls are examined to see if they reduce the likelihood of the financial statements containing material errors.
• Controls are also categorised depending on when they act:
  i. Preventive Controls: inputs designed to prevent an error, omission or malicious act from occurring. An example of a preventive control is the use of passwords to gain access to a financial system. The broad characteristics of preventive controls are:
    a. a clear-cut understanding of the vulnerabilities of the asset;
    b. an understanding of the probable threats;
    c. provision of the controls necessary to stop probable threats from materialising.
  ii. Detective Controls: designed to detect errors, omissions or malicious acts that have occurred and to report the occurrence.
  iii. Corrective Controls: designed to reduce the impact of, or correct, an error once it has been detected.
  iv. Compensatory Controls: designed to reduce the probability of threats that can exploit the vulnerabilities of an asset and cause a loss to that asset.
In design, the cost of the lock should not be more than the cost of the assets it protects.

Audit Trails: audit trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit trails provide an important detective control that helps accomplish security policy objectives.
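The slides above describe preventive, detective and corrective controls in the abstract and then present the audit trail as a detective control. The following added example (not from the lecture or from COBIT itself) puts the three categories side by side in code: the password check is the preventive control the slides mention, every attempt is written to an audit trail that records events at the user and system level, a detective check reads that trail for repeated failures, and a corrective step acts on what was detected. The credential store, usernames, passwords and timestamps are all constructed for the illustration; the threshold and time window are assumed values.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store (salted SHA-256 for brevity; real systems use a slow KDF).
def _hash(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"alice": ("s1", _hash("correct horse", "s1"))}
LOCKED = set()  # accounts disabled by the corrective control

class AuditTrail:
    """Append-only log of events recorded at the system, application or user level."""
    def __init__(self):
        self.records = []
    def record(self, level, user, event, ts):
        self.records.append((ts, level, user, event))

def login(trail, user, password, ts):
    """Preventive control: the password gate the lecture gives as its example.
    Every attempt, successful or not, is written to the audit trail."""
    ok = False
    if user in USERS and user not in LOCKED:
        salt, expected = USERS[user]
        ok = hmac.compare_digest(_hash(password, salt), expected)
    trail.record("user", user, "login_ok" if ok else "login_failed", ts)
    return ok

def detect_bruteforce(trail, threshold=3, window=60):
    """Detective control: users with >= threshold failed logins within `window` seconds."""
    failures, flagged = defaultdict(list), set()
    for ts, _, user, event in trail.records:
        if event == "login_failed":
            failures[user].append(ts)
            if len([t for t in failures[user] if ts - t <= window]) >= threshold:
                flagged.add(user)
    return flagged

def lock_flagged(trail, ts):
    """Corrective control: disable the accounts the detective control reported,
    and record that system-level action in the same trail."""
    flagged = detect_bruteforce(trail)
    for user in flagged:
        LOCKED.add(user)
        trail.record("system", user, "account_locked", ts)
    return flagged
```

Note that the corrective step is itself logged: the audit trail then shows both the incident and the response, which is what an auditor reviewing the control will want to see.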
Audit Trail Objectives
