Internal Control2

This chapter discusses internal controls, including the five components of COSO (control environment, control activities, risk assessment, information and communication, and monitoring). It describes how control activities involve evaluating assertions made in financial statements and assessing related risks. Examples of risks in a sales process are provided. Control activities are further classified into authorization, performance reviews, information processing, physical controls, and segregation of duties. The chapter also discusses preventive, detective, corrective, input, processing and output controls as well as general and application controls. Key terms covered include various types of controls, disaster recovery plans, and the effectiveness and limitations of internal controls.

Internal Controls II

Components in COSO
• Control environment
• Control activities (this chapter)
• Risk assessment
• Monitoring
• Information and Communication

Control activities, business processes & accounting
• Financial statements make a series of assertions about the events that have taken place and the balances that are presented
• Applying internal controls involves an evaluation of these assertions coupled with a risk assessment
Control activities, business processes & accounting
• Once a risk has been identified it needs to be evaluated
• Example: a sales process requiring that a sales order form be filled in and entered into the computer at the end of the day; the risks are
– incorrect details being recorded on the form
– form lost/damaged
– data being entered incorrectly
– computer being unavailable
– computer being hacked
Types of Control Activities
• Australian Auditing Standard ASA 315
classifies controls into five types:
– Authorization
– Performance reviews
– Information processing controls
– Physical controls
– Segregation of duties
Types of Control Activities
• Authorization: ensuring users have correctly
defined access to information within a system
and that transactions are executed and
recorded by people with the appropriate
authority

Types of Control Activities
• Performance review: activities that involve some form of review or analysis of performance
– Comparison of actual and budgeted figures
– Comparison of two sets of data
• Information processing controls: controls put in place within the organization to work towards the accuracy and completeness of transactions. Can be classified as either general or application controls
– Accuracy: ensuring that data entered into the system are correct and reflect the actual events
– Completeness: ensuring that all events that occur are recorded
Types of Control Activities
• Physical controls: controls that are put in place to physically protect the resources of the organization
• Segregation of duties: the concept that certain key functions should not be performed by the same person
Other classification schemes
Two broad control classifications:
– Preventive, detective & corrective
– Input, processing and output controls
Preventive & detective controls
• Preventive controls are designed to stop errors or irregularities occurring
– Input controls
• Detective controls will not prevent errors from occurring but rather alert those using the system to errors and anomalies
– Reconciliations
– Batch totals
– Independent reviews
Corrective Controls
• Corrective controls are designed to correct an error or irregularity after it has occurred
– Disaster recovery plan
– Virus protection software (corrective in its quarantine and removal function; its scanning is a detective control)
Input, processing & output controls
• Input controls: are designed to detect errors or irregularities at the time data are first entered into the system
• Processing controls: are put in place to detect any errors or irregularities during the processing of data
• Output controls: are designed to protect the outputs of the system
Aims of a Computerised AIS
• Proper authorisation
– Appropriate authority given prior to the
execution of transactions or the modification of
software

• Proper recording
– Input validity
– Input accuracy
Aims of a Computerised AIS
• Completeness
– Ensuring all transaction events and all required data
relating to those events are captured within the
system
• Timeliness
– Ensuring data are captured, processed, stored and
made accessible in a timely manner, to enable the
production of useful information for system users
– Options for the processing of data
• Batch processing
• Online real-time data processing
• Online data gathering and batch processing
General Controls
• General controls are those that relate across
all the information systems in an organisation.
They include:
– Physical controls
– Segregation of duties
– User access
– Systems development procedures
– User awareness of risks
– Data storage procedures
Physical Controls
• Physical controls are concerned with
restricting access to physical resources
– Locked discrete computing premises
– Swipe card access
– Biometric access controls
– Onsite security
– Security cameras
Segregation of Duties
Segregation of duties: involves the separating
of employee duties and responsibilities in a
way that ensures that an individual employee
cannot carry out a fraud without being
detected
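A detective check for segregation of duties, added here as an example and not part of the lecture slides. It replays a constructed purchasing log and flags transactions in which one user performed two duties that the policy says must be separated, and it also catches role grants that already combine conflicting duties before any transaction happens. The duty names, the conflict pairs, the sample accounts and the log lines are all assumptions made for the example.

```python
"""Segregation-of-duties checks over a constructed purchasing log.

Added example; not from the lecture slides. Duty names, the conflict policy
and the sample data are all assumptions made for the illustration.
"""
from collections import defaultdict

# Pairs of duties that must never be performed by one person on the same
# transaction (assumed policy).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}

# Constructed role grants: carol already holds a conflicting pair.
ROLE_GRANTS = {
    "alice": {"enter_invoice"},
    "bob": {"approve_payment"},
    "carol": {"create_vendor", "approve_payment"},
    "dave": {"release_payment"},
}

# Constructed transaction log: (transaction id, user, duty performed).
TX_LOG = [
    ("PO-1001", "alice", "enter_invoice"),
    ("PO-1001", "bob", "approve_payment"),
    ("PO-1001", "dave", "release_payment"),
    ("PO-1002", "alice", "enter_invoice"),
    ("PO-1002", "alice", "approve_payment"),   # alice approves her own entry
    ("PO-1003", "carol", "create_vendor"),
    ("PO-1003", "carol", "approve_payment"),   # vendor creator approves payment
]


def conflicts_in(duties):
    """Return the conflicting duty pairs that are fully contained in `duties`."""
    return {pair for pair in CONFLICTING_DUTIES if pair <= set(duties)}


def check_role_grants(grants):
    """Preventive check: users whose standing role grants combine conflicting duties."""
    return {
        user: sorted(tuple(sorted(p)) for p in conflicts_in(duties))
        for user, duties in grants.items()
        if conflicts_in(duties)
    }


def check_transaction_log(log):
    """Detective check: per transaction, did one user perform conflicting duties?

    Returns a sorted list of (transaction id, user, (duty, duty)) findings.
    """
    duties_by_tx_user = defaultdict(lambda: defaultdict(set))
    for tx_id, user, duty in log:
        duties_by_tx_user[tx_id][user].add(duty)

    findings = []
    for tx_id, users in duties_by_tx_user.items():
        for user, duties in users.items():
            for pair in conflicts_in(duties):
                findings.append((tx_id, user, tuple(sorted(pair))))
    return sorted(findings)


if __name__ == "__main__":
    print("conflicting grants:", check_role_grants(ROLE_GRANTS))
    for finding in check_transaction_log(TX_LOG):
        print("SoD violation:", finding)
```

Both checks are needed: the grant check is preventive and cheap, but a user can still end up performing two duties on one transaction through delegation, shared credentials or management override (one of the limitations listed later in the chapter), which only the log replay will reveal.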
User access
• User access: relates to the access of users to the systems within the organisation. A key issue is having appropriate secure passwords
– Password format (length and character classes)
– Password life (maximum age before a change is required)
– Password uniqueness (no reuse of recent passwords)
– Handling of unsuccessful logins (lockout after repeated failures)
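A small implementation of the four password controls listed above (format, life, uniqueness and handling of unsuccessful logins), added here as an example and not part of the slides. The thresholds, the `Account` class and the sample account are assumptions made for the example; times are passed in explicitly so the behaviour is deterministic. One caveat the slides predate: NIST SP 800-63B now advises against forcing periodic password changes unless compromise is suspected, so the expiry rule is included to match the slide's "password life" item, not as a recommendation.

```python
"""Password-policy and failed-login controls for user access.

Added example; not from the lecture slides. The thresholds and the sample
account are assumptions. Times are passed in explicitly so the behaviour is
deterministic; a real system would read the clock.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12            # password format: minimum length
MIN_CLASSES = 3            # password format: character classes required
MAX_AGE_DAYS = 90          # password life
HISTORY_DEPTH = 5          # password uniqueness: recent passwords that cannot be reused
MAX_FAILURES = 5           # unsuccessful logins before lockout
LOCKOUT_SECONDS = 15 * 60  # lockout duration
PBKDF2_ROUNDS = 100_000

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_format(password):
    """Return the list of format rules the password breaks (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES) < MIN_CLASSES:
        problems.append("needs %d character classes" % MIN_CLASSES)
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []          # (salt, digest) pairs, most recent last
        self.changed_at = now
        self.failures = 0
        self.locked_until = 0.0
        problems = self.set_password(password, now)
        if problems:
            raise ValueError("initial password rejected: %s" % problems)

    def set_password(self, new_password, now):
        """Apply format and uniqueness rules; store the new hash only if they pass."""
        problems = check_format(new_password)
        if any(verify_password(new_password, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            problems.append("reused recent password")
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        self.changed_at = now
        return []

    def password_expired(self, now):
        return now - self.changed_at > MAX_AGE_DAYS * 86400

    def login(self, password, now):
        """Return 'locked', 'denied', 'expired' or 'ok'."""
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if not verify_password(password, salt, digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
            return "denied"
        self.failures = 0
        return "expired" if self.password_expired(now) else "ok"
```

The lockout check runs before the password is verified, so a locked account returns the same answer for a correct and an incorrect password and gives an attacker no oracle during the lockout window.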

System development procedures
• Provides a set of policies and procedures for
design and implementation of new software
or systems
– Who can initiate and execute the development
and installation

Risk Awareness & Data Storage
• Organisations need to ensure that the users of a system are aware of the security threats & risks and that organisational policies are followed
• Data is one of an organisation's most valuable resources. Appropriate data storage policies need to be implemented:
– Restrictions on access
– Offsite backup is critical
Application Controls – Input Controls
• Standardised forms
• Prenumbered documents
• Sequence Checks
• Turnaround documents
• Data entry routines
• Automated form completion
• Transaction authorisation procedures
• Batch totals
• Independent review
Application Controls – Processing Controls & Output Controls
Processing Controls
– Run-to-run totals
– Reconciliations
– Batch totals
– Sequence checks
– Hash totals
Output Controls
– Database queries
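The batch total, hash total, sequence check and run-to-run total named in the two lists above (the input controls list and the processing controls list) worked through on a constructed batch of prenumbered sales orders. This is an added example, not code from the slides; the order data, the clerk's manual control totals and the function names are assumptions. It also shows the failure mode that matters in practice: a record count alone does not catch a lost form when another form is keyed twice, while the amount total, the hash total and the sequence check do.

```python
"""Input and processing controls over a batch of prenumbered sales orders.

Added example; not from the slides. The order data are constructed for the
example. Implements batch (control) totals, a hash total, a sequence check
on prenumbered forms, and a run-to-run comparison between input and posting.
"""
from collections import Counter

# Control totals the clerk computed by hand from the five paper forms 501-505
# before keying them in: (record count, amount total, hash total of customer numbers).
MANUAL_TOTALS = (5, 555.75, 5761)

# What was actually keyed in: form 504 was lost and form 505 was keyed twice.
ENTERED = [
    {"order_no": 501, "customer": 1042, "amount": 250.00},
    {"order_no": 502, "customer": 1177, "amount": 80.50},
    {"order_no": 503, "customer": 1042, "amount": 125.25},
    {"order_no": 505, "customer": 1300, "amount": 40.00},
    {"order_no": 505, "customer": 1300, "amount": 40.00},
]

# The batch as it should have been entered (504 recovered, duplicate removed).
CORRECTED = ENTERED[:3] + [
    {"order_no": 504, "customer": 1200, "amount": 60.00},
    {"order_no": 505, "customer": 1300, "amount": 40.00},
]


def batch_totals(orders):
    """Recompute (record count, amount total, hash total) from a list of orders.

    The hash total sums a field with no arithmetic meaning (customer number);
    it exists only so that a dropped, duplicated or altered record changes it.
    """
    count = len(orders)
    amount_total = sum(o["amount"] for o in orders)
    hash_total = sum(o["customer"] for o in orders)
    return count, amount_total, hash_total


def compare_totals(expected, orders):
    """Return the names of the control totals that do not agree (empty if all agree)."""
    names = ("record_count", "amount_total", "hash_total")
    actual = batch_totals(orders)
    return [n for n, e, a in zip(names, expected, actual) if e != a]


def sequence_check(orders):
    """Return (missing, duplicated) order numbers within the batch's own number range."""
    counts = Counter(o["order_no"] for o in orders)
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def post_to_ledger(orders, fail_on=None):
    """Processing step: post each order; `fail_on` simulates a record lost during posting."""
    return [o for o in orders if o["order_no"] != fail_on]


def run_to_run_check(input_totals, posted):
    """Compare totals carried forward from input with totals recomputed after posting."""
    return compare_totals(input_totals, posted)


if __name__ == "__main__":
    print("input control:", compare_totals(MANUAL_TOTALS, ENTERED))   # ['amount_total', 'hash_total']
    print("sequence:", sequence_check(ENTERED))                         # ([504], [505])
    totals_in = batch_totals(CORRECTED)
    print("run-to-run ok:", run_to_run_check(totals_in, post_to_ledger(CORRECTED)))        # []
    print("run-to-run bad:", run_to_run_check(totals_in, post_to_ledger(CORRECTED, 503)))  # all three
```

The run-to-run total is the same arithmetic applied at a later stage: the totals struck at input are carried forward and recomputed after posting, so a record lost between the two stages shows up even though each stage balanced on its own.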
Disaster Recovery Plans
• Disaster recovery plan: the strategy that the organisation will put into action, in the event of a disaster that disrupts normal operations, to resume operations as soon as possible and recover data that relate to its processes
• Key provisions include:
– Provisions for temporary sites (hot site vs cold site)
– Staffing (evacuation procedure, role of staff)
– Restoring business relationships
Execution of Internal Control
• The consideration of control execution, whether manual or computerised, is important, since manual and computerised controls have different characteristics that affect their effectiveness within the organisation
– Manual controls:
• Prone to human error
• Can handle irregularities
– Computer controls:
• Are consistent
• Rely on a sound control environment & general controls
Documenting Controls
• Once controls are established it is essential to
ensure that documentation outlines how
these controls operate

• Methods of documentation:
– Narrative descriptions
– Questionnaires and checklists
– Flowcharts
– Control matrix
The Limitations of Controls
• CPA Australia identifies five reasons an
internal control system does not provide 100%
assurance that an organisation’s objectives
will be achieved
– Judgement error
– Unexpected transactions
– Collusion
– Management override
– Weak internal controls
Threats To Internal Controls
– Management incompetence
– External factors
– Fraud
– Regulatory environment
– Information technology
Overview of Chapter 8
• The relationship between accounting and control activities was established
• Internal controls were identified and classified
• The aims of a computerised accounting information system were outlined
• The components and importance of a disaster recovery plan were discussed
Overview of Chapter 8
• The manner in which control activities are executed was overviewed
• Methods of documenting controls were considered
• The effectiveness and limitations of a control system were evaluated
Key Terms
• Application controls
• Corrective controls
• Detective controls
• Disaster recovery plan
• General controls
• Information processing controls
• Input controls
• Output controls
• Physical controls
• Preventive controls
• Segregation of duties