INTERNAL CONTROLS IN AN

IT ENVIRONMENT
CHAPTER 8, pages 8/3 to 8/41

1
COMPONENTS OF INTERNAL CONTROLS
(COSO FRAMEWORK)
• Control environment

• Risk assessment

• Control activities

• Accounting information systems

• Monitoring

2
CONTROL ACTIVITIES
• Approval, authorisation
• Segregation / division of duties
• Isolation of responsibility
• Access /custody controls
• Comparison and reconciliation
• Performance reviews
• Double‐checking
• Competent, trustworthy staff
• Good document design

3
INTRODUCTION TO CONTROLS IN IT
ENVIRONMENT
• Companies operate with some form of computer / IT systems.
• As an auditor you should be able to:
‐ identify risk (weaknesses in system and impact thereof),
‐ recommend controls,
‐ test controls (AUD322),
‐ perform substantiate audit work using CAATS (AUD322).
• Principle is still the same
‐ you want to prevent errors and fraud; detect those that passed through the system; and ensure
they are corrected timeously.
• With computers there are added risks (system crashes, malware,
intrusions etc) but also an opportunity for additional automated controls
(automatic linking of documents, exception reports, audit trail (logs) etc.)

4
RISKS IN AN IT ENVIRONMENT
Let’s just think of risks in an IT environment: Remember that I/C is essentially
• Entity relying on system that is not processing all valid a response to risk. So always
think about what could go wrong
transactions (completeness) (i.e. the risk)
• Unauthorised access which results in errors, fraud
• Unauthorised changes to masterfile data
o In an IT environment there is a masterfile and transaction file
• Unauthorised changes to system / programs
• Inappropriate manual intervention
o Results from lack of SOD, authorisation, mgt reviews etc
• Potential loss of data

5
 COMPUTER CONTROLS ENVIRONMENT
Computer controls are in place to ensure transactions are valid, accurate and complete (VAC)

1‐ Programmed / Automated controls 2 – Manual / User controls

3 – General controls 4 – Application controls 3 – General controls 4 – Application controls

1 – Controls which a computer will automatically perform.

2 – Controls which are performed by users (sometimes using computer software)
3 – General controls (controls over the whole system – remember the 9 activities from
Term 1? Opportunity for others… see later)
4 – Application controls (controls over input, processing, output, Masterfile maintenance
and relates to a specific function / cycle)
6
GENERAL vs APPLICATION CONTROLS
• General controls relate to the IT environment as a whole

• Pervasive – if they are weak / absent, may negate the effects of the
application controls

• Effective general controls, therefore, are vital

• Application controls specific to cycle

• Effectiveness of application controls – general controls must be sound

7
GENERAL CONTROLS (Pg 8/7 to 8/25)
Control environment

System development and implementation

Access controls

Continuity

System software and operating control

Documentation

8
Control Environment (Pp 8/8 to 8/1)
• King IV principle 12: The governing body should govern technology
and information in a way that supports the organisation setting and
achieving its strategic objectives.
• Management should lead by example.
• May create an IT risk committee and create a position of CIO.
• Lines of authority and responsibility very NB – IT should not have
access to processing; within IT there should SoD where a programme
developer is not involved in implementation and testing etc.
• Sound staff practices – recruitment policies, revoke access on
termination, staff rotation etc

9
System development and implementation (Pg
8/11 to 8/16)
• Refers to the development of a new computer system for the entity or
major updates to an existing one.
• Could be purchased off the shelve or developed inhouse.
• Potential risks:

• Can be avoided by having proper system development and

implementation controls. 10
System development and implementation
controls ‐ inhouse
PLANNING & PREINSTALLATION
1. Develop a SDP, aligned to strategic business plan.
2. New projects must result from management requirements.
3. Changes to comply with standard (eg ISO 9000). Compliance to be
monitored.
4. Project leader / leadership team should be appointed. Plan of
action to be developed – time scale, site preparation, testing)
5. Feasibility study (inhouse development vs purchasing a package)
6. Authorisation – only after analysing users’ needs and system
analysed.
11
System development and implementation
controls ‐ inhouse
PLANNING & PREINSTALLATION (contd.)
7. Cost / benefit analysis – benefit should outweigh cost of installation
(benefit = cost saving, efficiency, improved information etc).

8. Competitive quotes – assess suitability and cost.

9. Financing – lease or purchase? effect on cash flows? tax benefits?

12
System development and implementation
controls ‐ inhouse
INSTALLATION
1. Requests for changes should be prompt
• written on pre‐numbered change requests forms (why?)
• recorded in a register (why?)
2. Change forms should be authorised in writing
3. Users to be involved in definition of system requirements
4. Functions of system analyst and programmers are to be defined
5. Procedures and techniques to be standardised
6. Analyst to design the system or changes to the system
7. Programmers to change or write new programs (operations staff should
not be authorised to make changes)

13
System development and implementation
controls ‐ inhouse
INSTALLATION (Contd)
8. Changes to be tested on “test copies” – not on the live version
9. Users (also internal auditors) must review and management
authorised every phase of the development.
10. Must be comprehensively tested before installation (test data,
parallel run, pilot, testing by users)
11. Staff to be adequately trained
12. Backups – prevent loss of developmental material
13. Documentation (system and programme documentation;
specifications and approval etc)
14
System development and implementation
controls ‐ inhouse
CONVERSION
Information being migrated must be VAC
• Check data being converted and resolve discrepancies A
• Parallel testing VAC
• Reconciliation VAC
• Follow up on exception reports VAC
• Direct confirmation of balances eg print out customer balances from
new system and ask customers to confirm balance VA
Post implementation reviews to be conducted. (Is the system working
as intended?)
15
System development and implementation
controls ‐ packaged
• Project team to be appointed.
• Feasibility study
• Purchase must be approved (users, internal audit, CIO, board)
• Training to staff.
• Conversion as per inhouse developed system.
• Post implementation reviews to be conducted. (Is the system working
as intended?)
• Documentation

16
INHOUSE OR PACKAGED?
• Costs
• Implementation
• Flexibility
• Technical support
• System capabilities

See topic 4.2, page 8/15 to 8/16

17
ACCESS CONTROLS
Access to all aspects of the system must be controlled:
• Physical
o Locked area; access through fingerprints; visitors to sign in etc

• Logical
o Log‐on IDs (must be unique; change frequently)
o Prohibit simultaneous logins using same password
o Password required to authorise
o Firewalls

• See pages 8/16 to 8/22

18
CONTINUITY (Pages 8/22 to 8/24)
Procedures for backup of software, data, documentation and hardware
• Arrange for backup facilities (preferable offsite or even online)
• Regular backups
• Retention of data (documents to be shredded say after 20 years?)
• Disaster recovery plan to be documented, tested and communicated
• Job rotation – do now want to rely on one “super user”
• Insurance
• Regular maintenance
• UPS

19
SYSTEM SOFTWARE (Pages 8/24 to 8/25)
• System must work as intended.
• System software made up of various software: operating system; network
mgt; database mgt; system development; system support programmes
• Review log of activity for malfunctions, user overrides, access violations
• Skilled technicians who can resolve operating problems
• Adherence to manufacturers’ usage guidelines
• Supervision and review of IT personnel

20
APPLICATION CONTROLS (Pages 8/26 to 8/39)

• Objectives – validity (authorisation), accuracy and completeness

(VAC)

• Controls over input processing  output

• Masterfile maintenance controls

• Think about the risks at each stage of the transaction (input,

processing, output)
21
APPLICATION CONTROLS ‐ INPUT
• Risks
o
o
o
• Controls must therefore be put in place to mitigate the above risks
• Objectives is to:
o Ensure only authorised personnel initiate transactions which have occurred and authorised
personnel authorise transactions which have occurred (validity and authorisation)
o Ensure all valid transactions are captured accurately (accuracy)
o Ensure all valid transactions that should be captured are captured

22
APPLICATION CONTROLS ‐ INPUT
Validity
• Access controls
o Physical
o Logical (passwords)
• Authorisation of input documents (eg. before capturing a transaction
on pastel it must first be approved by the FM)
• System produces reports on controls overrides (exception reports)
• Segregation of duties & staff recruitment policies
• Matching to source documents
23
APPLICATION CONTROLS ‐ INPUT
ACCURACY
Ensure incorrect data input is rejected:
• Validation checks
• Matching checks
• Data approval / authorisation checks
• Reasonableness and limit checks
• Dependency checks
• Format checks (alpha‐numeric, size,
missing data, valid character & sign)
• Check digits
• As much info as possible
should be system generated
• Friendly screens (screen aids)
• Well designed docs
• Review of exception reports
24
APPLICATION CONTROLS ‐ INPUT
COMPLETENESS
• Pre‐numbered documents (Pastel does this automatically)
• Stationery register?
• Batch entry (input batches of source documents – no interaction by user,
more automated eg bank statements imported directly from bank website;
employee hours directly from clocking system)
• Sequential testing
• Control totals (eg are there 12 entries in the GL for the monthly rental)
• Screen aids
• Review of exception reports

25
APPLICATION CONTROLS ‐ PROCESSING
What are the risks here?
•
•
•
•
Automated process – computer will do most of the work and user reviews system
log to confirm accuracy and completeness
The controls on the next slide are typically automated

26
APPLICATION CONTROLS ‐ PROCESSING
ACCURACY & COMPLETENESS
• Sequence checks
• Arithmetic accuracy checks
• Reasonableness / consistency / range tests
• Limit test
• Accuracy test
• Matching
• Control totals (input totals vs processing totals)
• Run‐to‐run totals (identify lost / duplicated records)

27
APPLICATION CONTROLS ‐ OUTPUT
A product of processing
Accurate & complete processing accurate & complete output
Controls (see topic 3.4 on page 8/38):

• Output to be reviewed for reasonableness and completeness

• Distribution controlled to authorised users (may require users to sign for
sensitive reports)
• Shredding of reports that are not required
• Reconciliations
• Sequence checks
• Review exception reports
28
APPLICATION CONTROLS ‐ OUTPUT
Controls (contd.)
Control of “on‐screen” output
• Terminals located to ensure only authorised users have access
(physical security).
• Access controls to limit access to information on screen.
• Users should log out when terminals not in use.
• Terminals to shut down if not used for a specified period.
• Prohibit simultaneous login by one user.

29
LOGS AND REPORTS
• Log of all computer activity.
• May be printed or viewed on‐screen.
• Controls over logs very NB (should only give read access).
• Management must regularly reviewed the logs and make necessary
follow ups.

See Topic 3.5, page 8/38 for various types of logs and reports

30
MASTERFILE MAINTENANCE
• Standing permanent data in the background of any computer
environment
• Objective:
o Only valid (authorised) amendments are made to MF (validity)
o Details of the amendment are captured and processed accurately and
completely (accuracy and completeness)
o All MF amendments are captured and processed (completeness)

31
MASTERFILE MAINTENANCE
Controls / procedures overview:

1. Record all MF amendments on a source document (MAF)

2. Authorise MAF
3. Only capture authorised MF amendments onto system accurately
and completely
4. Review MF amendments

32
EXAM TECHNIQUE
Provide recommendations to the system…
Cannot just state: computer must perform duplication test
Need to discuss and make it applicable to scenario:
Computer must run a monthly duplication test to ensure that no invoice
has been captured twice. An exception report should be generated for
all instances of duplication. Management should review the report, sign
for proof of review and further investigate the reason’s for duplication.

33
POSSIBLE EXAM QUESTIONS
As per Internal controls, chapter 5
Based on past exams – do not use this guide to spot questions
•
•
•
•
•
•

34
CLASS EXERCISE
ABC Online (Pty) Ltd is a company that offers on‐line music downloads
which enables customers to purchase their favourite music. The Co. has
2 systems for music downloads:
Online downloads using credit card
Browse tracks… selected tracks are put in a ‘shopping basket’.
Customer proceeds to check out and gets redirected to a secure
website where they have to enter their credit card details.
Payment is then collected from the customer’s bank account.

35
CLASS EXERCISE
Cell phone downloads
Sends SMS (artist & title) and cell phone number song to be
downloaded to… receives SMS confirming the song and airtime
required to download, customer is requested to reply “YES/NO”
Contract customers – ABC sends statements to network provider
monthly detailing airtime used for downloads. Network provider bills
the customer, collect from the customer, pays over to ABC after
deducting 20% admin fees.
Prepaid customers – IT system interfaces with network provider system
to determine if customer has enough airtime for the download. Airtime
is then deducted immediately.
36
REQUIRED
Describe the controls you would expect ABC to have implemented to
ensure occurrence (validity) and completeness of transactions from
music downloads. (15 marks)

37
Approaching the question
• Understanding the required
• Validity & completeness of transactions – these are controls to ensure that
only authorised downloads go through and all downloads will be accounted
for.
• Validity – authorise the Person, Product, Price (amount).
• Completeness – numbering, sequence checks.
• Address both general and application controls.
• Focus more on application controls as the question is on I/C over a specific
function (80/20 rule).
• Note there are online downloads using a credit card and mobile downloads
where airtime is deducted immediately (prepaid customers) or added to
monthly bill (contract customers). Some controls may only be applicable to
one category of downloads
38
NEXT WEEK’S TUTORIALS

39