
IT Audit and Internal Control Overview

The document discusses the structure and objectives of an IT audit and internal controls. It explains that an IT audit evaluates controls over technology assets and information systems to ensure integrity and alignment with organizational goals. The audit has four phases: planning, testing of controls, substantive testing, and reporting. It also outlines the history and objectives of internal controls, including legislation like SOX, and describes preventive, detective, and corrective control models.

Uploaded by

Mervidelle
Copyright
© All Rights Reserved

Mervidelle F. Castro

AUD2

AUDITING AND INTERNAL CONTROL

The Information Technology Audit (IT Audit)


• Evaluates if the controls to protect information technology assets ensure integrity and are
aligned with organizational goals and objectives.

• Focuses on the computer-based aspects of an organization’s information system; modern
systems employ significant levels of technology.

Structure of an IT Audit

Audit Planning Phase


• The auditor must gain a thorough understanding of the company's business and financial
reporting systems.
• Auditor’s objective is to obtain sufficient information about the firm to plan the other phases
of the audit.

Test of Control Phase


• The auditor must assess the quality of the internal control by assigning a level of control risk.

• Auditor’s objective is to determine whether adequate internal controls are in place and
functioning properly.

• Tests of controls are performed to confirm the efficiency and effectiveness of controls over
financial reporting so that the auditor can conclude whether or not they can be relied on.

Substantive Testing Phase


• A detailed investigation of specific account balances and transactions.

• Auditor’s objective is to determine whether adequate internal controls are in place and
functioning properly.

• Tests of controls are performed to confirm the efficiency and effectiveness of controls over
financial reporting so that the auditor can conclude whether or not they can be relied on.

(cost-benefit relationship)

INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS

INTERNAL CONTROL
• An internal control is a procedure or policy put in place by management to safeguard assets,
promote accountability, increase efficiency, and stop fraudulent behavior.

• Required by law

Brief History of Internal Control Legislation


SE Acts of 1933
Objectives

1. Require that the investors receive financial and other significant information concerning
securities being offered for public sale;

2. Prohibit deceit, misrepresentation, and other fraud in the sale of securities.

SE Acts of 1934
• Created the SEC and empowered it with broad authority over all aspects of securities industry,
including auditing standards

• Required publicly traded companies to be audited by independent auditors

• Required companies to maintain a system of internal control

Copyright Law 1976


- Added software and other intellectual properties into the existing copyright laws

Foreign Corrupt Practices Act (FCPA)


1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial
position.

2. Maintain a system of internal control that provides reasonable assurance that the objectives
are met.

Committee of Sponsoring Organizations (1992)


- Published the “Internal Control Integrated Framework”

- This commission was sponsored and funded by five US private sector organizations:

1. American Accounting Association (AAA)

2. American Institute of Certified Public Accountants (AICPA)

3. Financial Executives International (FEI)

4. The Institute of Internal Auditors (IIA)

5. National Association of Accountants (now the Institute of Management Accountants [IMA])

Sarbanes-Oxley Act (2002)


- Protects the public from fraudulent or erroneous practices by corporations and other business
entities.

- The goal of the legislation is to increase transparency in financial reporting by
corporations and to require a formalized system of checks and balances in each company.

- Sec 302 and Sec 304

Internal Control Objectives


1. Safeguard assets

- To ensure that access to physical assets and information systems is controlled and properly
restricted to authorized personnel.

2. Ensure accurate and reliable records

- To ensure that all valid transactions are accurate and consistent with the originating transaction
data, that information is recorded in a timely manner, and that no valid transactions
have been omitted from the accounting records.

3. Promote operational efficiency

- To ensure the optimum utilization of the firm’s resources, i.e. men, material, machine
and money.

4. Encourage employees to follow policy

- Evaluate the performance of all personnel to promote efficient operations.

5. Comply with legal requirements

- Compliance with applicable laws and regulations.

Internal Control Modifying Principles


1. Management Responsibility

2. Data Processing Method

3. Limitations

4. Reasonable Assurance

- REASONABLE = cost should not outweigh benefit

Limitations of Internal Control


1. Possibility of error - no system is perfect.

2. Circumvention – a person may find a way around the established control.

3. Management override – management is in the position to distract or take manual control of
the procedures by personally distorting transactions or directing a subordinate to do so.

4. Changing conditions – existing controls may be ineffective after some time.

The PDC Model


Preventive Control
• First line of defense

• Passive techniques designed to reduce the frequency of occurrence of undesirable events
(errors and fraud).

Examples of preventive controls:

• Segregation of duties.

• Pre-approval of actions and transactions.

• Physical control over assets (i.e. locks).

• Computer passwords and access controls.

• Employee screening and training.

Detective Control
• Devices, techniques, and procedures designed to identify and expose undesirable events that
elude preventive controls.

• Designed to find errors or fraud in transactions after they have occurred (already been
processed) and identify missing assets or invalid transactions.

Examples of detective controls:

• Surprise cash counts.

• Physical inventory counts.

• Reconciliations.

• Review organizational performance (i.e. budget to actual and current year to prior year).

• Internal audit.

Corrective Control
• Taken to reverse the effect of detected errors.

• Actually fix the problem.

Examples of corrective controls:

• Insurance can be utilized to help replace damaged or stolen assets.

• Management variance reports can highlight variances from budget to actual for management
corrective action.

• Training and operations manuals can be revised to prevent future errors and irregularities.

• Close supervision and management review including reviewing cost center reports, personal
expense reports, time cards, etc.
