Physical Controls
Transaction authorization
Example:
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., sales vs. authorization of customer credit]
Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory]
Fraud then requires collusion [e.g., separate the various steps in a process]
Supervision
Serves as a compensating control when a lack of segregation of duties exists by necessity
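One way to check the incompatible-duty pairs above in an access-review script, with supervision recorded as the compensating control, as an added example that is not from these slides; the role names, user-to-role assignments and the `supervised` flag are constructed assumptions:

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

The incompatible duty pairs are the ones named on the slides
(authorization vs. processing, custody vs. recordkeeping).
Roles, duties per role and the users below are constructed sample data.
"""

# Incompatible duty pairs (unordered), taken from the slides' examples.
INCOMPATIBLE = {
    frozenset({"authorize_credit", "process_sales"}),      # authorization vs. processing
    frozenset({"custody_inventory", "record_inventory"}),  # custody vs. recordkeeping
}

# Constructed role -> duties mapping (hypothetical role names).
ROLE_DUTIES = {
    "sales_clerk": {"process_sales"},
    "credit_manager": {"authorize_credit"},
    "warehouse": {"custody_inventory"},
    "inventory_accountant": {"record_inventory"},
    # A small site where one person must hold both inventory duties.
    "small_branch_lead": {"custody_inventory", "record_inventory"},
}


def duties_of(roles):
    """Union of all duties granted by a user's roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(roles):
    """Incompatible duty pairs that a single user holds through their roles.

    If this is empty for every user, committing fraud would require collusion
    between at least two people, which is the point of the control.
    """
    held = duties_of(roles)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= held)


def evaluate_user(roles, supervised=False):
    """Classify a user's assignment for the access review.

    'ok'          : no incompatible duties held
    'compensated' : conflict exists by necessity but supervision is in place
    'violation'   : conflict exists and no compensating control is recorded
    """
    conflicts = sod_conflicts(roles)
    if not conflicts:
        return "ok", conflicts
    return ("compensated" if supervised else "violation"), conflicts
```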
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
IT General Controls
These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of the information system.
These include controls over:
IT governance
IT infrastructure
Security and access to operating systems and databases
Application acquisition and development
Application Controls
These are procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure the validity, completeness, and accuracy of financial transactions.
1. Obtain an understanding
2. Make a preliminary assessment of the risk of material misstatement
3. Determine the procedures to perform in response to assessed risk
4. Revise the preliminary risk assessment as necessary
5. Finalize the audit strategy, audit plan and audit program
Design the procedures to perform in response to assessed risk, for both:
IT General Controls
Application Controls
Controls external to the CPU are observable, so they can be tested by:
Inspection of documents (with Trail)
Inquiries + Observation (if there is no audit trail)
Parallel simulation
Auditor-written program that simulates the application's features
Actual client data used as input, so the program's output can be compared with the application's output
Common test procedures:
Authenticity tests
Accuracy tests
Completeness tests
Redundancy tests
Access tests
Audit trail tests
Rounding error tests
Documentation
Test of controls may include:
Inspection of documents
Inquiries + Observation (if there is no audit trail)
Reperformance of internal controls
Situation 1:
PRA (preliminary risk assessment) = less than high
TOC (tests of controls) confirm that the controls are working effectively
No revision of the PRA
Situation 2:
PRA = less than high
TOC reveal that the controls are not working effectively
Revise the risk assessment from less than high to high.
Documenting ITGCs
When ITGCs are evaluated in an audit, document a clear link between those ITGCs and:
Key automated application controls and interfaces
Key automated accounting procedures
System-generated data and reports used in key manual controls or in the generation of manual journal entries
Corporate Governance
Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Helps ensure organizations operate within certain regulatory and ethical standards, manage resources optimally, and mitigate business risks.
Focused primarily on leadership, management, ethics and reporting.
IT Governance Defined
Per the International Professional Practices Framework (IPPF), IT governance consists of the leadership, organizational structures, and processes that ensure that the enterprise's IT supports the organization's strategies and objectives.
Proper alignment between IT and the entity means:
The entity understands the potential and limitations of IT
The IT function understands the objectives and needs of the organization
This understanding is applied and monitored
Importance of IT Governance
IT Governance Objectives
IT Resource Management
Performance Measurement: focuses on measuring the performance of IT resources and helps gauge whether the resources are adding the expected level of value to the business. This process also helps to identify and mitigate risks.
Compliance Management: institutionalizing legal and regulatory compliance processes.
IT Governance Components
1. Executive Leadership and Support Issues
5. Organization and Governance Structures Issues
Organization Operating Model (CDP vs DDP)
Computer Controls Center
Disaster Recovery Planning / Business Continuity Management
Outsourcing IT Services
Governance Accountability
Operations vs Projects
Centralized vs Distributed
Centralized (CDP): data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
Distributed (DDP): small IT units, with IT service activities distributed locally.
Lack of standards
Advantages of DDP
Cost reduction
Development and maintenance costs reduced
End user data entry vs. data control group
Application complexity reduced
Backup flexibility
Excess capacity for DRP
IT staff
Fire suppression
Automatic: usually sprinklers
A gas such as halon, which smothers fire by removing oxygen, can also kill anybody trapped in the room
Sprinklers and certain chemicals can destroy the computers and equipment
Manual methods
Power supply
Need for clean power at an acceptable level
Uninterruptible power supply (UPS)
c. Disaster Recovery Planning
Disaster recovery plans (DRP) identify:
actions before, during, and after the disaster
the disaster recovery team
priorities for restoring critical applications
Audit objective: verify that the DRP is adequate and feasible for dealing with disasters
d. Benefits of IT Outsourcing (new)
Improved core business processes
Improved IT performance
Reduced IT costs
Risks of IT Outsourcing
Failure to perform
Vendor exploitation
Costs exceed benefits
Reduced security
Loss of strategic advantage
Documentation (Particulars / Attachment):
IT Governance Engagement Planning Checklist / IT Governance Engagement Planning Checklist
IT Governance Charter / IT Governance Charter
COBIT Documentation Questionnaire / COBIT Controls Documentation Template