IT Internal Controls
July 9, 2008
These are policies, procedures, practices and organizational structures designed to provide reasonable assurance that an organization’s objectives will be achieved and that undesired risks are prevented, or detected and corrected.
Internal control objectives are statements of desired results or purposes to be achieved by implementing control procedures.
Control is the means by which control objectives are addressed. The control objectives include:
- Safeguarding of IT assets
- Compliance with corporate policies and legal requirements
- Authorization of input
- Accuracy and completeness of processing of transactions
- Output
- Reliability of processes
- Backup/recovery
- Efficiency and economy of operations
Controls can be classified as:
Preventative Controls:
These controls:
- Detect problems before they arise.
- Monitor both operational aspects and input processes.
- Attempt to predict potential problems before they occur and make adjustments.
- Prevent an error, omission or malicious act.
Preventative controls include segregation of duties, controlling access to physical facilities, edit checks, and use of access control software that allows only authorized personnel to access sensitive files.
Detective Controls
These controls report the occurrence of an error, omission or malicious act. They include hash totals, checkpoints in production jobs, the internal audit function, error messages over tape labels, and duplicate checking of calculations.
Corrective Controls
These controls minimize the impact of a threat. They help to identify the cause of a problem and correct the errors arising from it, and to modify processing systems to minimize future occurrences of the problem.
Examples of these controls are contingency/backup procedures and rerun procedures.
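The hash totals and duplicate checking named above as detective controls, shown as an added example (not code from the original post): a batch of payments is recorded with a record count, a financial total and a hash total of account numbers at input, and the same totals are recomputed after processing so that a lost, altered or duplicated record is reported. The payment records and totals are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Payment:
    ref: str          # transaction reference
    account: str      # numeric account identifier
    amount: Decimal

@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal
    hash_total: int   # sum of account numbers: meaningless as a figure, useful only for comparison

def control_totals(batch):
    """Compute the batch control totals over a list of payments."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((p.amount for p in batch), Decimal("0")),
        hash_total=sum(int(p.account) for p in batch),
    )

def detect_batch_discrepancies(expected, processed):
    """Detective control: recompute the totals after processing and compare
    them with the totals recorded at input. Returns a list of findings; an
    empty list means the batch reconciles."""
    actual = control_totals(processed)
    findings = []
    for name in ("record_count", "financial_total", "hash_total"):
        exp, act = getattr(expected, name), getattr(actual, name)
        if exp != act:
            findings.append(f"{name} mismatch: expected {exp}, got {act}")
    # Duplicate check: no transaction reference may be processed twice.
    seen = set()
    for p in processed:
        if p.ref in seen:
            findings.append(f"duplicate record {p.ref}")
        seen.add(p.ref)
    return findings

# Constructed sample batch (not real data) and the totals recorded by the party that prepared it.
INPUT_BATCH = [
    Payment("P001", "1001", Decimal("100.00")),
    Payment("P002", "1002", Decimal("250.50")),
    Payment("P003", "1003", Decimal("75.25")),
]
INPUT_TOTALS = control_totals(INPUT_BATCH)
# Altered in processing: P002 redirected to another account. Count and amount still agree,
# so only the hash total exposes the change.
ALTERED_BATCH = [INPUT_BATCH[0], Payment("P002", "1020", Decimal("250.50")), INPUT_BATCH[2]]
# Rerun fault: P003 processed twice.
DUPLICATED_BATCH = INPUT_BATCH + [INPUT_BATCH[2]]
```

Calling `detect_batch_discrepancies(INPUT_TOTALS, batch)` on each of the three batches reconciles the first and reports the altered account number and the duplicated record for the other two.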
The objectives of IS controls include:
- Safeguarding assets: this involves securing information systems from improper access and keeping that information up to date.
- Assuring integrity of general system environments, including network management.
- Assuring integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
  - Authorization of inputs.
  - Accuracy and completeness in processing of transactions.
  - Reliability of overall information processing activities.
  - Accuracy, completeness and security of output.
  - Database integrity.
- Ensuring the efficiency and effectiveness of operations.
- Complying with users’ requirements and with organizational policies and procedures as well as laws and regulations.
- Developing business continuity and disaster recovery plans.
- Developing an incident response plan.
IT Governance
July 9, 2008
Corporate Governance can be defined as ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth.
Corporate Governance spells out the rules and procedures for making decisions on corporate affairs. This helps in providing a structure through which company objectives are set and means of attaining those objectives and monitoring performance.
IT Governance tries to ensure that IT supports the organization’s strategy, that IT resources are used responsibly, and that IT risks are managed.
IT has long been considered an integral part of the overall organization’s strategy. IT helps achieve this overall strategy by efficiently and effectively deploying secure and reliable technology. The intent of IT Governance is to ensure:
- Integrity of IT systems.
- Inclusion of independent audit.
- Inclusion of appropriate controls for monitoring IT risks, controlling IT assets, compliance with laws and regulations and record management.
- Enabling the enterprise by exploiting opportunities and maximizing the benefits of IT.
- Ensuring IT resources are used responsibly.
Factors driving IT Governance are:
- Expanding role of IT into corporate/enterprise governance support, strategy initiatives, knowledge management, privacy/security/continuity.
- Proliferation of technology solutions.
- Increased emphasis on accountability.
- Need to manage the management process.
- Focus on organizational capital, value and balance.
- Rapid advance of technology.
The key elements driving IT Governance are:
- IT strategic planning
- IT control performance
- IT project management
- IT asset management
- IT policies/standards/processes, i.e. corporate, business units, information services.
IT Governance is concerned with two issues, i.e. that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business; the second is driven by embedding accountability into the enterprise.
IT governance is the responsibility of the Board and Executive management. It is an integral part of the enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
A key goal of IT governance is aligning of business and IT to achieve business value.
This key goal is achieved by aligning IT governance frameworks with best practices. Such a framework should be composed of IT governance structures, processes and relational mechanisms.
The key governance practices are:
- IT strategic committee.
- Risk management.
- Standard IT balanced scorecard.
BEST PRACTICES FOR IT GOVERNANCE:
Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and the organization’s resources are properly utilized. IT Governance is a structure of relationships and processes used to direct and control the enterprise towards the achievement of its goals by adding value while balancing risk versus return over IT and its processes.
IS Audit Process
June 24, 2008
Audit Objectives:
The basic purpose of an IS Audit is to identify control objectives and the related controls that address those objectives. Audit objectives refer to the specific goals of the audit and center around substantiating that internal controls exist to minimize business risks.
Audit process:
- Plan: this involves assessing the risk, then developing an audit program, i.e. objectives and procedures.
- Obtain evidence.
- Evaluate evidence: this involves evaluating the strengths and weaknesses of controls.
- Prepare and present the report.
- Follow up: this involves corrective action being taken by management.
The basic steps followed in performing an audit include:
- Obtaining and recording an understanding of the audit area/subject.
- Carrying out a risk assessment and preparing a general audit plan/schedule.
- Carrying out detailed audit planning.
- Carrying out a preliminary review of the audit area/subject.
- Evaluating the audit area/subject.
- Compliance testing, i.e. tests of controls.
- Substantive testing.
- Reporting.
- Follow up.
Procedures for testing and evaluating IS controls:
- Use of generalized audit software to survey the contents of data files.
- Use of specialized audit software to assess parameter files.
- Use of flowcharting techniques for documenting automated applications.
- Use of available audit reports.
An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is a guide to performing and documenting the various audit steps performed, and the type and extent of evidential matter to be reviewed.
An audit program provides a trail of the process used and provides accountability for performance.
Audit phases: There are various phases in an audit. These are:
- Audit subject: identify the area to be audited.
- Audit objective: identify the purpose of the audit.
- Audit scope.
- Pre-audit planning.
- Audit procedures and steps for data gathering.
- Procedures for evaluating the tests or reviewing results (organization specific).
- Procedures for communication with management (organization specific).
- Audit report preparation.
Audit Objective
An audit objective identifies the purpose of an audit, e.g. determining that source code changes occur in a well-defined and controlled manner.
Audit Scope:
An audit scope identifies the specific function, system or organizational unit to be included in the review. In the above example, you could check that source code changes occur in a well-defined and controlled manner in a single application or over a limited period of time, e.g. 3 months.
Pre-audit planning
- This involves identifying the technical skills and resources required.
- Identify sources of information for tests or review, e.g. functional flowcharts, procedures, policies, standards, prior audit work papers.
- Identify locations and facilities to be audited.
Audit Planning
Obtain an understanding of the client by obtaining background information about the client, obtaining information about the client’s legal obligations, and assessing the acceptability of audit risk and inherent risk.
Audit procedures and steps for data gathering:
- Identify and select the audit approach to verify and test controls.
- Identify the individuals you want to interview.
- Identify and obtain departmental policies, standards and guidelines for review.
- Develop audit tools and methodology to test and verify controls.
Audit report preparation:
- Identify follow-up review procedures.
- Identify procedures to evaluate/test operational efficiency and effectiveness.
- Identify procedures to test controls.
- Review and evaluate the soundness of documents, policies and procedures.
Fraud Detection
It is management’s responsibility to establish, implement and maintain a framework and design of IT controls to meet internal control objectives. A well-designed framework helps to deter fraud and enables timely detection of fraud.
When it comes to fraud:
- IS auditors should be alert to the possibility of opportunities that allow a fraud to materialize and should observe and exercise professional care in all aspects of their work.
- IS auditors should have knowledge of fraud indicators and, during audit work, should be alert to the possibility of fraud and errors.
- In case an auditor identifies a major fraud, where the risk associated with detection is high, they should consider communicating it to the audit committee.
- When an IS auditor comes across instances of fraud, or indicators of fraud, he/she should carefully evaluate them and communicate the need for a detailed investigation to the appropriate authorities.
Audit Classification
June 24, 2008
The basic purpose of an IS Audit is to identify control objectives and the related controls that address those objectives. Audit objectives refer to the specific goals of the audit and center around substantiating that internal controls exist to minimize business risks.
Performing IS Audit
An audit is the process by which an independent, competent person obtains and evaluates evidence regarding an event or economic entity in conformance with an identified set of standards.
Classification of Audits
Audits can be classified as:
Financial Audits: Relate to information reliability and integrity and assess the correctness of financial statements. They involve detailed substantive testing.
Operational Audits: Designed to evaluate internal controls, e.g. an IS audit of application controls or logical security.
Integrated Audits: Include both compliance and substantive testing, i.e. of data and controls. They assess the overall objectives related to financial information and the safeguarding of assets.
Administrative Audits: Assess issues related to the efficiency and effectiveness of operational productivity within an organization.
IS Audits: Collect and evaluate evidence to determine whether an IS and its related resources safeguard assets, maintain data and system integrity, provide relevant and reliable information, and achieve organizational goals effectively and efficiently.
Internal controls provide reasonable assurance that operational and control objectives will be met.
Specialized Audits:
These are audits done to review services such as those offered by third parties. The applicable standard defines the professional standards used by a service auditor to assess the internal controls of service organizations.
Forensic Audits:
These specialize in discovering, disclosing and following up on fraud and crimes. Forensic audit tools such as data mapping for security and privacy, risk assessment and intellectual property for data protection are being used for prevention, compliance and assurance.
Risk management
June 24, 2008
Provide information systems audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its IT and business systems are protected and controlled.
Risk Management
A risk can be said to be the potential that a given threat will exploit vulnerabilities of a given asset to cause loss or damage. It can also be described as “uncertainty that surrounds future events and outcomes”. Risk is anything that can impact the interests of stakeholders or the achievement of the organization’s objectives. The impact of a risk is based on the probability of threats (likelihood and frequency of occurrence). Threats can take the form of errors, malicious damage, malicious attack, fraud, theft, equipment failure or software failure.
Vulnerabilities can be lack of user knowledge, use of untested technology, weak passwords, or transmission over unprotected communication channels.
Risk management therefore entails identifying risks to information resources and deciding on appropriate controls to reduce risk to an acceptable level, based on the value of the information resources to the organization. There is also the management problem of achieving an effective balance between risks and controls.
The risk management process involves three steps: identify risks, evaluate controls, and manage risks, i.e. reduce the likelihood/impact of the risk, transfer the risk, avoid the risk, or accept and live with it. Risk management is a systematic, logical process that allows the organization to take advantage of opportunities and minimize losses.
The steps involved in the risk management process include:
- Identifying information resources.
- Identifying threats.
- Evaluating vulnerabilities.
- Identifying consequential impacts.
- Identifying controls to prevent or reduce the likelihood of problems, detect problems and report their occurrence, or minimize impact.
- Evaluating controls.
- Determining and evaluating new or additional controls to further minimize risk.
- Prioritizing risks.
- Identifying and implementing the controls that are most effective and efficient.
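The risk management steps listed above, carried through as an added example (not code from the original post): each risk ties a threat to a vulnerability of an information resource, inherent risk is likelihood times impact, existing controls are evaluated to give residual risk, the register is prioritized by residual risk, and candidate additional controls are chosen by whether they bring the risk within appetite and at what cost. The scoring scales, the control effects, the cost figures and the register entries are all constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    name: str
    purpose: str         # "prevent", "detect" or "minimize impact", as on the page
    likelihood_cut: int  # levels by which it lowers likelihood (assumed effect)
    impact_cut: int      # levels by which it lowers impact (assumed effect)
    annual_cost: int     # constructed cost figure, arbitrary units

@dataclass
class Risk:
    resource: str
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) to 5 (almost certain)
    impact: int          # 1 (negligible) to 5 (severe)
    controls: list = field(default_factory=list)   # controls already in place

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self, extra=()):
        """Risk left after existing controls plus any extra candidate controls."""
        lik, imp = self.likelihood, self.impact
        for c in [*self.controls, *extra]:
            lik, imp = max(1, lik - c.likelihood_cut), max(1, imp - c.impact_cut)
        return lik * imp

def prioritize(register):
    """Order the register by residual risk, highest first."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)

def best_additional_control(risk, candidates, appetite):
    """Pick the cheapest candidate that brings residual risk within appetite;
    if none does, the one with the most risk reduction per unit cost."""
    useful = [c for c in candidates if risk.residual([c]) < risk.residual()]
    if not useful:
        return None
    within = [c for c in useful if risk.residual([c]) <= appetite]
    if within:
        return min(within, key=lambda c: c.annual_cost)
    return max(useful, key=lambda c: (risk.residual() - risk.residual([c])) / c.annual_cost)

# Constructed register; the threats and vulnerabilities are the page's own examples.
PASSWORD_POLICY = Control("password policy", "prevent", 1, 0, 500)
MFA = Control("multi-factor authentication", "prevent", 2, 0, 5000)
LOGIN_MONITORING = Control("login monitoring", "detect", 0, 1, 1500)
REGISTER = [
    Risk("payroll database", "malicious attack", "weak passwords", 4, 4, [PASSWORD_POLICY]),
    Risk("file server", "equipment failure", "untested technology", 2, 5),
    Risk("order entry form", "errors", "lack of user knowledge", 3, 2),
]
```

With a risk appetite of 6, `best_additional_control(REGISTER[0], [MFA, LOGIN_MONITORING], 6)` selects multi-factor authentication because it is the only candidate that brings the payroll risk within appetite; with an appetite of 3 that nothing reaches, it falls back to login monitoring, which buys more reduction per unit of cost.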
Risk also has to be considered in the audit process, so one should have a planning guide that assesses risk so as to:
- Provide reasonable assurance that material items will be adequately covered during the audit work.
- Identify areas with a relatively high risk of material problems existing.
Components of enterprise risk management (ERM):
- Internal environment, i.e. the tone, philosophy and risk appetite of the organization, i.e. the risk it is willing to accept and live with.
- Objective setting, i.e. the objectives of the ERM.
- Event identification, i.e. internal and external events.
- Risk assessment, i.e. the likelihood and the impact of the risk.
- Risk response, i.e. reduce likelihood, transfer, avoid, treat.
- Control activities, i.e. policies and procedures to carry out risk responses.
- Information and communication: identifying the flow of information downwards, upwards and across the organization.
- Monitoring: ongoing management activities and modifications.