THE STUDY & EVALUATION OF INTERNAL CONTROL
Definition Professional Standards Data-Oriented Small, simple systems Weaker controls System-Oriented Large, complex Strong controls Advanced Systems or Audits SYSTEMS-ORIENTED vs DATA-ORIENTED
Chronology of an Audit of Computer-based Accounting System document systems and controls plan and perform tests of systems and controls assess and document adequacy of systems and controls extend tests of systems, transactions and/or balances internal control letter use of/provide third party report for service bureau
Chronology of an Audit of a Computer-based Accounting System Document systems and controls Plan and perform tests of systems and controls Assess and document adequacy of systems and controls Extend tests of systems, transactions and/or balances Internal Control letter
Understand and document IT environment Review and document application Perform “walk - throughs” DOCUMENT SYSTEMS & CONTROLS
IT Strategic Plan IT Business Plan Organization Chart Information Security Policy Technology Summary Application Summary DOCUMENT IT ENVIRONMENT
Change Controls Logical access controls Business continuity plans System development policies Operation policies and procedures DOCUMENT IT ENVIRONMENT
Prepare Summary Flowchart Detailed flowcharts Narrative description Summary Processing Chart Summary Run Structure Chart REVIEW & DOCUMENT APPLICATION
Document Systems and Controls document applications, hardware, software, how EDP costs are accounted for/allocations, organization, policies and procedures, and any special risks review general computer controls document the results of the review
Document Systems and Controls document application processing procedures prepare/update summary flowchart then manual phase document computer processing phase update of master files, summarization of data, arith calcs, sorting/merging data, extraction of data from one/more files printing prepare EDP processing report
Confirm understanding of system Tests should cover: key transactions types related control information error correction procedures LIMITED TESTS OR “WALK-THROUGHS”
Document Tests of Transaction Flows do walk-throughs to ensure that documentation accumulated to date reflects actual system in place trace computer phase recalc invoices, test ageing trace control info and balance procedures obtain and check batch totals
Document Tests of Transaction Flows trace error correction procedures select a few errors and check back to original source documents done to determine nature and that error was identified on exception report ensure properly rejected and properly corrected
Identify risks - ‘What Could Go Wrong’ Identify controls to mitigate risks Design appropriate tests Document test results PERFORM TESTS OF SYSTEMS & CONTROLS
What is the control objective What could happen to defeat objective Is there significant risk Identify key controls WHAT COULD GO WRONG
Identify controls to rely on High level versus low level controls Controls covering multiple control objective Interdependency of Controls DESIGN APPROPRIATE TESTS
Review of Error/Exception Reports starts with reported error point in time test use of suspense accounts Replicate data entry Recompute procedure Use of test data PROGRAMMED ACCOUNTING PROCEDURES & CONTROLS
1.Interval testing 2.Reliance on Program Change Controls authorised tested implemented correctly EXTENT OF PROGRAMMED CONTROL TESTING
Make clear it is programmed controls Extent of tests Reliance on change control DOCUMENTATION OF TESTS
Objective is to assess overall adequacy of internal control in areas to be relied on Assessment made at both general controls and application controls levels ASSESS ADEQUACY OF SYSTEMS & CONTROLS
Has each primary control objective been achieved If not: document on weakness evaluation schedule assess impact on individual applications Direct impact objectives: logical access controls program change controls EVALUATE GENERAL CONTROLS
Use of Evaluation Guides Could material error occur? Id. system efficiencies ADEQUACY OF CONTROLS BY SYSTEM
Planning and Performing Tests of Systems and Controls determine whether reliance warranted cost/benefit vs substantive ID key controls where reliance is appropriate consider overlapping manual controls look at related application controls
Planning and Performing Tests of Systems and Controls design and record tests arith accuracy (prog errors would be the cause) key totals having no documentary evidence (such as review/existence of a control group) key controls evidenced by completed accounting routines (monthly totals, error logs) key controls evidenced by signatures,initials (initially master file changes)
Assessing and Documenting Adequacy of Systems and Controls evaluate adequacy of general and financial controls use computer control evaluation guide assess impact of deficiencies use control weakness evaluation schedule evaluate adequacy of controls in each major system application controls master file changes, data controls, error controls use application control evaluation guide document conclusions
General Computer Control Weaknesses Application Control Weakness reliance on preventive controls reliance on detective controls Absent Control vs Ineffective Control Specific period control breakdown Reporting to management EXTENDED TESTS & REPORTING
Extended Tests of Systems, Transactions, Balances general control weaknesses must evaluate in light of each accounting application if preventive - need to look at associated detective controls if detective- may need to do procedure to check for evidence of errors CAATs, review transactions, reconciliations entire - vs specific period
Internal Control Letter basic information risks service opportunities general control weaknesses application control weaknesses practical recommendations
Chronology of an Audit of a Computer-based Accounting System Document systems and controls Plan and perform tests of systems and controls Assess and document adequacy of systems and controls Extend tests of systems, transactions and/or balances Internal Control letter