Course : A0274 - Managing Audit Function Year : 2012

Risk Assesment and Control in Audit Function

Risk Assessment
  Risk Assessment: Internal Perspective
  Risk Assessment: External Perspective
Control Strategies
  Fourfold Perspective of Controls Model
    Prediction
    Prevention
    Detection
    Correction
  Information Systems and Controls Model
    Physical Controls
    Computer Controls: General
    Computer Controls: Application
An Internal Audit Function
Corporate Governance
  Audit Committee
  Information Technology Governance
Logs and Auditability
Segregation of Duties
Investigation Procedures

Risk Assessment
Risk assessment is a critical step in building an effective internal control system that has the ability to manage undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than on general protection. The IIA focuses on risk assessment in internal auditor activities and standards.

The five major areas of internal control include:

Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities

Risk Assessment: Internal Perspective

An effective risk assessment must emphasize a good understanding of the internal risks.

Risk Assessment: External Perspective

An effective risk assessment must also emphasize a good understanding of the external risks, especially if the firm has a web server connected to its internal systems or has remote access to networks. If the company has remote access to its computer systems, it should be concerned about unauthorized access by users external to the organization. If the company has employed electronic commerce, there are a number of risks to consider.

While online, there is a risk that the data used in an e-commerce transaction might be stolen. The highest risk associated with the Internet is neither hackers nor crackers but viruses or worms. It is relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g., automatically opening attachments) and the address book on each computer.

There are several other problem areas or risks associated with e-mail.

Control Strategies
Effective control activities can help to mitigate the risks identified in the risk assessment.

Fourfold Perspective of Controls Model

Before developing management policies, management needs to have a general understanding of how to design effective internal controls.

Prediction
The first area, prediction, is the most difficult.

Prevention

Secondly, activities should be implemented where the objective is to prevent malicious activities. A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software applications to prevent errors in data.

Detection
It is much easier to develop controls for detection, the third perspective.

Correction
The last perspective, correction, is another fruitful source of controls.

Information Systems and Controls Model

A second model applies to controls in general: physical and computer.

Physical Controls

Physical controls involve controls of a manual nature. Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using certain management decision rules, recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a nonroutine nature need specific authority.

Segregation of duties is another important type of physical control.

Three good rules of thumb for developing segregation of duties controls are:

Separate authorization of transactions from processing them
Separate custody of assets from record keeping
Create controls such that a successful fraud can only be perpetrated using collusion

The latter generally can be accomplished by separating the steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions.

Some of the controls that illustrate proper segregation of duties in information systems are:

Separate systems development from computer operations.
Separate new systems development from maintenance, which also should increase the quality of documentation.
Separate the database administrator (DBA) from other database and systems functions, computer operations, development and maintenance.
Separate the data library function from computer operations, development and maintenance.
Use of a data control group.
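As an added example (not part of the course slides), the check below encodes the incompatible-duty pairs listed above together with the collusion rule from the three rules of thumb, and runs it over a constructed set of duty assignments; the duty labels, the "program_change" process and the sample people are this example's own assumptions.

```python
from itertools import combinations

# Incompatible duty pairs taken from the segregation-of-duties rules on the slides
# (duty labels are this example's own, not the course's).
INCOMPATIBLE = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "record_keeping"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "maintenance"}),
    frozenset({"data_library", "computer_operations"}),
    frozenset({"data_library", "systems_development"}),
    frozenset({"data_library", "maintenance"}),
}
# The DBA is kept apart from every other database and systems function.
for other in ("systems_development", "maintenance", "computer_operations", "record_keeping"):
    INCOMPATIBLE.add(frozenset({"dba", other}))

# A multi-step process that must require collusion: no one person may hold every step.
# The process and its steps are assumed for this example.
PROCESSES = {
    "program_change": ["request_change", "approve_change", "deploy_change"],
}


def sod_violations(assignments):
    """Return (person, kind, detail) tuples, in person order, for every SoD breach."""
    findings = []
    for person, duties in sorted(assignments.items()):
        duties = set(duties)
        # Rule 1/2: any incompatible pair held by the same person.
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((person, "incompatible_pair", f"{a}+{b}"))
        # Rule 3: one person holding all steps of a process could act without collusion.
        for name, steps in PROCESSES.items():
            if duties.issuperset(steps):
                findings.append((person, "single_person_process", name))
    return findings


# Constructed sample: who currently holds which duties.
SAMPLE = {
    "alice": ["authorize_transaction", "record_keeping"],
    "bob": ["process_transaction", "asset_custody", "record_keeping"],
    "carol": ["dba", "maintenance"],
    "dave": ["request_change", "approve_change", "deploy_change"],
}

if __name__ == "__main__":
    for person, kind, detail in sod_violations(SAMPLE):
        print(f"{person}: {kind} ({detail})")
```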

Management also will assess the integrity of the computer system and data on an ongoing basis as part of independent verification. Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports.

Computer Controls: General

They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room). They should also include controls regarding the development of new systems.

These controls might include:

Requiring a written request with justification from user(s)
Requiring a written evaluation and authorization of this request by information systems staff
Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure the inclusion of adequate controls during development)
Requiring adequate documentation procedures
Requiring a written report on the testing (probably re-introducing the CISA or CIA to the process at this point)
Requiring full off-line testing for new applications, hardware, or systems before activation online
Requiring training on new applications before implementation

Major changes to existing software systems should generally follow the same set of controls. There should also be controls regarding computer operations. Access to programs and data is critical and needs controls, which have already been discussed.

Computer Controls: Application

They include:

Input controls
Processing controls
Output controls

An Internal Audit Function

The most important general control activity is an internal audit function. Each enterprise must have an independent source for developing and verifying controls, above and beyond what the external auditors might do in a financial audit.

Corporate Governance
A key control strategy is an effective corporate governance structure. This strategy begins with the internal auditor function and includes an effective audit committee and information technology governance.

Audit Committee

Another key major control activity is an audit committee. But having an adequate audit committee is not the same as having an effective audit committee. Companies need an audit committee for several reasons. The organizational structure of the committee is also important. Leadership refers to the chair of the audit committee. Lastly, the audit committee needs to be proactive.

Information Technology Governance

Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA.

The objectives of information technology governance are to:

Understand the issues and the strategic importance of information technology
Ensure that the enterprise can sustain its operations
Ascertain it can implement the strategies required to extend its activities into the future

Information governance should address the following:

Appropriate and adequate business and information technology performance measures
Appropriate and adequate business and information technology outcome drivers
Information technology strategic alignment issues
Best practices in information technology governance
Questions boards and management should ask

Logs and Auditability

The last control activities area is that of logs. The more an enterprise is dependent on systems, automation and computers, the more invisible audit trails tend to become. One effective control is the implementation of computer logs. If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, files downloaded or uploaded, time spent on the Internet, etc.

Hacking tools might be an indication of an employee preparing to hack into the organization's system.

Segregation of Duties

Another primary objective of internal controls is the effective use of segregation of incompatible duties. Three rules to observe are to separate transaction authorization from transaction processing, to separate asset custody from record keeping, and to separate any series of transaction processing steps such that a collusion of individuals would be necessary to commit fraud.

Investigation Procedures

Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search.

Investigation in Risk

Risk of a new policy
Risk of implementing a new policy
Risk of impact on the business

Bina Nusantara University 39

Investigation with SOP

A new policy will generate a new SOP
A new SOP will impact the operational business process
Investigate variances in the implementation of the new SOP

Investigation for Risk and Fraud

Application
Brainware
Infrastructure

The End
