COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 1

CONTROL
AUDIT
&
SECURITY

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 2
Internal control
Internal control within an organisation is the system of control within the organisation
that has been put in place in order to:
„ prevent the system from getting out of control and failing to achieve its
purpose, and so

„ help the organisation to achieve its objectives and policies.

A useful definition of internal control was provided in 1992 in the US by the COSO
Framework (COSO is the Committee of Sponsoring Organizations of the Treadway
Commission). This defined internal control as: ‘a process, effected by an entity’s
board of directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives’ in three particular areas: the
effectiveness and efficiency of operations, the reliability of financial reporting, and
compliance with applicable laws and regulations.
„ Risks to the effectiveness and efficiency of operations are ‘operational risks’
and controls designed to limit operational risks are ‘operational controls’. (These
controls are tested by operational audits.)

„ Risks affecting the reliability of financial reporting, as well as risks of financial

fraud or error, are ‘financial risks’, which can be mitigated by ‘financial controls’.

„ Risks of non-compliance with important aspects of the law or regulations are

‘compliance risks’, which can also be controlled by appropriate measures.

The purpose of internal control is therefore to apply control to the system by

internal means and internal procedures and arrangements.

The five elements in a system of internal control

The COSO Framework identified five elements in a system of internal control. These are
elements of internal control that must be in place and sufficient in order for internal
control to be effective:
„ a suitable control environment „ risk identification and assessment
„ the design and application of internal controls „ information and communication
„ monitoring

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 3
A control environment
A control environment is the control culture within the organisation, and the attitude of
its employees toward ensuring that controls are adequate and properly applied.
Individuals within an organisation will not take control seriously unless they are given
direction form their bosses. The company’s directors are therefore responsible for the
control environment, and the board of directors must establish policies on internal
control. There should be a culture of control throughout the organisation, from the
board down to all employees, but the leadership must come from the board, which sets
the ‘tone at the top’.

Risk identification and assessment

There should be a system for the regular review of risks, identifying new risks and
re-assessing existing risks. Risks that have been identified should be measured, to assess
their significance (in terms of probability of an adverse event and the amount of loss
that might be incurred if an adverse event happens).
Risk assessment can be carried out by means of a systems audit. Tests of control in
the external audit are also a form of risk assessment of current risks and existing
internal controls

Control activities (internal controls)

Controls for reducing risks should be designed and implemented. In financial reporting,
the main risks are risks of error and fraud. Controls should be designed to eliminate a
risk, but before effective controls can be designed, they must first be identified and
assessed. Management need to know what the risk is and how serious it might be if it is
not controlled.
Internal controls are a part of normal day-to-day operational activities and procedures.
The features of internal financial controls are explained in more detail later.

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 4
Information and communication
An effective internal control system must have effective channels of communication, to
ensure that all employees understand their responsibilities for control and that all
relevant information reaches the individuals who need it. Controls cannot be applied
effectively unless the individuals responsible for the controls are kept properly nformed

Monitoring
There should be regular monitoring and review of the effectiveness of the system of
internal control. One way of monitoring internal control is to have an internal audit
department, for carrying out reviews and reporting to senior management.

The consequences of weak internal financial control

When internal financial control is weak, there is a high risk of errors and fraud in the
accounting records and the financial statements.
„ When there is a large error, or an accumulation of smaller errors, the financial
statements will not be reliable.

„ Weak internal control makes it easier for fraudsters to operate. Fraud is a

criminal activity, and is damaging to company, its shareholders and possibly also
its customers.

„ In extreme cases, companies might operate in a condition close to insolvency

without its management or its shareholders being aware of the problem. Weak
corporate governance and weak financial control have been identified as the
main causes of major corporate collapses in the past – and will probably be the
cause of more corporate failures in the future.

Risks and internal financial controls

Financial risks
Financial risks have been described so far as the risk of an error in the accounts or
deliberate fraud. It is useful to think about what types of error might occur in the
accounting system.
„ A transaction might be omitted from the accounts entirely. For example, a sale
of goods on credit to a customer for $25,000 might not be recorded. If not, total
sales will be under-stated by $25,000 and the amount owed by customers will
also be under-stated by the same amount.

„ A transaction might be recorded twice. For example a credit sale of $25,000 to

customer X might be recorded twice, so that total sales are recorded as $50,000.

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 5
„ A transaction might be recorded with the wrong value. For example, an item of
machinery that is purchased for $20,000 might be recorded in the accounts with
a value of $30,000.

„ Numbers might be added up incorrectly. For example the total amount of

money receivable from credit customers might be stated incorrectly in the
financial statements because the amounts owed by each customer are added up
incorrectly.

„ A transaction might be recorded as the wrong type of transaction. For example

a sale to a customer might be recorded as a purchase, or as a sales return.

Types of internal controls

Internal financial controls are designed and implemented to deal with financial
risks. There are two broad types of internal control.
„ Preventative controls. These are controls that are designed to prevent the
error (or fraud) from happening.

„ Detective controls. These are controls that are designed to identify an error (or
fraud) when it happens. When there are detective controls, there should also be
corrective measures for correcting the error or dealing with the fraud.

Features of effective internal financial controls

Effective internal financial controls are controls that provide a high level of assurance
that errors or fraud will be prevented or will be detected when they happen.

In addition, the cost of an internal control should not exceed the benefits obtain from
implementing it.

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 6
Internal financial control procedures can be divided into eight types or categories,
which might be remembered by the mnemonic SPAMSOAP.

Internal check
An internal check is a type of internal control. An internal check is intended to prevent
errors or fraud, or to detect them quickly when they occur. In financial accounting, an
internal check involves arranging accounting tasks and duties so that no single task is
performed from beginning to end by just one person. In this way, the work of each
individual is subject to an independent check in the course of the work that is done by
somebody else.
Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari
ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 7
IT system security and controls

Threats to IT system security

Business organisations rely on IT systems to function. Computer systems need to be
kept secure from errors, breakdown, unauthorised access and corruption.

Some of the major risks to IT systems are as follows:

„ Human error. Individuals make mistakes.

„ Technical error. loss or corruption of data.

„ Natural disasters.

„ Sabotage/criminal damage. criminal damage, theft, terrorist attack

„ Deliberate corruption. Viruses, Hackers

„ The loss of key personnel with specialist knowledge about a system

„ The exposure of system data to unauthorised users

In addition, there are risks within the computer software itself:

„ The software might have been written with mistakes in it, so that it fails to
process all the data properly

„ The software should contain controls as a check against errors in processing,

such as human errors with the input of data from keyboard and mouse. The
software might not contain enough in-built controls against the risk of input
error and other processing errors.

General controls and application controls

Controls in IT can be divided into two categories:
„ general controls, „ application controls.

General controls are controls that are applied to all IT systems and in particular to
the development, security and use of computer programs. Examples of general
controls are:
„ physical security measures and controls
„ physical protection against risks to the continuity of IT operations
„ general controls within the system software such as passwords, encryption
software, and software firewalls
„ general controls over the introduction and use of new versions of a computer program
Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari
ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 8

Application controls are specific controls that are unique to a particular IT system
or IT application. They include controls that are written into the computer software,
such as data validation checks on data input.

Passwords
A computer password is defined as ‘a sequence of characters that must be presented
to a computer system before it will allow access to the systems or parts of a system’

Passwords should be changed regularly frequently, and employees should be

continually reminded to change passwords.

Users should be required to use passwords that are not easy to guess: for example, an
organisation might require its employees to use passwords that are at least 8 digits and
include a mixture of letters and numbers.

Encryption
Encryption involves the coding of data into a form that is not understandable to the
casual reader. Data can be encrypted (converted into a coded language) using an
encryption key in the software.

A hacker into a system holding data in encrypted form would not be able to read
the data, and would not be able to convert it back into a readable form (‘decrypt the
data’) without a special decryption key.

Preventing or detecting hackers

Controls to prevent or detect hacking include:
„ physical security measures to prevent unauthorised access to computer
terminals „ the use of passwords

„ the encryption of data

„ audit trails, so that transactions can be traced through the system when
hacking is suspected

„ network logs, whereby network servers record attempts to gain access to the
system „ firewalls.

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 9

FOR PREPARATION AND

TUITION OF
F1 TO F9
CONTACT: FAIZANACCA@YAHOO.COM
OR
0334-3440590

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 10
Firewalls
Firewalls are either software or a hardware device (between the user’s computer
and modem). Computer users might have both.

The purpose of a firewall is to detect and prevent any attempt to gain unauthorised
entry through the Internet into a user’s computer or Intranet system.

A firewall:
„ will block suspicious messages from he Internet, and prevent them from
entering the user’s computer, and

„ may provide an on-screen report to the user whenever it has blocked a

message, so that the user is aware of the existence of the messages.

Computer viruses
Viruses are computer software that is designed to deliberately corrupt computer
systems. Viruses can be introduced into a system on a file containing the virus. A
virus may be contained:
„ in a file attachment to an e-mail or
„ on a backing storage device such as a CD.

The term ‘virus’ might also be used to describe other methods of corrupting a
system.

Trojan horses Whilst the user thins that the system is carrying out one program, the
Trojan horse secretly carries on another.

Worms This is corrupt data that replicates itself within the system, moving from one file
or program to another.

Trap doors A trap door is an entry point to a system that bypasses normal controls to
prevent unauthorised entry.

Logic bombs This is a virus that is designed to start ‘working’ (corrupting the files or
data processing) when a certain event occurs.

Time bombs This is a virus that is designed to start ‘working’ (corrupting the files or
data processing) on a certain date.

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 11
IT Standards
A range of IT Standards have been issued. For example, the International Standards
Organisation (ISO) has issued IT security system standards. There are also IT
Standards for the development and testing of new IT systems.

IT Standards are a form of general control within IT that help to reduce the risk of IT
system weaknesses and processing errors, for entities that apply the Standards.

Application controls
Application controls are controls that are designed for a specific IT system. One
example of application controls is data validation. Data validation checks are checks
on specific items of data that are input to a computer system, to test the logical
‘correctness’ of the data. If an item of data appears to be incorrect, the system does
not process the data: instead it issues a data validation report, so that the apparent
error can be checked and corrected if appropriate.

AUDIT
Internal audit and internal control
Internal audit is one part of an internal control system which assesses the effectiveness
of other controls.
The work of the internal audit department may cover the following broad areas:
(a) Review of accounting and internal control systems
(b) Examination of financial and operating information
(c) Review of the economy, efficiency and effectiveness of operations
(d) Review of compliance
(e) Review of safeguarding of assets
(f) Review of implementation of corporate objectives
(g) Identification of significant business risks, monitoring overall risk management policy
and monitoring risk management strategies
(h) Special investigations

Internal auditors' work depends on the scope and priority of the identified risks. They may have to
conduct a risk assessment from which they will recommend an appropriate framework.

The key features of good internal audit:

(a) Independence
(b) Appraisal

There are five different types of audit to be aware of:

(a) Operational (b) Systems (c) Transactions
(d) Social (e) Management investigations

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 12

Operational audits monitor management's performance and are sometimes known as

'management', 'efficiency' or 'value for money' audits.

Systems audits test and evaluate internal controls. Typically there are two types of test:
• Compliance (controls are applied as laid down)
• Substantive (seeking errors and omissions)
If compliance tests reveal that internal controls are working satisfactorily then the
amount of substantive testing can be reduced.

A transactions audit aims to detect fraud and uses only substantive tests.

Ideally the internal audit department should report to the audit committee of the board
of directors as it is then free to report on all levels of management and can ensure that
any of its recommendations are implemented.
The internal audit department plays a significant part in an organisation's risk
management

External audit
External audit is the regular examination of the organisation's records by an outside
party to ensure that they have been properly maintained and give a true and fair view of
the entity's financial state.

The key differences between internal and external audit are:

There should be co-ordination between the external and internal auditors to ensure
that duplication of work is minimised and controls enhanced.

If external auditors rely to an extent on the work of the internal audit department they
will consider:
(a) Organisational status (b) Scope of internal audit functions
(c) Technical competence 5(d) Due professional care

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com
COPYRIGHT © 2010 BY Mohammad Faizan Farooq FFQA 13
QUESTION FFQA
Internal auditors are employees of the company's external auditors who work full time
auditing the company's accounts. True or false?
A True
B False

QUESTION FFQA
Which of the following is not an inherent limitation of an internal control system?
A Procedures manual
B Non routine transactions
C Management by passing controls
D Employee collusion

QUESTION FFQA
Which of the following is an incorrect statement regarding the external auditors?
A They report to the Board of Directors
B There work relates to financial statements
C They express an opinion on the financial statements
D They are independent of the company and its management

QUESTION FFQA
Which of the following is not a method of data validation?
A Audit trails
B Range checks
C Control totals
D Limit checks

QUESTION FFQA Which of the following is not suggested by Turnbull to help ensure a
strong control environment?
A Clear definition of authority
B Clear strategies
C Good internal communications
D Reconciliations

Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari

ACCA (Finalist)
http://www.ffqacca.co.cc
Contact: faizanacca@yahoo.com