Part 1 CMA – Section C: Management Controls
© HOCK international - 2004
Internal controls are an important part of a company’s overall operations. A strong internal control system will provide many benefits to the company. Among these are:

• Lower audit costs.
• Better control over the assets of the company.
• Reliable information for use in decision-making.

A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations and other damaging inefficiencies to the business. Just because a company does not have strong internal controls does not mean that it will suffer from fraud or embezzlement, but the chances are increased.

There are five components to the internal control system of a company, which are:

1) Control Activities.
2) Risk Assessment.
3) Information and Communication.
4) Monitoring.
5) The Control Environment.

A useful mnemonic for memorizing the above is CRIME.

Statement of Management Accounting Standard 2 defines internal control as:

“The whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets and ensure as far as possible the completeness and accuracy of the records.”

As a result of the above definition, internal controls should provide reasonable assurance that the entity can achieve its objectives involving:

• The effectiveness and efficiency of operations,
• The reliability of financial reporting, and
• Compliance with applicable laws and regulations.

Audits that are done in accordance with the Generally Accepted Auditing Standards (GAAS) require the auditor to obtain an understanding of the client’s internal control system. From this understanding, the auditor will determine the nature, timing and extent of audit procedures. This requirement is reflected in the second standard of fieldwork under GAAS:

“A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing and extent of tests to be performed.”

The controls that an external auditor is interested in are those related to the financial statements and the risk of a material misstatement of them. As a result, some, if not many, of the internal controls that a company has will not be of interest to the external auditor. However, these controls may be very important, and will therefore be reviewed by the internal auditor.
Risk assessment relates to the company’s ability to identify, analyze and manage its own risks. This includes both internal and external factors that may negatively affect the company’s ability to generate the financial statements.

Information and communication relate to the ability of the company to identify, record and exchange information in a timely manner that enables people to carry out their responsibilities.

Monitoring is the ongoing review of the effectiveness of internal controls.

To the IIA, internal controls are the basis of internal auditing and therefore the controls extend beyond the scope of the financial statements:

“The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organization’s system of internal control and the quality of performance in carrying out assigned responsibilities.”

According to the IIA, there are five primary objectives of internal controls:

1) Compliance with policies and plans.
2) Accomplishment of objectives and goals.
3) Reliability and integrity of information.
4) Economical and efficient use of resources.
5) Safeguarding of assets.

A useful mnemonic for memorizing the above is CARES.

The control activities are the policies and procedures that ensure management directives are carried out, such as:

• Performance reviews (e.g., compare actual results with budgets).
• Information processing controls.
• Physical controls (e.g., physical security of assets and records).
• Segregation of duties. This activity is the main underlying idea of internal controls.

No matter how good an internal control system is, it is NOT possible for it to detect and prevent every misstatement or fraud. This is because humans are involved, and there is an inherent weakness in humans in that we sometimes make mistakes or simply forget to do something.

In addition, collusion (the working together of more than one person to get around the controls) can prevent controls from working as intended and needed.

There are also limits as to the types of controls that will be placed into operation, because the cost of the control must be less than the benefit that is expected to be gained from the control.

Because of these limitations on their effectiveness, internal controls provide reasonable assurance (but not absolute assurance) that the entity will be able to achieve its objectives.
What Is the Foreign Corrupt Practices Act (FCPA)?

What Are the Different Types of Flowcharts?
Flowcharting helps understanding of the internal controls of a company. A flowchart also enables the auditor to identify areas where internal controls are required and necessary for the company.

The main elements that are shown in a flowchart are:

• Data sources (where the information comes from).
• Data destinations (where the information goes).
• Data flows (how the data gets there).
• Transformation processes (what happens to the data).
• Data storage (how the data is stored for the long term).

Flowcharts can be used for developing information systems as well.

Control activities can be:

1) Preventive, to avoid the occurrence of an unwanted event;
2) Detective, to detect the occurrence of an unwanted event;
3) Directive, to ensure the occurrence of a desirable event;
4) Corrective, to correct an occurrence of an undesirable event; or
5) Compensating, to compensate for what appears to be a weakness in controls.

SIAS 1 states that the main responsibility for internal control falls on management, especially the functions of planning, organizing and directing.

The Foreign Corrupt Practices Act (FCPA) was established in 1977 to prevent companies from making secret payments that are contrary to public policy. This act makes it illegal to offer or authorize corrupt political payments (bribes) to any foreign official, foreign party chief or official, or candidate for political office.

A corrupt payment is one that intends to cause the recipient to act in a certain way or to refrain from acting in a certain way.

A promise of a bribe is also considered to be illegal under this act.

The responsibility to ensure that all payments are acceptable is given to the company as a whole and not to any individual or position.

The company must ensure that all transactions are in accordance with management’s general or specific authorization, and that they are recorded properly.

There are two main types of flowcharts: horizontal and vertical.

Horizontal (systems) flowcharts document the manual processes as well as the computer processes and the input, output and processing steps in columnar format, with areas of responsibility/departments/functions arranged horizontally. This type of flowchart will more easily show the segregation of duties.

A program flowchart shows specific steps and their order in a software program.

A vertical flowchart is similar to a horizontal one, but it presents the steps in a sequential manner from top to bottom. This type of flowchart is not used much now as it does not show the system as clearly.

There are a number of special symbols to depict specific operations, documents, states and items in a chart, which aid comprehension of the whole system.
The PSLRA includes provisions about auditor requirements for fraud detection and disclosure. It states that audits should provide reasonable assurance of detecting illegal acts that have a direct and material effect on the financial statements, and that audits must be designed to identify material related party transactions. Also, audits must evaluate the ability of the entity to remain a going concern.

Any illegal acts (unless obviously immaterial) uncovered by the auditors must be reported to the audit committee and the appropriate level of management. If management fails to take appropriate action, the board of directors must notify the SEC within one business day. If the board fails to notify the SEC, the auditor must notify the SEC.

Audit risk (AR) is the risk that an auditor will give an unqualified opinion (meaning that everything is fine), when in reality there are one or more material misstatements. The risk of a material misstatement is calculated by the multiplication of three other risk factors, which are:

• Inherent risk (IR) – This is the risk that is natural in an element of the financial statements, assuming that there are no controls.
• Control risk (CR) – This is the risk that an internal control will NOT prevent or detect a material misstatement in a timely manner. CR is assessed either quantitatively (1% - 100%) or qualitatively (minimum - maximum).
• Detection risk (DR) – This is the risk that an auditor will not detect a material misstatement in the financial statements through audit testing.

Audit risk is calculated as follows: AR = IR * CR * DR

The Treadway Report was the result of accusations of widespread financial reporting fraud by public companies. The objectives of the commission were to: consider the causes and effects of fraudulent reporting and how to prevent and detect it; examine the role of the internal and external auditor in preventing and detecting fraud; and identify causes that contribute to fraudulent reporting.

As a result of its work, the commission drafted a report with recommendations for public companies, independent public accountants, the SEC and education.

The director of the internal audit function should have unlimited and direct access to the audit committee and CEO. This involvement of the internal auditors in the dealings of upper management gives them a better perspective for doing their work. The internal auditors should coordinate their work with the external auditors and also do things to enhance the objectivity of the internal audit function.

Fraud is different from an error in that fraud is an intentional misstatement, while an error is unintentional. The two main types of fraud are:

• Misstatements arising from fraudulent financial reporting that are made to mislead users. This includes omission of information from the financial statements and a misapplication of accounting principles.
• Misstatements arising from the misappropriation of assets (stealing). This includes theft, embezzlement and any action that causes the company to expend cash for things that are not received by the company.

The risk of misstatement due to fraud needs to be specifically considered in the planning of the audit. If fraud is found, it is generally not the auditor’s duty to report this outside of the organization, but in some cases he/she needs to report this event to the SEC, a predecessor auditor, a court or the government.
What Is Organizational Independence and Objectivity of the Internal Audit Function?

What Is the Internal Audit Charter?
Some of the areas in which internal auditors assist management are:

• Providing a reasonable control over the day-to-day operations.
• Assuring the adequacy and effectiveness of the accounting, financial and operational controls.
• Evaluating the quality of performance.
• Determining compliance with policies, plans, procedures, laws, regulations and contracts. Determining economical and efficient use of resources.
• Assessing risk and coordinating the activities of the external auditor.
• Safeguarding assets and preventing and detecting fraud.
• Ensuring reliability and integrity of information.

There should be a formal, written charter that defines the purpose of the internal audit department, their authority and their responsibility. Specifically, this charter should:

• Establish the position of internal audit within the organization.
• Define the scope of the internal audit activities.

In the U.S., the Institute of Internal Auditors (IIA) is the professional organization, and the Certified Internal Auditor (CIA) exams lead to the professional CIA license. The IIA has defined internal auditing as:

“an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The internal audit function should encompass every part of the organization’s operations, and to this end it should have unlimited access to the company’s documents, records or properties. The primary objective of the internal audit is to help the employees of the organization to perform their jobs and duties effectively, and also help ensure that the organization’s goals are achieved.

For the internal audit department to be independent it must have the necessary authority and freedom to carry out its activities.

The internal audit function should report to the board of directors or top management. In any case, it needs to be above the level of the people or departments that are audited. Also, it needs to be supported on a high level so that those who are audited will cooperate, because this is important to the organization as a whole.
The internal auditor is responsible for examining the controls that are in place to determine if they are adequate to prevent or detect fraud. Although the internal auditor is responsible for examining for fraud, he or she is NOT responsible for preventing fraud. Because people may work together to get around the system and controls in the system, it is impossible for any one person to guarantee that there is not and will not be fraud.

If fraud is suspected, the internal auditor should notify the appropriate level within the organization (this level is always at least one level above where the fraud is suspected). Usually, the investigation is carried out by people other than the internal auditor, so the internal auditor should generally avoid any contact with the suspected individuals to prevent the suspect from bringing a legal case of libel or slander (spreading false and damaging information) against the internal auditor.

The audit committee is a subcommittee of the board of directors, preferably made up of outside directors. The duties of the audit committee include:

• Serving as an intermediary between management and the external auditor.
• Selecting an external auditor and reviewing the audit fee and engagement letter.
• Inviting communication with the external auditor regarding major problems discovered during the audit.
• Reviewing the external auditor’s overall audit plan.
• Reviewing interim and annual financial statements.
• Reviewing the results of internal and external audits.
• Reviewing the work of the internal auditors and evaluations of internal control.

The authority and responsibilities of internal auditors include the review and appraisal of policies, procedures, plans and records for the purpose of informing and advising management.

Internal auditors do not have any authority or responsibility over operating activities, so as to not impair their independence and objectivity in these areas.

It is important that internal auditors remain detached from the items they are auditing or reviewing so that they can carry out their duties to management. Therefore, after joining internal audit, a person should not audit the area he/she came from for a reasonable amount of time (one year). The responsibility of internal audit ends with making recommendations. It is the responsibility of the board or management to implement the recommendations brought to them by the internal auditors.

The IIA issued a pronouncement about fraud entitled Deterrence, Detection, Investigation and Reporting of Fraud. The main points of this pronouncement are:

• The deterrence of fraud is the responsibility of management.
• Internal auditors have to have sufficient knowledge to identify the indicators that fraud may have occurred.
• If control weaknesses are detected, additional tests should be performed to identify other factors of fraud that are present.
• Audit procedures alone will not guarantee that fraud is detected.
• A fraud that is found needs to be reported.
The tests that are performed as part of the audit should provide the auditor with sufficient, competent, relevant and useful evidence in order to reach a conclusion about the operations under audit. Evidence can come from both inside and outside the organization, as well as from the direct observation or experience of the auditor. The auditor is the best source of information, followed by information that is obtained from outside the organization. Information from within the organization is the least persuasive evidence.

Evidence that is only circumstantial is not very good because, by definition, circumstantial evidence simply indicates that maybe something occurred.

Corroborative evidence is evidence that supports something else – either other evidence or a statement that has been made by someone.

An operational audit (OA) is a thorough examination of a department or division with the purpose of appraising managerial organization, performance and techniques. It attempts to determine which organizational objectives have been met and provides management with a control technique to evaluate the effectiveness of the procedures and controls. As part of an operational audit, recommendations will be made regarding how to improve the process or operation.

The report from an OA will go first to the manager of that department.

The focus of an operational audit is on the three Es – efficiency, effectiveness and economy. In order to assess these items, a standard level of behavior or output, or something that is to be achieved, is compared to the results of the operations. The report that is delivered at the end of the audit consists mostly of specific problems that exist and/or emphasizes the lack of problems.

Audit programs are required as part of the planning for each audit engagement or project. This program will detail the work to accomplish, how it will be done, what will be done and, as with an external audit program, it will facilitate the supervision and review of the work.

The extent of the audit program depends upon the scope and extent of the work to be performed. The larger the project, the more detailed the program. The scope of the project is determined in the first step in the planning process – establishing the audit objectives and scope of the work. The objectives are the goals of the audit and the procedures are the detailed steps that will be carried out in order to reach those objectives.

After an initial survey of the task at hand, an audit program is prepared. The work can actually start only after the program is prepared. This must be the case since it is the program that informs the auditors what to do.

Evidence should have the following characteristics:

• Sufficient – meaning that there is enough information to support the conclusions that were drawn and that another auditor would also believe that there is enough evidence.
• Competent – meaning that the information is reliable and the best available given the means used.
• Relevant – meaning that the information supports the findings and is consistent with the audit objectives.
• Useful – meaning that it is helping the organization meet its goals.
Auditors issue reports in different forms and for different types of projects. They may be formal or informal, written or oral, interim or summary reports.

The format of the report will depend upon the type of the audit, the results of the audit, management needs, the nature of the company and how internal audit is accepted by the various levels of the organization.

However, all reports must include the purpose, the scope, the results and (if appropriate) an opinion. In addition to these items, a report may also include the following items: background information, summaries, status of findings from previous audits, recommendations, acknowledgment of good performance and corrective actions taken, and comments from the department that was audited. There are four attributes to findings: criteria – the standards used in the evaluation; condition – the actual facts found; cause – the reason for the variance or deviation; and effect – what the risk of this variance or deviation is.

Oral reports should supplement written reports, but cannot replace them. The advantages of oral reports are timeliness (and this is essential when a problem needs to be immediately fixed), developing the relationship between the auditor and the auditee through increased, informal communication, and enabling the auditee to point out any errors in the logic or understanding by the auditor. Oral reports must be prepared in order to achieve these advantages.

Interim reports are issued during the audit. These are not reports that are issued with the interim financial statements. Interim reports are issued whenever there is something that needs to be addressed immediately – if there is a need to change the scope of the audit or simply to keep people informed when the audit process is a long one. Interim reports should state that the report includes only information to date, and is not a complete report. They should also state that the final report will follow up on and cover all remaining issues from the audit.

The main techniques for the auditor are financial analysis, the observation of departmental activities and questionnaire interviews of employees.

Part of the audit process includes reviews of control loops in an organization. A control loop consists of the:

• Setting of standards,
• Measuring performance,
• Examining and analyzing deviations,
• Taking corrective action, and
• Reappraising the standards based on experience.

In order to have a successfully functioning control loop we will need to plan, organize and monitor the system.

Except for very simple reports, the auditor should first prepare a brief outline of the report, including main headings such as Summary, Foreword, Purpose, Scope, Opinion and Findings. Each finding may require an additional outline in order to properly explain and address it.

All reports should be:

• Objective,
• Clear,
• Concise (no longer than necessary),
• Timely, and
• Constructive (helpful to the company and leading to some type of improvement).
IIA Standards require that internal auditors follow up on the actions taken by the company regarding any deficiencies found. The auditor should determine that either corrective action has been taken, or management has assumed the risk of not taking corrective action.

In following up, the auditor should receive all of the responses from the auditees to the audit, evaluate if those replies are adequate and then be certain that actions are actually taken to correct the problems. In order to ensure that the actions have been taken, the auditor may need to do additional testing after the correction has been put into place.

The auditor is the best person to carry out this necessary step because he/she is more familiar with the situation and the potential risks. The auditor should also be more impartial or objective than the manager who has to make the changes.

Information system internal control guidelines are based upon two documents:

The report of the Committee of Sponsoring Organizations, Internal Control – Integrated Framework, and Control Objectives for Information and Related Technology (COBIT), a document published by the Information Systems Audit and Control Foundation (ISACF).

It is a courtesy to let the auditee review the report before it is sent to the supervisors. This review also allows the auditee to identify any inaccuracies in the report. The auditor needs to lead the meeting with the auditee. In no circumstances will the auditor allow the auditee to write or change the report. Notes should be kept from any review meeting, with records of any conflicts or disagreements, including resolution. The report should be distributed to everyone who has a direct interest in it. This includes executives to whom internal audit reports, persons responsible for the activities or operations audited, and those who will need to take corrective action as a result of the audit. The report should include a list of people to whom it was distributed and who reviewed it during the draft stage.

Information that is sensitive, privileged or proprietary should be disclosed in a separate report and delivered to the audit committee.

Even though a company may use computers extensively in its operations and accounting systems, this does not change the fundamental goals of and need for internal controls in that system. It will, however, change the practical implementation of controls and the types of controls that are needed. Internal control for an information system has the same goals as overall organizational internal control:

• Promoting effectiveness and efficiency of operations in order to achieve the company’s objectives;
• Assuring compliance with all laws and regulations that the company is subject to, as well as adherence to managerial policies; and
• Safeguarding assets.
Controls within a computer system are broken down into two types. They are general controls and application controls.

System documentation includes narrative descriptions, flowcharts, input and output forms, file and record layouts, controls, the authorizations for any changes, and backup procedures.

Program documentation includes the description of the programs, program flowcharts, program listings of source code, input and output forms, change requests, operator instructions and controls.

Operating documentation provides the information about the actual performance of the program, and procedural documentation provides the information about the master plan and the handling of files.

User documentation includes all of the necessary information for a user to be able to use the program. The documentation should be in a limited and controlled access area. There should be set standards for the coding, modification and flowcharting procedures.

In Internal Control – Integrated Framework, internal control is defined as:

Systems development controls during the development stage of an information system enhance the ultimate accuracy, validity, safety, security and adaptability of the new system’s input, processing, output and storage functions.

Controls are instituted at this stage for multiple reasons:

• To ensure that all changes are properly authorized and are not made by individuals who lack sufficient understanding of control procedures, proper approvals, and the understanding of the need for adequate testing.
• To prevent errors in the resulting system, which could cause major processing errors in data.
• To limit the potential for a myriad of other problems during the development process and after it is complete.
The most important organizational and operating control is the segregation of duties. Though the traditional segregation practiced in accounting of separating the responsibilities of authorization, record keeping and custody of assets may not be appropriate in a computer department (since the work is quite different), there are still specific duties in the Information Systems environment that need to be separated from one another:

• Separate Information Systems from Other Departments;
• Separate responsibilities within the Information Systems department (systems analysis, programming, data control, computer operation, transaction authorization, data conversion, and file security controls (librarianship)).

An important organizational control is computer facility controls.

Hardware controls for networks include:

Access involves both physical access to the hardware and the logical (ability to use) access to it. The various types of access controls are given below:

• Password and ID numbers.
• Device authorization table.
• System access logs.
• Security personnel.
• Encryption.
• Callback.
• Controlled disposal of documents.
• Biometric technologies.
• Automatic log off.

Hardware controls are given below:
Input controls are the controls that are in place to ensure that the data is entered into the program correctly. Input is the stage where there is the most human involvement and, as a result, the risk of errors is higher in this stage than in the processing and output stages. If the data is not entered correctly there is no chance that the output will be correct.

Data transcription is the preparation of the data for processing. The actual data input usually takes place at a workstation with a display terminal. A preformatted input screen can assist in the transcription process.

Edit tests or input validation routines are programs that check the validity and accuracy of input data. They perform edit tests by examining specific fields of data and rejecting transactions if their data fields do not meet standards.

Key verification is the process of inputting the information again and comparing the two results.

A redundancy check is the process of sending additional sets of data to confirm the original data sent.

An echo check is the process of sending the received data back to the sending computer to compare with what was actually sent.

Application controls relate to the specific tasks that are performed by the system and the programs. They are designed to prevent, detect and correct errors in transactions as they flow through the input, processing and output stages of work. Thus, they are broken down into these three main categories:

One or more observational control procedures may be practiced:

• Feedback mechanisms are manual systems that attest to the accuracy of a document. For instance, a sales person might ask a customer to confirm their order with a signature, attesting to the accuracy of the data in the sales order.
• Dual observation means more than one employee sees the input documents. In some cases this might mean a supervisor reviews the work.
• Point-of-sale devices used to encode data can decrease errors substantially.
• Preprinted forms such as receipt and confirmation forms can ensure that all the data required for processing have been captured.
Additional Input Controls include:

• Error listing.
• Field checks.
• Hash total.
• Validity checks.
• Overflow test.
• Limit and range checks.
• Preformatting.
• Reasonableness (or compatibility) tests.
• Record count.
• Self-checking digits.
• Sequence checks.
• Sign checks.

Processing Controls are those controls that are in place to monitor and check the processing of the data. Processing controls fall into two classifications:

• Data Access Controls
• Data Manipulation Controls

Data Access Controls are a processing control procedure that attempts to ensure that all input is processed correctly by the computer. In batch processing, items are batched in bundles of a preset number of transactions. As the computer processes the batch, it checks the batch control total (the total dollar amount) for the batch and compares the processed total with the batch control total. Batch control totals can also be used for nonfinancial transactions.

There are a number of other processing controls:

• Posting check compares the record before and after updating.
• Cross-footing compares the sum of the individual components to the total.
• Zero-balance check is used when a sum should be 0.
• Run-to-run control totals check critical information for correctness.
• Internal header and trailer labels allow processing of only correct data.
• End-of-file procedures ensure that processing is not closed when the end of the master file is reached.
• Concurrency controls manage access to data by two or more programs.
• Key integrity checks ensure that keys are not changed during processing.

Data Manipulation Controls are the second of the two types of Processing Controls. Examining software documentation, such as system flowcharts, program flowcharts, data flow diagrams and decision tables, can also be a control because it makes sure that the programs are complete in their data manipulation.

Computer programs are error tested by using a compiler, which checks for programming language errors. Test data can be used to test a computer program.

System testing can be used to test the interaction of several different computer programs. Output from one program is often input to another, and system testing tests the linkages between the programs.
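The edit tests described under input controls and the batch control totals described under data access controls are easiest to understand when run over a real batch. The following is an added example written for this page, not code from the HOCK material: it applies field, validity, sign, limit, self-checking digit and reasonableness tests to each record, produces an error listing, and then compares the record count, financial control total, hash total and sequence of the keyed batch with a control slip. The chart of accounts, the amount limit, the five transactions and the control slip are all constructed; the mod-10 (Luhn) check digit is used as the self-checking digit scheme.

```python
"""Added example: edit tests on each input record, an error listing, and batch
controls (record count, control total, hash total, sequence check). The chart
of accounts, limit and batch are constructed; not code from the HOCK material."""
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"4000", "4100", "5000"}   # assumed chart-of-accounts subset
MAX_AMOUNT = Decimal("10000.00")            # assumed limit for a single transaction


def luhn_valid(number: str) -> bool:
    """Self-checking digit test (mod-10 / Luhn): the last digit verifies the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def to_decimal(text):
    """Field check helper: a numeric field must parse, or it is rejected."""
    try:
        return Decimal(text)
    except (InvalidOperation, TypeError):
        return None


def edit_record(rec: dict) -> list:
    """Run the edit tests on one transaction; an empty list means it passes."""
    errors = []
    amount = to_decimal(rec.get("amount"))
    if amount is None:
        errors.append("field check: amount is not numeric")
    if rec.get("account") not in VALID_ACCOUNTS:
        errors.append("validity check: account not in chart of accounts")
    if amount is not None and amount <= 0:
        errors.append("sign check: amount must be positive")
    if amount is not None and amount > MAX_AMOUNT:
        errors.append("limit check: amount exceeds maximum")
    if not luhn_valid(rec.get("customer", "")):
        errors.append("self-checking digit: customer number fails mod-10")
    qty = rec.get("quantity", 0)
    if amount is not None and qty > 0 and amount / qty < Decimal("0.01"):
        errors.append("reasonableness test: amount too small for quantity")
    return errors


def batch_controls(batch: list, control_slip: dict) -> list:
    """Compare figures computed from the keyed batch with the control slip prepared
    from the source documents; any disagreement means the batch is investigated."""
    problems = []
    if len(batch) != control_slip["record_count"]:
        problems.append(f"record count {len(batch)} != {control_slip['record_count']}")
    amounts = [to_decimal(r.get("amount")) for r in batch]
    control_total = sum(a for a in amounts if a is not None)
    if control_total != Decimal(control_slip["control_total"]):
        problems.append(f"control total {control_total} != {control_slip['control_total']}")
    # Hash total: a sum of account numbers, meaningless as a figure but sensitive to mis-keying
    hash_total = sum(int(r["account"]) for r in batch if r.get("account", "").isdigit())
    if hash_total != control_slip["hash_total"]:
        problems.append(f"hash total {hash_total} != {control_slip['hash_total']}")
    seqs = [r["seq"] for r in batch]
    if seqs != sorted(seqs) or len(set(seqs)) != len(seqs):
        problems.append("sequence check: numbers out of order or duplicated")
    return problems


def process_batch(batch: list, control_slip: dict) -> dict:
    """Edit every record, build the error listing, then apply the batch controls."""
    accepted, error_listing = [], {}
    for rec in batch:
        errors = edit_record(rec)
        if errors:
            error_listing[rec["seq"]] = errors
        else:
            accepted.append(rec)
    return {"accepted": accepted, "error_listing": error_listing,
            "batch_problems": batch_controls(batch, control_slip)}


# Constructed sample batch of five sales transactions as keyed by the operator.
SAMPLE_BATCH = [
    {"seq": 1, "account": "4000", "amount": "250.00", "customer": "79927398713", "quantity": 5},
    {"seq": 2, "account": "9999", "amount": "100.00", "customer": "79927398713", "quantity": 1},  # mis-keyed account
    {"seq": 3, "account": "4100", "amount": "-40.00", "customer": "79927398713", "quantity": 2},  # wrong sign
    {"seq": 4, "account": "5000", "amount": "12,000", "customer": "79927398713", "quantity": 3},  # non-numeric
    {"seq": 5, "account": "4000", "amount": "50.00",  "customer": "79927398710", "quantity": 1},  # bad check digit
]
# Control slip prepared by the data control group from the source documents (constructed):
# the documents show account 4000 for seq 2 and an amount of 12000.00 for seq 4.
CONTROL_SLIP = {"record_count": 5, "control_total": "12360.00", "hash_total": 21100}

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, CONTROL_SLIP))
```

Running it, only the first record is accepted; the error listing carries one reason for each of the other four, and the batch controls flag both the control total (the "12,000" keying error) and the hash total (the account mis-keyed as 9999). The record count and sequence check agree, which is why a batch needs several independent totals rather than one.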
Output controls relate to the result of the processing. Their objective is to assure the output’s validity, accuracy and completeness. The output is supervised by the data control group.

There are two types of output application controls:

• Validating processing results is an activity, or proof, listing that documents processing activity. This provides detailed information about all changes to master files and creates an audit trail.
• Printed output controls such as physical control over company checks. Checks should be kept under lock and key, and only authorized persons should be permitted access.

Output control also concerns report distribution. Confidential reports should be shredded when they are no longer needed.

In a computer system there is still a need for auditing.

Test data is the use of a prepared set of input data that are then run through the system being audited. The results from this system are compared to the predetermined results.

An integrated test facility is the process of setting up artificial transactions that are then run through the computer system as it is normally operating. This may be done without the knowledge of the computer operator.

In a parallel simulation the auditor will run a set of actual data through another computer system that is known to be working. The results from the test computer and the actual computer are then compared.

Once a company is connected to the Internet a number of additional security issues must be properly addressed. Electronic eavesdropping can occur if computer users are able to observe transmissions intended for someone else. At a minimum, the system should include the following:

• User account management is the process of giving people accounts and passwords.
• Anti-virus software must be kept up to date.
• A firewall is a barrier between the internal and the external networks. This firewall prevents unauthorized access to the internal network.
• A proxy server is a computer and software that creates a gateway to and from the Internet.
• Encryption is the technology that converts data into a code and then requires a key to convert the code back to data.

In any computer system, it is essential that the company has plans for the backup and recovery of data (especially disaster recovery). Programs, as well as data files, should be backed up regularly.

Copies of all transaction data are stored as a transaction log as they are entered into the system. Should the master file be destroyed, computer operations will roll back to the most recent backup; recovery takes place by reprocessing the data transaction log against the backup copy.

Backups should be stored at a secure remote location, so that in the event data is destroyed due to a physical disaster, it can be reconstructed. Backup data can be transmitted electronically to the backup site, through a process called electronic vaulting.
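The two audit techniques described above, test data with predetermined results and parallel simulation, differ in where the expected answer comes from: from the auditor's hand calculation in the first case, from an independent implementation of the same business rule in the second. The following is an added example written for this page, not code from the HOCK material. The business rule (a 10% trade discount for wholesale customers, then 8% sales tax, rounded to cents once at the end), the "production" program, the auditor's re-implementation, the prepared cases and the sample transactions are all constructed; the production program deliberately rounds too early so that both techniques have something to find.

```python
"""Added example: auditing a program with prepared test data and with a parallel
simulation. The business rule and both programs are constructed for
illustration; this is not code from the HOCK material."""
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")


def production_invoice_total(quantity: int, unit_price: str, customer_type: str) -> Decimal:
    """The program under audit (constructed). Policy: 10% trade discount for
    wholesale customers, then 8% sales tax, rounded to cents once at the end.
    This version rounds the discounted amount early, a defect the audit should find."""
    gross = Decimal(quantity) * Decimal(unit_price)
    if customer_type == "wholesale":
        gross = (gross * Decimal("0.90")).quantize(CENTS, rounding=ROUND_HALF_UP)
    return (gross * Decimal("1.08")).quantize(CENTS, rounding=ROUND_HALF_UP)


def auditor_invoice_total(quantity: int, unit_price: str, customer_type: str) -> Decimal:
    """Auditor's independent implementation, written from the documented policy."""
    gross = Decimal(quantity) * Decimal(unit_price)
    if customer_type == "wholesale":
        gross *= Decimal("0.90")
    return (gross * Decimal("1.08")).quantize(CENTS, rounding=ROUND_HALF_UP)


# Prepared test data: inputs with results predetermined by hand from the policy (constructed).
TEST_DATA = [
    {"input": (2, "10.00", "retail"),    "expected": Decimal("21.60")},
    {"input": (10, "5.00", "wholesale"), "expected": Decimal("48.60")},
    {"input": (3, "1.15", "wholesale"),  "expected": Decimal("3.35")},
]

# A slice of actual transactions from the period under audit (constructed).
ACTUAL_TRANSACTIONS = [
    (2, "10.00", "retail"),
    (1, "4.95", "wholesale"),
    (10, "5.00", "wholesale"),
    (3, "1.15", "wholesale"),
]


def run_test_data(program, test_data: list) -> list:
    """Run each prepared case through the program and compare with the predetermined result."""
    results = []
    for case in test_data:
        actual = program(*case["input"])
        results.append({"input": case["input"], "expected": case["expected"],
                        "actual": actual, "passed": actual == case["expected"]})
    return results


def parallel_simulation(program, reference, transactions: list) -> list:
    """Run actual data through both programs; return the exceptions (disagreements)."""
    exceptions = []
    for txn in transactions:
        a, b = program(*txn), reference(*txn)
        if a != b:
            exceptions.append({"input": txn, "production": a, "auditor": b})
    return exceptions


if __name__ == "__main__":
    for r in run_test_data(production_invoice_total, TEST_DATA):
        print("test data:", r)
    for e in parallel_simulation(production_invoice_total, auditor_invoice_total, ACTUAL_TRANSACTIONS):
        print("exception:", e)
```

The retail case and the round-number wholesale case pass both techniques, which is the usual reason a defect of this kind survives: it only shows up on amounts where the intermediate rounding lands on a half cent. The prepared case (3 units at 1.15, wholesale) was chosen to hit that edge, and the parallel simulation finds a second such transaction in the actual data without anyone having to predict it in advance.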
A disaster recovery plan specifies who participates, what hardware and software will be used, and the applications to recover in case of a disaster.

Disaster recovery sites can be either hot or cold. A hot site is a backup facility that has a computer system fully operational and thus immediately available. A cold site is a facility ready to install processing equipment, but it is not immediately available.

Mobile recovery centers are used on a contracted basis in the event of a disaster that destroys operations facilities. They arrive within hours fully equipped with their client’s platform requirements and staffed with technical personnel.

The disaster recovery plan should be reviewed regularly and revised when necessary, and each member of the disaster recovery team should keep a current copy of the plan at home.

In grandparent-parent-child processing, files from previous periods are retained, and if a file is damaged during updating, the previous files can be used to reconstruct the current file. These files should be stored off-premise.

Fault-tolerant systems are designed to tolerate faults or errors. They often utilize redundancy, so that if one system fails, another one will take over. With multiple processors, consensus-based protocols specify that if one processor disagrees with the others, it is to be ignored; with two processors, the second processor can serve as a watchdog processor. If something happens to the primary processor, the watchdog processor takes over. A CPU could have two disks, and all data on the first disk is mirrored on the second disk. This is called disk mirroring or disk shadowing. Rollback processing can be used to prevent any transactions from being written to disk until they are complete.
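The recovery procedure described earlier (roll back to the most recent backup, then reprocess the transaction log against it), the grandparent-parent-child retention of backup generations, and rollback processing that keeps an incomplete write from reaching the master file are small enough to show in one runnable program. The following is an added example written for this page, not code from the HOCK material. The master file of account balances, the transactions, the period names and the choice to keep exactly three generations are constructed; the "rollback" write is implemented as write-to-scratch-file-then-rename, which is one common way to get that guarantee on ordinary file systems.

```python
"""Added example: master-file backup, a transaction log, recovery by
reprocessing the log against the most recent backup, grandparent-parent-child
retention, and rollback-style atomic writes. Uses a temporary directory and
constructed data; not code from the HOCK material."""
import json
import os
import tempfile
from pathlib import Path


def atomic_write(path: Path, data: dict) -> None:
    """Rollback processing in miniature: write to a scratch file and rename it into
    place, so a failure mid-write leaves the previous master file untouched."""
    tmp = path.with_suffix(path.suffix + ".tmp")
    with open(tmp, "w") as f:
        json.dump(data, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # rename is all-or-nothing; the old file is never half-overwritten


def apply_transaction(master: dict, txn: dict) -> None:
    """Post one transaction (account, amount) to the master file of balances."""
    master[txn["account"]] = master.get(txn["account"], 0) + txn["amount"]


class GpcBackups:
    """Keep the three most recent generations: child, parent, grandparent."""

    def __init__(self, backup_dir: Path):
        self.dir = backup_dir
        self.generations = []  # oldest first, newest last

    def take(self, master: dict, period: str) -> Path:
        path = self.dir / f"master_{period}.json"
        atomic_write(path, master)
        self.generations.append(path)
        while len(self.generations) > 3:   # great-grandparent is retired
            self.generations.pop(0).unlink()
        return path

    def most_recent(self) -> Path:
        return self.generations[-1]


def recover(backup_path: Path, log_path: Path) -> dict:
    """Roll back to the backup copy and reprocess the transaction log against it."""
    master = json.loads(backup_path.read_text())
    with open(log_path) as log:
        for line in log:
            apply_transaction(master, json.loads(line))
    return master


def demo() -> dict:
    """Constructed scenario: four period-end backups, two logged transactions,
    loss of the live master file, then recovery."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        master_path = work / "master.json"
        log_path = work / "transactions.log"
        backups = GpcBackups(work)
        master = {"1010": 500, "2020": 250}
        atomic_write(master_path, master)
        # Period-end backups; after the fourth, only p2, p3 and p4 remain
        for period in ("p1", "p2", "p3", "p4"):
            backups.take(master, period)
        # Transactions entered after the last backup are logged as they are entered
        txns = [{"account": "1010", "amount": -120}, {"account": "3030", "amount": 75}]
        with open(log_path, "w") as log:
            for t in txns:
                log.write(json.dumps(t) + "\n")
                apply_transaction(master, t)
                atomic_write(master_path, master)
        # The live master file is destroyed
        master_path.unlink()
        recovered = recover(backups.most_recent(), log_path)
        return {
            "recovered": recovered,
            "matches_live": recovered == master,
            "generations_kept": [p.name for p in backups.generations],
            "oldest_removed": not (work / "master_p1.json").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Two properties matter here and both are checked by the demo: the reconstructed balances equal what the live master file held before it was lost, and the backup set never grows past the three generations the grandparent-parent-child scheme calls for. In practice the log and the backup generations would be written to a remote site, as the text notes, rather than into the same directory as the master file.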