Chapter Nine — Understanding Internal Control

Summary

This chapter discusses another key aspect of Horizon - understanding
and documenting an entity’s internal control as part of risk assessment
procedures. In addition to matters discussed in Chapter 8, understanding
internal control is essential in assessing risk of material misstatements,
whether due to error or fraud.

Introduction
9.01 To develop an appropriate audit plan (one that reduces the audit risk to an
appropriate level), the audit team must understand the entity being audited
and the environment in which it operates, including its internal control. The
audit team uses this understanding of internal control to:
- identify the types of misstatements that may be present
- evaluate the internal control deficiencies that may increase risk of
  material misstatement
- design internal control testing strategies and substantive audit
  procedures

9.02 Internal control is a process, effected by an entity's management,
employees, other personnel and those charged with governance that is
designed to achieve three objectives: effective and efficient operations,
reliable financial reporting, and compliance with laws and regulations.
Establishing and maintaining effective internal control is an important
management responsibility and requires continuing management
supervision to monitor that controls are operating as intended and
appropriately modified as needed.

9.03 The Horizon approach to understanding, documenting, and evaluating
internal control includes:
- performing risk assessment procedures to determine the extent of
  internal control documentation needed
- obtaining and documenting an understanding of entity-level controls
- obtaining and documenting an understanding of activities-level
  controls for very important and somewhat important processes
  associated with reasonably possible risks
- determining whether these controls are designed effectively and
  implemented
- determining an intended control reliance strategy for each
  reasonably possible risk
- identifying key controls (those controls that the audit team intends
  to test for operating effectiveness as a basis for supporting the
  intended control reliance)
- testing the operating effectiveness of those key controls
This process enables the audit team to achieve their intended control
reliance strategy for each reasonably possible risk, identify other areas of
risk and tailor the substantive audit program in Voyager.

9.04 Voyager is designed to implement Horizon’s internal control methodology
and enables the audit team to focus on internal controls that address
reasonably possible risks. Voyager assists the audit team in
understanding the entity’s controls pertinent to reliable financial reporting.
More specifically, Voyager assists the audit team as they:
- obtain an understanding of the processes that impact financial
  reporting
- obtain and document an understanding of the controls within such
  processes that prevent or detect errors, including fraud
- assess the effectiveness of the design of those controls
- perform tests of controls to evaluate their operating effectiveness
- identify potential control “gaps,” operating deficiencies, and other
  weaknesses or advisory comments

9.05 This chapter focuses on the firm’s policies and procedures for obtaining
and documenting an understanding of the entity’s internal control. Such
understanding is ordinarily gained through:
- previous experience with the entity (in continuing client
  relationships)
- inquiries of appropriate management, supervisory, and other
  personnel
- tracing transactions through processes and controls (i.e.,
  walkthroughs)
- inspecting documents and records
- observing control activities and operations

Internal Control Framework


9.06 Internal control can be defined in a number of ways. Various groups
comprised of experts that follow due process have developed internal
control frameworks. Such frameworks establish a common definition of
internal control and provide suitable criteria against which organizations
can design and evaluate their controls.

9.07 The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) created the most widely accepted framework for evaluating
controls over financial reporting. International auditing standards use
COSO to define internal control. Voyager uses the COSO framework.

9.08 Some legislative and regulatory bodies require an audit report on the
effectiveness of internal control using a framework established through
due process by an appropriate group. The COSO framework is an
acceptable framework for this purpose.

Internal Control Objectives and Components


9.09 COSO defines internal control as a process designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with applicable laws and regulations

9.10 There is a direct relationship between the objectives, which are what an
entity strives to achieve, and internal control components, which represent
what is needed to achieve the objectives. COSO identified the following
five interrelated internal control components:
- control environment – sets the tone of an organization, influencing
  the control consciousness of its people; the foundation for all other
  components of internal control, providing discipline and structure
- risk assessment – the entity's identification and analysis of relevant
  risks to achievement of its objectives, forming a basis for
  determining how the risks should be managed
- control activities – the policies and procedures that help ensure that
  management directives are carried out
- information and communication systems – support the
  identification, capture, and exchange of information in a form and
  time frame that enable people to carry out their responsibilities
- monitoring – a process that assesses the quality of internal control
  performance over time

9.11 Voyager uses the COSO definition of internal control, including these five
interrelated components. Accordingly, Voyager focuses on controls at both
the entity and operations level. In Voyager, entity-level controls are
sometimes referred to as governance controls, and operations-level
controls are referred to as activities-level controls. Each entity and
activities-level control is linked to a COSO component.

Entity-Level Controls
9.12 Governance is the term used to describe the role of persons entrusted
with the supervision, control, and direction of an entity. Those charged
with governance ordinarily are accountable for ensuring that the entity
achieves its objectives and also for the process of financial reporting and
reporting to interested parties. Governance controls are the foundation of
all other controls and are applicable to all entities, regardless of size.
Voyager refers to governance controls as entity-level controls.

9.13 In Voyager, entity-level controls are organized by the following activities:
- control environment
- monitoring
- information and communication
- information technology (IT)
- financial reporting

9.14 Monitoring includes risk assessment and monitoring risk activities.
Information technology is separated from information and communication
to enable the audit team to obtain a more focused understanding of
controls over systems and applications.

Control Environment

9.15 The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for effective
internal control, providing discipline and structure. The control
environment primarily includes:
- Communication and enforcement of integrity and ethical values –
  The effectiveness of controls cannot rise above the integrity and
  ethical values of the people who create, administer, and monitor
  them. Integrity and ethical values are essential elements of the
  control environment which influence the design, administration, and
  monitoring of other components. Integrity and ethical behavior are
  the product of the entity’s ethical and behavioral standards, how
  they are communicated, and how they are reinforced in practice.
  They include management’s actions to remove or reduce incentives
  and temptations that might prompt people to engage in dishonest,
  illegal, or unethical acts. They also include the communication of
  entity values and behavioral standards to people through policy
  statements and codes of conduct and by example.
- Commitment to competence – Competence is the knowledge and
  skills necessary to accomplish tasks that define the individual’s job.
  Commitment to competence includes management’s consideration
  of the competence levels for particular jobs and how those levels
  translate into requisite skills and knowledge.
- Participation by those charged with governance – An entity’s
  control consciousness is influenced significantly by those charged
  with governance. Attributes of those charged with governance
  include independence from management, their experience and
  stature, the extent of their involvement and scrutiny of activities, the
  appropriateness of their actions, the information they receive, the
  degree to which difficult questions are raised and pursued with
  management, and their interaction with internal and external audit
  teams.
- Management’s philosophy and operating style – Management’s
  philosophy and operating style encompass a broad range of
  characteristics. Such characteristics may include management’s (a)
  approach to taking and monitoring business risks, (b) attitudes and
  actions toward financial reporting, for example, conservative or
  aggressive selection from available alternative accounting
  principles and the conscientiousness and conservatism with which
  accounting estimates are developed, and (c) attitudes toward
  information processing and accounting functions and people.
- Organizational structure – An entity’s organizational structure
  provides the framework within which its activities for achieving
  entity-wide objectives are planned, executed, controlled, and
  reviewed. Authority and responsibility and appropriate lines of
  reporting are critical elements of an organizational structure. An
  entity develops an organizational structure suited to its needs. The
  appropriateness of an entity’s organizational structure depends, in
  part, on its size and the nature of its activities.
- Assignment of authority and responsibility – This factor includes
  how authority and responsibility for operating activities are assigned
  and how reporting relationships and authorization hierarchies are
  established. It also includes policies relating to appropriate
  business practices, knowledge and experience of key people, and
  resources provided for carrying out duties. In addition, it includes
  policies and communications directed at ensuring that all people
  understand the entity’s objectives, know how their individual actions
  interrelate and contribute to those objectives, and recognize how
  and for what they will be held accountable.
- Human resource policies and practices – Human resource policies
  and practices relate to recruitment, orientation, training, evaluating,
  counseling, promoting, compensating, and remedial actions. For
  example, standards for recruiting the most qualified individuals, with
  emphasis on educational background, prior work experience, past
  accomplishments, and evidence of integrity and ethical behavior,
  demonstrate an entity’s commitment to competent and trustworthy
  people. Training policies that communicate prospective roles and
  responsibilities and include practices such as training schools and
  seminars illustrate expected levels of performance and behavior.
  Promotions driven by periodic performance appraisals demonstrate
  the entity’s commitment to the advancement of qualified people to
  higher levels of responsibility.

Monitoring - Risk Assessment

9.16 An entity’s risk assessment process is its process for identifying and
responding to business risks and the results thereof. An entity’s risk
assessment process includes how management identifies risks relevant to
the preparation of financial statements that give a true and fair view (or are
presented fairly, in all material respects) in accordance with the entity’s
applicable financial reporting framework, estimates their significance,
assesses the likelihood of their occurrence, and decides upon actions to
manage them. For example, the entity’s risk assessment process may
address how the entity considers the possibility of unrecorded transactions
or identifies and analyzes significant estimates recorded in the financial
statements. Risks relevant to reliable financial reporting also relate to
specific events or transactions.

9.17 Risks relevant to financial reporting include external and internal events
and circumstances that may occur and adversely affect an entity’s ability
to initiate, record, process, and report financial data consistent with the
assertions of management in the financial statements. Once risks are
identified, management considers their significance and the likelihood of
their occurrence, and determines how the risks will be managed.
Management may initiate plans, programs, or actions to address specific
risks or they may decide to accept a risk because of cost or other
considerations. Risks can arise or change due to circumstances, such as
the following:
- changes in operating environment
- new people
- new or revamped information systems
- rapid growth
- new technology
- new business models, products, or activities
- corporate restructurings
- expanded foreign operations
- new accounting pronouncements

Monitoring – Risk Activities

9.18 Monitoring of controls is a process to assess the quality of internal control
performance over time. It involves assessing the design and operation of
controls on a timely basis and taking necessary corrective actions.
Monitoring is done to ensure that controls continue to operate effectively
over time. Monitoring of controls is accomplished through ongoing
monitoring activities, separate evaluations, or a combination of the two.

9.19 Ongoing monitoring activities are built into the normal recurring activities
of an entity and include regular management and supervisory activities.
Managers of sales, purchasing, and production at divisional and corporate
levels are in touch with operations and may question reports that differ
significantly from their knowledge of operations.

9.20 In many entities, internal auditors or people performing similar functions
contribute to the monitoring of an entity’s controls through separate
evaluations. They regularly provide information about the functioning of
internal control, focusing considerable attention on evaluating the design
and operation of internal control. They communicate information about
strengths and weaknesses and recommendations for improving internal
control.

9.21 Monitoring activities may include using information from communications
from external parties. Customers implicitly corroborate billing data by
paying their invoices or complaining about their charges. In addition,
regulators may communicate with the entity concerning matters that affect
the functioning of internal control, for example, communications
concerning examinations by bank regulatory agencies. Also, management
may consider communications relating to internal control from external
parties in performing their monitoring activities.

Information and Communication

9.22 An information system consists of infrastructure (physical and hardware
components), software, people, procedures, and data. Infrastructure and
software will be absent, or have less significance, in systems that are
primarily manual.

9.23 The information system relevant to financial reporting objectives, which
includes the financial reporting system, consists of the procedures and
records established to initiate, record, process, and report entity
transactions and to maintain accountability for the related assets, liabilities
and equity. Transactions may be initiated manually or automatically by
programmed procedures. Recording includes identifying and capturing the
relevant information for transactions or events. Processing includes
functions such as edit and validation, calculation, measurement, valuation,
summarization, and reconciliation, whether performed by automated or
manual procedures. Reporting relates to the preparation of financial
reports as well as other information, in electronic or printed format, that the
entity uses in measuring and reviewing the entity’s financial performance
and in other functions. The quality of system-generated information affects
management’s ability to make appropriate decisions in managing and
controlling the entity’s activities and to prepare reliable financial reports.

9.24 Accordingly, an information system encompasses methods and records
that:
- identify and record all valid transactions
- describe on a timely basis the transactions in sufficient detail to
  permit proper classification of transactions for financial reporting
- measure the value of transactions in a manner that permits
  recording their proper monetary value in the financial statements
- determine the period in which transactions occurred to permit
  recording of transactions in the proper accounting period
- present properly the transactions and related disclosures in the
  financial statements

9.25 Communication involves providing an understanding of individual roles
and responsibilities pertaining to internal control over financial reporting. It
includes the extent to which people understand how their activities in the
financial reporting information system relate to the work of others and the
means of reporting exceptions to an appropriate higher level within the
entity. Open communications channels help ensure that exceptions are
reported and acted on.

9.26 Communication takes such forms as policy manuals, accounting and
financial reporting manuals, and memoranda. Communication also can be
made electronically, orally, and through the actions of management.

Information Technology

9.27 Most information systems make extensive use of information technology
(IT). IT can provide more useful and timely information to management by
collecting and processing data faster and enabling more flexible access
and reporting. An automated system is often more complicated and
difficult to understand than a manual system. For example, electronic
records may be changed without evidence of the change.

9.28 Voyager focuses on IT general controls and activities-level IT security
access controls. Within Voyager, IT general controls are categorized as
follows:
- security administration – managing internal user, remote, and third-
  party access and monitoring access to IT systems
- program maintenance – initiating change requests, designing,
  developing and configuring program changes and promoting
  changes to production
- program execution – scheduling batch programs, executing
  authorized programs and monitoring execution of programs
- new system implementation – establishing an effective new system
  implementation environment, initiating a new system project,
  defining system requirements and specifications, designing,
  developing, configuring and integrating a new system, converting
  data and implementing and deploying a new system

9.29 Applicability of each ITGC activity
- Security administration – This activity is ordinarily applicable to all
  entities. The controls in this activity address the entity’s policies for
  administering security, including the control of access to financial
  reporting applications and related databases by internal and remote
  users and authorized third parties. Refer to Exhibit 9.1 for
  definitions of the security administration controls.
- Program maintenance – This activity is ordinarily applicable to all
  entities regardless of whether they utilize programmers to develop
  and maintain applications, license them from third parties or both.
  The controls in this activity address the entity’s policies for
  maintaining financial reporting applications and databases and
  ensuring that only authorized versions of applications are in use.
- Program execution – This activity is only relevant to entities whose
  IT environment includes batch processing. The controls in this
  activity address the entity’s policies for administering batch
  controls, including controls that ensure the right programs are
  executed to completion at the right times. Audit teams should
  deselect this activity for entities whose IT environment does not
  include batch processing in financial reporting applications.
- New system implementation – This activity is relevant only to
  integrated audits of entities that implemented a new system too
  late in the year (typically during the last quarter) to allow the audit
  team to evaluate the operating effectiveness of the new financial
  reporting controls. Audit teams should deselect this activity for other
  audits. The controls in this activity address how the entity designed,
  configured, and integrated its new system and converted the data.

Financial Reporting

9.30 One objective of internal control is to ensure that information generated
and communicated from the various activities of an organization comes
together to achieve reliable financial reporting. In Voyager, controls related
to the preparation of reliable and accurate financial statements and
regulatory reports are documented in “Financial Reporting”.

9.31 Activities-level processes and controls initiate, capture, process and
record transactions which culminate in the general ledger. Financial
reporting activities take this information in the general ledger and use it to
prepare accurate and reliable financial statements and regulatory reports.
Financial reporting processes include:
- mapping general ledger accounts to financial statement lines
- preparing post-closing trial balances, including top-level journal entries
- consolidating business units
- applying appropriate accounting principles
- preparing financial statements and other regulatory reports

Activities-Level Controls
9.32 Activities-level controls are controls (or control activities) performed at the
process level within a transaction cycle (i.e., controls over the origination,
processing, and recording of transactions). Processes are the action steps
that are performed by every entity when conducting their business. In
Voyager, each transaction cycle consists of activities, and each activity
consists of processes. Controls are established over each process to
reduce the possibility of error or fraud.

Limitations of Internal Control


9.33 Internal control does not provide management with conclusive evidence
that objectives are achieved, because of inherent limitations. Such
limitations include:
- the potential for mistakes arising from such causes as
  misunderstanding of instructions, errors of judgment, and personal
  carelessness, distraction, or fatigue
- the possibility that procedures whose effectiveness depends on
  segregation of duties can be circumvented by collusion or
  management override
- the possibility that procedures designed to assure the execution
  and recording of transactions in accordance with management's
  authorizations may be ineffective against either fraud or errors
  perpetrated by management, or against the estimates and
  judgments required in the preparation of financial statements
- the potential for circumventing even the most elaborate security
  controls

9.34 Any projection of a current evaluation of internal control to future periods is
subject to the risk that the procedures may become inadequate because
of changes in personnel, system software, or other conditions, or the
degree of compliance with any particular control may deteriorate.

9.35 The concept of reasonable, as opposed to absolute, assurance
recognizes that the cost of an internal control policy or procedure should
be considered in relation to the benefits to be derived and also recognizes
that the evaluation of the various pertinent factors necessarily requires
estimates and judgments by management.

Economic and Financial Statement Events


9.36 Financial statements may be considered summaries of the economic
effects of exchange transactions between the reporting enterprise and
third parties. Such transactions typically go through a series of processes
until they are summarized in the general ledger and reported in the
financial statements. Voyager recognizes four types of events that can
occur within a transaction cycle: boundary, discretionary, internal, and
ledger. Each process within a transaction cycle is assigned to one of these
events.

9.37 The boundary event is the point in a transaction cycle where an entity
interacts with a third party. There are four types of boundary events:
- initiation – transaction is initiated
- movement – goods or services are provided
- recording – transaction is recorded
- consideration – transaction is completed, by receiving or paying the
  consideration
In Voyager, all four events are listed as boundary events.

9.38 Discretionary events are economic activities that are initiated internally
and are necessary to allocate revenues, expenses, gains, and losses to
the proper accounts and periods. Discretionary events are judgmental in
nature. Examples of such events include:
- adjusting and recording the provision for inventory obsolescence
- adjusting and recording inventory balances after a physical count
- calculating and recording depreciation charges
- calculating and recording the provision for bad debts

9.39 Internal events are intermediate activities that process data and
information between the boundary and ledger events. Examples of internal
events include maintaining the customer master file, entering receiving
information, and recording receipts in a subsystem.

9.40 Finally, ledger events are activities that record transactions in the general
ledger. Examples of such events include recording investments, income,
and receipts in the general ledger.

Processes and Controls
9.41 Processes, whether automated or manual, can introduce errors into the
accounting system. These errors can be intentional or unintentional.
Controls, on the other hand, are needed to ensure that all the relevant
economic events are captured and are established over processes to
prevent and detect such errors. For example, most businesses have the
process “collect cash from customers (receive payments)”. Controls
implemented over this process should ensure that all cash collected is
properly recorded and deposited in the entity’s bank account. Such
controls may include segregating the cash collection activity from the
recording activity, performing reconciliations and following up on identified
exceptions.

9.42 No one person should be responsible for processing a complete
transaction. In Voyager, the function or person performing a particular
process or control is captured and evaluated for proper segregation of
duties - an important internal control element in Horizon.
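The segregation-of-duties evaluation described in 9.41 and 9.42, as an added illustration that is not Voyager's own logic: each step of the "collect cash from customers" process records the function that performs it, the incompatible pairs of steps are declared as a constructed conflict set (an assumption for this example), and a transaction is flagged when any conflicting pair is performed by the same function. The step names, function names and conflict pairs are all constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One process or control step and the function (or person) that performs it."""
    name: str
    performed_by: str


# Constructed duty conflicts for the "collect cash from customers" process
# (an assumption for this example): one function should not both handle the
# cash and record it, nor handle or record it and also reconcile the bank.
CONFLICTS = {
    frozenset({"collect cash", "record receipt"}),
    frozenset({"collect cash", "reconcile bank"}),
    frozenset({"record receipt", "reconcile bank"}),
}


def sod_violations(steps):
    """Return (step_a, step_b, function) for every conflicting pair of steps
    that the same function performs. An empty list means duties are segregated."""
    by_name = {s.name: s for s in steps}
    found = []
    for pair in CONFLICTS:
        a, b = sorted(pair)
        if a in by_name and b in by_name and by_name[a].performed_by == by_name[b].performed_by:
            found.append((a, b, by_name[a].performed_by))
    return sorted(found)


# Constructed sample assignments: in WEAK the cashier both collects and records.
WEAK = [
    Step("collect cash", "cashier"),
    Step("record receipt", "cashier"),
    Step("reconcile bank", "controller"),
]
SEGREGATED = [
    Step("collect cash", "cashier"),
    Step("record receipt", "AR clerk"),
    Step("reconcile bank", "controller"),
]

if __name__ == "__main__":
    for label, steps in (("weak", WEAK), ("segregated", SEGREGATED)):
        print(label, sod_violations(steps) or "no conflicts")
```

The conflict set is the part an audit team would tailor per entity; the check itself is only as good as the completeness of the captured "performed by" data, which is why 9.42 treats capturing that function for every process and control as a prerequisite.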

Control Objectives
9.43 Each activities-level control is assigned to a control objective. Control
objectives are applicable to economic and financial statement events as
follows:
Control Objective           Boundary Event   Internal Event   Discretionary Event   Ledger Event
Authorization
Completeness and accuracy
Integrity
Budgetary
Reconciliation
Safeguarding

9.44 Controls that achieve the authorization objective are designed to ensure
that captured transactions are valid and have the approval of
management. This authorization may be based on a broad policy, for
example, when authorization is given to extend credit to any customer up
to a specified limit. This authorization may also be specific, for example,
where further authorization controls are performed for transactions in
excess of the specified limit. Authorization controls occurring during
processing are the same in nature and purpose as those at the boundary;
however, controls at the boundary are normally stronger. For example,
authorization of the extension of credit after the fact is not a very effective
control; it may be useful in detecting potential recoverability problems, but
not in preventing or minimizing them.

9.45 Controls that achieve the completeness and accuracy objective are
designed to ensure that all exchanges with third parties are properly
captured in the accounting system and the data captured is complete and
accurate. “Completeness controls” are designed to prevent or detect
errors in the number of items or transactions processed, to guard against
the possibility that items accepted by the accounting system are omitted
from processing or are processed more than once. “Accuracy controls” are
designed to prevent or detect discrepancies between items of information
and the corresponding economic facts, to guard against the possibility that
incorrect information is processed.

9.46 Controls that achieve the integrity objective are designed to prevent the
alteration of computer data files and programs, to help ensure that all
accepted transactions remain on file for the proper period, and all
captured transactions accurately update the master files. “Integrity
controls” apply to automated components of the accounting system and
include controls such as restricted access to databases. They do not
include controls such as locks restricting access to the computer room.

9.47 Controls that achieve the budgetary objective are designed to aid
management in determining that the entity is operating as expected. For
example, if salaries are a negotiated contract item, management might
expect actual salary expense to match the aggregate contracted amount.
If the actual expense is significantly different, a “budgetary control” may
indicate an error in the accounting system.

9.48 Controls that achieve the reconciliation objective are designed to ensure
that the general ledger account properly reflects the summary of the
events recorded in the accounting system. An example is reconciling a
control account to a subsidiary ledger. Such controls are detective rather
than preventive. In Voyager, the completion of a reconciliation is not a
control in and of itself. For example, if the reconciliation is prepared but
the reconciling items are not examined to determine if they are indicative
of an error, no control is provided by the reconciliation.
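The reconciliation control of 9.48, as an added example that is not Voyager's or Horizon's own code: a general ledger control account is compared with the sum of its subsidiary ledger, known reconciling items are applied, and the control is treated as having operated only when every reconciling item was examined and no unexplained difference remains, which is the point 9.48 makes about a reconciliation that is prepared but not followed up. The account names, balances and reconciling item are constructed sample values.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ReconcilingItem:
    """A known difference between the control account and the subsidiary ledger."""
    description: str
    amount: Decimal   # added to the subsidiary total to move it toward the control balance
    examined: bool    # whether someone determined the item is not indicative of an error


def reconcile(control_balance, subsidiary_balances, items):
    """Compare a general ledger control account with the sum of its subsidiary
    ledger, apply the known reconciling items and report what is left over."""
    subsidiary_total = sum(subsidiary_balances.values(), Decimal("0"))
    explained = sum((i.amount for i in items), Decimal("0"))
    return {
        "subsidiary_total": subsidiary_total,
        "unexplained": control_balance - subsidiary_total - explained,
        "unexamined": [i.description for i in items if not i.examined],
    }


def control_operated(result):
    """Preparing the reconciliation is not the control: it has operated only when
    every reconciling item was examined and no unexplained difference remains."""
    return result["unexplained"] == 0 and not result["unexamined"]


# Constructed sample: receivables control account versus customer balances.
SUBLEDGER = {
    "Customer A": Decimal("4000"),
    "Customer B": Decimal("3500"),
    "Customer C": Decimal("2750"),
}
CONTROL_BALANCE = Decimal("10500")
OFF_BALANCE = Decimal("10600")   # constructed: control account carries an extra 100 nobody can explain
TIMING_ITEM = ReconcilingItem(
    "cash receipt posted in GL, not yet applied in subledger", Decimal("250"), examined=True)
UNEXAMINED_ITEM = ReconcilingItem(
    "cash receipt posted in GL, not yet applied in subledger", Decimal("250"), examined=False)

if __name__ == "__main__":
    for label, balance, items in (("followed up", CONTROL_BALANCE, [TIMING_ITEM]),
                                  ("prepared only", CONTROL_BALANCE, [UNEXAMINED_ITEM]),
                                  ("unexplained", OFF_BALANCE, [TIMING_ITEM])):
        result = reconcile(balance, SUBLEDGER, items)
        print(label, result, "control operated:", control_operated(result))
```

The three scenarios in the block separate the two ways a reconciliation can fail as a control: the difference is explained but nobody examined the explanation, or an amount remains that no reconciling item accounts for.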

9.49 Controls that achieve the safeguarding objective are designed to protect
assets. They include procedures and security measures that restrict
access to assets to authorized personnel. These controls are particularly
important in the case of valuable, easily exchangeable, or portable assets.

Control Attributes
9.50 All controls have distinct attributes. However, any given control can fit a
number of different control attributes. The controls built into Voyager are
pre-assigned to certain attributes. Examples of such attributes are:
- COSO component
- control objective
- foundational, operational, or monitoring
- preventive or detective
- automated or manual
- primary (and sometimes secondary) assertion

9.51 The COSO component and control objective attributes are discussed
above. The other attributes are discussed in the following paragraphs. The
Control Attributes report can be generated to identify the controls within a
process and their pre-assigned attributes.

9.52 In addition to the attributes assigned by Voyager, the audit team should
determine and document in Voyager whether the control is a documented
or undocumented control.

Foundational, Operational and Monitoring Controls

9.53 Foundational controls provide an overall context or environment to ensure
that the execution of activities and controls is consistent with management
objectives. Examples of foundational controls include segregation of
duties, standard operating policies and procedures, and controls over
entity-level processes.

9.54 Operational controls provide the front line of defense in preventing,
detecting, and correcting errors. Examples of operational controls include
following-up on reconciliations and exception reports, comparing batch
totals to predetermined numbers, performing edits on transaction limits
and data and systems access controls.

9.55 Monitoring controls ensure that all other controls are operating as
designed. Examples of monitoring controls include review of business
performance metrics, observation of operational controls, and
reperformance of specific controls.

Preventive and Detective Controls

9.56 Preventive versus detective is a distinction based on the timing of the
control application; both types of controls are designed to discover errors.
Preventive controls, as the name implies, stop errors from being accepted
into the books and records in the first place; detective controls expose
errors after their initial recording. Examples of preventive controls are:
 reperformance of tasks by a second individual prior to recording
 accounting for all items in a batch through the use of batch totals
 edits on invalid or duplicate entries
Examples of detective controls are:
 following up on reconciliations
 following up on exception reports
 performing monitoring activities

9.57 Preventive controls are usually preferred over detective controls, because
they prevent errors from being introduced into a process, as opposed to
detecting errors already introduced. For example, the entity's control
system would be better if a preventive control (such as an edit) required
authorization of large sales than if a detective control (such as follow-up
on an exception report) identified transactions requiring authorization after
the occurrence of the event.

9.58 Because of the inherent limitations of internal control, an entity should
have an appropriate mix of preventive and detective controls. While
preventive controls are ordinarily preferable to detective controls, detective
controls supplement preventive controls and further reduce the risk of
error. Detective controls also address the risk of management override
and fraud.

Manual and Automated Controls

9.59 People perform manual controls. Their reliability is affected by the
possibility of human errors in judgment or misinterpretation,
misunderstanding of the controls to be performed, carelessness, fatigue,
or distraction.

9.60 The operating system or application software performs automated
controls. They enhance the reliability or integrity of data and, because they
apply the same logic to every transaction, are inherently more reliable than
manual controls, provided the system controls over access and program changes
(see 9.64) keep that logic from being altered or bypassed. An example of an
automated control is an edit check that prevents entry of invalid data.

Documented and Undocumented Controls

9.61 Documented controls provide written evidence that they are performed
and are often characteristic of manual controls. Undocumented controls
may be effective, but they can only be tested through inquiry and
observation.

9.62 Written evidence, which may take the form of signatures or initials, assists
in the identification of items for testing but provides only indirect evidence
that a control procedure was performed. For example, the person who signed
might not have performed the procedure effectively because he or she
misunderstood the purpose of the control.

Application and System Controls

9.63 Application controls are automated controls built into application software
(e.g., payroll, accounts receivable, or general ledger software), which may
vary from application to application. Application controls are designed to
ensure that all transactions recorded are authorized, complete, and
accurate. For example, a customer enters a sales order either through a
telephone call to a salesperson or by using an interactive website.
However, the sales order software will not process the transaction unless
the customer’s accounts receivable balance is below a specified credit
limit.
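As an added illustration of the controls described in paragraphs 9.48, 9.56 and 9.63 (this is not code from the chapter or from Voyager), the Python below runs a constructed batch of sales orders through preventive application edits (duplicate order number, invalid amount, credit limit, batch total, authorization of large orders) and then applies the detective reconciliation of the general ledger control account to the subsidiary ledger. The authorization threshold, the customers, the orders and the write-off journal are all constructed assumptions. In line with 9.48, `reconcile` returns the items that still have to be examined; the arithmetic alone is not the control.

```python
"""Preventive application edits and detective controls over a sales-order
process (see 9.48, 9.56 and 9.63).  Added illustration; every customer, order
and journal below is constructed sample data, not client data."""
from dataclasses import dataclass, field
from decimal import Decimal

LARGE_ORDER = Decimal("10000")   # assumed threshold above which authorization is required


@dataclass
class Customer:
    credit_limit: Decimal
    ar_balance: Decimal          # open receivables before this batch


@dataclass
class Order:
    order_no: str
    customer_id: str
    amount: Decimal
    authorized_by: str = ""      # approver's id for large orders, blank if none


@dataclass
class Ledger:
    subsidiary: dict = field(default_factory=dict)   # order_no -> Order (AR subledger)
    gl_journals: list = field(default_factory=list)  # (ref, amount) posted to the GL control account

    def gl_balance(self):
        return sum((amt for _, amt in self.gl_journals), Decimal("0"))

    def subsidiary_total(self):
        return sum((o.amount for o in self.subsidiary.values()), Decimal("0"))


def preventive_edits(order, customers, ledger):
    """Automated edits run before an order is accepted (preventive controls).
    Returns the reasons for rejection; an empty list means the order passes."""
    reasons = []
    if order.order_no in ledger.subsidiary:
        reasons.append("duplicate order number")
    if order.amount <= 0:
        reasons.append("invalid amount")
    cust = customers.get(order.customer_id)
    if cust is None:
        reasons.append("unknown customer")
    elif cust.ar_balance >= cust.credit_limit:       # 9.63: balance must be below the limit
        reasons.append("AR balance not below credit limit")
    if order.amount >= LARGE_ORDER and not order.authorized_by:
        reasons.append("large order not authorized")  # 9.57: an edit, not an after-the-fact report
    return reasons


def batch_total_agrees(orders, control_total):
    """Preventive batch control: the items keyed must add up to the total
    established when the batch was prepared, otherwise items are missing or duplicated."""
    return sum((o.amount for o in orders), Decimal("0")) == control_total


def process_batch(orders, control_total, customers, ledger):
    """Reject the whole batch on a batch-total mismatch; otherwise post each order
    that passes the edits to the subsidiary ledger and summarize it to the GL."""
    if not batch_total_agrees(orders, control_total):
        return {"batch": ["batch total mismatch"]}
    rejected, posted = {}, Decimal("0")
    for o in orders:
        reasons = preventive_edits(o, customers, ledger)
        if reasons:
            rejected[o.order_no] = reasons
            continue
        ledger.subsidiary[o.order_no] = o
        customers[o.customer_id].ar_balance += o.amount
        posted += o.amount
    ledger.gl_journals.append(("sales-summary", posted))
    return rejected


def reconcile(ledger, known_items):
    """Detective control (9.48): compare the GL control account with the subsidiary
    ledger.  The reconciliation alone is not the control: every reconciling item
    must be examined, and any unexplained difference indicates an error."""
    difference = ledger.gl_balance() - ledger.subsidiary_total()
    explained = sum((amt for _, amt in known_items), Decimal("0"))
    return {"difference": difference, "unexplained": difference - explained,
            "items_to_examine": [ref for ref, _ in known_items]}


def demo():
    """Constructed scenario: five orders, three of which fail an edit, followed by a
    manual GL write-off that creates one reconciling item to examine."""
    customers = {"C1": Customer(Decimal("50000"), Decimal("12000")),
                 "C2": Customer(Decimal("5000"), Decimal("5000"))}   # C2 is at its limit
    ledger = Ledger()
    orders = [Order("SO-1", "C1", Decimal("2500")),
              Order("SO-2", "C2", Decimal("300")),                # fails the credit edit
              Order("SO-1", "C1", Decimal("900")),                # duplicate order number
              Order("SO-3", "C1", Decimal("15000")),              # large and unauthorized
              Order("SO-4", "C1", Decimal("15000"), "controller")]
    rejected = process_batch(orders, Decimal("33700"), customers, ledger)
    ledger.gl_journals.append(("JE-77 write-off", Decimal("-400")))   # posted to GL only
    recon = reconcile(ledger, known_items=[("JE-77 write-off", Decimal("-400"))])
    return rejected, recon


if __name__ == "__main__":
    print(demo())
```

Running `demo()` rejects SO-2, the second SO-1 and SO-3 at the edit stage, posts 17,500 to the GL, and reports a 400 difference that is fully explained by the write-off journal; the reviewer still has to look at that journal and decide whether it is a timing item or an error.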

9.64 System controls (also referred to as IT general controls) are automated
controls that help ensure the continued, proper operation of information
systems. Such controls apply to systems as a whole and are substantially
the same regardless of the application. In Voyager, these are included
within entity-level controls under Information Technology. For example,
passwords restricting access to a computer network are system controls.
There are five basic control objectives for system controls over computer
processing:
 reliability of processing controls – provide evidence that computer
applications are properly running, and that:
– the organizational structure and staffing is appropriate for the
effective operation of the information technology department
– there is appropriate segregation of duties between users,
programmers and operators
– unauthorized access to the system is prevented
– the correct versions of data and program files are used in
processing
– the operating system facilities are properly implemented
– the use of utility programs is restricted to authorized people
– live implementation of new or amended programs is properly
controlled
 integrity of software program controls – provide evidence that
processes and controls implemented within computer programs are
not accidentally modified or deliberately circumvented. They
include:
– automated access security
– physical access controls over electronic files
– operational controls over enhancements and amendments to
programs
 integrity of electronic data controls – provide evidence that data is
correctly processed and that data maintained by the accounting
system is not accidentally or deliberately modified or corrupted by
other means. They include:
– electronic access security
– physical access controls over electronic media
 continuity of processing controls – provide evidence that computer
hardware and application systems continue to be available for
processing accounting data on a timely basis, and include:
– physical access controls
– backup and business continuity plans
 system and application development and installation controls –
provide evidence that applications are properly designed to
incorporate appropriate controls by the user, and that controls are
properly implemented. This includes:
– development, testing, and documentation of applications
developed in-house
– acquisition, testing, documentation and implementation of
purchased applications

9.65 Although five basic control objectives have been defined for system
controls over computer processing, there is considerable interdependence
between them. For example, controls to restrict the use of utility programs,
such as file editing tools, are relevant not only to the reliability of
processing but also to the integrity of data and the integrity of programs.
In fact, since such a utility could be used to falsify a log file, it could be
employed to circumvent controls over system amendments. System controls over
computer processing should not, therefore, be considered in isolation from
each other or from the applications.
Obtaining and Documenting an Understanding of Internal Control
9.66 The particular design of the entity’s internal control will vary according to
the size and nature of the business. The applicability and importance of
specific elements of the entity’s internal control should be considered in
the context of the entity's:
 size
 organization and ownership characteristics
 nature of business
 diversity and complexity of operations
 methods of processing data
 applicable legal and regulatory requirements

9.67 For example, some companies are organized first by subsidiaries, then by
regions within those subsidiaries. Others are organized first by geographic
region, then by lines of business within those regions. For these types of
engagements, the audit team must determine how the entity’s operations
will be segregated for evaluation purposes.

9.68 The extent of work performed at each location or business unit varies
depending on the entity and the risk of material misstatement. For each
individually important location or business unit, a separate Voyager file
should ordinarily be created and completed. At each location, it is only
necessary to document significant transaction cycles.

9.69 For locations and business units that are not individually important, a
separate Voyager file may not be necessary. However, the audit team
should consider whether an error could occur in one location (or several
locations in the aggregate) that may give rise to a material misstatement
for the entity as a whole. In such cases, controls that prevent or detect
such errors should be understood and documented. For example, if a
business unit has complex revenue transactions that may result in a
material misstatement for the entity as a whole, it is reasonable to expect
controls in this cycle to be documented. In this situation, a separate
Voyager file should be created to document the controls over the revenue
cycle for that unit.

Understanding Entity-Level and Activities-Level Controls

9.70 Horizon requires the audit team to obtain an understanding sufficient to
identify:
 major classes of transactions in the entity’s operations
 how such transactions are initiated
 significant accounting records, supporting documents and accounts
in the financial statements
 the accounting and financial reporting process, from the initiation of
significant transactions and other events to their inclusion in the
financial statements
 whether the understanding of the control environment is sufficient to
assess directors’ and management’s attitudes, awareness and actions
regarding internal control and its importance to the entity
 whether the understanding of the control procedures (or activities) is
sufficient to develop the audit plan

9.71 Accordingly, to obtain such understanding, Horizon requires the audit
team to understand and document:
 all entity-level controls
 activities-level controls associated with risks that are reasonably
possible

9.72 Voyager should be used to document this understanding. This process
allows the audit team to understand how the entity:
 identifies, assembles, analyzes, classifies, records, and reports
transactions
 maintains the accountability for the related assets and liabilities
 provides information concerning the balances and the transactions
as a basis for producing accurate and reliable financial statements

9.73 A significant cycle is one that contains accounts or disclosure amounts
that are quantitatively or qualitatively material. Audit teams should use
tolerable error as the quantitative measure for materiality. Qualitative
factors, such as related party implications, could make an otherwise
immaterial account material, even when it is less than tolerable error.

9.74 Each process within a significant cycle is evaluated to determine its
importance. While efforts to document and evaluate activities-level
controls are focused on processes associated with reasonably possible
risks, documentation of “process importance” and “who performs” for all
processes in a significant cycle demonstrates that the audit team
understands the accounting system and the flow of transactions.

9.75 Through observation and inquiry, the audit team identifies controls. Using
Voyager, the audit team:
 places a check next to those controls that are implemented
 indicates whether the control is documented
 designates the name or function of the person performing the
process and the controls

9.76 Evidence that supports or corroborates processes or controls may only
exist at certain points in time. In this situation, to confirm their
understanding, the audit team might need to perform procedures at varied
times during the year.

9.77 The audit team may also choose to document other client information and
their understanding of the entity in Voyager.
Process Importance

9.78 Voyager suggests process importance for all processes in all industries.
The audit team may need to change process importance when the
suggestion is not appropriate for the specific client situation. It is essential
to assess process importance correctly, as this determination may affect
the nature, timing and extent of other audit procedures. Audit teams
should carefully evaluate the process and consider the relevance of the
process factors. The more factors that are relevant, the more important a
process is likely to be. Voyager requires audit teams to document their
rationale for changing a preset process importance determination.

9.79 There are three possible assessments:
 very important
 somewhat important
 not important

9.80 To assist the audit team in the determination of process importance,
Voyager contains factors for the audit team to consider. These factors are
grouped into four categories:
 materiality – large monetary amounts, high volume of transactions,
and impact on disclosures
 complexity – specialized skills required, potential for introduction of
errors, and complex accounting, judgments or estimates
 fraud and related party transactions – potential for fraudulent
financial reporting and misappropriation of assets and significant
related party transactions
 recent changes – in the business processes or in accounting
principles or practices

9.81 The audit team should document controls for the very important and
somewhat important processes. For not important processes,
documentation of the controls is not required.

Assistance of IT Specialists

9.82 Members of the audit team should have sufficient background and
experience to review most electronic systems. However, complex systems
require the assistance of an IT specialist. The application programs and
databases used by an entity often provide the first clue on the complexity
of the system. Examples of software applications commonly found in a
complex IT environment are PeopleSoft and SAP. Examples of relational
databases commonly used in complex IT environment are Oracle and
DB2. The IT Profile tool in Voyager assists teams in determining whether
an IT system is complex.

9.83 The audit team is responsible for capturing the information in the IT Profile
correctly. This includes entering details regarding significant applications
used by the entity to process information related to financial reporting
processes. Once this information is entered, the team evaluates
complexity by considering the applicability of the IT complexity factors for
each application. If any of the applications are complex, the audit team
should then add an IT specialist to the team. The IT specialist then
reviews the IT Profile documentation to appropriately determine the extent
of his or her involvement. In addition, the audit team can include an IT
specialist if they deem it necessary, even if none of the applications is
assessed as complex.

9.84 When an IT specialist is added to the audit team, his or her initial
responsibility is to participate in the risk assessment process, including the
discussion among the audit team members to brainstorm about risks,
including fraud and where things could go wrong. Due to the complex
nature of IT systems, the IT specialist will normally be a partner or
manager who will assist the audit team in identifying IT-related risks.
Based on the specifics of the client and the risks identified, the audit team
and the IT specialist will then determine the extent of the IT specialist’s
further involvement. This includes assigning the appropriate IT specialist
to perform the work and deciding what role he or she will perform in
documenting and testing IT controls for the audit.

9.85 The IT specialist is considered part of the audit team. As such, he or she
should document his or her work using Voyager. In addition, the IT
specialist should adhere to all professional and firm standards.

9.86 The audit team cannot “audit around” the computer, delegate
responsibility for technology risk assessments to others, or delegate
responsibility to an IT specialist to determine the correct audit judgments.
The audit team should have the requisite skills to understand and
complete the IT profile and general IT environment as set out in Voyager.
That is not to say that an IT specialist will not be needed to assist with that
process, but when an IT specialist participates on the audit as a member
of the audit team, it is still incumbent on the rest of the audit team to
understand and concur with the work that the specialist performs.

9.87 Understanding the IT environment is essential to enable the audit team to
assess risks properly and to design a focused audit strategy. Generally, it
is the in-charge accountant or someone with adequate skills and
experience that should make the appropriate inquiries of management and
IT personnel and complete Voyager. The in-charge accountant should
consider accompanying the IT specialist as he or she makes inquiries and
observations to understand the IT environment. The audit team, including
the IT specialist, is responsible for understanding the entity’s IT
environment, making final decisions regarding risk and properly tailoring
the engagement program.

Performing Walkthroughs

9.88 The objectives of a walkthrough are to:
 Verify and update the understanding of internal control. For
example, an audit team may gather the information necessary to
document their understanding for a new client principally through
inquiry and observation with reference to the entity’s procedures
manuals. This understanding may be verified by walking through
one or more transactions for a transaction cycle. The audit team
performs walkthrough tests to update and verify this understanding
in a similar manner in subsequent years; however, as a matter of
efficiency, instead of first updating the understanding for any
changes and later walking through transactions, the audit team may
consider performing the walkthrough tests at the same time they
make the inquiries and observations necessary to update their
understanding.
 Verify controls are implemented. When determining whether
controls are implemented, the audit team should also consider the
effectiveness of the design of the control in preventing or detecting
errors or fraud. Identification of ineffective control procedures at this
time will help avoid performing tests of controls that do not function
well enough to justify lower control risk assessments.

9.89 Walkthroughs should be performed for processes associated with
reasonably possible risks. Walkthroughs may be performed in other areas;
however, they are not required.

9.90 When performing a walkthrough, the audit team ordinarily traces
transactions through the transaction cycle beginning with the
documentation resulting from a boundary event, such as the issuance of a
receiving report, and, while observing the operation of identified controls,
they follow the transaction through the system until it is ultimately
summarized and recorded in the client's general ledger.

9.91 When there has been a change to the system, for example, a software
upgrade, the audit team may consider selecting transactions occurring
before and after the change to walk through the system, particularly if, in
the software upgrade example, the entity does not have specific system
controls for testing new versions of software before they are implemented.

9.92 Using Voyager, the audit team documents the transactions selected for a
walkthrough, the pertinent accounting system attributes, the controls that
were observed, and describes the responses to inquiries made of client
personnel. Significant or unusual matters coming to the audit team's
attention during the walkthrough should be noted.

Using the Work of Others

9.93 The audit team should refer to management’s documentation as they build
the documentation in Voyager. Leveraging the work of others will make
the process of capturing the controls more efficient.

9.94 Certain entity-level controls present unique challenges because of their
subjective nature, for example the control environment. Determining
whether these subjective governance controls are implemented requires
judgment. Accordingly, the audit team should exercise appropriate
professional skepticism and form their own conclusions with respect to the
documentation and implementation of these controls.
Applicability to Small Entities
9.95 In many entities the number of people involved in the processes and
controls is small and owners are involved in many aspects of the day-to-
day management. The Horizon approach is the same regardless of the
size of the business. The fact that an organization does not have many
employees and may be dominated by the owner-manager does not
necessarily mean that the organization does not have effective internal
control.

9.96 In such organizations, effective internal control procedures are often
carried out by owner-managers as part of their overall direction and
management of the business. In general, the better an owner-manager
understands the purposes of financial reporting, and the greater the
attention directed to the entity’s internal control, the more likely the audit
team might find it appropriate to lower control risk assessments and
perform tests of controls. However, the audit team should consider the
possibility that the owner-manager might override controls or be "overly
involved" in control activities. For example, insistence that all
correspondence go to his or her desk first, or extensive owner-manager
involvement with basic control functions (for example, monthly bank
reconciliations or the systematic matching of receiving reports and
purchase orders with vendor invoices) might indicate potential override of
controls.

Entity-Level Controls and the Small Entity

9.97 As discussed previously, Voyager identifies five elements of governance:
control environment; monitoring (comprised of risk assessment and
monitoring risk activities); information and communication; information
technology; and financial reporting.

9.98 Small entities may implement the control environment elements differently
than larger entities. For example, small entities might not have a written
code of conduct but, instead, develop a culture that emphasizes the
importance of integrity and ethical behavior through oral communication
and by management example. Similarly, the board of directors or those
charged with governance in small entities may not include an independent
or outside member.

9.99 The basic concepts of the entity’s risk assessment process are usually
present in every entity, regardless of size, but the risk assessment
process is likely to be less formal and less structured in small entities than
in larger ones. All entities have established financial reporting objectives,
but they may be recognized implicitly rather than explicitly in small entities.
Management may be able to learn about risks related to these objectives
through direct personal involvement with employees and outside parties.

9.100 Ongoing monitoring activities of small entities are more likely to be
informal and are typically performed as a part of the overall management
of the entity’s operations. Management’s close involvement in operations
often will identify significant variances from expectations and inaccuracies
in financial data.

9.101 Communication may be less formal and easier to achieve in a small entity
than in a larger entity due to the small entity’s size and fewer levels as well
as management’s greater visibility and availability.

9.102 Information systems and related business processes relevant to financial
reporting in small entities are likely to be less formal than in larger entities,
but their role is just as significant. Small entities with active management
involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies.

9.103 The concepts underlying control procedures in small entities are likely to
be similar to those in larger entities, but the formality with which they
operate varies. An appropriate segregation of duties often appears to
present difficulties in small entities. However, even companies that have
only a few employees may be able to assign their responsibilities to
segregate those duties that are most essential to protect assets.

Very Small Entities

9.104 A “very small entity” flag is included in Voyager for entities that meet the
definition below. Selecting this flag turns off all of Voyager’s internal
control evaluation tools, which places the responsibility for evaluating
design effectiveness entirely upon the audit team. The definition of a very
small entity was adopted for the purpose of achieving consistency
throughout the GTI member firms.

Definition of a very small entity

9.105 A “very small entity” is one that employs very few people (for example,
fewer than 10 full time equivalents) in the entire organization. Very small
entities typically have only one or two distinct sources of revenue. The
number of transactions within each revenue source is small. Their
transactions lack complexity.

9.106 A very small entity is not:
 a company traded on a stock exchange
 an entity with publicly traded debt
 a transnational entity
 an entity subject to significant regulation
 an entity where the audit approach includes tests of operating
effectiveness of internal control

9.107 The entity may not be a very small entity when:
 governance includes external individuals (i.e., an audit committee
or equivalent) or
 there are one or more absentee owners
9.108 By designating an entity to be very small, the audit team assumes
additional responsibility in identifying activities-level deficiencies in internal
control. For example, for very small entities, Voyager will not identify
potential segregation of duties issues. In this situation, the audit team will
manually add this finding to Voyager’s Design Effectiveness tool, evaluate
its severity, and design an appropriate response to the risk.

9.109 Examples of very small entities include:
 a single site retail store
 an investment company that holds a few residential or commercial
real estate rental buildings

Designating a client as a very small entity

9.110 When the audit team believes that a client meets the definition of a very
small entity, they should consult with the engagement partner or the office
PSP and obtain his or her approval. Once the approval is obtained, the
audit team can choose the very small entity option.
Exhibit 9.1 – Glossary of IT Security Administration Controls
IT general controls include the following activities: security administration,
program maintenance, program execution, and new system
implementation. The security administration activity includes the following
processes:
 establish effective security environment
 manage internal user access
 manage remote and third-party access
 monitor access to IT systems

The following definitions apply to these processes and related controls
within the security administration activity.
Establish Effective Security Environment
The controls in the establish effective security environment process address the need for
management to establish security policies and procedures to protect the entity’s programs
and data. These programs and data are the source of the information used for financial
reporting. The nature and extent of these policies and procedures and the methods used to
implement them will vary with the size of the entity and its security requirements.
Policies and Management must understand and evaluate security risks, and
procedures for the develop and enforce a written policy that clearly states the
administration of standards and procedures to be followed. These policies should
security are be communicated in an effective manner such as through a staff
documented, handbook or Intranet web page.
approved and
communicated
Security policies are The effectiveness of security policies requires that they be
acknowledged and communicated periodically to all employees, who formally
documented acknowledge their understanding of (1) the importance of
periodically by all protecting the organization's information assets, (2) security
employees policies and procedures (e.g., using and protecting passwords)
and (3) the potential consequences for violation of security
policies and procedures. Periodic acknowledgement can be
documented in writing, such as in connection with the periodic
changing of passwords.
Security policies are As a condition of employment, management should require new
acknowledged and hires to read and acknowledge in writing their understanding of
documented by new security policies and procedures. (See also discussion of
employees upon hire "Security policies are acknowledged and documented periodically
by all employees.")
Personnel The security administration function is primarily responsible for
responsible for the granting, changing and revoking security access rights to
administration of company data and assets as per the security policy. As a result,
security have the individuals that perform this function require a high level of
appropriate skills and access to the various operating systems, applications, and
experience databases. This level of access is typically referred to as
“administrator rights”. Due to the capabilities of this level of
access, the number of individuals with administrator rights should
be limited to people whose duties are such that they have an
absolute need for administrator level access. The more people
that have administrator rights, the more difficult it becomes to
achieve accountability, protect data and segregate duties.
Personnel The security administration function facilitates access to
responsible for the information assets by users to perform their jobs. In addition to
administration of this operational responsibility, the security administration function
security are properly serves as a critical instrument of control. Both of these
supervised responsibilities require that the security administration function
operate in an environment that promotes objectivity and the
freedom to act in the best interests of the company without undue
influence. Accordingly, the security administration function should
be positioned within the organization to enable access to senior
levels of IT and business management. In many organizations,
the head of the security administration function is the Chief
Security Officer or reports to the Chief Security Officer. Like any
other important business function, members of the security
administration function should be properly trained and supervised
in a manner that promotes objectivity, independence of action and
effectiveness of job performance.
Commercially The variety and volume of information assets, sources of access
available software and access channels creates risks that are difficult to manage
tools are used to without the use of commercially available tools and controls.
facilitate the These tools and other technology-based controls enable the
enforcement of automated application of business rules to restrict access to
access rules and to information assets in accordance with legitimate business need
monitor access as well as to identify unauthorized access attempts and patterns
of access that required follow-up. Commercially available tools
can automate and control the process of the granting of access,
enforce the periodic changing of passwords, terminate access
rights, and other user administration activities that might
otherwise overwhelm exclusively manual processes. Certain tools
can also be configured to monitor and trace accesses to sensitive
information assets to facilitate informed actions by security
management.
Position of security administration function within the organization promotes objectivity
(See discussion of "Personnel responsible for the administration of security are properly supervised.")
Duties of security personnel do not include performing financial reporting processes or controls
Segregation of duties is one of the most important internal controls. To achieve appropriate segregation of duties, administrator rights should not be assigned to people who are involved in the financial reporting process.
Duties of security personnel do not include programming or IT management
In addition to not being involved in the financial reporting process, security personnel should not perform programming or IT management; different people should perform each of these functions. The following describes each of these functions:
• Programming: involves the development of applications for the entity.
• IT Management: typically, the duties of IT Management include the development of technology strategies, strategic business plans, and policies and standards.
Management periodically assesses IT security vulnerability
A person's responsibilities within the organization frequently change over time. Thus, management should perform periodic reviews of user profiles and assignments to groups to maintain the segregation of duties established when an employee was first set up on the system. Such a review also helps to ensure compliance with security policies. Executing this control may include a review of network operating system access, application access, and database access.
Manage Internal User Access
The controls in the manage internal user access process address the need for management
to use security techniques to protect the integrity of application program and data files that
are used in financial reporting. These procedures also enforce segregation of duties.
In any system, there are three potential ways to access data. The first is through the operating system (for example, using Windows Explorer to access files on a network). The second is through the application program (for example, accessing your bank account using Internet banking, or accessing the general ledger program that records journal entries). The third is by directly accessing the files (or the database) that contain the information (for example, with a database program like SQL Server or a utility program provided by the application vendor).
Ideally, an entity’s system will facilitate having a single set of policies and procedures that
administer access rights.
Access rights of users and IT personnel are documented and approved by appropriate members of management
The access rights of all users of information assets (e.g., business process, IT, executive management) should be defined, documented and approved by appropriate managers. For example, the access rights of an employee in the accounts payable department should be specified by his or her supervisor, who is in a position to understand and prevent potential conflicts with incompatible duties. Business process managers who are responsible for the identification and authorization of employees' access rights should not be able to directly enable those access rights in the system.
User and group profiles used to control the level of access to data
Information owners establish an individual's access rights to programs and data. Typically, this is accomplished by managing access rights at a group level and assigning individuals to a group. For example, the sales staff group has access to the sales order program and data. John Jones is a member of the sales staff group. Thus, John Jones has access to the sales order program and data.
Access rights can also be controlled with user profiles. For example, John Jones may also have responsibility to maintain the sales successes section of the company's Intranet. His user profile would allow him to have access rights to the network folder containing these files.
Controlling access is key to establishing and enforcing segregation of duties.
Computers are configured to prevent the bypassing of approved user profiles and menu restrictions
Security controls (user profiles and menu restrictions) protect the completeness and accuracy of information by managing access to the programs and/or access to the underlying data files.
Updates to user profiles and menus on the system restricted to IT security personnel
The security administration group serves as a control buffer between users and systems. Authorized user managers are responsible for specifying, documenting, and approving the access rights of users within their respective chains of command. Allowing user managers to directly enable access right decisions in the system represents a conflict.
User ID and password required to log on
A user identification (ID) provides the computer system with the name of the user. The associated password validates the user's identity claim.
User IDs required to be unique
A unique user identification (ID) is necessary to establish individual accountability.
System requires passwords to be changed periodically
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. Periodically changing passwords is one technique to control this risk. Virtually all computer operating systems and computer application programs provide administrators with the ability to make appropriate settings. Good practice is to require passwords to be changed every 30 to 60 days.
Minimum lengths established for passwords
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. The shorter the password, the easier it is for others to guess and the easier it is to be cracked by a utility program. Virtually all computer operating systems and computer application programs provide administrators with the ability to make appropriate settings. Good practice is to require passwords to be at least 6 characters in length.
Passwords hidden during system logon
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. Displaying passwords during logon is one way that this could happen. Virtually all computer operating systems and computer application programs provide the ability to hide the password during logon.
Passwords are encrypted
As with any other data, passwords are stored in a file on the computer system. Encryption scrambles the content of the file to prevent it from being read by utility programs. Most computer operating systems and application programs provide for this ability.
Users required to keep passwords confidential
An explicit policy that requires users to maintain the confidentiality of passwords sets an appropriate tone regarding accountability, segregation of duties, and protection of data. Users should avoid recording passwords on paper notes or exposing them by other such means.
Dictionaries prevent use of common words as passwords
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. The more common the password, the easier it is for others to guess and the easier it is to be cracked by a utility program. Most computer operating systems and computer application programs provide administrators with the ability to make appropriate settings to prevent the use of common words as passwords. Good practice would include using this feature.
System security enforces use of complex passwords
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. The simpler the password, the easier it is for others to guess and the easier it is to be cracked by a utility program. Most computer operating systems and computer application programs provide administrators with the ability to make appropriate settings to enforce the use of complex passwords. Rules for complex passwords vary from system to system, but frequently using this feature requires the user to include a mixture of upper and lower case characters, numbers, and special characters (such as @ or # or $ or %) when designating their passwords. Good practice would include using this feature.
System locks out users after a reasonable number of unauthorized entry attempts
There is a risk of compromising accountability, segregation of duties, and data by user passwords becoming known to others. Guessing passwords frequently involves making multiple system access attempts, either manually or by using a password cracker utility program. Risk increases in proportion to the number of unsuccessful logons that the system allows. Virtually all computer operating systems and computer application programs provide administrators with the ability to make appropriate settings. Good practice would lock out a user after 3 or so unsuccessful access attempts.
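The password controls above (periodic change, minimum length, hidden entry, protected password file, dictionary check, complexity and lockout) as a worked check. This is an added illustration, not material from the Horizon manual; the thresholds are the page's good-practice figures, the account-setting key names and the word list are assumptions, and the password file uses a salted one-way hash, the usual way of meeting the "passwords are encrypted" control.

```python
"""Password-control checks mirroring the controls above: periodic change, minimum
length, dictionary and complexity rules, a lockout threshold, and a password file
that holds no readable passwords. Added illustration; thresholds are the page's
good-practice figures, setting names and the word list are assumptions."""
import hashlib
import hmac
import os
import string
from datetime import date

MAX_PASSWORD_AGE_DAYS = 60         # "changed every 30 to 60 days": 60 is the outer limit
MIN_PASSWORD_LENGTH = 6            # "at least 6 characters in length"
MAX_FAILED_LOGONS = 3              # "lock out a user after 3 or so unsuccessful attempts"
SPECIAL_CHARACTERS = set("@#$%")   # the special characters the text gives as examples
PBKDF2_ITERATIONS = 200_000

# Constructed word list standing in for the dictionary a real system would load.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "company"}


def complexity_failures(password: str, dictionary=COMMON_WORDS) -> list:
    """Names of the rules a candidate password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("too_short")
    if not any(c.isupper() for c in password):
        failures.append("no_uppercase")
    if not any(c.islower() for c in password):
        failures.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("no_special")
    # Dictionary rule: reject the bare word and the common "word + digits/symbols" variant.
    core = password.lower().strip(string.digits + string.punctuation)
    if password.lower() in dictionary or core in dictionary:
        failures.append("dictionary_word")
    return failures


def audit_account_settings(settings: dict) -> dict:
    """Compare an exported account policy (assumed key names) with the thresholds above.
    True means the corresponding control is in place; 0 means 'never' for age and lockout."""
    age = settings.get("max_password_age_days", 0)
    lockout = settings.get("lockout_threshold", 0)
    return {
        "periodic_change": 0 < age <= MAX_PASSWORD_AGE_DAYS,
        "minimum_length": settings.get("min_password_length", 0) >= MIN_PASSWORD_LENGTH,
        "hidden_at_logon": bool(settings.get("mask_password_entry", False)),
        "dictionary_check": bool(settings.get("reject_dictionary_words", False)),
        "complexity": bool(settings.get("complexity_required", False)),
        "lockout": 0 < lockout <= MAX_FAILED_LOGONS,
    }


def password_is_stale(last_changed: str, today: str) -> bool:
    """Periodic-change control for one account, with ISO dates: overdue after 60 days."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_PASSWORD_AGE_DAYS


def store_password(password: str) -> dict:
    """Record for the password file: a random salt and a one-way hash, never the
    password itself, so a utility program that reads the file learns nothing usable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash for a logon attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```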
Hardware devices used for authentication
Controlling access with passwords has several limitations. Decreasing costs are facilitating the replacement of passwords with hardware authentication devices. An example is a fingerprint reader that authenticates by matching thumbprints. Another example is a digital hardware token (usually provided as a key chain) that is synchronized with a centralized server. The token and the server generate a 12-digit password every 20 seconds. To control costs, some entities implement these devices only for those users that access the system remotely (for example, through the Internet or by dial-up).
Digital certificates used for authentication
Because of the inherent limitations of controlling access with passwords, many entities use a second level of authentication. For example, to gain access to the system, users not only have to have a unique ID and validated password, but they also have to be using an authorized computer. One way to accomplish this objective is to place a file on the user's computer called a digital certificate. Upon logon, a server verifies the validity of the certificate before allowing access to the system. Good practice would include second level authentication, but there are associated costs. Many entities use this technique for both internal and external access, as unauthorized access to the system could be gained via the Internet or with a network connection in a meeting room.
System automatically logs off users after a period of inactivity
There is a risk of compromising accountability, segregation of duties, and data by a user accessing the system with another user's identity. The longer the system allows a session to remain idle, the greater the risk. Virtually all computer operating systems and computer application programs provide administrators with the ability to make appropriate settings. Frequently, this control is put into practice by using screen saver password settings. Good practice would require a user to log back on after 30 minutes or so of inactivity.
Access rights of terminated employees are disabled on a timely basis
People who have left the entity could potentially continue to have access to programs and data if they are not removed from the system. Common practice is to first disable the person's account, which allows time for IT people to retrieve such things as stored email. Accounts are removed at a later date.
The security administration function is automatically notified by human resources of employee terminations and work status changes that impact access rights
Automatic notification of personnel changes (e.g., terminations, department changes) promotes more timely action by the security administration function to terminate or modify employee access rights. While the access of a terminated employee can typically be removed without further input from HR or managers, automated notification of changes in employee responsibilities can alert both the security administration function and user management to define and authorize changes to access rights on a more timely basis. Manual notification is less reliable and frequently less timely than automatic notification.
The number of people with administrator rights is limited appropriately
Due to the accidental or deliberate damage that could occur with inappropriate administrator access, the number of individuals with administrator rights should be limited to only those people who have an absolute need. The more people who have access, the more difficult it is to achieve accountability, protect data integrity, and segregate duties.
Access to and use of data altering utilities are restricted, logged and approved
A common characteristic of data altering utilities (including special purpose scripts or programs) is their ability to make changes to data without creating an audit trail. Additionally, if the change process using utilities is not well controlled, errors may occur and not be detected on a timely basis. A fundamental control principle is that changes to data should be made only through the use of business application functions performed by authorized personnel. Application software typically provides an array of controls over data entry, processing and posting, including the creation of audit trails. The frequent use of data altering utilities may indicate application software problems that cannot be prevented or corrected through use of routine application functions. System utilities, such as those that can change data, are nonetheless necessary tools for the administration of systems; hence the control restricts, logs and approves their use.
Manage Remote and Third-Party Access
The controls in the manage remote and third-party access process address the need for management to use security techniques to protect the integrity of application program and data files that are used in financial reporting from remote users or outside parties.
Remote access restricted to persons who need it
A user account is an entry point into the system. The more user accounts, the more ways an unauthorized user could potentially gain system access. Restricting external access to the system to only those users that need this capability reduces the number of potential entry points, thereby reducing risk. Virtually all computer operating systems provide administrators with the ability to make appropriate settings. Good practice would include using this feature.
Users are identified and authenticated before remote access is granted
Authentication, for example through a user ID and password, establishes accountability, enforces segregation of duties, and protects data. Virtually all computer operating systems provide administrators with the ability to make appropriate settings. This practice is essential.
Hardware devices used for remote authentication
Controlling access with passwords has several limitations. Decreasing costs are facilitating the replacement of passwords with hardware authentication devices. An example is a fingerprint reader that authenticates by matching thumbprints. Another example is a digital hardware token (usually provided as a key chain) that is synchronized with a centralized server. The token and the server generate a 12-digit password every 20 seconds. To control costs, some entities implement these devices only for those users that access the system remotely (for example, through the Internet or by dial-up).
Digital certificates used for remote authentication
Because of the inherent limitations of controlling access with passwords, many entities use a second level of authentication. For example, to gain access to the system, users not only have to have a unique ID and validated password, but they also have to be using an authorized computer. One way to accomplish this objective is to place a file on the user's computer called a digital certificate. Upon logon, a centralized server verifies the validity of the certificate before allowing access to the system. Good practice would include second level authentication, but there are associated costs. Many entities use this technique for both internal and external access, as unauthorized access to the system could be gained via the Internet or with a network connection in a meeting room.
Number of access points limited
An Internet connection and a remote access phone line are examples of access points. Each access point needs to be controlled and managed. For example, each connection to the Internet requires appropriate protection with a firewall. Access threats change frequently, and firewall settings need on-going management. The more access points a network has, the more ways an unauthorized user could potentially gain system access. Controlling the number of access points allows the IT group to focus their control activities and thereby reduce the risk of unauthorized access.
Transmitted information is protected (VPN, https)
Unless control techniques are used, information that is transmitted from the network to the user via the Internet can be viewed or copied by others.
Using secure transmission mode (https in the Internet browser) is
one way to protect transmitted information. Here, data is
encrypted before leaving the network and then decrypted upon
receipt. This technique is not difficult or expensive to implement,
but the encryption does add overhead to the transmission. This
performance impact causes most entities to be selective in the
information that is transferred in secure mode.
Using a virtual private network (VPN) is another way to protect
transmitted information. Here, a combination of techniques and
protocols are used to create a virtual private tunnel through the
public Internet. Information flows through the tunnel with a very
high degree of protection. VPNs do have associated costs, but
their use is emerging as a best practice, as they provide both
increased security and speed over alternatives such as dial-up
connections.
Properly configured firewalls are used at all external access points
Digital network connections provide for multiple communication "layers", "ports", and "protocols." Each piece has a specific purpose, and without them, data communication would not occur. However, people have figured out ways to use these pieces for other, less reputable, purposes. The result is that there are dozens of ways that a person could use a single unprotected Internet connection to gain unauthorized access to the network. The technology used to protect networks and data from these threats is called a firewall. Firewalls can take many shapes and forms. They can be single purpose hardware devices, multipurpose hardware devices, dedicated servers running firewall software, or firewall software running on individual computers. IT people configure the firewall to allow specified activity and to block all other activity.
Internet security is a technical and dynamic subject. Firewall
developers have to keep pace with an increasing number of
threats, and therefore, frequently provide their customers with
updates and upgrades. An entity reduces the risk by acquiring
and implementing the upgrades.
The frequency of upgrade depends on the nature of the entity’s
Internet activity. For example, an entity where Internet activity is
restricted to web browsing needs less frequent upgrades than an
entity that has significant e-commerce activity.
Intrusion detection system used
Intrusion detection software monitors network activity and firewall logs for specific events and patterns that may indicate unauthorized access. IT people are automatically notified of suspicious events, and this allows for quick follow-up and resolution. No control system is foolproof, and intrusion detection minimizes damage if a security breach occurs.
Good practice would include using an intrusion detection system
as their use is much more effective than a human review of logs.
However, there are associated costs, and an entity must weigh
the cost of the control with the reduced risk that it provides.
Intrusion detection is a common practice in entities that have
significant e-commerce activity. As costs decrease, their use will
spread.
Periodic intrusion testing
Intrusion testing (also called penetration testing) involves trying to circumvent the entity's security controls. Intrusion testing is very technical, and the entities that use this technique usually periodically hire outside consultants.
Intrusion testing typically involves using dozens of software tools
to probe and identify potential weaknesses in firewall and server
settings. These tools identify potential weaknesses and provide
ideas for the creative tester to use to gain system access. Testing
is usually done both from outside the network to address Internet
threats and inside the network to address user threats.
Periodically performing intrusion testing provides for an evaluation
of the entity’s security controls. This review could result in
changing firewall settings, upgrades, and changes to the
network’s configuration.
Good practice would include periodic intrusion testing, as it does
provide a good test of the operating effectiveness of the security
controls. However, there are associated costs, and an entity must
weigh the cost of the testing with the reduced risk that it provides.
Intrusion testing is a common practice in entities that have
significant e-commerce activity.
Network zones protect data
Network zones or DMZs are a configuration technique designed to segment and protect the different information assets of an entity. Zones are usually created by placing servers that contain specific information assets between two different firewalls.
For example, an entity needs to send email to others via the
Internet. To accomplish this objective, they configure a server
specifically for this one function and connect it to two firewalls.
One firewall provides the needed connection to the Internet and
protects the Internet mail server from external threats. The
second firewall is placed between the Internet mail server and the
rest of the entity’s network. The Internet mail server resides in a
zone. A breach of the first firewall only exposes the mail
messages residing on the Internet mail server. The unauthorized
user has to circumvent a second firewall to gain access to other
information such as the entity’s financial data files.
Network zones are most frequently used to protect data from
external threats, but they can be used to protect data from
internal threats as well.
Good practice would include some zones. There are costs
involved, but only small entities would consider the increased
costs to be prohibitive.
Anti-virus software protects servers and workstations
Generally, Windows-based technologies (i.e., programs such as Windows Office, operating systems such as Windows NT and XP) are vulnerable to computer viruses. Clients and servers using Windows software should be protected by commercially-available anti-virus products, such as those marketed by McAfee and Norton. The administration of anti-virus software should include periodic updating of virus definitions and related protections made available by anti-virus product vendors. When used in connection with other control techniques, such as network filters and firewalls, anti-virus software can be effective in the prevention of data and software corruption that can impair the integrity of financial reporting.
Monitor Access to IT Systems
The controls in the monitor access to IT systems process address the need for management to monitor access rights and the activities of users.
User and IT personnel access rights are periodically reviewed and approved by management
Periodic review of employee access rights complements those controls that are designed to define and authorize employees' access rights at the time they are hired, terminated, or change job responsibilities. Periodic management review and confirmation of the appropriateness of each employee's access rights also provides opportunities to evaluate the effectiveness of ongoing controls to keep employees' access rights in sync with their employment and job responsibility status.
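The group- and profile-based access model from the manage internal user access section (the sales staff group and John Jones's Intranet folder), its segregation-of-duties rules, the terminated-employee and limited-administrator controls, and the periodic review described here, carried out over a constructed user population. This is an added example, not the manual's own material; every group, right and user name in it is assumed.

```python
"""Periodic access review built on the controls above: rights administered at group
level plus individual profile rights, checked for segregation-of-duties conflicts,
terminated employees whose accounts are still enabled, and an over-large administrator
population. Added illustration; every group, right and user name here is constructed."""
from dataclasses import dataclass, field

# Group-level administration of rights (the text's "sales staff group" example).
GROUP_RIGHTS = {
    "sales_staff": {"sales_order_program", "sales_order_data"},
    "accounts_payable": {"ap_program", "ap_data"},
    "general_ledger": {"gl_program", "post_journal_entries"},
    "security_admin": {"administrator", "enable_access_rights"},
    "programmers": {"application_development"},
    "it_management": {"it_strategy_and_standards"},
}

# Pairs of rights one person should not hold together, from the SoD controls above.
SOD_CONFLICTS = [
    ("administrator", "post_journal_entries"),                  # security vs financial reporting
    ("administrator", "ap_program"),
    ("approve_access_rights", "enable_access_rights"),          # manager authorizes, security enables
    ("application_development", "it_strategy_and_standards"),  # programming vs IT management
]
MAX_ADMINISTRATORS = 2   # assumed limit set by this constructed entity's management


@dataclass
class User:
    user_id: str
    groups: set
    profile_rights: set = field(default_factory=set)   # individual rights, e.g. an Intranet folder
    enabled: bool = True


def effective_rights(user: User) -> set:
    """Everything the account can reach: group rights plus the individual profile."""
    rights = set(user.profile_rights)
    for group in user.groups:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def sod_violations(user: User) -> list:
    """Conflicting right pairs held by this one account."""
    rights = effective_rights(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in rights and pair[1] in rights]


def access_review(users: list, terminated_ids: set) -> dict:
    """Findings for management's periodic review and sign-off."""
    findings = {"terminated_still_enabled": [], "sod_conflicts": {}, "administrators": []}
    for user in users:
        if user.enabled and user.user_id in terminated_ids:
            findings["terminated_still_enabled"].append(user.user_id)
        conflicts = sod_violations(user)
        if conflicts:
            findings["sod_conflicts"][user.user_id] = conflicts
        if user.enabled and "administrator" in effective_rights(user):
            findings["administrators"].append(user.user_id)
    findings["too_many_administrators"] = len(findings["administrators"]) > MAX_ADMINISTRATORS
    return findings


# Constructed population under review; the termination list comes from the HR feed.
USERS = [
    User("jjones", {"sales_staff"}, {"intranet_sales_folder"}),
    User("mlee", {"accounts_payable", "security_admin"}),            # admin + AP: conflict
    User("bmgr", {"accounts_payable"}, {"approve_access_rights", "enable_access_rights"}),
    User("rdiaz", {"programmers", "it_management"}),                 # programming + IT mgmt
    User("tbrown", {"sales_staff"}),                                 # left, never disabled
    User("sadmin1", {"security_admin"}),
    User("sadmin2", {"security_admin"}),
]
HR_TERMINATED = {"tbrown"}

if __name__ == "__main__":
    for finding, detail in access_review(USERS, HR_TERMINATED).items():
        print(finding, detail)
```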
Unauthorized access attempts are logged, investigated and follow-up actions documented
Employees and third parties may attempt to access information assets for which they are not authorized. Unsuccessful attempts may represent innocent mistakes (e.g., the user has forgotten his or her password), or they may represent malicious efforts by unauthorized personnel. Commercially-available tools are used by security administration groups to identify and report unsuccessful attempts that by their nature or frequency require follow-up. Tools used to monitor access can be configured to alert security administration personnel according to business rules that are defined by management (e.g., number of unsuccessful accesses within a defined period of time, any attempted access to particularly sensitive information assets). Access attempts and other defined access patterns should be reported and followed up, with their disposition documented.
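The two business rules named above (a number of unsuccessful accesses within a defined period of time, and any attempted access to particularly sensitive information assets), applied to a constructed log excerpt, with each alert carrying a disposition field for the documented follow-up. This is an added example, not from the manual; the log format, the 15-minute window and the sensitive-asset list are assumptions.

```python
"""Monitoring of unauthorized access attempts as described above: unsuccessful logons
are counted per user within a defined period, a run that reaches the lockout threshold
raises an alert, any attempt against a particularly sensitive asset raises an alert, and
each alert carries a disposition field to be completed during follow-up. Added
illustration; the log format and the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 3          # "3 or so unsuccessful access attempts"
WINDOW = timedelta(minutes=15)      # assumed "defined period of time" for the business rule
SENSITIVE_ASSETS = {"payroll_db", "gl_master"}   # assumed list supplied by management

# Constructed log excerpt: timestamp, event, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGON_FAILURE user=jjones src=10.0.0.5
2024-03-04T08:01:40 LOGON_FAILURE user=jjones src=10.0.0.5
2024-03-04T08:02:05 LOGON_SUCCESS user=mlee src=10.0.0.9
2024-03-04T08:02:30 LOGON_FAILURE user=jjones src=10.0.0.5
2024-03-04T08:30:00 LOGON_FAILURE user=pkim src=10.0.0.7
2024-03-04T08:55:10 LOGON_FAILURE user=pkim src=10.0.0.7
2024-03-04T09:10:00 ACCESS_DENIED user=rdiaz asset=payroll_db src=10.0.0.12
2024-03-04T09:12:00 ACCESS_GRANTED user=ctaylor asset=sales_order_data src=10.0.0.20
"""


def parse_line(line: str) -> dict:
    """One log line into a dict with a datetime under 'time' and the event under 'event'."""
    stamp, event, *fields = line.split()
    record = {"time": datetime.fromisoformat(stamp), "event": event}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def review_access_log(text: str) -> list:
    """Apply the two business rules and return the alerts that need follow-up."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent unsuccessful logons
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "LOGON_FAILURE":
            # Keep only failures inside the window, then add this one.
            recent = [t for t in failures[rec["user"]] if rec["time"] - t <= WINDOW]
            recent.append(rec["time"])
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.append({"rule": "repeated_failed_logons", "user": rec["user"],
                               "count": len(recent), "at": rec["time"].isoformat(),
                               "disposition": None})   # documented during follow-up
                recent = []                            # account is locked out; start over
            failures[rec["user"]] = recent
        if rec.get("asset") in SENSITIVE_ASSETS:       # granted or denied, both are reported
            alerts.append({"rule": "sensitive_asset_access", "user": rec["user"],
                           "asset": rec["asset"], "outcome": rec["event"],
                           "at": rec["time"].isoformat(), "disposition": None})
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(alert)
```

The two pkim failures are 25 minutes apart, so they never reach the threshold inside the window, while the three jjones failures within two minutes do.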