
Evaluation of Internal Controls

COSO defines internal control as “a process, influenced by an entity’s board of directors,
management, and other personnel, that is designed to provide reasonable assurance of the
effectiveness and efficiency of operations, the reliability of financial reporting, and
compliance with applicable laws and regulations”. The auditor evaluates the organization’s
control structure by understanding the organization’s five interrelated control components.
They include:

1. Control Environment – Provides the foundation for the other components and
encompasses such factors as management’s philosophy and operating style.
2. Risk Assessment – Consists of risk identification and analysis.
3. Control Activities – Consists of the policies and procedures that ensure employees
carry out management’s directions. Types of control activities an organization must
implement are preventative controls (controls intended to stop an error from
occurring), detective controls (controls intended to detect if an error has occurred),
and mitigating controls (control activities that can mitigate the risks associated with a
key control not operating effectively).
4. Information and Communication – Ensures the organization obtains pertinent
information, and then communicates it throughout the organization.
5. Monitoring – Reviewing the output generated by control activities and conducting
special evaluations.

In addition to understanding the organization’s control components, the auditor must also
evaluate the organization’s General and Application controls. There are three audit risk
components: control risk, detection risk and inherent risk.

General Controls

General controls relate to the overall information-processing environment and have a large
effect on the organization’s computer operations. Types of general controls include:

• Organizational Controls – includes segregation of duties controls.
• Data Center and Network Operations Controls – ensures the proper entry of data into
an application system and proper oversight of error correction.
• Hardware & Software Acquisition and Maintenance Controls – includes controls to
compare data for accuracy when it is input twice by two separate components.
• Access Security Controls – ensures the physical protection of computer equipment,
software, and data, and is concerned with the loss of assets and information through
theft or unauthorized use.
• Application System Acquisition, Development, and Maintenance Controls – ensures
the reliability of information processing.
• Managerial Controls – ensures that there is no unauthorised access to IT assets.

Application Controls

Application controls apply to the processing of individual accounting applications and help
ensure the completeness and accuracy of transaction processing, authorization, and validity.
Types of application controls include:

• Data Capture Controls – ensures that all transactions are recorded in the application
system, transactions are recorded only once, and rejected transactions are identified,
controlled, corrected, and reentered into the system.
• Data Validation Controls – ensures that all transactions are properly valued.
• Processing Controls – ensures the proper processing of transactions.
• Output Controls – ensures that computer output is not distributed or displayed to
unauthorized users.
• Error Controls – ensures that errors are corrected and resubmitted to the application
system at the correct point in processing.
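The data capture, validation, processing and error controls listed above can be seen working together in a small batch-input routine. This is an added example, not code from the original page: the batch records, the batch control totals and the validation rules are all constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
class CaptureLedger:
    """Toy application-control layer for one accounting application (added example)."""
    def __init__(self, expected_count, expected_total):
        self.expected_count = expected_count            # batch control totals that came
        self.expected_total = Decimal(expected_total)   # with the input (constructed)
        self.accepted = {}    # id -> record; each transaction is recorded once only
        self.error_log = []   # (id, reason) entries awaiting correction and reentry
    @staticmethod
    def validate(rec):
        """Data validation control: reason the record is invalid, or None."""
        if not rec.get("account"):
            return "missing account"
        try:
            amount = Decimal(rec["amount"])
        except (InvalidOperation, KeyError, TypeError):
            return "non-numeric amount"
        return None if amount > 0 else "amount must be positive"

    def enter(self, rec):
        """Data capture control: accept once; log duplicates and invalid records."""
        reason = "duplicate transaction" if rec["id"] in self.accepted else self.validate(rec)
        if reason is not None:
            self.error_log.append((rec["id"], reason))
            return False
        self.accepted[rec["id"]] = rec
        return True
    def outstanding(self):
        """Error control: rejected ids not yet corrected and successfully reentered."""
        return sorted({i for i, _ in self.error_log} - set(self.accepted))
    def reconcile(self):
        """Processing control: accepted count and total must equal the batch totals."""
        total = sum((Decimal(r["amount"]) for r in self.accepted.values()), Decimal(0))
        return len(self.accepted) == self.expected_count and total == self.expected_total

# Constructed batch: a negative amount, a duplicate id and a missing account.
BATCH = [{"id": "T001", "account": "4010", "amount": "125.00"},
         {"id": "T002", "account": "4010", "amount": "-50.00"},
         {"id": "T001", "account": "4010", "amount": "125.00"},
         {"id": "T003", "account": "", "amount": "80.00"}]

def run_batch():
    ledger = CaptureLedger(expected_count=3, expected_total="255.00")
    for rec in BATCH:
        ledger.enter(rec)
    first_pass = ledger.reconcile()   # False: the two rejects leave the batch short
    ledger.enter({"id": "T002", "account": "4010", "amount": "50.00"})  # corrected and
    ledger.enter({"id": "T003", "account": "4020", "amount": "80.00"})  # reentered
    return ledger, first_pass, ledger.reconcile()
```

The corrected records re-enter through the same `enter` check as the original input, which is the "correct point in processing" the error control requires; a second copy of an accepted id is still rejected.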

Application controls may be compromised by the following application risks:

• Weak security
• Unauthorized access to data and unauthorized remote access
• Inaccurate information and erroneous or falsified data input
• Misuse by authorized end users
• Incomplete processing and/or duplicate transactions
• Untimely processing
• Communication system failure
• Inadequate training and support

Tests of Controls

Tests of controls are audit procedures performed to evaluate the effectiveness of either the
design or the operation of an internal control. Tests of controls directed toward the design of
the control focus on evaluating whether the control is suitably designed to prevent material
weaknesses. Tests of controls directed toward the operation of the control focus on
assessing how the control was applied, the consistency with which it was applied, and who
applied it. In addition to inquiring with appropriate personnel and observing the
application of the control, an IT auditor’s main focus when testing the controls is to
reperform the application of the control themselves.

Audit Procedures

Audit Sampling

Audit sampling is the application of an audit procedure to less than 100% of the population to
enable the IT auditor to evaluate audit evidence within a class of transactions for the purpose
of forming a conclusion concerning the population. When designing the size and structure of
an audit sample, the IT auditor should consider the audit objectives determined when
planning the audit, the nature of the population, and the sampling and selection methods.

Selecting the Sample

The auditor should select the sample items in such a way that they are representative of the
population. The most commonly used sampling selection methods are:

• Statistical Sampling Methods
o Random Sampling – ensures that all combinations of sampling units in the
population have an equal chance of selection.
o Systematic Sampling – involves selecting sampling units using a fixed interval
between selections with the first interval having a random start.
• Non-Statistical Sampling Methods
o Haphazard Sampling – the auditor selects the sample without following a
structured technique.
o Judgmental Sampling – the auditor places a bias on the sample. For example,
selecting only sampling units over a certain value.
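The three structured selection methods above, applied to a constructed population of payment transactions, as an added example that is not part of the original page. Haphazard sampling is deliberately left out, since by definition it follows no technique that could be coded; the population, sizes and threshold are assumptions made for the illustration.

```python
import random

# Constructed population of 40 payment transactions (assumed sample data).
POPULATION = [{"id": f"P{i:03d}", "amount": 20 + (i * 37) % 500} for i in range(1, 41)]

def _check_size(population, n):
    if not 0 < n <= len(population):
        raise ValueError("sample size must be between 1 and the population size")

def random_sample(population, n, seed=None):
    """Random sampling: every combination of n units has the same chance of selection."""
    _check_size(population, n)
    return random.Random(seed).sample(population, n)

def systematic_sample(population, n, seed=None):
    """Systematic sampling: fixed interval between picks, random start in the first interval."""
    _check_size(population, n)
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)   # random start within [0, interval)
    return [population[start + k * interval] for k in range(n)]

def judgmental_sample(population, threshold):
    """Judgmental sampling: deliberately biased, here only units over a given value."""
    return [unit for unit in population if unit["amount"] > threshold]

def covers_population(sample, population):
    """Working-paper check: sample units are distinct and all drawn from the population."""
    ids = [unit["id"] for unit in sample]
    pool = {unit["id"] for unit in population}
    return len(ids) == len(set(ids)) and set(ids) <= pool
```

Passing a fixed `seed` makes the random and systematic selections reproducible, which is what lets a reviewer re-perform the selection from the auditor's working papers.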

The selection of the sample size is affected by the level of sampling risk that the IT auditor is
willing to accept. Sampling risk is the risk the auditor’s conclusion may be different from the
conclusion that would be not be reached
