COSO defines internal control as, “a process, influenced by an entity’s board of directors,
management, and other personnel, that is designed to provide reasonable assurance in the
effectiveness and efficiency of operations, reliability of financial reporting, and the
compliance of applicable laws and regulations”. The auditor evaluates the organization’s
control structure by understanding the organization’s five interrelated control components.
They include:
In addition to understanding the organization’s control components, the auditor must also
evaluate the organization’s General and Application controls. There are three audit risk
components: control risk, detection risk and inherent risk.
General controls relate to the overall information-processing environment and have a large
effect on the organization’s computer operations. Types of general controls include:
Application controls apply to the processing of individual accounting applications and help
ensure the completeness and accuracy of transaction processing, authorization, and validity.
Types of application controls include:
Data Capture Controls – ensure that all transactions are recorded in the application
system, transactions are recorded only once, and rejected transactions are identified,
controlled, corrected, and reentered into the system.
Data Validation Controls – ensure that all transactions are properly valued.
Processing Controls – ensure the proper processing of transactions.
Output Controls – ensure that computer output is not distributed or displayed to
unauthorized users.
Error Controls – ensure that errors are corrected and resubmitted to the application
system at the correct point in processing.
Weak security
Unauthorized access to data and unauthorized remote access
Inaccurate information and erroneous or falsified data input
Misuse by authorized end users
Incomplete processing and/or duplicate transactions
Untimely processing
Communication system failure
Inadequate training and support
Tests of controls are audit procedures performed to evaluate the effectiveness of either the
design or the operation of an internal control. Tests of controls directed toward the design of
the control focus on evaluating whether the control is suitably designed to prevent material
weaknesses. Tests of controls directed toward the operation of the control focus on
assessing how the control was applied, the consistency with which it was applied, and who
applied it. In addition to inquiring with appropriate personnel and observing the
application of the control, an IT auditor’s main focus when testing the controls is to
reperform the application of the control themselves.
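Reperformance can be applied directly to the Data Capture Controls listed earlier: the auditor recomputes, from independent logs, whether every transaction was recorded, recorded only once, and whether each reject was reentered. The Python below is an added example, not part of the original document; the log layout, transaction ids and function name are assumptions, and the sample batch is constructed.

```python
from collections import Counter

def reperform_data_capture(submitted, posted, rejected):
    """Independently recompute the data capture checks for one batch.

    submitted: transaction ids sent to the application (source documents)
    posted:    transaction ids the application recorded
    rejected:  dict of rejected id -> id under which it was reentered, or None
    (This three-log layout is an assumption made for the example.)
    """
    posted_counts = Counter(posted)
    posted_set = set(posted_counts)

    # Recorded only once: any id posted more than once is an exception.
    duplicates = sorted(t for t, n in posted_counts.items() if n > 1)

    # Rejects must be corrected and reentered: the reentry id must be posted.
    unresolved = sorted(
        t for t, reentry in rejected.items()
        if reentry is None or reentry not in posted_set
    )

    # All transactions recorded: each submitted id is posted or is a logged reject.
    missing = sorted(
        t for t in submitted if t not in posted_set and t not in rejected
    )

    # Posted ids with neither a source document nor a reject reentry behind them.
    reentries = {r for r in rejected.values() if r}
    unsupported = sorted(posted_set - set(submitted) - reentries)

    return {"missing": missing, "duplicates": duplicates,
            "unresolved_rejects": unresolved, "unsupported": unsupported}

# Constructed sample batch (not real data).
SUBMITTED = ["T1001", "T1002", "T1003", "T1004", "T1005", "T1006"]
POSTED = ["T1001", "T1002", "T1002", "T1003R", "T1006", "T9999"]
REJECTED = {"T1003": "T1003R", "T1004": None}

if __name__ == "__main__":
    result = reperform_data_capture(SUBMITTED, POSTED, REJECTED)
    for check, ids in result.items():
        print(f"{check}: {ids or 'no exceptions'}")
```

Any non-empty list is an exception to compare against what the application's own control reports showed for the same batch.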
The auditor should select the sample items in such a way that they are representative of the
population. The most commonly used sampling selection methods are:
The selection of the sample size is affected by the level of sampling risk that the IT auditor is
willing to accept. Sampling risk is the risk that the auditor’s conclusion may be different from the
conclusion that would be reached