Part 1 CMA – Section C: Management Controls
HOCK international - 2004

Card 1: What Is the Definition of Internal Control?

Statement of Management Accounting Standard 2 defines internal control as:

“The whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets and ensure as far as possible the completeness and accuracy of the records.”

As a result of the above definition, internal controls should provide reasonable assurance that the entity can achieve its objectives, which are:

• The effectiveness and efficiency of operations,
• The reliability of financial reporting, and
• Compliance with applicable laws and regulations.

Card 2: What Are the Benefits of Internal Control?

Internal controls are an important part of a company’s overall operations. A strong internal control system will provide many benefits to the company. Among these are:

• Lower audit costs.
• Better control over the assets of the company.
• Reliable information for use in decision-making.

A company with weak internal controls is putting itself at risk for employee theft, loss of control over the information relating to operations and other damaging inefficiencies to the business. Just because a company does not have strong internal controls does not mean that it will suffer from fraud or embezzlement, but the chances are increased.

Card 3: How Does the AICPA Define Internal Control?

Audits that are done in accordance with the Generally Accepted Auditing Standards (GAAS) require the auditor to obtain an understanding of the client’s internal control system. From this understanding, the auditor will determine the nature, timing and extent of audit procedures. This requirement is reflected in the second standard of fieldwork under GAAS:

“A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing and extent of tests to be performed.”

The controls that an external auditor is interested in are those related to the financial statements and the risk of a material misstatement of them. As a result of this, some, if not many, of the internal controls that a company has will not be of interest to the external auditor. However, these controls may be very important, and will therefore be reviewed by the internal auditor.

Card 4: What Are the Components of Internal Control?

There are five components to the internal control system of a company, which are:

1) Control Activities.
2) Risk Assessment.
3) Information and Communication.
4) Monitoring.
5) The Control Environment.

A useful mnemonic for memorizing the above is CRIME.
Card 5: What Are Control Activities?

The control activities are the policies and procedures that ensure management directives are carried out, such as:

• Performance reviews (e.g., compare actual results with budgets).
• Information processing controls.
• Physical controls (e.g., physical security of assets and records).
• Segregation of duties. This activity is the main underlying idea of internal controls. The duties of Authorizing a transaction, Recording the transaction, keeping physical Custody of the related asset, and the periodic Reconciliation of the existing assets to the recorded amounts for those assets must be done by different people.

Card 6: What Are the Explanations of the Components of Internal Control – Other than Activities?

Risk assessment relates to the company’s ability to identify, analyze and manage its own risks. This includes both internal and external factors that may negatively affect the company’s ability to generate the financial

Information and communication relate to the ability of the company to identify, record and exchange information in a timely manner that enables people to carry out their responsibilities.

Monitoring is the ongoing review of the effectiveness of internal controls.

Control environment is the tone and atmosphere within the organization in regard to internal controls. It includes the philosophy of management, the structure of the organization, the board of directors and audit committee (if there is one), the integrity and values of the company and the employees, including their goals, objectives, policies and procedures.

Card 7: How Does the Institute of Internal Auditors (IIA) Define Internal Control?

To the IIA, internal controls are the basis of internal auditing and therefore the controls extend beyond the scope of the financial statements:

“The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organization’s system of internal control and the quality of performance in carrying out assigned

According to the IIA, there are five primary objectives of internal controls:

1) Compliance with policies and plans.
2) Accomplishment of objectives and goals.
3) Reliability and integrity of information.
4) Economical and efficient use of resources.
5) Safeguarding of assets.

A useful mnemonic for memorizing the above is CARES.

Card 8: What Are the Limitations of Internal Controls?

No matter how good an internal control system is, it is NOT possible for it to detect and prevent every misstatement or fraud. This is because humans are involved, and there is an inherent weakness in humans in that we sometimes make mistakes or simply forget to do something.

In addition, collusion (the working together of more than one person to get around the controls) can prevent controls from working as intended and needed.

There are also limits as to the types of controls that will be placed into operation, because the cost of the control must be less than the benefit that is expected to be gained from the control.

Because of these limitations on their effectiveness, internal controls provide reasonable assurance (but not absolute assurance) that the entity will be able to achieve its objectives.
Card 9: What Are the Different Classifications of Internal Controls?

Control activities can be:

1) Preventive, to avoid the occurrence of an unwanted event;
2) Detective, to detect the occurrence of an unwanted event;
3) Directive, to ensure the occurrence of a desirable event;
4) Corrective, to correct an occurrence of an undesirable event; or
5) Compensating, to compensate for what appears to be a weakness in controls.

SIAS 1 states that the main responsibility for internal control falls on management, especially the functions of planning, organizing and directing.

Card 10: What Is Flowcharting?

Flowcharting helps understanding of the internal controls of a company. A flowchart also enables the auditor to identify areas where internal controls are required and necessary for the company.

The main elements that are shown in a flowchart are:

• Data sources (where the information comes from).
• Data destinations (where the information goes).
• Data flows (how the data gets there).
• Transformation processes (what happens to the data).
• Data storage (how the data is stored for the long term).

Flowcharts can be used for developing information systems as well.

Card 11: What Is the Foreign Corrupt Practices Act (FCPA)?

The Foreign Corrupt Practices Act (FCPA) was established in 1977 to prevent companies from making secret payments that are contrary to public policy. This act makes it illegal to offer or authorize corrupt political payments (bribes) to any foreign official, foreign party chief or official, or candidate for political office.

A corrupt payment is one that intends to cause the recipient to act in a certain way or to refrain from acting in a certain way.

A promise of a bribe is also considered to be illegal under this act.

The responsibility to ensure that all payments are acceptable is given to the company as a whole and not to any individual or position.

The company must ensure that all transactions are in accordance with management’s general or specific authorization, and that they are recorded properly.

Card 12: What Are the Different Types of Flowcharts?

There are two main types of flowcharts: horizontal and vertical.

Horizontal (systems) flowcharts document the manual processes as well as the computer processes and the input, output and processing steps in columnar format, with areas of responsibility/departments/functions arranged horizontally. This type of flowchart will more easily show the segregation of duties.

A program flowchart shows specific steps and their order in a software program.

A vertical flowchart is similar to a horizontal one, but it presents the steps in a sequential manner from top to bottom. This type of flowchart is not used much now, as it does not show the system as clearly.

There are a number of special symbols to depict specific operations, documents, states and items in a chart, which aid comprehension of the whole system.
Card 13: What Does the Private Securities Litigation Reform Act (PSLRA) of 1995 Require?

The PSLRA includes provisions about auditor requirements for fraud detection and disclosure. It states that audits should provide reasonable assurance of detecting illegal acts that have a direct and material effect on the financial statements, and that audits must be designed to identify material related party transactions. Also, audits must evaluate the ability of the entity to remain a going concern.

Any illegal acts (unless obviously immaterial) uncovered by the auditors must be reported to the audit committee and the appropriate level of management. If management fails to take appropriate action, the board of directors must notify the SEC within one business day. If the board fails to notify the SEC, the auditor must notify the SEC.

Card 14: What Is the Treadway Report?

The Treadway Report was the result of accusations of widespread financial reporting fraud by public companies. The objectives of the commission were to: consider the causes and effects of fraudulent reporting and how to prevent and detect it; examine the role of the internal and external auditor in preventing and detecting fraud; and identify causes that contribute to fraudulent reporting.

As a result of its work, the commission drafted a report with recommendations for public companies, independent public accountants, the SEC and education.

The director of the internal audit function should have unlimited and direct access to the audit committee and CEO. This involvement of the internal auditors in the dealings of upper management gives them a better perspective for doing their work. The internal auditors should coordinate their work with the external auditors and also do things to enhance the objectivity of the internal audit function.

Card 15: How Is Fraud Considered in a Financial Statement Audit?

Fraud is different from an error in that fraud is an intentional misstatement, while an error is unintentional. The two main types of fraud are:

• Misstatements arising from fraudulent financial reporting that are made to mislead users. This includes omission of information from the financial statements and a misapplication of accounting principles.
• Misstatements arising from the misappropriation of assets (stealing). This includes theft, embezzlement and any action that causes the company to expend cash for things that are not received by the company.

The risk of misstatement due to fraud needs to be specifically considered in the planning of the audit. If fraud is found, it is generally not the auditor’s duty to report this outside of the organization, but in some cases he/she needs to report this event to the SEC, a predecessor auditor, a court or the government.

Card 16: What Is Audit Risk and How Is It Assessed?

Audit risk (AR) is the risk that an auditor will give an unqualified opinion (meaning that everything is fine) when in reality there are one or more material misstatements. The risk of a material misstatement is calculated by the multiplication of three other risk factors, which are:

• Inherent risk (IR) – This is the risk that is natural in an element of the financial statements, assuming that there are no controls.
• Control risk (CR) – This is the risk that an internal control will NOT prevent or detect a material misstatement in a timely manner. CR is assessed either quantitatively (1% - 100%) or qualitatively (minimum - maximum).
• Detection risk (DR) – This is the risk that an auditor will not detect a material misstatement in the financial statements through audit testing.

Audit risk is calculated as follows: AR = IR * CR * DR
Card 17: What Are the Nature and Objectives of Internal Auditing?

In the U.S., the Institute of Internal Auditors (IIA) is the professional organization, and the Certified Internal Auditor (CIA) exams lead to the professional CIA license. The IIA has defined internal auditing as:

“an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The internal audit function should encompass every part of the organization’s operations, and to this end it should have unlimited access to the company’s documents, records or properties. The primary objective of the internal audit is to help the employees of the organization to perform their jobs and duties effectively, and also to help ensure that the organization’s goals are achieved.

Card 18: What Are the Areas in Which Internal Auditors Assist Management?

Some of the areas in which internal auditors assist management are:

• Providing a reasonable control over the day-to-day operations.
• Assuring the adequacy and effectiveness of the accounting, financial and operational controls.
• Evaluating the quality of performance.
• Determining compliance with policies, plans, procedures, laws, regulations and contracts. Determining economical and efficient use of resources.
• Assessing risk and coordinating the activities of the external auditor.
• Safeguarding assets and preventing and detecting fraud.
• Ensuring reliability and integrity of information.

Card 19: What Is Organizational Independence and Objectivity of the Internal Audit Function?

For the internal audit department to be independent it must have the necessary authority and freedom to carry out its activities. The internal audit function should report to the board of directors or top management. In any case, it needs to be above the level of the people or departments that are audited. Also, it needs to be supported at a high level so that those who are audited will cooperate, because this is important to the organization as a whole.

The internal audit department must have organizational independence; that is, the internal audit function should not have any direct relationships with the various departments that it audits. The internal auditors should also be objective. This means that they act as if they are independent (like the external auditor), even if they are in fact not independent (they cannot be independent in the same sense as the external auditor because they are employees of the firm).

Card 20: What Is the Internal Audit Charter?

There should be a formal, written charter that defines the purpose of the internal audit department, its authority and its responsibility. Specifically, this charter should:

• Establish the position of internal audit within the organization.
• Define the scope of the internal audit activities.
• Authorize the access of internal auditors to the records, personnel and properties that are relevant to the work being performed.

The existence of the charter will help establish the internal audit department by demonstrating the commitment of top management to the function. It will also establish its role, authority and responsibility in the company.
Card 21: What Authority and Responsibilities Do Internal Auditors Have?

The authority and responsibilities of internal auditors include the review and appraisal of policies, procedures, plans and records for the purpose of informing and advising management.

Internal auditors do not have any authority or responsibility over operating activities, so as to not impair their independence and objectivity in these areas.

It is important that internal auditors remain detached from the items they are auditing or reviewing so that they can carry out their duties to management. Therefore, after joining internal audit, a person should not audit the area he/she came from for a reasonable amount of time (one year). The responsibility of internal audit ends with making recommendations. It is the responsibility of the board or management to implement the recommendations brought to them by the internal auditors.

Card 22: What Is the Role of Internal Audit in the Detection and Prevention of Fraud?

The internal auditor is responsible for examining the controls that are in place to determine if they are adequate to prevent or detect fraud. Although the internal auditor is responsible for examining for fraud, he or she is NOT responsible for preventing fraud. Because people may work together to get around the system and the controls in the system, it is impossible for any one person to guarantee that there is not and will not be fraud.

If fraud is suspected, the internal auditor should notify the appropriate level within the organization (this level is always at least one level above where the fraud is suspected). Usually, the investigation is carried out by people other than the internal auditor, so the internal auditor should generally avoid any contact with the suspected individuals to prevent the suspect from bringing a legal case of libel or slander (spreading false and damaging information) against the internal auditor.

Card 23: What Are the Main Points of the IIA’s Pronouncement on Fraud?

The IIA issued a pronouncement about fraud entitled Deterrence, Detection, Investigation and Reporting of Fraud. The main points of this pronouncement are:

• The deterrence of fraud is the responsibility of management.
• Internal auditors have to have sufficient knowledge to identify the indicators that fraud may have occurred.
• If control weaknesses are detected, additional tests should be performed to identify other factors of fraud that are present.
• Audit procedures alone will not guarantee that fraud is detected.
• A fraud that is found needs to be reported.

Card 24: What Is the Audit Committee?

The audit committee is a subcommittee of the board of directors, preferably made up of outside directors. The duties of the audit committee include:

• Serving as an intermediary between management and the external auditor.
• Selecting an external auditor and reviewing the audit fee and engagement letter.
• Inviting communication with the external auditor regarding major problems discovered during the audit.
• Reviewing the external auditor’s overall audit plan.
• Reviewing interim and annual financial statements.
• Reviewing the results of internal and external audits.
• Reviewing the work of the internal auditors and evaluations of internal control.
Card 25: What Role Do Tests Play as Part of the Audit?

The tests that are performed as part of the audit should provide the auditor with sufficient, competent, relevant and useful evidence in order to reach a conclusion about the operations under audit. Evidence can come from both inside the organization and outside the organization, as well as from the direct observation or experience of the auditor. The auditor is the best source of information, followed by information that is obtained from outside the organization. Information from within the organization is the least persuasive evidence.

Evidence that is only circumstantial is not very good, because by definition circumstantial evidence simply indicates that maybe something occurred.

Corroborative evidence is evidence that supports something else – either other evidence or a statement that has been made by someone.

Card 26: What Are the Purposes and Functions of the Internal Audit Program?

Audit programs are required as part of the planning for each audit engagement or project. This program will detail the work to accomplish, how it will be done, what will be done and, as with an external audit program, it will facilitate the supervision and review of the work.

The extent of the audit program depends upon the scope and extent of the work to be performed. The larger the project, the more detailed the program. This scope of the project is determined in the first step in the planning process – establishing the audit objectives and scope of the work. The objectives are the goals of the audit and the procedures are the detailed steps that will be carried out in order to reach those objectives.

After an initial survey of the task at hand, an audit program is prepared. The work can actually start only after the program is prepared. This must be the case, since it is the program that informs the auditors what to do.

Card 27: What Are the Characteristics of Evidence?

Evidence should have the following characteristics:

• Sufficient – meaning that there is enough information to support the conclusions that were drawn and that another auditor would also believe that there is enough evidence.
• Competent – meaning that the information is reliable and the best available given the means used.
• Relevant – meaning that the information supports the findings and is consistent with the audit objectives.
• Useful – meaning that it is helping the organization meet its goals.

Card 28: What Is Operational Auditing?

An operational audit (OA) is a thorough examination of a department or division with the purpose of appraising managerial organization, performance and techniques. It attempts to determine which organizational objectives have been met and provides management with a control technique to evaluate the effectiveness of the procedures and controls. As part of an operational audit, recommendations will be made regarding how to improve the process or operation.

The report from an OA will go first to the manager of that department.

The focus of an operational audit is on the three Es – efficiency, effectiveness and economy. In order to assess these items, a standard level of behavior or output, or something that is to be achieved, is compared to the results of the operations. The report that is delivered at the end of the audit consists mostly of specific problems that exist and/or emphasizes the lack of problems.
Card 29: What Are the Main Techniques of Operational Auditing?

The main techniques for the auditor are financial analysis, the observation of departmental activities and questionnaire interviews of employees.

Part of the audit process includes reviews of control loops in an organization. A control loop consists of the:

• Setting of standards,
• Measuring of performance,
• Examining and analyzing of deviations,
• Taking of corrective action, and
• Reappraising of the standards based on experience.

In order to have a successfully functioning control loop we will need to plan, organize and monitor the system.

Card 30: What Are Internal Audit Reports?

Auditors issue reports in different forms and for different types of projects. They may be formal or informal, written or oral, interim or summary reports.

The format of the report will depend upon the type of the audit, the results of the audit, management needs, the nature of the company and how internal audit is accepted by the various levels of the organization.

However, all reports must include the purpose, the scope, the results and (if appropriate) an opinion. In addition to these items, a report may also include the following items: background information, summaries, status of findings from previous audits, recommendations, acknowledgment of good performance and corrective actions taken, and comments from the department that was audited.

There are four attributes to findings: criteria – the standards used in the evaluation; condition – the actual facts found; cause – the reason for the variance or deviation; and effect – the risk of this variance or deviation.

Card 31: How Should Internal Audit Reports Be Prepared?

Except for very simple reports, the auditor should first prepare a brief outline of the report, including main headings such as Summary, Foreword, Purpose, Scope, Opinion and Findings. Each finding may require an additional outline in order to properly explain and address it.

All reports should be:

• Objective,
• Clear,
• Concise (no longer than necessary),
• Timely, and
• Constructive (helpful to the company and leading to some type of improvement).

Card 32: How Should Oral Reports and Interim Reports Be Delivered?

Oral reports should supplement written reports, but cannot replace them. The advantages of oral reports are timeliness (and this is essential when a problem needs to be immediately fixed), developing the relationship between the auditor and the auditee through increased, informal communication, and enabling the auditee to point out any errors in the logic or understanding of the auditor. Oral reports must be prepared in order to achieve these advantages.

Interim reports are issued during the audit. These are not reports that are issued with the interim financial statements. Interim reports are issued whenever there is something that needs to be addressed immediately – if there is a need to change the scope of the audit, or simply to keep people informed when the audit process is a long one. Interim reports should state that the report includes only information to date, and is not a complete report. They should also state that the final report will follow up on and cover all remaining issues from the audit.
Card 33: How Should the Report Be Reviewed and Distributed?

It is a courtesy to let the auditee review the report before it is sent to the supervisors. This review also allows the auditee to identify any inaccuracies in the report. The auditor needs to lead the meeting with the auditee. In no circumstances will the auditor allow the auditee to write or change the report. Notes should be kept from any review meeting, with records of any conflicts or disagreements, including their resolution.

The report should be distributed to everyone who has a direct interest in it. This includes executives to whom internal audit reports, persons responsible for the activities or operations audited, and those who will need to take corrective action as a result of the audit. The report should include a list of people to whom it was distributed and who reviewed it during the draft stage.

Information that is sensitive, privileged or proprietary should be disclosed in a separate report and delivered to the audit committee.

Card 34: What Is the Role of the Auditor in Respect to Follow-Up?

IIA Standards require that internal auditors follow up on the actions taken by the company regarding any deficiencies found. The auditor should determine that either corrective action has been taken, or management has assumed the risk of not taking corrective action.

In following up, the auditor should receive all of the responses from the auditees to the audit, evaluate if those replies are adequate and then be certain that actions are actually taken to correct the problems. In order to ensure that the actions have been taken, the auditor may need to do additional testing after the correction has been put into place.

The auditor is the best person to carry out this necessary step because he/she is more familiar with the situation and the potential risks. The auditor should also be more impartial or objective than the manager who has to make the changes.

Card 35: What Are the Goals of Internal Control in an Information System?

Even though a company may use computers extensively in its operations and accounting systems, this does not change the fundamental goals of and need for internal controls in that system. It will, however, change the practical implementation of controls and the types of controls that are needed. Internal control for an information system has the same goals as overall organizational internal control:

• Promoting effectiveness and efficiency of operations in order to achieve the company’s objectives;
• Maintaining the reliability of financial reporting through checking the accuracy and reliability of accounting data;
• Assuring compliance with all laws and regulations that the company is subject to, as well as adherence to managerial policies; and
• Safeguarding assets.

Card 36: What Documents Provide Information System Internal Control Guidelines?

Information system internal control guidelines are based upon two documents:

The report of the Committee of Sponsoring Organizations, Internal Control – Integrated Framework, and Control Objectives for Information and Related Technology (COBIT), a document published by the Information Systems Audit and Control Foundation (ISACF).
37. How Does the Internal Control Integrated Framework Define Internal Control and What Are Its Components?

In Internal Control – Integrated Framework, internal control is defined as:

"a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations."

According to that document, the internal control system should consist of five interrelated components: 1) the control environment, 2) risk assessment, 3) control activities, 4) information and communication, and 5) monitoring.

38. What Are the General Controls?

Controls within a computer system are broken down into two types. They are general controls and application controls.

General controls relate to all computer activities and include controls over the development, modification and maintenance of computer programs. They are designed to ensure that the company's control environment is stable and well managed. This strengthens the effectiveness of its application controls. General controls are broken down into the following categories:

• Program development and documentation – to provide reasonable assurance that development of, and changes to, computer programs are authorized, tested, and approved prior to their usage;

• Access controls – to restrict access to data files to authorized users and programs;

• Organizational and operating controls – segregation of duties, other controls such as file security controls; and

• Hardware controls – to ensure that the computer itself is operating correctly.

39. What Are Systems and Program Development Controls?

Systems development controls during the development stage of an information system enhance the ultimate accuracy, validity, safety, security and adaptability of the new system's input, processing, output and storage functions. Controls are instituted at this stage for multiple reasons:

• To ensure that all changes are properly authorized and are not made by individuals who lack sufficient understanding of control procedures, the proper approvals, and the understanding of the need for adequate testing.

• To prevent errors in the resulting system, which could cause major processing errors in data.

• To limit the potential for a myriad of other problems during the development process and after it is complete.

40. What Are System, Program and Operating Documentation?

System documentation includes narrative descriptions, flowcharts, input and output forms, file and record layouts, controls, the authorizations for any changes, and backup procedures.

Program documentation includes the description of the programs, program flowcharts, program listings of source code, input and output forms, change requests, operator instructions and controls.

Operating documentation provides the information about the actual performance of the program, and procedural documentation provides the information about the master plan and the handling of files.

User documentation includes all of the necessary information for a user to be able to use the program. The documentation should be in a limited and controlled access area. There should be set standards for the coding, modification and flowcharting procedures.
41. What Are Access Controls?

Access involves both physical access to the hardware and the logical (ability to use) access to it. The various types of access controls are given below:

• Password and ID numbers.
• Device authorization table.
• System access logs.
• Security personnel.
• Encryption.
• Callback.
• Controlled disposal of documents.
• Biometric technologies.
• Automatic log off.

42. What Are the Organizational and Operating Controls?

The most important organizational and operating control is the segregation of duties. Though the traditional segregation practiced in accounting of separating the responsibilities of authorization, record keeping and custody of assets may not be appropriate in a computer department (since the work is quite different), there are still specific duties in the Information Systems environment that need to be separated from one another:

• Separate Information Systems from other departments;

• Separate responsibilities within the Information Systems department (systems analysis, programming, data control, computer operation, transaction authorization, data conversion, and file security controls (librarianship)).

An important organizational control is computer facility controls.

43. What Are the Hardware Controls?

Hardware controls are given below:

• Boundary (storage) protection.
• Diagnostic routines.
• Dual read.
• Dual read-write heads.
• Duplicate circuitry.
• Echo check.
• File protection.
• Parity check.
• Preventive maintenance.
• Read-write suppression.
• Validity checks.

44. What Are the Hardware Controls for Networks?

Hardware controls for networks include:

• Checkpoint control procedures to back up all the data and other information needed to restart the system. This checkpoint is recorded on separate media. Then, if a hardware failure occurs, the system reverts to the last saved copy and reprocesses only the transactions that were posted after that checkpoint.

• Routing verification procedures protect against transactions being routed to the wrong computer network system address. Any transaction must have a header label identifying its destination. The system verifies that the message did go to the destination code in the header.

• Message acknowledgment procedures check a trailer label, attached to a message to verify its completeness and correct
45. What Are the Application Controls?

Application controls relate to the specific tasks that are performed by the system and the programs. They are designed to prevent, detect and correct errors in transactions as they flow through the input, processing and output stages of work. Thus, they are broken down into these three main categories:

• Input controls,
• Processing controls, and
• Output controls.

46. What Are Input Controls?

Input controls are the controls that are in place to ensure that the data is entered into the program correctly. Input is the stage where there is the most human involvement and, as a result, the risk of errors is higher in this stage than in the processing and output stages. If the data is not entered correctly there is no chance that the output will be correct.

There are four classifications of input controls:

• Data observation and recording,
• Data transcription,
• Edit tests, and
• Additional input controls.

47. What Are Data Observation and Recording Controls?

One or more observational control procedures may be practiced:

• Feedback mechanisms are manual systems that attest to the accuracy of a document. For instance, a sales person might ask a customer to confirm their order with a signature, attesting to the accuracy of the data in the sales order.

• Dual observation means more than one employee sees the input documents. In some cases this might mean a supervisor reviews the work.

• Point-of-sale devices used to encode data can decrease errors substantially.

• Preprinted forms such as receipt and confirmation forms can ensure that all the data required for processing have been captured.

48. What Are Data Transcription Controls?

Data transcription is the preparation of the data for processing. The actual data input usually takes place at a workstation with a display terminal. A preformatted input screen can assist in the transcription process.

Edit tests or input validation routines are programs that check the validity and accuracy of input data. They perform edit tests by examining specific fields of data and rejecting transactions if their data fields do not meet standards.

Key verification is the process of inputting the information again and comparing the two results.

A redundancy check is the process of sending additional sets of data to confirm the original data sent.

An echo check is the process of sending the received data back to the sending computer to compare with what was actually sent.
49. What Are Specific Input Controls?

Additional Input Controls include:

• Error listing.
• Field checks.
• Hash total.
• Validity checks.
• Overflow test.
• Limit and range checks.
• Preformatting.
• Reasonableness (or compatibility) tests.
• Record count.
• Self-checking digits.
• Sequence checks.
• Sign checks.

50. What Are Processing Controls and Data Access Controls?

Processing Controls are those controls that are in place to monitor and check the processing of the data. Processing controls fall into two classifications:

• Data Access Controls
• Data Manipulation Controls

Data Access Controls are a processing control procedure that attempts to ensure that all input is processed correctly by the computer. In batch processing, items are batched in bundles of a preset number of transactions. As the computer processes the batch, it checks the batch control total (the total dollar amount) for the batch and compares the processed total with the batch control total. Batch control totals can also be used for nonfinancial transactions.

51. What Are Data Manipulation Controls?

Data Manipulation Controls are one of two types of Processing

Examining software documentation, such as system flowcharts, program flowcharts, data flow diagrams and decision tables, can also be a control because it makes sure that the programs are complete in their data manipulation.

Computer programs are error tested by using a compiler, which checks for programming language errors. Test data can be used to test a computer program.

System testing can be used to test the interaction of several different computer programs. Output from one program is often input to another, and system testing tests the linkages between the programs.

52. What Are Other Processing Controls?

There are a number of other processing controls:

• Posting check compares the record before and after updating.
• Cross-footing compares the sum of the individual components to the total.
• Zero-balance check is used when a sum should be 0.
• Run-to-run control totals check critical information for correctness.
• Internal header and trailer labels allow processing of only correct data.
• End-of-file procedures are the process of not closing the processing when the end of the master file is reached.
• Concurrency controls manage access to data by two or more programs.
• Key integrity checks ensure that keys are not changed during
53. What Are Output Controls?

Output controls relate to the result of the processing. Their objective is to assure the output's validity, accuracy and completeness. The output is supervised by the data control group.

There are two types of output application controls:

• Validating processing results is an activity, or proof, listing that documents processing activity. This provides detailed information about all changes to master files and creates an audit trail.

• Printed output controls such as physical control over company checks. Checks should be kept under lock and key, and only authorized persons should be permitted access.

Output control also concerns report distribution. Confidential reports should be shredded when they are no longer needed.

54. What Is Internet Security and How Is It Maintained?

Once a company is connected to the Internet a number of additional security issues must be properly addressed. Electronic eavesdropping can occur if computer users are able to observe transmissions intended for someone else. At a minimum, the system should include the following:

• User account management is the process of giving people accounts and passwords.

• Anti-virus software must be kept up to date.

• A firewall is a barrier between the internal and the external networks. This firewall prevents unauthorized access to the internal network.

• A proxy server is a computer and software that create a gateway to and from the Internet.

• Encryption is the technology that converts data into a code and then requires a key to convert the code back to data.

55. How Are Computer Systems Audited?

In a computer system there is still a need for auditing.

Test data is the use of a prepared set of input data that are then run through the system being audited. The results from this system are compared to the predetermined results.

An integrated test facility is the process of setting up artificial transactions that are then run through the computer system as it is normally operating. This may be done without the knowledge of the computer operator. In a parallel simulation the auditor will run a set of actual data through another computer system that is known to be working. The results from the test computer and the actual computer are then compared.

Embedded data collection is a process whereby a program within the system identifies specific types of transactions for further testing.

56. What Is Backup and Contingency Planning?

In any computer system, it is essential that the company has plans for the backup and recovery of data (especially disaster recovery). Programs, as well as data files, should be backed up regularly.

Copies of all transaction data are stored as a transaction log as they are entered into the system. Should the master file be destroyed, computer operations will roll back to the most recent backup; recovery takes place by reprocessing the data transaction log against the backup copy.

Backups should be stored at a secure remote location, so that in the event data is destroyed due to a physical disaster, it can be reconstructed. Backup data can be transmitted electronically to the backup site, through a process called electronic vaulting.

Computers should be on an Uninterruptible Power Supply (UPS) to provide some protection in the event of a power failure.
57. What Are Grandparent-Parent-Child Systems, Fault-Tolerant Systems and Disk Mirroring?

In grandparent-parent-child processing, files from previous periods are retained, and if a file is damaged during updating, the previous files can be used to reconstruct the current file. These files should be stored

Fault-tolerant systems are designed to tolerate faults or errors. They often utilize redundancy, so that if one system fails, another one will take over. With multiple processors, consensus-based protocols specify that if one processor disagrees with the others, it is to be ignored; with two processors, the second processor can serve as a watchdog processor. If something happens to the primary processor, the watchdog processor takes over. A CPU could have two disks, and all data on the first disk is mirrored on the second disk. This is called disk mirroring or disk shadowing. Rollback processing can be used to prevent any transactions from being written to disk until they are complete.

58. What Is Disaster Recovery?

A disaster recovery plan specifies who participates, what hardware and software will be used, and the applications to recover in case of a disaster.

Disaster recovery sites can be either hot or cold. A hot site is a backup facility that has a computer system fully operational and thus immediately available. A cold site is a facility ready to install processing equipment, but it is not immediately available.

Mobile recovery centers are used on a contracted basis in the event of a disaster that destroys operations facilities. They arrive within hours fully equipped with their client's platform requirements and staffed with technical personnel.

The disaster recovery plan should be reviewed regularly and revised when necessary; and each member of the disaster recovery team should keep a current copy of the plan at home.

59. What Is Joint Application Development (JAD)?

JAD is an accepted approach to systems development in many companies, and the process has evolved into a highly focused, structured workshop environment. The involved people get together and talk things out. Everyone gets to hear what others have to say, and there are no delays caused by waiting for someone to return a telephone call or respond to a memo.