COPYRIGHT © 2010 BY Mohammad Faizan Farooq

CONTROL AUDIT & SECURITY
Prepared & Compiled by: Mohammad Faizan Farooq Qadri Attari ACCA (Finalist) http://www.ffqacca.co.cc Contact: faizanacca@yahoo.com

Internal control
Internal control within an organisation is the system of control within the organisation that has been put in place in order to:
• prevent the system from getting out of control and failing to achieve its purpose, and so
• help the organisation to achieve its objectives and policies.

A useful definition of internal control was provided in 1992 in the US by the COSO Framework (COSO is the Committee of Sponsoring Organizations of the Treadway Commission). This defined internal control as: ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives’ in three particular areas: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.
• Risks to the effectiveness and efficiency of operations are ‘operational risks’, and controls designed to limit operational risks are ‘operational controls’. (These controls are tested by operational audits.)
• Risks affecting the reliability of financial reporting, as well as risks of financial fraud or error, are ‘financial risks’, which can be mitigated by ‘financial controls’.
• Risks of non-compliance with important aspects of the law or regulations are ‘compliance risks’, which can also be controlled by appropriate measures.

The purpose of internal control is therefore to apply control to the system by internal means and internal procedures and arrangements.

The five elements in a system of internal control
The COSO Framework identified five elements in a system of internal control. These are elements of internal control that must be in place and sufficient in order for internal control to be effective:
• a suitable control environment
• risk identification and assessment
• the design and application of internal controls
• information and communication
• monitoring

A control environment
A control environment is the control culture within the organisation, and the attitude of its employees toward ensuring that controls are adequate and properly applied. Individuals within an organisation will not take control seriously unless they are given direction from their bosses. The company’s directors are therefore responsible for the control environment, and the board of directors must establish policies on internal control. There should be a culture of control throughout the organisation, from the board down to all employees, but the leadership must come from the board, which sets the ‘tone at the top’.

Risk identification and assessment
There should be a system for the regular review of risks, identifying new risks and re-assessing existing risks. Risks that have been identified should be measured, to assess their significance (in terms of the probability of an adverse event and the amount of loss that might be incurred if an adverse event happens). Risk assessment can be carried out by means of a systems audit. Tests of control in the external audit are also a form of risk assessment of current risks and existing internal controls.

Control activities (internal controls)
Controls for reducing risks should be designed and implemented. In financial reporting, the main risks are risks of error and fraud. Controls should be designed to eliminate a risk, but before effective controls can be designed, the risks must first be identified and assessed. Management need to know what the risk is and how serious it might be if it is not controlled. Internal controls are a part of normal day-to-day operational activities and procedures. The features of internal financial controls are explained in more detail later.

Information and communication
An effective internal control system must have effective channels of communication, to ensure that all employees understand their responsibilities for control and that all relevant information reaches the individuals who need it. Controls cannot be applied effectively unless the individuals responsible for the controls are kept properly informed.

Monitoring
There should be regular monitoring and review of the effectiveness of the system of internal control. One way of monitoring internal control is to have an internal audit department, for carrying out reviews and reporting to senior management.

The consequences of weak internal financial control
When internal financial control is weak, there is a high risk of errors and fraud in the accounting records and the financial statements.
• When there is a large error, or an accumulation of smaller errors, the financial statements will not be reliable.
• Weak internal control makes it easier for fraudsters to operate. Fraud is a criminal activity, and is damaging to the company, its shareholders and possibly also its customers.
• In extreme cases, companies might operate in a condition close to insolvency without their management or their shareholders being aware of the problem.

Weak corporate governance and weak financial control have been identified as the main causes of major corporate collapses in the past, and will probably be the cause of more corporate failures in the future.

Risks and internal financial controls
Financial risks
Financial risks have been described so far as the risk of an error in the accounts or deliberate fraud. It is useful to think about what types of error might occur in the accounting system.
• A transaction might be omitted from the accounts entirely. For example, a sale of goods on credit to a customer for $25,000 might not be recorded. If it is not, total sales will be under-stated by $25,000 and the amount owed by customers will also be under-stated by the same amount.
• A transaction might be recorded twice. For example, a credit sale of $25,000 to customer X might be recorded twice, so that total sales are recorded as $50,000.

• A transaction might be recorded with the wrong value. For example, an item of machinery that is purchased for $20,000 might be recorded in the accounts with a value of $30,000.
• Numbers might be added up incorrectly. For example, the total amount of money receivable from credit customers might be stated incorrectly in the financial statements because the amounts owed by each customer are added up incorrectly.
• A transaction might be recorded as the wrong type of transaction. For example, a sale to a customer might be recorded as a purchase, or as a sales return.

Types of internal controls
Internal financial controls are designed and implemented to deal with financial risks. There are two broad types of internal control.
• Preventative controls. These are controls that are designed to prevent the error (or fraud) from happening.
• Detective controls. These are controls that are designed to identify an error (or fraud) when it happens. When there are detective controls, there should also be corrective measures for correcting the error or dealing with the fraud.
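Below is an added worked example (my own code, not from these notes) of a detective control covering the error types listed under ‘Financial risks’: it traces a constructed set of invoices to the ledger postings made from them, reports omissions, duplicates, wrong values and wrong transaction types, and re-adds the receivables figure as a control total. The invoice numbers, amounts and the draft statements’ total are all constructed.

```python
# Constructed sample data (not from the notes): a set of source documents (invoices)
# and the postings actually made from them to the ledger. Each invoice is set up
# to show one of the error types described under 'Financial risks'.
INVOICES = {                          # invoice no -> (transaction type, amount in $)
    "INV-001": ("sale", 25_000),      # omitted from the ledger entirely
    "INV-002": ("sale", 25_000),      # recorded twice
    "INV-003": ("purchase", 20_000),  # recorded with the wrong value
    "INV-004": ("sale", 4_000),       # recorded as the wrong type of transaction
    "INV-005": ("sale", 6_000),       # recorded correctly
}
LEDGER = [                            # (invoice no, transaction type, amount)
    ("INV-002", "sale", 25_000),
    ("INV-002", "sale", 25_000),
    ("INV-003", "purchase", 30_000),
    ("INV-004", "sales_return", 4_000),
    ("INV-005", "sale", 6_000),
]
# Total receivables as stated in the draft financial statements (constructed).
REPORTED_RECEIVABLES = 70_000

def reconcile(invoices, ledger):
    """Trace every source document to the ledger and every posting back to its
    source document. Returns a sorted list of (invoice no, error type)."""
    postings = {}
    for ref, kind, amount in ledger:
        postings.setdefault(ref, []).append((kind, amount))
    exceptions = set()
    for ref in postings:
        if ref not in invoices:                 # posting with no invoice behind it
            exceptions.add((ref, "no source document"))
    for ref, (kind, amount) in invoices.items():
        posted = postings.get(ref, [])
        if not posted:
            exceptions.add((ref, "omitted"))
            continue
        if len(posted) > 1:
            exceptions.add((ref, "recorded twice"))
        for posted_kind, posted_amount in posted:
            if posted_kind != kind:
                exceptions.add((ref, "wrong transaction type"))
            elif posted_amount != amount:
                exceptions.add((ref, "wrong value"))
    return sorted(exceptions)

def receivables_from_ledger(ledger):
    """Re-add the customer balances independently: credit sales less sales returns."""
    return sum(amount if kind == "sale" else -amount
               for _, kind, amount in ledger if kind in ("sale", "sales_return"))

def addition_check(ledger, reported_total):
    """Control total: the re-added figure must agree with the financial statements."""
    recomputed = receivables_from_ledger(ledger)
    return recomputed, recomputed == reported_total

if __name__ == "__main__":
    for ref, error in reconcile(INVOICES, LEDGER):
        print(f"{ref}: {error}")
    total, agrees = addition_check(LEDGER, REPORTED_RECEIVABLES)
    print(f"receivables re-added: ${total:,} (agrees with statements: {agrees})")
```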

Features of effective internal financial controls
Effective internal financial controls are controls that provide a high level of assurance that errors or fraud will be prevented or will be detected when they happen. In addition, the cost of an internal control should not exceed the benefits obtained from implementing it.

Internal financial control procedures can be divided into eight types or categories, which might be remembered by the mnemonic SPAMSOAP.

Internal check
An internal check is a type of internal control. An internal check is intended to prevent errors or fraud, or to detect them quickly when they occur. In financial accounting, an internal check involves arranging accounting tasks and duties so that no single task is performed from beginning to end by just one person. In this way, the work of each individual is subject to an independent check in the course of the work that is done by somebody else.

IT system security and controls
Threats to IT system security
Business organisations rely on IT systems to function. Computer systems need to be kept secure from errors, breakdown, unauthorised access and corruption. Some of the major risks to IT systems are as follows:
• Human error. Individuals make mistakes.
• Technical error, such as loss or corruption of data.
• Natural disasters.
• Sabotage/criminal damage: criminal damage, theft, terrorist attack.
• Deliberate corruption: viruses, hackers.
• The loss of key personnel with specialist knowledge about a system.
• The exposure of system data to unauthorised users.

In addition, there are risks within the computer software itself:
• The software might have been written with mistakes in it, so that it fails to process all the data properly.
• The software should contain controls as a check against errors in processing, such as human errors with the input of data from keyboard and mouse. The software might not contain enough in-built controls against the risk of input error and other processing errors.

General controls and application controls
Controls in IT can be divided into two categories:
• general controls,
• application controls.

General controls are controls that are applied to all IT systems and in particular to the development, security and use of computer programs. Examples of general controls are:
• physical security measures and controls
• physical protection against risks to the continuity of IT operations
• general controls within the system software such as passwords, encryption software, and software firewalls
• general controls over the introduction and use of new versions of a computer program

Application controls are specific controls that are unique to a particular IT system or IT application. They include controls that are written into the computer software, such as data validation checks on data input.

Passwords
A computer password is defined as ‘a sequence of characters that must be presented to a computer system before it will allow access to the system or parts of a system’. Passwords should be changed regularly, and employees should be continually reminded to change passwords. Users should be required to use passwords that are not easy to guess: for example, an organisation might require its employees to use passwords that are at least 8 characters long and include a mixture of letters and numbers.

Encryption
Encryption involves the coding of data into a form that is not understandable to the casual reader. Data can be encrypted (converted into a coded language) using an encryption key in the software. A hacker who gains access to a system holding data in encrypted form would not be able to read the data, and would not be able to convert it back into a readable form (‘decrypt the data’) without the corresponding decryption key.

Preventing or detecting hackers
Controls to prevent or detect hacking include:
• physical security measures to prevent unauthorised access to computer terminals
• the use of passwords
• the encryption of data
• audit trails, so that transactions can be traced through the system when hacking is suspected
• network logs, whereby network servers record attempts to gain access to the system
• firewalls.


Firewalls
Firewalls are either software or a hardware device (between the user’s computer and modem). Computer users might have both. The purpose of a firewall is to detect and prevent any attempt to gain unauthorised entry through the Internet into a user’s computer or Intranet system. A firewall:
• will block suspicious messages from the Internet, and prevent them from entering the user’s computer, and
• may provide an on-screen report to the user whenever it has blocked a message, so that the user is aware of the existence of the messages.

Computer viruses
Viruses are computer software that is designed to deliberately corrupt computer systems. Viruses can be introduced into a system on a file containing the virus. A virus may be contained:
• in a file attachment to an e-mail, or
• on a backing storage device such as a CD.

The term ‘virus’ might also be used to describe other methods of corrupting a system.

Trojan horses
Whilst the user thinks that the system is carrying out one program, the Trojan horse secretly carries on another.

Worms
This is corrupt data that replicates itself within the system, moving from one file or program to another.

Trap doors
A trap door is an entry point to a system that bypasses the normal controls intended to prevent unauthorised entry.

Logic bombs
This is a virus that is designed to start ‘working’ (corrupting the files or data processing) when a certain event occurs.

Time bombs
This is a virus that is designed to start ‘working’ (corrupting the files or data processing) on a certain date.

IT Standards
A range of IT Standards have been issued. For example, the International Standards Organisation (ISO) has issued IT security system standards. There are also IT Standards for the development and testing of new IT systems. IT Standards are a form of general control within IT that help to reduce the risk of IT system weaknesses and processing errors, for entities that apply the Standards.

Application controls
Application controls are controls that are designed for a specific IT system. One example of application controls is data validation. Data validation checks are checks on specific items of data that are input to a computer system, to test the logical ‘correctness’ of the data. If an item of data appears to be incorrect, the system does not process the data: instead it issues a data validation report, so that the apparent error can be checked and corrected if appropriate.
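As an added example (not part of these notes), the data validation described here applied to a constructed batch of sales-invoice input. It uses the check types named in the questions at the end (range checks, limit checks, control totals) together with format, existence and date checks; the record layout, the customer master file and the credit limits are assumptions. Records that fail any check are held back from processing and listed in a data validation report.

```python
import re
from datetime import date

# Constructed input batch (not from the notes): sales invoices keyed in by a clerk,
# with the control totals the clerk wrote on the batch header before input.
BATCH_HEADER = {"record_count": 4, "amount_total": 155_000}
BATCH = [
    {"invoice": "INV-101", "customer": "C0042", "date": "2010-03-14", "qty": 10, "amount": 25_000},
    {"invoice": "INV-102", "customer": "C9999", "date": "2010-02-30", "qty": 3, "amount": 5_000},
    {"invoice": "INV-103", "customer": "C0017", "date": "2010-03-15", "qty": 2, "amount": 120_000},
    {"invoice": "ABC", "customer": "C0042", "date": "2010-03-15", "qty": 0, "amount": -200},
]
# Constructed customer master file: customer code -> credit limit in $.
CREDIT_LIMITS = {"C0042": 50_000, "C0017": 30_000}
INVOICE_FORMAT = re.compile(r"^INV-\d{3}$")

def validate_record(rec, credit_limits):
    """Apply the validation checks to one input record; returns the list of failures."""
    errors = []
    if not INVOICE_FORMAT.match(rec["invoice"]):            # format check
        errors.append("invoice number not in the form INV-nnn")
    if rec["customer"] not in credit_limits:                 # existence check
        errors.append("customer code not on the master file")
    try:                                                     # date check
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("date is not a valid calendar date")
    if not 1 <= rec["qty"] <= 1_000:                         # range check
        errors.append("quantity outside the permitted range 1-1000")
    if rec["amount"] <= 0:                                   # sign check
        errors.append("amount must be positive")
    limit = credit_limits.get(rec["customer"])
    if limit is not None and rec["amount"] > limit:          # limit check
        errors.append(f"amount exceeds credit limit of ${limit:,}")
    return errors

def validate_batch(records, header, credit_limits):
    """Validate every record and the batch control totals; returns (records that
    may be processed, data validation report for everything else)."""
    accepted, report = [], []
    for rec in records:
        errors = validate_record(rec, credit_limits)
        if errors:
            report.append((rec["invoice"], errors))
        else:
            accepted.append(rec)
    # Control totals: re-add what was keyed and compare with the batch header.
    if len(records) != header["record_count"]:
        report.append(("BATCH", [f"{len(records)} records keyed, header says {header['record_count']}"]))
    keyed_total = sum(r["amount"] for r in records)
    if keyed_total != header["amount_total"]:
        report.append(("BATCH", [f"keyed total {keyed_total:,} differs from header total {header['amount_total']:,}"]))
    return accepted, report

if __name__ == "__main__":
    accepted, report = validate_batch(BATCH, BATCH_HEADER, CREDIT_LIMITS)
    print("accepted for processing:", [r["invoice"] for r in accepted])
    for ref, errors in report:
        print(f"{ref}: {'; '.join(errors)}")
```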

AUDIT
Internal audit and internal control
Internal audit is one part of an internal control system which assesses the effectiveness of other controls. The work of the internal audit department may cover the following broad areas:
(a) Review of accounting and internal control systems
(b) Examination of financial and operating information
(c) Review of the economy, efficiency and effectiveness of operations
(d) Review of compliance
(e) Review of safeguarding of assets
(f) Review of implementation of corporate objectives
(g) Identification of significant business risks, monitoring overall risk management policy and monitoring risk management strategies
(h) Special investigations

Internal auditors' work depends on the scope and priority of the identified risks. They may have to conduct a risk assessment from which they will recommend an appropriate framework.

The key features of good internal audit:
(a) Independence
(b) Appraisal

There are five different types of audit to be aware of:
(a) Operational
(b) Systems
(c) Transactions
(d) Social
(e) Management investigations

Operational audits monitor management's performance and are sometimes known as 'management', 'efficiency' or 'value for money' audits.

Systems audits test and evaluate internal controls. Typically there are two types of test:
• Compliance (controls are applied as laid down)
• Substantive (seeking errors and omissions)
If compliance tests reveal that internal controls are working satisfactorily, then the amount of substantive testing can be reduced.

A transactions audit aims to detect fraud and uses only substantive tests.

Ideally the internal audit department should report to the audit committee of the board of directors, as it is then free to report on all levels of management and can ensure that any of its recommendations are implemented. The internal audit department plays a significant part in an organisation's risk management.

External audit
External audit is the regular examination of the organisation's records by an outside party to ensure that they have been properly maintained and give a true and fair view of the entity's financial state. The key differences between internal and external audit are:

There should be co-ordination between the external and internal auditors to ensure that duplication of work is minimised and controls enhanced. If external auditors rely to an extent on the work of the internal audit department, they will consider:
(a) Organisational status
(b) Scope of internal audit functions
(c) Technical competence
(d) Due professional care

QUESTION FFQA
Internal auditors are employees of the company's external auditors who work full time auditing the company's accounts. True or false?
A True
B False

QUESTION FFQA
Which of the following is not an inherent limitation of an internal control system?
A Procedures manual
B Non-routine transactions
C Management bypassing controls
D Employee collusion

QUESTION FFQA
Which of the following is an incorrect statement regarding the external auditors?
A They report to the Board of Directors
B Their work relates to financial statements
C They express an opinion on the financial statements
D They are independent of the company and its management

QUESTION FFQA
Which of the following is not a method of data validation?
A Audit trails
B Range checks
C Control totals
D Limit checks

QUESTION FFQA
Which of the following is not suggested by Turnbull to help ensure a strong control environment?
A Clear definition of authority
B Clear strategies
C Good internal communications
D Reconciliations
