Professional Documents
Culture Documents
GUIDEBOOK
2010
OR OF ST
IT
AUD
AT
E
NO
A V 11 , 1 8 8 9
N
W
SH O
INGT
REFERENCES.......................................................................................................29
v e s tmen edit Card setsCa B illing t r o l s p o r t ing entCre a p i tal A P a y men a l Con
tro
I n C r A s n t s o n R e n m C o r n e r
t tal me al C ial iro ivabl
es end IT Ge tsF
in
i ro n men
e s Capi d o r Pay I T G ener F i nanc n t r o l Env
R e c e C a s hV e n t s c e i p
n
enInternal Control over CoFinancial
nv abl Ve ts ts d Reporting tty tm Re ts
R eceiv C a sh s t m r d R eceip C a sh B i l l i ng an yrollPe I nves d i t Card i t a l Asse
d y
ett Internal e a g e
g an
r o llP t i
Inv
ng control C over C
redit financial t a ssets ym
l Areporting nts as
isedefined
t r Pa designed
oalsprocess R epor by,
tin orenundertCr thelesCap shVe
a y o r t p i P a o n i a l n m ab a
lsP i a l Rep supervision n men of the s Ca principal
entity’s n dorexecutive e l C principal
raand i
c
nanfinancial E nviro nord persons
officers, R eceiv Petty C e
F i na n c
o l E nv
performing
i ro
c e i
similar
b l e
va functions, C a s
V e
h and seffected I T e n
G by the
c e i p ts
entity’s
F
governing
C o nt ro l
board, l i n g a
manage- a y r ol l
I n vestm
pts Cont
r dR e ent Re Bi l P ng
s h ment
i n g anand other l l Petty vesto
personnel, tmprovide i t Card
reasonable t s
assuranceCash regarding e nts theCoreliability n
trols ofl Reporti e n tCr
a i l l ro I n d e y m l m
sC B
ents financial
Pay g Cre al As
s
ndor Ifor
Pa ener
a cia
Finan introl Envi
ron ec
a y m o n t r ols reporting e p o rtinand the
n m ent
preparation C a pitfinancial
of V statements
e T Gexternal t s purposes
a nd R
r P l C a l R i r o e s s h en t s e i p o n i n g
do
Gene ts
ra accordance ci
Finan Cowith n l Env
trogenerally e caccepted
l
eivab accounting P etty
Ca principles
vestm and
ec
ard R tthose
includes hC ntsBill
Caspolicies Payro
I T d R l l I n d i t C s m e ro l s
nts ceip andCprocedures ash Billthat: n
ing a olsPayr Reportin
o g e sse ay nt
a r d Re t s e n tCr a p i tal A e n dor P eneral Co F i n ancia
l
edit
C Ass e ts t r ncia l n m C V s
pital ymen toenthe l Con
ramaintenance Finaof nviroin reasonable
Ethat
ables detail ash ntand
Caccurately
G
sITfairly Receipt Co
s C a d o 1. r P aPertain
G e
i p t s records
o n t r o l
e c e i v P e t t y
s t m e a r d C a sh
bl e Ve n I T ce C nd R l l ve it C ets
C ash estmereflect nts theCatransactions
t rd Re sCand ash dispositions
B i l l ing a of the l s assetsPayroof the r t i n gIn ntCred
entity;
i t a l Ass y m ents
t y i t o o p a
Pet
ng
Inv d
Cre reasonable sse
ital A rassurance
ts
men thatnetransactions ontr Rep
cialrecorded nme es Ca
endo
rP
o r t i m 2. e ntProvide C a p P a y e ral C i n a n are l E n vasironecessary i va b lto permit h V
Rep
l Envir
on
ables shofVefinancial ndo tsI
TG tsF
ipaccordance
ro
Cont generally a Rece
nd accepted e ty Ca
taccount-
s
t r o c e i vpreparation e n statements e c in
e s h with n g P
Con and R ling
e ty Ca Iand tm
nvesthat ereceipts rd R expenditures ets
Ca li
Bilentity roll made only
Paybeing
l l i n g l P etprinciples,
n g r d it Ca and l A s s e n ts
of the o l s are
Bi lsPayro inl accordance rti C ta ym ntr
o i a Repo ronm ent
with authorizations
e s Capi ofemanagement n d or Pa e rand
a l Codirectors of the entity; and
t r an c vi ab l V e n
Con F i n l E n ce i v a s h I T G
ipts 3. ontro reasonable e C ts
Rece s h CProvide
l i n g and R assurance
l l Petty regarding v e s t men prevention or timely detection of unauthor-
a i l ayr o In
tsC tsBacquisition,
nized lsP usepor ting
disposition of the entity’s assets that could have a material
Asse P a y m e
o n t r o
R e o r
or effect C
ral on the financial cia l statements.
Vend I T Gene tsFinan
ts ip
men a r d Rece
it C
Cred This definition reflects certain fundamental concepts:
Managers should be careful to avoid excessive control, recognizing that absolute assurance
is generally not achievable and would be prohibitively expensive and impede productivity.
E. Monitoring
After risks have been identified, policies and procedures put into place and information on
control activities communicated, managers must implement the fifth component of internal
control, monitoring. Monitoring assesses the quality of internal controls over time, making
adjustments as necessary. Like the other four components, monitoring is a basic manage-
ment practice that involves activities such as performance evaluations; ongoing supervisory
activities, reviews and analyses; and independent evaluations of internal controls performed
by management or other parties outside of the process. Proper monitoring ensures that con-
trols continue to be adequate and to function properly.
Management’s task is to design control activities that prevent, detect and correct these and
other potential errors and other frauds. Front-end, or preventive, controls are performed
before an action takes place. For example, a supervisor or manager must approve an invoice
3. Inventories
• Individuals responsible for monitoring inventories should not have the authority to
authorize withdrawals of items maintained in inventory.
• Individuals performing physical inventory counts should not be involved in maintaining
inventory records.
4. Check-Writing Activities
• Individuals who prepare/record checks should not sign the checks.
• Individuals who prepare/record checks should not reconcile the checking account.
Periodic Reconciliations
Managers should provide for periodic comparison of recorded amounts with independent
evidence of existence and valuation. Internal auditors and/or other members of the account-
ing staff can perform such comparisons on a regular basis. These individuals, however, should
not also have responsibility for authorization of the related transactions, accounting or re-
cordkeeping, or custodial responsibility for the assets.
Periodic comparisons may include reconciliation of bank statements, inventory counting, con-
firmation of accounts receivable and accounts payable. The more frequent the comparisons,
the greater the opportunity to detect errors. The results of nightly processing in the central
accounting system for example, should be compared the next morning to the detail sum-
mary records. Cash account balances per the central accounting system should be reconciled
Documentation Control
Internal control systems, all transactions and other significant events should be clearly docu-
mented, and the documentation should be readily available for internal review or audit pur-
poses.
• Detailed written evidence of the internal control system, its objectives and activities,
is essential. This documentation is valuable to managers in controlling their operations
and is useful to auditors or others involved in analyzing and reviewing operations.
Written documentation facilitates job training by communicating specific responsibilities.
The documentation should appear in management directives, administrative policy,
and accounting procedure manuals. Many documentation tools are available such as
checklists, flow charts, narratives, and software packages. These tools may be particularly
helpful in documenting complex information systems and the related control activities.
• Internal control reviews and risk analyses should be documented. Supporting
documentation for conclusions should be kept on file for use by the government and for
audit purposes.
1 This subsection was adapted from the example on project team organization presented by Mr. Michael Ramos in his book
entitled, How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hobo-
ken, NJ, 2004.
D. Observation
Some controls may be observed, such as computer edit checks or physical inventory accounts.
If the physical count is performed only occasionally, it may be possible to observe the control
each time it is performed.
G. Application Controls
The IT specialist may decide to test the processing controls related to individual application
systems. One method is to prepare a file of test transactions and run them through the sys-
tem to determine that all pre-defined errors are identified.
The Standard of Good Practice for Information Security, Information Security Forum (ISF),
2004, http://www.isfsecuritystandard.com