
LU1: SYSTEM OF INTERNAL CONTROLS

AUDITING FUNDAMENTALS
CHAPTER 5: GENERAL IT CONTROLS
LEARNING OUTCOMES:
• Students should be able to list and explain the different categories of General IT controls.
• Students should be able to recall (list) the detailed controls under each category.
• Students should be able to apply the detailed controls in a case study and demonstrate that they understand how the controls address the shortcomings and risks in the case study.

Source: Study Guide, p. 7. Copyright reserved © University of the Free State 2023. See video on Blackboard.

INTRODUCTION
• Information systems are part of the daily functioning of every business.
• Different levels of IT integration bring different levels of IT risk; internal controls are designed to address those risks.
• Internal controls can be both manual and computerised.
• Controls are divided into two categories:
  • General Information Technology (IT) Controls (General Controls)
  • Information Processing Controls
• Controls can also be classified according to their purpose:
  • Preventative controls
  • Detective controls
  • Corrective controls

Source: Auditing Fundamentals, p. 146

ACCOUNTING SOFTWARE
[Slide shows logos of example accounting software packages]


WHAT PROCESS IS FOLLOWED:
• The process that data follows through the accounting software:

Accounting system stage | Stage of a transaction                                  | Flow of transaction
Initiate/Execute        | Transaction                                             | Capture data on a manual source document
Record                  | Source documents                                        | Input the source document into the system
Process                 | Accounting records: journals, ledgers, trial balance   | Process the transaction; Masterfile changes and storage
Report                  | Financial statements                                    | Output

Source: Auditing Fundamentals, p. 149

GENERAL IT CONTROLS
• Previously known as general controls.
• Controls over the IT processes as a whole, not over a single application.
• Policies and procedures that relate to many applications and support their effective functioning.
• Support the continued functioning of the information processing controls: if the general IT controls are weak, the information processing controls cannot be relied on to function effectively.

Source: Auditing Fundamentals, pp. 150-151

INFORMATION PROCESSING CONTROLS
• Controls relating to the processing of information: the initiation, recording, processing and reporting of information, and changes to standing data on the Masterfile.
• Controls over specific IT applications, or over the manual processes used to process information.
• Protect the integrity of the information (valid, accurate and complete) and help ensure it is free from fraud or error.

Source: Auditing Fundamentals, pp. 151-152

EXAMPLE: A SMARTPHONE
• The user makes use of applications (apps) on the phone; the operating system and the applications work together to achieve a common goal.
• General IT controls: controls implemented over the entire phone (all applications) to ensure they keep working, e.g. antivirus protection, automatic updates or the screen lock.
• Information processing controls: controls implemented over a specific task, e.g. the spell checker in a messaging app.


WHAT PROCESS IS FOLLOWED: GENERAL IT CONTROLS
• The same transaction flow as above (initiate/execute, record, process, report), with General IT Controls surrounding every stage: they operate over the whole environment in which a transaction is captured, input, processed and reported, rather than over any single stage.

Source: Auditing Fundamentals, p. 149

CATEGORIES OF GENERAL IT CONTROLS
• Organisational controls and personnel practices
• System development and change controls
• Business continuity controls
• Access controls
• Operating controls

Source: Auditing Fundamentals, p. 153
ORGANISATIONAL CONTROLS AND PERSONNEL PRACTICES
• Controls that deal with the structure, activities and staff practices within the IT department (this component of the control environment concerns the organisation as a whole).
• Management's attitude towards the IT control environment.
• A clear organisational structure and reporting lines within the IT department.
• A top-down approach to creating an ethical culture and control environment.

Source: Auditing Fundamentals, p. 154
ORGANISATIONAL CONTROLS AND PERSONNEL PRACTICES (DETAILED CONTROLS)

Delegation of responsibility
• Management is responsible for IT governance.
• Responsibility is delegated to an IT committee.
• The IT manager is responsible for the daily management of the IT department.

Segregation of duties
• Separate the IT department from the user departments.
• Separate responsibilities within the IT department.
• The IT department reports directly to management.

Reporting, supervising and review
• All work performed by the IT department should be initiated by user departments.
• User departments remain responsible for the integrity of their information.
• Users can perform different levels of review.

Personnel practices
• Ensure competent IT staff are employed.
• Regular training and performance evaluations.
• Procedures for the dismissal of IT staff.

Source: Auditing Fundamentals, pp. 155-157
SYSTEM DEVELOPMENT AND CHANGE CONTROLS
• Information systems change because the business world changes.
• Objective: the system must be effective in meeting users' needs and must be cost efficient.
• System development: a new system is developed in-house.
• System acquisition: a new system is acquired from a vendor.
• System change: changes are made to an existing program.
• The system development life cycle has five (5) stages.

Source: Auditing Fundamentals, pp. 157-158
SYSTEM DEVELOPMENT LIFE CYCLE

1. Request submission, needs assessment and selection
   • Approved requests originate from user departments.
   • A feasibility study determines the course of action.

2. Planning and design
   • Project team (including the user department) and a project plan with milestones.
   • Standards and framework.
   • Detailed investigation into users' needs.

3. System development and testing
   • Development of the new program.
   • Testing of the new program using test data.

4. Implementation
   • Conversion to the new program.
   • Transfer of data/information from the old system to the new.
   • Documentation and training.

5. Post-implementation review and training
   • Errors corrected and recorded.
   • Review by the user department, auditors and the IT department.
   • Confirm that the system meets user requirements.

Source: Auditing Fundamentals, pp. 158-161

SYSTEM CONVERSION METHODS
[Slide shows a diagram of the system conversion methods; see Auditing Fundamentals, p. 160]
CHANGE CONTROLS
• Changes to existing software already in use, e.g. an update of the software.
• The changes are smaller than implementing a new information system.
• Changes are needed as user requirements change.
• Follow a process similar to system development and implementation, i.e. the system development life cycle.

Source: Auditing Fundamentals, p. 161
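The life-cycle and change controls above are usually described in words, so here is an added example (not from the slides or the textbook) of what they look like when enforced in code: a change request that can only move to the next stage when the request came from a user department, the requester did not approve it, the developer did not test or implement their own work, and the change passed testing. Staff names, departments and the change reference are constructed for the example.

```python
"""Added example, not from the slides or the textbook: a change request that
only advances when the segregation-of-duties and testing controls hold.
Staff names, departments and the change reference are constructed."""
from dataclasses import dataclass, field
from typing import List

# Assumed staff directory: user-department staff and IT staff.
USER_DEPARTMENTS = {"carol": "creditors", "dan": "creditors"}
IT_STAFF = {"alice", "bob", "eve"}


class ChangeControlViolation(Exception):
    """Raised when a step would bypass a control; nothing is recorded for it."""


@dataclass
class ChangeRequest:
    ref: str
    requested_by: str
    stage: str = "requested"
    approved_by: str = ""
    developed_by: str = ""
    tested_by: str = ""
    test_passed: bool = False
    implemented_by: str = ""
    history: List[str] = field(default_factory=list)

    def _advance(self, stage: str, note: str) -> None:
        self.stage = stage
        self.history.append(f"{stage}: {note}")  # every step is recorded


def submit(ref: str, requested_by: str) -> ChangeRequest:
    # Work on the system must be initiated by a user department, not by IT.
    if requested_by not in USER_DEPARTMENTS:
        raise ChangeControlViolation(f"{requested_by} is not in a user department")
    cr = ChangeRequest(ref, requested_by)
    cr._advance("requested", f"by {requested_by} ({USER_DEPARTMENTS[requested_by]})")
    return cr


def approve(cr: ChangeRequest, approver: str) -> None:
    if cr.stage != "requested":
        raise ChangeControlViolation("only a submitted request can be approved")
    if approver == cr.requested_by:  # requester may not approve own request
        raise ChangeControlViolation("requester may not approve own request")
    cr.approved_by = approver
    cr._advance("approved", f"by {approver}")


def develop(cr: ChangeRequest, developer: str) -> None:
    if cr.stage != "approved":
        raise ChangeControlViolation("development needs an approved request")
    if developer not in IT_STAFF:
        raise ChangeControlViolation("only IT staff may change programs")
    cr.developed_by = developer
    cr._advance("developed", f"by {developer}")


def qa_test(cr: ChangeRequest, tester: str, passed: bool) -> None:
    if cr.stage != "developed":
        raise ChangeControlViolation("nothing to test yet")
    if tester == cr.developed_by:  # separate duties within IT
        raise ChangeControlViolation("developer may not test own change")
    cr.tested_by, cr.test_passed = tester, passed
    cr._advance("tested", f"by {tester}, passed={passed}")


def implement(cr: ChangeRequest, implementer: str) -> None:
    if cr.stage != "tested" or not cr.test_passed:
        raise ChangeControlViolation("only a change that passed testing may go live")
    if implementer == cr.developed_by:
        raise ChangeControlViolation("developer may not move own change to production")
    cr.implemented_by = implementer
    cr._advance("implemented", f"by {implementer}")


def run_demo() -> ChangeRequest:
    """Walk one constructed change through the controlled life cycle."""
    cr = submit("CR-001", "carol")
    approve(cr, "dan")
    develop(cr, "alice")
    try:
        qa_test(cr, "alice", True)  # blocked: developer testing own work
    except ChangeControlViolation:
        pass
    qa_test(cr, "bob", True)
    implement(cr, "eve")
    return cr
```

The point an auditor tests is visible in the record: `run_demo()` ends with three different names in `developed_by`, `tested_by` and `implemented_by`, and the blocked attempt leaves no entry in `history`, so the log shows only steps that satisfied the controls.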
ACCESS CONTROLS
• Physical or computerised controls implemented to:
  • Prevent unauthorised persons from gaining access.
  • Limit the activities of authorised persons to the areas they are authorised for.
• Least privilege principle: users have access only to the systems and information they need to perform their jobs properly.
• Security management policy: documents the process to identify risks and allocates responsibility and accountability for responding to those risks.
• Physical access controls
• Logical access controls
• Other security controls: encryption, firewalls, antivirus and anti-malware programs.

Source: Auditing Fundamentals, pp. 162-166
PHYSICAL ACCESS CONTROLS
• Protect access to:
  • Company premises
  • IT department
  • Sensitive facilities
  • Computer terminals
  • Important files, documents and programs

Source: Auditing Fundamentals, pp. 163-164
LOGICAL ACCESS CONTROLS
• Computerised access controls implemented within the system that limit access to terminals, networks, data and functionality.

User identification
• A unique code or username (e.g. a student number).
• Links to the user's profile.

User authentication
• Ensures that the username is being used by the correct user.
• Access tables, passwords, one-time PINs, fingerprints and other ways to authenticate a user.

User authorisation
• Least privilege principle.
• Access is limited to the specific parts of the system needed to complete the user's tasks.

Logs, registers and violation reports
• Detective and corrective controls.
• Log the user's activity (access, or any changes made).
• Reviewed and followed up on a regular basis.

Source: Auditing Fundamentals, pp. 164-165
EXAMPLE OF LOGICAL ACCESS CONTROLS
[Slide shows screenshots of a login screen illustrating user identification and user authentication]
• Specific password controls are very important: see Auditing Fundamentals, p. 165.
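As an added example (not from the slides or the textbook), the four logical access controls described above can be shown working together on a constructed set of users and access attempts: identification by a unique user ID, authentication against a salted password hash with lockout after repeated failures, authorisation from a least-privilege role table, and a log from which a violation report is drawn for review. The user IDs, roles, function names and the lockout threshold of three attempts are assumptions made for the example.

```python
"""Added example, not from the slides or the textbook: identification,
authentication, authorisation and a violation report over constructed
users and access attempts. IDs, roles, functions and threshold are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Authorisation table (assumed): each role gets only the functions its job needs.
ROLE_PERMISSIONS: Dict[str, set] = {
    "clerk": {"capture_invoice", "view_ledger"},
    "supervisor": {"capture_invoice", "view_ledger", "approve_journal"},
    "it_admin": {"change_masterfile"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    user_id: str  # identification: unique username, e.g. a student number
    role: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked: bool = False


@dataclass
class AccessControlSystem:
    users: Dict[str, User] = field(default_factory=dict)
    log: List[dict] = field(default_factory=list)
    max_failures: int = 3  # assumed lockout threshold

    def add_user(self, user_id: str, role: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = User(user_id, role, salt, digest)

    def _record(self, user_id: str, action: str, outcome: str) -> None:
        self.log.append({"user": user_id, "action": action, "outcome": outcome})

    def authenticate(self, user_id: str, password: str) -> bool:
        """Authentication: prove the username is being used by its owner."""
        user = self.users.get(user_id)
        if user is None:
            self._record(user_id, "login", "unknown_user")
            return False
        if user.locked:
            self._record(user_id, "login", "locked")
            return False
        _, digest = hash_password(password, user.salt)
        if hmac.compare_digest(digest, user.pw_hash):
            user.failed_logins = 0
            self._record(user_id, "login", "success")
            return True
        user.failed_logins += 1
        if user.failed_logins >= self.max_failures:
            user.locked = True  # repeated failures lock the account
        self._record(user_id, "login", "bad_password")
        return False

    def authorise(self, user_id: str, function: str) -> bool:
        """Authorisation: least privilege, decided from the role's table."""
        role = self.users[user_id].role
        allowed = function in ROLE_PERMISSIONS.get(role, set())
        self._record(user_id, function, "allowed" if allowed else "denied")
        return allowed

    def violation_report(self) -> List[dict]:
        """Detective control: the log entries a reviewer must follow up on."""
        return [e for e in self.log if e["outcome"] not in ("success", "allowed")]


def run_demo() -> List[dict]:
    """Constructed sequence of access attempts; returns the violation report."""
    acs = AccessControlSystem()
    acs.add_user("2023001", "clerk", "Clerk-Pass-1")
    acs.add_user("2023002", "supervisor", "Sup-Pass-2")
    acs.authenticate("2023001", "wrong")  # one typo, then a correct login
    acs.authenticate("2023001", "Clerk-Pass-1")
    acs.authorise("2023001", "view_ledger")  # within the clerk's job
    acs.authorise("2023001", "approve_journal")  # beyond least privilege: denied
    for _ in range(3):
        acs.authenticate("2023002", "guess")  # third failure locks the account
    acs.authenticate("2023002", "Sup-Pass-2")  # correct password, but locked
    return acs.violation_report()
```

The report returned by `run_demo()` is what the slide calls a violation report: one mistyped password, one attempt by a clerk to approve a journal, three failed logins on the supervisor account and the resulting locked-out attempt. A reviewer following up would distinguish the clerk's single typo from the three guesses against the supervisor account, which is the pattern the regular review is meant to catch.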
BUSINESS CONTINUITY CONTROLS
• Controls to ensure the continuity of the processing (operations) of the business.
• Prevent system interruptions, or limit the impact of those interruptions.
• Preventative controls: physical controls.
• Detective and corrective controls: backups and emergency recovery plans.

Source: Auditing Fundamentals, pp. 167-169
PHYSICAL BUSINESS CONTINUITY CONTROLS
• Include controls addressing the following:
  • Construction and location
  • Fire
  • Electricity
  • Water
  • Environment
  • Theft

Source: Auditing Fundamentals, pp. 167-168
BACKUP STRATEGIES:
• A backup policy on how backups should be made.
• A backup policy on what information should be recovered.
• Regular backups should be made.
• Backups should be stored in a secure location off site.
• Backup copies should be tested frequently.

Source: Auditing Fundamentals, p. 168
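The last point above, that backup copies must be tested, is the one most often skipped, so here is an added example (not from the slides or the textbook) of what such a test consists of: a backup of constructed ledger files is taken together with a SHA-256 manifest, then tested by restoring it into a scratch directory and comparing each restored file against the manifest. The example then damages one byte of the stored copy and runs the test again to show that an untested backup can look complete while being unrecoverable. File names, contents and the corruption scenario are constructed for the example.

```python
"""Added example, not from the slides or the textbook: back up constructed
files with a hash manifest, then test the backup by a restore compared
against the manifest. File names and contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> Dict[str, str]:
    """Copy every file in src to dest and record each file's hash in a manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in src.iterdir() if p.is_file()):
        shutil.copy2(f, dest / f.name)
        manifest[f.name] = sha256_file(f)  # hash of the live source, not the copy
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup: Path, restore_to: Path) -> Dict[str, bool]:
    """Restore the backup into restore_to and compare each file with the
    manifest; a False entry means that file could not be recovered intact."""
    manifest = json.loads((backup / MANIFEST).read_text())
    restore_to.mkdir(parents=True, exist_ok=True)
    results = {}
    for name, expected in manifest.items():
        copy = backup / name
        if not copy.exists():
            results[name] = False  # file missing from the backup set
            continue
        shutil.copy2(copy, restore_to / name)
        results[name] = sha256_file(restore_to / name) == expected
    return results


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Back up constructed files, test the backup, corrupt one copy, test again."""
    root = Path(tempfile.mkdtemp(prefix="bcp_demo_"))
    live = root / "live"
    live.mkdir()
    # Constructed sample records standing in for the accounting data.
    (live / "general_ledger.csv").write_text("acct,debit,credit\n1000,500.00,0.00\n")
    (live / "masterfile.csv").write_text("supplier_id,name\nS001,Acme Ltd\n")
    backup = root / "offsite_copy"
    make_backup(live, backup)
    before = verify_restore(backup, root / "restore_1")
    # Simulate silent damage to the stored copy (bad media, bit rot, tampering).
    with (backup / "masterfile.csv").open("r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    after = verify_restore(backup, root / "restore_2")
    shutil.rmtree(root)
    return {"before_corruption": before, "after_corruption": after}
```

Both restore tests "succeed" in the sense that every file copies back without error; only the comparison against the manifest taken at backup time reveals that the masterfile copy is no longer the file that was backed up. That is why the control is worded as testing the backup copies, not merely confirming that the backup job ran.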
EMERGENCY RECOVERY PLANS
• A plan on how the business should act in the event of an emergency:
  • A written emergency recovery plan/strategy document should be in place.
  • A list of the data and program files that are key to the operation of the business.
  • An alternative processing facility should be in place.
  • The emergency recovery plan should be tested to identify weaknesses.

Source: Auditing Fundamentals, p. 168
HOMEWORK:
• Auditing Fundamentals Graded Questions (Chapter 5)
• Question 1
• Question 4
• Question 5
• Due on Tuesday, 7 March 2023
