SYSTEM OF INTERNAL CONTROLS
AUDITING FUNDAMENTALS
CHAPTER 5
GENERAL IT CONTROLS
LEARNING OUTCOMES:
• Students should be able to list and explain the different categories of General IT
controls.
• Students should demonstrate that they can recall (list) the detailed controls under each
category.
• Students should be able to apply the detailed controls in a case study and demonstrate
that they understand how the controls will address shortcomings and risks in the case
study.
LU2: Study Guide, Page 7 Copy Right Reserved © University of the Free State 2023
See video on Blackboard
INTRODUCTION
• Information systems are part of the daily functioning of every business.
• Different levels of IT integration – different levels of IT risks. Internal
controls designed to address those risks.
• Internal controls can be both manual and computerised.
• Controls are divided into two categories:
• General Information Technology (IT) Controls (General Controls)
• Information Processing controls
• Controls can also be classified according to their purpose:
• Preventative controls
• Detective controls and corrective controls
Auditing Fundamentals, Page 146 Copy Right Reserved © University of the Free State 2023
ACCOUNTING SOFTWARE
Examples of accounting software
Flow of transaction:
• Initiate/Execute: Transaction. Capture data on manual source document.
• Record: [Source documents]. Input source document into system.
• Process: Process transaction; Masterfile changes and storage. Accounting records: journals, ledgers, trial balance.
• Report: Output. Financial Statements.
Auditing Fundamentals, Page 149
GENERAL IT CONTROLS
• Previously known as general controls.
• Controls over IT processes as a whole.
• Support continued functioning of the information processing controls:
• If the general IT controls are weak, then the information processing
controls will not function effectively
• Policies and procedures relating to many applications.
• Support their effective functioning.
Auditing Fundamentals, Page 150 - 151
INFORMATION PROCESSING CONTROLS
• Controls relating to the processing of information.
• Initiating, recording, processing, and reporting of information
• Changes to standing data on the Masterfile
• Controls over specific IT applications or manual processes used for
processing information
• Protect the integrity of the information (valid, accurate and complete)
• Ensure information is free from fraud or error
Auditing Fundamentals, Page 151 - 152
EXAMPLE:
[Diagram labels: User, Application, Operating System, Applications]
Makes use of apps to function – work together to achieve a common goal
• General IT Controls: Those controls implemented over the entire phone (all
applications) to ensure they are working (E.g., antivirus protection, auto-updates or
screen lock).
• Information processing controls: Those controls implemented over a specific task (E.g.,
spell checker in your messaging apps).
[Diagram: the flow of transaction (Initiate/Execute, Record, Process, Report, with the accounting records), shown with "General IT Controls" labels placed around it.]
Auditing Fundamentals, Page 149
CATEGORIES OF GENERAL IT CONTROLS
• Organisational controls and personnel practices
• System development and change controls
• Business continuity controls
• Operating controls
• Access controls
Auditing Fundamentals, Page 153
ORGANISATIONAL CONTROLS AND PERSONNEL PRACTICES
• Controls deal with the structure, activities, and staff practices within the IT
department (The component deals with the entire organisation).
• Management’s attitude towards the IT control environment.
• Clear organisational structure and reporting lines within the IT
department.
• Top-down approach for creating an ethical culture and control
environment.
Auditing Fundamentals, Page 154
ORGANISATIONAL CONTROLS AND PERSONNEL PRACTICES
Delegation of responsibility:
• Management responsible for IT governance
• Delegate to IT-committee
• IT-manager daily management of IT-department
Auditing Fundamentals, Page 155 - 157
SYSTEM DEVELOPMENT AND CHANGE CONTROLS
• Information systems change because the business world changes.
• Objective: System needs to be effective to meet users’ needs and should
be cost efficient.
• System development: New system developed in-house.
• System acquisition: New system is acquired from a vendor.
• System change: Changes are made to an existing program.
• Five (5) stages of the system development life cycle.
Auditing Fundamentals, Page 157 - 158
SYSTEM DEVELOPMENT LIFE CYCLE
Request submission, needs assessment, and selection:
• Approved requests originate from user-departments
• Feasibility study to determine course of action
Planning and design:
• Project team (incl. user dept) and project plan with milestones
• Standards and framework
• Detailed investigation into users’ needs
Auditing Fundamentals, Page 158 - 161
System Conversion Methods
Auditing Fundamentals, Page 160
CHANGE CONTROLS
Auditing Fundamentals, Page 161
ACCESS CONTROLS
• Physical or computerised controls implemented to:
• Prevent unauthorised persons from gaining access.
• Limit the activities of authorised persons to authorised areas.
• Least privilege principle
• Access to only systems and information to perform their job properly.
• Security Management Policy
• Documents the process to identify risks, and allocates responsibility and
accountability for responding to those risks
• Physical Access controls
• Logical Access controls
• Other security controls
• Encryption, firewalls, antivirus and malware programs
Auditing Fundamentals, Page 162 - 166
PHYSICAL ACCESS CONTROLS
• Protect access to:
• Computer terminals
• Important files, documents and programs
Auditing Fundamentals, Page 163 - 164
LOGICAL ACCESS CONTROLS
• Computerised access controls implemented within the system which
limit access to terminals, networks, data, functionality.
User identification:
• Unique code or username – student number
• Links to your user profile
Auditing Fundamentals, Page 164 - 165
Example of logical access controls
User Identification
User authentication
Auditing Fundamentals, Page 164 - 165
BUSINESS CONTINUITY CONTROLS
• Controls to ensure the continuity of processing (operations) of the
business.
• Prevent system interruptions or limit the impact from those interruptions.
• Preventative controls
• Physical controls
• Detective and corrective controls
• Backups
• Emergency recovery plans
Auditing Fundamentals, Page 167 - 169
PHYSICAL BUSINESS CONTINUITY CONTROLS
• Include controls addressing the following:
• Construction and location
• Fire
• Electricity
Auditing Fundamentals, Page 167 - 168
BACKUP STRATEGIES:
Auditing Fundamentals, Page 168
EMERGENCY RECOVERY PLANS
List of data, program files that are key to the operation of the
business
Auditing Fundamentals, Page 168
HOMEWORK:
• Auditing Fundamentals Graded Questions (Chapter 5)
• Question 1
• Question 4
• Question 5
• Due on Tuesday, 7 March 2023