
Tuesday, October 02, 2007

The Importance of Internal Controls

Monday, February 12, 2007

Auditing General IT controls - Audit scope

IT Management

Review of: -
Organisation Structure
Job Descriptions
Training Records
IT Plan
IT Committee
IT Budget – training and CAPEX
IT Policies
Project Management
Risk Management
Insurance

IT Security

Review of: -
IT Security Policy
Network Security
Virus Protection
Software Licensing
Patch Management

IT Operations

Review of: -
Backup process – onsite, offsite
Backup policy, strategy
Tape management – labelling, inventory, disposal
Physical security of Computer Room / Data Centre
Environmental controls of Computer Room / Data Centre
IT Procedures, operations manual

BCP

Review of: -
Physical security of DR site
BCP Plan
BCP Infrastructure
BCP testing – test plan, script
BCP Committee

Change Management
Review of: -
Change Management Procedures
Service Request Notes – identify long outstanding issues
UAT process

Sunday, October 01, 2006

Application Controls

In short, application controls can be categorised into:-
- Data origination / preparation
- Input
- Processing
- Output

Data is prepared from the source documents before it is entered (input) into the application system, processed, and finally reported as the output required.

COBIT 4 has also added one more category, Boundary Controls, i.e. the controls required between two parties (sender and receiver).

As per COBIT 4, the following are the recommended application controls:-

Data Origination/Authorisation Controls

AC1 Data Preparation Procedures
Data preparation procedures are in place and followed by user departments. In this context, input form design helps ensure that errors and omissions are minimised. Error-handling procedures during data origination reasonably ensure that errors and irregularities are detected, reported and corrected.

AC2 Source Document Authorisation Procedures
Authorised personnel who are acting within their authority properly prepare source documents and an adequate segregation of duties is in place regarding the origination and approval of source documents.

AC3 Source Document Data Collection
Procedures ensure that all authorised source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.

AC4 Source Document Error Handling
Error-handling procedures during data origination reasonably ensure detection, reporting and correction of errors and irregularities.

AC5 Source Document Retention
Procedures are in place to ensure original source documents are retained or are reproducible by the organisation for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.

Data Input Controls
AC6 Data Input Authorisation Procedures
Procedures ensure that only authorised staff members perform data input.

AC7 Accuracy, Completeness and Authorisation Checks
Transaction data entered for processing (people-generated, system-generated or interfaced inputs) are subject to a variety of controls to check for accuracy, completeness and validity. Procedures also assure that input data are validated and edited as close to the point of origination as possible.

AC8 Data Input Error Handling
Procedures for the correction and resubmission of data that were erroneously input are in place and followed.

Data Processing Controls

AC9 Data Processing Integrity
Procedures for processing data ensure that separation of duties is maintained and work performed is routinely verified. The procedures ensure that adequate update controls such as run-to-run control totals and master file update controls are in place.

AC10 Data Processing Validation and Editing
Procedures ensure that data processing validation, authentication and editing are performed as close to the point of origination as possible. Individuals approve vital decisions that are based on artificial intelligence systems.

AC11 Data Processing Error Handling
Data processing error-handling procedures enable erroneous transactions to be identified without being processed and without undue disruption of the processing of other valid transactions.

Data Output Controls

AC12 Output Handling and Retention
Handling and retention of output from IT applications follow defined procedures and consider privacy and security requirements.

AC13 Output Distribution
Procedures for the distribution of IT output are defined, communicated and followed.

AC14 Output Balancing and Reconciliation
Output is routinely balanced to the relevant control totals. Audit trails facilitate the tracing of transaction processing and the reconciliation of disrupted data.

AC15 Output Review and Error Handling
Procedures assure that the provider and relevant users review the accuracy of output reports. Procedures are also in place for identification and handling of errors contained in the output.

AC16 Security Provision for Output Reports
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.
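The input, processing and output controls above (AC7 accuracy and completeness checks, AC8 correction and resubmission, AC9 run-to-run and master file update controls, AC14 output balancing) are easiest to see as one batch cycle. The following is an added example, not code from the original post or from COBIT: a user department submits a batch under a header that states the expected record count, a hash total of account numbers and an amount total, and the program refuses to process or release anything that does not agree with that header. The file layout, the account and amount formats and the opening balances are constructed for illustration.

```python
"""Batch control totals across input, processing and output.

Added example, not from the original post: a user department submits a batch
of transactions under a batch header that states the expected record count,
hash total (sum of account numbers) and amount total. The program edits each
record on input (AC7), returns the whole batch for correction and
resubmission if it does not agree with the header (AC8), carries a run-to-run
total through the master file update (AC9) and balances the output against
the header before it is released (AC14). All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed input: a batch header (count, hash total, amount total) and
# the detail records it covers, one "account,amount" line each.
BATCH_HEADER = "BATCH,3,3003003,1250.00"
BATCH_LINES = ["1001001,500.00", "1001002,250.00", "1001000,500.00"]
# Constructed opening balances of the master file being updated.
OPENING_BALANCES = {1001001: Decimal("100.00"), 1001002: Decimal("0.00")}


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    hash_total: int      # arithmetic sum of account numbers: meaningless, but comparable
    amount_total: Decimal


@dataclass(frozen=True)
class Txn:
    account: int
    amount: Decimal


def parse_header(line: str) -> BatchHeader:
    tag, count, hash_total, amount = line.split(",")
    if tag != "BATCH":
        raise ValueError("batch header missing")
    return BatchHeader(int(count), int(hash_total), Decimal(amount))


def parse_txn(line: str) -> Txn:
    """Field edit checks at the point of input (AC7): reject, never guess."""
    account, amount = line.split(",")
    if not (account.isdigit() and len(account) == 7):
        raise ValueError(f"invalid account {account!r}")
    try:
        value = Decimal(amount)
    except InvalidOperation:
        raise ValueError(f"invalid amount {amount!r}") from None
    if value <= 0 or value != value.quantize(Decimal("0.01")):
        raise ValueError(f"amount not a positive two-decimal value: {amount!r}")
    return Txn(int(account), value)


def input_check(header: BatchHeader, lines: list[str]) -> tuple[list[Txn], list[str]]:
    """Completeness and accuracy of the batch against its header.

    Any error means the batch goes back for correction and resubmission
    (AC8); nothing from it is processed.
    """
    txns, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            txns.append(parse_txn(line))
        except ValueError as exc:
            errors.append(f"record {n}: {exc}")
    if len(lines) != header.record_count:
        errors.append(f"record count {len(lines)} != header {header.record_count}")
    if sum(t.account for t in txns) != header.hash_total:
        errors.append("hash total mismatch: a record is missing, duplicated or altered")
    if sum((t.amount for t in txns), Decimal(0)) != header.amount_total:
        errors.append("amount total mismatch")
    return txns, errors


def post_batch(opening: dict[int, Decimal], txns: list[Txn]) -> tuple[dict[int, Decimal], Decimal, Decimal]:
    """Master file update with run-to-run totals (AC9)."""
    closing = dict(opening)
    for t in txns:
        closing[t.account] = closing.get(t.account, Decimal(0)) + t.amount
    opening_total = sum(opening.values(), Decimal(0))
    closing_total = sum(closing.values(), Decimal(0))
    return closing, opening_total, closing_total


def run_batch(header_line: str, lines: list[str], opening: dict[int, Decimal]) -> dict:
    """Input -> processing -> output with a control total check at each stage.

    "balanced" is the output control (AC14): the closing ledger total minus
    the opening total must equal the authorised batch total, otherwise the
    output is held rather than distributed.
    """
    header = parse_header(header_line)
    txns, errors = input_check(header, lines)
    if errors:
        return {"accepted": False, "errors": errors, "balanced": False}
    closing, opening_total, closing_total = post_batch(opening, txns)
    net_change = closing_total - opening_total
    return {
        "accepted": True,
        "errors": [],
        "records_posted": len(txns),
        "net_change": str(net_change),
        "balanced": net_change == header.amount_total,
        "closing": {acct: str(bal) for acct, bal in sorted(closing.items())},
    }


if __name__ == "__main__":
    print(run_batch(BATCH_HEADER, BATCH_LINES, OPENING_BALANCES))
    # A dropped record fails the count and both totals; the batch is returned.
    print(run_batch(BATCH_HEADER, BATCH_LINES[:2], OPENING_BALANCES))
```

The hash total is deliberately a sum of identifiers that has no business meaning: its only purpose is to catch a record that was dropped, duplicated or keyed against the wrong account, which a count and an amount total alone would not detect. The same three figures are re-derived after processing so that the output reconciliation does not depend on the input check having run.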

Boundary Controls

AC17 Authenticity and Integrity
The authenticity and integrity of information originated outside the organisation, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.

AC18 Protection of Sensitive Information During Transmission and Transport
Adequate protection against unauthorised access, modification and misaddressing of sensitive information is provided during transmission and transport.
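AC17 and AC18 only state the objective: information that crosses the organisation boundary must be checked for authenticity and integrity before it drives a critical action, and must be protected against modification and misaddressing in transit. The following is an added example, not from the original post, and COBIT does not prescribe the mechanism it uses: it assumes that each partner shares a secret with the organisation and that every inbound message carries an HMAC-SHA256 tag over its sender, recipient, sequence number and body. The partner identifiers, keys and messages are constructed.

```python
"""Boundary check on an inbound partner message before it is acted on.

Added example, not from the original post. COBIT does not prescribe a
mechanism; this assumes the partner and the organisation share a per-partner
secret and that every message carries an HMAC over its sender, recipient,
sequence number and body. The receiver verifies the MAC (integrity and
authenticity, AC17) and only then trusts the recipient field (misaddressing,
AC18) and the sequence number (replay). Keys and messages are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed per-partner shared secrets; in practice held in a secret store.
PARTNER_KEYS = {"BANK-A": b"constructed-demo-key-for-bank-a-only"}
OUR_ID = "ACME-AP"


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(fields: dict, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over all fields."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def verify_inbound(message: dict, our_id: str, last_seq: int) -> tuple[bool, str]:
    """Receiver side. Returns (accept, reason).

    Order matters: the sender field is only used to pick a key, and nothing
    else in the message is believed until the MAC has been checked.
    """
    key = PARTNER_KEYS.get(message.get("sender"))
    if key is None:
        return False, "unknown sender"
    tag = message.get("mac")
    if not isinstance(tag, str):
        return False, "no MAC"
    fields = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "MAC mismatch: modified in transit or not from the claimed sender"
    if fields.get("recipient") != our_id:
        return False, f"misaddressed: meant for {fields.get('recipient')!r}"
    seq = fields.get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        return False, "replayed or out-of-order message"
    return True, "ok"


def demo() -> dict:
    """Run the checks over one genuine message and three bad variants."""
    genuine = seal(
        {"sender": "BANK-A", "recipient": OUR_ID, "seq": 42,
         "body": {"payee": "Supplier Ltd", "amount": "1250.00"}},
        PARTNER_KEYS["BANK-A"],
    )
    # Body changed after sealing: the tag no longer matches.
    tampered = {**genuine, "body": {"payee": "Attacker Ltd", "amount": "1250.00"}}
    # Correctly sealed by the partner, but addressed to someone else.
    misaddressed = seal(
        {"sender": "BANK-A", "recipient": "OTHER-CO", "seq": 43, "body": {}},
        PARTNER_KEYS["BANK-A"],
    )
    return {
        "genuine": verify_inbound(genuine, OUR_ID, last_seq=41),
        "tampered": verify_inbound(tampered, OUR_ID, last_seq=41),
        "replayed": verify_inbound(genuine, OUR_ID, last_seq=42),
        "misaddressed": verify_inbound(misaddressed, OUR_ID, last_seq=42),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The recipient and sequence fields are inside the authenticated data, so a message that is genuine but meant for another party, or one captured and re-sent, is rejected on authenticated grounds rather than on a header an attacker could rewrite. A MAC gives integrity and origin but no confidentiality; the transport protection AC18 also asks for (e.g. TLS for the link) is a separate control.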

Wednesday, September 27, 2006

Types of IT Controls

There are two main categories of IT controls:-

IT GENERAL CONTROLS
General controls are those controls embedded in IT processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

APPLICATION CONTROLS
Controls embedded in business process applications are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties

Sunday, September 24, 2006

PROCESSES NEED CONTROLS

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

COBIT's control objectives are the minimum requirements for effective control of each IT process.

Each of COBIT’s IT processes has a high-level control objective and a number of detailed control objectives. As a whole, they are the characteristics of a well-managed process.

The detailed control objectives are identified by a two-character domain reference plus a process number and a control objective number (for example, DS5.3 is domain DS, process 5, control objective 3).

Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency because there will be fewer errors and a more consistent management approach.

Tuesday, September 12, 2006

IT Controls

IT risks exist in every IT process. Therefore, IT controls should also be in place to mitigate or reduce those risks.

A catalogue of such controls is available in COBIT, which is widely used as a de facto IT governance standard. COBIT 4 defines 34 IT processes, grouped into four domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate), and states the control objectives that have to be in place for each process.

For a simple illustration,
IT Risks-----> IT Processes------> IT Controls

  • Infrastructure Risk-----> Plan & Organise (PO)--------> IT Plan
  • Infrastructure Risk-----> Monitor & Evaluate (ME) ---->Supervisory Review
  • Availability Risk -------->Deliver & Support (DS) ------>IT Continuity Plan
  • Access Risk-------------> Deliver & Support (DS)------> IT Security Plan
  • Integrity Risk----------> Acquire & Implement (AI)---> Change Standard, procedures
  • Relevance Risk---------> Deliver & Support (DS)------> Business Requirements

Therefore, every organisation needs to evaluate whether its IT controls are sufficient to address and mitigate its IT risks.
