Internal Control II

Question 1

What are the five types of controls?

Answer 1

1. Authorisation
2. Performance reviews
3. Information processing controls
4. Physical controls
5. Segregation of duties

Question 2

What is meant by authorisation?

Answer 2

– Activities and procedures to assure transactions and events are carried out by those with the appropriate authority.
– Set defined roles, responsibilities and adherence mechanisms for individuals within the organisation.

Question 3

What is meant by performance reviews?

Answer 3

– Review or analysis of performance, comparing actual outcomes with those that were expected or planned.

Question 4

What is meant by information processing controls?

Answer 4

– Work towards the accuracy, completeness and authorisation of
transactions.
* Accuracy: data entered is correct and reflects actual recorded
events.
* Completeness: all events are recorded.
* Authorisation (Validity): whether or not the events that occur are
appropriately approved before being executed.
* Computerised information systems – aims to ensure transactions
are properly authorised, recorded and completely processed in
timely manner.
– General controls: policies and procedures that support
applications and application controls.
– Application controls: manual or automated procedures, at
business process level, related to the processing of transactions
by individual applications.

Question 5

What is meant by physical controls?

Answer 5

– Controls put in place to physically protect the resources of the
organisation, including protecting them from the risk of theft or
damage.

Question 6

What is meant by segregation of duties?

Answer 6

– Certain key functions should not be performed by the same
person. Assign the execution, recording, custody, reconciliation
and authorisation functions to different individuals.
– Also applies across the IT systems within the organisation.

Question 7

What are the three controls classifications?

Answer 7

• Preventive – are designed to stop errors or irregularities
  occurring.
• Detective – to alert those involved in the system when
  an error or anomaly occurs.
• Corrective – are designed to correct an error or
  irregularity after it has occurred.

Question 8

What is meant by proper authorisation?

Answer 8

– Appropriate authority given prior to the execution of transactions
or the modification to the data.

Question 9

What is meant by proper recording?

Answer 9

• ensuring all data is recorded in the correct format and of the right
  type.
• the data accurately records the reality of the underlying transaction
  or event.

Question 10

What is meant by completeness?

Answer 10

• Input completeness: all transaction events and required data
  are captured.

Question 11

What is meant by timeliness?

Answer 11

– Data is captured, processed, stored and made accessible in a
timely manner.

Question 12

What are general controls?

Answer 12

Controls that relate across all the
information systems in an organisation.

Question 13

What are the different general controls?

Answer 13

– physical controls
– segregation of duties
– user access
– systems development procedures
– user awareness of risks
– data storage procedures
– security policies

Question 14

What are physical controls?

Answer 14

Concerned with restricting access
to the physical resources.

Question 15

What is segregation of duties?

Answer 15

The separating of employee duties and responsibilities in a way that ensures that an individual employee cannot carry out a fraud
without being detected.

Question 16

What is user access?

Answer 16

– Logical access of users to the systems within the organisation.

Question 17

What are systems development procedures?

Answer 17

– Maintenance and development of different information systems.
– Requires policies, procedures and restrictions.

Question 18

What is user awareness of risks?

Answer 18

Security education training and awareness (SETA) programs to
ensure employees are aware of:
- Information system risks.
- Security threats and issues.
- Organisational ecurity policies
- The policies for detectin of fraud.

Question 19

What is data storage procedures?

Answer 19

– Information about customers, staff and intellectual property is
stored on servers.
– Need to manage data storage risks (locally or in the cloud).
– Controls for data: data access logs, restriction of user privileges
– Controls for backup: backup policies, offsite backup facilities,
scheduling of backups and real-time backups if needed.

Question 20

What are security policies?

Answer 20

– Information security policies to protect electronic
resources.
* Document an organisation’s approach to security.
* Usually by following a framework and/or standard.
* Should be understood and used by all users.

Question 21

What makes application controls and what activities do these relate to?

Answer 21

They are built around the operation of a particular process. They relate to the key system stages of: input, processing, output

Question 22

When are internal controls used and what do they aim to do?

Answer 22

They are used on data as it enters the system. Aim to provide reasonable assurance about the accuracy,
validity and completeness of data being entered.

Question 23

Define the input control for data entry, standardised forms/preformatted screens.