Internal Controls & IT General Controls 1

Question 1

What is the COBIT framework?

Answer 1

• “Control Objectives for Info and Related Technologies”
• Created by IT Governance Institute (ITGI) of the Info Systems Audit and Control Association (ISACA)
• Recommends best practices framework and methods of evaluation of IT controls
• From IT Process perspective, life cycle view
• Systems model looks at controls from data processing or infosys view

Question 2

What is the COSO framework?

Answer 2

• “Committee of Sponsoring Orgs” developed framework of IC (btwn 1985-1992)
• COSO Model of IC

Question 3

What is the COSO definition of “Internal Controls”?

Answer 3

• A process effected by BOD, mgmt and other personnel, designed to provide reasonable assurance regarding achievement of objectives in:
  (1) effectiveness and efficiency of operations
  (2) reliability of financial reporting and
  (3) compliance w/ applicable laws and regs

Question 4

What is the definition of Control Deficiency (CD)?

Answer 4

• The design or operation of control does not allow mgmt or employees, in normal course of performing their assigned functions, to prevent, or detect and correct misstatements in a timely basis.

Question 5

What is the definition of Material Weakness (MW)?

Answer 5

• A deficiency, or combo of deficiencies, in internal control, such that there is a reasonable possibility that material misstatement of entity’s FS will not be prevented, or detected and corrected in a timely basis.
• Auditor is required to communicate in writing to those charged w/
  governance, by report release date

Question 6

What is the definition of Significant Deficiency (SD)?

Answer 6

• A deficiency, or combo of deficiencies, in IC
• Less severe than MW, but important to get attention by those charged w/ governance
• Auditor is required to communicate in writing to those charged w/
  governance, by report release date

Question 7

What SAS No defines the following terms:

(1) Control Deficiency
(2) Material Weakness and
(3) Significant Deficiency

Answer 7

• SAS 115, “Communicating ICs Related Matters ID’d in an Audit”.
• PCAOB identical definitions AS5, “An Audit of IC Over Financial Reporting Integrated w/ Audit of FS”

Question 8

What are 7 key axioms that affect affect the management of controls?

Answer 8

RRECOCD

(1) Controls are responsibility of mgmt.
(2) Controls can only provide reasonable assurance.
(3) There is always possibility of error, even in automated controls.
(4) There is always possibility of circumvention of controls.
(5) There is always possibility of mgmt override of controls.
(6) Control environment changes over time.
(7) Possible that downstream manual controls mitigate IT risk.

Question 9

What are the 3 general types of Controls?

Answer 9

(1) Manual (human intervention)
(2) Automated (application control)
(3) Hybrid (partly manual and automated aka “IT-dependent”)

Question 10

What are Manual Controls?

Answer 10

• Rely on human intervention to function
• Longer manual control functions, more likely slackness introduced into a full due diligence of performing that control
• Subject to human frailties like emotions, physical problems (lack of sleep), psychological, political issues that cause improper execution of manual control
• Generally, manual control not as reliable as same if automated

Question 11

What are Automated Controls?

Answer 11

• Control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates or events
• Designed to work w/in IT or apps and function automatically as related business process occurs
• May be tied to technologies, like transferring data from one system to another (where automatic reconciliation may occur)
• Once implemented, operate in same manner repeatedly (for identical set of circumstances), for infinite number of occurrences
• For this reason that AS5 and SAS 109 both say that it is possible, under right circumstances, that ToC could be a single instance
• Generally more reliable that manual controls

Question 12

What are examples of Hybrid Controls?

Answer 12

• Partly manual and automated
• Ex: Set automated flags in programs to ensure proper sequence of programs.
• At end of each run, program prints interim report, reconciled or reviewed by an employee.
• Once reconciled or reviewed, next program in series initiated.
• If automated flag from previous program is set “on” (ran), program will execute, lead to another printout/review.
• The final application print final report and reset all automated “flags” to “off”.
• Usually, checklist documents each reconciled/review and the series of process.

Question 13

What are 4 primary processes (Domains) under COBIT?

Answer 13

PO AI DS M

(1) Planning and Organizing (PO)
(2) Acquire and Implement (AI)
(3) Deliver and Support (DS)
(4) Monitor and Evaluate (M)

Question 14

What is the IT Assurance Framework (ITAF)?

Answer 14

• Focus on design, conduct and reporting IT audit and assurance assignments rather than IT processes of COBIT
• Stated purpose is to provide guidelines for formal IT audits and assessments of IT controls
• ITAF is organized around assurance or assessment activity and focuses on ICs
• In addition to COBIT, ISACA has this framework

Question 15

What are 3 components when Scoping an IT Audit?

Answer 15

• Scope equals the OVERLAP of these 3 components:
  (1) Objective
• CITP can recognize where objective of IT-related control overlaps w/ objective of substantive procedure
• Ideal for uncovering opportunities to use IT-related procedures vs. labor intensive
  substantive procedures
• If objectives overlap, then either ToC or substantive procedure could serve purposes of need for FAP
  (2) RMM (Level of Risk)
• Incorporate RBA Risk-Based Approach
  (3) IT Space of the entity
• Includes all elements of entity IT function