Auditing II
Dr. Yasmena Elashmawy
Lecturer of Accounting, Mansoura University
Staff Member of Accounting Department, Horus University
Lecture 4
Chapter 2:
Internal Control and COSO Framework
Learning Objectives
1) Describe the three primary objectives of effective internal control.
2) Contrast management’s responsibilities for maintaining internal
control with the auditor’s responsibilities for evaluating and reporting
on internal control.
3) Explain the five components of the COSO internal control
framework.
4) Explain how general controls and application controls reduce
information technology risks.
5) Identify types of information technology systems and their impact
on internal controls.
Learning Objective 4
Explain how general controls and application controls reduce
information technology risks
Internal Controls Specific to Information
Technology
• Technology can strengthen a company’s system of internal
control but can also provide challenges.
– To address risks associated with reliance on technology,
organizations often implement specific IT controls.
• Auditing standards describe two categories of controls
for IT systems:
– General controls.
– Application controls.
Figure 1: Relationship Between General
and Application Controls
General Controls
• There are six categories of general controls that have an
entity-wide effect on all IT functions:
– Administration of the IT function
– Separation of IT duties
– Systems development
– Physical and online security
– Backup and contingency planning
– Hardware controls
General Controls- Administration of the IT
function
The board of directors’ and senior management’s
attitude about IT affects the perceived importance of
IT within an organization.
Their oversight, resource allocation, and involvement
in key IT decisions each signal the importance of IT
to the organization.
General Controls- Separation of IT Duties
To respond to the risk of combining traditional custody, authorization,
and record-keeping responsibilities by having the computer perform
those tasks, well-controlled organizations separate key duties within
IT.
For example, there should be separation of IT duties to prevent IT
personnel from authorizing and recording transactions to cover the
theft of assets.
Ideally, responsibilities for IT management, systems development,
operations, and data control should be separated as follows:
IT management. The CIO (Chief Information Officer) or IT manager
should be responsible for oversight of the IT function to ensure that
activities are carried out consistent with the IT strategic plan.
• A security administrator should monitor both physical and online access
to hardware, software, and data files and investigate all security
breaches.
Systems development. Programmers should not have access to input
data or computer operations to avoid using their knowledge of the
system for personal benefit. They should be allowed to work only with
test copies of programs and data so they can only make software
changes after proper authorization.
Operations. Computer operators are responsible for the day-to-day
operations of the computer, following the schedule established by the
CIO.
Data control. Data input/output control personnel independently verify
the quality of input and the reasonableness of output.
Figure 2: Segregation of IT Duties
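The separation-of-duties rules on this slide can be checked mechanically against an access listing. The following is an added example, not part of the lecture: the privilege names, user ids and conflict pairs are constructed to encode the duties the slide says should be kept apart.

```python
"""Separation-of-IT-duties check over a constructed access listing.

Added example: the conflict pairs below encode the duties the slides say
should be kept apart. User ids and privilege names are constructed.
"""

# Each rule is a pair of privileges one person should not hold together,
# plus the reason taken from the slide text.
CONFLICT_RULES = [
    ({"authorize_transaction", "record_transaction"},
     "IT staff must not both authorize and record transactions"),
    ({"modify_program", "access_production_data"},
     "programmers may work only with test copies, not live data"),
    ({"modify_program", "operate_computer"},
     "programmers should not have access to computer operations"),
    ({"operate_computer", "verify_input_output"},
     "data control must be independent of operations"),
]


def sod_violations(access):
    """Return (user, privilege_a, privilege_b, reason) for every conflict.

    `access` maps a user id to the set of privileges granted to that user.
    Findings are ordered by user id, then by rule order.
    """
    findings = []
    for user, privs in sorted(access.items()):
        for pair, reason in CONFLICT_RULES:
            if pair <= privs:                      # both privileges held
                a, b = sorted(pair)
                findings.append((user, a, b, reason))
    return findings


# Constructed access listing for illustration.
SAMPLE_ACCESS = {
    "cio": {"approve_it_plan"},
    "dev_alice": {"modify_program", "access_test_data"},        # clean
    "dev_bob": {"modify_program", "access_production_data",
                "operate_computer"},                             # two conflicts
    "ops_carol": {"operate_computer"},
    "ctl_dave": {"verify_input_output", "record_transaction",
                 "authorize_transaction"},                       # one conflict
}

if __name__ == "__main__":
    for user, a, b, reason in sod_violations(SAMPLE_ACCESS):
        print(f"{user}: holds both {a!r} and {b!r}: {reason}")
```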
General Controls- Physical and Online Security
Physical controls over computers and restrictions to online
software and related data files decrease the risk of unauthorized
changes to programs and improper use of programs and data files.
General Controls- Hardware Controls
Hardware controls are built into computer equipment by
manufacturers to detect and report equipment failures.
General controls
Because general controls often apply to the entire entity and affect many
different software applications, auditors evaluate general controls for the
company as a whole.
Table 1: Categories of General
Controls
Application Controls
• Application controls are designed for each software application.
• These controls may be manual or automated and include:
– Input controls are designed to ensure that the information entered into the
computer is authorized, accurate, and complete.
– Processing controls prevent and detect errors while transaction data are
processed. General controls, especially controls related to systems
development and security, provide essential control for minimizing
processing errors.
– Output controls focus on detecting errors after processing is completed,
rather than on preventing errors. The most important output control is
review of the data for reasonableness by someone knowledgeable about the
output.
Table 2: Categories of Application
Controls
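The three application-control categories above can be made concrete over a batch of journal entries: input controls reject unauthorized, inaccurate or incomplete entries, a processing control reconciles batch totals, and an output control lists entries for reasonableness review. This is an added example, not from the lecture; the field names, the review limit and the sample batch are constructed.

```python
"""Input, processing and output controls over a constructed journal batch.
Added example: field names, review limit and sample entries are constructed."""
REQUIRED = ("id", "account", "debit", "credit", "prepared_by", "approved_by")

def input_control(entry):
    """Input control: authorized, accurate, complete. Returns error strings."""
    errors = [f"missing {f}" for f in REQUIRED if entry.get(f) in (None, "")]
    if errors:                                   # completeness first
        return errors
    if entry["approved_by"] == entry["prepared_by"]:
        errors.append("preparer approved own entry")      # authorization
    if not (entry["account"].isdigit() and len(entry["account"]) == 4):
        errors.append("account code must be 4 digits")    # accuracy: format
    if round(entry["debit"], 2) != round(entry["credit"], 2):
        errors.append("debits do not equal credits")      # accuracy: balance
    return errors

def processing_control(header, entries):
    """Processing control: batch record count and control total vs header."""
    errors = []
    if len(entries) != header["record_count"]:
        errors.append(f"record count {len(entries)} != {header['record_count']}")
    total = round(sum(e.get("debit", 0) for e in entries), 2)
    if total != header["control_total"]:
        errors.append(f"control total {total} != {header['control_total']}")
    return errors

def output_control(entries, limit):
    """Output control: ids of accepted entries a knowledgeable reviewer checks."""
    return [e["id"] for e in entries if e["debit"] > limit]

def run_batch(header, entries, review_limit=10_000.0):
    """Apply the three control categories and return one report dict."""
    rejected = {e.get("id"): errs for e in entries if (errs := input_control(e))}
    accepted = [e for e in entries if e.get("id") not in rejected]
    return {"rejected": rejected,
            "batch_errors": processing_control(header, entries),
            "for_review": output_control(accepted, review_limit)}

# Constructed batch: the header totals are what the submitting system claimed.
SAMPLE_HEADER = {"record_count": 4, "control_total": 28_700.00}
SAMPLE_ENTRIES = [
    {"id": "JE1", "account": "1100", "debit": 1_250.00, "credit": 1_250.00,
     "prepared_by": "erin", "approved_by": "frank"},      # valid
    {"id": "JE2", "account": "11A0", "debit": 12_000.00, "credit": 12_000.00,
     "prepared_by": "erin", "approved_by": "erin"},       # self-approved, bad code
    {"id": "JE3", "account": "2200", "debit": 500.00, "credit": 50.00,
     "prepared_by": "gus", "approved_by": ""},            # no approver
    {"id": "JE4", "account": "5100", "debit": 15_000.00, "credit": 15_000.00,
     "prepared_by": "hal", "approved_by": "ivy"},         # valid but large
]
```

Running `run_batch(SAMPLE_HEADER, SAMPLE_ENTRIES)` rejects JE2 and JE3, reports the control-total mismatch for the batch, and flags JE4 for reviewer inspection.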
Learning Objective 5
Identify types of information technology systems and their
impact on internal controls
Impact of IT Infrastructure on Internal
Control
• The accounting function’s use of complex IT networks,
databases, the Internet, cloud computing, and centralized IT
functions is now commonplace.
• The types of internal controls will vary based on the type and
complexity of the IT system.
• Types of information technology systems include:
– Local area networks (LANs): link equipment within a single or small
cluster of buildings and are used only within a company.
– Wide area networks (WANs): link equipment in larger geographic
regions, including global operations.
– Database management systems: allow clients to create databases that
include information that can be shared across multiple applications.
– Enterprise resource planning (ERP) systems: integrate numerous
aspects of an organization’s activities into one accounting information
system. ERP systems share data across accounting and nonaccounting
business functions of the organization.
• Companies use firewalls, encryption techniques, and
digital signatures to limit risks and to increase IT security.
• Many companies outsource some or all of their IT needs to
an independent organization rather than maintain an internal
IT center.