ACCA F1 Accountant in Business

Chapter 9 Control, security
and audit
Qiang Jiang
School of Business
Sichuan University, China
Topic list
1 Internal control systems
2 Internal control environment and procedures
3 Internal audit and internal control
4 External audit
5 IT systems security and safety
6 Building controls into an information system
1 Internal control systems
• Internal control is any action taken by
management to enhance the likelihood that
established objectives and goals will be
achieved.
• Historically, the development of internal control in the UK has been driven by corporate governance research. In particular, the Cadbury Report (1992), the Hampel Report (Rutterman Report, 1994) and the Turnbull Report (1999), the latter serving as guidance on the Combined Code, are regarded as the three milestones in the history of UK corporate governance and internal control.
1 Internal control systems
• Turnbull Report guideline: a sound system of internal control should
– Facilitate the company's effective and efficient operation by
enabling it to respond appropriately to significant
business, operational, financial, compliance and
other risks to achieving the company's objectives
– Ensure the quality of internal and external
reporting
– Ensure compliance with applicable laws and
regulations, and also with internal policies in respect of the
conduct of business
1 Internal control systems
• Framework for internal control
– Control environment
– Control procedures
• Turnbull report highlights
– Information and communication processes
– Processes for monitoring the continuing
effectiveness
2 Internal control environment and
procedures
• Control environment is the overall attitude,
awareness and actions of directors and
management regarding internal controls and
their importance in the entity.
• Control procedures are those policies and
procedures, in addition to the control
environment, which are established to achieve
the entity's specific objectives.
2 Internal control environment and
procedures
• Aims of internal checks
– Segregate tasks
– Create and preserve the records
– Break down routine procedures into separate
steps
– Reduce the possibility of fraud and error
2 Internal control environment and
procedures
• Classification of control procedures
– Administration
– Accounting
– Prevent
– Detect
– Correct
2 Internal control environment and
procedures
• Types of financial control procedure
Administration
– Segregation of duties
– Physical
– Authorisation and approval
– Management
– Supervision
– Organisation
– Arithmetical and accounting
– Personnel
2 Internal control environment and
procedures
• Characteristics of a good internal control
system
– A clearly defined organisation structure
– Adequate internal checks
– Acknowledgement of work done
– Protective devices for physical security
– Formal documents should acknowledge the
transfer of responsibility for goods
– Pre-review
2 Internal control environment and
procedures
– Clearly defined system for authorising transactions
within specified spending limits
– Post-review
– Authorisation, custody and re-ordering
procedures
– Personnel
– Internal audit
2 Internal control environment and
procedures
• Limitations on the effectiveness of internal
controls
– Segregation of duties can be circumvented by collusion
– Authorisation controls can be abused
– Management can often override the controls
3 Internal audit and internal control
• Internal audit is an independent appraisal
activity established within an organisation as a
service to it. It is a control which functions by
examining and evaluating the adequacy and
effectiveness of other controls; the
investigative techniques developed are
applied to the analysis of the effectiveness of
all parts of an entity's operations and
management.
• Internal audit is itself part of the internal control system.
3 Internal audit and internal control
• The need for internal audit depends on (Turnbull
Report):
– The scale, diversity and complexity of the company's
activities
– Number of employees
– Cost-benefit considerations
– Changes in organisational structures, reporting processes
or underlying information systems
– Change in key risks
– Problems with internal control systems
– Increased number of unexplained or unacceptable events
3 Internal audit and internal control
• Objectives of internal audit
– Review of the accounting and internal control
systems
– Examination of financial and operating
information
– Review of the economy, efficiency and
effectiveness of operations
– Review of compliance with laws, regulations and
other external requirements and with internal
policies and directives and other requirements
3 Internal audit and internal control
– Review of the safeguarding of assets
– Reviews of the implementation of corporate
objectives
– Identification of significant business and financial
risks, monitoring the organisation's overall risk
management policy and the risk management
strategies
– Special investigation into particular areas.
3 Internal audit and internal control
• Internal audit will assess:
– Adequacy of the risk management and response
processes
– Risk management and control culture
– Internal controls in operation to limit risks
– Operation and effectiveness of the risk
management processes
3 Internal audit and internal control
• The features of internal audit
– Independence
– Appraisal
3 Internal audit and internal control
• Types of audit
– Operational audit: concerned with any sphere of a
company's activities.
– Systems audit: testing and evaluation of the
internal controls
• Compliance tests
• Substantive tests
– Transactions audit
– Social audit
– Management investigations
3 Internal audit and internal control
• Accountability
– The auditor needs access to all parts of the
organisation
– The auditor must be free to comment on the performance
of management
– The auditor's report must be actioned at the highest
level
3 Internal audit and internal control
• Independence
– Responsibility structure
– Mandatory authority
– Auditor's own approach
4 External audit
• External audit is a periodic examination of the
books of account and records of an entity
carried out by an independent third party (the
auditor), to ensure that they have been
properly maintained, are accurate and comply
with established concepts, principles,
accounting standards and legal requirements,
and give a true and fair view of the financial
state of the entity.
4 External audit
• Differences between internal and external
audit
– Reason
– Reporting to
– Relating to
– Relationship with the company
4 External audit
• Relationship between external and internal
audit
– Periodic meeting to plan the overall audit
– Periodic meetings to discuss matters of mutual
interest
– Mutual access to audit programmes and working
papers
– Exchange of audit reports and management
letters
– Common development of audit
techniques, methods and terminology
4 External audit
• Assessment criteria by external auditors
– Organisational status
– Scope of function
– Technical competence
– Due professional care
5 IT systems security and safety
• Security, in information management
terms, means the protection of data from
accidental or deliberate threats which might
cause unauthorised modification, disclosure
or destruction of data, and the protection of
the information system from the degradation
or non-availability of services.
5 IT systems security and safety
• Aspects of security
– Prevention
– Detection
– Deterrence
– Recovery procedures
– Correction procedures
– Threat avoidance
5 IT systems security and safety
• Physical threats
– Fire
– Water
– Weather
– Lightning
– Terrorist activity
– Accidental damage
5 IT systems security and safety
• Physical access controls
– Personnel
– Door locks
– Lock: keypad system, card entry system
– Intruder alarms
6 Building controls into an information
system
• Security can be defined as the protection of
data from accidental or deliberate threats
which might cause unauthorised modification,
disclosure or destruction of data, and the
protection of the information system from the
degradation or non-availability of services.
6 Building controls into an information
system
• Risks to data
– Human error
– Processing the wrong files
– Technical error
– Natural disasters
– Deliberate actions
– Commercial espionage
– Malicious damage
– Industrial action
6 Building controls into an information
system
• Integrity controls
– Data integrity
– Systems integrity
6 Building controls into an information
system
• Input controls
• Processing controls
• Output controls
• Back-up controls
• Archiving
• Passwords and logical access systems
• Administrative controls
• Audit trail
• Systems integrity with a PC
• Systems integrity with a LAN
• Systems integrity with a WAN
6 Building controls into an information
system
• Contingency controls
– A contingency is an unscheduled interruption of
computing services that requires measures
outside the day-to-day routine operating
procedures.