control, audit and security - acca f1

COPYRIGHT © 2010 BY Mohammad Faizan Farooq Prepared & Complied by: Mohammad Faizan Farooq Qadri Attari ACCA (Finalist) http://www.ffqacca.co.cc Contact: [email protected] FFQA 1 CONTROL AUDIT & SECURITY

Post on 01-Apr-2015

198 views

Category:

Documents


4 download

DESCRIPTION

Control, Audit and Security - ACCA F1

TRANSCRIPT

Page 1: Control, Audit and Security - ACCA F1


CONTROL, AUDIT & SECURITY

Page 2: Control, Audit and Security - ACCA F1


Internal control

Internal control within an organisation is the system of control within the organisation that has been put in place in order to:

• prevent the system from getting out of control and failing to achieve its purpose, and so
• help the organisation to achieve its objectives and policies.

A useful definition of internal control was provided in 1992 in the US by the COSO Framework (COSO is the Committee of Sponsoring Organizations of the Treadway Commission). This defined internal control as: ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives’ in three particular areas: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.

• Risks to the effectiveness and efficiency of operations are ‘operational risks’, and controls designed to limit operational risks are ‘operational controls’. (These controls are tested by operational audits.)
• Risks affecting the reliability of financial reporting, as well as risks of financial fraud or error, are ‘financial risks’, which can be mitigated by ‘financial controls’.
• Risks of non-compliance with important aspects of the law or regulations are ‘compliance risks’, which can also be controlled by appropriate measures.

The purpose of internal control is therefore to apply control to the system by internal means and internal procedures and arrangements.

The five elements in a system of internal control

The COSO Framework identified five elements in a system of internal control. These are elements of internal control that must be in place and sufficient in order for internal control to be effective:

• a suitable control environment
• risk identification and assessment
• the design and application of internal controls
• information and communication
• monitoring

Page 3: Control, Audit and Security - ACCA F1


A control environment

A control environment is the control culture within the organisation, and the attitude of its employees toward ensuring that controls are adequate and properly applied. Individuals within an organisation will not take control seriously unless they are given direction from their bosses. The company’s directors are therefore responsible for the control environment, and the board of directors must establish policies on internal control. There should be a culture of control throughout the organisation, from the board down to all employees, but the leadership must come from the board, which sets the ‘tone at the top’.

Risk identification and assessment

There should be a system for the regular review of risks, identifying new risks and re-assessing existing risks. Risks that have been identified should be measured, to assess their significance (in terms of the probability of an adverse event and the amount of loss that might be incurred if an adverse event happens).

Risk assessment can be carried out by means of a systems audit. Tests of control in the external audit are also a form of risk assessment of current risks and existing internal controls.

Control activities (internal controls)

Controls for reducing risks should be designed and implemented. In financial reporting, the main risks are risks of error and fraud. Controls should be designed to eliminate a risk, but before effective controls can be designed, the risks must first be identified and assessed. Management need to know what the risk is and how serious it might be if it is not controlled.

Internal controls are a part of normal day-to-day operational activities and procedures. The features of internal financial controls are explained in more detail later.

Page 4: Control, Audit and Security - ACCA F1


Information and communication

An effective internal control system must have effective channels of communication, to ensure that all employees understand their responsibilities for control and that all relevant information reaches the individuals who need it. Controls cannot be applied effectively unless the individuals responsible for the controls are kept properly informed.

Monitoring

There should be regular monitoring and review of the effectiveness of the system of internal control. One way of monitoring internal control is to have an internal audit department, for carrying out reviews and reporting to senior management.

The consequences of weak internal financial control

When internal financial control is weak, there is a high risk of errors and fraud in the accounting records and the financial statements.

• When there is a large error, or an accumulation of smaller errors, the financial statements will not be reliable.
• Weak internal control makes it easier for fraudsters to operate. Fraud is a criminal activity, and is damaging to the company, its shareholders and possibly also its customers.
• In extreme cases, a company might operate in a condition close to insolvency without its management or its shareholders being aware of the problem. Weak corporate governance and weak financial control have been identified as the main causes of major corporate collapses in the past – and will probably be the cause of more corporate failures in the future.

Risks and internal financial controls

Financial risks

Financial risks have been described so far as the risk of an error in the accounts or deliberate fraud. It is useful to think about what types of error might occur in the accounting system.

• A transaction might be omitted from the accounts entirely. For example, a sale of goods on credit to a customer for $25,000 might not be recorded. If not, total sales will be under-stated by $25,000 and the amount owed by customers will also be under-stated by the same amount.
• A transaction might be recorded twice. For example, a credit sale of $25,000 to customer X might be recorded twice, so that total sales are recorded as $50,000.

Page 5: Control, Audit and Security - ACCA F1


• A transaction might be recorded with the wrong value. For example, an item of machinery that is purchased for $20,000 might be recorded in the accounts with a value of $30,000.
• Numbers might be added up incorrectly. For example, the total amount of money receivable from credit customers might be stated incorrectly in the financial statements because the amounts owed by each customer are added up incorrectly.
• A transaction might be recorded as the wrong type of transaction. For example, a sale to a customer might be recorded as a purchase, or as a sales return.

Types of internal controls

Internal financial controls are designed and implemented to deal with financial risks. There are two broad types of internal control.

• Preventative controls. These are controls that are designed to prevent the error (or fraud) from happening.
• Detective controls. These are controls that are designed to identify an error (or fraud) when it happens. When there are detective controls, there should also be corrective measures for correcting the error or dealing with the fraud.

Features of effective internal financial controls

Effective internal financial controls are controls that provide a high level of assurance that errors or fraud will be prevented, or will be detected when they happen. In addition, the cost of an internal control should not exceed the benefits obtained from implementing it.

Page 6: Control, Audit and Security - ACCA F1


Internal financial control procedures can be divided into eight types or categories, which might be remembered by the mnemonic SPAMSOAP.

Internal check

An internal check is a type of internal control. An internal check is intended to prevent errors or fraud, or to detect them quickly when they occur. In financial accounting, an internal check involves arranging accounting tasks and duties so that no single task is performed from beginning to end by just one person. In this way, the work of each individual is subject to an independent check in the course of the work that is done by somebody else.
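The internal check described above, and the preventative/detective split from the previous section, can be enforced in software as a maker-checker rule. The following is an added example and not part of the ACCA notes: a payments run in which the person who raises a payment may not approve it, and the batch is released only when a checker's independently supplied control total agrees with the run. The payment references, user names and amounts are constructed sample values.

```python
"""Maker-checker (internal check) on a payments run: added illustration."""
from dataclasses import dataclass, field
from typing import Optional


class ControlViolation(Exception):
    """Raised when an internal check would be bypassed."""


@dataclass
class Payment:
    ref: str
    amount: int                      # whole currency units (constructed sample data)
    raised_by: str
    approved_by: Optional[str] = None


@dataclass
class PaymentRun:
    payments: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)   # who did what, in order

    def raise_payment(self, ref: str, amount: int, user: str) -> Payment:
        """Preventative control: a non-positive amount is rejected at input."""
        if amount <= 0:
            raise ControlViolation(f"{ref}: amount must be positive")
        p = Payment(ref, amount, raised_by=user)
        self.payments.append(p)
        self.audit_trail.append(("raised", ref, user))
        return p

    def approve(self, ref: str, user: str) -> Payment:
        """The internal check: no single person completes the task end to end."""
        p = next(x for x in self.payments if x.ref == ref)
        if user == p.raised_by:
            raise ControlViolation(f"{ref}: {user} cannot approve a payment they raised")
        p.approved_by = user
        self.audit_trail.append(("approved", ref, user))
        return p

    def release(self, expected_total: int) -> int:
        """Detective control: release only if every payment has an independent
        approver and the checker's own control total agrees with the run."""
        unapproved = [p.ref for p in self.payments if p.approved_by is None]
        if unapproved:
            raise ControlViolation(f"unapproved payments: {unapproved}")
        actual = sum(p.amount for p in self.payments)
        if actual != expected_total:
            raise ControlViolation(f"control total mismatch: run {actual} != checker {expected_total}")
        self.audit_trail.append(("released", len(self.payments), actual))
        return actual


def demo() -> int:
    """Constructed walk-through: alice raises two payments, bob approves, run released."""
    run = PaymentRun()
    run.raise_payment("P001", 25000, "alice")
    run.raise_payment("P002", 12000, "alice")
    try:
        run.approve("P001", "alice")          # blocked: same person raised it
    except ControlViolation:
        pass
    run.approve("P001", "bob")
    run.approve("P002", "bob")
    return run.release(expected_total=37000)  # returns 37000


if __name__ == "__main__":
    print(demo())
```

The audit trail list is the transaction trace the later "audit trails" bullet refers to: every action is recorded with who performed it, so a reviewer can see that raise and approve were done by different people.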

Page 7: Control, Audit and Security - ACCA F1


IT system security and controls

Threats to IT system security

Business organisations rely on IT systems to function. Computer systems need to be kept secure from errors, breakdown, unauthorised access and corruption. Some of the major risks to IT systems are as follows:

• Human error: individuals make mistakes.
• Technical error: loss or corruption of data.
• Natural disasters.
• Sabotage/criminal damage: criminal damage, theft, terrorist attack.
• Deliberate corruption: viruses, hackers.
• The loss of key personnel with specialist knowledge about a system.
• The exposure of system data to unauthorised users.

In addition, there are risks within the computer software itself:

• The software might have been written with mistakes in it, so that it fails to process all the data properly.
• The software should contain controls as a check against errors in processing, such as human errors with the input of data from keyboard and mouse. The software might not contain enough in-built controls against the risk of input error and other processing errors.

General controls and application controls

Controls in IT can be divided into two categories:

• general controls
• application controls.

General controls are controls that are applied to all IT systems and in particular to the development, security and use of computer programs. Examples of general controls are:

• physical security measures and controls
• physical protection against risks to the continuity of IT operations
• general controls within the system software such as passwords, encryption software, and software firewalls
• general controls over the introduction and use of new versions of a computer program

Page 8: Control, Audit and Security - ACCA F1


Application controls are specific controls that are unique to a particular IT system or IT application. They include controls that are written into the computer software, such as data validation checks on data input.

Passwords

A computer password is defined as ‘a sequence of characters that must be presented to a computer system before it will allow access to the system or parts of a system’.

Passwords should be changed regularly, and employees should be continually reminded to change passwords. Users should be required to use passwords that are not easy to guess: for example, an organisation might require its employees to use passwords that are at least 8 characters long and include a mixture of letters and numbers.
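The policy in the paragraph above (at least 8 characters, letters and numbers mixed) can be enforced when a password is first set. The following is an added example, not from the ACCA notes: it checks a candidate password against that rule and goes one step beyond the notes by showing how the system stores a salted hash of the password rather than the password itself, so that a copy of the stored data does not reveal users' passwords. The iteration count and the sample passwords are assumptions chosen for the illustration.

```python
"""Password policy check and salted hashing: added illustration."""
import hashlib
import hmac
import os

MIN_LENGTH = 8          # the notes' example rule: at least 8 characters
PBKDF2_ROUNDS = 200_000  # assumed work factor for the illustration


def policy_violations(password: str) -> list:
    """Return the list of policy rules the candidate password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numbers")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest).
    A fresh random salt means two users with the same password get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def enrol(password: str) -> tuple:
    """Reject a password that breaks policy; otherwise return the (salt, digest) to store."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("abc1", "abcdefgh", "12345678", "summer2024"):   # constructed samples
        print(candidate, policy_violations(candidate) or "acceptable")
    salt, digest = enrol("summer2024")
    print("verify correct:", verify_password("summer2024", salt, digest))
    print("verify wrong:  ", verify_password("Summer2024", salt, digest))
```

Only the salt and digest are stored; the password itself never is, which is what makes the control useful when the user file is exposed.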

Encryption

Encryption involves the coding of data into a form that is not understandable to the casual reader. Data can be encrypted (converted into a coded language) using an encryption key in the software. A hacker into a system holding data in encrypted form would not be able to read the data, and would not be able to convert it back into a readable form (‘decrypt the data’) without a special decryption key.

Preventing or detecting hackers

Controls to prevent or detect hacking include:

• physical security measures to prevent unauthorised access to computer terminals
• the use of passwords
• the encryption of data
• audit trails, so that transactions can be traced through the system when hacking is suspected
• network logs, whereby network servers record attempts to gain access to the system
• firewalls.

Page 9: Control, Audit and Security - ACCA F1


FOR PREPARATION AND TUITION OF F1 TO F9 CONTACT: [email protected] OR 0334-3440590

Page 10: Control, Audit and Security - ACCA F1


Firewalls

Firewalls are either software or a hardware device (between the user’s computer and modem). Computer users might have both. The purpose of a firewall is to detect and prevent any attempt to gain unauthorised entry through the Internet into a user’s computer or Intranet system.

A firewall:

• will block suspicious messages from the Internet, and prevent them from entering the user’s computer, and
• may provide an on-screen report to the user whenever it has blocked a message, so that the user is aware of the existence of the messages.
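The two behaviours listed above (block what is not permitted, and report each block) are what a packet-filtering firewall does. The following is an added example, not from the ACCA notes: a rule list evaluated first match wins, with anything that matches no rule denied by default, and a report line produced for every blocked message. The rule set, the address ranges and the sample packets are constructed for the illustration.

```python
"""First-match packet filter with default deny and a blocked-message report: added illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # source network in CIDR form
    dst_port: Optional[int]    # None means any port
    proto: str                 # "tcp" or "udp"


# Constructed rule set: explicit denies first, then what the intranet is allowed to reach.
RULES = [
    Rule("deny", "0.0.0.0/0", 23, "tcp"),            # never accept telnet from anywhere
    Rule("allow", "192.168.1.0/24", 443, "tcp"),     # HTTPS from the office LAN
    Rule("allow", "192.168.1.0/24", 80, "tcp"),      # HTTP from the office LAN
    Rule("allow", "10.0.0.0/8", None, "udp"),        # any UDP port from the intranet range
]

# Constructed sample traffic: (source address, destination port, protocol).
SAMPLE_PACKETS = [
    ("192.168.1.10", 443, "tcp"),
    ("192.168.1.10", 23, "tcp"),
    ("203.0.113.5", 443, "tcp"),
    ("10.2.3.4", 53, "udp"),
]


def evaluate(rules: list, src_ip: str, dst_port: int, proto: str) -> tuple:
    """Return (action, matching rule); the first rule that matches decides.
    If nothing matches the packet is denied, which is the safe default."""
    for rule in rules:
        if rule.proto != proto:
            continue
        if ip_address(src_ip) not in ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action, rule
    return "deny", None


def filter_packets(rules: list, packets: list) -> tuple:
    """Split packets into those passed through and a report line per blocked packet."""
    allowed, reports = [], []
    for src, port, proto in packets:
        action, rule = evaluate(rules, src, port, proto)
        if action == "allow":
            allowed.append((src, port, proto))
        else:
            why = f"matched rule {rule}" if rule else "no rule matched (default deny)"
            reports.append(f"BLOCKED {proto} from {src} to port {port}: {why}")
    return allowed, reports


def demo() -> tuple:
    return filter_packets(RULES, SAMPLE_PACKETS)


if __name__ == "__main__":
    allowed, reports = demo()
    print("passed:", allowed)
    for line in reports:
        print(line)
```

Rule order matters: because the telnet deny sits above the LAN allows, a LAN host trying port 23 is blocked even though the LAN is otherwise trusted.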

Computer viruses

Viruses are computer software that is designed to deliberately corrupt computer systems. Viruses can be introduced into a system on a file containing the virus. A virus may be contained:

• in a file attachment to an e-mail, or
• on a backing storage device such as a CD.

The term ‘virus’ might also be used to describe other methods of corrupting a system.

Trojan horses: whilst the user thinks that the system is carrying out one program, the Trojan horse secretly carries on another.

Worms: this is corrupt data that replicates itself within the system, moving from one file or program to another.

Trap doors: a trap door is an entry point to a system that bypasses the normal controls to prevent unauthorised entry.

Logic bombs: this is a virus that is designed to start ‘working’ (corrupting the files or data processing) when a certain event occurs.

Time bombs: this is a virus that is designed to start ‘working’ (corrupting the files or data processing) on a certain date.

Page 11: Control, Audit and Security - ACCA F1


IT Standards

A range of IT Standards have been issued. For example, the International Standards Organisation (ISO) has issued IT security system standards. There are also IT Standards for the development and testing of new IT systems. IT Standards are a form of general control within IT that help to reduce the risk of IT system weaknesses and processing errors, for entities that apply the Standards.

Application controls

Application controls are controls that are designed for a specific IT system. One example of application controls is data validation. Data validation checks are checks on specific items of data that are input to a computer system, to test the logical ‘correctness’ of the data. If an item of data appears to be incorrect, the system does not process the data: instead it issues a data validation report, so that the apparent error can be checked and corrected if appropriate.
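The data validation paragraph above, together with the list of accounting error types earlier in the notes (omission, duplication, wrong value, wrong addition, wrong transaction type), can be brought together in one input routine. The following is an added example and not part of the ACCA notes: a batch of keyed sales ledger entries is put through a range check, a credit limit check, a duplicate check and a transaction-type check, and the batch header's count and value are reconciled against what was keyed as a control total. Rejected items go into a validation report rather than being posted. The customer codes, credit limits, ceiling amount and sample entries are constructed for the illustration.

```python
"""Data validation on a batch of sales ledger input: added illustration."""
from collections import Counter

VALID_TYPES = {"SALE", "RETURN", "PURCHASE"}
MAX_AMOUNT = 100_000                                # assumed range-check ceiling
CREDIT_LIMITS = {"C100": 60_000, "C200": 30_000}    # constructed customer credit limits


def validate_batch(header_total: int, header_count: int, entries: list) -> tuple:
    """entries: list of dicts with keys ref, customer, type, amount.
    Returns (accepted entries, validation report as a list of (ref, problems))."""
    report, accepted = [], []
    # Count identical keyed lines so a transaction recorded twice is caught.
    seen = Counter((e["customer"], e["type"], e["amount"]) for e in entries)
    exposure = {}                                    # running credit sales per customer
    for e in entries:
        problems = []
        if e["type"] not in VALID_TYPES:             # wrong type of transaction
            problems.append(f"unknown transaction type {e['type']!r}")
        if not (0 < e["amount"] <= MAX_AMOUNT):      # range check on the value keyed
            problems.append(f"amount {e['amount']} outside range 1..{MAX_AMOUNT}")
        if seen[(e["customer"], e["type"], e["amount"])] > 1:
            problems.append("possible duplicate of another entry in this batch")
        if e["type"] == "SALE":                      # limit check against the credit limit
            new_exposure = exposure.get(e["customer"], 0) + e["amount"]
            limit = CREDIT_LIMITS.get(e["customer"])
            if limit is not None and new_exposure > limit:
                problems.append(f"credit limit {limit} exceeded ({new_exposure})")
        if problems:
            report.append((e["ref"], problems))
        else:
            accepted.append(e)
            if e["type"] == "SALE":
                exposure[e["customer"]] = exposure.get(e["customer"], 0) + e["amount"]
    # Control total: the count and value on the batch header must agree with what was keyed,
    # which catches an omitted line or a mis-added batch.
    keyed_total = sum(e["amount"] for e in entries)
    if keyed_total != header_total or len(entries) != header_count:
        report.append(("BATCH", [
            f"control total mismatch: keyed {len(entries)} lines/{keyed_total} "
            f"vs header {header_count} lines/{header_total}"]))
    return accepted, report


# Constructed sample batch, with the header totals as the input clerk wrote them.
SAMPLE_ENTRIES = [
    {"ref": "T1", "customer": "C100", "type": "SALE", "amount": 25_000},
    {"ref": "T2", "customer": "C100", "type": "SALE", "amount": 25_000},    # keyed twice
    {"ref": "T3", "customer": "C200", "type": "SELL", "amount": 5_000},     # wrong type
    {"ref": "T4", "customer": "C200", "type": "SALE", "amount": 300_000},   # out of range
    {"ref": "T5", "customer": "C200", "type": "RETURN", "amount": 2_000},
]
SAMPLE_HEADER = {"count": 5, "total": 357_000}


def demo() -> tuple:
    return validate_batch(SAMPLE_HEADER["total"], SAMPLE_HEADER["count"], SAMPLE_ENTRIES)


if __name__ == "__main__":
    accepted, report = demo()
    print("posted:", [e["ref"] for e in accepted])
    for ref, problems in report:
        print(f"REJECTED {ref}: " + "; ".join(problems))
```

Of the quiz's four options, range checks, limit checks and control totals all appear here as input-time checks; an audit trail is a different kind of control, a record of what was processed rather than a test applied before processing.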

AUDIT

Internal audit and internal control

Internal audit is one part of an internal control system which assesses the effectiveness of other controls. The work of the internal audit department may cover the following broad areas:

(a) Review of accounting and internal control systems
(b) Examination of financial and operating information
(c) Review of the economy, efficiency and effectiveness of operations
(d) Review of compliance
(e) Review of safeguarding of assets
(f) Review of implementation of corporate objectives
(g) Identification of significant business risks, monitoring overall risk management policy and monitoring risk management strategies
(h) Special investigations

Internal auditors' work depends on the scope and priority of the identified risks. They may have to conduct a risk assessment from which they will recommend an appropriate framework.

The key features of good internal audit:

(a) Independence
(b) Appraisal

There are five different types of audit to be aware of:

(a) Operational
(b) Systems
(c) Transactions
(d) Social
(e) Management investigations

Page 12: Control, Audit and Security - ACCA F1


Operational audits monitor management's performance and are sometimes known as 'management', 'efficiency' or 'value for money' audits.

Systems audits test and evaluate internal controls. Typically there are two types of test:

• Compliance (controls are applied as laid down)
• Substantive (seeking errors and omissions)

If compliance tests reveal that internal controls are working satisfactorily then the amount of substantive testing can be reduced.

A transactions audit aims to detect fraud and uses only substantive tests.

Ideally the internal audit department should report to the audit committee of the board of directors, as it is then free to report on all levels of management and can ensure that any of its recommendations are implemented. The internal audit department plays a significant part in an organisation's risk management.

External audit

External audit is the regular examination of the organisation's records by an outside party to ensure that they have been properly maintained and give a true and fair view of the entity's financial state.

The key differences between internal and external audit are:

There should be co-ordination between the external and internal auditors to ensure that duplication of work is minimised and controls enhanced.

If external auditors rely to an extent on the work of the internal audit department they will consider:

(a) Organisational status
(b) Scope of internal audit functions
(c) Technical competence
(d) Due professional care

Page 13: Control, Audit and Security - ACCA F1


QUESTION FFQA

Internal auditors are employees of the company's external auditors who work full time auditing the company's accounts. True or false?

A True
B False

QUESTION FFQA

Which of the following is not an inherent limitation of an internal control system?

A Procedures manual
B Non-routine transactions
C Management bypassing controls
D Employee collusion

QUESTION FFQA

Which of the following is an incorrect statement regarding the external auditors?

A They report to the Board of Directors
B Their work relates to financial statements
C They express an opinion on the financial statements
D They are independent of the company and its management

QUESTION FFQA

Which of the following is not a method of data validation?

A Audit trails
B Range checks
C Control totals
D Limit checks

QUESTION FFQA

Which of the following is not suggested by Turnbull to help ensure a strong control environment?

A Clear definition of authority
B Clear strategies
C Good internal communications
D Reconciliations