New Notes AutoRecovered

The document outlines the auditing of finance and accounting functions, detailing key components, control objectives, and risks associated with various financial processes such as treasury, payroll, accounts payable, and more. It emphasizes the importance of accurate financial reporting and compliance with regulations while also addressing spreadsheet design best practices and tools for process improvement like flowcharts. The document serves as a comprehensive guide for internal auditors to assess and enhance the effectiveness of financial operations.

Uploaded by

Enny Dump

FILE 1: AUDITING THE FINANCE AND ACCOUNTING FUNCTIONS

Finance and accounting areas have long been the traditional domain of the internal auditor, perhaps to the
extent that management only thought of internal auditing in terms of conducting reviews of accounting
records.

SYSTEM/ FUNCTION COMPONENTS OF THE FINANCIAL AND ACCOUNTING ENVIRONMENT

DEFINING THE FINANCE AND ACCOUNTING UNIVERSE


- Functionally, based upon the discrete accounting departments that are in place.
- By financial cycle: revenue cycle, expenditure cycle, or treasury cycle.
o Cycle—a series of events that repeat in a predictable pattern (repetition).
o Process—a series of actions or steps taken to achieve something (progress towards a goal).

Key Functions, Systems, or Activities


- Treasury
- Payroll
- Accounts Payable
- Accounts Receivable
- General Ledger/ Management Accounts
- Fixed Assets (Capital Charges)
- Budgeting and Monitoring
- Bank Accounts and Banking Arrangements
- Sales Tax (VAT) Accounting
- Taxation
- Inventories
- Product/ Project Accounting
- Petty Cash and Expenses
- Financial Information and Reporting
- Investments

CONTROL OBJECTIVES, RISKS, AND CONTROL ISSUES


1. Treasury—adequacy of funding and the accountability for transactions, which are normally of high
value.
Control Objectives:
a. Ensure that the organization’s funds are appropriately managed with the aim of providing an
adequate level of working capital.
b. Ensure that suitable and secure investments, financial instruments, and such are utilized to the
maximum benefit of the organization and within the constraints of the prevailing laws and
regulations.
c. Ensure that treasury staff are suitably experienced and qualified and operate within the limits of
established policy and practices.
d. Ensure that treasury activities are monitored as part of an overall view of risk management.
e. Prevent the processing of unauthorized and fraudulent transactions.

2. Payroll—incorporates the initial authorized set-up of new employees, the processing of suitably
authorized amendments (salary increase, holiday pay, bonuses), periodic payroll runs, payment
arrangements, correct accounting for taxation, national insurance deductions, reconciliation of
payroll, and removal of employees from the payroll.
Control Objectives:
a. Only valid employees are paid and at the correct and authorized rate.
b. Ensure that calculations of all payments and deductions are correct and in accord with the
relevant taxation and other regulations and requirements.
c. Ensure that all deductions are correctly disbursed.
d. Ensure that unauthorized access to the payroll system and data is prevented.
e. Ensure that all payroll transactions are accurately reflected in the accounting systems.
f. Ensure that regular, accurate management and statutory information is produced.

3. Accounts Payable—incorporates related processes such as linking to the original purchase orders or
instructions, confirmation of the receipt of goods/ services, confirming the accuracy and validity of
invoices, obtaining the authority to pay, maintenance of accurate creditor records, and account
settlement.
Control Objectives:
a. Ensure that all payments are for valid and suitably approved creditor accounts for goods and
services actually received.
b. Ensure that all payments are correct and accurately reflected in the accounting system.
c. Ensure that the prevailing sales tax or VAT regulations are correctly complied with.
d. Ensure that good relationships are maintained with key suppliers.
e. Prevent the possibility of supplier or staff malpractice.

4. Accounts Receivable—linkages to the vetting of customers for their stability and to sales order
processing.
Control Objectives
a. Ensure that all income generating activities are identified and accurately invoiced to customers.
b. Ensure that all invoices are paid, and the income is correctly identified and accounted for and
reflected in accounts.
c. Minimize the extent of debt and provide for the prompt follow-up of overdue accounts.
d. Maintain the integrity of the accounts receivable system and data.

5. General Ledger/ Management Accounts—the effects of all economic events are reflected in the
general ledger system, which is used to generate financial information for both internal and external
consumption and must operate in a stable and secure environment.
Control Objectives:
a. Ensure that the general ledger and management accounts are accurate, reliable, and
appropriately reflect the structure and operations of the organization.
b. Ensure that the accounting data is capable of meaningful and accurate analysis in order to
support management decisions and actions.
c. Ensure that the accounting records are maintained in accordance with the prevailing laws,
regulations, and professional good practice.
d. Ensure that the accounting information can be used to generate all the required statutory
published accounting statements.

6. Fixed Assets (and Capital Charges)—investments in fixed assets, appropriate authorization for
capital acquisition, accurate and complete accounting processes covering the purchase, depreciation,
verification, and eventual disposal of the assets.
Control Objectives:
a. Ensure that assets are correctly and accurately reflected in the accounts.
b. Ensure that all capital expenditure is justified and approved.
c. Ensure that all assets are identified, recorded and regularly verified.
d. Ensure that depreciation is appropriate and in accordance with both company policy and the
prevailing regulations.
e. Ensure that all asset disposals and write-offs are valid, authorized, and correctly reflected in the
accounts.
f. Ensure that assets are appropriately protected and insured.

7. Budgeting and Monitoring—the general budgeting framework (how the budgets are initially generated,
authorized and rolled out) and the allocated responsibilities for subsequently monitoring actual
performance against budget (identifying and reacting to significant variances, authorizing budget
amendments).
Control Objectives:
a. Provide an accurate and reliable budgeting system as a means to ensure that agreed financial and
business objectives are achieved.
b. Provide a realistic and accurate budgeting framework and plan which accurately reflects the
structure and operations of the organization.
c. Provide management with a means to monitor progress against financial targets.
d. Ensure that variations, deviations, and failures to achieve targets are promptly identified for
management action.

8. Bank Accounts and Banking Arrangements—affects all businesses. Due attention should be paid
to the control and monitoring of account usage, especially in terms of devolved authorities such as
cheque signatories and fund transfers. Independent and effective account reconciliations to internal
records are essential, as they can limit the possibility of defalcation passing undetected.
Control Objectives:
a. Ensure that banking arrangements and facilities are appropriate and adequate for the business.
b. Ensure that all transactions are bona fide, accurate, and authorized whenever necessary.
c. Ensure that overdraft facilities are authorized and correctly operated within the limits defined by
management and the organization’s bankers.
d. Ensure that fund transfers and automated methods of effecting banking transactions are valid, in
the best interest of the organization, and authorized.
e. Ensure that the potential for staff malpractice and fraud is minimized.
f. Ensure that all income is banked without delay.
g. Ensure that banking charges are effectively monitored and minimized.

9. Sales Tax (VAT) Accounting—uses VAT as the standard model, but this can easily be modified and applied
to other sales taxation regimes. VAT covers registration, the calculation of and accounting for input and
output VAT, the production and submission of regular VAT returns, and the settlement of any taxes due.
Control Objectives:
a. Ensure that all valid input and output VAT is accurately identified at the appropriate rate,
recorded, and reported.
b. Ensure that the correct net value of VAT is either reclaimed or paid over and supported by the
relevant return.
c. Ensure that the prevailing VAT regulations are correctly observed at all times.
d. Ensure that the business remains correctly registered for VAT and correctly displays its
registration number on all relevant documentation.

10. Taxation—each organization will have in place a taxation policy which takes into account all the
factors relevant to its own trading and fiscal situation. The subject of taxation can be simply viewed as a
balance between minimizing liabilities and ensuring compliance with often very complex regulations.
Control Objectives:
a. Ensure that all tax affairs are appropriately planned and managed.
b. Ensure that clear objectives are established in relation to taxation matters with a view to
minimizing tax liabilities within the confines of the prevailing legislation and regulations.
c. Ensure that all tax liabilities are accurately determined and supported by accounting data.
d. Ensure that all required taxation returns are correctly completed and filed on time.
e. Ensure compliance with all relevant taxation, legislation and regulations.
f. Ensure that allowances and concessions are identified, accurately assessed and accordingly
claimed.
g. Ensure that all tax payments are suitably authorized.
h. Provide management with adequate and accurate information on taxation matters and liabilities.

11. Inventory
Control Objectives:
a. Ensure that the accounting system and statutory accounts accurately reflect the value of current
inventory stocks.
b. Ensure that all stock purchases, issues, and other movements are valid and correctly reflected in
the inventory accounts.
c. Ensure that stocks are correctly priced.
d. Ensure that inventory values are periodically verified as correct.
e. Ensure that all adjustments to stock valuations are suitably investigated and authorized.
f. Ensure that inventory items utilized in production and customer sales activities are correctly
charged out of the inventory accounts and accounted for in target systems.
g. Ensure that write-offs of excess, scrap, or obsolete stocks are valid and authorized.
h. Provide adequate, accurate, and timely management information.

12. Product/ Project Accounting
Control Objectives:
a. Ensure that all projects and product development/ launches are suitably authorized as part of
the strategic direction of the organization.
b. Ensure that an appropriate costing method is selected.
c. Ensure that all relevant costs are identified and accurately recorded.
d. Ensure local factors are appropriately taken into consideration, such as market share, price
sensitivity, price controls.
e. Establish budgets based on reliable data and assumptions.
f. Ensure that actual costs and progress are adequately monitored and that variances are identified
and acted upon.
g. Ensure that actual sales or project outturn performance is monitored and managed.
h. Ensure that the accounting system accurately reflects all the relevant economic events associated
with each product/ project.

13. Petty Cash and Expenses—largely a question of scale; the level of petty cash and general expenses varies
between organizations.
Control Objectives:
a. Ensure that all expenses are valid and authorized.
b. Ensure that all expenses are correctly identified, recorded, and accurately reflected in the
accounting system.
c. Ensure that all expense payments are in accord with company policy and any relevant external
regulations.

14. Financial Information and Reporting—concerns related to accuracy, completeness, timeliness, and
security of the information.
Control Objectives:
a. Ensure that management are provided with accurate and timely financial information to support
their decision-making and activities.
b. Ensure that all relevant financial reports and returns are accurately prepared and distributed to
external bodies in accordance with the prevailing legislation, regulation, and contractual
obligations.
c. Ensure that accounting records and statements are correctly maintained and prepared in
accordance with the prevailing accounting standards and good practice.
d. Ensure that all financial information is adequately protected from loss, misuse, or unauthorized
leakage.

15. Investments—given the financial and timing implications associated with investment activities, it is
crucial that authorized policies are in place and adhered to.
Control Objectives:
a. Ensure that all investment decisions are adequately researched and authorized in accordance with
the established objectives.
b. Ensure that investment commitments do not interfere with the required cash flow and that
sufficient working funds are maintained.
c. Ensure that timescale and liquidity implications of investments are adequately considered and
catered for.
d. Ensure that invested funds and the income generated are correctly accounted for.
e. Ensure that all relevant regulations, exchange controls, and accountancy standards are complied
with.
f. Ensure that investment documentation is adequately and securely stored.

FILE 2: SPREADSHEET DESIGN AND GOOD PRACTICE

Spreadsheets are often woven into the corporate information system. Approachable and easy to use, they
often evade any scrutiny during their development or live use.

Errors Spreadsheets Are Prone To


1. Overtyping of cells containing formulas
2. Inserting rows/ column without amending formulas
3. Inconsistencies in formula
4. Inaccurate ranges of data used in formula
5. Failing to cross-cast rows and columns as a means of proving accuracy
6. Failing to amend all formulas when constant or variables are changed.
7. Inappropriate mixing and use of units and frequencies.
8. Putting function arguments in the wrong order.
9. Undocumented changes applied.
10. Failure to use the correct data set in a regular cycle of use.

There are real risks associated with the use of spreadsheets, especially if they form a significant part of the
management information and decision-making processes, and their development has been undertaken.

“The use of spreadsheets to augment mainstream system information and greater dependence being placed on
spreadsheets when they become part of the mainstream system.”

Inventory of Key Spreadsheets


Managers should consider undertaking an inventory so that the extent and nature of spreadsheet use can be
accurately determined and assessed.

Key critical spreadsheets should be identified as information assets and recorded on the organization’s
Information Asset Register; the following should be captured for key spreadsheets.
- File Name
- File/ Data Owner and Information Steward.
- Date of Introduction
- An overview of its functionality and purpose
- Whether it is financial or operational in nature.

Documenting Spreadsheets
Operationally critical spreadsheets should be treated in the same way as key application systems and be
specified and documented so that ongoing maintenance and updates can be understood. As with the
specification of a software application, the following should be defined:
- Purpose of the spreadsheet
- Assessment of how critical the sheet will be to the organization.
- Owner and Designer of the sheet
- Filename of the sheet
- Any constant or standing data to be used in the formula.

Examples of good practice


Excel is a flat-file application and should be utilized as such; where the solution requires a relational
database, a database product should be used instead.
- Create and circulate templates for common tasks.
- Use conditional formatting to highlight results as a warning.
- Ensure that data does not include blank rows.
- Data should be sorted in the most appropriate and efficient form
- Use dynamic ranges and give them meaningful names
- Label rows and columns to avoid ambiguity
- Do not include variables as values in a formula but hold them as data elsewhere and include the
appropriate cell reference within the associated formula.
- Ensure that formulas are consistently copied to the appropriate cell ranges (relative and absolute cell
references).
- Use pivot tables or charts to summarize data but ensure that they reflect all the required data ranges
especially after changes have been applied elsewhere in the file.
o Array Functions (alternative database function and Pivot Table)
o Sum product used for multiple condition summing or counting.
o Spreadsheet lookup functions (VLOOKUP) enable the extraction of data from tables of data but
can consume processing resources if the command involves the examination of thousands of
cells.
- Changes to spreadsheet files should be clearly determined and applied.
- Autosave or auto recover should be turned on.
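As an added example (not part of these notes), the following Python script automates three of the checks the two lists above call for: detecting overtyped formula cells, formulas that are inconsistent with the rest of their column, and constants typed into a formula instead of being held as data elsewhere. `SAMPLE_SHEET`, `audit_column` and the other names are assumptions of this example; the worksheet is a constructed dict standing in for a real workbook.

```python
import re
from collections import Counter

# Constructed sample worksheet (cell address -> value or formula), assumed for this
# example. Column C should compute A * the rate held in F1 for rows 2..6, but C4 has
# been overtyped with a number and C5 embeds the rate as a literal instead of $F$1.
SAMPLE_SHEET = {
    "A2": 100, "A3": 200, "A4": 300, "A5": 400, "A6": 500,
    "F1": 1.2,
    "C2": "=A2*$F$1",
    "C3": "=A3*$F$1",
    "C4": 360,
    "C5": "=A5*1.2",
    "C6": "=A6*$F$1",
}

# A1-style cell reference with optional $ anchors, e.g. A2, $F$1, AB$10.
# (Function names ending in digits, such as LOG10, are not distinguished here.)
REF_RE = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")
NUM_RE = re.compile(r"\d+(?:\.\d+)?")


def col_to_num(col: str) -> int:
    """Convert a column label (A, B, ..., AA) to a 1-based number."""
    n = 0
    for ch in col:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def to_relative(formula: str, host: str) -> str:
    """Rewrite every reference as an offset from the host cell (R1C1 style), so that
    a formula correctly copied down a column yields the same text in every row."""
    m = REF_RE.fullmatch(host)
    host_col, host_row = col_to_num(m.group(2)), int(m.group(4))

    def repl(match):
        col_abs, col, row_abs, row = match.groups()
        c, r = col_to_num(col), int(row)
        row_part = f"R{r}" if row_abs else f"R[{r - host_row}]"
        col_part = f"C{c}" if col_abs else f"C[{c - host_col}]"
        return row_part + col_part

    return REF_RE.sub(repl, formula)


def hardcoded_literals(formula: str) -> list:
    """Return numeric constants typed directly into a formula. Cell references are
    stripped first so the row number in A2 is not mistaken for a constant."""
    return NUM_RE.findall(REF_RE.sub("", formula))


def audit_column(sheet: dict, col: str, first_row: int, last_row: int) -> list:
    """Check one column range and return (cell, finding) pairs for:
    - overtyped cells: values where the rest of the range holds formulas;
    - inconsistent formulas: relative form differs from the column's majority;
    - hardcoded constants inside formulas."""
    findings = []
    relative = {}
    for row in range(first_row, last_row + 1):
        addr = f"{col}{row}"
        value = sheet.get(addr)
        if isinstance(value, str) and value.startswith("="):
            relative[addr] = to_relative(value, addr)
    if not relative:
        return findings  # a pure data column; nothing to compare

    majority, _ = Counter(relative.values()).most_common(1)[0]
    formula_cells = len(relative)
    total_cells = last_row - first_row + 1
    for row in range(first_row, last_row + 1):
        addr = f"{col}{row}"
        if addr not in relative:
            # Only treat a value as overtyped when formulas dominate the range.
            if formula_cells * 2 >= total_cells:
                findings.append((addr, "overtyped: value in a formula column"))
            continue
        if relative[addr] != majority:
            findings.append((addr, f"inconsistent formula: {relative[addr]} "
                                   f"(majority is {majority})"))
        for lit in hardcoded_literals(sheet[addr]):
            findings.append((addr, f"hardcoded constant {lit}; hold it in a cell "
                                   "and reference it instead"))
    return findings


if __name__ == "__main__":
    for cell, msg in audit_column(SAMPLE_SHEET, "C", 2, 6):
        print(f"{cell}: {msg}")
```

Run against the sample sheet it reports C4 as overtyped and C5 twice (inconsistent with its neighbours, and carrying the constant 1.2); a real audit would load the formulas from the workbook into the same dict shape.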

- Pivot Functions
- Conditional Formatting
- Conditional Highlighting
- IF Function
- CONCATENATE Function
- VLOOKUP
- Mail Merge
- Hyperlink
- Shortcut Functions
- ¶ (Pilcrow) indicates the start of a new paragraph within a block of text.

FILE 3: BASIC TOOLS FOR PROCESS IMPROVEMENT


Flowchart (Flow Diagram)—a diagram that uses graphic symbols to depict the nature and flow of the steps in
a process.

Benefits of using flowchart


1. Promote understanding of a process by explaining the steps pictorially.
2. Provide a tool for training employees.
3. Identify problem areas and opportunities for process improvement.
4. Depict customer-supplier relationships, helping the process workers to understand who their
customers are.

Common Symbols used in flowchart


1. Oval—starting point and ending point of the process steps.
2. Box—individual step or activity in the process.
3. Diamond—decision point (yes or no)
4. Circle—particular step is connected to another page or part of the flowchart.
5. Triangle—shows where an in-process measurement occurs.

Levels of Flowchart
1. Macro Level—May not need detailed process. Fewer than six steps.
2. Mini Level—Sits between the big picture of the macro level and the fine detail of the micro level.
3. Micro Level—Detailed depiction of process steps. Detailed picture of process by documenting every
action and decision.

How to start a Flowchart


1. Identify the right people to develop the chart.
2. Determine what you expect to get from the flowchart.
3. Identify who will use it and how.
4. Define the level of detail you need.
5. Establish the boundaries of the process to be improved.

Key to Successful Flowcharting


1. Start with the big picture.
2. Observe the current process
3. Record process steps
4. Arrange the sequence of steps
5. Draw the Flowchart

Types of Flowcharts
1. Linear Flowchart—displays the sequence of work steps that make up a process. This helps to
identify rework and redundant or unnecessary steps within a process.

Steps:
a. Define the process to be flowcharted and the purpose of flowcharting.
b. Assemble the right people to develop the flowchart.
c. Establish process boundaries.
d. List the steps, activities, and decisions to be charted.
e. Put the steps in chronological sequence.
f. Assign flowchart symbols.
g. Review and title the flowchart.

2. Deployment Flowchart—shows the actual process flow and identifies the people or groups involved
at each step. Horizontal lines define customer-supplier relationships. This flowchart shows where the
people or groups fit into the process sequence, and how they relate to one another throughout the
process.

Steps:
a. List the major steps of the process vertically on the left side of a sheet of paper.
b. List the responsible process workers across the top, each in a separate column.
c. Place each step in the appropriate column under the responsible process worker’s name.
d. Connect the steps in order in which they relate to each other.

3. Opportunity Flowchart—a variation of the basic linear type, differentiates process activities that
add value from those that add cost only.
o Value Added Steps (VA)—essential for producing the required product or service. Output
cannot be produced without them.
o Cost-Added Only Steps (CAO)—essential for producing the required product or service.
Added to a process in anticipation of something that might go wrong, or because something is wrong.

Steps:
a. Divide your paper into two columns headed Value Added (VA) and Cost Added Only (CAO).
b. List the steps in the process in these columns vertically, all VA steps in one column and all CAO
steps in the other.
c. Connect the steps.

FILE 4: STANDARD AUDIT PROGRAMME GUIDES (SAPG)


A systems approach can be supported by the use of individual SAPGs with the added flexibility of using a
number of related systems SAPGs in combination to provide wider coverage and take into account related
issues and implications.

Six Categories of Business Process


The Treasury to Conversion Processes are built around a range of related economic events which may in turn
generate transactions and interactions with systems.
1. Treasury Process—incorporates those activities concerned with the organization’s capital funds,
definition of cash requirements, allocation of available cash to various operations, investment
considerations, and outflow of cash to investors and creditors. (General management of cash)
2. Revenue Process—exchanges the organization’s products and services for cash; covers credit granting,
order entry, delivery/ shipping, billing, accounts receivable, and pursuing debtors. (Cash receipts)
3. Expenditure Process—activities/ systems that acquire goods, services, labor, and property, pay for
them, and classify, summarize, and report what was acquired and what was paid. (Cash
disbursements)
4. Conversion Process—utilization and management of various resources, in the process of creating
the goods and services marketed by the organization. Include accountability for the movement and
usage of resources up to the point of supply which is then dealt with in the Revenue Process. Include
product accounting/ costing, manufacturing control, and stock management.
5. Financial Reporting—not based on business process but concentrates upon the consolidation and
reporting of results to various interested parties.
6. Corporate Framework—concerned with the development and maintenance of effective
management, strategic, infrastructure, and control frameworks which aim to give form to the underlying
direction, structure, and effectiveness of the organization. Also includes issues such as specific industry
regulations and compliance.

ACTIVITY/ SYSTEM BY BUSINESS PROCESS
(Each table below was laid out in two columns; where a line carries two entries, the first belongs to the
left-hand process and the second to the right-hand process.)
TREASURY PROCESS (left) / REVENUE PROCESS (right)
Management and Administration Management and Administration
- Capital Projects - Risk Management
- Insurance
Financial and Accounting Financial and Accounting
- Treasury - Accounts Receivable
- Payroll
- Accounts Payable/ Receivable - Budgeting and Monitoring
- Fixed Assets - Bank Accounts & Banking Arrangements
- Budgeting and Monitoring - VAT Accounting
- Bank Accounts & Banking Arrangements - Taxation
- Taxation - Inventories
- Financial Information and Reporting - Product/ Project Accounting
- Investments - Financial Information and Reporting
- Investments
Procurement Stock and Material Handling
- Purchasing - Stock Control
- Warehousing/ Storage
- Distribution, Transport, and Logistics
Production/ Manufacturing Market & Sales
- Facilities, Plant and Equipment - Product Development
- Market Research
- Promotion and Advertising
- Pricing and Discount Policies
- Sales Management
- Sales Performance and Monitoring
- Distributors
- Relationship with Parent Company
- Agents
- Order Processing
Market & Sales After Sales Support
- Product Development - Warranty Arrangements
- Relationship with Parent Company - Maintenance and Servicing
- Spare Parts and Supply
Research and Development Research and Development
- Product Development - Product Development
- Project Appraisal and Monitoring - Project Appraisal and Monitoring
- Plant and Equipment
Information Technology Information Technology
- Processing Operations - IT Strategic Planning
- Back-up and Media Management - IT Policy Framework
- Facility Management - Information Asset Register
- Electronic Data Interchanges - Capacity Management
- BACS - Information Management
- Records Management
- Knowledge Management
- Processing Operations
- Back-up and Media Management
- Electronic Data Interchanges
Contracting Contracting
- Contract Management Environment - Contract Management Environment
- Project Assessment and Approval - Project Assessment and Approval
- Tendering Procedures - Performance Monitoring
- Materials, Plant & Project Assets - Extensions of Time
- Valuing Work for Interim Payments - Controlling Contractual Claims
- Controlling Contractual Claims - Liquidation and Bankruptcies
- Liquidation & Bankruptcies
- Recovery of Damages
- Review of Project Outturn and Performance
- Review of Project Outturn and Performance

EXPENDITURE PROCESS (left) / CONVERSION PROCESS (right)


Management & Administration Management & Administration
- Risk Management - Organization
- Estates Management & Facilities - Risk Management
- Insurance - Quality Management
- Capital Projects - Estates Management & Facilities
- Environmental Issues
Financial and Accounting Financial and Accounting
- Payroll - Accounts Receivables
- Accounts Payable - Inventories
- Fixed Assets - Product/ Project Accounting
- Budgeting and Monitoring - Financial Information and Reporting
- Bank Accounts & Banking Arrangements
- VAT Accounting
- Taxation
- Inventories
- Product/ Project Accounting
- Petty Cash & Expenses
- Financial Information and Reporting
Personnel Personnel
- Human Resources Department - Human Resources Department
- Staff Training and Development - Recruitment
- Welfare - Manpower & Succession Planning
- Performance-Related Compensation, Pension - Staff Training and Development
Schemes
- Health Insurance
- Company Vehicles
Procurement Procurement
- Purchasing - Purchasing
Stock and Materials Handling Stock and Materials Handling
- Stock Control - Stock Control
- Warehousing/ Storage - Warehousing/ Storage
- Distribution, Transport and Logistics - Distribution, Transport and Logistics
Production/ Manufacturing Production/ Manufacturing
- Planning & Production Control - Planning & Production Control
- Facilities, Plant and Equipment - Facilities, Plant and Equipment
- Personnel - Personnel
- Materials and Energy - Materials and Energy
- Maintenance - Quality Control
- Safety
- Environmental Issues
- Maintenance
Marketing and Sales Marketing and Sales
- Product Development - Product Development
- Promotion and Advertising - Pricing and Discount Policies
- Relationship with Parent Company
After Sales Support After Sales Support
- Warranty Arrangements - Spare Parts and Supply
- Maintenance and Servicing
- Spare Parts and Supply
Research and Development Research and Development
- Product Development - Product Development
- Product Appraisal and Monitoring - Product Appraisal and Monitoring
- Plant and Equipment - Plant and Equipment
- Development Project Management - Development Project Management
- Legal and Regulatory Issues
Information Technology Information Technology
- IT Strategic Planning - IT Organization
- IT Policy Framework - Knowledge Management
- Capacity Management - Processing Operations
- Information Management - Back-up and Media Management
- Records Management - Data Transfer & Sharing
- Knowledge Management - Electronic Data Interchanges
- IT Sites and Infrastructure
- Processing Operations
- Back-up and Media Management
- Software Maintenance
- Facilities Management
- System Development
- Electronic Data Interchanges
- BACS
Contracting Contracting
- Contract Management Environment - Design
- Project Assessment and Approval
- Engaging, Monitoring & Paying Consultants
- Design
- Assessing the Viability/ Competence of
Contractors
- Maintaining an Approved List of contractors
- Tendering Procedures
- Insurance and Bonding
- Selection & Letting of Contracts
- Performance Monitoring
- Arrangement for Sub-Contractors and
Suppliers
- Materials, Plant & Project Assets
- Valuing Work for Interim Payments
- Controlling Price Fluctuations
- Extensions of Time
- Liquidations & Bankruptcies
- Contractor’s Final Account
- Recovery of Damages
- Review of Project Outturn & Performance
- Maintenance Obligations

FINANCIAL REPORTING (left) / CORPORATE FRAMEWORK (right)


Management & Administration Management & Administration
- Management Information - The Control Environment
- Company Secretarial Department - Organization
- Management Information
- Planning
- Risk Management
- Legal Department
- Quality Management
- Estates Management & Facilities
- Environmental Issues
- Insurance
- Security
- Capital Projects
- Industry Regulations and Compliance
- Media, Public, and External Relations
- Company Secretarial Department
Financial and Accounting
- Treasury
- Payroll
- Accounts Payable/ Receivable
- General Ledger/ Management
- Fixed Assets
- Budget and Monitoring
- Bank Accounts & Banking Arrangements
- Petty Cash & Expenses
- VAT Accounting
- Financial Information & Reporting
- Taxation
- Inventories
- Product/ Project Accounting
- Investments
Personnel
- Human Resources Department
- Recruitment
- Manpower & Succession Planning
- Staff Training and Development
- Welfare
- Performance-Related Compensation, Pension Schemes
- Health Insurance
- Staff Appraisal & Disciplinary Matters
- Health and Safety
- Labor Relations
- Company Vehicles
Procurement
- Purchasing
Stock and Materials Handling
- Stock Control
- Warehousing/ Storage
- Distribution, Transport and Logistics
Production/ Manufacturing
- Planning & Production Control
- Facilities, Plant and Equipment
- Personnel
- Materials and Energy
- Quality Control
- Safety
- Environmental Issues
- Law and Regulatory Compliance
- Maintenance
Marketing and Sales
- Product Development
- Market Research
- Promotion and Advertising
- Pricing and Discount Policies
- Sales Performance and Monitoring
- Distributors
- Relationship with Parent Company
- Agents
- Order Processing
After Sales Support
- Warranty Arrangements
- Maintenance and Servicing
- Spare Parts and Supply
Research and Development
- Product Development
- Project Appraisal and Monitoring
- Plant and Equipment
- Development Project Management
- Legal and Regulatory Issues
Information Technology
- IT Strategic Planning
- IT Organization
- IT Policy Framework
- Information Asset Register
- Capacity Management
- Information Management
- Records Management
- Knowledge Management
- IT Sites and Infrastructure
- Processing Operations
- Back-up and Media Management
- Removable Media
- Systems/ Operating Systems
- System Access Control
- Personal Computers
- Remote Working
- Email
- Internet Usage
- Software Maintenance
- Networks
- Databases
- Data Protection
- Freedom of Information
- Data Transfer & Sharing
- Legal Responsibilities
- Facilities Management
- Electronic Data Interchange
- BACS
- System Development
- Software Selection
- Contingency Planning
- Human Resource Information Security
- Spreadsheet Design & Good Practice
- IT Accounting

FILE 5: AUDITING INFORMATION TECHNOLOGY


This file approaches IT activities from business and operational viewpoints; the objective is to consider the
key issues and identify the optimum actions.

It includes Information Management, Records Management, and Knowledge Management, the majority of which
will be supported primarily by electronic records.

INTRODUCTION TO RECOGNIZED STANDARDS RELATED TO INFORMATION TECHNOLOGY AND RELATED TOPICS

BSI—British Standards Institution


ISO—International Organization for Standardization

Information Security Management Systems (ISO/IEC 27001)

Objective: Provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an Information Security Management System (ISMS).

The design and implementation of an organization's ISMS is influenced by its needs and objectives, its security
requirements, the processes employed, and the size and structure of the organization.

12 Main Sections
1. Risk Assessment—identifying and evaluating the risks the ISMS must treat.
2. Security Policy—management direction.
3. Organization of Information Security—governance of information security.
4. Asset Management—inventory and classification of information assets.
5. Human Resources Security—security aspects for employees joining, moving within, and leaving an
organization.
6. Physical and Environmental Security—protection of computer facilities.
7. Communications and Operations Management—management of technical security controls in
systems and networks.
8. Access Control—restriction of access rights to networks, systems, applications, functions, and data.
9. Information Systems Acquisition, Development, and Maintenance—building security into systems.
10. Information Security Incident Management—anticipating and responding appropriately to information
security breaches.
11. Business Continuity Management—protecting, maintaining, and recovering business-critical
processes and systems.
12. Compliance—ensuring compliance with information security policies, standards, laws, and
regulations.

Information Security Risk Management (ISO/IEC 27005)

This standard is interesting in that it neither provides nor recommends a specific risk methodology, but rather
gives guidelines. This approach is appropriate because each sector and organization will vary in terms of
its potential risk impacts and their operational relevance.

Information Technology—Security Techniques (ISO/IEC 27006)

Requirements for bodies providing audit and certification of information security management systems.

Information and Documentation—Records Management (ISO 15489)

- Effective management of any organization's records irrespective of their type and form (paper-based or
electronic).
- Adopts a cradle-to-grave approach to records, ranging from the creation of a record, through its use
and maintenance, to its eventual disposal or destruction.

1. Information & Documentation—Records Management—General

o Illustrates a framework for record-keeping and notes the related benefits and regulatory
considerations. It covers the key processes of record creation, form and structure, storage,
retention, and access.
a. Scope
b. Normative References
c. Terms and Definitions
d. Benefits of Records Management
e. Regulatory Environment
f. Policy and Responsibilities
g. Records Management Requirements
h. Design and Implementation of a Records System
i. Records Management Processes and Controls
j. Monitoring and Auditing
k. Training
2. Information & Documentation—Records Management—Guidelines
o Practical and detailed guidelines.
a. Scope
b. Policies and Responsibilities
c. Strategies, Design, and Implementation
d. Records Processes and Controls
e. Monitoring and Auditing
f. Training

Emerging Standards and Best Practice for Knowledge Management


- The capabilities by which communities within an organization capture the knowledge that is critical
to them, constantly improve it, and make it available in the most effective manner to those people who
need it, so that they can exploit it creatively to add value as a normal part of their work.

System/ Function Components of Information Technology and Management


- Breakdown of the key functions, systems, or activities.
a. IT Strategic Planning
b. IT Organization
c. IT Policy Framework
d. Information Asset Register*
e. Capacity Management
f. Information Management*
g. Records Management*
h. Knowledge Management*
i. IT Sites and Infrastructure (physical security)
j. Processing Operations
k. Back-up and Media Management
l. Removable Media
m. System and Operating Software (patch management)
n. System Access Control (logical security)
o. Remote Working
p. Software Maintenance
q. Networks
r. Databases
s. Data Protection
t. Freedom of Information
u. Data Transfer and Sharing (Standards and Protocol Guidelines)
v. Legal Responsibilities
w. Facilities Management
x. Electronic Data Interchange
y. BACS (automated cash/ funds transfer)
z. Contingency Planning

- This broad-brush approach is intended to enable auditors to identify and extract those elements that
match their own organization's use of IT.
- IT Strategic Planning outputs may have direct relevance to system developments or the expansion
of local area networks.
- The starred items (Information Asset Register, Information Management, Records Management, and
Knowledge Management) are relevant to the wider aspects of information and knowledge, including
electronic records, and encompass information and records in any form, not only those held in IT systems.

IT STRATEGIC PLANNING
- Concerned with planning for the use of IT in the organization to ensure that the business objectives
and operational requirements are effectively met.
- Applying formal strategic planning techniques to the operational use of IT will normally concentrate
on the key business requirements and the objectives set by management as part of their wider long-
term planning.

Action Plan:
o Acquiring and moving over to new hardware or software platforms.
o Improving or extending the data communications infrastructure.
o Improving or upgrading existing application systems
o Commissioning new application software to support business activities.
o Introducing new or improved IT development and management techniques to contribute to
efficiency and cost effectiveness.
o Implementing a training plan in order to ensure that IT staff skill levels are kept up to
date.

Control Objectives for IT Strategic Planning


o Ensure that the IT facilities and services support both the strategic objectives of the business
and the maintenance of competitive advantage.
o Ensure that the use of IT throughout the organization is adequately planned and geared to
the underlying business needs.
o Ensure that investments in IT facilities are justified and represent value for money.
o Ensure that a stable, reliable, and secure IT environment is provided to support the business.
o Ensure that both the current and anticipated requirements of the business are appropriately
served by the IT facilities.
o Ensure that adequate and appropriately skilled personnel are provided to support the
achievement of established objectives.
o Ensure that the IT environment incorporates appropriate and justifiable hardware, software,
methods, facilities, and tools to support the business.
o Ensure that the information needs of the business are best served by current and planned
systems.
o Ensure that a suitable planning methodology is utilized in order to accurately identify
underlying requirements and convert them into action plans.
o Ensure that only justified and authorized systems are developed and maintained.
o Ensure that all IT projects and acquisitions are authorized and in accord with the established
planning objectives.
o Ensure that cost-effective and optimum solutions are applied.
o Ensure that IT-related costs are accurately identified and contained within budgeted limits.

IT ORGANIZATION
- Targets the organizational structure of an in-house IT function.
o Optimum organizational structure
o Terms of reference for the IT function
o Service level agreements
o Definition of roles and responsibilities
o Required operational and technical standards.

Control Objective
o Ensure that an appropriate and efficient organizational structure is established for the IT
Functions.
o Ensure that responsibilities and accountabilities are defined, agreed, and allocated.
o Ensure that adequate and appropriate IT resources and skills are provided to support the
business.
o Ensure that an appropriate framework of operating standards, procedures and policies is
established, adhered to, maintained, and kept-up to date.
o Ensure that the required levels and standards of IT service provision are established, agreed,
and can be observed.
o Ensure that the key duties are appropriately segregated in order to protect the integrity of
operations, systems, and data.
o Ensure that skill requirements are identified and met through on-going training and staff
development.
o Ensure the accuracy and security of the application systems and data in use.
o Ensure that the continuity of operations can be maintained in the event of a disaster or
failure.
o Ensure that effective channels of communication are provided, and that staff remain aware of
the required performance, quality, and service objectives.

IT POLICY FRAMEWORK
- A framework of pragmatic policies surrounding the use and control of IT and information-related
facilities should fundamentally guide staff on what to do and what not to do.

Control Objectives
o To ensure that the appropriate policy and procedural framework is in place to provide secure
and reliable IT facilities in order to support the organization’s operational and administrative
requirements.
o To develop, agree and ratify a range of appropriate best practice policies suited to the
specific utilization of IT by the organization.
o To ensure that policies (and related procedural processes) are “owned” by a named manager
or officer, who is responsible for promoting, supporting and maintaining the allocated
policies.
o To ensure that all policies are ratified and formally agreed by senior management as a means
of ensuring that they are seen as significant parts of the culture and management oversight
of the organization.
o To ensure that policies incorporate any sector-specific issues and best practice exemplars.
o To ensure that any legislative or regulatory obligations are included in the relevant policies.
o To ensure that policies define how the related key activities will be monitored and managed.
o To ensure that the policies (and supporting materials) clearly state what is, in turn,
acceptable or unacceptable action or behavior.
o To ensure that policies include, where appropriate, the potential implications of a failure to
comply, including employee sanctions.
o To provide, where appropriate, documented practical guidance and procedures to support
the objectives and principles contained within the various IT policies.
o To ensure that general and specific roles and responsibilities are clearly defined within the
policies.
o To ensure that all policies are periodically reviewed and maintained up to date.
o To ensure that policies and the obligations they contain are suitably promoted within the
organization.
o To ensure that policies are accessible by all employees as sources of reference.
o To ensure that policy awareness is supported by appropriately targeted training.
o To ensure that there are reliable methods in place to monitor policy compliance and
promptly detect noncompliance or breaches of information security.

INFORMATION ASSET REGISTER


- All IT equipment owned is regarded as a hardware asset and treated as a fixed asset.
- All software owned is regarded as a software asset and treated as revenue expenditure.
- Information assets are distinct from both: they are the data and records that the hardware and software
hold, and they are not always represented financially.

Information Assets
o Databases
o Electronic records, files, and documents
o Paper records and files
o Mailboxes
o Data Files
o Drawings
o Configuration Files
o Photographs

Importance of Information Assets:


o Operational Value: Information assets, while not always represented financially, are critical
to operations and should be identified, managed, and protected.
o Management Challenges: Organizations often take information assets for granted, leading
to inefficiencies in managing and optimizing their use.

Key Objectives for Managing Information Assets:


1. Ensuring Accuracy and Integrity:
o Maintain correct, consistent, and reliable data.
2. Identifying Opportunities:
o Find ways to improve and develop the use of information.
3. Gap Identification:
o Detect and address missing or inadequate information.
4. Maximizing Usage:
o Use information in innovative and effective ways to benefit the organization.
5. Protection:
o Secure information from loss, damage, or unauthorized access.
6. Compliance:
o Ensure all information handling aligns with data protection laws, freedom of information
regulations, and other relevant legislation.
7. Exposing Risks and Liabilities:
o Identify any redundant, unused, or risky information, ensuring the organization is not
exposed to liabilities.
8. Classification:
o Classify information based on sensitivity, applying appropriate security measures.

Creating and Managing the Information Asset Register:


1. Responsibility:
o Assign ownership to a designated individual (e.g., project manager), who will oversee the
creation and maintenance of the register.
2. Project Management:
o For large organizations, consider managing the register creation as a formal project with
milestones and management oversight.
3. Pragmatic Approach:
o Avoid excessive detail in cataloging every asset; focus on key and primary information sets
that deliver value.

Data Fields for an Information Asset Register:


1. Essential Information:
o Name of the asset
o Dates of creation or when operational
o Reference number
o Status (e.g., in live use, under review)
o Sensitivity (based on classifications like personal data or sensitive information)
2. Additional Administrative Fields:
o Freedom of Information (FoI) status and exemption details.
o Asset content and use descriptions.
o Related system/software environment.
o Owner of the system and data.
o Usage level, frequency of updates, and method of updates.
o Security level (high, medium, low).
o Retention and disposal methods.
o Controls and gaps in controls.

Collection Methods:
1. Centralized Data Gathering:
o More thorough but time-consuming; ensures consistency across all departments.
2. Self-assessment by Department:
o System owners/administrators collect data, requiring some quality control to ensure
accuracy.

Ongoing Review and Maintenance:


 Regular updates and reviews are essential for the asset register.
 Processes should be in place to:
o Add new information sets.
o Expand or modify existing sets.
o Remove obsolete data.
o Track changes in the characteristics of information (e.g., sensitivity or format changes).

Role of the Information Asset Register:


 Critical Tool: Supports managing, maintaining, and protecting information assets.
 Audit Support: Helps internal auditors assess risks and target areas for improvement.
 Corporate Governance: Senior management can use it to assess the effectiveness of information
and governance practices.

Control Objectives
- To ensure that management take the steps necessary to assess the benefits of creating an Information
Asset Register or inventory and, if proven justified, to allocate adequate resources for its creation and
ongoing maintenance.
- To ensure that there is ownership of the register or inventory at both a senior management (e.g.
board) level and across the organization.
- To ensure that day-to-day responsibility for the creation and ongoing maintenance of the register or
inventory is allocated to a nominated person, manager or officer.
- To ensure that, where appropriate, the creation of an Information Asset Register or inventory is
regarded as a project to be managed using formal project planning and management methods and led
by a suitably experienced project manager.
- To ensure that the register provides senior management with the ability to accurately consider the
impacts of their decisions on the organization’s information assets and to support effective decision
making and planning.
- To ensure that senior management utilize the facility of an Information Asset Register to aid their
assessment of information governance and corporate governance.
- To ensure that all information assets are accurately identified as the basis for their effective
management and protection.
- To ensure that the data specification for the register is robust, practical and provides the necessary
reporting and monitoring functionality.
- To ensure that the application system or software environment hosting the register is robust, proven,
fit for purpose and adequately secure. This should include the application of any IT procurement
procedures aimed at assessing the financial stability of the supplier and the technical quality of the
system itself.
- To ensure that the optimum method of data collection is used to accurately populate the register. This
should include the validation of data (either manually or by some automated means) and some form
of data quality control process.
- To ensure that all information assets are correctly categorized and codified so as to accurately reflect
their significance, degree of sensitivity and operational importance to the organization.
- To ensure that only authorized and appropriate amendments are applied to the register; and that
only authorized users have access to the register system.
- To ensure information security measures are proportional to the value and sensitivity of the data.
- To ensure that personal data sets which must be managed in accordance with the prevailing Data
Protection legislation and/or regulations are specifically codified and identifiable in the register, so that
they can be efficiently identified.
- To ensure that the register provides clear indications of the data that can be publicly disclosed, for
example under the prevailing Freedom of Information legislation or an approved Publication Scheme.
- To ensure that management take the action necessary to ensure that all staff are made aware of the
register, its various purposes and its use as a reference point for determining when information can
and cannot be released due to either being defined, as appropriate in each specific case, as publicly
accessible, personal or lawfully exempt.
- To ensure that there is the ability to readily detect situations which could have an impact on the
contents of the register (for example, the expansion of an existing system or the removal from service
of a legacy system) and to promptly reflect such changes on the register.
- To ensure that an Information Asset Register or inventory is accurately maintained and periodically
reviewed.
- To ensure that any gaps in controls exercised over information assets are promptly identified and
action taken to improve control to an adequate level.
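The data specification, collection validation and "gaps in controls" objectives above are easier to audit when the register itself can be checked mechanically. The following is an added example, not code from the notes or from any product: a minimal register whose entries carry the essential and administrative fields listed earlier, plus a validation pass that flags the kinds of gap an auditor looks for (personal data at a low security level or without a retention period, data withheld from FoI without a recorded exemption, expired retention on live assets, live assets with no controls, entries not reviewed within the interval). The field names, the sensitivity scheme, the 12-month review interval and the four sample assets are all assumptions constructed for illustration.

```python
"""Added example (not from the notes): an Information Asset Register with
the data quality checks the notes call for. Field names, sensitivity scheme,
review interval and sample assets are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

SENSITIVITY = {"public", "internal", "confidential", "personal"}  # assumed scheme
SECURITY_LEVELS = {"low", "medium", "high"}                       # as in the notes
REVIEW_INTERVAL_DAYS = 365                                         # assumed policy
AS_OF = date(2025, 1, 1)                                           # audit date for the sample


@dataclass
class InfoAsset:
    ref: str
    name: str
    owner: str
    status: str                   # "live", "under review" or "retired"
    sensitivity: str
    security_level: str
    foi_disclosable: bool
    foi_exemption: Optional[str]  # reason recorded when withheld from FoI
    retention_years: Optional[int]
    created: date
    last_reviewed: date
    controls: List[str] = field(default_factory=list)


def validate_asset(a: InfoAsset, today: date) -> List[str]:
    """Return the findings for one entry; an empty list means no gap found."""
    findings: List[str] = []
    if not (a.ref and a.name and a.owner):
        findings.append("missing essential field (ref/name/owner)")
    if a.sensitivity not in SENSITIVITY:
        findings.append(f"unknown sensitivity '{a.sensitivity}'")
    if a.security_level not in SECURITY_LEVELS:
        findings.append(f"unknown security level '{a.security_level}'")
    if a.sensitivity == "personal":
        # Personal data must be codified for Data Protection handling.
        if a.security_level == "low":
            findings.append("personal data held at low security level")
        if a.retention_years is None:
            findings.append("personal data without retention period")
        if a.foi_disclosable:
            findings.append("personal data marked publicly disclosable")
    elif not a.foi_disclosable and a.foi_exemption is None:
        findings.append("withheld from FoI without a recorded exemption")
    if a.status == "live":
        if a.retention_years is not None and a.created.year + a.retention_years <= today.year:
            findings.append("retention period expired; disposal decision needed")
        if not a.controls:
            findings.append("no controls recorded")
    if (today - a.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("not reviewed within the review interval")
    return findings


def audit_register(assets: List[InfoAsset], today: date) -> Dict[str, List[str]]:
    """Map asset reference -> findings, for entries that have at least one."""
    report: Dict[str, List[str]] = {}
    for a in assets:
        findings = validate_asset(a, today)
        if findings:
            report[a.ref] = findings
    return report


# Constructed sample register (not real data).
SAMPLE_ASSETS = [
    InfoAsset("IAR-001", "Customer account database", "Head of Finance", "live",
              "personal", "high", False, "personal data exemption", 7,
              date(2020, 3, 1), date(2024, 9, 1),
              ["role-based access", "encryption at rest", "nightly backup"]),
    InfoAsset("IAR-002", "Staff payroll extracts (spreadsheets)", "Payroll Manager", "live",
              "personal", "low", False, None, None,
              date(2018, 1, 15), date(2023, 6, 30), []),
    InfoAsset("IAR-003", "Published price list", "Sales Director", "live",
              "public", "low", True, None, 3,
              date(2019, 5, 1), date(2024, 11, 1), ["web publication process"]),
    InfoAsset("IAR-004", "Legacy CRM export", "", "retired",
              "confidential", "medium", False, None, 5,
              date(2015, 1, 1), date(2024, 12, 1), []),
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the checks over the sample register as at AS_OF."""
    return audit_register(SAMPLE_ASSETS, AS_OF)


if __name__ == "__main__":
    for ref, findings in audit_sample().items():
        print(ref)
        for f in findings:
            print("  -", f)
```

Run as a script it lists the gaps per asset reference; IAR-001 produces none, IAR-002 (personal data in ad hoc spreadsheets) produces four. The checks are deliberately rule-based so that the register's own data specification, rather than auditor judgement, drives the first pass; the auditor then follows up the flagged entries.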

Importance of IT Capacity Management


 Objective: The capacity of IT services must align with current and future demands to ensure smooth
operations.
 Linkage with IT Strategy: Capacity management should be closely linked with long-term
operational and service planning, as part of the IT Strategy or Strategic Plan.

Key Components of IT Capacity Management:


1. Network Performance:
o Speed and bandwidth requirements must be evaluated regularly to keep up with growing
demands.
2. Electronic Storage:
o Adequate and scalable storage systems are essential for managing electronic records.
3. Processing Ability:
o Ensure that the processing infrastructure is capable of handling tasks efficiently and can
scale when necessary.

Planning for IT Capacity:


1. Assessment:
o Analyze the current IT capacity, and evaluate upcoming changes (e.g., new services or
business activities) that might affect capacity.
2. Planning Changes:
o Develop a strategic plan to implement necessary changes, considering both short-term and
long-term requirements.

Managing Change:
 Planned vs. Sudden Change:
o IT capacity changes should be planned and coordinated, but sudden, drastic changes might
be required to seize business opportunities or respond to economic conditions (e.g.,
recession).
o It is essential to maintain contingency capacity to cope with unexpected peaks in demand.

Financial Considerations:
 Cost Factor:
o The cost of providing increased capacity must be considered. It should be weighed against
the potential benefits, particularly in financial models for speculative ventures or new
business opportunities.

Monitoring and Maintenance:


 Capacity Management Policy and Plan:
o An ongoing assessment and monitoring plan should be established to keep track of IT
capacity. This should be formalized through a Capacity Management Policy that sets
guidelines for future capacity adjustments.

Control Objectives
- To ensure that the various IT capacities remain at an optimum level in order to support the
organization currently and in the future.
- To ensure that IT capacities are economically provided and to avoid unnecessary or excessive
provision costs.
- To ensure that any proposed changes in operations or service provision are appropriately planned for
and assessed in terms of potential IT capacity impacts.
- To ensure that IT management are engaged in the high-level organization planning process so that
they can assess and plan for the IT implications.
- To avoid the disruption or failure of operations or service provision due to a lack of available IT
capacities.
- To avoid sudden or unplanned operational changes that could adversely impact upon IT capacities.

Importance of Information Management (IM)


 Valuable Asset: Information, alongside employees, finances, products, and technologies, is a critical
asset to any organization. Without accurate, complete, and reliable information, an organization
may fail.
 Careful Management: IM ensures that information assets are well-governed and protected,
delivering benefits to the organization.

Influence of Information Management


 Wide-Ranging Impact: IM affects how organizations manage, govern, and protect their information
assets. It must also address legal and regulatory implications.
 Effort and Resources: Implementing an effective IM environment requires considerable effort. The
challenge varies depending on existing practices within the organization.

Key Principles of an Effective Information Management Policy:


1. Accuracy and Timeliness:
o Information must be up-to-date and accurate for its intended use.
2. Accessibility:
o Information should be readily accessible to authorized users and properly organized.
3. Governance:
o Information must be managed according to a clear set of rules that staff understand and
follow.
4. Security:
o Information must be protected and secured according to legislative and regulatory
standards.

5. Compliance:
o Information handling must comply with relevant laws, policies, and procedures.
6. Records Management:
o Information must be stored, archived, and disposed of in an organized and regulated
manner.
7. Sharing:
o Information must be shared appropriately within the organization, with Data Subjects,
strategic partners, and external bodies.

Uses of Information in Organizations:


1. Customer, Business, and Regulatory Data:
o Organizations collect data on customers, debtors, and regulatory authorities.
2. Service Provision:
o Information supports transactions, planning, and development of services.
3. Internal and External Sharing:
o Information is shared between departments or with external authorities (e.g., tax
authorities).
4. Decision-Making:
o Information is crucial for business expansion assessments, managing finances, and
employee administration.

Policy Commitments for Information Management:


1. Support Organization Objectives:
o Information should help achieve the organization’s goals in decision-making, operations, and
service delivery.
2. Records Management:
o Manage records based on strict regulatory guidelines (further details in Chapter 29 on
Records Management).
3. Availability and Accessibility:
o Ensure information is available and understandable to authorized users.
4. Data Protection:
o Ensure that personal and sensitive data are adequately protected (refer to Chapter 44 on
Data Protection).

Key Considerations for Employees and Management:


1. Information Life Cycle:
o Consider how information is gathered, stored, used, disclosed, and disposed of.
2. Security and Responsibilities:
o Ensure responsibilities for handling information are clear and appropriately allocated.
3. Compliance:
o Employees must understand and comply with laws and policies surrounding information
usage and protection.
Key Aspects of Information Management (IM):
1. Accessibility:
o Information must be shared appropriately within the organization, ensuring privacy and
confidentiality are maintained.
2. Accuracy:
o Validate information at acquisition and apply validation checks to maintain its integrity.
3. Compliance:
o Ensure staff have the necessary knowledge and resources for data protection and
compliance with regulations.
4. Information Sharing:
o Information must be shared lawfully and securely, especially when dealing with external
partners or government bodies.
5. Monitoring and Evaluation:
o Regularly monitor and evaluate information usage to ensure it is accurate, supports the
organization's goals, and is fit for purpose.

Records Management (RM):


 Implement a Records Management Policy to ensure records are gathered, used, stored, and
disposed of securely and lawfully.
 Prevent the accidental disposal of important records, and ensure records are retained for the
necessary period.

Roles and Responsibilities:


1. Awareness:
o Ensure employees understand their responsibilities for managing information.
2. Monitoring Compliance:
o Management must monitor compliance with information policies and address any
potential breaches.
3. Training:
o Provide training and guidance to support compliance and security policies.

Security and Safety:


 IT Security Policies must be in place and employees trained on how to protect their identities,
manage personal and sensitive data, and handle it lawfully.

Control Objectives
- To ensure that all the organization’s information assets have been accurately identified as the basis
for applying effective Information Management.
- To ensure that information is effectively managed and exploited.
- To ensure that the creation and use of corporate information is geared to the overall objectives and
commitments of the organization.
- To ensure that there is a sufficiently defined and robust policy and procedural framework in place for
the application of best practice Information Management.
- To ensure the IM Policy and procedural requirements have been adequately promoted.
- To ensure that there is sufficient senior management buy in to the concepts of IM.
- To ensure that an appropriate IM culture is developed across the organization and that all employees
have a sufficient awareness of the key issues and their responsibilities for IM.
- To ensure that the IM environment fully meets with any legislative, regulatory or standard
requirements.
- To ensure that the organization and storage of information is both accessible to authorized users and
adequately protected from loss, corruption or inappropriate disclosure.
- To ensure that data is only transferred or shared when it is lawful to do so and for defined and
justifiable purposes.
- To ensure that the sharing of data with external parties is only permitted in authorized situations and is
bound by the terms of a formal, signed Information Sharing Agreement that defines the expectations in
relation to usage, storage, access control, security, onward distribution and eventual disposal.
- To ensure that key information assets that are utilized in the creation and management of knowledge
are identified and protected.

FILE 6: IT SITES AND INFRASTRUCTURE


- Concerned with the provision of adequate and secure IT facilities, in which equipment, operations
and data are protected from damage, disruption, or loss.
- This area has specific responsibilities for ensuring the protection of centralized parts of the IT
infrastructure, such as server rooms, network communication equipment, and the physical network.
Physical Security Policy
1. Perimeters and External Environs
o Fences or barriers need to be adequate and maintained in good order.
o Clear, well-maintained pathways and routes
o Provision of adequate external lighting
o The use of CCTV where appropriate
2. Buildings
o Buildings are well constructed to recognized standards and well maintained.
o Points of entry are protected.
o Keys and other barrier access devices are controlled, registered, verified, and recovered.
o Secure storage of unallocated keys.
o Consideration and justification of intruder alarms.
3. Access Control
o Control access to staff only areas
o The controlled issue and use of access key cards
o Access codes are changed periodically.
o Staff should wear or carry official identity cards.
o Registering all visitors and ensuring that they are met and accompanied at all times during their
visit.
4. Personal Safety
o Minimize potential hazards.
o Appropriate PPE are issued to employees.
o Provision and maintenance of adequate first aid facilities and the appointment of qualified
first aiders.
o Ensuring that employees know what to do in the event of an emergency.
5. Property and Assets
o Physically securing IT equipment in place
o Identity-marking the organization's assets and maintaining an up-to-date asset register.
o Guidance on the secure use of company vehicles.
6. Dealing with Emergencies
o Having documented plans in place for various emergency scenarios.
o Periodic testing of such plans and their ongoing improvement
o Allocating specific responsibilities
o Ensuring that staff know what to do.
o Calmly and effectively dealing with visitors and customers on site at the time.

Control Objectives
- To provide a secure and reliable environment for all IT activities.
- To ensure that all IT facilities are adequately protected from damage, loss or disruption.
- To ensure that adequate plans are in place to deal effectively with emergencies.
- To ensure that appropriate and reliable environmental and physical conditions are provided and
maintained.
- To prevent unauthorized access to the IT facility.
- To ensure that risks are assessed, and IT facilities are adequately and appropriately insured.
- To ensure that staff maintain an up-to-date awareness of their responsibilities for security and safety.
- To ensure that buildings, persons and property are effectively protected from fire.

Processing Operations
- Designed so that they can be applied to a variety of processing situations.
- These range from traditional batch-oriented methods, associated with centralized systems, to the more
direct entry of data into freestanding or networked personal computers. Auditors will be mainly
concerned with matters of data accuracy, validity, authorization, and completeness.
- These factors depend not only on access controls but also on the use of authorized and valid versions
of computer programs.

Control Objectives
- To ensure that all processing is valid, authorized and accurate.
- To ensure that data is protected from unauthorized access and use.
- To ensure that the required service levels are achieved in support of the business objectives.
- To ensure that only authorized and tested programs are used.
- To ensure that only accurate, complete and timely data is provided.
- To ensure that IT processing facilities are operated at optimum performance/efficiency without
jeopardizing system integrity and reliability.

Back-up and Media Management

- This section examines the issues relating to the protection of data through adequate back-up, including
the related practices of secure storage and media handling.

Protection of Data through Back-Up and Secure Storage

1. Importance of Data Back-Up and Storage:
o Data back-up is essential but often falsely viewed as a task that can be delayed.
o Operational and business data must be protected against risks like system failure or
environmental damage.
o Many businesses rely on personal computers (PCs), and users are often left responsible for
their own data backups, leading to potential negligence.
2. Challenges with PC Data Handling:
o The informal nature of PC usage does not align well with the strict data security methods
developed for mainframes.
o Unless back-up responsibilities are clearly assigned, users may assume that someone else is
managing data security, which can lead to data loss.
3. Server-Based Applications:
o The shift to server-based applications places backups under the control of IT staff, who
follow a set schedule.
o This centralized approach reduces the burden on individual users to handle backups.
4. Media Disposal:
o Secure disposal of media is critical when it reaches the end of its life or becomes faulty.
o Simply deleting files does not remove all traces; in many cases, deleted files can be recovered.
o To ensure data is not accessible to unauthorized users, media must be destroyed or rendered
permanently unusable.
o The chapter references further details on media disposal in Chapter 55 (Data Retention and
Disposal).
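Two of the control objectives that follow (data is adequately backed up; retained data remains in a usable form) are only met if a back-up is actually restorable and matches what was backed up. The script below is an added example, not from these notes or any particular product: it archives a directory, writes a SHA-256 manifest beside the archive, and then verifies the back-up by restoring it to scratch space and comparing every file with its recorded digest. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not part of these notes): a back-up with an integrity manifest
and a restore check.

Archives a directory, writes a SHA-256 manifest beside the archive, then proves
the back-up is usable by restoring it to scratch space and comparing every file
with its recorded digest. Paths and sample files are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file path (relative to source_dir) to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def backup(source_dir, backup_dir):
    """Write archive and manifest; return (archive_path, manifest_path)."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "backup.tar.gz")
    manifest_path = os.path.join(backup_dir, "backup.manifest.json")
    manifest = build_manifest(source_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):          # archive exactly what the manifest lists
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore to a scratch directory and compare with the manifest.

    Returns {"ok": bool, "missing": [...], "corrupt": [...], "extra": [...]}.
    A back-up that cannot be restored, or restores to different content, is
    reported instead of being silently trusted.
    """
    with open(manifest_path) as f:
        expected = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction filter (Python 3.12+)
            except TypeError:
                tar.extractall(scratch)                 # older interpreters lack the parameter
        actual = build_manifest(scratch)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected
                     if p in actual and not hmac.compare_digest(actual[p], expected[p]))
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def demo():
    """Build a small constructed data set, back it up, verify, then simulate a bad back-up."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "2009-q3.csv"), "w") as f:
            f.write("account,amount\n1000,42.00\n")      # constructed sample content
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample file\n")
        archive, manifest = backup(src, os.path.join(work, "backups"))
        clean = verify_restore(archive, manifest)
        # Alter one recorded digest to stand in for an archive whose content has changed.
        with open(manifest) as f:
            m = json.load(f)
        m["notes.txt"] = "0" * 64
        with open(manifest, "w") as f:
            json.dump(m, f)
        tampered = verify_restore(archive, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The restore-and-compare step is the point: a back-up job that only reports "completed" says nothing about whether the media can be read back or whether the content is intact, which is what an auditor testing the back-up objective wants evidence of.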

Control Objectives
- To ensure that critical systems and data are adequately and frequently backed up to protect the
business operations and integrity of the organization.
- To provide the means to recover promptly and accurately from system failure or invalid processing
situations.
- To ensure that the organization’s data is adequately protected from loss, damage and leakage.
- To ensure that all corporate data is safeguarded and retained.
- To ensure that retained data remains in a usable and accessible form.
- To ensure that the organization is capable of complying with the prevailing data retention legislation
and regulations.
- To ensure that data storage facilities provide the appropriate environmental conditions to prevent
deterioration or damage to media.
- To ensure that media staff are appropriately skilled in media handling techniques.
- To ensure that all media and data are accurately identified, trailed and accounted for.
- To ensure that media and data are not prematurely disposed of or destroyed.
- To prevent the infection of media and systems with viruses.
- To ensure that users are made aware of their responsibilities with regard to the back-up and
protection of PC data.
- To ensure that only the correct data are used for processing operations.
- To ensure that faulty or defective media are identified, replaced and disposed of by a means that
makes them unusable.
- To prevent the unauthorized use of media and data.

Removable Media
Risks Associated with Removable Media Devices:
 Examples of Removable Media: USB memory sticks, data CDs, DVDs, portable external hard drives.
 Key Risks: Loss, theft, or misuse of devices can result in breaches of sensitive information. Incidents
have included memory sticks or CDs with customer data being lost or left in public places.
 Survey Findings:
o 78% of companies with stolen computers did not encrypt hard drives.
o 67% did not prevent confidential data from leaving on USB devices.
o Only 11% restricted or monitored the use of removable devices.
Security Considerations for Removable Media:
 Sensitive Data: Organizations may ban removable media for handling personal, sensitive, or
confidential data to reduce risks of exposure or theft.

Implementing a Removable Media Policy:


To protect data, organizations should implement a Removable Media Policy that includes the following:
1. Clear Definitions of Covered Devices:
o Data CDs, DVDs, optical disks, external hard drives, USB memory sticks, SD cards, embedded
microchips, digital cameras, cassettes, and audio recording formats.
2. Restricted Usage:
o Only approved, specified devices should be used. Devices not physically or logically capable
of supporting removable devices (e.g., "Thin Client" systems) are preferred.
o Personal devices must be explicitly prohibited from official duties.
3. Controlled Distribution:
o Limit the use of removable media to a small group of authorized employees. Ensure that
devices are issued and recovered securely.
4. Data Handling Guidelines:
o Removable media should only supplement data storage and not become the primary storage.
o Devices must have password protection, encryption, and security measures applied,
including when used outside the workplace.
5. Logging and Monitoring:
o Enable event logging for file copying or downloading. Disabling the relevant software or hardware
can prevent unauthorized copying.
6. Breach Reporting:
o Report, log, and investigate any breaches of security related to removable media
immediately.
7. Usage Restrictions:
o Prohibit the use of removable media to transfer data to external parties.
o Remove data from devices promptly after use to reduce the risk of unauthorized access.
8. Media Disposal:
o Return and ensure the irreversible destruction of damaged or faulty removable media.
o Protect devices from virus infections and the spread of malicious software.

Control Objectives
- To ensure that the use of removable media devices is appropriate, sanctioned and protects the
organization from data loss, theft or unauthorized disclosure.
- To ensure that all employees are aware of required, appropriate and secure use of removable media
devices and of their specific responsibilities for data security.
- To avoid the loss, theft and/or subsequent misuse of data and information held on removable media
devices.
- To prevent the infection of removable media devices with viruses and other malicious software and
the associated onward transmission and dispersal of infected files.
- To ensure that management are fully aware of any actual or suspected information security incidents
relating to removable media devices as a means to take appropriate action to prevent or limit any
possible future recurrence.

System and Operating Software (including Patch Management)


 System and Operating Software is critical for the operation of computers, determining how data is
handled, stored, and processed.
 Examples include Microsoft Windows™ (such as XP™ and Vista™) and Apple Mac™ OS.
 Operating systems for networking and server environments are more complex and require expertise
for configuration and use.

Importance of Keeping Software Updated:


 Keeping system and operating software up to date is essential for maintaining security and
functionality.
 Updates include bug fixes, security patches, and official upgrades. Failing to update exposes the
organization to risks like viruses, malware, and spyware.

Types of Software Updates:


1. Patch or Fix: Enhances performance or addresses bugs in the system.
2. Driver: Supports hardware devices like printers and scanners. Applying the latest driver can solve
issues and improve performance.
3. Service Pack or Release: A bundle of updates or patches to bring software to a certain level (e.g.,
Version 1.1).
4. Update: Adds or improves software functionality, leading to new versions (e.g., from Version 1.0 to
2.0).
5. Build or Version: Sequential version numbering to track progressive updates and improvements in
the software.

Costs and Maintenance Agreements:


 Patches within the same software version (e.g., V3.1, V3.2) are usually free if the organization has a
maintenance agreement.
 A new version or build (e.g., V3 to V4) may require additional costs.
 Withdrawal of Support: Software suppliers may stop supporting older versions, forcing upgrades.

Patch Management:
Patch Management is the process of managing updates to system and operating software. Key issues include:
1. Defined Approach: A clear process for managing updates and patching, ensuring that they are
tested, justified, and appropriately applied.
2. Central Control: Patch management should be centrally controlled, not left to individual users.
3. Inventory Maintenance: Keep an updated inventory of all hardware and software components
requiring patches.
4. Responsibility Allocation: Designate a Patch Administrator to oversee the process.
5. Access to Update Information: Ensure access to reliable sources for new patch releases, updates,
and virus definitions.
6. Costs, Resources, and Time: Consider the resource and time impact on staff for patch deployment,
testing, and management.

Deployment of Patches:
 Testing: Test patches in a separate environment before deployment to ensure functionality and
prevent disruptions.
 Automation: Automated patch deployment can be efficient but requires monitoring for failures.
 Roll-back Capability: Always ensure the ability to revert to the previous version in case of
deployment problems.

Post-Deployment Monitoring:
 After deployment, monitor the environment for any unexpected or adverse issues.
 Update the central inventory with details of the deployment.

Control Objective
- To ensure that only authorised and reliable systems and operating software are used in order to
provide a stable basis for data processing operations.
- To ensure that the configuration of the systems/operating software supports the efficient running of
systems.
- To ensure that the operating system prevents unauthorised access to systems, data and facilities.
- To ensure that adequate and appropriately skilled staff are available to maintain the
systems/operating software.
- To ensure that all configuration changes or software amendments applied to the operating software
are valid, authorised and fully tested prior to implementation.
- To ensure that the use of privileged user or high-level facilities is valid, authorised, and suitably trailed.
- To ensure that the operating systems for personal computers are appropriately configured for
maximum performance and integrity.
- To ensure that personal computer operating systems are adequately protected from unauthorised
tampering.
- To ensure that the capability to recover from a major systems failure is maintained and periodically
tested.
- To ensure that error conditions, etc. are appropriately logged and followed up.
- To ensure that the use of powerful utility and diagnostic software is controlled and monitored in
order to prevent disruption of services or corruption of data and systems.

System Access Control (Logical Security)


 Purpose: To protect data and systems from unauthorized use through access control measures,
which is a key proactive security component.
 Common Methods: The most common access control method is a unique user ID and password,
with more secure environments using biometric methods (e.g., iris, fingerprint, voice recognition).
Access Based on "Need to Know":
 Tailored Access: Access is granted based on the individual’s need, ensuring that unnecessary or
sensitive areas not related to their role are restricted.
 Role Segregation: This tailored access supports segregation of duties, helping to prevent fraud or
inappropriate activities.
System Administrator Access:
 Higher Privileges: System Administrators may have access to higher-level system functions, which
should be restricted and closely monitored.
 Multi-Level Access: A user may need multiple IDs and passwords to access different levels, such as
the corporate network and specific application systems.

IT Access Policy Guidelines:


Management should develop an IT Access Policy with clear and comprehensive guidance:
1. Scope:
o Define who is affected (e.g., employees, contractors, temporary workers, and agents).
2. User Setup:
o New users should be set up with controlled authorization processes.
o Changes to existing access rights must be authorized and necessary.
3. User Accountability:
o Users must be reminded that all actions performed under their user IDs are logged.
4. Disabling Access:
o Access rights should be promptly disabled when an employee leaves or is suspended.
5. Regular Verification:
o Active user accounts should be regularly reviewed to ensure they are still relevant.
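The access-policy points above (disable leavers promptly, review active accounts regularly) and the earlier point on segregation of duties are the checks an auditor would run over the user list. The script below is an added example, not from these notes: it cross-checks a system's accounts against an HR status feed and last-login dates, flagging accounts that should have been disabled, dormant accounts, accounts with no identifiable owner, and users whose role combinations breach a segregation-of-duties rule. All user names, roles, dates and the conflict rules are constructed.

```python
"""Added example (not part of these notes): a periodic user-access review.

Cross-checks the system user list against HR status and last-login dates, and
checks role combinations against a segregation-of-duties rule set. All names,
roles, dates and rules below are constructed sample data.
"""
from datetime import date

DORMANT_DAYS = 90   # assumed review threshold

# Role pairs one person should not hold together (constructed rule set).
SOD_CONFLICTS = [
    ("create_supplier", "approve_payment"),
    ("enter_payroll", "approve_payroll"),
]

# System user list (constructed): user id -> roles and last login.
ACCOUNTS = {
    "alice": {"roles": {"enter_invoice"}, "last_login": date(2009, 11, 2)},
    "bob": {"roles": {"create_supplier", "approve_payment"}, "last_login": date(2009, 11, 5)},
    "carol": {"roles": {"view_reports"}, "last_login": date(2009, 5, 1)},
    "dave": {"roles": {"enter_payroll"}, "last_login": date(2009, 10, 30)},
    "svc_backup": {"roles": {"run_backup"}, "last_login": date(2009, 11, 6)},
}

# HR feed (constructed). The service account has no HR record.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "active", "dave": "left"}


def review(accounts, hr_status, today, conflicts=SOD_CONFLICTS, dormant_days=DORMANT_DAYS):
    """Return a list of (user_id, finding) pairs for follow-up."""
    findings = []
    for user, info in accounts.items():
        status = hr_status.get(user)
        if status is None:
            findings.append((user, "no HR record: confirm owner and justification"))
        elif status != "active":
            findings.append((user, f"HR status '{status}': account should be disabled"))
        if (today - info["last_login"]).days > dormant_days:
            findings.append((user, f"dormant for more than {dormant_days} days"))
        for a, b in conflicts:
            if a in info["roles"] and b in info["roles"]:
                findings.append((user, f"segregation of duties: holds both {a} and {b}"))
    return findings


def demo():
    """Run the review over the constructed data as at a fixed review date."""
    return review(ACCOUNTS, HR_STATUS, date(2009, 11, 10))


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

The review is only as good as the HR feed it is reconciled against, so the "no HR record" finding matters as much as the leaver finding: shared and service accounts with no named owner are where access rights most often go unreviewed.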

Password Security Standards:


1. Strong Passwords:
o Incorporate minimum length, upper/lowercase letters, numbers, and symbols to create
strong passwords.
2. Password Protection:
o Users must protect their passwords, avoiding writing them down or using "remember
password" features.
o Passwords should not be shared with others.
3. Periodic Changes:
o Password changes should be forced periodically by the system.
o Prevent password reuse or recycling.
4. Screen Obscurity:
o Passwords should be hidden when entered (e.g., using asterisks).
5. Failed Login Attempts:
o Limit unsuccessful attempts to access the system, which should result in account lockout and
incident logging for follow-up.
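The five password standards above can be enforced in code rather than left to user discipline. The following is an added example of my own, not from these notes or any particular system: it checks composition rules, blocks re-use against a history of salted password hashes (so the history itself never stores plaintext), and locks the account with a logged incident after a limited number of failed attempts. The thresholds and the sample account are constructed; a real system would take the numbers from policy.

```python
"""Added example (not part of these notes): enforcing the listed password standards.

Thresholds and the sample account are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12       # assumed policy values
MAX_FAILED = 5
HISTORY_DEPTH = 8
PBKDF2_ROUNDS = 200_000


def check_strength(password):
    """Return the list of rules the password fails (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def derive(password, salt):
    """Salted, iterated hash so stored values cannot be turned back into passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id):
        self.user_id = user_id
        self.current = None      # (salt, digest)
        self.history = []        # previous (salt, digest) pairs, newest last
        self.failed = 0
        self.locked = False
        self.events = []         # incident log for follow-up

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(derive(password, salt), digest)

    def set_password(self, password):
        """Apply the strength rules and the no-reuse rule; return any problems."""
        problems = check_strength(password)
        if problems:
            return problems
        previous = ([self.current] if self.current else []) + self.history
        if any(self._matches(password, entry) for entry in previous):
            return ["password was used recently"]
        if self.current:
            self.history.append(self.current)
            self.history = self.history[-HISTORY_DEPTH:]
        salt = os.urandom(16)
        self.current = (salt, derive(password, salt))
        self.failed = 0
        return []

    def login(self, password):
        """Verify; count failures; lock out and log once MAX_FAILED is reached."""
        if self.locked:
            self.events.append(("rejected-locked", self.user_id))
            return False
        if self._matches(password, self.current):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked = True
            self.events.append(("lockout", self.user_id, self.failed))
        return False


def demo():
    """Walk one constructed account through the rules; return what happened."""
    acct = Account("jsmith")
    weak = acct.set_password("summer09")                  # too short, no upper-case, no symbol
    first = acct.set_password("Corr3ct-Horse!Battery")     # accepted
    reused = acct.set_password("Corr3ct-Horse!Battery")    # blocked: same as current
    ok_login = acct.login("Corr3ct-Horse!Battery")
    for _ in range(MAX_FAILED):
        acct.login("wrong-guess")                          # repeated failures -> lockout
    after_lock = acct.login("Corr3ct-Horse!Battery")       # correct password, but locked
    return {"weak": weak, "first": first, "reused": reused, "ok_login": ok_login,
            "locked": acct.locked, "after_lock": after_lock, "events": acct.events}


if __name__ == "__main__":
    print(demo())
```

Screen obscurity (rule 4) sits in the user interface rather than here; everything else in the list is covered, and the lockout event is written to a log the incident process can pick up, which is what turns rule 5 from a nuisance for the user into something a security team can act on.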

External Access Security:


 Additional Controls: External connections to the organization’s network require additional controls,
such as two-factor authentication (e.g., password plus a key card or similar device).
 Prevent Unauthorized Access: These measures help secure remote access and protect against
malicious intrusion.

Control Objectives
- To ensure that systems and data are secure from unauthorised access and usage.
- To prevent disruption of the business caused by unauthorised access to computing facilities.
- To ensure that data are adequately protected from unauthorised amendment, loss or leakage.
- To ensure that all system usage is recorded and accounted for.
- To ensure that potential breaches of access security are promptly detected and reacted to.
- To ensure that staff are aware of their responsibilities for protecting company systems and data.
- To ensure that access passwords are of an acceptable standard and kept confidential.
- To ensure that access rights and associated records are kept up to date.

Personal Computers (Including Laptops and PDAs)


Global Popularity of PCs:
 By the end of 2008, there were an estimated 1.19 billion personal computers in use worldwide,
with 72% of these located in the top 15 countries.
 The total number of PCs was projected to reach 2 billion by 2014.
 PCs are now central to both social and business activities, thanks to their accessibility, reliability, and
power.
Advantages of PCs:
 PCs are easy to use, powerful, and flexible, especially when connected to networks.
 They have revolutionized working methods by enabling data sharing and collaboration.
Challenges of PC Use:
 Security Risks: The widespread use of PCs has led to concerns about security and access control.
 Organizational Reliance: As reliance on PCs grows, organizations face increased exposure to risks if
adequate security and usage protocols are not in place.

PC Acceptable Use Policy:


To manage the risks associated with PC use, organizations often implement a PC Acceptable Use Policy with
the following provisions:
1. Prohibited Activities:
o No use of PC resources for fraud, theft, or dishonesty.
o Personal use of PCs should be limited, with strict rules for non-work-related activities.
2. Software Restrictions:
o Prohibit downloading, installing, or using non-work-related software.
o Ensure that all software is approved through official procurement processes, properly
licensed, and virus-checked.
3. Corporate Data and Software:
o No copying of licensed or proprietary software or data belonging to the organization.
o No use of corporate PCs for private business ventures or activities.
4. Data Storage and Processing:
o Store, process, and print data only for official work purposes.
5. Email and Internet Use:
o Adhere to the organization’s Email Policy and Internet Usage Policy.
6. Legal Compliance:
o Ensure PC use complies with relevant laws and regulations, such as:
 Freedom of Information Act (2000)
 Data Protection Act (1998)
 Human Rights Act (1998)
 Electronic Communications Act (2000)
 Regulation of Investigatory Powers Act (2000)
 Copyright Designs and Patents Act (1988)
 Computer Misuse Act (1990)

Control Objectives
- To ensure that personal computers are consistently and securely used throughout the organisation as
a means of contributing to efficiency and the achievement of business objectives.
- To ensure that the use of all personal computers is justified and authorised.
- To ensure that only suitable industry standard personal computers are acquired from stable and
reliable suppliers capable of providing the required support.
- To ensure that all personal computers and ancillary equipment are effectively protected from loss,
theft or damage.
- To ensure that staff are suitably trained in the effective and efficient use of personal computing
facilities.
- To ensure that only authorised and licensed versions of software are used throughout the
organisation.
- To ensure that all PC equipment is correctly installed and appropriately configured.
- To prevent unauthorised configuration and software amendments being applied.
- To ensure that only authorised users are granted access to PC facilities.
- To ensure that the organisation conforms to the prevailing software licensing conditions.
- To prevent the unauthorised copying and theft of PC software and data.
- To prevent the loading of unauthorised software.
- To ensure compliance with the requirements of the Data Protection legislation.
- To ensure that business disruption caused by hardware failure is minimised.
- To prevent the infection of PC equipment and other IT facilities with viruses, and to deal promptly
and effectively with any suspected or actual infection.

Remote Working
 Remote access allows employees (e.g., those traveling, working from home, or at other locations) and
authorized contractors to access an organization’s network and data systems.
Key Findings from 2008 UK Information Security Breaches Survey:
 54% of companies allow remote access for employees.
 84% restrict which staff can access systems remotely and what systems they can use.
 53% require additional passwords beyond standard network sign-on.
 9% use strong authentication methods (e.g., tokens, smart cards, biometric verification).
 44% use Virtual Private Networks (VPNs) for secure access.

Remote Working Policy Components:


To ensure secure remote access, organizations should implement a Remote Working Policy covering:
1. Scope:
o Define which employees, contractors, and partners can access systems remotely. Some roles
may not be granted access under specific circumstances.
2. Authorized Devices:
o Policy applies to devices such as:
 Personal computers
 Laptops
 Tablet PCs
 PDAs
 Mobile phones
 Wireless devices
3. Assessment and Authorization:
o Ground rules should establish how employees are assessed and authorized for remote work
and necessary facilities provided.
4. Equipment Ownership and Standards:
o The organization retains ownership of all equipment and has the right to maintain or recover
it.
o All equipment must meet technical standards to support secure connections, especially for
high-security environments (e.g., government networks).
o Employee-owned equipment may be excluded for reliability and liability reasons.
Security Measures for Remote Access:
1. Approved Software and Configuration:
o Only licensed software tailored to the user’s needs is provided.
o Unwanted or unnecessary applications should be removed.
2. Encryption and Anti-virus:
o Use encryption for all remote access transmissions.
o Ensure anti-virus and malware software is installed and kept updated.
3. Data Storage and Audits:
o Avoid storing key data on remote devices (e.g., local drives); store data on secure central
servers.
o Conduct periodic audits to ensure compliance with policies and procedures.
4. Removable Media:
o Follow Removable Media Policy guidelines for secure use of devices like USBs and external
drives.

Employee Responsibilities:
1. Equipment Protection:
o Employees must take care of the equipment, preventing damage, loss, or theft, especially
during transit or at remote locations.
o Avoid leaving equipment in open view (e.g., in cars or client sites).
2. Workplace Setup:
o If possible, use a secure area in the home for work purposes that can be locked when not in
use.
3. Computer Security:
o Log off or disable computers when unattended.
o Prevent unauthorized persons (e.g., visitors or other employees) from accessing corporate
information.
4. Device and Information Protection:
o Secure access devices, removable media, and hardcopy information, storing them separately
from computers when not in use.
5. Prohibited Actions:
o Do not change system or software configurations.
o No unauthorized software (e.g., screensavers) or hardware installations.
o No use of corporate equipment for personal business activities.
6. Compliance and Reporting:
o Report faults or suspected security breaches to the central IT Helpdesk.
o Comply with all IT and Information Management policies.

Other Important Restrictions:


 Family members and visitors should never use company equipment.
 Do not take equipment outside the country unless authorized.
 Follow proper procedures for the destruction of waste information (e.g., shredding hard copies).

Control Objectives
- To ensure that remote access is only granted to and provided for use by authorised users (including
non-employees) and in justified circumstances.
- To ensure that the technical basis for remotely accessing the organisation’s systems and data is
sufficiently robust and reliable in order to protect such information assets from loss, unauthorised
access or unlawful disclosure.
- To ensure that the basis for providing remote access to IT facilities is clearly defined together with
the employee’s specific responsibilities.
- To ensure that the non-work use of the provided facilities is clearly defined and enforced.
- To effectively protect systems and data and to retain their accuracy and integrity.
- To provide and install adequate, robust and industry standard hardware and supporting devices and
to maintain them in working order.
- To ensure that adequate physical security measures are in place to protect the hardware, software
and hardcopy information from theft, loss, damage or corruption.
- To ensure that appropriate and licensed software is provided and correctly configured for secure and
efficient use.
- To ensure that log-on processes are appropriately secure and operate in accord with any prevailing
required technical standards.
- To actively prevent the loading or use of unauthorised software or code.
- To prevent the interception or other misuse of network transactions and data flow.
- To ensure that the storage and back-up of data is suitably robust, including protecting the storage
devices from loss or theft.
- To ensure that all aspects of remote working are conducted lawfully and comply with the current
documented policies and procedures.

Email
Global Email Usage:
 Email Marketing Reports (Austria) estimates that 247 billion emails are sent daily worldwide,
with the number projected to nearly double to 507 billion by 2013 (Radicati Group).
 In 2009, 81% of email traffic was expected to be spam.
Email's Role in Organizations:
 Email is a vital communication tool, used for both marketing and internal/external communication.
 However, email can waste time, spread malware, and be a platform for inappropriate behavior.

Key Findings from 2008 BERR Information Security Breaches Survey (UK):
 97% of companies filter incoming emails for spam.
 95% scan incoming emails for viruses.
 94% quarantine suspicious email attachments.
 84% do not scan outgoing emails for confidential data.
 33% encrypt email messages with main business partners.
 26% scan email content for inappropriate material.

Email Usage Risks and Security Concerns:


 Email is not always secure, especially when sent outside the organization, leaving emails vulnerable
to interception.
 Sensitive data should be handled through secure networks where possible.

Email Usage Policy (or Acceptable Use Policy) Components:


Organizations should establish a formal Email Usage Policy to guide and control employee email practices.
The policy should cover:
1. Scope:
o Applies to all users, including employees, contractors, and non-employees.
2. Primary Purpose:
o Email facilities are for official business.
3. Access and Authorization:
o Access to email is granted as necessary for employees to fulfill their duties.
o Unauthorized access or usage is a disciplinary offense.
4. Official Records:
o Emails are part of the organization’s official records and subject to the same security,
handling, and disclosure requirements.
5. Legal Compliance:
o Emails must comply with applicable laws, including the Data Protection Act and Freedom of
Information requirements.
6. Email Disclaimers:
o All outgoing emails should carry disclaimers that include:
 Intended for the named recipient only.
 May be monitored.
 Contents may be confidential.

Employee Responsibilities:
1. Appropriate Use:
o Emails should support business activities; personal use of email should be limited to breaks
and not interfere with operations.
o Personal emails should include disclaimers stating that the contents are not official
communications from the organization.
2. Confidentiality:
o Confidential emails should be clearly marked and handled according to appropriate
standards (e.g., using encryption).
3. Monitoring:
o Emails may be monitored to ensure compliance with policies and to prevent inappropriate
use.
4. Prohibited Actions:
o Employees must not:
 Use email to distribute inappropriate material (e.g., obscene, defamatory, or
discriminatory content).
 Engage in activities that could damage the organization’s reputation.
 Forward private communications without consent.
5. IT Security:
o Do not circumvent antivirus or security systems.
o Report any suspicious or unsolicited emails to IT immediately.

Email Management Tips:


1. Efficient Use:
o Regularly check and respond to emails.
o Avoid copying unnecessary people.
o Ensure attachments are in accessible formats.
o Do not use email to avoid difficult conversations or provoke confrontations.
2. Spam and Malware:
o Delete spam emails immediately without opening.
o Be cautious with attachments from unknown sources.
3. Out of Office:
o Use the Out of Office Assistant when absent, providing alternative contacts.

Control Objectives:
- To ensure that corporate email facilities are reliable and efficient.
- To ensure that the permitted use of email is clearly defined for all users.
- To prevent wastage of resources, operational disruption or other adverse effects generated by the
inappropriate use of email.
- To ensure that consistent standards are applied to the format and content of official emails.
- To retain and protect email records as part of the organisation’s official documentation.
- To prevent the disruptions caused by spam email and emails containing viruses or other malicious
code.
- To ensure that the use of email is lawful and complies with the prevailing regulations.
- To ensure that personal or sensitive information contained within emails or attachments is
appropriately protected from loss or inappropriate disclosure.
- To ensure that any highly sensitive or restricted information is only emailed using recognised and
approved secure networks.
- To prevent the interception of corporate emails by unauthorised persons.
- To ensure that access to employees’ email accounts, in exceptional circumstances, is lawful and
granted with the explicit permission of the employee concerned.
- To monitor email usage as a means of determining any excessive usage or abuse of the permitted
levels of activity.

Internet Usage
Internet's Role in Society:
 The Internet has become one of the most powerful instruments of cultural and social change, akin
to the telephone, radio, and television.
 Initially developed in the 1960s, it grew from academic and military use (e.g., ARPANET, MILNET) to
a global network. By 2009, 1.7 billion users, or 24.7% of the world population, were online.
 Its impact has included the open availability of information, new ways of communication, and
business transformation.

Growth and Importance of Internet Usage:


 Between 2000 and 2009, Internet user growth was 362%, driven by cheaper hardware, improved
interconnectivity, and the spread of high-speed platforms like broadband and fiber optics.
 The Internet has become essential for business operations, government services, and citizen
engagement.

Internet Acceptable Usage Policy (AUP):


Organizations should develop a formal Internet Acceptable Usage Policy to manage and monitor
employees' Internet usage. Key components of the policy should include:
1. Scope of Policy:
o Defines who the policy applies to, the reasons for granting Internet access, and the permitted
scope of use.
2. Work-Related Internet Use:
o Employees should use the Internet primarily for business purposes, such as keeping up with
industry trends, conducting research, or authorized e-commerce activities.
o Focus on relevant content, avoiding distractions, and only downloading or printing necessary
materials.
3. Guidance on Information Sources:
o Employees should rely on approved, reliable, and recognized websites for accurate
information. Information from dubious or unverified sources should not be used for
decision-making.
4. Newsgroups and Discussion Boards:
o These can be valuable for research but may contain links to inappropriate sites. Participation
in non-work-related or controversial discussions should be avoided.
5. Personal Use of the Internet:
o Define when personal use is allowed (e.g., lunch breaks) and when it is prohibited (e.g., core
working hours).
o Personal Internet activities should not interfere with business operations or involve the
organization in liability.
6. Monitoring and Security:
o Employees should be aware that their Internet activity is monitored, including the extent
and nature of sites visited.
o Blocked access to inappropriate sites (e.g., adult content, violence, illegal substances) will be
logged.
o Users should protect their Internet user ID and password.

Prohibited Internet Activities:


The policy should prohibit access to the following types of content or activities:
 Adult or explicit content
 Illegal activities (e.g., hacking, phishing, cybercrime)
 Gambling or money-making schemes
 Malware, spyware, or downloading harmful software
 Social networking or personal business during work hours
 Streaming media, large downloads, and spam-related sites

Legal Implications:
• Users must be aware of the legal consequences of accessing inappropriate or illegal content, such as pornography or offensive materials, which can be subject to criminal prosecution.
• Any incident involving illegal content (e.g., child pornography) must be reported to authorities immediately.

Guidelines for Appropriate Internet Use:
• Employees should ensure that personal use of the Internet does not affect their work and complies with organizational rules.
• Emails and corporate information should not be shared or accessed through unapproved or personal email services.
• Employees should be cautious when browsing, ensuring that they are not exposing the organization to legal or security risks.

FILE 6: GOVERNANCE PROCESSES

1. Introduction to Governance Processes
• Main Focus:
o Governance processes, risk management, and internal control are intertwined and fundamental to corporate governance.
o Internal audit’s involvement spans internal governance processes, board oversight, and ensuring that the organization meets its accountability obligations to stakeholders.
• Key Aspects:
o Internal audit is expanding its role in board reviews and stakeholder accountability.
o Governance processes consist of promoting organizational ethics, managing performance, and maintaining communication between management and auditors.

2. Internal Control and Risk Management
• COSO Framework (1992 vs. 2004):
o 1992 COSO Framework: Risk management was treated as a subset of internal control.
o 2004 COSO Enterprise Risk Management Framework: Internal control now falls under risk management, broadening its scope.
• Internal Audit’s Role:
o Defined by the Institute of Internal Auditors (IIA) as an independent, objective activity designed to add value and improve operations.
o Helps organizations achieve objectives by enhancing the effectiveness of risk management, control, and governance processes.

3. Risk Management as Part of Governance
• Revised Standards:
o Standards now place risk management and governance in sequence: governance first, followed by risk management and control processes.
• Internal Audit’s Scope:
o Internal audit reviews governance processes, ensuring that risk management is effectively integrated into governance.
o The audit function assesses governance, risk management, and control processes holistically.

4. Governance and Audit Standards
• Relevant Standards:
o Standard 2110 (Governance): Internal audit must assess and make recommendations to improve governance.
o Standard 2120 (Risk Management): Evaluates the effectiveness of risk management processes.
o Standard 2130 (Control): Assesses the effectiveness and efficiency of controls, promoting continuous improvement.

5. Objectives of Governance, Risk Management, and Control Processes
• Key Objectives:
o Reliability and Integrity: Ensuring the reliability and integrity of financial and operational information.
o Efficiency: Evaluating the effectiveness and efficiency of operations.
o Asset Safeguarding: Ensuring that assets are protected from loss or misuse.
o Compliance: Ensuring compliance with laws, regulations, and contracts.
• COSO’s Contribution:
o COSO’s framework provides integrated objectives for risk management, control, and governance, shaping internal audit’s approach to these areas.

6. Promoting Ethics and Values within the Organization
• Key Issues:
o Does the organization have high ethical standards, and are they consistently applied?
o Are ethical policies, like codes of conduct and anti-bribery policies, in place and communicated effectively?
o Are whistleblowing mechanisms in place and accessible to staff and contractors?
• Internal Audit’s Role:
o Evaluates the effectiveness of policies related to ethics and transparency.
o Reports to the board on organizational culture, ethical standards, and transparency.

7. Ensuring Organizational Performance Management and Accountability
• Key Issues:
o Do the board and management share a common understanding of the organization’s purpose?
o Are performance reports reliable and clear, enabling proper management oversight?
o Do performance appraisals align with organizational objectives, and are perverse incentives avoided?
• Internal Audit’s Role:
o Assesses whether performance management systems are in place and functioning correctly.
o Reviews job descriptions, performance appraisals, and alignment of rewards with the organization’s goals.

8. Communication of Risk and Control Information
• Key Issues:
o Is risk and control information communicated effectively throughout the organization, from management to employees and vice versa?
o Has the organization defined its risk appetite, and is risk management embedded into its culture?
• Internal Audit’s Role:
o Ensures that risk communication flows both ways, between management and employees.
o Assesses whether risk management processes are shared and understood across the organization.

9. Coordination Among the Board, Auditors, and Management
• Key Issues:
o Are internal and external auditors working independently and avoiding conflicts of interest?
o Does the audit committee ensure the quality and independence of the external audit?
• Internal Audit’s Role:
o Coordinates activities between internal and external auditors to avoid duplication of work.
o Ensures that information is communicated clearly among the board, auditors, and management.

10. Risk and Control Issues for the Board
• Setting Organizational Direction:
o Internal audit reviews whether the board effectively oversees strategy and performance.
o The board must receive timely, reliable, and clear information to direct the organization.
• Oversight of Management:
o Internal audit assesses whether the board sufficiently challenges management and whether non-executive members are well-informed.
o It also evaluates whether the board gets assurance from internal audit on the implementation of board policies and risk management.

11. External Governance Processes
• Key Objectives:
o Stakeholder Relations: Ensuring the organization considers the interests of owners and other stakeholders.
o Accountability: Transparency in the organization’s accountability to stakeholders, including shareholders.
o Stakeholder Control: Ensuring stakeholders are well-informed and can exercise control over their stakes.
• Internal Audit’s Role:
o Helps ensure that the organization’s accountability is transparent and stakeholder interests are adequately considered.
o Supports external governance processes through engagements like sustainability audits and evaluating corporate social responsibility (CSR) efforts.

12. Addressing the Assurance Vacuum
• Key Issue:
o Many boards are unaware of internal and external risks, a problem highlighted by the global financial crisis.
o Boards need independent assurance on risk and control matters, and internal audit can help fill this gap.
• Internal Audit’s Role:
o Reports directly to the board, bypassing management where necessary, to provide independent assurance.
o Works to ensure that reports and findings presented to the board are free from management influence.

FILE 7: INTERNAL CONTROL PROCESSES

1. Introduction to Governance Processes
• Main Idea: Governance, risk management, and internal control are crucial elements of corporate governance. Internal audit helps ensure these processes run effectively, playing a key role in reviewing and enhancing governance systems, monitoring board performance, and ensuring accountability to stakeholders.
• Key Concepts:
o Internal Audit Role: Acts as a third-party review to enhance internal governance processes.
o Integration with Board: Internal audit is increasingly involved in reviewing board performance and providing feedback to improve organizational accountability.

2. Internal Control and Risk Management
• Historical Development:
o COSO Framework (1992 vs. 2004): Initially, risk management was considered part of internal control, but since 2004, internal control became a subset of the broader risk management framework.
o AICPA’s Role: Earlier definitions focused on safeguarding assets and ensuring the reliability of accounting data. This evolved over time into broader interpretations covering operational efficiency and regulatory compliance.
• Key Components:
o Internal Control as a Process: Defined as a systematic approach by management to ensure effective operations, reliable reporting, and compliance with laws and regulations.

3. Risk Management as a Core Part of Governance
• Revised Approach:
o Risk management is now viewed as an integral component of governance, with internal control processes embedded within it.
o Internal Audit’s Role: Review the processes behind governance, risk management, and internal control to ensure they are sound and effective.

4. Governance and Audit Standards
• Audit Standards:
o Standard 2110 (Governance): Ensures that internal audit assesses and recommends improvements to the governance process.
o Standard 2120 (Risk Management): Evaluates the effectiveness of risk management processes.
o Standard 2130 (Control): Ensures continuous improvement of control effectiveness and efficiency.

5. Objectives of Governance, Risk Management, and Control
• Main Objectives:
o Reliability of Information: Ensuring accurate and reliable financial and operational data.
o Efficiency of Operations: Assessing operational effectiveness.
o Compliance and Safeguarding of Assets: Protecting assets from loss and ensuring compliance with legal regulations.
• COSO’s Contribution: The 1992 COSO framework shaped these objectives and integrated them into modern governance practices.

6. Promoting Ethics and Organizational Values
• Key Concerns:
o Ethical Standards: Does the organization have clearly communicated ethical policies and standards?
o Whistleblowing Policies: Are there effective mechanisms for employees to report misconduct?
• Internal Audit’s Role:
o Auditors help ensure that the organization’s policies align with ethical standards and that these values are reflected across all levels of the organization.

7. Ensuring Organizational Performance and Accountability
• Performance Evaluation:
o Does the organization have a clear understanding of its objectives?
o Is management’s progress toward meeting these objectives properly tracked?
• Internal Audit’s Contribution:
o Audit teams review job descriptions, performance assessments, and reward structures to ensure alignment with organizational goals and to avoid misaligned incentives.

8. Communication of Risk and Control Information
• Top-Down and Bottom-Up Communication:
o Risk and control information must be effectively communicated from senior management to employees and vice versa.
• Internal Audit’s Role:
o Ensure risk perceptions and concerns are communicated appropriately at all levels and across departments.

9. Coordination Between the Board, Auditors, and Management
• Coordination Issues:
o How well do internal and external auditors coordinate their efforts?
o Does the audit committee ensure the independence and quality of external audits?
• Internal Audit’s Contribution:
o Internal audit helps facilitate coordination between these groups, ensuring seamless communication and avoiding duplication of effort.

10. Risk and Control Issues for the Board
• Setting Organizational Direction:
o Does the board receive reliable information to guide strategic direction?
o Are non-executive members sufficiently informed to challenge management decisions?
• Internal Audit’s Role:
o Internal audit reviews whether the board’s strategic direction aligns with organizational objectives and assesses how well the board oversees management.

11. External Governance Processes
• Key Objectives:
o Stakeholder Relations: The organization must maintain transparent and accountable relationships with shareholders and other stakeholders.
o External Governance Accountability: Ensuring transparency in accountability to stakeholders and enabling them to exercise control over their interests.
• Internal Audit’s Role:
o Evaluates how well the organization’s governance processes address external accountability and transparency.

12. Addressing the Assurance Vacuum
• Key Issue:
o In many organizations, boards are unaware of critical internal and external risks. The assurance vacuum must be filled by internal audit.
• Internal Audit’s Contribution:
o Internal auditors report directly to the board, providing independent assessments to fill gaps in assurance and ensure risks are managed effectively.

13. Internal Control Processes
• COSO Framework for Internal Control:
o Five essential components: control environment, risk assessment, control activities, information and communication, and monitoring.
o The control environment sets the tone for internal control through ethics, competence, and leadership commitment.
• Key Control Objectives:
o Control Activities: These involve mechanisms such as authorizations, reconciliations, and segregation of duties to ensure operations proceed as planned.
o Monitoring: Ensures that control processes remain effective over time, adjusting as needed to handle emerging risks and challenges.

14. Ensuring Effectiveness of Internal Control
• Effectiveness Measures:
o Regular evaluations and internal audits are necessary to ensure that control processes are achieving their objectives.
o If issues arise, management must address them promptly, ensuring continuous improvement.
• Control Cost-Effectiveness:
o Ensuring controls are cost-effective without compromising their ability to safeguard assets and ensure reliable financial reporting.
