Week 1 Audit in An IT Part 1 1

The document outlines the objectives and responsibilities related to auditing in an EDP environment, focusing on the Sarbanes-Oxley Act's Sections 302 and 404. It emphasizes the importance of internal controls, particularly within IT systems, and details the COSO framework for effective internal control design and evaluation. Additionally, it discusses various control activities, risks associated with computer-based information systems, and audit procedures to ensure compliance and security in financial reporting.

Uploaded by sheena zurita

KORBEL FOUNDATION COLLEGE, INC.

Purok Spring 1, Brgy. Morales, Koronadal City


Contact No. 228-1996/887-2051
Lecturer: Ipril Joy R. Naquita, CPA A.Y. 2020-2021
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AUDIT IN AN EDP ENVIRONMENT PART 1: GENERAL CONTROLS

WEEK 1 Objectives:
1. Understand the key features of Sections 302 and 404 of Sarbanes-Oxley Act
2. Understand the management and auditor’s responsibilities under Section 302 and 404
3. Understand the risks of incompatible functions and how to structure the IT function
4. Be familiar with the controls and precautions to ensure the security of an organization’s computer facilities
5. Identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual
exposures

INTRODUCTION
A weak internal control system is an increasing concern for most business organizations (Oseifuah & Gyekyu, 2013).
An internal control system comprises the policies, practices, and procedures employed by the organization to achieve its
objectives (Hall, 2008), ensuring that corporate objectives are met under conditions of reliable financial reporting,
compliance with laws and regulations, accuracy, efficiency and safeguarding of assets (Doxey, 2019).
This module provides an overview of management's and auditors' responsibilities under Sections 302 and 404 of the
Sarbanes-Oxley Act (SOX). The design, implementation, and assessment of internal control over the financial reporting
process form a central theme of the discussion. The study of internal control follows the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) control framework.

Internal Control COSO Framework

James C. Treadway, Jr., Executive Vice President and General Counsel of Paine Webber and a former Commissioner of
the Securities and Exchange Commission (SEC) in the United States (US), formed the Commission. The commission was
sponsored and funded by five US private sector organizations: the American Accounting Association (AAA), the American
Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal
Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants (IMA)). These
organizations are collectively called the Committee of Sponsoring Organizations (COSO) (Deloitte, 2019).

The COSO group was charged by the Securities and Exchange Commission with developing integrated guidance on
internal control. As a result, it released a framework for designing, implementing and evaluating internal control in
organizations. The framework was designed to help businesses establish, assess and enhance their internal control. The
quality of internal control over operations and financial reporting determines the quality of the financial statements
produced. The process gives users of the information reasonable assurance that the assertions presented in the financial
statements are accurate and can be relied upon for decision making (Doxey, 2019).

According to COSO, internal control has five components: the control environment, risk assessment, control
activities, information and communication, and monitoring. The organization demonstrates a commitment to integrity and
ethical values, and specifies objectives with sufficient clarity to enable the identification and assessment of risks relating
to the internal control objectives. In addition, it selects control activities that mitigate risk to acceptable levels, uses
relevant information to support the other components, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning (Gantz, 2014).

The purpose of internal control is to ensure that corporate objectives are met under conditions of reliable financial
reporting and compliance with the laws governing the company. According to Associate Professor Goh Beng Wee (2015)
of the Singapore Management University (SMU) School of Accountancy, such controls range from segregation of duties,
authorization of transactions and record retention to physical safeguards.

Relationship between IT Controls and Financial Reporting


Under COSO, information technology (IT) internal controls are divided into application controls and general
controls. The objectives of application controls are to ensure the validity, completeness, and accuracy of financial
transactions. An example is a payroll system limit check that identifies employee time card records with reported hours
worked in excess of a predetermined normal limit. General controls are so named because they are not application-
specific but apply to all systems. They have an effect on transaction integrity: they are needed to support the
functioning of application controls, and both are needed to ensure accurate financial reporting.

INFORMATION SYSTEM AUDITING AND ASSURANCE: AUDIT IMPLICATIONS



The following discussion assumes a basic understanding of the audit process. Specifically, the reader should:
1. Be able to distinguish between the attest function and assurance
2. Understand the concept of management assertions and recognize the relationship between assertions and audit
objectives
3. Know the difference between tests of controls and substantive tests and understand the relationship between
them

IT Governance Controls
The discussion of each of these governance issues begins with an explanation of the nature of the risk and a
description of the controls needed to mitigate it. Then, the audit objective is presented. These control objectives
and associated tests may be performed by internal auditors providing evidence of management’

An IT audit assesses the implementation, operation, and control of computer resources.

IT audits are often conducted by a department named IT Risk Management, IS Risk Management, or Operational Systems
Risk Management.
IT audits are typically divided into three stages:
• Audit planning: analysis of risk, determination of primary exposures, and determination of the relevant controls
for reducing risk.
• Tests of controls: determine whether there are adequate, effective, properly functioning internal controls.
• Substantive testing: detailed sampling investigation of transactions in account balances. Since this can be very
labor-intensive, computer-assisted audit tools and techniques (CAATTs) have been developed.

EFFECTS OF CBIS ON TRADITIONAL CONTROL ACTIVITIES


Control Activities:
1. Transaction Authorization
An organization should only process valid transactions. Valid means that they actually occurred and that they were
authorized to occur. Computer controls need to be routinely tested to make sure that their authorization and capture
controls are present and functioning properly.

2. Segregation of Duties
The following three activity types must be separated from each other in order to reduce the risk of fraud and
embezzlement: authorization, execution (who has asset custody), and record keeping. These separations are masked or
non-existent in computer systems, and controls need to be routinely tested to make sure that their authorization and
capture controls are present and functioning properly.
Separation of control over journals, subsidiary ledgers, and general ledgers is an important segregation of duties
in the accounting function. This segregation should be physical as well as organizational.
In computer services departments, the following should be separated: systems development from computer
operations, the database administrator (DBA) from other functions, the DBA from systems development, and new
systems development from maintenance.
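The incompatible-function pairs listed above can be checked mechanically against a role assignment. This is an added example, not from the handout; the function names, the reading of "DBA from other functions" as DBA/operations, and the sample staff are constructed for the demo.

```python
from itertools import combinations

# Function pairs the lecture says must not sit with the same person:
# the three accounting activity types, the three ledger controls, and
# the IT-department separations (DBA/operations is our reading of
# "DBA from other functions").
INCOMPATIBLE = {
    frozenset(p) for p in [
        ("authorization", "custody"),
        ("authorization", "record_keeping"),
        ("custody", "record_keeping"),
        ("journals", "subsidiary_ledgers"),
        ("journals", "general_ledger"),
        ("subsidiary_ledgers", "general_ledger"),
        ("systems_development", "computer_operations"),
        ("dba", "systems_development"),
        ("dba", "computer_operations"),
        ("systems_development", "maintenance"),
    ]
}

def find_conflicts(assignments):
    """assignments: {user: set of functions held}.
    Returns a sorted list of (user, function_a, function_b) for every
    incompatible pair held by one person."""
    conflicts = []
    for user, funcs in assignments.items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                conflicts.append((user, a, b))
    return sorted(conflicts)

def unsupervised_conflicts(assignments, supervised):
    """Supervision is the lecture's compensating control for a lack of
    segregation: return the users whose conflicts have no supervisor."""
    conflicted = {user for user, _, _ in find_conflicts(assignments)}
    return sorted(conflicted - set(supervised))

# Constructed sample: a small accounting/IT staff with conflicts in both
# the accounting functions and the IT functions.
SAMPLE = {
    "alice": {"authorization"},
    "bob": {"custody", "record_keeping"},
    "carol": {"systems_development", "maintenance"},
    "dave": {"dba", "systems_development"},
    "erin": {"computer_operations"},
    "frank": {"journals", "subsidiary_ledgers", "general_ledger"},
}
```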

3. Supervision
Supervision is typically a compensating control for a lack of segregation of duties, or for when employees are being
trained. The underlying assumption is that the firm employs competent and trustworthy employees.

Several factors make adequate supervision difficult in a CBIS:

(1) Due to high current demand, it is difficult for businesses to attract competent IS employees.
(2) Additional risks are involved: re-staffing and evaluating performance are further complicated by rapid change in
technology, and IS work involves both technical skills and opportunities, a combination that is risky to the
integrity of a business’ data.
(3) Management is typically unable to adequately observe employees in an IS environment.

4. Accounting Records
In a manual system, accounting records provide the audit trail. In a CBIS environment, such documentation may not
exist in paper form: records are in magnetic form, are fragmented, and are stored in normalized database tables. The
audit trail takes the form of pointers, hashing techniques, indexes or embedded keys.

5. Access Control
Unauthorized access, either direct (to the asset) or indirect (to the records or processing programs), to a company’s
assets can result in many risks: misappropriation, illegal use, theft, and destruction. Data consolidation exposes the
company to fraud and to losses from disasters.
Access to the assets, to the records, and to the processing programs is required and should be based upon the “need
to know.” Research indicates that error and fraud exposures occur most frequently in the maintenance stage of the SDLC,
that is, when the computer assets are being utilized rather than developed.
Access controls include: limiting personnel access authorities, physical access barriers, proper backup policies, and
disaster recovery capabilities.

6. Independent Verification
Independent checks are indirect responsibilities that identify errors and misrepresentations after the fact (compare
supervision, which occurs during the activity and involves direct responsibility).
Independent verification assesses:
• The performance of individuals
• The integrity of the processing system
• The correctness of the data elements
Independent verification procedures include:
• Periodic batch total reconciliations
• Periodic comparisons of physical assets to accounting records
• Reconciliation of subsidiary ledgers to general ledger control accounts
• Reviews of management reports
• Periodic audits by internal auditors and external independent auditors

GENERAL CONTROL FRAMEWORK FOR COMPUTER-BASED INFORMATION SYSTEM (CBIS) EXPOSURES

The focus is on identifying the primary areas of risk, the nature of the exposures and the control techniques that
exist to reduce the exposures.
I. General controls categories (company-wide focus and scope) include:
1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. System development and maintenance controls
5. Computer center security and controls
6. Internet and intranet controls
7. Electronic data interchange controls
8. Personal computer controls
II. Application controls (sub-system specific, narrow scope and focus)

1.0 OPERATING SYSTEM CONTROLS [Chapter 16]

The operating system allows users and applications to share and access common computer resources. The larger
the operating system, the greater the risks involved. The operating system performs three basic tasks:
• Translates programming languages into machine language (compilers and interpreters).
• Allocates computer resources to users, workgroups, and applications.
• Manages job scheduling and multi-processing, which can be done in three ways:
- Directly by the operator
- Through batch-job queuing
- Through telecommunication links from remote workstations

The operating system has five control objectives:

1. Protect itself from the users
2. Protect users from each other
3. Protect users from themselves
4. Protect users from self-harm
5. Protect itself from environmental influences (fire, water, dust, etc.)

1.1 Operating System Security

Operating system security controls who can access the operating system:
• Log-on procedures, with lock-outs after a few tries with a wrong password.
• Access tokens that record detailed user information and provide access authorizations.
• Access control lists that capture all directories, files, records and printers accessed during user sessions.
• Discretionary access control, which allows administrator override for specific authorizations.

1.2 Threats to Operating System Integrity

Operating systems themselves contain weaknesses and flaws that may be exploited by knowledgeable perpetrators to
browse, modify data or programs, or add viruses. These exposures come from three sources:
• Privileged personnel who abuse their authority
• Individuals who browse the operating system in order to identify and exploit security flaws
• Individuals who insert a virus or other form of destructive program into the operating system

1.3 Operating System Control Techniques

Operating system integrity can be preserved by:

• Controlling access privileges (these need to be closely monitored and maintained)
• Password control
- Reusable passwords: entered once, and then the system accepts the same password each time the user logs in.
(Make them complex, change them frequently, don’t write them down and store the note in obvious places, and
use lock-out procedures.)
- One-time passwords and smart-card technologies: combined with a reusable PIN, or with a challenge/response
approach where the network generates a code and the smart card uses a private algorithm to create a one-time
password.

Malicious and Destructive Programs

• Viruses are replicable code parasites that infect many different types of files (.exe, .com, .ovl, etc.), boot sectors
and device driver programs.
• Worms fill working memory so the system slows or stops.
• Logic bombs are viruses triggered by an upcoming event, such as a date or an employment termination.
• Back doors are open operating system passwords (guest, etc.).
• Trojan horses capture passwords from unsuspecting users by copying them into a separate file each time they are
typed. This is typically accomplished by bypassing the traditional log-on procedures.

Controlling Against Malicious and Destructive Programs

Recommended administrative and technological controls:
• Purchase software from reputable vendors in sealed packages.
• Establish a corporate-wide policy for the use of copyrighted, licensed software only.
• Test all upgrades and all public-domain software before installation.
• Establish educational programs.
• Test all new applications and programs on a stand-alone computer with current virus detection software.
• Make routine backups of key files.
• Limit users to read and execute privileges as much as possible. Deny write privileges unless needed for the job
description.
• Require log-on protocols to avoid Trojan horses.

Controlling Audit Trails

Audit trails can record activity at the system, application and user levels. Operating system options let management
choose the level of auditing to be recorded in the log:
• Keystroke monitoring records both the user’s keystrokes and the system response. Consider the possible legal,
ethical, and behavioral implications of this surveillance.
• Event monitoring records who logged on, when, for how long, and with which files and programs.

Audit Trail Objectives

Audit trail objectives support security objectives by:
• Detecting unauthorized access
• Facilitating event reconstruction
• Promoting personal accountability

Implementing an Audit Trail

Implementing an audit trail involves a cost-benefit analysis in deciding several issues:
• How much should you log? All transactions or only significant transactions?
• How is “significant” defined (by process, by account, by nature)?

Fault Tolerance Controls

Fault tolerance refers to the ability of the system to continue reliable operations in the event of hardware failure,
software failure, program error, or operator error. Redundant arrays of independent disks (RAID) and uninterruptible
power supplies are two common examples. Resource redundancies reduce these risks:
• Redundant arrays of inexpensive disks (RAID): if one disk fails, the lost data are automatically reconstructed from
the redundant components stored on the other disks.
• Uninterruptible power supplies: in case of supply failure, short-term backup power is provided to allow the system
to shut down in a controlled manner.
• Multiprocessing (more than one computer performing the processing).
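The RAID claim above, that a failed disk's data can be rebuilt from the redundant components on the other disks, rests on parity arithmetic. This added example (not from the handout) shows that arithmetic with XOR parity over constructed in-memory "disks"; it also shows the limit an auditor asks about when judging whether the RAID level fits the business risk: single parity survives only one failure per stripe.

```python
def parity_block(blocks):
    """XOR of equal-length byte blocks: the redundant component."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("blocks must be the same length")
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def write_stripe(data_blocks):
    """Return one stripe as stored across N+1 disks: N data blocks plus
    one parity block (the RAID-5 idea, parity position fixed for brevity)."""
    return list(data_blocks) + [parity_block(data_blocks)]

def reconstruct(stripe, failed_index):
    """Rebuild the block on the failed disk from the surviving disks.
    XOR is its own inverse, so this works whether the failed disk held
    data or parity."""
    survivors = [blk for i, blk in enumerate(stripe) if i != failed_index]
    return parity_block(survivors)

def rebuild_stripe(stripe, failed_index):
    """Simulate the array replacing the failed disk and rebuilding it."""
    rebuilt = list(stripe)
    rebuilt[failed_index] = reconstruct(stripe, failed_index)
    return rebuilt

def recoverable(failed_indices, parity_disks=1):
    """Single-parity arrays tolerate one failed disk per stripe; a second
    concurrent failure loses the stripe. This is the gap behind the audit
    question of whether the RAID level is adequate for the business risk."""
    return len(set(failed_indices)) <= parity_disks

# Constructed sample data blocks (three "data disks" of one stripe).
SAMPLE = [b"LEDGER01", b"PAYROLL2", b"INVOICE3"]
```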

TESTING OPERATING SYSTEM CONTROLS

Audit Objectives and Procedures Relating to Access Privileges

Audit Objective: To learn whether access is consistently allowed or prohibited in a manner consistent with segregation
of duties and in accordance with organizational policy.

Audit Procedures:

• Review operating system policies.
• Review user group privileges.
• Review personnel records for signed commitments to maintain data confidentiality.
• Review the log-on times and log-on purposes of authorized users.

Audit Objective and Procedures Relating to Password Policies

Audit Objective: Passwords should effectively restrict access to the operating system.

Audit Procedures:

• Verify that all users have passwords and have been instructed on how to use passwords.
• Verify that password standard length and expiration policies exist.
• Verify that procedures exist to identify weak passwords.
• Verify that an account lockout policy and procedures exist.
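Added example, not from the handout: the log-on lock-out described under operating system security, together with checks for the password-policy audit procedures above (policies present, every account has a password, weak passwords identified, expired passwords flagged). The thresholds, the weak-password list and the sample accounts are constructed assumptions.

```python
from datetime import date, timedelta
import hashlib

MAX_ATTEMPTS = 3     # assumed: lock out after three wrong passwords
MIN_LENGTH = 8       # assumed policy minimum length
MAX_AGE_DAYS = 90    # assumed policy expiration period
WEAK_LIST = {"password", "12345678", "welcome1", "letmein1"}  # constructed

def _digest(pw):
    # Demonstration only: a real system stores a salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()

class LogonController:
    """Log-on procedure with lock-out after MAX_ATTEMPTS wrong passwords."""
    def __init__(self, credentials):
        self.credentials = credentials            # user -> digest
        self.failures = {u: 0 for u in credentials}
        self.locked = set()

    def logon(self, user, password):
        if user not in self.credentials:
            return "denied"                       # same answer as a wrong
        if user in self.locked:                   # password, so valid user
            return "locked"                       # names cannot be probed
        if _digest(password) == self.credentials[user]:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked.add(user)                 # even the right password
            return "locked"                       # is refused until reset
        return "denied"

def policy_gaps(settings):
    """Audit check: do length, expiration and lockout policies exist?"""
    gaps = []
    if settings.get("min_length", 0) < MIN_LENGTH:
        gaps.append("minimum length below %d" % MIN_LENGTH)
    if not settings.get("max_age_days"):
        gaps.append("no expiration policy")
    if not settings.get("lockout_threshold"):
        gaps.append("no account lockout policy")
    return gaps

def audit_accounts(accounts, today):
    """Per-account findings: no password, weak (on the known list), expired."""
    weak_digests = {_digest(w) for w in WEAK_LIST}
    findings = {}
    for acct in accounts:
        issues = []
        if acct["digest"] is None:
            issues.append("no password set")
        elif acct["digest"] in weak_digests:
            issues.append("matches a known weak password")
        if today - acct["last_changed"] > timedelta(days=MAX_AGE_DAYS):
            issues.append("expired (older than %d days)" % MAX_AGE_DAYS)
        if issues:
            findings[acct["user"]] = issues
    return findings

# Constructed sample data.
CREDENTIALS = {"alice": _digest("Tr0ub4dor&3x"), "bob": _digest("welcome1")}
ACCOUNTS = [
    {"user": "alice", "digest": CREDENTIALS["alice"], "last_changed": date(2020, 9, 1)},
    {"user": "bob", "digest": CREDENTIALS["bob"], "last_changed": date(2020, 5, 1)},
    {"user": "guest", "digest": None, "last_changed": date(2020, 1, 1)},
]
TODAY = date(2020, 10, 1)
```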

Audit Objective and Procedures Relating to Viruses and Other Destructive Programs

Audit Objective: To determine that effective management policies exist to prevent infection.

Audit Procedures:

• Interview operating system personnel to determine their level of related knowledge.
• Review policies for the use of floppy disks.
• Review policies for periodic scans for viruses with current anti-viral software.
• Review policies for testing new software on stand-alone computers prior to implementation.

Audit Objectives and Procedures Relating to Automated Audit Trails

Audit Objective: To verify that audit trails record activity at the system, application, and user levels, detect
unauthorized access, reconstruct events, and promote personal accountability.

Audit Procedures:

• Verify that the audit manager function of the operating system software has been activated.
• Scan audit logs for unauthorized users, periods of account inactivity, and account over-activity by a
single user, by a workgroup or by a department.
• Review log-on times, session durations, and log-off times.
• Review access to specific files or applications.
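The scanning procedures above, run over constructed event-monitoring log lines as an added example (not from the handout). The log format, the authorized-user list, the restricted-file list, the business-hours window and the over-activity threshold are assumptions made for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime

AUTHORIZED = {"alice", "bob", "carol"}      # from personnel records (assumed)
RESTRICTED = {"gl_master.dat": {"alice"}}   # file -> users allowed (assumed)
BUSINESS_HOURS = (7, 19)                     # log-ons expected 07:00-19:00
MAX_ACCESSES = 5                             # per-user access ceiling per day

# Constructed event log: "date time ACTION user [object]".
LOG = """\
2020-10-01 08:02 LOGON alice
2020-10-01 08:10 ACCESS alice payroll.dat
2020-10-01 08:30 ACCESS alice gl_master.dat
2020-10-01 17:01 LOGOFF alice
2020-10-01 02:14 LOGON mallory
2020-10-01 02:15 ACCESS mallory gl_master.dat
2020-10-01 02:40 LOGOFF mallory
2020-10-01 09:00 LOGON bob
2020-10-01 09:05 ACCESS bob ar_sub.dat
2020-10-01 09:06 ACCESS bob ar_sub.dat
2020-10-01 09:07 ACCESS bob ap_sub.dat
2020-10-01 09:08 ACCESS bob payroll.dat
2020-10-01 09:09 ACCESS bob gl_master.dat
2020-10-01 09:10 ACCESS bob inventory.dat
2020-10-01 18:00 LOGOFF bob
"""

def parse(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
        events.append({"when": when, "action": parts[2], "user": parts[3],
                       "obj": parts[4] if len(parts) > 4 else None})
    return events

def sessions(events):
    """Pair each LOGON with the next LOGOFF of the same user:
    user -> [(logon, logoff, duration)]."""
    open_logon, result = {}, defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGON":
            open_logon[ev["user"]] = ev["when"]
        elif ev["action"] == "LOGOFF" and ev["user"] in open_logon:
            start = open_logon.pop(ev["user"])
            result[ev["user"]].append((start, ev["when"], ev["when"] - start))
    return dict(result)

def review(events):
    """Audit findings as (category, user, detail) tuples."""
    findings = []
    seen = {ev["user"] for ev in events}
    for user in sorted(seen - AUTHORIZED):          # unauthorized users
        findings.append(("unauthorized user", user, "not in personnel records"))
    for user in sorted(AUTHORIZED - seen):          # account inactivity
        findings.append(("inactive account", user, "no activity in period"))
    lo, hi = BUSINESS_HOURS
    for ev in events:
        if ev["action"] == "LOGON" and not lo <= ev["when"].hour < hi:
            findings.append(("off-hours logon", ev["user"], ev["when"].strftime("%H:%M")))
        allowed = RESTRICTED.get(ev["obj"])
        if ev["action"] == "ACCESS" and allowed is not None and ev["user"] not in allowed:
            findings.append(("restricted file access", ev["user"], ev["obj"]))
    counts = Counter(ev["user"] for ev in events if ev["action"] == "ACCESS")
    for user, n in sorted(counts.items()):         # over-activity
        if n > MAX_ACCESSES:
            findings.append(("over-activity", user, "%d file accesses" % n))
    return findings
```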

Audit Objectives and Procedures Relating to Fault Tolerance (hardware failure or program/operator error)

Audit Objective: To ensure that appropriate levels of fault tolerance are utilized.

Audit Procedures:

• Verify the use of redundant arrays of inexpensive disks (RAID).
• Verify whether the level of RAID utilized is adequate for the organization’s business risk.
• Evaluate the potential for a single point of system failure.
• Interview the system administrator to determine recovery procedures.
• Verify that copies of the boot disks exist, are secured, and have highly restricted access.

WEEK 1
LEARNING ACTIVITY 1: Review Questions
Your points will be based on the explanation of your answer. Make it brief, concise and direct to the point. Answer on
one whole sheet of paper and submit it to our FB group page before Thursday. Kindly name the activity on your paper
as LEARNING ACTIVITY 1: REVIEW QUESTIONS.
1. SOX contains many sections. Which sections are the focus of this chapter? (3 pts)
2. COSO identifies two broad groupings of information system controls. What are they? (5 pts)
3. What are the objectives of application controls? (5 pts)
4. Define general controls. (3 pts)
5. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS
environment. Give an example. (10 pts)
6. What are the five control objectives of an operating system? (5 pts)
7. What are the three main tasks that the operating system performs? (5 pts)
8. What are the four techniques that a virus could use to infect a system? (5 pts)
9. What is the relationship between tests of controls and substantive tests? (10 pts)
10. A bank in California has 13 branches spread throughout Northern California, each with its own minicomputer
where its data are stored. Another bank has 10 branches spread throughout California, with the data being stored
in a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? To excessive
losses from disaster? (10 pts)
