IT Knowledge
CA Professional Stage - Knowledge Level, ICAB
Tutor: Mohammad Abdul Matin

Chapter 5: Internal Control in Computer Based Business Systems
Chapter Outline
- Control, IT Internal Control, IT Internal Audit
- Responsibility of Control
- Control Objectives and Techniques
- Control over Acquisition, Implementation and Changes
- Risk Assessment
- Business Continuity Plan
- Overview of ERP
Internal Control
What is Internal Control? The process of ensuring effective administration of a unit by developing processes, policies and standards and monitoring compliance with them. Internal control strives to achieve:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Purpose of Internal Control
- Promote orderly, economical, efficient and effective operations, and produce quality products and services consistent with the organization's mission.
- Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.
- Promote adherence to laws, regulations, contracts and management directives.
- Develop and maintain reliable financial and management data, and present that data accurately in timely reports.
Key Components of Internal Control
1. Control Environment: integrity, ethical values and competence of the organization's people, management philosophy and operating style.
2. Risk Assessment: identifying and analyzing the risks to achieving the organization's objectives.
3. Control Activities: approvals, authorizations, verifications, reconciliations and reviews covering
   - performance of operations
   - security of assets
   - segregation of duties (roles)
4. Information and Communication: identification, capture and exchange of information, and the controls over how it flows, e.g. top-down, bottom-up, workflow.
5. Monitoring: ongoing (regular) monitoring, separate evaluations, or a combination of the two.
Elements of a Good System
- Separation of Duties: to establish accountability and optimize performance as an organization; no single person should be able to initiate, approve and record the same transaction.
- Authorization: to prevent invalid transactions and establish responsibility.
- Documentation: to help achieve accuracy and completeness of transactions, control of assets and review of performance records.
- Reconciliation: to compare records, transactions and activities and confirm their accuracy, completeness and compliance.
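The four elements above, and the audit trail asked about in the exam questions at the end of the chapter, are easiest to see when they are enforced by an application rather than only by policy. The following Python module is an added example, not code from the slides: a small transaction-approval workflow in which the initiator of a transaction can never approve it (separation of duties), only users holding the approver role may approve and only up to their limit (authorization), every action including every denial is written to an append-only audit trail (documentation), and a reconciliation routine compares the ledger against that trail and flags any approved transaction that did not go through the approval path. The users, roles, limits and transactions are constructed for the illustration.

```python
"""Transaction-approval workflow that enforces separation of duties, authorization,
documentation (an audit trail) and reconciliation in code. Added example; users and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, NoReturn, Optional


class ControlError(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    approval_limit: float = 0.0  # authorization: largest amount this user may approve


@dataclass
class Transaction:
    tx_id: str
    initiator: str
    amount: float
    status: str = "pending"
    approver: Optional[str] = None


class Ledger:
    def __init__(self) -> None:
        self.transactions: Dict[str, Transaction] = {}
        self.audit_trail: List[dict] = []  # documentation: append-only record of every action

    def _log(self, actor: str, action: str, tx_id: str, detail: str = "") -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append({"ts": ts, "actor": actor, "action": action, "tx_id": tx_id, "detail": detail})

    def _deny(self, actor: str, action: str, tx_id: str, reason: str) -> NoReturn:
        self._log(actor, "DENIED_" + action, tx_id, reason)  # denials are evidence too
        raise ControlError(f"{action} of {tx_id} by {actor} denied: {reason}")

    def initiate(self, user: User, tx_id: str, amount: float) -> None:
        if "initiator" not in user.roles:
            self._deny(user.name, "INITIATE", tx_id, "missing initiator role")
        if tx_id in self.transactions:
            self._deny(user.name, "INITIATE", tx_id, "duplicate transaction id")
        self.transactions[tx_id] = Transaction(tx_id, user.name, amount)
        self._log(user.name, "INITIATE", tx_id, f"amount={amount}")

    def approve(self, user: User, tx_id: str) -> None:
        tx = self.transactions.get(tx_id)
        if tx is None or tx.status != "pending":
            self._deny(user.name, "APPROVE", tx_id, "unknown or not pending")
        if "approver" not in user.roles:
            self._deny(user.name, "APPROVE", tx_id, "missing approver role")
        if user.name == tx.initiator:  # separation of duties: the initiator never approves own work
            self._deny(user.name, "APPROVE", tx_id, "initiator may not approve own transaction")
        if tx.amount > user.approval_limit:  # authorization limit
            self._deny(user.name, "APPROVE", tx_id, f"amount {tx.amount} exceeds limit {user.approval_limit}")
        tx.status, tx.approver = "approved", user.name
        self._log(user.name, "APPROVE", tx_id)

    def reconcile(self) -> List[str]:
        """Every approved transaction must match one INITIATE and one APPROVE trail entry
        from two different actors; a status changed outside approve() shows up here."""
        discrepancies = []
        for tx in self.transactions.values():
            if tx.status != "approved":
                continue
            actors = {e["action"]: e["actor"] for e in self.audit_trail
                      if e["tx_id"] == tx.tx_id and e["action"] in ("INITIATE", "APPROVE")}
            if (actors.get("INITIATE") != tx.initiator or "APPROVE" not in actors
                    or actors["APPROVE"] != tx.approver or tx.initiator == tx.approver):
                discrepancies.append(tx.tx_id)
        return discrepancies


def attempt(action, *args) -> bool:
    """Run a control-checked action; False means a control blocked it (and logged why)."""
    try:
        action(*args)
        return True
    except ControlError:
        return False


def run_demo() -> dict:
    """Constructed scenario: alice only initiates, bob does both, carol only approves."""
    alice = User("alice", frozenset({"initiator"}))
    bob = User("bob", frozenset({"initiator", "approver"}), approval_limit=5000.0)
    carol = User("carol", frozenset({"approver"}), approval_limit=50000.0)
    ledger, out = Ledger(), {}
    ledger.initiate(alice, "TX-1", 1200.0)
    out["tx1_bob_approves"] = attempt(ledger.approve, bob, "TX-1")       # True: valid two-person approval
    ledger.initiate(bob, "TX-2", 3000.0)
    out["tx2_bob_self_approves"] = attempt(ledger.approve, bob, "TX-2")  # False: separation of duties
    out["tx2_carol_approves"] = attempt(ledger.approve, carol, "TX-2")   # True
    ledger.initiate(alice, "TX-3", 60000.0)
    out["tx3_carol_approves"] = attempt(ledger.approve, carol, "TX-3")   # False: over carol's limit
    out["denials_logged"] = sum(e["action"].startswith("DENIED") for e in ledger.audit_trail)
    out["clean_reconcile"] = ledger.reconcile()                          # []
    ledger.transactions["TX-3"].status = "approved"  # tamper: change the ledger without approve()
    out["tampered_reconcile"] = ledger.reconcile()                       # ["TX-3"]
    return out
```

Note that the denied attempts are logged as well as the successful ones; an audit trail that records only what was allowed cannot show an auditor who tried to bypass a control. The final reconciliation step is what catches the tampered record: the ledger says TX-3 is approved, but the trail holds no APPROVE entry for it.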
Main Types of IT Audit
- Operational Computer/Network Audits: operating system, network, firewall, cryptography, etc.
- IT Installation Audits: security, usage, risks, etc. related to the establishments hosting IT facilities.
- Developing Systems Audits: development procedural controls; sometimes reviews of the project time plan or resource plan.
- IT Management Audits: organization structure, budgeting, strategy, work plans, etc.
- IT Process Audits: processes within IT functions such as backup and restoration, issue resolution, testing, etc.
- Change Management Audits: technical change processes, back-out plans, post-implementation reviews (PIRs), etc.
- Information Security & Control Audits: confidentiality, integrity and availability.
- IT Legal Compliance Audits: copyright, protection of personal data, etc.
- Certification & Other Compliance Audits: ISO certifications, industry-standard certifications for security and/or compliance.
- Disaster Contingency, BCP and IT DR Audits: the approach to risk management in terms of quick and effective recovery/restoration of business-critical services.
- IT Strategy Audits: review and validation of IT strategies and objectives and their alignment with the business vision.
- Special Investigations: investigations of fraud, misappropriation and security breaches; also due diligence on IT asset valuation in the case of M&As.
Exam Questions
- What is control? What are the purposes of internal control?
- Explain the five key components required for effective internal control.
- What is an audit trail? Explain its objectives.
- Describe a Post Implementation Review (PIR).
- Why is information system security important?
- Explain "vulnerability management" and "threat management" in the management of IT security.
- What is a disaster recovery plan? Describe the major areas of a disaster recovery planning document.
Thank You
Next class will continue with Chapter 5