Internal Control and IS Audit

Isa 4


Information Security Assurance


Page 1: Isa 4

Internal Control and IS Audit

Page 2: Isa 4

Control

• “Any input given to a dynamic system to produce a desired output.”

• Here the words “dynamic” and “desired output” are very important.

[Figure: Input → Dynamic System → Desired output]

Page 3: Isa 4

Control

• Dynamism of the system and control requirement
– Static system: control is not required.
– The more dynamic the system, the greater its control requirement.
– Computer system: control is not required if it is not being used for any application or is switched off.
– As complexity increases, the control requirement also rises. This implies that:
• less control is required for a stand-alone system;
• greater control is required for one connected to a network or the Internet.

Page 4: Isa 4

Control

• Knowledge of the dynamism of the system makes control effective
– The predictability of the complexity of a disease has helped in the development of vaccines to prevent and cure it.
– Similarly, in a computer system, control measures operate effectively only if the system's dynamism and complexity are known.

Page 5: Isa 4

Control

• The input should be directed towards achieving the desired output
– If the inputs are not focused on and directed towards specific outputs, the control mechanism will not be successful.
– There is no thumb rule.
– Each input or control measure should be directed towards achieving a specific output.

Page 6: Isa 4

Control

• The output should be evaluated for giving further appropriate input to the system
– Example: automobile driving system
– This example shows how input can be effectively altered on the basis of an evaluation of actual performance in order to achieve the desired output.
– The same is true for a complex computer system.

Page 7: Isa 4

Control

• The output should be evaluated for giving further appropriate input to the system (continued)
– Example: antivirus software is deployed
• It acts as a detective or preventive control, and sometimes as a corrective control.
• The output can be observed by regular scanning.
• When the output is not at the desired level, the system is infected with some viruses.
• Based on this evaluation, patches can be loaded or new anti-virus software deployed.

Page 8: Isa 4

Internal Control

• Basic purpose:
– Business objectives are achieved
– Undesired risk events are prevented, or detected and corrected

• How this can be achieved:
– By designing an effective internal control framework, which comprises
• Policies, procedures, practices, and organizational structure that give reasonable assurance that the business objectives will be achieved
• Discrete activities and supporting processes
• Either manual or automated

Page 9: Isa 4

Internal Control

• Manual or automated process
• Implementation of internal control differs between the two, but the essence remains the same.
• It is not solely a procedure or policy performed at a certain point in time.
• Rather, it is an ongoing activity, based on
– Risk assessment of the organization

• The role of the auditor is very important in evaluating the strength of the control.

Page 10: Isa 4

Internal Control

• Elements of control
– Nature of controls
• Preventive or detective
• Manual or programmed

– Preventive control
• Those inputs designed to protect the organization from unlawful activities
• The broad characteristics of preventive controls are:
– A clear-cut understanding of the vulnerabilities of the asset
– Understanding the probable threats
– Provision of the necessary controls to keep probable threats from materializing

Page 11: Isa 4

Internal Control

• Some examples of preventive controls, and how the same control is implemented in different environments:
– Employ qualified personnel
– Access control
– Vaccination against diseases
– Prescribing the appropriate book for a course
– Authorization of transactions
– Firewalls
– Anti-virus software
– Passwords

Page 12: Isa 4

Internal Controls

Purpose: Restrict unauthorized entry into the premises
– Manual control: Build a gate and post a security guard
– Computerized control: Use access control software, smart cards, biometrics

Purpose: Restrict unauthorized entry into a software application
– Manual control: Keep the computer in a secured location and allow only authorized persons to use the applications
– Computerized control: Use access control, viz. user ID, password, smart card

Page 13: Isa 4

Detective Control

• Detect and report the occurrence of an error, omission, or malicious act in the IS

• Main characteristics are as follows:
– A clear understanding of lawful activities, so that anything which deviates from them is reported as unlawful, malicious, etc.
– An established mechanism to refer the reported unlawful activities to the appropriate person or group
– Interaction with preventive controls to prevent such acts from occurring

Page 14: Isa 4

Detective Control

• Examples of Detective Controls

– Surprise checks by supervisor
– Check points in production jobs
– Error messages over tape labels
– Duplicate checking of calculations
– Periodic performance reporting with variances
– Past-due accounts report
– The internal audit function
– Intrusion detection system
– Cash counts and bank reconciliation
– Monitoring expenditure against budgeted amounts

Page 15: Isa 4

Corrective Controls

• Corrective controls are very important.
• Prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.

• Main characteristics are:
– Minimize the impact of the threat
– Identify the cause of the problem
– Remedy problems discovered by detective controls
– Get feedback from detective and preventive controls
– Modify the processing system to minimize future occurrence of the problem

Page 16: Isa 4

Compensatory Control

• The cost of the lock should not be more than the cost of the asset it protects.

Page 17: Isa 4

Corrective Control

• Examples of corrective controls
– Contingency planning
– Backup procedure
– Treatment procedures for a disease
– Change the input value to an application system
– Investigate budget variances and report violations
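The slides on pages 10 to 17 describe preventive, detective and corrective controls as a feedback loop: the output is evaluated and the evaluation becomes new input. The following is an added example (not from the original deck) that puts all three around the "user ID, password" computerized control from page 12: authentication is the preventive control, counting and reporting failed logins is the detective control, and locking the account after a threshold is the corrective control. The user record, the salt and the lockout threshold of 3 are constructed values for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # assumed policy value, not from the deck


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user id -> (salt, PBKDF2 digest). Hypothetical user.
_SALT = b"constructed-salt-value"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


class AccessControl:
    """Preventive control (page 12): only authenticated, unlocked users get in."""

    def __init__(self):
        self.failures = defaultdict(int)  # detective: failed attempts per user
        self.locked = set()               # corrective: accounts disabled after abuse
        self.reports = []                 # detective output, referred to the auditor

    def login(self, user: str, password: str) -> bool:
        if user in self.locked:
            return False                  # corrective control already applied
        rec = USERS.get(user)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        if ok:
            self.failures[user] = 0       # desired output: reset the counter
            return True
        # Detective control: the deviation from lawful activity is recorded and reported.
        self.failures[user] += 1
        self.reports.append(f"failed login for {user} (#{self.failures[user]})")
        # Corrective control: the evaluation feeds back as new input (lock the account).
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            self.reports.append(f"account {user} locked after {LOCKOUT_THRESHOLD} failures")
        return False


def run_sample():
    """Constructed attempt sequence: three bad passwords, then the right one too late."""
    ac = AccessControl()
    attempts = [("alice", "wrong1"), ("alice", "wrong2"),
                ("alice", "wrong3"), ("alice", "correct horse")]
    results = [ac.login(u, p) for u, p in attempts]
    return results, ac.reports, sorted(ac.locked)
```

The last attempt is rejected even though the password is correct, which is the corrective control taking precedence over the preventive one; the report list is what an auditor would examine to evaluate the strength of the control.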

Page 20: Isa 4

CISCO Security – Monitoring Analysis & Response System
