is audit and internal controls

IS Audit and

Internal Controls BHARATH RAO

CA

Professional

Audit

• Audit

• Tax

• Company Matters

• Legal Complicances

• Accounts

• Statutory Audit

• Internal Audit

• Tax Audit (44AB, VAT etc)

• Special Audits

10/19/2013 blog.bharathraob.com

2

More work more pay

• IS Audit

• Design of Access, Process Controls

• Implementation of ERP

• Implementation of GRC

• Forensic Audit

• Legal Compliances and Frameworks for IT Governance: • Sarbanes - Oxley Act 2002 – Section 302 and 404

• Companies Act 2013 – Section 134 and 143

• ISO 27001

• ISO 27002

• ISO 27031

• COBIT 5/COSO Framework


3

Terms

Risk


4

Internal Controls

It means policies framed by the management in order to have stronger and adequate control within the organization, which can be checked by the internal or stat auditor in order to ensure that the goals and objectives are duly met.


5

Components of Internal

Controls

Control Environment

Risk Assessment

Control Activities

Information and

Communication Monitoring


6

Formula of Internal

Control

General Controls

IS Controls

Internal Controls


7

IS Controls

IS Controls

Application Controls

IT General Controls


8

Objective of IS Controls

Maintaining Confidentiality

Preserving Integrity

Ensuring Availability


9

Applications Controls

Application software is the software that processes business transactions.

The application software could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP.

Controls, which relate to the business applications thereby leading to judicial use of the application and are enforced through the application itself to the end user.


10

Examples of Applications

• General Ledger

• Fixed Assets

• Inventory Control

• Sales

• Manufacturing Resource Planning (MRP)

• Human Resources

• And, everyone’s favorite – Payroll…


11

Types of Application

Controls

Input Controls

Data Checks

and Validation

s

Processing Controls

Duplicate Checks,

File Identificati

ons and validations

Output Controls

Update Authorizat

ion

Integrity Controls

Data Encryption, Input

Validation

Management Trail

Snapshots, Time

Stamps


12

General Controls

ITGCs may also be referred to as General Computer Controls which are defined as: Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications.

These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.


13

Areas of IT General

controls

Physical Access Data Center IS Security

SDLC and Change

Management (CM)

Logical Controls Backup and Recovery

End User Computing


14

The IS audit

Checking the Documentation of Policies, Processes

Understanding the solutions that are present other than

business applications and

their role

Reviewing Logs that are generated

by applications

Testing and gathering of evidences based on Sampling

• Screen shots, Photos, Email Conversations, Scans


15

RCM – Risk control matrix

• Link


16

Sample RCM.xlsx

Sampling

Suggested Sample Size

Nature of Control Frequency of Performance Number of Items to Test per

Annual Number of Items to Test per

Quarter

Manual General Controls Many times per day 25 6-7

Manual General Controls Daily 20 5

Manual General Controls Weekly 10 2-3

Manual General Controls Monthly 3 1

Manual General Controls Quarterly 2 0-1

Manual General Controls Annually 1

Programmed General Controls Test one instance of each programmed control activity.


17

18 Thank you

• BHARATH RAO B

• +91 96113 19421 | [email protected]

• www.bharathraob.com

blog.bharathraob.com

/bharathraob


mailto:[email protected]

http://www.bharathraob.com/

http://blog.bharathraob.com/

is audit and internal controls

Documents