Chapter 9 Control, security and audit
Qiang Jiang, School of Business, Sichuan University, China
jiang.qiang@outlook.com

Topic list
1 Internal control systems
2 Internal control environment and procedures
3 Internal audit and internal control
4 External audit
5 IT systems security and safety
6 Building controls into an information system
1 Internal control systems
• Internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.
• Historically, the development of internal control in the UK has been closely tied to corporate governance research. In particular, the Cadbury Report (1992), the Hampel Report (Rutterman Report, 1994) and the Turnbull Report (1999), which served as guidance on the Combined Code, are regarded as the three major milestones in the history of UK corporate governance and internal control.
1 Internal control systems
• Turnbull Report guideline: a sound system of internal control should
  • Facilitate the company's effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives
  • Ensure the quality of internal and external reporting
  • Ensure compliance with applicable laws and regulations, and with internal policies with respect to the conduct of business
1 Internal control systems
• Framework for internal control
  • Control environment
  • Control procedures
• Turnbull Report highlights
  • Information and communication processes
  • Processes for monitoring the continuing effectiveness of the system
2 Internal control environment and procedures
• Control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity.
• Control procedures are those policies and procedures, in addition to the control environment, which are established to achieve the entity's specific objectives.
2 Internal control environment and procedures
• Aims of internal checks
  • Segregate tasks
  • Create and preserve the records
  • Break down routine procedures into separate steps
  • Reduce the possibility of fraud and error
2 Internal control environment and procedures
• Classification of control procedures
  • Administration
  • Accounting
  • Prevent
  • Detect
  • Correct
2 Internal control environment and procedures
• Types of financial control procedure
  • Administration
  • Segregation of duties
  • Physical
  • Authorisation and approval
  • Management
  • Supervision
  • Organisation
  • Arithmetical and accounting
  • Personnel
2 Internal control environment and procedures
• Characteristics of a good internal control system
  • A clearly defined organisation structure
  • Adequate internal checks
  • Acknowledgement of work done
  • Protective devices for physical security
  • Formal documents should acknowledge the transfer of responsibility for goods
  • Pre-review
  • Clearly defined system for authorising transactions within specified spending limits
  • Post-review
  • Authorisation, custody and re-ordering procedures
  • Personnel
  • Internal audit
2 Internal control environment and procedures
• Limitations on the effectiveness of internal controls
  • Segregation of duties can be circumvented by collusion
  • Authorisation controls can be abused
  • Management can often override the controls
3 Internal audit and internal control
• Internal audit is an independent appraisal activity established within an organisation as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls; the investigative techniques developed are applied to the analysis of the effectiveness of all parts of an entity's operations and management.
• Internal audit is part of the internal control system
3 Internal audit and internal control
• The need for internal audit depends on (Turnbull Report):
  • The scale, diversity and complexity of the company's activities
  • Number of employees
  • Cost-benefit considerations
  • Changes in organisational structures, reporting processes or underlying information systems
  • Changes in key risks
  • Problems with internal control systems
  • Increased number of unexplained or unacceptable events
3 Internal audit and internal control
• Objectives of internal audit
  • Review of the accounting and internal control systems
  • Examination of financial and operating information
  • Review of the economy, efficiency and effectiveness of operations
  • Review of compliance with laws, regulations and other external requirements, and with internal policies, directives and other requirements
  • Review of the safeguarding of assets
  • Review of the implementation of corporate objectives
  • Identification of significant business and financial risks, monitoring the organisation's overall risk management policy and the risk management strategies
  • Special investigations into particular areas
3 Internal audit and internal control
• Internal audit will assess:
  • Adequacy of the risk management and response processes
  • Risk management and control culture
  • Internal controls in operation to limit risks
  • Operation and effectiveness of the risk management processes
3 Internal audit and internal control
• The features of internal audit
  • Independence
  • Appraisal
3 Internal audit and internal control
• Types of audit
  • Operational audit: concerned with any sphere of a company's activities
  • Systems audit: testing and evaluation of the internal controls
    • Compliance tests
    • Substantive tests
  • Transactions audit
  • Social audit
  • Management investigations
3 Internal audit and internal control
• Accountability
  • The auditor needs access to all parts of the organisation
  • The auditor should be free to comment on the performance of management
  • The auditor's report needs to be actioned at the highest level
3 Internal audit and internal control
• Independence
  • Responsibility structure
  • Mandatory authority
  • Auditor's own approach
4 External audit
• External audit is a periodic examination of the books of account and records of an entity, carried out by an independent third party (the auditor), to ensure that they have been properly maintained, are accurate, comply with established concepts, principles, accounting standards and legal requirements, and give a true and fair view of the financial state of the entity.
4 External audit
• Differences between internal and external audit
  • Reason
  • Reporting to
  • Relating to
  • Relationship with the company
4 External audit
• Relationship between external and internal audit
  • Periodic meetings to plan the overall audit
  • Periodic meetings to discuss matters of mutual interest
  • Mutual access to audit programmes and working papers
  • Exchange of audit reports and management letters
  • Common development of audit techniques, methods and terminology
4 External audit
• Assessment criteria by external auditors
  • Organisational status
  • Scope of function
  • Technical competence
  • Due professional care
5 IT systems security and safety
• Security, in information management terms, means the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
5 IT systems security and safety
• Aspects of security
  • Prevention
  • Detection
  • Deterrence
  • Recovery procedures
  • Correction procedures
  • Threat avoidance
5 IT systems security and safety
• Physical threats
  • Fire
  • Water
  • Weather
  • Lightning
  • Terrorist activity
  • Accidental damage
5 IT systems security and safety
• Physical access controls
  • Personnel
  • Door locks
    • Lock types: keypad system, card entry system
  • Intruder alarms
6 Building controls into an information system
• Security can be defined as the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services.
6 Building controls into an information system
• Risks to data
  • Human error
    • Processing the wrong files
  • Technical error
  • Natural disasters
  • Deliberate actions
    • Commercial espionage
    • Malicious damage
    • Industrial action
6 Building controls into an information system
• Integrity controls
  • Data integrity
  • Systems integrity
6 Building controls into an information system
• Input controls
• Processing controls
• Output controls
• Back-up controls
• Archiving
• Passwords and logical access systems
• Administrative controls
• Audit trail
• Systems integrity with a PC
• Systems integrity with a LAN
• Systems integrity with a WAN
6 Building controls into an information system
• Contingency controls
• A contingency is an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures.