CAT / FIA FBT Syllabus C. Accounting And Reporting Systems, Controls - Security of IT Systems & Software - Notes 4 / 6
GENERAL AND APPLICATION SYSTEMS CONTROLS IN BUSINESS
Different books identify different categories of control activities.
One possibility is:
Authorisation
Comparison
Computer controls
Arithmetical controls (including pre-lists, post-lists and control totals)
Maintaining a trial balance and control accounts
Accounting reconciliations
Physical controls.
(Use the mnemonic ACCA MAP to remember these categories.)
Monitoring of controls is a process to assess the quality of internal control performance over time.
It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
Compliance failures may arise because of a lack of staff motivation or through poor training and supervision.
Alternative analysis of internal controls
Preventive controls
These are controls that prevent risks occurring.
For example, authorisation controls should prevent fraudulent or erroneous transactions taking place.
Other preventive controls include segregation of duties, recruiting and training the right staff and having an effective control culture.
Detective controls
These are controls that detect if any problems have occurred.
They are designed to pick up errors that have not been prevented.
These could be exception reports that reveal that controls have been circumvented (for example, large amounts paid without being authorised).
Other examples could include reconciliations, supervision and internal checks.
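As an added illustration (not part of the original notes), here are two of the controls just described implemented in Python: an arithmetical control that reconciles a batch against its pre-list control totals, and a detective exception report listing large payments with no recorded authorisation. All payment data, the pre-list figures and the authorisation threshold are constructed for the example.

```python
# Added example (not from the original notes). A batch of payments is
# reconciled against the pre-list control totals (an arithmetical control),
# and an exception report lists any payment at or above an authorisation
# threshold that carries no authoriser (a detective control).
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Payment:
    ref: str
    amount: Decimal
    authorised_by: Optional[str]  # None = no authorisation recorded


# Pre-list control totals recorded by the originating department before
# input (constructed): number of items and total value expected in the batch.
PRELIST = {"count": 4, "total": Decimal("16250.00")}

# Constructed batch as received by the payments system.
BATCH = [
    Payment("P001", Decimal("1200.00"), "j.smith"),
    Payment("P002", Decimal("9800.00"), None),   # large and unauthorised
    Payment("P003", Decimal("250.00"), None),    # small, below the threshold
    Payment("P004", Decimal("5000.00"), "a.jones"),
]

# Assumed policy limit above which a named authoriser is required.
AUTH_THRESHOLD = Decimal("5000.00")


def reconcile_control_totals(batch, prelist):
    """Compare post-list count and value with the pre-list; return discrepancies."""
    issues = []
    if len(batch) != prelist["count"]:
        issues.append(f"item count {len(batch)} != pre-list {prelist['count']}")
    total = sum((p.amount for p in batch), Decimal("0"))
    if total != prelist["total"]:
        issues.append(f"value total {total} != pre-list {prelist['total']}")
    return issues


def exception_report(batch, threshold=AUTH_THRESHOLD):
    """Return refs of payments at or above the threshold with no authoriser."""
    return [p.ref for p in batch
            if p.amount >= threshold and p.authorised_by is None]
```

Running the two checks on the constructed batch reconciles cleanly against the pre-list but flags P002, which is exactly the "large amount paid without being authorised" case an exception report exists to surface.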
Corrective controls
These are controls that address any problems that have occurred.
Basically, corrective controls are aimed at restoring the system to its expected state.
Having backup configuration files or hard drive images that can be reloaded to restore the state are both good examples.
So where problems are identified, the controls ensure that they are properly rectified.
Clearly the most powerful type of control is preventive.
It is more effective to have a control that stops problems occurring rather than to detect or correct them once they have occurred.
There is always a possibility that it is too late to sort out the problem.
Classification | Details |
discretionary | controls which are subject to human discretion |
non-discretionary | controls automatically provided by the system that cannot be overridden, e.g. the use of passwords |
voluntary | controls chosen by the organization to support management |
mandated | controls required by law and imposed by external authorities |
manual | controls with a one-to-one relationship between the processing functions and the human functions that carry them out |
automated | programmed procedures designed to prevent, detect and correct errors all the way through processing |
Types of Audit
Internal audit is a management control, as it is a tool used to ensure that other internal controls are working satisfactorily.
Different types of audit can be distinguished:
Operational audit
– concerned with overall management performance, including the outputs of the system and the efficiency of the organization.
Systems audit
– based on testing and evaluating the internal controls, including compliance tests to check that controls are applied as they should be, and substantive tests used to discover errors and omissions.
Transaction audit
Social audit
Management investigations.