
IS Audit and Internal Controls

Date post: 22-Jan-2015
Upload: bharath-rao
Description:
Information Systems Audit is now an emerging field for Chartered Accountants and other auditing professionals. This presentation briefly describes the relation between Internal Controls and IS Audit. It is a basic presentation for understanding the concept of IS Audit, meant for those who are new to the field. Please send in your valuable suggestions and comments to [email protected]
Transcript
Page 1: IS Audit and Internal Controls

IS Audit and Internal Controls

BHARATH RAO

Page 2: IS Audit and Internal Controls

blog.bharathraob.com

CA Professional

• Audit
• Tax
• Company Matters
• Legal Compliances
• Accounts

Audit

• Statutory Audit
• Internal Audit
• Tax Audit (44AB, VAT etc)
• Special Audits

10/19/2013

Page 3: IS Audit and Internal Controls


More work more pay

• IS Audit
• Design of Access, Process Controls
• Implementation of ERP
• Implementation of GRC
• Forensic Audit
• Legal Compliances and Frameworks for IT Governance:
  • Sarbanes-Oxley Act 2002 – Section 302 and 404
  • Companies Act 2013 – Section 134 and 143
  • ISO 27001
  • ISO 27002
  • ISO 27031
  • COBIT 5/COSO Framework

Page 4: IS Audit and Internal Controls

Terms

Control

• Design
• Operation

Risk

Process

Page 5: IS Audit and Internal Controls

Internal Controls

Internal controls are the policies framed by management to establish strong and adequate control within the organization, which the internal or statutory auditor can check to ensure that goals and objectives are duly met.

Page 6: IS Audit and Internal Controls

Components of Internal Controls

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

Page 7: IS Audit and Internal Controls

Formula of Internal Control

General Controls

IS Controls

Internal Controls

Page 8: IS Audit and Internal Controls

IS Controls

Application Controls

IT General Controls

Page 9: IS Audit and Internal Controls

Objective of IS Controls

Maintaining Confidentiality

Preserving Integrity

Ensuring Availability

Page 10: IS Audit and Internal Controls

Application Controls

Application software is the software that processes business transactions.

The application software could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP.

Application controls are controls that relate to the business applications, lead to judicious use of the application, and are enforced on the end user through the application itself.

Page 11: IS Audit and Internal Controls

Examples of Applications

• General Ledger
• Fixed Assets
• Inventory Control
• Sales
• Manufacturing Resource Planning (MRP)
• Human Resources
• And, everyone’s favorite – Payroll…

Page 12: IS Audit and Internal Controls

Types of Application Controls

• Input Controls: Data Checks and Validations
• Processing Controls: Duplicate Checks, File Identifications and Validations
• Output Controls: Update Authorization
• Integrity Controls: Data Encryption, Input Validation
• Management Trail: Snapshots, Time Stamps

Page 13: IS Audit and Internal Controls

General Controls

ITGCs may also be referred to as General Computer Controls which are defined as: Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications.

These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.

Page 14: IS Audit and Internal Controls

Areas of IT General controls

• Physical Access
• Data Center
• IS Security
• SDLC and Change Management (CM)
• Logical Controls
• Backup and Recovery
• End User Computing

Page 15: IS Audit and Internal Controls

The IS audit

• Checking the documentation of policies and processes
• Understanding the solutions that are present other than business applications, and their role
• Reviewing logs that are generated by applications
• Testing and gathering of evidence based on sampling
  • Screen shots, Photos, Email Conversations, Scans

Page 16: IS Audit and Internal Controls

RCM – Risk control matrix

• Link

Page 17: IS Audit and Internal Controls

Sampling

Suggested Sample Size

| Nature of Control | Frequency of Performance | Number of Items to Test per Year | Number of Items to Test per Quarter |
| Manual General Controls | Many times per day | 25 | 6-7 |
| Manual General Controls | Daily | 20 | 5 |
| Manual General Controls | Weekly | 10 | 2-3 |
| Manual General Controls | Monthly | 3 | 1 |
| Manual General Controls | Quarterly | 2 | 0-1 |
| Manual General Controls | Annually | 1 | |

Programmed General Controls: Test one instance of each programmed control activity.

Page 18: IS Audit and Internal Controls

Thank you

• BHARATH RAO B
• +91 96113 19421 | [email protected]
• www.bharathraob.com
• blog.bharathraob.com
• /bharathraob
