Audit Controls
Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). 

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes.

If the mitigation of risk is the central focus of Information Security, controls are the primary tools to achieve this goal. A control is any device or process that is used to reduce risk. Keep in mind that our goal as managers of Information Security and operational risk is not to eliminate all risk for the business.
Perfection is unachievable, since operational risk stems from the frailties of human nature and acts of god, neither of which can be completely controlled. Instead, our goal in designing and implementing controls is to reach a balance between an acceptable level of risk for the business (minimizing losses) and an acceptable level of expense (minimizing the resources necessary to manage those risks). For this reason, not all processes or tasks require the same level of controls to mitigate the risk to an acceptable level.

The risk from a process failure may be so slight, or the controls on other components within the process may already provide adequate protection, that no additional controls are necessary. Conversely, some controls are required regardless of the risk, such as those imposed by regulatory requirements. Since each business has limited resources, controls ideally should be limited to those mandated by policy, law or regulation, or to those where the risk of loss is greater than the cost of the control. If the cost to the business from a failed control is minimal or non-existent, you should consider whether the control is necessary at all.

The other aspect to consider is whether the control is efficient and effective. Consider the need to protect check stock. To prevent internal fraud, the business might implement a control that all checks require dual signature, but that control will not prevent an employee from forging one or both of the signatures. To prevent forgery, the checks could be locked in a secure cabinet; however, that will not prevent an authorized signatory with a key from removing a check, signing it and forging the other signature.
A solution would be to use a cabinet that requires two keys for access, combined with a process requiring the authorized signatories to sign the checks in the presence of one another. Alternative solutions would be to use an armed guard to protect the checks on a 24x7 basis, to train all employees in ethical behavior, or to implement technology that replaces all check payments with electronic transfers.
 
As can be seen in this example, there are a multitude of potential controls that could be used. Assuming that the risk from a forged check is significant, it is clear that a simple locked cabinet or ethics training alone are not effective controls. Conversely, the risk is typically not significant enough to warrant the expense involved with an armed guard.

Types of Controls

In terms of taxonomy, there are three commonly accepted forms of controls:
  • Administrative - These are the laws, regulations, policies, practices and guidelines that govern the overall requirements and controls for an Information Security or other operational risk program. For example, a law or regulation may require merchants and financial institutions to protect and implement controls for customer account data to prevent identity theft. The business, in order to comply with the law or regulation, may adopt policies and procedures laying out the internal requirements for protecting this data; those requirements are themselves a form of control.
  • Logical - These are the virtual, application and technical controls (systems and software), such as firewalls, antivirus software, encryption and maker/checker application routines.
  • Physical - Whereas a firewall provides a "logical" key to obtain access to a network, a "physical" key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities.
All three of these elements are critical to the creation of an effective control environment. However, these elements do not provide clear guidance on measuring the degree to which the controls mitigate the risk.
 
Instead, the Simple Risk Model utilizes an alternative set of elements that provide a better means of weighting the level of mitigation:
  • Preventive - These are controls that prevent the loss or harm from occurring. For example, a control that enforces segregation of responsibilities (one person can submit a payment request, but a second person must authorize it) minimizes the chance that an employee can issue fraudulent payments.
  • Detective - These controls monitor activity to identify instances where practices or procedures were not followed. For example, a business might reconcile the general ledger or review payment request audit logs to identify fraudulent payments.
  • Corrective - Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered the payment data.
Of the three types of controls, preventive controls are clearly the best, since they minimize the possibility of loss by preventing the event from occurring. Corrective controls are next in line, since they minimize the impact of the loss by restoring the system to the point before the event. However, the restoration procedure may itself result in some degree of loss, since it may lead to the unavailability of systems and applications along with possible lost productivity, customer dissatisfaction, etc. The least effective form of control, but the one most frequently used, is detective controls: identifying events after they have happened. Depending on how soon the detective control is invoked after an event, a business may uncover a loss long after there is any opportunity to limit the amount of damages.

In the Proof of Concept application, the control is weighted by whether it is a preventive, detective or corrective control. One other valuable distinction to be made with controls is whether they are manual or automated. A business can implement manual controls to minimize the chance of fraudulent payments, such as requiring an administrator and a manager to manually sign the applicable paperwork to indicate that the transaction was authorized and approved. As an alternative, the business could automate these controls by introducing a computer program with logical access, segregation of duties and maker/checker controls.
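The automated maker/checker control and the audit-log review described above, as an added Python illustration (not code from the article or the Proof of Concept application). The approver set, user names and payment records are constructed for the example; the preventive control is the `approve` check, and `reconcile` is the detective control that reviews the stored records after the fact.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PaymentRequest:
    payment_id: str
    amount: float
    payee: str
    maker: str                      # who submitted the request
    checker: Optional[str] = None   # who approved it, if anyone
    status: str = "pending"

class PaymentSystem:
    def __init__(self, approvers):
        self.approvers = set(approvers)   # logical access: users allowed to approve
        self.requests = {}
        self.audit_log = []               # every action is recorded for later review

    def _log(self, action, user, payment_id):
        self.audit_log.append({"action": action, "user": user, "payment_id": payment_id})

    def submit(self, payment_id, amount, payee, maker):
        self.requests[payment_id] = PaymentRequest(payment_id, amount, payee, maker)
        self._log("submit", maker, payment_id)

    def approve(self, payment_id, checker):
        req = self.requests[payment_id]
        # Preventive control: only an authorised approver who is not the maker may approve.
        if checker not in self.approvers or checker == req.maker:
            self._log("approve_denied", checker, payment_id)
            raise PermissionError(f"{checker} may not approve {payment_id}")
        req.checker, req.status = checker, "approved"
        self._log("approve", checker, payment_id)

def reconcile(system):
    """Detective control: find approved payments that violate segregation of duties,
    e.g. because someone altered the payment data directly instead of via approve()."""
    return [r.payment_id for r in system.requests.values()
            if r.status == "approved"
            and (r.checker is None or r.checker == r.maker or r.checker not in system.approvers)]

def demo():
    s = PaymentSystem(approvers={"bob", "carol"})          # constructed sample data
    s.submit("P1", 1200.0, "ACME Ltd", maker="alice")
    s.approve("P1", checker="bob")                          # allowed: authorised, different person
    s.submit("P2", 50.0, "ACME Ltd", maker="bob")
    try:
        s.approve("P2", checker="bob")                      # blocked: maker == checker
    except PermissionError:
        pass
    # Simulated improper alteration of the stored record, bypassing the application check.
    s.requests["P2"].status, s.requests["P2"].checker = "approved", "bob"
    return s, reconcile(s)                                  # reconcile flags ["P2"]
```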

The Author: Ala'a Elbeheri