Internal Control and IS Audit
Control 
• “Any input given to a dynamic system to produce a desired output.” 
• Here the words dynamic and desired output are very important. 
[Figure: Input -> Dynamic System -> Desired output]
Control 
• Dynamism of the System and Control Requirement 
– Static system – control is not required 
– The more dynamic the system, the greater its control requirement 
– Computer system – no control is required if it is not being used for any application or is switched off 
– As complexity increases, the control requirement also rises 
– This implies that 
• Less control is required for a stand-alone system 
• More control is required for one that is connected to a network or the Internet
Control 
• Knowledge of the Dynamism of the System Makes Control Effective 
– Being able to predict the complexity of a disease has helped in the development of vaccines to prevent and cure it 
– Similarly, in a computer system, control measures operate effectively only if the dynamism and complexity of the system are known.
Control 
• The Input Should be Directed towards Achieving the Desired Output 
– If the inputs are not focused and directed towards specific outputs, the control mechanism will not be successful. 
– There is no rule of thumb 
– Each input or control measure should be directed towards achieving a specific output.
Control 
• The Output Should be Evaluated for Giving Further Appropriate Input to the System 
– Example: Automobile driving system 
– This example shows how the input can be effectively altered on the basis of an evaluation of actual performance in order to achieve the desired output. 
– The same is true for a complex computer system.
Control 
• The Output Should be Evaluated for Giving Further Appropriate Input to the System 
– Example: Automobile driving system, as on the previous slide 
– A second example of input being altered on the basis of evaluated output: anti-virus software is deployed 
• It acts as a detective or preventive control, and sometimes as a corrective control 
• The output can be observed by regular scanning 
• When the output is not at the desired level, the system is infected with some virus 
• Based on this evaluation, patches can be loaded or new anti-virus software deployed
Internal Control 
• Basic purpose: 
– Business objectives are achieved 
– Undesired risk events are prevented, or detected and corrected 
• How this can be achieved 
– By designing an effective internal control framework, which comprises 
• Policies, procedures, practices, and an organizational structure that give reasonable assurance that the business objectives will be achieved 
• Discrete activities and supporting processes 
• Either manual or automated
Internal Control 
• Manual or automated process 
• The implementation of internal control differs between the two, but the essence remains the same 
• It is not solely a procedure or policy performed at a certain point in time 
• Rather, it is an ongoing activity, based on 
– The risk assessment of the organization 
• The role of the auditor is very important in evaluating the strength of the control
Internal Control 
• Elements of Control 
– Nature of controls 
• Preventive or Detective 
• Manual or Programmed 
– Preventive Control 
• Those inputs designed to protect the organization from unlawful activities 
• The broad characteristics of preventive controls are: 
– A clear-cut understanding of the vulnerabilities of the asset 
– Understanding the probable threats 
– Provision of the necessary controls to stop probable threats from materializing
Internal Control 
• Some examples of preventive controls, and how the same control is implemented in different environments: 
– Employ qualified personnel 
– Access control 
– Vaccination against diseases 
– Prescribing an appropriate book for a course 
– Authorization of transactions 
– Firewalls 
– Anti-virus software 
– Passwords
Internal Controls 
Purpose                                            | Manual Control                                                                                        | Computerized Control 
Restrict unauthorized entry into the premises      | Build a gate and post a security guard                                                                | Use access control software, smart card, biometrics 
Restrict unauthorized entry into a software application | Keep the computer in a secured location and allow only authorized persons to use the applications | Use access control, viz. user ID, password, smart card
Detective Control 
• Detect and report the occurrence of an error, omission, or malicious act in the IS 
• Main characteristics are as follows: 
– A clear understanding of lawful activities, so that anything which deviates from these is reported as unlawful, malicious, etc. 
– An established mechanism to refer the reported unlawful activities to the appropriate person or group 
– Interaction with preventive controls to prevent such acts from occurring again
Detective Control 
• Examples of Detective Controls 
– Surprise checks by a supervisor 
– Checkpoints in production jobs 
– Error messages over tape labels 
– Duplicate checking of calculations 
– Periodic performance reporting with variances 
– Past-due accounts report 
– The internal audit function 
– Intrusion detection system 
– Cash counts and bank reconciliation 
– Monitoring expenditure against the budgeted amount
Corrective Controls 
• Are very important 
• Prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place. 
• Main characteristics are: 
– Minimize the impact of the threat 
– Identify the cause of the problem 
– Remedy problems discovered by detective controls 
– Get feedback from detective and preventive controls 
– Modify the processing system to minimize future occurrences of the problem
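The detective-control characteristics above (a baseline of lawful activity, deviation reporting, referral to an owner) and the corrective characteristic of feeding findings back into the preventive control can be shown together in a small script. This is an added illustration, not code from the slides; the log format, role names and referral owners are all assumed.

```python
"""Detective control whose findings are fed back into a preventive control.

Added illustration (not from the original slides): constructed audit-log
lines are checked against a baseline of lawful activity; each deviation is
reported and referred to a named owner, then fed back into a preventive
block list so the same act is stopped next time. All names are assumed.
"""
from dataclasses import dataclass, field

# Baseline of lawful activity: which role may perform which action (assumed).
LAWFUL_ACTIONS = {
    "clerk": {"read_invoice", "create_invoice"},
    "manager": {"read_invoice", "create_invoice", "approve_invoice"},
    "dba": {"read_invoice", "export_table"},
}
# Referral mechanism: who receives a report about each kind of act (assumed).
REFERRAL = {"approve_invoice": "finance-controller", "export_table": "security-team"}


@dataclass
class Controls:
    blocked: set = field(default_factory=set)    # preventive control state
    reports: list = field(default_factory=list)  # detective control output


def parse_line(line):
    # Constructed format: "<timestamp> user=<u> role=<r> action=<a>"
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["user"], fields["role"], fields["action"]


def detect_and_correct(log_lines, controls):
    """Report acts outside the lawful baseline, refer them to an owner, and
    modify the preventive block list so the act is blocked in future."""
    for line in log_lines:
        user, role, action = parse_line(line)
        if (user, action) in controls.blocked:        # preventive control fired
            controls.reports.append(("blocked", user, action, "preventive"))
            continue
        if action in LAWFUL_ACTIONS.get(role, set()):
            continue                                   # lawful: nothing to report
        owner = REFERRAL.get(action, "is-audit")       # default referral owner
        controls.reports.append(("deviation", user, action, owner))
        controls.blocked.add((user, action))           # corrective feedback
    return controls.reports


SAMPLE_LOG = [  # constructed sample lines
    "2024-01-01T09:00:00 user=ann role=clerk action=create_invoice",
    "2024-01-01T09:05:00 user=ann role=clerk action=approve_invoice",
    "2024-01-01T09:06:00 user=bob role=dba action=drop_table",
    "2024-01-01T09:07:00 user=ann role=clerk action=approve_invoice",
]

if __name__ == "__main__":
    for report in detect_and_correct(SAMPLE_LOG, Controls()):
        print(report)
```

The second `approve_invoice` by the clerk is stopped by the block list the first deviation created, which is the feedback loop between detective, corrective and preventive controls described on the slides.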
Compensatory Control 
• The cost of the lock should not be more than the cost of 
the asset it protects.
Corrective Control 
• Examples of Corrective Controls 
– Contingency planning 
– Backup procedures 
– Treatment procedures for a disease 
– Changing an input value to an application system 
– Investigating budget variances and reporting violations
Cisco Security – Monitoring, Analysis & Response System