Page 105 - CITP Review

spreadsheet. It also represents a significant IR related to fraud, because it is fairly easy for the end user
            to manipulate the data in the spreadsheet offline from the primary accounting information system (AIS).

            These risks, including the Excel and EUC risks, can usually be mitigated sufficiently, but the IR of these
            issues can be, and usually is, relatively high.

            It could also be that either the entity or a third party has written middleware to transfer data from one
            computerized system to another — an automated transfer process. Although this type of transfer is
            generally considered relatively high IR as a process, it is the lowest of the three because the data is
            transferred without human intervention and because the receiving system is an automated one — not a
            tool like an Excel spreadsheet or Access database.




            IT control frameworks


            The use of frameworks in understanding, managing, and evaluating controls is generally seen as
            beneficial. One benefit is that a framework standardizes the approach to controls across time, business
            units, or clients. Using the same framework helps to provide consistency.
            In this section, several frameworks are presented to provide a tool for the CITP and to illustrate some of
            the IT-related concerns, potentially beneficial activities, and effective evaluation methods. Each one takes
            a slightly different perspective of controls.

             •  The COSO framework is a management perspective of controls and, more or less, a comprehensive
                view.
             •  The COBIT framework is IT process-focused and is known for its practical application in performing
                evaluations of internal controls.
             •  The systems model looks at controls from a data processing, or information systems, view.
             •  The Preventive-Detective-Corrective (P-D-C) framework looks at controls from the perspective of an
                undesirable event, in chronological order.

            Each framework makes its own contribution to the evaluation and proper operations of internal controls,
            and can work jointly with one or more of the others. In fact, it is fairly common to see COBIT used to
            evaluate controls (that is, used to design and perform the IT audit procedures), and then the results
            mapped to COSO (for example, for reporting purposes) — this joint use appears to be somewhat
            common for public companies and SOX section 404 compliance. The same kind of joint use and
            mapping could be done with the other frameworks as well.



            COSO
            The Committee of Sponsoring Organizations (COSO) developed an integrated framework of internal
            controls between about 1985 and 1992. This model provides a way to view controls, specifically a
            management view of controls. COSO provides the following definition of internal control:







            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-21