Information Technology Audit Process - Evaluation of Internal Controls

Evaluation of Internal Controls

COSO defines internal control as “a process, influenced by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance in the effectiveness and efficiency of operations, reliability of financial reporting, and the compliance of applicable laws and regulations”. The auditor evaluates the organization’s control structure by understanding its five interrelated control components:

  1. Control Environment: Provides the foundation for the other components. Encompasses such factors as management’s philosophy and operating style.
  2. Risk Assessment: Consists of risk identification and analysis.
  3. Control Activities: Consists of the policies and procedures that ensure employees carry out management’s directions. Types of control activities an organization must implement are preventative controls (controls intended to stop an error from occurring), detective controls (controls intended to detect if an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).
  4. Information and Communication: Ensures the organization obtains pertinent information, and then communicates it throughout the organization.
  5. Monitoring: Reviewing the output generated by control activities and conducting special evaluations.

In addition to understanding the organization’s control components, the auditor must also evaluate the organization’s General and Application controls. There are three audit risk components: control risk, detection risk, and inherent risk.
