A COMPARISON OF INTERNAL CONTROLS, WITH SPECIFIC REFERENCE TO COBIT, SAC, COSO, AND SAS 55/78. by SUZANNE STEYN

Transcription

1 A COMPARISON OF INTERNAL CONTROLS, WITH SPECIFIC REFERENCE TO COBIT, SAC, COSO, AND SAS 55/78 by SUZANNE STEYN SHORT DISSERTATION SUBMITTED FOR THE PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF COMMERCE in COMPUTER AUDITING in the FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES at the RAND AFRIKAANS UNIVERSITY STUDY LEADER: PROF. A. DU TOIT NOVEMBER 1997

2 CONTENTS CHAPTER PAGE LIST OF ACRONYMS AND ABBREVIATIONS OPSOMMING IN AFRIKAANS SYNOPSIS II VIII INTRODUCTION 1 A SUMMARY OF SAS55178, COBIT, COSO AND SAC 14 A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC 28 AN INTEGRATED REFERENCE FRAMEWORK 72 FOR INTERNAL CONTROL CONCLUSION 89 BIBLIOGRAPHY 92

3 LIST OF ACRONYMS AND ABBREVIATIONS AICPA - COBIT - IC IT American Control - Internal - Information Institute of Certified Public Accountants Objectives for Information and related Technology Control Technology COSO - Committee of Sponsoring Organizations of the Treadway Commission SAC SAS - SDLCM - ISACF - - Systems Statement System Information Auditability and Control on Auditing Standards Development Life Cycle Methodology System Audit and Control Foundation

4 'N VERGELYKING VAN INTERNE BEHEERMAATREELS MET SPESIFIEKE VERWYSING NA COBIT, SAC, COSO EN SAS 55/78 deur SUZANNE STEYN OPSOMMING VAN DIE SKRIPSIE INGEDIEN VIR DIE GRAAD MAGISTER COMMERCII in REKENAAROUDITERING in die FAKULTEIT EKONOMIESE EN BESTUURSWETENSKAPPE aan die RANDSE AFRIKAANSE UNIVERSITEIT STUDIELEIER: PROF. A. DU TOIT NOVEMBER 1997 II

5 Die doel met die opsomming is om die agtergrond, metodiek en gevolgtrekking, van die navorsing oor die vergelyking van interne beheermaatreels, met spesifieke verwysing na CobiT, COSO, SAC en SAS55/78, weer te gee. Hierdie opsomming word onder die volgende hoofde uiteengesit: PROBLEEMOMSKRYWING EN DOEL MET HIERDIE NAVORSING NAVORSINGMETODIEK EN BEPERKINGS RESULTATE GEVOLGTREKKING 1. PROBLEEMOMSKRYWING EN DOEL MET HIERDIE NAVORSING Oor die afgelope jare het 'n groot behoefte aan 'n verwysingsraamwerk vir interne beheer en sekuritiet in 'n rekenaaromgewing ontstaan. Hierdie behoefte het onstaan nadat die Nasionale Kommissie van Bedrieglike Finansiele Verslagdoening bevind het dat die mees algemene redes vir die ineenstorting van sakeondernemings the swak verslagdoening is the, maar swak etiek, korrupsie by topbestuur, swak kommunikasie en onbekwaamheid. `n Balans moet gevind word tussen koste en risikobeheer in 'n rekenaaromgewing. Dit is duidefilc dat daar 'n behoefte bestaan vir 'n raamwerk vir algemeen aanvaarbare rekenaarsekuriteit- en beheerpraktyke. Bestuur kan sodandige raamwerk as 'n hulpmiddel gebruik waarteen hulle hul bestaande of 'n beplande nuwe rekenaarbeheeromgewing kan meet. Die raamwerk kan aan gebruikers die versekering gee dat daar voldoende sekuriteit en beheer bestaan, terwyl ouditeure die raamwerk kan gebruik om hul ouditmening te stag Verskeie organisasies het al onderneem om, die behoefte aan 'n algemeen aanvaarde raamwerk, op te los. Elk van hierdie organisasies het egter 'n ander idee van hoe so 'n raamwerk daar moet uitsien, wat verwarring veroorsaak. ITSEC, TCSEC, IS9 en COSO stel elk 'n ander evaluasiemetode voor, met die gevolg dat die implementering van goeie interne rekenaarbeheer in die wiele gery word. Ten einde die verwarring uit die weg te probeer ruim, het spesialiste van dwarsoor die w'ereld deelgeneem in 'n intensiewe navorsingspoging om 'n internasionale raamwerk te ontwikkel wat die standaarde van 18 primere bronne harmoniseer. Die resultaat van hierdie poging is III

6 CobiT. Vier ander gepubliseerde dokumente was ook die resultaat van voortgesette pogings om 'n verbeterde interne beheeromgewing te definieer. Die Institute of Internal Auditors Research Foundation het 'n dokument genaamd SAC ontwikkel. So ook het die Committee of Sponsoring Organisations of the Treadway Commission 'n geintegreerde raamwerk gepubliseer wat hulle COSO genoem het, terwyl die American Institute of Certified Public Auditors twee dokumente gepubliseer het naamlik SAS55 en SAS78. CobiT, COSO, SAC en SAS55/78 fokus elk op 'n ander faset van interne beheer, aangesien elk 'n ander groep professionele mense aanspreek. Die doel van hierdie skripsie, is om te bepaal of CobiT die ander dokumente kan vervang, aangesien dit koste oneffektief sou wees om 'n addisionele raamwerk te ontwikkel as 'n bestaande dokument reeds die behoefte aan 'n algemeen aanvaarbare dokument bevredig. CobiT word vergelyk met elk van die ander dokumente ten einde te bepaal of CobiT inderdaad 'n oplossing bied vir al die interne beheerprobleme wat tans deur ouditeursfirmas en ander organisasies ervaar word. Deur die vier dokumente te vergelyk, en insette uit ander ander dokumente te gebruik, is 'n matriks ontwikkel wat as raamwerk gebruik kan word vir die keuse van interne beheermaatreels. 2. NAVORSINGSMETODIEK EN BEPERKINGS Die skripsie fokus op die vergelyking van van interne beheermaatreels. Alhoewel daar verskeie dokumente bestaan wat interne beheer behandel, is daar slegs op die volgende vyf dokumente gekonsentreer: CobiT The Information Systems Audit and Control Foundation; SAC The Institute of Internal Auditors Research Foundation; COSO The Committee of Sponsoring Organisation of the Treadway Commission; SAS55 The American Institute of Certified Public Accountants; en SAS78 The American Institute of Certified Public Accountants. IV

7 Metodiek 'n Literatuurstudie van bestaande gesaghebbende literatuur oor interne beheerraamwerke is uitgevoer. 'n Matriks is uit die bestaande raamwerke ontwikkel, wat as hulpmiddel dien om die mees toepaslike raamwerk te kies. Nadat al die inligting verkry is, is 'n vergelyking getref tussen die inteme beheermaatreels wat deur CobiT en die ander dokumente gepropageer word. 'n Gevolgtrekking is gemaak dat CobiT inderdaad die beste raamwerk uit 'n ouditeursoogpunt is om te gebruik. Ten einde die studieveld of te baken en sodoende 'n betekenisvolle studie te kon doen, is die volgende uitgesluit: Alle dokumente, gesprekke, raamwerke, riglyne, kodes, praktyk benaderings oor interne beheer, met die uitsondering van die volgende wat wel ingesluit is: CobiT The Information Systems Audit and Control Foundation; SAC The Institute of Internal Auditors Research Foundation; COSO The Committee of Sponsoring Organisations of the Treadway Commission; en SAS55/78 The American Institute of Certified Public Accountants; COSO se rapportering aan eksteme partye; SAC modules Module 11: Toekomstige tegnologie; Module 12: Die meester indeks; Module 13: Gevorderde tegnologie aanhangsel; en CobiT: die raamwerk en uitvoerende opsomming.

8 3. RESULTATE EN GEVOLGTRE1UUNGS 1-lierdie skripsie bled 'n opsomming van elk van die vier dokumente ten einde elke dokument beter te kan verstaan. Die dokumente word vergelyk en prosedures word vasgestel om dit moontlik te maak om tussen tussen die vier raamwerke te kies. Die prosedures word in 'n matriks saamgevat waarin die dokumente teen mekaar opgeweeg word na gelang van die fokuspunt wat vooropgestel word. Die studie verloop soos volg: 3.1 'n Opsonuning van elk van die vier raamwerke; 3.2 'n Vergelykking van die vier dokumente; en 3.3 Die resultate van die vergelyking en die ontwikkeling van die matriks. 3.1 'n Opsonuning van elk van die vier dokumente `n Opsomming word van elk van die vier dokumente gemaak ten einde lesers van die nodige inligting te voorsien om dit vir hulle moontlik te maak om die vergelyking van die dokumente ten voile te begryp en om verskille tussen die dokumente te identifiseer. 3.2 'n Vergelyking van die vier dokumente Die rede vir die vergelyking word vasgestel en eksteme ouditeure se behoeftes word ontleed ten einde te bepaal wafter fokuspunte vir hulle van belang sal wees. Ongeveer dertig fokuspunte word geidentifiseer vir vergelyking. Die dertig fokuspunte word in tabelformaat uiteengesit en die vier dokumente word vervolgens aan die hand van elke fokuspunt ontleed. Op die manier word die sterk en swak punte van elke dokument geldentifiseer. In sekere gevalle beklemtoon al vier dokumente verskillende aspekte met betrekking tot 'n spesifieke fokuspunt, wat nogtans almal ewe belangrik is. In so geval sal 'n kombinasie van die vier dokumente die ideale beheermaatreel vorm. In ander gevalle skenk slegs twee van die vier dokumente aandag aan 'n spesifieke fokuspunt, wat dus as 'n swakpunt geidentifiseer word in die twee dokumente wat die betrokke fokuspunt buite rekening hat. VI

9 3.3 Die resultate van die vergelyking en die ontwikkeling van die matriks. Die dertig fokuspunte word in vyftien groepe ingedeel en die resultate van die vergelyking bespreek. Uit die vergelyking was dit maklik om te bepaal watter dokument elk van die fokuspunte die beste adresseer. 'n Matriks word ontwikkel wat aandui wafter dokument om te gebruik met water fokuspunt in gedagte. Uit die matriks is vasgestel dat CobiT 25 van die dertig fokuspunte aanspreek, SAC 15, COSO 12 en SAS GEVOLGTREKKING Alhoewel daar gevalle sal wees waar een van die ander dokumente beter standaarde sal stel vir interne beheer, wil dit voorkom of CobiT die ander tot 'n groot mate kan vervang. Die ander dokumente se sterkpunte is soos volg: Geen ander dokument beskryf die ouditproses beter as SAS nie. SAC identifiseer sekere gevallestudies, en bespreek dan interne beheer aan die hand van hierdie gevallestudies. Indien een van hierdie gevallestudies spesifiek op 'n organisasie van toepassing is, sal geen dokument die beheermaatreels beter bespreek as SAC the. COSO is 'n waardevolle hulpmiddel vir persone sonder enige agtergrond in interne beheer, deurdat dit hulle van noodsaaklike evaluasiehulpmiddels voorsien. Hierdie skipsie bied dus 'n voorbeeld van hoe om 'n keuse uit te oefen tussen die verskillende raamwerke vir 'n spesifieke organisasie. Die matriks probeer geensins om rigiede reels neer te le wat noodwendig gevolg moet word om 'n keuse oor 'n gepaste raamwerk uit te oefen the. Dit is slegs 'n hulpmiddel wat deur 'n ouditeur gebruik kan word om 'n besluit te neem oor die mees gepaste 'n raamwerk vir 'n gegewe organisasie. VII

10 SYNOPSIS I. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS SHORT DISSERTATION Internal control has come under the attention of many organizations, and each has its own views on the most appropriate framework and evaluation methods to be adopted for specific purposes. As a result of the confusion arising from the different evaluation methods that are in vogue, the implementation of good information technology controls is hampered. Experts from around the world have participated in exhaustive research to develop an internationally acceptable tool that harmonizes standards. Their work has culminated in the development of CobiT. SAC, COSO, SAS 55 and SAS78 were also the result of continuing efforts to define, assess, report on and improve internal control, but each of these documents addresses a different audience, and therefore focuses on different aspects of internal control, and may even completely disregard some areas which may be of crucial importance to other users. It has been suggested that CobiT can replace COSO, SAC, and SAS 55/78, and there is a need to determine whether this is indeed the case. This short dissertation attempts to answer this question, while also putting in place a matrix to aid auditors in deciding which framework to use for a given application. 2. RESEARCH METHODOLOGY A literature survey has been done on existing authoritative text books and other literature, such as material available on the Internet. The information obtained in the literature survey established a sound basis for a comparison of CobiT, COSO, SAC and SAS55/78, and the construction of a decisionmaking matrix. VIII

11 3. SCOPE AND LIMITATIONS This short dissertation focuses on the comparison of internal controls. Although different documents deal with this topic, this project focuses on five authoritative source documents recently released by well-known institutions: CobiT SAC COSO SAS55 SAS78 - The Information Systems Audit and Control Foundation; - The Institute of Internal Auditors Research Foundation; - The Committee of Sponsoring Organizations of the Treadway Commission; - The American Institute of Certified Public Accountants; and - The American Institute of Certified Public Accountants. The following exclusions apply to this short dissertation: All documents, discussions, frameworks, guidelines, and codes of practice dealing with internal controls, and all approaches to the subject, except: CobiT, SAC, COSO, SAS55/78; COSO Reporting to External Parties ; SAC modules 11-13; and CobiT. Framework Executive Summary. 4. RESULTS AND CONCLUSION In summary, this research has provided a basis for understanding each of the five source documents, as well as a procedure for deciding which framework to use for a given purpose. A summary of each document was made to establish a basis for the identification of the differences between the documents, after which thirty focus points were identified. The five source documents were compared with reference to each focus point. From the comparison it was easy to determine the strengths and weaknesses of each document. Finally, a matrix was constructed indicating which document to use for each focus point. It IX

12 was also determined that CobiT dealt effectively with twenty-five of the focus points, while SAC dealt with fifteen, COSO with twelve, and SAS with thirteen. From these results one could conclude that CobiT can indeed replace the other documents as a universal framework for internal control. 5. CONCLUSION The research merely sought to provided an example of how to decide which framework to use for a specific organization or purpose. No effort has been made to establish a rigid set of rules to follow in all cases in order to decide on a framework. Nevertheless, the author believes that this study can assist auditors in deciding on the most appropriate framework and methodology to adopt for a given purpose, and will provide them with arguments to convince management of the soundness of their decision.

13 CHAPTER 1 INTRODUCTION CONTENTS PAGE 1.1. BACKGROUND Internal control A comparison of a few control concepts PROBLEM DESCRIPTION OBJECTIVE OF THIS RESEARCH SCOPE, LIMITATIONS AND EXCLUSIONS The predefined environment Limitations/exclusions DEFINITIONS AND METHODOLOGY Definitions Methodology RESEARCH APPROACH SUMMARY OF RESULTS CONCLUSION 12 1

14 1.1 BACKGROUND Internal Control For many companies and organisations the documents SAC, COSO, SAS55/78 and CobiT set the standards for internal control. The problem is that these documents were all developed by different bodies who were concerned with providing them with frameworks and evaluation methods for internal control appropriate to the needs of their own audiences. It is therefore unavoith. le that some discrepancies and disparities may exist between these documents, although they all deal with essentially the same aspects of internal control. The four documents define internal control as follows: SAC: A set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of specific objectives which has to be translated into measurable goals. COSO: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations; Reliability of financial reporting; and Compliance with applicable laws and regulations. SAS78: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Reliability of financial reporting; Effectiveness and efficiency of operations; and Compliance with applicable laws and regulations. 2

15 CobiT: The policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. From the definitions one can conclude that SAC views internal control as a system (a set of functions and people and their interrelationship). It identifies people as an integral part of the internal control system. SAC also states that objectives should be translated into measurable goals. Although COSO also accentuates internal control as a process that is an integrated part of business activities, it notes that the people involved are members of the board of directors, management or other entity personnel. COSO places objectives into three categories called operational, financial reporting, and compliance. The SAS definition is exactly the same as the COSO definition, but it emphasises the importance of reliable financial reporting, while COSO shifts the emphasis to effectiveness and efficiency of operations. The CobiT definition emphasises the importance of internal control as a process that includes organisational structures, policies, practices and procedures that support business processes. It classifies people as a primary resource that is managed by various information technology processes. CobiT also states that processes support operational objectives, that these processes are in turn supported by information through IT resources, and that business requirements for that information are only satisfied through adequate control measures. From the definitions one can conclude that all four documents are familiar with the concept of reasonable assurance in relation to internal control and acknowledge the concept of cost/benefit, and that they are equally conscious of the negative result that could flow from not implementing all controls effectively A comparison of a few control concepts The easiest way to identify the strengths and weaknesses of each of these documents is to compare them. This is proved by Table

16 Table 1.1 Comparison of Control Concepts (Colbert & Bowen, 1996: 26). ti Primary Audience CobiT SAC COSO SAS's 55/78 Management, users, information system auditors IC viewed as a Set of processes including policies, procedures, practices, and organizational structures. IC Objectives organizational Components or Domains Focus IC Effectiveness Evaluated Responsibility for IC system Size Effective & efficient operations Confidentiality, Integrity and availability of information. Reliable financial reporting Compliance with laws & regulations Domains: Planning and organization Acquisition and implementation Delivery and support Monitoring Information Technology For a period of time Internal auditors Management Set of processes, subsystems, and people. Effective and efficient operations Reliable financial reporting Compliance with laws & regulations Components: Control Environment Manuals & Automated System Control Procedures Information Technology For a period of time Process Effective and efficient operations Reliable financial reporting Compliance with laws & regulations Components: Control Environment Risk Management Control Activities Information & Communication Monitoring Overall Entity At a point in time External auditors Process Reliable financial reporting Effective and efficient operations Compliance with laws & regulations Components: Control Environment Risk Assessment Control Activities Information &Communication Monitoring Financial Statement For a period of time. Management Management Management Management 187 pages in four documents 1193 pages in 12 modules 353 pages in four volumes 63 pages in two documents From this comparison in table 1.1 it is clear that SAC offers assistance to internal auditors on the control and audit of IT, while COSO tells management how to evaluate, report, and improve control systems. SAS55 and SAS78 guide external auditors on the impact of internal control on planning and performing an audit of an organisation's financial statements. CobiT is a tool for business process owners to discharge their computer control responsibilities 4

17 (Colbert & Bowen, 1996:26) PROBLEM DESCRIPTION Introduction In the past few years, it has become evident to lawmakers, regulators, users of IT and service providers that there is a need for a reference framework for security and control in an information technology (IT) environment. This became evident when the National Commission on Fraudulent Financial Reporting (Treadway) revealed that the most common causes of breakdown were not poor record keeping but bad ethics, corruption at the top, incompetence and poor communication (ISACF, 1996: 12). Management has to find a balance between risk control in an IT environment and the costs involved. They therefore need a framework for generally accepted IT security and control practices to benchmark their existing and planned IT environment. Users of IT services, on the other hand, need to be assured, by the performance of audits, that adequate security and control exist and, last but not least, auditors need a framework to substantiate their opinion on internal control to management (ISACF, 1996). Many organizations have become aware of the need for reliable internal control, but each has its own ideas of the most appropriate framework and evaluation methods to be used. The implementation of good IT controls is hampered by the confusion arising from the different evaluation methods advocated by ITSEC, TCSEC, IS9 and the emerging COSO methodology. To overcome this confusion, experts from around the world have participated in exhaustive research to develop an international tool that harmonizes standards from 18 different primary sources world-wide. These people were instrumental in the development of the Information System Audit and Control Foundation's CobiT. The four other documents with which this dissertation deals were also the result of continuing efforts to define, assess, report on and improve internal control,. They are: 5

18 System Auditability and Control, drafted by the Institute of Internal Auditors Research Foundation; Internal Control-Integrated Framework, drafted by the Committee of Sponsoring Organizations of the Treadway Commission; Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), drafted by the American Institute of Certified Public Accountants; and The latter was amended by Consideration of Internal Control in a Financial Audit: An Amendment to SAS 55 (SAS 78). 1.3 OBJECTIVE OF THIS RESEARCH There exists a need to determine whether CobiT can indeed replace COSO, SAC, and SAS 55/78. In order to prevent the expensive process of reinventing a similar product it is important to subject the CobiT project to a detailed study. CobiT should also be compared with other documents to see if the approach it advocates will indeed resolve all the internal control discrepancies currently experienced by audit firms and other organizations. By comparing the four documents, and drawing on other documents, a matrix will be prepared that will serve as a framework and evaluating method for internal control. 1.4 SCOPE, LIMITATIONS AND EXCLUSIONS The predefined environment This short dissertation focuses on the comparison of internal controls. Although there are many documents that deal with this topic, this project focuses on five documents recently released by well-known institutes, and which have already been referred to above, i.e.: CobiT The Information Systems Audit and Control Foundation; SAC The Institute of Internal Auditors Research Foundation; COSO The Committee of Sponsoring Organizations of the Treadway Commission; SAS55 The American Institute of Certified Public Accountants; and SAS78 The American Institute of Certified Public Accountants. 6

19 1.4.2 Limitations and exclusions Because of the limitations imposed on the length of this dissertation, the study is restricted to the five documents published by the four bodies mentioned above, in other words: CobiT SAC COSO SAS55/78 The Information Systems Audit and Control Foundation; The Institute of Internal Auditors Research Foundation; The Committee of Sponsoring Organizations of the Treadway Commission; and The American Institute of Certified Public Accountants. With the exception of these five documents, no other document, discussions, frameworks, guidelines, or codes of practice were considered. The following documents emanating from these four bodies have also been excluded: COSO Reporting to External Parties (September 1992); SAC modules Module 11: Emerging Technologies (June 1994) - Module 12: Master index (December 1991) - Module 13: Advanced Technology Supplement (June 1994); and CobiT - Framework - Executive Summary. 1.5 DEFINITIONS AND METHODOLOGY Definitions CobiT defines control as: The policies, procedures, practices, and organizational structures, designed to provide reasonable assurance that 7

20 business objectives will be achieved and that undesired events will be prevented or detected and corrected (CobiT, 1996:9). From an auditing perspective, it is necessary to enquire whether there are policies and procedures in place to ensure that an entity will record, process, summarize, and report financial data in a manner consistent with the assertions embodied in its financial statements (SAS55,1988: 4). In a computerized environment data is captured by entering "events", in the form of "messages", onto a data application system which draws on computer technology, facilities and people to deliver information, usually referred to as the system's "service output" (see below for definitions of words in italics). COSO defines control as: Exercising, restraining, or directing influence; power or authority to guide or manage direction, regulation and co-ordination of business activities; and a mechanism used to regulate or guide the operation of a system (COSO, 1992:11). Internal: Existing or situated within the limits or surface of something (for the purposes of this study the "something" is an entity or enterprise) (COSO, 1992:11). Data: Data is defined in its widest sense. It can be external or internal, structured or unstructured, and it can be in the form of text, graphics, sound etc. (CobiT, 1996:9). Application system: The sum of manual and programmed procedures (CobiT, 1996:9). Technology: Computer hardware, operating systems, database management systems, networking, multimedia etc. (CobiT, 1996:9). Facilities: Resources to house and support information systems (CobiT, 1996:9). 8

21 People: Staff skills, awareness and productivity appropriate for the planning, organizing, acquisition, delivery, support and monitoring of information systems and services (CobiT, 1996:9). Certain control objectives should be kept in mind when constructing internal control policies and procedures for a computerized environment. Control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity (CobiT, 1996:9). The control objective should make provision for: COMPLETENESS of input, processing, file-updating and output. ACCURACY of input, processing, file-updating and output. INTEGRITY of data both in a transient (being manipulated) and a static (having been updated) state. AUTHORITYNALIDITY of business processing. CONTINUITY: ensuring that the products is operating, and is capable of continuing to operate in accordance with business practice and management expectations" (Diamianides, 1991:5). CobiT determines that information needs to conform to seven criteria, or business requirements, to satisfy business objectives (CobiT, 1996:9): Effectiveness: Whether the information is pertinent to the business process and is delivered in a timely, correct, consistent and usable manner. Efficiency: Whether the information is being provided by using resources optimally, i.e. in the most productive and economical way. 9

22 Confidentiality: Whether sensitive information is adequately protected from unauthorized disclosure. Integrity: Whether the information is valid and sufficiently accurate and complete to satisfy business values and expectations. Availability: Whether information is available when required by the business process and whether the resources and associated capabilities needed in order to make the information available, are adequately safeguarded. Compliance: Whether the entity is complying with externally imposed business criteria, such as laws, regulations and contractual arrangements to which the business process is subject. Reliability of Information: Whether appropriate information is made available to enable management to operate the entity and exercise its financial and compliance reporting responsibilities Methodology The following methodology has been used: In this chapter, the need for research to compare the internal controls propagated by SAC, COSO, CobiT and SAS55/78 respectively has been established, and it has also been established that there is a need to determine whether any of these is able to satisfy current needs in full, or whether two or more of them may have to be used in concert. In chapter 2 and 3 a comparison will be made between CobiT, SAS 55/78, COSO and SAC with the emphasis on their respective strengths and weaknesses and their appropriateness for the purposes of an auditing firm. Chapter 4 will consists of a framework developed from the research, summarizing the results of the previous chapters. Chapter 5 will conclude the short dissertation, and indicate whether its objectives have been met. 1

23 1.6 RESEARCH APPROACH A literature survey has been undertaken of existing authoritative documents and other background material, as well as discussions with people with technical knowledge, on the SAC, COSO, SAS and CobiT frameworks. With all the information obtained in the literature survey a comparison has been made between the internal controls propagated by CobiT and the internal controls advocated in each of the tidier frameworks. A conclusion was then drawn whether CobiT is the most appropriate framework to adopt by an auditing firm. 1.7 SUMMARY OF RESULTS The main problem identified is the choice to make between four well-known frameworks for internal control. Each of these documents was developed by a different organization with a specific audience in mind, which has resulted in many discrepancies between the four documents. In summary, this research provides a basis for understanding each of these documents, as well as providing a procedure for deciding which framework to use. In chapter 2 each document is summarized in order to provide the reader with background information regarding the documents. The summaries also expand the reader's knowledge regarding internal control, thus preparing readers for the comparison in chapter 3. The summaries establish a basis for the identification of the differences between the documents. In chapter 3 more penetrating reasons for a comparison of the documents are identified. This research focuses on an external auditor's point of view, and thirty points of focus of particular interest to internal auditors are identified from the four documents. These thirty focus points were captured in a table and the four documents were compared with reference to each focus point. This seemed to be the best way to identify the strengths and weaknesses of each document. In some instances all four documents devoted considerable attention to the same focus points, but concentrated on different, though equally important, aspects. In such instances a combination of the documents would have provided one with an ideal framework. 11

24 In other instances, only two of the four documents dealt with a given focus point, and in these instances it seems clear that the documents omitting this particular focus point could be regarded as flawed by the omission. In chapter 4 the thirty points of focus were grouped together into fifteen groups, and the results of the comparison discussed for each group individually. From the comparison it was easy to determine which document provided the best approach to the focus point and a conclusion could thus be reached after each group was discussed. In the conclusion of chapter 4 a matrix is presented indicating which documents to use for which focus points. We conclude that CobiT provides the best approach for 25, SAC for 15, COSO for 12 and SAS for 13 of the focus points. From these results one could conclude that CobiT can indeed replace the other documents in most cases as a basis for internal control. There are indeed still instances where the other documents will set better standards for internal control than CobiT. Because SAS is solely focused on the audit process, none of the other document is better able to explain the audit process than SAS. Because SAC identifies certain scenarios and discusses in detail the internal control procedures that would be appropriate to these scenarios, no other document would be able to explain the control issues better than SAC in cases where one of these scenarios is applicable to a specific organization. COSO, again, is a very helpful document for a person without an audit background because it provides evaluation tools with examples of how to use them. It is therefore not always easy to determine which document to use for a particular purpose. The research therefore merely provides guidelines on how to decide which framework to use for a specific organization. The research in no way attempts to provide a rigid set of rules prescribing which framework to use. Nevertheless, it will almost certainly assist auditors in deciding on an appropriate framework as well as providing them with a rational basis to convince management of the appropriateness of their choice. 1.8 CONCLUSION The objective of this short dissertation has been met; that is to help the auditor to decide which document or combination of documents to use as a guideline for internal control, and to 12

25 determine whether CobiT can indeed replace COSO, SAC and SAS55/78 for most or all purposes. By using the comparison of the four documents in chapter 3, an auditor will be able to determine which document or documents are most suitable for a specific control objective. This will aid auditors in deciding which framework to use for their own work, as well as providing them with sound arguments to convince a client which framework to use for internal control in a given case. By using the matrix developed in chapter 4 auditors can now: Determine which document to use, depending on what their focus point is going to be; Decide which document to recommend to their customers, taking into account the focus points of the customer; and Determine whether CobiT is suitable to replace the other four documents. The matrix and comparison do not attempt to provide auditors with a rigid set of rules to follow when making a decision regarding the documents, but merely set an example of how to make such a decision. It is hoped that this short dissertation will open new fields for academic research in the area of internal control. A specific organization can be identified, focus points for that organization can be determined, and an investigation can then be undertaken into which document will be most suitable for the purposes of the organization being studied. This research focused on an auditor's perspective. Research can also be performed from management's perspective or from the Information System department's perspective. The points of focus were not compared in detail. Academic research can also be performed in more detail on specific points of focus. 13

26 CHAPTER 2 A SUMMARY OF SAS55/78, COBIT, COSO AND SAC CONTENTS PAGE 2.1. OBJECTIVE NATURE OF THE LITERATURE SURVEY SCOPE, LIMITATIONS AND EXCLUSIONS Scope Limitations and exclusions BACKGROUND SUMMARY OF COBIT SUMMARY OF SAS55/ SUMMARY OF SAC SUMMARY OF COSO CONCLUSION 26 14

27 2.1 OBJECTIVE In order to derive maximum benefit from the literature survey, the objectives have been defined to allow comparative analysis of references and to facilitate the analysis of strengths and weaknesses in frameworks for internal control. The objectives for this chapter are to obtain authoritative views on: CobiT; SAS 55/78; SAC; and COSO. 2.2 NATURE OF THE LITERATURE SURVEY To ensure credibility and acceptance of the findings and proposals of this short dissertation, it is essential that the underlying concepts should be based on authoritative views and be generally accepted among business and computer auditing professionals. Theory based on an individual's experience without taking generally accepted professional views into account may be subject to personal bias. Other factors which may introduce bias are the individual's background and the absence of formal research. To avoid these problems, references have been restricted to documents mainly used by auditors and auditing firms and to authoritative frameworks (Lubbe, 1995: 15). The main sources of these documents are: The Institute of Internal Auditors Research Foundation; The Information Systems Audit and Control Foundation; The Committee of Sponsoring Organisations of the Treadway Commission; and The American Institute of Certified Public Accountants. The reasons for choosing these sources are the following: In their publications, they present most of the internationally accepted guidelines and frameworks for internal control. 15

28 The emphasis on auditor-related sources provides more and better background for finding risks relevant to the auditor involved in auditing internal controls. In total, their documented findings represent a properly balanced view of internal controls and frameworks needed to evaluate it in an entity. Each of the documents will be discussed and, where necessary, material drawn from the sources representing the different views on internal control, will also be included. 2.3 SCOPE, LIMITATIONS AND EXCLUSIONS Scope Existing internal control frameworks, or principles governing internal controls, with various focus points had to be surveyed in order to establish a representative framework for internal control. The purpose when examining existing frameworks and documentation was not to attempt to include every possible point of view on internal control, but rat* to identify the basic focus points of internal control about which there was some degree of consensus in the literature. Each of the documents examined deals in some detail with internal control principles, objectives, risks, the control environment, the audit process and the monitoring of internal control, and these issues had to be analysed in greater depth in our main sources. Once the main source documents, CobiT, COSO, SAS55/78 and SAC had been examined, other relevant literature was then surveyed for the absence or presence of any important information on internal control from an auditor's point of view. These points were compared and only the strengths of each document were included in the final representative framework Limitations and Exclusions To achieve the objectives of the literature survey, it was necessary to examine and analyse control frameworks from as many points as view and in as much detail as possible. However, in the context of a short dissertation, the following limitations and exclusions had to be placed on the scope of the literature survey: 16

29 Only issues raised in discussions dealing with non-technical aspects of internal control were included. Sections in the sources which dealt with technical issues, such as telecommunications, business systems, end-user departments, etc. were thus excluded. Because the objectives of the survey require authoritative references, sources of doubtful authority, as well as individual opinions, were ignored. Because this short dissertation is principally concerned with a comparison of SAC, COSO, CobiT and SAS, only comparative information was considered. Certain detailed areas of discussion which were exclusive to particular documents, such as SAC's continuity planning and COSO's reporting to external parties, therefore had to be excluded. A great deal of preparatory work was done to ensure that the short dissertation would be based on sound theory. The limitations and exclusions imposed on the author did not detract from the overall objectives of the study; in fact, they imposed a discipline on the work by narrowing the investigation down to the principal issues which are relevant in a short dissertation of this nature. 2.4 BACKGROUND The source material was briefly surveyed to identify the principles for internal control in as detailed a manner as possible, bearing in mind the objectives of this survey. The idea of comparing the four documents, SAC, COSO, CobiT and SAS 55/78, in order to determine which one provides us with the most generally acceptable framework, was conceived by Janet L. Colbert, and Paul L. Bowen in When the three documents COSO, SAC and CobiT were compared with the auditing guidelines for internal control provided by SAS55/78, a proper link between these documents and audit-related references was found. The objective of these guidance notes in this chapter is to introduce the four documents to a computer auditor and highlight the basic differences between them. It will also assist the computer auditor in making a decision about which model to use, and it contains summaries of CobiT, SAS55/78, SAC and COSO. 17

30 2.5 SUMMARY OF COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY) The design objective of CobiT was that it should: Serve as a framework of generally applicable good practice governing information services security and the control of information technology. Establish a benchmark for management against which they can measure their security and control practices in the information technology environment. Assure users of information technology services that adequate security and control exist to enable auditors to substantiate their opinions on internal control and to advise management on information technology security and control matters. Facilitate the development of clear policy and good practices for information technology control throughout industry world wide (Colbert & Bowen, 1996: 26). The contents of CobiT consists of an Executive Summary, a Framework for Control of Information Technology, a list of Control Objectives, and a set of Audit Guidelines. The audit guidelines and control objectives are referenced back to the framework (Colbert & Bowen, 1996: 26). Like SAS78, CobiT adapted part of its definition of control from COSO. The policies, procedures, practices, and organisational structures are designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected. The rest of CobiT's definition was adapted from that part of SAC's definition which stipulates the desired result or purpose to be achieved by implementing control procedures in a particular information technology activity (Colbert & Bowe; 1996: 26). The CobiT documentation classifies information technology resources as follows: (See Colbert & Bowen, 1996: 26, and paragraph of chapter 1 of this dissertation) Data (numbers, text, dates, graphics and sound); Application systems (a set of manual and programmed procedures); Technology (hardware, operating systems, networking equipment, and the like); 18

31 Facilities (resources used to house and support information systems); and People (individuals' skills and abilities to plan, organise, acquire, deliver, support, and monitor information systems and services). To satisfy business objectives, CobiT also requires that information should conform to the following criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; and Reliability. CobiT combines the principles embedded in existing reference models in the three broad categories of quality, fiduciary responsibility, and security. The quality requirement includes not only quality itself, but also cost and delivery. The fiduciary requirements are drawn from COSO, and include effectiveness and efficiency of operations, reliability of information, and compliance with laws and regulations. Security requirements include confidentiality, integrity and availability. CobiT classifies information technology processes into four domains: Planning and organisation; Acquisition and implementation; Delivery and support; and Monitoring. Planning and organisation: This domain covers strategy and tactics and concerns the identification of the way information technology can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisational as well 19

32 as technological infrastructure must be put in place (CobiT, 1996: 15). Acquisition and implementation: To realize an organization's information technology strategy, information technology solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain (CobiT, 1996: 15). Delivery and support: In this domain one is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. In order to deliver services the necessary support processes must be established. This domain includes the actual processing of data by application systems, often classified under application controls (CobiT, 1996: 15). Monitoring: All information technology processes need to be regularly assessed for quality and compliance with control requirements (CobiT, 1996: 15). CobiT presents a framework of control for business process owners, but the responsibility and authority for business processes is still in the hands of management. CobiT includes definitions of both internal control and information technology control objectives, four domains of processes, 271 control objectives referenced to those 32 processes, and audit guidelines linked to the control objectives (Colbert & Bowen, 1996: 26). Framework: The CobiT framework provides a high-level control statement for certain information technology processes. It also identifies the business need satisfied by the control statement, identifies the information technology resources managed by the processes, states the enabling controls and lists the major applicable control objectives (Colbert & Bowen, 1996: 26). 2.6 SUMMARY OF SAS55/78 SAS55 and SAS78 are statements of auditing standards published by the Auditing Standards Board of AICPA (American Institute of Certified Public Accountants). These documents define internal control, describe its components and provide guidance on the impact of controls when planning and performing financial statement audits (Colbert & Bowen, 2

33 1996: 3). SAS55 and SAS78 include the following: A definition: SAS 78 replaces the definition of the internal control structure in SAS 55 with that of COSO. The only difference between the COSO and SAS definitions is that SAS 78 emphasises the reliability of financial reporting by placing it first in their definition of internal control. A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories (Colbert & Bowen, 1996: 3): Reliability of financial reporting; Effectiveness and efficiency of operations; and Compliance with applicable laws and regulations. SAS55/78 focus primarily on controls that affect the scrutiny of the reliability of an entity's financial reporting. This is proved through discussions on the components, impact and opinion of S AS55/78. Components: SAS78 replaces the three elements of the internal control structure (control environment, the accounting system, and the control procedures) with the five components of the internal control system presented in COSO, i.e. the control environment, risk assessment, control activities, information and communication, and monitoring (Colbert & Bowen, 1996: 3). Impact: SAS 55/78 requires of the external auditor to perform procedures to obtain a sufficient understanding of each of the five components to plan the audit. The auditor should analyse and understand the design of the entity's policies and procedures, and determine whether the design has been put into operation. Because the opinion rendered by auditors refers to financial statements which cover a period of time, external auditors are interested in controls affecting the capture and processing of financial information for the entire period under review, and not just the date on which 21

34 the audit is carried out. External auditors are forced to provide the audit committee with reports on any significant internal control deficiencies that could affect financial reporting (AICPA, 1988: SAS 6). They also have the option to communicate other control matters to the entity, for example proposals to improve certain systems (Colbert & Bowen, 1996: 3). Opinion: The auditor must draft an opinion assessing the extent to which controls aimed at assuring the reliability of account balances, the correct allocation of transactions to income and expenditure categories, and full and proper disclosure of financial statements are exposed to risk. The auditor may assess control risk at the maximum level, which implies that the probability that a material misstatement in the financial statements will not be prevented or detected on a timely basis by an entity's internal control structure is at a maximum. Such an opinion will only be rendered if the auditor believes that policies and procedures are unlikely to be effective or because evaluating their effectiveness would be inefficient. Alternatively, the auditor might decide to perform tests to support a lower assessed level of control risk. The auditor uses the knowledge provided by the understanding of the internal control structure and the assessed level of control risk in determining the nature, timing, and extent of substantive tests for financial statement assertions (AICPA, 1988: SAS 55). 2.7 SUMMARY OF SAC The SAC report defines internal control, describes its components, provides several classifications of controls, defines control objectives and risks, and defines the internal auditor's role. The report provides guidance on using, managing, and protecting information technology resources, and discusses the effects of end-user computing, telecommunications, and emerging technologies on the auditor (Colbert & Bowen, 1996:29). The definition of SAC defines a system of internal control as: a set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals (Colbert & Bowen, 1996:29). The report emphasises the role and impact of computerised information systems on the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to 22

35 build controls into systems in the design phase rather than adding them on after implementation (Colbert & Bowen, 1996: 29). According to the SAC documentation, the system of internal control consists of three components: The control environment; Manual and automated systems; and Control procedures. The control environment is made up of an organisational structure, a control framework, policies and procedures and external influences. The automated system consist of systems and application software. SAC discusses the control risks associated with end-user and departmental system, but neither describes nor defines manual systems. According to the SAC documents, control procedures consist of general, application, and compensating controls (Colbert & Bowe; 1996: 29). SAC provides five classification schemes for internal controls in information systems. Preventive, detective, and corrective; Discretionary and non-discretionary; Voluntary and mandated; Manual and automated; and Application and general controls. These schemes focus on when the control is applied, whether the control can be bypassed, who wanted the control, how the control was implemented, and where in the software the control was implemented (Colbert & Bowen, 1996: 29). Control objectives and risks: SAC describes risks as fraud, errors, business interruptions, and inefficient and ineffective use of resources. Appropriate control objectives seek to reduce these risks and to assure information integrity, security, and compliance. Information integrity is guarded by quality controls governing input, processing, output and software. Security measures include data, physical, and program security controls. Compliance controls ensure 23

36 conformance with laws and regulations, accounting and auditing standards, and internal policies and procedures (Colbert & Bowen, 1996: 29). SAC defines the role of the internal auditor as follows: The responsibilities of internal auditors include ensuring the adequacy of the system of internal control, the reliability of data, and the efficient use of the organisation's resources. They should also be concerned with preventing and detecting fraud, and coordinating activities with external auditors. The integration of auditing and information system skills and an understanding of the impact of information technology on the auditing process are necessary for internal auditors. These professionals now perform financial, operational and information system audits (Colbert & Bowen, 1996: 29). 2.8 Summary of COSO The COSO report also defines internal control, describes its components, and provides criteria against which control systems can be evaluated. The report provides materials that management, auditors, and others can use to evaluate an internal control system. It also offers guidance for public reporting on internal control. The report has two major goals (Colbert & Bowen, 1996: 29): to establish a common definition of internal control that serves many different parties; and to provide a standard against which organisations can assess their control systems and determine how to improve them. The report emphasises that the internal control system is a tool of, but not a substitute for, management and that controls should be built into, rather than built onto, operating activities. The report recommends the evaluating of the effectiveness of internal control as of a point in time and not for a period of time (Colbert & Bowen, 1996: 29). 24

37 According to COSO, the internal control system consists of five interrelated components: Control environment; Risk assessment; Control activities; Information and communication; and Monitoring. The control environment provides the foundation for the other components. It encompasses such factors as management's operating style, philosophy, human resource policies and practices, the integrity and ethical values of employees, the attention and direction of the board of directors, and the organisational structure (Colbert & Bowen, 1996: 29). COSO describes risk assessment as the identification and analysis of risk. Risk identification includes examining the potential risks that could arise from external factors, such as technological developments, competition, and economic changes, and from internal factors such as personnel quality, the nature or the entity's activities, and the characteristics of information system processing. Risk analysis involves estimating the significance of the risk, assessing the likelihood of the risk occurring, and considering how to manage the risk should it occur (Colbert & Bowen, 1996: 29). Control activities consist of the policies and procedures that ensure that employees will carry out management directives. Control activities include reviews of the control system, physical controls, segregation of duties, and information system controls. Information system controls include general and application controls. General controls are those covering access, software, and system development. Application controls are those which prevent errors from entering the system or detect and correct errors present in the system (Colbert & Bowen, 1996: 29). Any entity should obtain pertinent information and communicate it throughout the organisation. The information system identifies, captures, and reports financial and operating information that is useful to control the organisation's activities. Within the organisation, personnel must receive the message that they must understand their roles in the internal control system, take their internal control responsibilities seriously and, if necessary, report 25

38 problems to higher levels of management. Outside the entity, individuals and organisations supplying or receiving goods or services must clearly understand that the entity will not tolerate improper actions (Colbert & Bowen, 1996: 3). By conducting special evaluations and by reviewing the output generated by regular control activities, management can monitor the control system. Regular control activities include comparing physical assets with recorded data, training seminars, and examinations by internal and external auditors. Deficiencies found during regular control activities are usually reported to the supervisor in charge; deficiencies located during special evaluations are normally com unicated to higher levels of the organisation (Colbert & Bowen, 1996: 3), Other concepts included in the COSO report include the limitations inherent in an internal control system and the roles and responsibilities of the parties that affect a system. Limitations include faulty human judgment, misunderstanding of instruction, human errors, management overriding of controls, collusion, and cost versus benefit considerations. The COSO report defines deficiencies as "conditions within an internal control system worthy of attention." Deficiencies should be reported to the person responsible for the activity and to management at least one level above the individual responsible (Colbert & Bowen, 1996: 3). The effectiveness of an internal control system is judged on the basis of how well an entity performs with regard to operations, financial reporting and compliance. 2.9 CONCLUSION One of the objectives of the literature survey is to compare CobiT, COSO, SAC and SAS55/78 with each other. To make it possible to accomplish this objective, it is important to have good background knowledge and a basic understanding of each of the documents. Not all the references to the literature in this dissertation relate directly to the objectives, but they are necessary to enable one to understand the comparison between the documents. Some references are also made in order to explain terms used by the authors. In the writer's opinion, the objectives of the literature survey have been achieved. No further background information regarding documents that have not been specifically excluded, should be further exposed. 26

39 In chapter three, the four basic source documents will be compared in order to emphasise the strengths and weaknesses of each. In chapter four we shall attempt to satisfy the objectives of this short dissertation by drawing on the strengths of all four documents and distilling an ideal reference module, while identifying the document which is most suitable to be used for a wide range of purposes. 27

40 CHAPTER 3 A COMPARISON BETWEEN SAS55/78, COBIT, COSO AND SAC CONTENTS PAGE 3.1 OBJECTIVE SCOPE, LIMITATIONS AND EXCLUSIONS Scope Limitations and exclusions A COMPARISON OF SAS55/78, COBIT, SAC, AND COSO CONCLUSION 71 28

41 3.1 OBJECTIVE The objective of this chapter is to compare the most important features of CobiT, COSO, SAC and SAS55/78 in order to point out the strengths and weaknesses of each document. 3.2 SCOPE, LIMITATIONS AND EXCLUSIONS Scope Existing frameworks for internal control and current internal control structures have had to be surveyed, but it had to be from an external auditor's point of view. The objective of the survey was to decide which framework will be best suited for external auditing purposes and to create a framework for internal control Limitations and exclusions To achieve the objectives of the literature survey, it has been necessary to examine and analyse the internal control frameworks and control structures of CobiT, SAC, COSO and SAS55/78. Consequently the following limitations and exclusions have been placed on the scope of the literature survey: Only issues which deal with the perspective from an external auditor's point of view have been included. Sections in the references which deal with any other party's involvement in the process have this been excluded. SAC module 2, chapter 4 "The Internal Auditor's role" has thus been excluded. A great deal of preparatory work was done to ensure that the short dissertation would be based on sound theory. The limitations and exclusions imposed on the author did not detract from the overall objectives of the study; in fact, they imposed a discipline on the work by narrowing the investigation down to the principal issues which are relevant in a short dissertation of this nature. 3.3 Detailed comparison of CobiT, SAS 55/78, COSO and SAC The comparison between CobiT, COSO, SAC and SAS55/78 is set out in table

42 - - I. g a i g s i ci. CO C -?I,' c- go... c>1' g -c). g h;. 9. a ST g......; ' -..;i g ca.3 g.4 It %E.,,E z..s I' 6 E - ug 4) :1 t g 2 EE... 1 g a 1. -`6' a).-?".ece v-.e " +4 gt. 1.1 'a SI.-4..c fai... C., e Jai ' 1. ng al.--. I' m " o a. o 3 a) E g r.3., ' vj 2 ti. E i -,,,.c o 4E' (8..3.) E. t).. g a, ed.8 g Nb..4-. 'N 2..; -1.),...ota..) g a --'4 2 E.g.c p E a.) ca..;... 'E E 2 it, in ;.'.2 = E-I. -a ca c g -, g E :z c i....., 2 8 e., 7,..12 = = P. a E go S 2 g 15 :E c c'rt 5 ca'. a - T, T.; c 8 t, - ao, '2 3 (;) 8 5. a,...c tc. ej (COSO, 1 992: I) Ta ble 3. 1 The comparison between SAS55/78, CobiT, SAC and COSO per point of focus. SAS 55 and 78

43 Cl 9 O ' ca :1 2 OD CD cd. g c Cl U cr) ri :5 U SAS 55 and 78 ca E Ci.o VQ

44 9 O : cti - g " ci. O t. E a, - t.. co_. al u) a -c Tt. of g a c a - 2 celc id.-, ed Z Cli tn. C." t.2 2 v, - co. ytors E r.,.a" C " -C 1 Q.) gr M te 4 ca Ls a.,,., E a) n " 61) 51 c>. 1 4Z C g E 4 6 Y. sa 1.1..c ' *4 AS 11 c.) p g - 2 :a 4.) - Le a.) 5 E g E 5.1 o -5 g -6 'el C,C, tc ti a (Colbert & Bowen, 1996: 29). U SAS 55 and :a..se Cd 16...c a)..5 g C :I.= of et a.)..) ct..., oa.2;.4 tis g )... z g = bo E..,.., es c a) it 4.. a). E -... T.) a,2 a -, CA (4"i Ggr. Ur 2 1:3.-1 1'1 ij a - CA ". rn <I, cn.1+ d, VI...Sid *a >- td C) d.) -.7 CA 6...a 4.)..W +E; g -.5, se,:c.;.n

45 cn C... vi cti es cri 2 5 = c 4) -6 c 1... E a6 a to C > 1g2 -,1 2 a o2 % = n= -1 2I a i - 3 u g _c cu..c c..),.-:. cn ca...! trs 5, ;4,..- )-- (et en SAS 55 and 78 Control activities are the (AICPA, 1 995: 3)

46 C Information and, ca as. o E -..c..c Ts las 4) ui TA ea o to = a.) p..c -a -4- E u > J' a 8 a E-1 % 1:$.2 as... ta E r, r, - E go 9: s L7' ), E..t..1.) a in - 7 os mi 8 -c F. 2 g 41..c. >-., 'et trosivact, g. ba >, = c _.2 D.'«a cc. 4- cd C..c.c 6 C.Et - a.g C) 5. : 5 't v ( I a.. a, ao. zi. -c. F. :ts 1... ± cd.o>' soficg cr, ca ' (Colbert & Bowen, U Mt% 111:11;:r SAS 55 and 78

47 C C * control system. I-., -c, -2 3 <4., C o 3 o..,_ =.c. cg..c.cn = cs, - E 2 cii '2 >, rj.2..; ---., v-,. 2 _ 1.2 ' I. = 2 4! lig 1! e i o N 1.. c co C _co on -a,.. _. E :7). v, c. 'a ''' - r = S2 5 2-) C C.). En CI `" Ch C >, E 4.) U. C4-. tn to C.) C ra... QS - = al.,?; -5_, " trl 5 a c- z.5 4. (COSO, 1 992: 6). C: 14 :!C 6. rj! c Li t, _ 5 4..a..., -5:6. : or- :3 b. Ea I '2:. P.. og WI i S 16..-P. F,...,.) CO I sr.- " C Ct. Z CA C4.A Cy...., CI)..., 8 [, c a. HI al ci... SAS 55 a nd 78

48 ce >- TD X ,-, (4 X cd c I-. c 1..; au e - 4.,...; g "Cl g C..c.-t,... gg,..,.13 id a g -a 6`),.,_,...r. Ty ' I" 4-I 4-.c - -a 6 as z > 5 (4_, ro 4.) a V o "4 Oa... CU co. o _ co. r., ti 61 t 4..,... ii r-. e 1 iti 7do 42z3 t i..ar) 4-4> 5 F.. 4 '82". rd. P.,9, 8 E.1. 5 F... = g c c (ISACF, 1 996: 8) SAS 55 and 78

49 r- U (COSO, 1 992: 5) U Cin U resources SAS 55 and 78

50 Ct E- :E U SAS 55 and 78

51 O U (Colbert & Bowen, 1996: 26) Top level review. U ct) (Colbert & Bowen, 1996: 26) Integrity of information 1 1 4ath c COI...I [Si c,,i...cli. N O 4.).2 c E e 6. o >, d Q..- `e' 872. g.,-,.5-5 _.c., 'd.k5 le d d Ct tt g "' 2 2.).,, o 1 o g..-, c..) -a - > 8 g I.4, g V E %It. - (1) G.).1., IE E -= cu '5 2 T) E e bb 4". CI th C 3 o g o n e CU> Sb c 731 c a, c ' 4) tiltri A. 7. a. a,... li: te a o n a 1 I I I I E- 1 U rn 1 SAS 55 and 78 with laws and (a (Colbert & Bowen, (AICPA, 1996: 11) :I...o.3 t ti k et 2:.ts o c L. o ba' PI., 4 o c ti., zi C *4..,-, o E t g 1 at EE e. c o.a-43 iu & g re, 42 a ta tj (..) " ci 1;1.... (4, 41/.. g 2: E... -tit -t v..., tl Clo SZI. PC e is t9.s. v..è rel -E 1

52 U Information processing : C TO ii v, it u i 'c. -or. fn vc..c,., 13 cn ce-.).2 ca co = t.., = -6 se co - cd as...:._ i.... o -1 C..= t V g ", 5 Is' ea ui : r> -5,...c 8 u, c ;.,- O... - (4-.f.)., cu co.) O - C.") >. V as : ^ "a 't5 6 I) " V 1- Z) u) a E t2 RE'. a" _ g. 2 > E cr. 1.., CL g ` co re C3 Oc6 a) 7 et i eti C 1- oii lett.- o t -C3 CC. C a X 'CI rs. et 46) &.5 o a.) " 4- in N./ oi -6 % cill = x 4:::,i X u, N..2 es " "R 174 " " col.)..e E.P......A. 4.4 C) 1.) -o iti... a E 3 I-. t.) Ca {5 +4. "i 7 ra. ca. ca u -a - > 2 - al g 5 N TT '- it.1- >1 9., g > ct) et9."' v = bi) 4., "ro Ey "g.2 - o wi a.111 v ti ca tu x -. cl 4- o p ts o fzi cn = t2 E vi.--. grcitatuooitra,,,,, 5 a.) 4.) = I-. c Cej. E 1 = 5. I! "8 >). - u a E oo.2.-,) ) c 6. lal 41 '.47,1 tija 'th' 2 v g 4 C > 2 2 Lei V ezi en Z 2 >1., 15 > sm. ta c.) o., V) ;4 = c4 Ou a. cl) E.9 I.111 cr. :3 U SAS 55 and 78

53 ca I CA...."' - >, al ',_, -a > leal c- z', _ g : ' 8 ifi it c) "e c 4,9 --el - : ". in 4a O. c-) c-)..a. g 6...a- - En 8 C.. CA CO g be 14 t C CI (1) 8 to.2 c.)! :61 to rcs. to co vi ` ) 6: e bb a a) a.) a %Lis 114,_..c... ac..- 2 co > - c.o.= 1- _ 4.) ca. o c -a,... - c.) c.) -= c o.= as cc: Segregation of duties. cci. ; (COSO, 1992: 46) Ca E >11 to-13 5 c ;,.a =,,-) = i on t E k - :2 e4) C a) --a g,., 4.)..,6 ;, eci) 2.ty C 1: ,.4.:;' ' '.2 V M E al OS P.. -. Mt g t 'a t a,--. 5:1. ei.9 t II+) Z..4 Z C,... 5.o t. o o t.:5 ch.. v t,' o J-.) (.2.5 ri -o r. ) ma c ' t ta. " "Cc ) C t.:,e '19 "8 v c co c I t4_, (1) C4 8 to c4 2 c..) ;.-A. c4.5 c) as a, C4 S 1 :2 V ni C. 55 rn fa 8. c 1 11 SAS 55 and 78

54 Program security Physical security "c) 'ay' E. gt, , t. 'a 2 u 2 4, oc.. if,. g 6- > s.a o E c...,,,. c, -5,, cu lil ++) 8 C,t - a ts..a..a.4 isr, 1 z :. ro) Ea ot.)..ccu _, 13. :E 4. 9C >,2 2.co E..c.i, :. 4, : O. > 1E' t en ' -a.1:3 's a.._, o u,, to, o = -. 8 ' '. E 'ro to 2,t1 c) St E cr.,r, o o -o 2. 8., _ l" 1...?..) -.E...t( 2 g a 1... II IL g SAS 55 and 78

55 9 C,- c., c4, t o JD gm= wie, "..= ti 1 1 E a Vi..5 4 E r., 4) = C a 1) ea g Cip = Ri Cfl V cp 4)... c) '-' CU. ) en ' C = 8 > ,84. K, ". 4) 1 c4. OC 4-g._. 2. a -.9 x 4., tes _= - ro " Ls,-- ca... 4.) a.) En > le ttt c.) G te e us- co.ta gi ca t e "' Z) C 4) v) E-. ra'.9-1- ) c -o= 6 a g 8 2 'a 73 " u,. _.3 a `a "Cdt en. al PA. 4) 6- rn" tu a "i CL I-. ' IA E "" -,.....c 2 C -..., (-2 > 'no tel.c ce o = c.). n,-, CL. - C.O. C. 4) las ",6 c.-..,c2 $., C, + > To 1 2 <2,.., 1 L2 L2.,.., ie., Go gi,. I-, co.,.a CA -6 c 4.9. C cts '2 >..a, ca 1,-, t...) "En 6.4 gi 71 ra lai Cl) g 3... a -o, (13 i e=c1",.= 3 V CHn 'CU."Pg _ c... z -=ooo..c t -.E, E ci *-2 (,-) 8 % 8 cin os... (4- a. rn a E-1. to I I I 1 cr. a SAS 55 and 78

56 U v..e 4-.) C E = 2. v C 2 viz a, c, ,./2 ea g - c 44 -E,,. a r. cn ' ), (4-z o >r,.,_, 1-1.._ g c 44 6 c -..o -5 Ca o v co> g. r,... - cu.t; c al..... =..c.174 cu a."6 E '- 3 g. L' -5 c ' C.) os - -ED E..7 4.) --,.4 t.5 v c c... - o ),a I 2. b) iị cf) ch., g 8 =.,:,. -,- en CA U3, a 8 I...., C) C) ' '-' > co- co - c. - c $.) g -re o. C "2 (L).. p..,,,c nz'.., 2 '". t',.. 'C. u, vi -.) ca'' c hl ii bo u),;..1 9 tt, ' o c C o.,..8 o. Us a.. 1.) 8.. ' C mi - crwo.5 I- - -6,. irtl,..., i 1 pi 4.. u) g I : 1-:... et... : 7, 8,2" ' I,.;.1 ort :3:, `.) cdei...;(.. ii...c a,-,.7 41c Li CA +.1 al a) cl g g ti; ri, 4) (COSO, 1 992: 3) N I U SAS 55 and 78 L s1; :": J1:11, w -i ' '' NV1 g...

57 ci) O C.. -" u. c a) a? - a) Clf I-, c) fa - f+-- cs - o C co... En a; V c v - 3 ca en I-. = 8.3 v c 5 'a' - ctt.. a -, 4-, c. in. - t ra. a b- s- o.4-4. (... o c o.2-88.s35.5. so E e - no w pa2a, C a.) C CA 75 LIS t " "" X f.9)... a to ox ryi IC) En ce, To I.. sat 7) E tn ) "S..LE-i =,,.., te,,, V -o a. -' s cn- OOVAC... a; 1/2 no La, co.-. o - AC c) 21, F u5.2 g = y, cd 4?,., co - ad.e c ca co" C C.) t) c) in U v' o u tp,4,7 6. cc" 7,. a a s' c 2 - s"...-; - E eu ad -c ri a 7.4 ' E c.) 7 ica (2 1 i.42 g a c" O. c c a = cn E 1 = a; 4.)...? g ) ch. 4's ( ti 2.) I- co-1 a -- = - "2<4. TA. g 2 -e.. - 4, o u) to.= m > 2 5. s... o -, - > o 7,,, _., = c." -- r.)) :1 =I g o-,., s., E 4)... c.4 Li 4-1 sti 4) 4 = 4 4-). 44 ri) -C) `12, 4) 4). - o '..c ' = E te 8 3., zi vi cti Ce- t.. F o. a.) 1- co U LC) SAS 55 and 78 environment: (AICPA, 1 995: 1)

58 O U C i... M 141 4as «,. c *4-8 t 5 ) c $.2-2 t = -ch. 15 = 1- > (" P... c *E ḇ tu c ca. E cre) 5 c It' 6 c. c - a, ), o c al. 5 :o ',2. op.,... t i i g. - 2 i,,, 4).. (-. ctil..-. c.) 8. CCS ca >b 2. -a it i.,) i. O.) Ce ' C - I g -C) "1 8 r bi 2 3 (4-I o u e. -.2 `n c...! EL,-. o " id ce " o > -o.. o S L. 47; C). RI CO C4a CI ce g t c 'a s, r. z a) -) 2 Lai ' 2 'a F.).,- c H?,.7,.....-, 71; CC I to, _r! r 2 g r;,....- E c E E.-. c..) o,-. rt...co = o a) u -Ze 9,-.2 8 'E 8 ra.m. G. (COSO, 1 992: 3). :. Lium)) MINIMI;!::... 7)W 591E1.... it, "" - kr1:4': kr, cm U ' E,, Harapiammlamire.5;:::::maininuu OMB! SAS 55 and 78 C '! IC. = te 2 ' 3 M C ' - ao.2 = g, g 3i,..E.g ' Ta. in 3 En co)",. 7; CI sm. 3 = 2 z: tip 44 C ias -. c o..2 I% o g u..is al sy) 5 -a 1.) E c.) _ = = C.), : r.:...: cn cti..c C I. al CZ CA C..) C.) in.., CA = (AICPA, 1995: 17)

59 . SAS 55 and 78 P.". t tu.l. ts E " s -a ti. tic c c t3 t t. to.s. 1 ;4' C14 k:,s, -a,. )"' a ti *C m z a' Ste E,P., t N - ta ut..t {,, *tr. -t -E, :A_ t, 1 Nal WI I%..:1.., a ca 44.2.J-$. La 6-,.s. zi

60 SAS 55 and 78 - Control framework. Organization structure.. -. cis. 1 g m a to..,.. _ V CI c..s. i. et c4 -.9l 2 1 8!... g ' ill r. ; s. ;.' 5 E. its t a ca g ott o. a... to I., En 1., v B 8 8. r p E...+4 =.-. c co.,. o c {A ta. C.) E ti Cr E 4 E a C I. ejj I-, s... '.C ".C3 E * - - g 1..s. 4) g. ea) t t 7,.. T., 1) Q? CA " c v., C (.1.,1= MS = '773 CA... 4a arts :::.C)1 t g r3 E.1.),,:t CO Z 'a_ , I-1 is IS.b 14...i t Fa MI 3 U sa :1 r:4 al ft R, ) 1 I i i I I I I a..). e.t) I-. C :45 >1 g V) = V..... o a t a. 112 t` 5 sm. 1..,.2 2 a. o -a 2 o ri o 2 o uowta. :Ā2-ta n :2 8 E)" Q. 's%... Ca = crj - v r.) ti t. - a,,,, 2 'z' 2 a ei &I Z.' g cl) 'a.:.-j. a :-.: 2,c3 41E t :e' g 12; 11 : 1 i E.43.c. 1 mo. -2 = g V rn C.. c A. la' "CI C5I) COM Vi Ci 1 ""..t le) :1 a g a < E.) = g (ISACF, 1996: 2) en CO

61 9 O U 1 a t. nc; (4, yr, 9- ES. C-) ea - 4. N - u, g 3..5., g,z, -,:, Q., -,., c cs :-. - n g r,.5 8.!F o c.c. -,c, 5. g a. 5z' O 41.) -5. go.1. i 'Ti = 1...t.b u.f cn co cn -4-, cticn,, 1 S ta ED coosc8 C1).,En - C g 4 c t -! ' ) 1:1 - ).5)(1. s >O'... ca,,2..c 4., al.c --.al-,` S t 1... c. cn..., an, 2 r.4,. 2 t.4.::: _t) a rs. 3.) E R o z.-at nvut -3. A., Cid ) 3.).._. "... oi - a.,... E.z. -.,. `n S OE mg.!! /I-. 5 A!...= o f-. E N ig '6' o o..23. o c3 o o Gn :3 U aut c te *C ki..., c'a M 4-.1 te.) C c3 Si A s CZ 1.4 Col ty I.) "ti c til ir, t 72 V *ill E c c i.. '.--, E. a`.9. mo Cog I) 3 ca -o cc c g t-' a, I "!; "ti ise iss, o i'1, * E E il 1 E t %,-,.. c cn >, -... _ c v) A (..) aa - c cz c;-; 8 c7 `4, a 4. cre: t t it. v on c.l. C C C 2.2 ao ;En c m... ',t 2 ti.e t5 4) - t to * 5 TO. 32 me ' -g o Cr MCI. CV C =,---. cvs a 7). CA cn co) ca in ca ta t co. co, 4) a) v c., 4 cia 8 A c., c...) = 4,, ei a, ree7 a. 5 E "FE g 4 Sn rn Cr SAS 55 and 78

62 in U - Review operations or programs to ascertain whether results are consistent with established objectives and goals, and whether the operations of..,, I c co -13 G c..) e = 3 c,,... -,. rn.- ci ca > -, t" u 2 Iv - g.2,c cin g t. il-q,,,, -- --' -- -a...a.h. 2 ' ticg.:4' c I- --Q au " o. o o.- 6. as as c-, `1-1 c tu &I I- "C - g Vs 8 5 vg It...,..., L. <IN,. a ce) en CU) Ca G.,_,e, 4-, Ce-,.5. E ie -a CO v, c ; C. I.. =,_, u, Cl) poca6 -&-ootgra U Oh,3` ;) g'' g tt.' 8 E '.7) (-) c.) le co,, of..4. e 4) = -ea' " g ti vi oo cf cn U2 t- t tl [-C: -C - ' 1-1 t t.. c a C C N i y o 4 c-) bp - cn - > >., a. c c - c co o$ la.4m..". Ccg e..5 E I-; M ul 22 t. ill eh C - C o 5. tura 9, (-).. i tali 8 i. " V) >, cd as iluipa,,,a;:i.. gr" c,.,... '''', : ao O LI) 14i. - SAS 55 and 78. i -... ::-. a -cer) v E h a...:2 :. i tk in` V 4 m t ta t F. t g E cy sc a ta = cj IA c:6...5 CJ., 4.; P3/ :: :., yy... t. :. j. : ID i C CD n ) 4=' E C 2 c.?,, 6.-.4% R C.) ".a. C 4a 41) 15 co. n 7 PO 8 Ia. 8 8 ±4..;-; a cuc,.. 7,..). Es e...g _ u I...v u cn uj it 5..t c`l.9., " C o,_.,.. 6.)... c.- on a. Q. to= 8 g 1 co osc cd2± to -8= o u..5 rn t v3 5 t > -. c> a? ''' - t a.) '1:1 cu.. ' I.. Eteo c:boe e.=. o... d.- n.- 4? t-t & E 2 E 6 in E ou.- v :-.. a I. E -o - <b 2 E C"'.45c En 2? cn.=,...) G.) ec c to g'," o 8 IS v h E.4 in c) 2a. 4-., 1- C = es es m -es.1., t. t. h ta ti V M as b t t..) cy %C 1

63 U _ti c ui CA i N O..., o c..-. U c.) o E :3 <I I- I.... lai Q. >-. rn g - >-. 'C En.,_. o 7 c = 6 o 8 O g C rn En 7.: C.) cl) r y a C U = u, a) v as - a.) 4.) r.,.. T.) ti U "" 4-1 u Ci. -P. et - t u) > c a 8 c:ii ' 43 E I I I Application controls (COSO, 1992: 48) U I I t SAS 55 and 78 (AICPA, 1 988: 1) ISACF, 1 996; 13 (AICPA; 1995: 1 7, 18)

64 Ct U U 4 F PC U SAS 55 and 78

65 . " ed) C 1 g.4 5 r, ,) cux ' dr, 4a. Jo go ro'.e c F-1 : 5-2 c u 3,5 o 4- R R a; c -a co et- E-g -8,._,,, 47, ct,?.:,,-...--i s.). :ma _ ,-3 2 c.e. 3 ( -a c a. E -411 ' 9. 1 g r.,, a a2 E r. gi E =./ ,,- >, a a +4 Ea Ci. "t" C.) U).. Ca al El ii 5 r. i = Tr! "g'6) cdt > er) f - SAS 55 and 78. z el/ r,,2 - i-. ca "a, ig. r.7) -W '''' c 5.`62 I k9 =. a. P.c.2.4 V E t IC; 'Ea, 2 su -d g 8 ra E =.5... c;. `Ic) = 7, o t. -a.5 O.- o.c c9o ct (4. 2 o c c's) c = cocl I I (AICPA, 1988: 26, 39)

66 :..2 C (... o >, E - -a 1- a.) to. 1-. g X tci ' ui CI r.) E E. ' C c. 2 C., g... 3 a C? >, cu ry ag C 9 I-,... I-. p. En C..= 3 -..=... C VS' e z.se 8 t - - o ra. = =.r. r =.n -a ' -.." 7. > - i, -a 3 c n as a., as (COSO, 1 992: 69) ct SAS 55 and 78 (AICPA: 1 996, 5)

67 O O U O co.) C U U Ct Physical security c: 8.c o ') -a Th e 8 'a' E - c.) g. r.-8 5 >, - a. ix. I I I In it4 (IIA EF, 1991: 915) LI) u) :3 U SAS 55 and 78

68 U U (/) - Computer viruses. LI) E-1 :15 U SAS 55 and 78 CO :Y. c ^ 1..'?:.% g +. con c =. +4 w O. v y= 2 <6.) C cn I G ea t 4 in,....4 on cc; b, 1 in E). R g - r-- ).4 %I a Q. I-. its 4- E rn c tu o., tg c g CU C t-, <et 5 i...3.) us 6 g <15) t "I la A. N 2 2 O ai " E. la..4 ). O Z' oo rtg a' 2 A. 2 a. 2, > -...: = E od 't ZZ vi e g 1 lial Go 611 I I I I I N

69 U U tin E" C U N In SAS 55 and 78 I I I (AICPA, 1 996: 1)

70 en SG...; 8. `6) g o "aa g v oo - v...= E tri. g ui o rn I'6 Oaci WI g > 4a.E u,.a. u u,.15 m, -a Ili.2D co - i c t g > c /2 o =.m :Es t wi cd,1) 2..= o 5 E 1. 7:, I C I ") " " ti I n 1 fa I -, t..= - c I 2 t cd 4.1 I 1 I I SAS 55 a nd 78 cal eni

71 IC SAS 55 and 78

72 SAS 55 and 78 -a 2 > > 8 c.:1 g, a.) a.) t..z;.c g -c 7..) 8 -c g., = E g 2 E t 8,,,, i g tr) CO ;5, -C rn DS cia "lo :74.F_, :-, ca >".. 61) c.'.7s -- in cw51 C 4' Ca CO or a =... o to. to V V En I- ' - SS - '1.' co). ry " IC ca ca tr 4- `15, 1/2-t, t3 c a b.) E E `le tia Lc _ E a g OC si c) cat) O. = = c; t g..-, _,", CL),= '-' =.. C I-. C L) I-.. " C c2 'la rg...a tii.1z) c at. i rt3 1 E 2!,)' M 2 2 E F. g ItE E t wiz cla " 41(4-' R t m E E c E o ce che

73 9 SAS 55 and 78 - o :s. o - t) E g E u, >, r>,z 2w).-Eo±tm co, oj 3 45 a.) wtgul c oo CS. Crt cri. t 28.t-ca g E.V. Eeg2 ft <tr co "t o **t Uco)

74 O O U te E-1 U SAS 55 and 78 "ar' l d t ty E ot E i....t a it (1) ISA a E t "t' a o c "ii, E 4.) ea t

75 SAS 55 and 78 "c? '22 c 1; %ILE E E tt Ca. to, &CI 'a Et (LI" C ors et fvt PS. r g i fig wet t rtt c il. ts, c tck t tie rc i`JtE E e, t e t. tha -E3-41 E J.: z "ts S..S P.1

76 O O U PC U SAS 55 and 78 tu.5 t -- "et. c c c -,.a.,..,4 ri.e,..,,c., E t to -c,., ts E,,,..) t w t, t ej zti ta b cu t ta z r". t pi ' "es C4. -) c...a wa:s. tec %a's :1-4. a PE -1 t *S. E t (NI

77 SAS 55 and 78 (AICPA, 1995: 12)

78 Cl) SAS 55 and 78

79 SAS 55 a nd 78

80 (6) -,... " 'A t 1 1.,-.,17).] - -5 go yr 'as 'a' 2, g V.2 _vrdoge -ao -E,,.. Ea VI C2 ". Ir. =. a... E. il E 4 c 4) cn > tu -= ts, cc c E s 4.) 'it of) `'. c c 4? E to o. 4.) >, 4) a ui, erf C.) E a. en.g om t ti..3 (4-1..o ii, c" g I-. cn..., (4... C - r.i>,-. :: i.2... "E E e.,2 +6.g al. Es 4) tg., a.) 45. g P. ta ui a c E 4.) c.-. r 4E a. Ts -o.a o. 42r. a;.;-, o ct re IN.E Ea = 2, ul L..4u a..2 a cc - crl LI 4-' c.-. 5 g E E -8 Ḷ13, tcj 2 4.-at..g g.` t oo at *,..,. a co ' CI. ui.) c S g al. is ca) u = v C,.,,, 4.) ni...,.... c,..).,..-.. to..- r to,. It cil 4E cif...1 C.) OD... "gm rot cd... 'V I o» o,. ". r. r a bi ) - g.. a. 2 E = v n -. - at -,N.4r., 4) 1 8" tri i 41. -ri &n, 1-.1, E 2 g) c... *4-1 fd -49 g Ou On c 1-4 ct E on_ c.,.,2.i Is. -. r a. (..... >,. a (49. fra it; c 3 {4 -: a th z o rd,t2 cg.z.-._.,, E ck. tat o as E o a, E -o E a),3 '''. f... 4.)= ti.o 2.) = '6 5 Es) as. 8 -a --..::.c: c `" ; = Alt '21 es I-.- >, V) 'IS 'CI > Oa ).4 cn p -c.4 it 7 cn cd 5 I-4 f-i SAS 55 a nd 78

81 O U cu..,n.4 ( c my 4., - a.) g I...t 1..= 1 >, >, coo,,, -=..2 Ct.."6 a E e.2 >cli. 4)..9.. E c. as 4 g. ii,42 i S ' L 41 c 147) 8 ) GI X.2 r, ed...c co ca,/, _e.. - a.9 E c 'a' [t 1.4 6, tii q o..,c3 3 -a vi.c g 2 a) E a) be ru "a >, g 5= ", i...c co.4 c o -. i,i tvo.f.c.ogoe...ctist 46 1) ; >, 7, '5 E it ct) ' t). MI. al 2 CPI 5, C o r. ci cr tn F il I {1)2 lal. 8 at. ox 7- o rip = ti -R 1 I I U4.1 t U In rn ld. U SAS 55 and 78 42;