
Learn Internal control



Internal control  objectives

1-Effectiveness & efficiency of operation
2-Reliability of financial reporting
3-Compliance with laws & regulations
4-Safeguarding Assets


Internal control 5 components (mnemonic: CRIME)

1- Environment
2- Risk
3- Activities
4- Monitoring
5- Information & communications

Classifications of system controls

General Controls
1-Organization & Operation
2-Procedures & Documentation
3-Hardware control
4-Access control

Application Controls
1-Input Controls
2-Processing Controls
3-Output Controls
4-Storage Controls


1st General Controls
General controls are designed to ensure that the company's control environment is stable and well managed. General controls include controls over the development, modification and maintenance of computer programs.
1-Organization & Operation
Including segregation of duties within the computer department and from other departments, as follows:

System Analyst
Responsible for reviewing the current system to make sure that it is meeting the needs of the organization.
Reviews the current system and provides design specifications to the programmer.
Should not do programming, nor should they have access to hardware, software or data files.

Programmer
Writes, tests and documents the system. He is able to modify programs, data files and controls.
He should have no access to hardware or software that is in actual use for processing.

Computer Operator
Operates the computer to process data.
He should have no programming function and should not be able to program.
Exam note: The most critical segregation of duties is between programmers and computer operators.

Data control group
Monitors input, processing and output.
Has access codes and coordinates security controls with other computer personnel.
Should be organizationally independent of computer operations.

Librarians
Maintain programs, documents and data files.
He should have no access to equipment.
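
The segregation rules above can be checked mechanically against a list of who holds which role and access. The following is an added example, not part of the original notes; the role keys, access labels and the STAFF list are constructed for illustration, and the librarian's "equipment" is modelled as hardware.

```python
# Added example: segregation-of-duties check built from the role rules above.
# Role keys, access labels and the STAFF list are constructed for illustration.
from dataclasses import dataclass, field

ANY = frozenset({"production", "development"})

# Functions a role must not perform.
FORBIDDEN_FUNCTIONS = {
    "system_analyst": {"programming"},
    "computer_operator": {"programming"},
}

# Resources a role must not reach, and in which environment.
# "Equipment" for the librarian is modelled as hardware (assumption).
FORBIDDEN_ACCESS = {
    "system_analyst": {"hardware": ANY, "software": ANY, "data_files": ANY},
    "programmer": {"hardware": {"production"}, "software": {"production"}},
    "librarian": {"hardware": ANY},
}

# Roles that one person must not hold together.
INCOMPATIBLE_ROLES = [
    ("programmer", "computer_operator"),          # the most critical segregation
    ("data_control_group", "computer_operator"),  # data control independent of operations
]


@dataclass
class Person:
    name: str
    roles: set
    functions: set = field(default_factory=set)
    access: set = field(default_factory=set)  # (resource, environment) pairs


def find_violations(person):
    """Return a sorted list of the rules this person's assignments break."""
    found = []
    for role in person.roles:
        for fn in FORBIDDEN_FUNCTIONS.get(role, set()) & person.functions:
            found.append(f"{role} performs {fn}")
        banned = FORBIDDEN_ACCESS.get(role, {})
        for resource, env in person.access:
            if env in banned.get(resource, ()):
                found.append(f"{role} has {env} access to {resource}")
    for a, b in INCOMPATIBLE_ROLES:
        if a in person.roles and b in person.roles:
            found.append(f"holds both {a} and {b}")
    return sorted(found)


def audit(staff):
    """Map each person with at least one violation to their violations."""
    report = {p.name: find_violations(p) for p in staff}
    return {name: v for name, v in report.items() if v}


# Constructed sample assignments.
STAFF = [
    Person("Amal", {"system_analyst"}, {"design"}),
    Person("Basem", {"programmer"}, {"programming"},
           {("software", "development"), ("software", "production")}),
    Person("Dina", {"programmer", "computer_operator"},
           {"programming", "operate_computer"}, {("hardware", "production")}),
    Person("Hany", {"librarian"}, {"maintain_files"}, {("data_files", "production")}),
]

if __name__ == "__main__":
    for name, problems in audit(STAFF).items():
        for problem in problems:
            print(f"{name}: {problem}")
```
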

2-Procedures & Documentation
Including written procedures and manuals. These also specify the process to be followed in system development and system changes, in order to provide reasonable assurance that development of, and changes to, computer programs are authorized, tested, and approved prior to the use of the program.
A-SDLC (System Development Life Cycle) Controls
1-Top management commitment is needed for effective system development; this is normally achieved by forming a steering committee for approvals and progress review.
2-Studies of economic, operational and technical feasibility to evaluate the existing and proposed systems.
3-Establishing standards for the system design and programming stage, to match users' needs.
4-Change controls
Changes should be subject to strict controls:
    - Authorized written request from the user department, and approved
    - Redesign the program using a working copy (not the original in use)
    - Tested by (user, internal auditor, IT rep)
    - Approval by system manager + acceptance by user
5-The proposed program should be tested using incorrect, incomplete and real data to determine proper implementation.
6-Software licenses should be maintained.

B-Documents Controls
-Systems documentation (narrative description, flowcharts, input & output forms, authorizations for any changes and backup procedures)
-Program documentation (description of the program, program flowcharts, listings of source code, operator instructions and controls)
-Operating documentation (information about the performance of the program)
-Procedural documentation (provides information about the master plan and the handling of files)
-User documentation (all the information a user will need to use the program)



3-Access controls (to equipment and data)
A-Logical security
Controls access to equipment and data, including virus protection, firewalls and encryption.
B-Physical security
For servers, secured rooms, UPS, protection of media library, insurance, personal badges, keys, magnetic ID cards
-File security controls:
-External and internal file, disk and tape labeling
-Read-only file attribute
-Database systems use (lockout) to prevent (deadly embrace), or (preventing two applications from updating the same record at the same time)
Note: A deadly embrace occurs when two different applications or transactions each have a lock on data that is needed by the other application or transaction. Neither process is able to proceed, because each is waiting for the other to do something. In these cases the system must have a method of determining which transaction goes first, and then it must let the second transaction be completed using the updated information after the first transaction.

-The librarian's function is particularly critical, because documentation, programs and data files are assets of the organization and require protection the same as any other asset would.
-Backup & contingency
In any computer system, it is essential that the company have plans for the backup of data and the recovery of data, especially disaster recovery. Several different processes and backup plans function as part of the backup and recovery plan.

1-Primary (Backup)
►For programs and data
Using (rollback) to get the most recent backup of the transaction log
►Backups should be stored at a secure, remote location, so that in the event data is destroyed due to a physical disaster, it can be reconstructed. Transmitting data electronically to a secured backup site is called (electronic vaulting).
►(Grand / Parent / Child) during or after processing work: files from previous periods are retained, and if a file is damaged during updating, the previous files can be used to reconstruct a new current file.
-UPS (uninterruptible power supply)
For protection in the event of power failure
2-Secondary (Disaster recovery)
An organization should have a formal disaster recovery plan that specifies:
-Which employees will participate in disaster recovery and what their responsibilities will be
-What hardware, software and facilities will be used
-The priority of applications that should be processed
The different locations should be a good distance away from the original processing site, and the recovery team should each keep a current copy of the plan at home.
Disaster recovery sites may be either:
-A hot site: a backup facility that has a computer system similar to the one used regularly. The hot site must be fully operational and immediately available.
-A cold site: a facility where power and space are available to install processing equipment, but it is not immediately available.
-Mobile recovery centers: on a contracted basis, in the event of a disaster that destroys operations facilities, they arrive within hours with their client's platform requirements, to assist in recovery.
4-Hardware control
Fault-tolerant systems
Fault-tolerant systems are systems designed to tolerate faults or errors. They often utilize redundancy in hardware design, so that if one system fails, another one will take over. Computer networks can be made redundant in several ways:

-With two processors, the second processor can serve as a watchdog processor. If something happens to the primary processor, the watchdog processor takes over.
-With multiple processors, consensus-based protocols specify that if one processor disagrees with the others, it should be ignored.
-A CPU could have two disks, and all data on the first disk is mirrored on the second disk. This is called disk mirroring or disk shadowing. Should one disk fail, the processing continues on the good disk.

Rollback processing may be used to prevent any transactions being written to disk until they are complete. If there is a power failure or another fault during processing, the program automatically rolls itself back to its pre-fault state at its first opportunity.
Duplicate circuitry is the double wiring of key hardware elements to ensure that if one program malfunctions, the other will take over.
A redundancy check is the process of sending repeated sets of data to confirm the original data sent.
An echo check is the process of sending the received data back to the sending computer to compare what was actually sent to make sure that it is the same.
In a dual read check, data is read twice during input and compared.
Boundary protection is protection against unauthorized entry (read or write) to a tape, disk or other storage device.

Graceful degradation means that if a part of the system malfunctions, other components can be programmed to continue the processing, although on a less efficient basis.
Overflow check means that the data is checked and an error message activated if data is lost through arithmetic operations that exceed the planned capacity of the receiving fields or registers.

D-HW controls for networks
Checkpoint (like rollback & recovery):
To enable recovery in case of failure, checkpoints take backups several times per hour, and these are recorded on separate media.

Routing verification procedures:
Protect against routing to the wrong receiver, using a header label to identify the message destination (for verification), by matching the destination code and the message header.
Message acknowledgement:
Assures message completion and sequence, using trailer labels (to assure that all parts of the message are received).
Exam note: Both of the above 2 techniques (route verification, message acknowledgement) are used to prevent eavesdropping.


2nd Application controls

A-Input controls
1-Data observation & recording
Feedback mechanism: manual systems like (authorization, endorsement ...)
Dual observation: more than one employee sees the input
Point-of-sale device: encodes data automatically (with no error)
Preprinted forms: ensure all data is filled in, ex: (confirmation & receipt)

2-Data transcription
Is the preparation of data for processing (organizing source documents)
Preformatted input screen, ex: date field -/-/-
Format check (for entering data in the proper mode), ex: numeric data in a numeric field
1-Edit tests (built-in programs)
Many tests that check validity, completeness and accuracy, as follows:

Completeness check: all required fields are filled
Limit check: only data within the limit is accepted
Validity check: matches input against acceptable sets
Overflow check: number of digits is below field capacity
Check digit: a function of the other digits, to recognize errors
Key verification: inputting again, mainly for accuracy
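
The edit tests listed above, applied to input records in code. This is an added example, not part of the original notes; the field names, limits and sample records are constructed, and because the notes do not name a check-digit scheme, the Luhn algorithm is used as an assumption.

```python
# Added example: the edit tests listed above, applied to one input record.
# Field names, limits and sample records are constructed; the Luhn algorithm
# stands in for the unspecified check-digit scheme (assumption).

REQUIRED = ("account", "type", "amount")
VALID_TYPES = {"INV", "PAY", "CRN"}   # validity check: the acceptable set
AMOUNT_LIMIT = 10_000                 # limit check: largest amount accepted
AMOUNT_DIGITS = 6                     # overflow check: capacity of the amount field


def is_number(text):
    """Format check: only ASCII digits are allowed in a numeric field."""
    return text.isascii() and text.isdigit()


def luhn_ok(number):
    """Check digit: the last digit is a function of the other digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(record):
    """Return the list of failed tests; an empty list means the record passes."""
    missing = [f for f in REQUIRED if not (record.get(f) or "").strip()]
    if missing:  # completeness check comes first: later tests need the values
        return [f"completeness:{f}" for f in missing]
    errors = []
    account, amount = record["account"], record["amount"]
    if not is_number(account):
        errors.append("format:account")
    elif not luhn_ok(account):
        errors.append("check_digit:account")
    if not is_number(amount):
        errors.append("format:amount")
    elif len(amount) > AMOUNT_DIGITS:
        errors.append("overflow:amount")
    elif int(amount) > AMOUNT_LIMIT:
        errors.append("limit:amount")
    if record["type"] not in VALID_TYPES:
        errors.append("validity:type")
    return errors


def key_verification(first_keying, second_keying):
    """Key verification: fields where the second keying differs from the first."""
    return sorted(f for f in REQUIRED if first_keying.get(f) != second_keying.get(f))


# Constructed sample input.
RECORDS = [
    {"account": "79927398713", "type": "INV", "amount": "2500"},     # clean
    {"account": "79927398731", "type": "INV", "amount": "2500"},     # digits transposed
    {"account": "79927398713", "type": "XYZ", "amount": "25000"},    # bad type, over limit
    {"account": "79927398713", "type": "PAY", "amount": ""},         # amount missing
    {"account": "79927398713", "type": "PAY", "amount": "1234567"},  # too many digits
    {"account": "79927398713", "type": "CRN", "amount": "12a0"},     # not numeric
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec, "->", edit_tests(rec) or "accepted")
```
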


B-Processing controls

1-Data access controls
Transmittal documents: control the movement of data, like batch sequence numbers (used to number data to make sure all batches are accounted for)
Batch control totals: ensure that all inputs are processed correctly
Hash total: a kind of sum, useful only for control purposes, like summing customer account numbers
Record count: counting the number of transactions twice

2-Data manipulation controls
Software documentation: like all kinds of flowcharts
Compilers: used to check for programming language errors
Test data: to test computer programs
System test: to test the interaction of different programs
Batch balancing: compare with a predetermined control total
Run-to-run totals: output of one process used as input to another process
Default option: automatic use of a predefined value where a certain value is left blank
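
The batch controls under "Data access controls" and the batch balancing step under "Data manipulation controls", worked through on one batch. This is an added example, not part of the original notes; the record layout, the transmittal fields and all sample values are constructed.

```python
# Added example: batch control totals, hash total, record count, batch
# balancing and batch sequence numbers. All data here is constructed.
from decimal import Decimal


def control_totals(records):
    """Compute the three control totals for a batch of records."""
    return {
        "record_count": len(records),
        # Hash total: a sum with no business meaning, used only as a control.
        "hash_total": sum(int(r["account"]) for r in records),
        "amount_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
    }


def balance_batch(transmittal, records):
    """Batch balancing: compare computed totals with the predetermined ones.

    Returns {total_name: (expected, computed)} for every total that differs.
    """
    computed = control_totals(records)
    return {
        name: (transmittal[name], value)
        for name, value in computed.items()
        if transmittal[name] != value
    }


def sequence_problems(batch_numbers):
    """Batch sequence numbers: report missing and duplicated batches."""
    if not batch_numbers:
        return [], []
    seen, duplicates = set(), set()
    for n in batch_numbers:
        (duplicates if n in seen else seen).add(n)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return missing, sorted(duplicates)


# Transmittal document prepared by the sending department (constructed).
TRANSMITTAL = {
    "batch_no": 7,
    "record_count": 3,
    "hash_total": 61632,
    "amount_total": Decimal("1425.50"),
}

# The batch as it arrived for processing (constructed).
BATCH = [
    {"account": "10234", "amount": "150.00"},
    {"account": "20417", "amount": "75.50"},
    {"account": "30981", "amount": "1200.00"},
]

if __name__ == "__main__":
    print("as sent:", balance_batch(TRANSMITTAL, BATCH))
    # An account number keyed wrongly leaves count and amount intact;
    # only the hash total exposes it.
    mistyped = [BATCH[0], {"account": "20471", "amount": "75.50"}, BATCH[2]]
    print("mistyped account:", balance_batch(TRANSMITTAL, mistyped))
    print("record lost:", balance_batch(TRANSMITTAL, BATCH[:2]))
    print("sequence:", sequence_problems([5, 6, 8, 8, 9]))
```
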

C-Output controls
Used to check that input and processing have resulted in valid output.
1-Validating processing results
Proof listings for all changes to the master file: provide detailed information about all changes to master files.
Reconciliations: analysis of differences between 2 files that should be substantially the same.
Suspense account: used as a control total for items awaiting further processing.
Discrepancy report: a listing of items that have violated some detective control and need to be investigated.
Upstream resubmission: submitting corrected errors again so that they pass through all controls.

2-Printing output controls
Forms control: like physical controls over checks, prenumbered forms
Authorized distribution list (for report distribution)
Shredding machine (when documents are no longer needed)

D-Storage controls
Controls that are designed to ensure that only the data that an organization desires to be stored is actually stored, as storing too little data is ineffective and storing too much data is inefficient.
Also to ensure that data stored is accurate, valid & virus-free.

Note
Preventive controls: like segregation of duties, dual access controls, preformatted inputs
Detective controls: like transmittal documents, batch control totals, check digit, limit check, validity check, completeness check, hash totals, turnaround documents
Corrective controls: like discrepancy reports, upstream resubmission






Internet Security
At a minimum the system should include:
1-User account: giving every employee an account no. and password
2-Antivirus

Virus: a program that executes itself and replicates itself using a host file
Trojan horse: hidden in something desirable; does not replicate itself
Worm: replicates itself, but without using a host file

Virus hoax: a false email asking you to delete a system file

3-Firewall: a barrier between the internal & external network that prevents unauthorized access.
It provides protection if hackers attempt to misuse the data.

Proxy server: HW + SW that creates a gateway to and from the Internet
4-Intrusion detection system: a centralized system designed to prevent hackers from penetrating the network.
5-Password: protects the system from unauthorized persons entering the network
6-Encryption: converts data to code, then requires a key to convert it back to data
Two types: secret-key system; public-key / private-key


The major types of software encryption

Public-key / private-key: uses two keys, as follows:
. Public key: widely known
. Private key: kept secret by the recipient

Secret-key: uses one key for each pair of parties.
ex: Data Encryption Standard (DES), the most prevalent secret-key method, developed by the US government.


Flowcharting
One of the methods available to an internal auditor for documenting his understanding of the company's internal controls is describing them by means of a flowchart. A flowchart also enables the auditor to identify areas in which internal controls are required and necessary for the company.
A flowchart is used not only to understand and describe a firm's internal controls, but also to assess the effectiveness of those internal controls.
The main elements that are shown in a flowchart are:
Data sources (where the information comes from);
Data destinations (where the information goes);
Data flows (how the data gets there);
Transformation process (what happens to the data); and
Data storage (how the data is stored for the long term)
There are two main types of flowcharts.
1) A systems, or horizontal, flowchart shows the different departments or functions involved in a process, horizontally. It documents the manual processes as well as the computer processes and the input, output and processing steps.
2) A program, or vertical, flowchart depicts the specific steps in a process and how they will be executed. It does not, however, usually show the system components as clearly as a horizontal flowchart. This type of flowchart is not used much now.

A data flow diagram is a graphic (symbolic) illustration of a system's processes and data flows.

Note:
Computers have made the process of initially creating a flowchart and updating a flowchart much easier. Because of this, you do not need to be familiar with the drawing of or the symbols used in a flowchart.

Building an environment that values and rewards innovation will help Egyptian businesses compete in a dynamic global marketplace.



Plato once said that necessity is the mother of invention. So when the Bibliotheca Alexandrina wanted to digitize ancient manuscripts and found that standard object character recognition technology wasn’t up to the job, an Egypt-based innovation center developed a solution based on artificial intelligence. 
In the wake of a landmark global economic downturn, businesses that want to stay in business must adapt and innovate. As Steve Jobs, CEO of Apple, has said: “Innovation distinguishes between a leader and a follower.”
When examining some of the most cutting-edge companies in Egypt, it is clear that innovation, while rarely easy, is possible. It can require a flexible structure and a skilled and engaged workforce, a corporate culture that encourages thinking outside the box and supportive government regulations.

Starting within
Google is known for a corporate environment that fosters creativity and innovation; the company was recognized by CNNMoney/Fortune magazine as the “Best place to work” in 2007 and 2008.

Google’s “70:20:10 model” requires employees to spend 70 percent of their time on routine job tasks, 20 percent on innovative ideas and 10 percent on professional development. Top management determines strategy and vision, but it is largely left to employees to decide the best ways to achieve them. Wael Ghonim is Google’s head of product marketing for the MENA region. “We are a technology company, and hence our assets are the intellectual abilities of our employees. We empower them and allow them... to innovate,” he says. Gmail, Google’s e-mail, and Google News had their beginnings in the 20 percent of time allocated for employees to come up with and develop ideas that could benefit the company. 
Because Google employees are empowered users, the solutions they create can address their own needs as well as the company’s. Google’s dynamic advertising platform, for example, filters user preferences based on sites visited and was designed not to annoyingly pop up in the middle of the screen.
Innovation depends on attracting and retaining the right talent, and corporate culture can be an effective tool in reaching that goal. Professional chefs cater to Google employees around the world, for example, and Ghonim’s use of words such as “Googler” (who they are) and “Googly” (what they do) is an indication of the company’s powerful corporate culture.

What does Google look for when hiring? “Communication skills, humility and high levels of curiosity are highly ranked,” Ghonim says. “But the number one priority is the ability to do things differently and to have done something different with your life. In the US, we have employed those with Olympic medals; one of our employees climbed Mount Everest before joining us.”  
However, innovators needn’t climb mountains or be world-class athletes. “The most important non-technical characteristic needed to make a person innovative is reading. And I mean reading anything outside the scope of your career,” says Tarek Elabbady, who heads the Cairo Microsoft Innovation Center in Maadi. “Sitting in front of the TV or listening to your professor will dictate a certain way of thinking. I need independent thinkers to fulfill the mission and vision of the center.”
Finding entry-level employees usually is not a problem, since recent graduates undergo rigorous filtering procedures before they are hired. Attracting experienced middle managers can be difficult, Elabbady says, since “qualified candidates are mostly working outside Egypt and don’t want to come back.” Comparably experienced candidates in Egypt often don’t have the necessary technical skills or are not interested in leaving their employers, he adds. 
The right idea
Innovation originates from ideas. The traditional research and development model consists of a separate department with a substantial budget that attracts some of the company’s most talented and creative employees. While this model has long proved its worth, it has become an expensive solution that tends to discourage creativity and innovative ideas elsewhere in a company. 

As part of its R&D strategy, Microsoft created eight innovation centers around the world, including the one in Maadi. Elabbady emphasizes that while his center is owned by Microsoft, it is independent from the company’s commercial operations. “The centers reach out to talent anywhere in the world without the need to relocate them to the US,” he says. The Maadi center uses the Indian model to try to attract talented people by creating a work environment that mirrors work environments abroad.
The Innovation Center provides concept-inspired innovation solutions, where patents generated are the property of Microsoft. A case in point is the digitization project at the Bibliotheca Alexandrina. “The conventional object character recognition method yielded 50 percent correct output due to the complexity of different Arabic writing styles,” Elabbady says. “Our engineers produced an image processing solution that uses artificial intelligence and neural networks.” The solution was then registered to Microsoft for future use.
The great advantage of such a model is that ideas are still generated in-house, but tailored toward the specific needs of innovation center clients, unencumbered by pre-existing Microsoft solutions. The center’s solutions can be integrated into specialized applications or used in Microsoft’s consumer products.
Another alternative is to outsource research and development (R&D). In 2000, Procter & Gamble (P&G) was a successful company with large, established brands and substantial market shares. Nonetheless, the company was faced with increasing competition and flat sales revenues. R&D was done in-house, with considerable personnel and equipment costs.
P&G began to shift its innovation strategy from research and development to “connect and develop.” The concept relies on opening a communication channel with customers, partners, suppliers and academics to generate ideas that might be developed into new products. “P&G’s connect-and-develop strategy already has resulted in more than 1,000 agreements. Types of innovations vary widely, as do the sources and business models,” says Bruce Brown, chief technology officer of Procter & Gamble. “We are interested in all types of high-quality, on-strategy business partners, from individual inventors or entrepreneurs to smaller companies and those listed in the Fortune 500 – even competitors,” Brown says on the company website. The Swiffer Duster, Olay Regenerist, Pringles Stixx and Mr. Clean Eraser all grew out of partnerships.
Google, on the other hand, generates many of its innovative ideas from 20 percent projects, but Ghonim is adamant that crowd-sourcing, or accessing the general population, and user-generated content are paramount to creative product development. “Innovation is the art of collecting the wisdom of the crowd and converting it into a product,” he says. The company treats the first 20,000 clients like employees and they give us feedback on new products. “A lot of them improve the product and even make it a more innovative product.”
Obstacles
While favorable regulations often attract foreign direct investment, and encourage exporting and importing, they don’t necessarily act as a catalyst for innovation. Ahmed Ezzat is managing director of Endeavor Egypt, a non-governmental organization specializing in opening foreign markets to Egyptian entrepreneurs. “Entrepreneurship and the innovative ideas which result from it are not generated by regulations... individuals innovate and regulations change to support this innovation,” he says.

Innovation can be hindered by entrepreneurs’ lack of business know-how and corporate cultures that discourage creativity and new ideas. “The problem is not coming up with a bright idea, the problem is having the right business sense to make it work,” Ezzat says.   
Other obstacles include entrepreneurs’ reluctance to collaborate and companies’ hands-off treatment of projects or products that generate significant revenue. Even potentially lucrative ideas often languish from a lack of initiative. Ezzat offers an example that he says highlights the lack of innovation in Egypt: “Egyptians don’t trust online financial transactions; anyone would attest to that. People wait for more than an hour to pay their Internet or mobile phone bills. And yet nobody is addressing the confidence problem with online transactions.”
Another significant hindrance is the difficulty of obtaining financing for small and medium enterprises (SMEs), which are widely seen by the banking sector as risky. An alternative financing route is the Technology Development Fund (TDF), a venture capital pool managed by EFG-Hermes, one of Egypt’s largest investment banks. Its core focus is providing telecom startups with the necessary funding to enter the market. Among the ventures supported by the TDF are: Flat World Engineering Services, a computer-aided design company; Ostaz Online, an education services website; and Timeline Interactive, developers of the first Egyptian-licensed video game. The fund consists of TDF I, with $10 million in capital, and TDF II, with $40 million. The SME stock exchange NileX still has only seven listings more than two years after it was established. While the TDF is a step in the right direction, many experts say, the Egyptian venture capital system still is not as established as those in the United States or European Union.
Technology companies have become catalysts for innovation around the world, but not to the same extent in Egypt. Since 2005, Prime Minister Ahmed Nazif’s cabinet has focused on building the nation’s IT infrastructure and more than 900 IT companies operate in the country. “Most, if not all, the IT sector is driven by commercial needs, which is not a bad thing, but it is not conducive to innovation,” Elabbady says.
Because Egypt’s IT infrastructure grew and improved so quickly, few are aware of its value and capabilities, so its utilization rate is low. “We can’t form synergies within the market. We are still scratching the surface of technological innovation,” Elabbady says. “Call centers highlight the importance of operational and technological innovation. As corporations look to reduce operational costs, we need to innovate to accommodate different scenarios to make call centers cheaper to operate and more effective.”
Legal obstacles 
Laws governing intellectual property rights (IPR) provide crucial regulatory support for innovation by ensuring legal protection for ideas. IPR law in Egypt is managed by the Organization for Standardization & Quality, a division of the Ministry of Trade & Industry.

Hany Barakat, head of the Organization for Standardization & Quality, describes a three-part mission for the agency, including defining and maintaining patent standards. “One of the major issues is what to register in a patent. I can’t register a pen, for example; it has to be something with certain aspects that make it unique because I don’t want to stop the pen production industry.”
Secondly, the organization controls the Industry Monitoring Authority, which watches the market for fraudulent products – no easy task since violators are not registered. “We use a two-tier system that monitors producers and retailers. This monitoring is based on risk assessment of the producer and product. Some products are more likely to be copied than others, or can be hazardous. Producer risk is based on previous offenses,” according to Barakat.
Economic courts, which are overseen by the organization and specialize in corporate disputes, were established in 2007 to expedite legal actions. Nonetheless, the courts’ value remains unproven, says Mokhtar El Birairy, professor of maritime and trade law at Cairo University and a partner at the law firm of Ibrachy and Dermarkar. “The problem is that the judges in the economic courts were transferred from normal courts; they don’t have any special qualifications,” El Birairy says. “I don’t believe that prosecution times will decrease because it still takes a long time to prepare for cases.” 
In 2009, the International Intellectual Property Alliance “recommends that Egypt be elevated to the Priority Watch List.” “What should be a shining economic success story of ingenuity and creativity in Egypt’s rich creative industries, instead is a nightmare market for right holders, stunted by piracy, difficult bureaucracy, and almost unparalleled market access hurdles,” says the report’s executive summary.

The road to innovation
Building an innovative workforce starts with education, and Elabbady is optimistic about Egypt’s potential. “As a matter of fact, we are so thirsty for research. You can see it when you talk to college students,” he says. “Professors who really did research at one point in their careers show even more thirst for the chance to do research once again. We are a nation that is ready.” Ghonim has a similar understanding, saying that while the education system does not do enough to encourage or teach entrepreneurship, the vast amount of content and knowledge sharing on the Internet can be easily and widely accessed. “Those who want to learn, can learn,” he says. “We don’t lack street-smart minds.”

Commercializing innovative ideas can be more difficult to achieve; it depends largely on social and macroeconomic factors. The robust economies of China, India and Taiwan had their beginnings in entrepreneurial capitalism, Ezzat explains. “There is a continuous stream of new, innovative ideas that are converted to products and then sold to established brands worldwide.” 
From the government’s perspective, innovation goes beyond the mere processing of raw materials. “In clothes, there is very little textile differentiation; the value is in design, and it is what makes you pay more,” Barakat says. “The idea is to promote a design culture among producers.” Since 2005, the Ministry of Trade & Industry has established design centers for fashion, leather products, jewelry, engineering products and garments. “We started with 50 students; now there are over 500,” he says.
For Egypt, an effective model might include minimal government interference. Says Barakat: “We need to lower [business] barriers for the system to grow at its own pace and leave competition to decide the look of the market.”
One thing is certain: the argument for innovation and entrepreneurship has been made emphatically of late. In the past month, Tarek Kamel, minister of communications and information technology, and Ahmed Zewail, US science and technology envoy and Nobel laureate, have spoken about the need for Egypt to create a culture that encourages creativity.
While building such an environment is an inexact science, most agree it will require a fundamental commitment by business and support from government. As the global financial crisis fades, the ability of economies and businesses to innovate is likely to become more important than ever.

from amcham
http://www.amcham.org.eg
