An effective system of internal controls should exist in all organizations to:

•Help them achieve their missions and goals.

•Minimize surprises.

•ERM defines risk management as:

–A process effected by an entity’s board of directors, management, and other personnel.

–Applied in strategy setting and across the enterprise.

–To identify potential events that may affect the entity.

–And manage risk to be within its risk appetite.

–In order to provide reasonable assurance of the achievement of entity objectives.

Risk is defined as:

The possibility that something will happen to:

–Adversely affect the ability to create value; or

–Erode existing value.

Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.

This makes it difficult to know:

Which control systems are most important.

Whether they adequately deal with risk.

Whether important control systems are missing.

Why AIS threats are increasing

–Control risks have increased in the last few years because:

•There are computers and servers everywhere, and information is available to an unprecedented number of workers.

•Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.

•Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

Control and security are important

–Companies are now recognizing the problems and taking positive steps to achieve better control, including:

•Devoting full-time staff to security and control concerns.

•Educating employees about control measures.

•Establishing and enforcing formal information security policies.

•Making controls a part of the applications development process.

•Moving sensitive data to more secure environments.

•To use IT in achieving control objectives, accountants must:

–Understand how to protect systems from threats.

–Have a good understanding of IT and its capabilities and risks.

•Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:

–Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.

–Segregation of duties must be achieved differently in an AIS.

–Computers provide opportunities for enhancement of some internal controls.

•One of the primary objectives of an AIS is to control a business organization.

–Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

•Management expects accountants to be control consultants by:

–Taking a proactive approach to eliminating system threats; and

–Detecting, correcting, and recovering from threats when they do occur.

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

Records are maintained in sufficient detail to accurately and fairly reflect company assets.

Accurate and reliable information is provided.

There is reasonable assurance that financial reports are prepared in accordance with GAAP.

Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.

Adherence to prescribed managerial policies is encouraged.

The organization complies with applicable laws and regulations.

Internal control is a process because:

–It permeates an organization’s operating activities.

–It is an integral part of basic management activities.

•Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

•Internal control systems have inherent limitations, including:

–They are susceptible to errors and poor decisions.

–They can be overridden by management or by collusion of two or more employees.

•Internal control objectives are often at odds with each other.

–EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

•Internal controls perform three important functions:

–Preventive controls. Deter problems before they arise.

–Detective controls. Discover problems quickly when they do arise.

–Corrective controls. Remedy problems that have occurred by:

•Identifying the cause;

•Correcting the resulting errors; and

•Modifying the system to prevent future problems of this sort.

Internal controls are often classified as:

General controls –

•Those designed to make sure an organization’s control environment is stable and well managed.

•They apply to all sizes and types of systems.

•Examples: Security management controls.

Application controls –

•Prevent, detect, and correct transaction errors and fraud.

•Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
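As an added illustration (not part of the original slides), the following Python sketch applies the four application-control properties named above, plus the segregation-of-duties point raised earlier, to constructed journal entries; the chart of accounts, approver list and approval threshold are assumptions.

```python
from decimal import Decimal

# Constructed reference data (assumptions, not from the slides): the chart of
# accounts, who may approve entries, and the amount above which approval is required.
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "5000"}
AUTHORIZED_APPROVERS = {"controller", "cfo"}
APPROVAL_THRESHOLD = Decimal("5000")
REQUIRED_FIELDS = ("txn_id", "entered_by", "lines")

def check_transaction(txn: dict) -> list:
    """Return the application-control exceptions for one journal entry (empty = passed)."""
    findings = []
    # Completeness: every required field must be present and non-empty.
    for field in REQUIRED_FIELDS:
        if not txn.get(field):
            findings.append(f"incomplete:{field}")
    lines = txn.get("lines") or []
    # Validity: accounts must exist in the chart; each line is a debit or a credit, not both.
    for acct, debit, credit in lines:
        if acct not in CHART_OF_ACCOUNTS:
            findings.append(f"invalid_account:{acct}")
        if debit < 0 or credit < 0 or (debit and credit):
            findings.append(f"invalid_amount:{acct}")
    # Accuracy: total debits must equal total credits.
    total_debit = sum((d for _, d, _ in lines), Decimal(0))
    total_credit = sum((c for _, _, c in lines), Decimal(0))
    if total_debit != total_credit:
        findings.append("unbalanced")
    # Authorization: large entries need an authorized approver, and the approver
    # must never be the person who entered the entry (segregation of duties).
    approver = txn.get("approved_by")
    if total_debit >= APPROVAL_THRESHOLD:
        if approver is None:
            findings.append("unapproved")
        elif approver not in AUTHORIZED_APPROVERS:
            findings.append("unauthorized_approver")
    if approver is not None and approver == txn.get("entered_by"):
        findings.append("sod_violation")
    return findings

# Constructed sample journal: J1 is clean; J2 trips several controls at once.
SAMPLE_JOURNAL = [
    {"txn_id": "J1", "entered_by": "clerk1", "approved_by": "controller",
     "lines": [("1200", Decimal("7500"), Decimal(0)), ("2000", Decimal(0), Decimal("7500"))]},
    {"txn_id": "J2", "entered_by": "clerk2", "approved_by": "clerk2",
     "lines": [("1000", Decimal("9000"), Decimal(0)), ("9999", Decimal(0), Decimal("900"))]},
]

def run_checks(journal: list) -> dict:
    return {t["txn_id"]: check_transaction(t) for t in journal}
```

Each exception string names the control that failed, so the same routine serves as a preventive control at entry time and, run over the posted journal, as a detective control.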

•COBIT framework

–Also known as the Control Objectives for Information and Related Technology framework.

–Developed by the Information Systems Audit and Control Foundation (ISACF).

–A framework of generally applicable information systems security and control practices for IT control.

•The COBIT framework allows:

–Management to benchmark security and control practices of IT environments.

–Users of IT services to be assured that adequate security and control exists.

–Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

•COBIT consolidates standards from 36 different sources into a single framework.

•It is having a big impact on the IS profession.

–Helps managers to learn how to balance risk and control investment in an IS environment.

–Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.

–Guides auditors as they substantiate their opinions and provide advice to management on internal controls.