Thursday, May 31, 2018

Frameworks To Support Effective IT Governance

IT Governance and COSO Internal Controls
The need for strong and effective internal controls is a key element of enterprise IT governance. A good general definition, and one that applies directly to IT governance, is that internal control is a process, effected by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of an enterprise’s financial reporting, and the operation of an enterprise’s IT systems and processes, all in compliance with laws and regulations.

Enterprise managers are responsible for implementing and managing internal control processes, while their auditors act as independent parties to both review and perform tests of these internal controls as well as to report to management and other parties whether they are adequate.

An understanding and use of the COSO internal control framework is important for establishing effective IT governance processes. While these rules and procedures have their origins in financial reporting and auditing, in today’s IT-centric world COSO internal controls are important IT governance tools. They are the rules that enterprises need to follow in order to assert or attest to regulators that their organizations have effective internal controls in place and that they are operating in compliance with the newer regulatory requirements.

IMPORTANCE OF EFFECTIVE INTERNAL CONTROLS AND COSO
Internal controls are one of the most important and fundamental concepts that senior managers and business professionals at all levels must understand. The business professional builds and uses internal controls, while auditors review and test the operational, IT, and financial systems and processes with the objective of evaluating their internal controls.

An enterprise unit or process has good internal controls if it: 
(1) accomplishes its stated mission in an ethical manner, 
(2) produces accurate and reliable data, 
(3) complies with applicable laws and enterprise policies, 
(4) provides for the economical and efficient uses of its resources, 
(5) provides for appropriate safeguarding of assets.

All members of an enterprise are responsible for the internal controls in their area of operation and for operating them effectively. From an internal control perspective, an enterprise can be compared to our automobile example. There are many enterprise systems and processes at work, such as accounting operations, sales processes, and IT systems. If management does not operate or direct these processes properly, the enterprise may operate out of control. All members of an enterprise should develop an understanding of the appropriate control systems and then determine whether those systems are properly connected to manage the enterprise. Together, these are referred to as the enterprise’s internal control systems.

COSO Internal Control Framework 
COSO refers to the five professional auditing and accounting organizations that formed a committee to develop this internal control report; its official title is Internal Control—Integrated Framework. This section describes the COSO internal control framework and its use as an IT governance tool for internal control assessments and evaluations.

COSO provides an excellent description of this multidimensional concept of internal controls, defining internal control as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 
• Effectiveness and efficiency of operations 
• Reliability of financial reporting 
• Compliance with applicable laws and regulations

COSO uses a three-dimensional model or framework to describe an internal control system in an enterprise.
Exhibit 4.1 shows this COSO internal control framework as a three-dimensional model with five levels on the front-facing side and the three major objective categories of internal control—effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations—taking roughly equal segments of the model as slices across its top. The right-hand side of Exhibit 4.1 shows three segments representing enterprise units or activities, but there could be many more of these depending on the structure of the enterprise.


The point of the COSO internal control framework is that we should always consider each identified internal control in terms of how it relates to the other associated internal control elements in the three-dimensional framework.
