This Lecture Covers Review of Internal Control Definitions.


Transcript of This Lecture Covers Review of Internal Control Definitions.

Page 1:

This Lecture Covers

• Review of Internal Control Definitions

Page 2:

Control

The slide is a two-by-two matrix of control types, classified by how well goals, tasks and outcomes are specified and by how observable the behavioural processes are:

                                   Behavioural Processes
                                   Readily Observable   Difficult to Observe
Goals, Tasks,   Well Specified     Cybernetic           Combination
Outcomes        Poorly Specified   Combination          Socio-cultural

Page 3:

Control

Page 4:

OECD Principles

Accountability. The responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit.

Awareness. In order to foster confidence in information systems, owners, providers, and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices, and procedures for the security of information systems.

Ethics. Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

Multidisciplinary. Measures, practices, and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational, and legal.

Proportionality. Security levels, costs, measures, practices, and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability, and extent of potential harm, as the requirements for security vary depending upon the particular information systems.

Integration. Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security.

Timeliness. Public and private parties at both national and international levels should act in a timely, coordinated manner to prevent and to respond to breaches of security of information systems.

Reassessment. The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

Democracy. The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

Page 5:

Internal Control

• General Control Frameworks
  – CICA/COCO
  – AICPA/COSO

• IT Control Frameworks
  – ITCG
  – ISACA (CoBIT)
  – SysTrust

• They all compete to varying degrees

Page 6:

Internal Control - CICA HB - Section 5200

Management discharges responsibility:

• Optimizing use of resources - ensure that reliable info is provided for business policies and monitoring implementation and compliance with the policies

• Prevention/detection of error fraud - using cost/benefit

• Safeguarding of assets - unintentional exposure

• Maintaining reliable control systems - to enhance reliability of financial information

Page 7:

CoCo

Purpose
  – objectives (including mission, vision and strategy)
  – risks
  – policies
  – planning
  – performance targets and indicators

Commitment
  – ethical values including integrity
  – human resource policies
  – authority, responsibility and accountability
  – mutual trust

Capability
  – knowledge, skills and tools
  – communication processes
  – information co-ordination
  – control activities

Monitoring and Learning
  – monitoring internal and external environments
  – monitoring performance
  – challenging assumptions
  – reassessing information needs and information systems
  – follow-up procedures
  – assessing the effectiveness of control

Figure: CoCo control cycle diagram with the elements Purpose, Commitment, Capability, Action, and Monitoring & Learning.

Page 8:

AICPA/COSO

• 1988 SAS 55 issued for Internal Control

• 1995 SAS 78 issued - it embodied COSO model of internal control into standards

• 2001 SAS 94 issued - it describes the effect of IT controls on the auditor

Page 9:

Committee of Sponsoring Organizations of the Treadway Commission

• COSO control objectives:
  – effectiveness/efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations

Page 10:

COSO’s 5 components of Internal Control

• Control environment - integrity, ethical values and competence of personnel

• Risk Assessment - identifying, analyzing and managing risks

• Control Activities - selecting appropriate internal control policies & procedures to address risks and achieve the objectives

• Information and communication - enabling the entity's personnel to develop and exchange info needed to conduct, manage and control operations

• Monitoring - help determine and report on the effectiveness of I/C procedures