This Lecture Covers Review of Internal Control Definitions.
This Lecture Covers
• Review of Internal Control Definitions
Control types, classified by how well goals, tasks and outcomes are specified and by how readily the behavioural processes can be observed:

                                   Goals, tasks, outcomes
                                   Well specified        Poorly specified
  Behavioural processes
    Readily observable             Cybernetic control    Combination
    Difficult to observe           Combination           Socio-cultural control
OECD Principles
Accountability. The responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit.
Awareness. In order to foster confidence in information systems, owners, providers, and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices, and procedures for the security of information systems.
Ethics. Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
Multidisciplinary. Measures, practices, and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational, and legal.
Proportionality. Security levels, costs, measures, practices, and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability, and extent of potential harm, as the requirements for security vary depending upon the particular information systems.
Integration. Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security.
Timeliness. Public and private parties at both national and international levels should act in a timely, coordinated manner to prevent and to respond to breaches of security of information systems.
Reassessment. The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
Democracy. The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.
Internal Control
• General Control Frameworks
  – CICA/CoCo
  – AICPA/COSO
• IT Control Frameworks
  – ITCG
  – ISACA (CobiT)
  – SysTrust
• They all compete with each other to varying degrees
Internal Control - CICA HB - Section 5200
Management discharges its responsibility for:
• Optimizing the use of resources - ensuring that reliable information is provided for setting business policies and for monitoring their implementation and compliance with them
• Prevention/detection of error and fraud - on a cost/benefit basis
• Safeguarding of assets - against unintentional exposure
• Maintaining reliable control systems - to enhance the reliability of financial information
CoCo
CoCo groups its criteria into four components:
• Purpose
  – objectives (including mission, vision and strategy)
  – risks
  – policies
  – planning
  – performance targets and indicators
• Commitment
  – ethical values including integrity
  – human resource policies
  – authority, responsibility and accountability
  – mutual trust
• Capability
  – knowledge, skills and tools
  – communication processes
  – information co-ordination
  – control activities
• Monitoring and Learning
  – monitoring internal and external environments
  – monitoring performance
  – challenging assumptions
  – reassessing information needs and information systems
  – follow-up procedures
  – assessing the effectiveness of control
[Figure: the CoCo cycle, with ACTION at the centre surrounded by PURPOSE, COMMITMENT, CAPABILITY, and MONITORING & LEARNING]
AICPA/COSO
• 1988 SAS 55 issued for Internal Control
• 1995 SAS 78 issued - it embodied COSO model of internal control into standards
• 2001 SAS 94 issued - it describes the effect of IT controls on auditor
Committee of Sponsoring Organizations of the Treadway Commission
• COSO control objectives:
  – effectiveness/efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations
COSO's 5 components of Internal Control
• Control environment - integrity, ethical values and competence of personnel
• Risk Assessment - identifying, analyzing and managing risks
• Control Activities - selecting appropriate internal control policies and procedures to address risks and achieve the objectives
• Information and Communication - enabling the entity's personnel to develop and exchange the information needed to conduct, manage and control operations
• Monitoring - helping determine and report on the effectiveness of internal control procedures