Internal Control Definition
Describes the policies, plans, and procedures implemented by management to protect assets, ensure data accuracy/completeness, and meet business objectives.
Who are the people involved?
Board of directors, Management, and other key personnel.
Reasonable Assurance Goals
Efficiency and effectiveness of operations, reliability of reporting, protection of assets, and compliance with applicable laws and regulations.
SAS No. 94
Auditing standard (The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit) giving auditors guidance on how IT affects internal controls and on adjusting audit procedures accordingly.
Sarbanes-Oxley (2002)
US law enacted to protect investors by improving the accuracy and reliability of corporate reporting, deterring fraud, and restoring trust in financial markets.
Internal Control Objectives
Safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency, and encourage adherence to managerial policies.
Governance Frameworks
COSO, CoCo, UK Corporate Governance Code, and INTOSAI
ERM Component 1: Internal Environment
Integrity and ethical values, commitment to employee competence, management philosophy and operating style, board attention and direction, assignment of authority and responsibility, and HR policies and practices.
ERM Component 2: Objective Setting
Strategic (high-level goals), Operations (efficiency and effectiveness), Reporting (accuracy and reliability), and Compliance (laws and regulations).
ERM Component 3: Event Identification
Identifying internal and external events that could affect objectives; events with negative impact are Risks, events with positive impact are Opportunities.
Risk Examples
Personnel changes, new information systems, new technology, industry changes, new products, and new rules or laws.
ERM Component 4/5: Assessment & Response
Risk Assessment estimates the likelihood and impact of each identified risk; Risk Response is management selecting actions to bring residual risk within its risk tolerance. Four responses: Accept, Avoid, Reduce, or Share.
ERM Component 6: Control Activities
Policies and procedures established to ensure risk responses are carried out. Includes: audit trail, asset protection, performance reports, personnel policies, and segregation of duties.
The Audit Trail
Allows a transaction to be followed from its source document through processing to the financial report, and traced back from the report to its source; makes errors and irregularities detectable rather than letting them pass unnoticed.
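The two properties the card describes, tracing a report figure back to its source documents and making any alteration of recorded data detectable, can be shown with a hash-chained journal. This is an added example, not code from the original page; the journal entries, document numbers, account names and helper function names are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first record (assumption of this example)


def _digest(prev_hash, seq, entry):
    """Hash of (previous record hash, sequence number, entry)."""
    payload = json.dumps({"seq": seq, "entry": entry}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain, entry):
    """Append a journal entry, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    record = {"seq": seq, "entry": dict(entry), "prev": prev,
              "hash": _digest(prev, seq, entry)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return None if the chain is intact, else the index of the first bad record.

    A changed amount, a deleted record, or a reordered record breaks the
    link at that point and is reported instead of passing silently.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if _digest(prev, i, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def trace_account(chain, account):
    """Trace a report-level account balance back to its source documents.

    Returns (balance, [source document ids in posting order]).
    """
    docs = [rec["entry"]["doc"] for rec in chain
            if rec["entry"]["account"] == account]
    balance = sum(rec["entry"]["amount"] for rec in chain
                  if rec["entry"]["account"] == account)
    return balance, docs


def build_sample_chain():
    """Constructed sample journal (hypothetical documents and amounts)."""
    chain = []
    append_entry(chain, {"doc": "INV-1001", "account": "expenses",
                         "amount": 500, "by": "alice"})
    append_entry(chain, {"doc": "INV-1002", "account": "expenses",
                         "amount": 1000, "by": "alice"})
    append_entry(chain, {"doc": "PAY-2001", "account": "cash",
                         "amount": -1500, "by": "bob"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)
    print("expenses traced to:", trace_account(chain, "expenses"))
    chain[1]["entry"]["amount"] = 10  # simulate an after-the-fact alteration
    print("first bad record after tampering:", verify_chain(chain))
```

The chain only makes alteration detectable; it does not stop someone with write access from rewriting every later hash as well, so in practice the hashes (or periodic checkpoints of them) are stored where the people who post entries cannot change them, which is the same custody-versus-recording split the segregation of duties card describes.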
Personnel Policy Examples
Hiring procedures, training, supervision, fair salary guidelines, job rotation, enforced vacations, fidelity insurance (bonding) for employees who handle liquid assets, and performance reviews.
Segregation of Duties
No single person should hold more than one of: custody of assets, recording of transactions, and authorization of transactions. Holding two of the three lets one person commit and conceal an irregularity without collusion.
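In systems, this rule is enforced at provisioning time by checking whether a requested role would give a user a second duty from the custody/recording/authorization set, and by periodically reviewing existing assignments for conflicts. The following is an added example, not code from the original page: the roles, users and the duty each role carries are constructed for a hypothetical accounts-payable process.

```python
from itertools import combinations

# The three duties the card says must be kept apart.
DUTIES = ("authorization", "custody", "recording")

# Constructed sample: which duty each role grants (hypothetical roles).
ROLE_DUTIES = {
    "ap_manager": {"authorization"},     # approves invoices for payment
    "ap_clerk": {"recording"},           # enters invoices into the ledger
    "treasury_signer": {"custody"},      # releases cash payments
    "helpdesk": set(),                   # no accounting duty at all
}

# Constructed sample assignments (hypothetical users).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "treasury_signer"},          # records and pays
    "carol": {"ap_manager", "helpdesk"},
    "dave": {"ap_clerk", "treasury_signer", "ap_manager"},
}


def duties_held(roles, role_duties=ROLE_DUTIES):
    """Set of segregated duties conferred by a set of roles."""
    held = set()
    for role in roles:
        held |= role_duties.get(role, set())
    return held & set(DUTIES)


def conflicting_pairs(duties):
    """All pairs of segregated duties present together, sorted for stable output."""
    return [pair for pair in combinations(DUTIES, 2) if set(pair) <= duties]


def find_sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Periodic review: map each user with a conflict to the duty pairs they combine."""
    report = {}
    for user, roles in user_roles.items():
        pairs = conflicting_pairs(duties_held(roles, role_duties))
        if pairs:
            report[user] = pairs
    return report


def check_assignment(user, new_role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Provisioning-time gate: duty pairs that granting new_role would create.

    An empty list means the grant is allowed. Conflicts the user already has
    are not excused: if they exist, the grant is still reported.
    """
    proposed = set(user_roles.get(user, set())) | {new_role}
    return conflicting_pairs(duties_held(proposed, role_duties))


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts().items():
        print(f"{user}: combines {pairs}")
    print("grant treasury_signer to alice:", check_assignment("alice", "treasury_signer"))
    print("grant helpdesk to alice:", check_assignment("alice", "helpdesk"))
```

The check is deliberately role-based rather than user-based: a user who acquires a conflicting duty through a second role, a group membership or a temporary elevation is caught the same way, and the review function can be run over an export of the identity system to find conflicts that accumulated over time.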
Internal Audit Function
Separate subsystem reporting to the board or high-level management; performs periodic operational audits to appraise information systems, internal controls, and compliance.
ERM Component 7: Info & Communication
Information: the system that identifies, captures, and records transactions and makes the results available. Communication: ensuring personnel understand their control responsibilities and policies, and that exceptions are reported upward to management.
ERM Component 8: Monitoring
Ongoing process of assessing the quality of controls over time and taking corrective action when deficiencies are found.
Natural/Political Threats
Fire, floods, war, and terrorism.
Software/Equipment Threats
Hardware failures, software bugs, OS crashes, power fluctuations.
Human Threats
Unintentional: human error or carelessness. Intentional: computer crimes such as sabotage, fraud, and embezzlement.
Definitions (Risk/Opportunity/Control)
Risk: exposure to the chance of injury or loss. Opportunity: an event with potential positive impact on objectives. Control: an activity, policy, or procedure intended to reduce a risk to an acceptable level.
Why Threats are Increasing
Ubiquity of PCs and laptops, difficulty of controlling LANs, and integration of systems with business partners.
Reasons for Lack of Protection
Underestimating the problem, not understanding the implications of networking, failing to see security as essential to survival, and pressure to prioritize productivity over control.