Control is defined as policies, procedures, practices and organization structure that are designed to provide reasonable assurance that business objectives are achieved, and undesired events are prevented or detected and corrected. These controls can be manual, automated or semi-automated (partially manual and partially automated). The objective of a control is to mitigate the risk.
- Manual Control: A person manually verifies that the goods ordered in the PO are received in good condition and that the vendor invoice reflects the quantity and price as per the PO.
- Automated Control: The above verification is done automatically by the computer system, which compares the PO, goods receipt and invoice and highlights exceptions.
- Semi-Automated Control: Verification of the Goods Receipt against the PO could be automated, while the vendor invoice matching is done manually in a reconciliation process.
IMPORTANCE OF IT CONTROLS
Implementing the right type of controls is the responsibility of management.
APPLYING IT CONTROLS
A common classification of IT controls is General Controls and Application Controls. General Controls are macro in nature and their impact pervades the IT environment at different layers, whereas Application Controls are specific to the application software.
INFORMATION TECHNOLOGY GENERAL CONTROLS (ITGC)
ITGC, also known as Infrastructure Controls, include, but are not limited to:
- Information Security Policy: The security policy is approved by the senior management and encompasses all areas of enterprise.
- Administration, Access, and Authentication: Appropriate policies and procedures, a clear definition of the levels of access, and authentication of users.
- Separation of key IT functions: Secure deployment of IT requires an organization structure with a clear demarcation of duties for different personnel within the IT department, so as to ensure Segregation of Duties (SOD).
- Management of Systems Acquisition and Implementation: Process of acquisition and implementation of systems should be properly controlled.
- Change Management: IT solutions deployed must be changed in tune with changing needs. All changes must be properly approved by the management, before implementation.
- Backup, Recovery and Business Continuity: Heavy dependence on IT and criticality makes it necessary to have appropriate backup, recovery and off-site data center.
- Proper Development and Implementation of Application Software: Application software drives the business processes, so its development and implementation must be properly controlled.
- Confidentiality, Integrity and Availability of Software and data files: Security is implemented to ensure Confidentiality, Integrity and Availability of information.
- Incident response and management: Various incidents may arise due to failure of IT. These incidents need to be appropriately responded to and managed.
- Monitoring of Applications and supporting Servers: The Servers and applications running on them are monitored to ensure that they are working continuously.
- Value Add areas of Service Level Agreements (SLA): SLAs with vendors are regularly reviewed to ensure that the services are delivered as per the specified performance parameters.
- User training and qualification of Operations personnel: The personnel deployed have required competencies and skill-sets to operate and monitor the IT environment.
It is important to note that proper and consistent operation of automated controls or IT functionality often depends upon effective IT general controls.
Application Controls are built into the application software to ensure accurate and reliable processing.
They are designed to ensure the completeness, accuracy, authorization and validity of data capture and transaction processing.
Some examples of Application controls are as follows:
- Data edits (editing of data is allowed only for permissible fields);
- Separation of business functions (e.g., transaction initiation versus authorization);
- Balancing of processing totals (debit and credit of all transactions are tallied);
- Transaction logging (all transactions are identified with unique id and logged);
- Error reporting (errors in processing are reported); and
- Exception Reporting (all exceptions are reported).
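The automated three-way match from the opening example (PO against goods receipt against vendor invoice) and the application controls listed above can be shown together in working code. The following is an added illustration, not code from the original notes: it implements the match as an automated control, records every transaction under a unique id (transaction logging), checks that debits and credits tally (balancing of processing totals) and produces an exception report listing only the failures. All purchase orders, receipts, invoices, journal entries and the price tolerance are constructed sample values.

```python
"""Automated application controls over a purchase-to-pay process (added example)."""
from dataclasses import dataclass, field
from decimal import Decimal
import uuid


@dataclass
class PurchaseOrder:
    po_id: str
    item: str
    qty: int
    unit_price: Decimal


@dataclass
class GoodsReceipt:
    po_id: str
    qty_received: int
    quality_ok: bool


@dataclass
class VendorInvoice:
    po_id: str
    qty: int
    unit_price: Decimal


@dataclass
class TransactionLog:
    """Transaction logging control: every run of the match gets a unique id."""
    entries: list = field(default_factory=list)

    def record(self, po_id, outcome, detail):
        txn_id = str(uuid.uuid4())
        self.entries.append({"txn_id": txn_id, "po_id": po_id,
                             "outcome": outcome, "detail": detail})
        return txn_id


# Assumption: price tolerance would be set by purchasing policy; constructed here.
PRICE_TOLERANCE = Decimal("0.01")


def three_way_match(po, gr, inv):
    """Automated control: returns exception messages; an empty list means a clean match."""
    exceptions = []
    if gr.po_id != po.po_id or inv.po_id != po.po_id:
        exceptions.append("document does not reference this PO")
    if not gr.quality_ok:
        exceptions.append("goods receipt flagged a quality problem")
    if gr.qty_received != po.qty:
        exceptions.append(f"quantity received {gr.qty_received} != PO quantity {po.qty}")
    if inv.qty != gr.qty_received:
        exceptions.append(f"invoiced quantity {inv.qty} != quantity received {gr.qty_received}")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE:
        exceptions.append(f"invoice price {inv.unit_price} != PO price {po.unit_price}")
    return exceptions


def balance_totals(journal):
    """Balancing control: total debits must equal total credits. Returns (ok, difference)."""
    debits = sum(e["debit"] for e in journal)
    credits = sum(e["credit"] for e in journal)
    return debits == credits, debits - credits


def run_controls(pos, grs, invs, log):
    """Match every PO, log each outcome, and return the exception report (failures only)."""
    gr_by_po = {g.po_id: g for g in grs}
    inv_by_po = {i.po_id: i for i in invs}
    report = []
    for po in pos:
        gr, inv = gr_by_po.get(po.po_id), inv_by_po.get(po.po_id)
        excs = ["missing goods receipt or invoice"] if gr is None or inv is None \
            else three_way_match(po, gr, inv)
        txn_id = log.record(po.po_id, "MATCHED" if not excs else "EXCEPTION", "; ".join(excs))
        if excs:
            report.append({"txn_id": txn_id, "po_id": po.po_id, "exceptions": excs})
    return report


# Constructed sample data: PO-1001 matches cleanly, PO-1002 is over-invoiced on price.
SAMPLE_POS = [PurchaseOrder("PO-1001", "widget", 10, Decimal("5.00")),
              PurchaseOrder("PO-1002", "gadget", 4, Decimal("20.00"))]
SAMPLE_GRS = [GoodsReceipt("PO-1001", 10, True), GoodsReceipt("PO-1002", 4, True)]
SAMPLE_INVS = [VendorInvoice("PO-1001", 10, Decimal("5.00")),
               VendorInvoice("PO-1002", 4, Decimal("22.50"))]
SAMPLE_JOURNAL = [{"debit": Decimal("50.00"), "credit": Decimal("0")},
                  {"debit": Decimal("0"), "credit": Decimal("50.00")}]


def run_demo():
    """Run all controls over the sample data; returns the report and the log."""
    log = TransactionLog()
    report = run_controls(SAMPLE_POS, SAMPLE_GRS, SAMPLE_INVS, log)
    return {"report": report, "log": log, "balanced": balance_totals(SAMPLE_JOURNAL)[0]}


if __name__ == "__main__":
    result = run_demo()
    for row in result["report"]:
        print(row["txn_id"], row["po_id"], row["exceptions"])
    print("journal balanced:", result["balanced"])
```

The exception report is the auditor-facing artefact: a clean match produces no row, so a reviewer only reads the failures, while the transaction log still proves that every PO was examined.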
KEY INDICATORS OF EFFECTIVE IT CONTROLS
- The ability of IT to support new products and services.
- Development of projects on time and within budget.
- The efficient use of the help desk.
- Availability and reliability of information.
- The ability to protect against threats and to recover from any disruption.
- Heightened security awareness.
ENTERPRISE RISK MANAGEMENT
In implementing controls, it is important to adopt a holistic and comprehensive approach.
An overall risk management strategy has to be adopted, designed and promoted by top management and implemented in an integrated manner at all levels of enterprise operations as required. Regulations also require enterprises to adopt a risk management strategy that is appropriate for the enterprise. Hence, the type of controls implemented in an enterprise's information systems would depend on this risk management strategy.
BENEFITS OF ENTERPRISE RISK MANAGEMENT
No entity operates in a risk-free environment, and ERM does not create such an environment. Rather, it enables management to operate more effectively in environments filled with risks.
ERM provides enhanced capability to do the following:
- Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based level, that an enterprise is willing to accept. Management considers the entity's risk appetite first in evaluating strategic alternatives and in developing mechanisms to manage the related risks.
- Link growth, risk and return: ERM provides an enhanced ability to identify and assess risks, and to establish acceptable levels of risk relative to growth and return objectives.
- Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk responses (risk avoidance, reduction, sharing and acceptance). ERM provides methodologies and techniques for making these decisions.
- Minimize operational surprises and losses: Entities have an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
- Identify and manage cross-enterprise risks: Management needs not only to manage individual risks but also to understand their interrelated impacts.
- Provide integrated responses to multiple risks: Business processes carry many inherent risks, and ERM enables integrated solutions for managing them.
- Management gains an understanding of how certain events represent opportunities.
- More robust information on an entity's total risk allows management to assess overall capital needs more effectively and improve capital allocation.
COMPONENTS OF ENTERPRISE RISK MANAGEMENT
ERM consists of eight interrelated components.
- Internal Environment: The internal environment sets the foundation for how risk and control are viewed and addressed by an entity's people. Management sets a philosophy regarding risk and establishes a risk appetite.
- Objective Setting: ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission/vision and are consistent with the entity's risk appetite.
- Event Identification: Potential events that might have an impact on the entity should be identified. It includes distinguishing between potential events that represent risks, those representing opportunities and those that may be both.
- Risk Assessment: Identified risks are analyzed to form a basis for determining how they should be managed.
- Risk Response: Management selects an approach or set of actions to align assessed risks with the entity's risk tolerance and risk appetite. Personnel identify and evaluate possible responses to risks, including avoiding, accepting, reducing and sharing risk.
- Control Activities: Policies and procedures are established and executed to help ensure that the risk responses management selected, are effectively carried out.
- Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
- Monitoring: The entire ERM process should be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.
FRAMEWORK OF INTERNAL CONTROL AS PER SA 315
An Internal Control System:
- Helps safeguard the assets of the entity.
- Helps ensure the reliability of internal and external financial reporting.
- Facilitates the effectiveness and efficiency of operations.
- Assists compliance with applicable laws and regulations.
The five components of any internal control as they relate to a financial statement audit are explained below.
The Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Every entity faces a variety of risks from external and internal sources.
Risk Assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
Thus, Risk Assessment forms the basis for determining how risks will be managed.
Control Activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
Control activities may be preventive or detective.
Information and Communication
Management obtains or generates information from both internal and external sources.
Communication enables personnel to receive a clear message from senior management that control responsibilities should be taken seriously.
Monitoring of Controls
Evaluations are used to ascertain whether the components of internal control are present and functioning.
LIMITATIONS OF INTERNAL CONTROL SYSTEM
Internal control, no matter how effective, can provide an entity with only reasonable assurance, not absolute assurance, about achieving the entity's objectives. Internal control systems are subject to certain inherent limitations, such as:
- Management's consideration that the cost of an internal control should not exceed the expected benefits to be derived from it.
- The fact that most internal controls do not tend to be directed at transactions of an unusual nature.
- The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity.
- The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
- The potential for human error, for example due to carelessness, distraction, mistakes of judgement or misunderstanding of instructions.
- Manipulations by management with respect to transactions or to the estimates and judgements required in the preparation of financial statements.