Control Self-Assessment for Information and Related Technology
Essay by mahani • June 7, 2015 • Essay • 5,911 Words (24 Pages) • 1,553 Views
To ensure smooth functioning of an enterprise striving to achieve predetermined objectives, business processes are identified and defined. To ensure the proper completion of process work, procedures are defined, documented and established. Business procedures need to be properly controlled to ensure smooth completion. Out-of-control procedures are expensive; therefore, controls need to be in place. These controls can be preventive, detective and/or corrective in nature. However, the adequacy of controls over procedures depends on various factors, including a balance between costs incurred for implementing controls and the resulting benefits derived. Many controls are essential overheads for the business, and therefore, their effectiveness must be reviewed periodically. Internal audit of controls, an essential overhead, helps avoid relaxation on controls. Ultimately, the control overheads constitute a major expenditure item.
Assurance that the controls are in place and effective is essential. This assurance can be given through control self-assessment (CSA), also referred to as control self-assurance.
Systems and procedures for many business organizations within various sectors have evolved over time. For example, banking is the oldest service sector and the controls over banking procedures are essential not only for the bank, but also for society in general. Controls in banking procedures have also evolved over time; however, adoption of information technology by banks has prompted changes in banking operations, which have necessitated changes in control structures. What is applicable to banking can also be applied to other organizations and industries, particularly to medium and large organizations with diversified activities and more than one department/section/branch/office.
Provisions of the US Sarbanes-Oxley Act of 2002 require corporate management to assure investors and satisfy audit committees about the adequacy of operational controls. CSA of the IT operations in these organizations will help assure customers, stakeholders and government agencies that controls are in place and effective.
This paper explains the importance of CSA for IT and suggests three models to develop the CSA program. The examples and discussions are mainly conceptual and cannot be implemented without considering the internal procedures of the individual organization.
Note: Control self-assessment, control self-assurance and control coassessment are three different methods based on the same concept. This paper refers to all three methods as CSA, since the purpose of this paper is not to point out the differences in these methods, but to introduce a basic model for developing CSA.
Need for Internal Controls
There are a number of reasons for the use of internal controls:
- Changing business process—Developments in information and related technology over the last 40 years have made it increasingly evident to managers, controllers, regulators, government authorities, lawmakers, users and service providers that there is a need for a reference framework for security and control in IT. Effective IT management is critically important to the success of an organization, due to:
  - The increasing dependence on information systems
  - The increasing vulnerabilities and cyberthreats
  - The scale and cost of current and future investments in IT
  - The potential for technologies to change the business processes, procedures and practices of an organization
  - The likelihood that technology will create new business opportunities at reduced costs
  - The fact that information can travel through cyberspace without the constraints of time, distance and speed
- Change of focus on IT—Organizations, particularly service sector organizations, are increasingly dependent on information technology.

  In its earlier days, this technology consisted primarily of costly batch operations. Hence, it was used only as a support function for management. With the reduction in size and computer cost, online operations became possible and the use of IT shifted from a support function to a business enabler. Today, IT is integrated into business processes and it is no longer a separate function.

  Organizations are also creating new IT-enabled products and services, and technocrats are predicting that future organizations will exist only in cyberspace.
- Control investment—To maintain a successful organization, understanding and managing the risks associated with implementing new technology is essential, and to provide effective direction and adequate controls, management should have an appreciation for and a basic understanding of the risks and constraints of IT.

  Management must decide what to invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help to manage risks, they do not eliminate them. Management, however, must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Users of IT services need assurance, through accreditation and the audit of IT services, that adequate security and control exists.
- Competition—Global competition is here. Organizations are restructuring to streamline operations, take advantage of the advances in IT and improve their competitive position. Business reengineering, right-sizing, outsourcing, empowerment, flattened organizations and distributed processing are all changes that impact the way in which business and governmental organizations operate. These changes are having, and will continue to have, profound implications for the management and operational control structures within organizations.

  Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organizations. Automating organizational functions, by its very nature, dictates the incorporation of more powerful control mechanisms into computers and networks, both hardware- and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same manner as the underlying computing and networking technologies.

  Within this framework of accelerated change, the skills of managers, information systems specialists and auditors must evolve as rapidly as the technology and the environment, if they are going to be able to effectively fulfill their roles. If one is to exercise reasonable and prudent judgment in evaluating control practices found in typical business or governmental organizations, one must understand the technology of controls involved and its changing nature.
- Nature of business—The administrative structure of banks is based on a decentralized model and this branch office structure is applicable to many organizations. The administrator, responsible for the accomplishment of a branch's goals and objectives, is also responsible for the establishment, maintenance and monitoring of the internal control system, which helps ensure the accomplishment of goals and objectives.

  Good internal controls provide reliable financial reporting to assist management's decisions in maintaining sound business conditions, protection of assets including human resources, and compliance with the policies of the board of directors, internal and statutory rules, regulations and procedures.

  Poor internal controls can result in increased bureaucracy, reduced productivity, increased complexity, increased transaction processing time and an increase in nonvalue activities. In addition, poor internal controls interfere with the accomplishment of the branch's goals and objectives, allow misuse or abuse of assets, and may leave an entity open to public mistrust.
- Sarbanes-Oxley Act—This US Act has redefined the rules for corporate governance, disclosure and reporting. Sarbanes-Oxley requires that company management should be:
  - Aware of material information that is filed with the government and released to investors
  - Held accountable for the fairness, thoroughness and accuracy of this information
- Control self-assessment—While internal and statutory audits assist management in evaluating procedures and internal controls, auditors are unable to visit and work with each branch/office on a regular basis. To assist management in evaluating internal controls and increase the employees' understanding of those controls, CSA needs to be developed and implemented. Many organizations have considered implementation of CSA because of the constraints on internal audit resources due to downsizing and budget tightening.1 CSA assists management in defining objectives; implementing the self-assessment of risks, controls and residual risks; and developing action plans to mitigate excessive risk.
The Need for CSA
CSA is an extension of the internal control mechanism. Unless internal controls are implemented, it cannot function. Therefore, an understanding of internal control is required.
...
...