Image may be NSFW.
Clik here to view.
Enterprises can extract value not simply minimise risk from their internal control policies, according to a new report1 from the US-based IT association ISACA2. The white paper, titled Internal Control Using COBIT 5, assesses the role internal control can play in a well-run enterprise and contends that internal control often is misunderstood in the business world. Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA s board of directors and group director of information security for INTRALOT, said: Some enterprises see implementing internal controls as cumbersome, but with a properly executed, business-oriented internal control framework, they will have a clear path to achieving desirable outcomes and mitigating damaging consequences.
ISACA defines internal controls as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. In a business context, control typically refers to how activities are monitored and directed. The paper describes well-designed internal control as ensuring that resources are used appropriately, legal compliance occurs, and financial information and reporting are reliable. Enterprises are encouraged to use internal controls as a mechanism to be certain that value is created from an array of practice areas covering functions such as IT, enterprise risk management and finance. Multiple layers within an organization are encouraged to share ownership of the process. COBIT 5 a business framework for the governance and management of enterprise IT identifies systematic goal-setting as a key aspect of establishing a well-designed internal control environment. COBIT 5 pinpoints seven enablers that help enterprises accomplish their internal control goals and deliver value to stakeholders:
Principles, policies and frameworks
Processes
Organisational structures
Culture, ethics and behavior
Information
Services, infrastructure and applications; and
People, skills and competencies
COBIT 5 also supplies guidance about selecting controls that fit the goals of an organization.
The process of determining control selection consists of three phases identifying goals, determining opportunity/risk gaps and defining coverage. Once specific controls addressing the gaps have been identified, enterprises benefit from establishing a budget, success metrics and other factors that assist implementation. Dimitriadis added: Effective internal control can keep business units from unintentionally undermining each other s objectives. Without a mechanism for central oversight, decisions made at the individual business-unit level might counteract or adversely impact other areas. This is the essence of internal control: to provide that oversight and the holistic viewpoint.
According to the white paper, enterprises must regularly assess their internal control framework.
Changing technologies, evolving business processes and updates to organizational structure dictate that internal control must be adaptable over time.
Internal Control Using COBIT 5 is available as a free download at www.isaca.org/internal-control3.
