ACCOUNTING
INFORMATION SYSTEM
INTERNAL CONTROL
GROUP MEMBERS
• Phan Trúc Quyền - 2006197
• Đặng Nguyễn Anh Đào – 2132921
• Hồ Thảo Vy – 2005226
• Phạm Hải Yến - 2004279
OUTLINE
• General introduction to internal control
• Introduction to COSO 2013
• Introduction to COBIT 2013
• Comparison between COSO 2013 and COBIT 2013
• Conclusion
Internal Control
• A process
• Effected by an entity's board of directors, management and other personnel
• Objectives:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with laws and regulations
Control Environment
• Sets the tone of the organization
• Influences the control consciousness of its people
Areas included:
• Integrity and ethical behavior
• Commitment to competence
• Board of directors and audit committee participation
• Management philosophy and operating style
• Organization structure
• Assignment of authority and responsibility
• Human resource policies and practices
Control Activities
The policies and procedures that:
-> ensure management directives are carried out
-> ensure necessary actions are taken to address risks to the achievement of the entity's objectives
Include a range of activities:
• Approvals
• Authorizations
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets
• Segregation of duties
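The following is an added example, not part of the original slides, showing how two of the control activities listed above (approvals/authorizations and segregation of duties) can be enforced programmatically in a small payment workflow. The role names, conflict pairs, approval limits and sample transactions are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed SoD conflict pairs (assumption): a single user holding both
# roles of a pair could initiate and conceal an improper transaction.
SOD_CONFLICTS = (
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "reconcile_bank"}),
)

# Constructed authorization limits (assumption): the largest amount each
# approver level may approve.
APPROVAL_LIMITS = {"manager": 10_000, "director": 100_000}

def sod_violations(user_roles):
    """Return (user, conflicting_pair) for every role assignment that
    grants a user both halves of a conflicting pair."""
    found = []
    for user, roles in sorted(user_roles.items()):
        for pair in SOD_CONFLICTS:
            if pair <= set(roles):
                found.append((user, pair))
    return found

@dataclass
class Payment:
    amount: int
    prepared_by: str
    approved_by: str
    approver_level: str

def check_payment(p):
    """Apply the approval and SoD controls to one payment; an empty list
    means the payment passed both checks."""
    findings = []
    if p.prepared_by == p.approved_by:
        findings.append("preparer approved own payment")
    limit = APPROVAL_LIMITS.get(p.approver_level)
    if limit is None:
        findings.append(f"unknown approver level {p.approver_level!r}")
    elif p.amount > limit:
        findings.append(f"amount {p.amount} exceeds {p.approver_level} limit {limit}")
    return findings

if __name__ == "__main__":
    # Constructed sample data: alice holds a conflicting role pair.
    roles = {"alice": {"enter_invoice", "approve_payment"}, "bob": {"enter_invoice"}}
    print(sod_violations(roles))
    print(check_payment(Payment(50_000, "bob", "alice", "manager")))
```

Running the role check periodically over the real role assignments, and the payment check at approval time, turns the listed control activities into detective and preventive controls respectively.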
Scope of operations
• Achieving entity performance and profitability targets
• Preventing loss of resources
• Helping ensure reliable financial reporting
• Ensuring the enterprise complies with laws and regulations
• Avoiding damage to its reputation and other consequences
Restrictions
• Cannot change an inherently poor manager into a good one
• Cannot ensure success, or even survival
• Provides no absolute assurance that the entity's objectives will be achieved
• Judgments in decision-making can be faulty, and breakdowns can occur
• The design of an internal control system must reflect the fact that there are resource constraints
• The benefits of controls must be considered relative to their costs
COSO (Committee of Sponsoring Organizations)
A joint initiative of five private sector organizations, established in the United States:
– The Institute of Management Accountants (IMA)
– The American Accounting Association (AAA)
– The American Institute of Certified Public Accountants (AICPA)
– The Institute of Internal Auditors (IIA)
– Financial Executives International (FEI)
-> to provide thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting
COSO 2013 Objectives
• The effectiveness and efficiency of operations, including operational and financial performance goals, and safeguarding assets against loss. In the 1992 Framework, the operations objective was limited to “effective and efficient use of the entity’s resources.”
• The reliability of financial reporting. In the 1992 Framework, the reporting objective was called the financial reporting objective and it was described as “relating to the preparation of reliable financial statements.”
• Compliance with laws and regulations. The 2013 Framework considers the increased demands and complexities in laws, regulations, and accounting standards that have occurred since 1992.
COSO Framework
Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability
Risk Assessment
• Specifies suitable objectives
• Identifies and analyzes risk
• Assesses fraud risk
• Identifies and analyzes significant change
Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures
Information and Communication
• Uses relevant information
• Communicates internally
• Communicates externally
Monitoring
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies
Changes in COSO 1992 to 2013
COBIT (Control Objectives for Information and related Technology)
• An IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks
• Enables clear policy development and good practice for IT control throughout organizations
• Helps organizations to increase the value attained from IT
• Enables alignment and simplifies implementation of the COBIT framework
The Purpose of COBIT
• Improves IT efficiency and effectiveness
• Helps IT understand the needs of the business
• Puts practices in place to meet the business needs as efficiently as possible
• Helps executives understand and manage IT investments throughout their life cycle
• Provides a method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected
• Helps to develop and document the appropriate organizational structures, processes and tools for effective management of IT
• Provides an authoritative, international set of generally accepted practices that helps boards of directors, executives and managers increase the value of IT and reduce related risks
Principles
Stakeholders’ needs
Internal stakeholders
• Board
• CxOs
• Business process owners and managers
• Risk and security managers
• HR managers
• IT managers and IT audit
• IT users
Needs
• Value from IT
• Performance of IT
• Strategic use of new technology
• Compliance with regulations
• IT-related risk control
• Control of IT costs (and sourcing options)
• IT skills
• IT programme/project control
External stakeholders
• Shareholders
• Business partners and suppliers
• Regulators/government
• Customers
• External users
• External auditors
Needs
• Security/reliability of partners?
• Is the enterprise compliant?
• Effective enterprise internal controls?
Enterprises exist to create value for their stakeholders. Consequently, any
enterprise—commercial or not—will have value creation as a governance
objective. Value creation means realizing benefits at an optimal resource cost
while optimizing risk.
Step 1. Stakeholder Drivers Influence Stakeholder Needs
• Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and new technologies.
Step 2. Stakeholder Needs Cascade To Enterprise Goals
• Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC).
Step 3. Enterprise Goals Cascade To IT-related Goals
• Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC).
Step 4. IT-related Goals Cascade To Enabler Goals
• Achieving IT-related goals requires the successful application and use of a number of enablers.
Covering the Enterprise End-to-End
• Covers governance and management of IT (GEIT)
• Integrates GEIT into Enterprise Governance
• Seamless integration since aligned with latest views
• Not focused ONLY on the IT function
– Covers all functions and processes within the enterprise
– IT is like all other assets in an enterprise
Single Integrated Framework
COBIT 5 is a single and integrated framework because:
1. It aligns with other latest relevant standards and frameworks, and thus
allows the enterprise to use COBIT 5 as the overarching governance and
management framework integrator.
2. It is complete in enterprise coverage, providing a basis to integrate
effectively other frameworks, standards and practices used.
3. A single overarching framework serves as a consistent and integrated
source of guidance in a nontechnical, technology-agnostic common
language.
4. It provides a simple architecture for structuring guidance materials and
producing a consistent product set.
5. It integrates all knowledge previously dispersed over different ISACA
frameworks.
Enabling a Holistic Approach
• Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
• Organizational structures are the key decision-making entities in an enterprise.
• Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
• Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
• People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Enabling a Holistic Approach
Enablers must be interconnected
– Inputs from other enablers
– Outputs to benefit other enablers
(Diagram of interconnected enablers: Information; People, Skills and Competencies; Organizational Structures; Process)
Separating Governance From Management
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
VS
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.