IT General Controls

Dion Hamilton

Miratech MGRC Practice Lead, Co-founder and Principal Advisor for Global Risk Consulting

Governance may be defined as the development and implementation of business processes and monitoring systems by the administrative and oversight bodies of an organization. Governance consists of seven elements: (1) Organizational Strategy / Program Management; (2) Policies and Procedures; (3) Risk Management; (4) Performance Management; (5) Resource Management; (6) Staff Development & Training; and (7) Communications.

Preventive Controls
Preventive controls are the first type of internal control and are designed to prevent errors, inaccuracies or fraud before they occur. Preventive controls include measures such as documented policies and procedures, data validation, and similar controls.

Detective Controls
Detective controls are the second type of internal control and are designed to detect errors, inaccuracies or fraud after they occur. Detective controls are also a key component of the internal control environment. Detective controls include activities such as account reconciliations, physical inventory observation, physical security, and intrusion detection systems.

Monitoring Controls
Finally, the third type of internal control is monitoring controls, which may be defined as internal controls implemented to ensure that the other internal controls operate effectively over time (COSO definition). Monitoring controls include periodic budgets and management reporting, key performance indicators (KPIs), and metrics.

When monitoring controls are designed and implemented appropriately, organizations benefit by being able to:
1. Identify and correct internal control weaknesses in a timely manner;
2. Produce more accurate and reliable information for use in decision-making;
3. Prepare accurate and timely financial statements; and
4. Provide periodic certifications or assertions on the effectiveness of internal controls.

Information Technology General Controls (ITGCs) are an integral component of the internal controls over financial reporting. ITGCs are internal controls that apply to all system components of a business application, its processes or its data. Because today's business processes are driven by technology, ITGCs must be included when evaluating the operating effectiveness of the internal controls over financial reporting. The evaluation of the IT controls over business systems and applications covers the following five areas:
1. IT Governance
2. Access to Programs & Data
3. Computer Operations
4. Change Management
5. System Development Life Cycle

In conclusion, the effective and efficient evaluation of internal controls over financial reporting must also include an evaluation of ITGCs. Without the proper consideration and evaluation of ITGCs, organizations are subjected to increased risks to their financial environment, including inappropriate access to business systems, inaccurate recording and reporting of transactions, and even fraud.
