Internal controls can help meet business goals, says ISACA
IT and business control policies can not only minimize risk but help create value, according to report
Internal control policies can help companies to get value from their business processes, as well as minimizing business risk, according to a new report from ISACA.
The IT industry association has published a new report that illustrates how proper internal controls such as COBIT 5 can ensure that organisations define and achieve their goals, as well as manage their risk exposure.
The white paper, titled 'Internal Control Using COBIT 5', assesses the role internal control can play in a well-run enterprise and contends that internal control often is misunderstood in the business world.
"Some enterprises see implementing internal controls as cumbersome, but with a properly executed, business-oriented internal control framework, they will have a clear path to achieving desirable outcomes and mitigating damaging consequences," said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA's board of directors and group director of information security for INTRALOT.
"Effective internal control can keep business units from unintentionally undermining each other's objectives," said Dimitriadis. "Without a mechanism for central oversight, decisions made at the individual business-unit level might counteract or adversely impact other areas. This is the essence of internal control: to provide that oversight and the holistic viewpoint."
ISACA defines internal controls as "the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected." In a business context, control typically refers to how activities are monitored and directed.
The paper describes a well-designed internal control environment as one ensuring that resources are used appropriately, legal compliance occurs, and financial information and reporting are reliable. Enterprises are encouraged to use internal controls as a mechanism to be certain that value is created from an array of practice areas covering functions such as IT, enterprise risk management and finance. Multiple layers within an organisation are encouraged to share ownership of the process.
COBIT 5, a business framework for the governance and management of enterprise IT, identifies systematic goal-setting as a key aspect of establishing a well-designed internal control environment. COBIT 5 pinpoints seven enablers that help enterprises accomplish their internal control goals and deliver value to stakeholders:
- Principles, policies and frameworks
- Organisational structures
- Culture, ethics and behavior
- Services, infrastructure and applications
- People, skills and competencies
COBIT 5 also supplies guidance about selecting controls that fit the goals of an organization. The process of determining control selection consists of three phases - identifying goals, determining opportunity/risk gaps and defining coverage. Once specific controls addressing the gaps have been identified, enterprises benefit from establishing a budget, success metrics and other factors that assist implementation.
According to the white paper, enterprises must regularly assess their internal control framework. Changing technologies, evolving business processes and updates to organisational structure dictate that internal control must be adaptable over time.