What are controls?
In accounting and auditing, internal control is defined as a process, affected by an organization's structure, work and authority flows, people, and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and in protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation, or intellectual property such as trademarks).

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure that the organization's payments to third parties are for valid services rendered). Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also called business controls.
Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them.
There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in different ways and at different levels of aggregation.
Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations;
b) Reliability of financial reporting; and
c) Compliance with laws and regulations.
COSO defines internal control as having five components:
- Control Environment: sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
- Risk Assessment: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
- Information and Communication: systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Control Activities: the policies and procedures that help ensure management directives are carried out.
- Monitoring: processes used to assess the quality of internal control performance over time.
The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures.
Discrete control procedures, or controls, are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control's impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics - for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."
Why integrate controls?
To achieve a holistic solution by leveraging multiple frameworks and standards, management must first align IT strategy with business objectives. In many companies, the IT department is not considered a true partner, but is viewed as a service provider only. As a partner, IT will be challenged to increase business revenue and will be required to focus on the most critical internal controls.
For example, integrating an IT governance framework such as COBIT or ISO/IEC 27001 with a corporate governance framework such as COSO allows IT to align itself with your organization's business goals and mission.
If priorities are not aligned, IT may concentrate on disaster recovery for IT assets alone rather than on the most critical business processes. IT priorities should be aligned with those of the business strategy in order to mitigate the most relevant risks effectively. This will also increase the return on investment to the business.
To derive the benefits from different standards and frameworks, a risk-based approach to information security management should be taken. The risks within the organization that are more likely to occur and affect the critical assets and business processes should be identified. The organization should concentrate on the incidents that are more likely to occur and result in damages, and identify and prioritize the implementation of countermeasures to strengthen the security posture.
The obvious benefit of this integrated approach is that enterprises are able to demonstrate that they have good internal controls over financial processes and, even more important, that they will mitigate potential security risks. By implementing this holistic approach, internal controls will be comprehensive. Management will then have ongoing measurements to maintain and monitor information security and identify possible security breaches sooner.
A holistic approach will also assist in meeting industry, legal, contractual and regulatory requirements imposed on an enterprise.
As a result, a sustainable and effective information security management program will be adopted, managed and monitored by combining implementation of multiple standards and frameworks.
Forward-thinking enterprises that take this integrated approach will also be able to meet and exceed Sarbanes-Oxley, SAS 70, PCI-DSS, HIPAA, GLBA, FISMA and EU Directive requirements.
In addition, there are efficiencies and cost savings that result from taking an integrated approach. Ultimately, enterprises will end up with a strong and robust information security management program based on international best practices. This approach will increase shareholder value, strengthen competitive advantage, and ensure information assurance for customers and business partners.
How can eFortresses assist?
By leveraging eFortresses' unique Holistic Information Security Practitioner (HISP) training program and Implement-Once-Comply-Many GRC consulting methodology, we are able to help our clients integrate controls from multiple regulations and standards in the most practical and cost-effective manner. We do this by drawing on the existing controls mappings developed within HISP over several years, as well as on deliverables from the many consulting engagements we have successfully completed for our clients.
We can also work with your internal team to review and enhance existing controls mappings and also assist in the implementation of such mappings.