Control Self-Assessment for Information and Related Technology
Author: Adnan • August 23, 2017 • 5,526 Words (23 Pages)
...
Technology adoption has expanded concern about internal controls from simply being confined to accounting functions to encompassing the entire business enterprise. In the US, increased attention to controls began in the 1970s with the passage of the Foreign Corrupt Practices Act of 1977 and later with the Treadway Commission on Fraudulent Financial Reporting in 1987. More recently, the Federal Deposit Insurance Improvement Act (FDIIA) of 1991 and the Federal Sentencing Guidelines of 1991 have also piqued interest in understanding and applying internal control concepts.
In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission published a report that established a generally accepted definition of internal control. This new and comprehensive framework marked a US standard for implementation and evaluation of business controls. Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute, followed and continues to refine these controls.
The 2002 Sarbanes-Oxley Act has added new dimensions to internal controls. Though the act was primarily passed to protect investors' interests, it has direct implications on internal controls of organizations. According to the Act, CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures. Each quarterly filing must contain a certification that they have performed an evaluation of the design and effectiveness of these controls. The certification must also state that they have disclosed to their audit committee and independent auditor any significant control deficiencies, material weaknesses and fraudulent acts.
The act also mandates an annual evaluation of internal controls and procedures for financial reporting. In addition, the company's internal auditor must issue a separate report that attests to management's assertion on the effectiveness of internal controls and procedures for financial reporting. This last requirement necessitates the adoption of a control framework against which the internal controls can be measured.
For example, the COBIT framework:
- Helps management to ensure that its IT decisions balance risks and controls
- Helps users obtain assurance on security and control of the products and services they acquire
- Provides auditors with a tool for apprising management of the internal controls that exist, forming opinions on internal controls for management, and identifying the minimum cost-beneficial controls necessary for the organization
Comparable documents were developed elsewhere: in Canada, the Criteria of Control Committee (CoCo) document, and in the UK, the Cadbury Report.
Internal control is defined by COSO as:
"A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations"2
COSO also identified five components of internal control that support the achievement of the separate, but overlapping, operational, financial reporting and compliance objectives.
The enhancement of internal controls requires strengthening the internal audit function.
CSA is a tool designed to assist in the internal audit function, and to test the effectiveness of internal controls. A concise definition of CSA is not available; however, many organizations have described CSA in the following ways:
- CSA is a risk management program in which risks and controls are examined and assessed to provide reasonable assurance to management that its business objectives will be achieved. The responsibility of the CSA program is shared among all employees.3
- CSA is a self-assessment conducted on a system (major application or general support system), or a set of multiple self-assessments conducted for a group of interconnected systems (internal or external to the organization). It is one method used to measure IT security assurance, which is the degree of confidence one has that the managerial, technical and operational security measures work as intended to protect the system and the information it processes.4
- CSA asks employees and managers who are directly involved in a business activity to determine whether the processes in place are effective and the objectives are being achieved.5
- CSA is a powerful tool because it is inclusive and sets an expectation of high performance and a high level of knowledge about the work structure and policies. CSA helps evaluate informal or subjective controls in such areas as ethical practices, management philosophy and human resource policies. By involving employees at all levels, CSA solicits open communication and teamwork, and encourages improvement.6
- From the senior management perspective, CSA assists in determining whether the organization is meeting its objectives. Key advantages to implementing a CSA program include early detection of risk and the development of concrete action plans that safeguard organizational programs against significant business risk. The CSA goals are to:
  - Reduce or eliminate costly and ineffective controls while creating valuable alternatives
  - Pinpoint risk areas while developing adequate control measures
  - Evaluate the control standards that are already in place
  - Emphasize management's responsibility for developing and monitoring effective internal control systems
  - Communicate the results to others7
- CSA is a technique that involves bringing the staff members together for a facilitated workshop where they can discuss risk and control issues and devise action plans to address those issues. The process offers a means of identifying control problems and recommendations for improvement. The facilitator helps the group reach agreement.8
- Self-assessments provide a method for employees and management to determine the current status of their information security programs and, if necessary, establish a target for improvement. The method utilizes specific control objectives and techniques in which an unclassified system, or group of interconnected systems,
...