Who is responsible for maintaining controls concerning:
(1) Monitoring
(2) Information and Communications
(3) Information Technology (IT)
(4) Transaction approval
(5) Enterprise Risk Management (ERM)
1. Monitoring control:
Monitoring of internal control is performed through application of
both ongoing evaluations and separate evaluations. These
evaluations ascertain whether other components of internal control
continue to function as designed and intended. In addition, these
evaluations facilitate identification of internal control
deficiencies and communicate them to appropriate officials
responsible for taking corrective action. More serious deficiencies
are communicated to higher levels of management and to the board of
directors when appropriate.
The board is responsible for governance and oversight in its role of
providing guidance to the management team. Boards of publicly
traded companies have legal responsibilities that were enhanced by
the Sarbanes-Oxley Act of 2002.
2. Information and Communications
Information is necessary for the entity to carry out internal
control responsibilities to support the achievement of its
objectives. Management obtains or generates and uses relevant and
quality information from both internal and external sources to
support the functioning of internal control. Communication is the
continual, iterative process of providing, sharing, and obtaining
necessary information. Internal communication is the means by which
information is disseminated throughout the organization, flowing
up, down, and across the entity. It enables personnel to receive a
clear message from senior management that control responsibilities
must be taken seriously.
ICT controls are policies, procedures and activities put in place
by an organisation to ensure the confidentiality, integrity and
availability of its ICT systems and data.
3. Information Technology (IT)
An IT control is a procedure or policy that provides a reasonable
assurance that the information technology (IT) used by an
organization operates as intended, that data is reliable and that
the organization is in compliance with applicable laws and
regulations. IT controls can be categorized as either general
controls (ITGC) or application controls (ITAC).
The IT manager is responsible and accountable for an ongoing program
of IT services.
4. Transaction approval
Authorization and approval are control activities that mitigate the
risk of inappropriate transactions. They serve as fraud deterrents
and enforce segregation of duties. Thus, the authorizer and the
approver should generally be two separate people. Authorization is
the power granted to an employee to perform a task. It is a
delegation of duties. Management defines the terms of the
authorization and ensures that those terms are documented and
clearly communicated. For example, an employee may be authorized to
make small purchases without supervisory approval. Approval is the
confirmation or sanction of employee decisions, events or
transactions, based on an independent review. Management determines
if an item requires approval based on its level of risk.
Managers and employees must have actual knowledge of the
transactions they approve and should question any unusual items
before signing.
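The authorization and approval rules above (delegated authority, a risk threshold set by management, and an approver distinct from the authorizer) can be expressed as an automated check. The following is an added example, not part of the original answer; the roster of authorized purchasers and approvers, the 500.00 small-purchase limit and the sample transactions are constructed assumptions standing in for management's documented policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy (assumption, not from the answer above): management records who
# holds delegated purchasing authority, who may act as an independent approver, and
# the risk threshold (here, amount) above which approval is required.
AUTHORIZED_PURCHASERS = {"alice", "bob"}
APPROVERS = {"bob", "carol"}
SMALL_PURCHASE_LIMIT = 500.00  # at or below this, no supervisory approval is needed


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    authorized_by: str                  # employee exercising delegated authority
    approved_by: Optional[str] = None   # independent reviewer, if any


def requires_approval(txn: Transaction) -> bool:
    """Management decides by risk level whether an item needs approval; amount is the proxy here."""
    return txn.amount > SMALL_PURCHASE_LIMIT


def evaluate(txn: Transaction) -> Tuple[bool, str]:
    """Return (accepted, reason) for one transaction under the constructed policy."""
    if txn.authorized_by not in AUTHORIZED_PURCHASERS:
        return False, "authorizer lacks delegated authority"
    if not requires_approval(txn):
        return True, "within delegated authority; no approval required"
    if txn.approved_by is None:
        return False, "approval required but missing"
    if txn.approved_by not in APPROVERS:
        return False, "approver not designated by management"
    if txn.approved_by == txn.authorized_by:
        # Segregation of duties: the authorizer may not approve their own transaction.
        return False, "segregation of duties violated: authorizer approved own transaction"
    return True, "approved by independent reviewer"


def rejected_ids(txns: List[Transaction]) -> List[str]:
    """Ids of transactions that fail the check, for follow-up by the responsible manager."""
    return [t.txn_id for t in txns if not evaluate(t)[0]]


# Constructed sample batch exercising each rule.
SAMPLE_BATCH = [
    Transaction("T1", 120.00, "alice"),                       # small purchase, no approval needed
    Transaction("T2", 2500.00, "alice"),                      # needs approval, none recorded
    Transaction("T3", 2500.00, "bob", approved_by="bob"),     # self-approval, SoD violation
    Transaction("T4", 2500.00, "alice", approved_by="carol"), # independent approval
    Transaction("T5", 80.00, "mallory"),                      # no delegated authority at all
]

if __name__ == "__main__":
    for t in SAMPLE_BATCH:
        accepted, reason = evaluate(t)
        print(f"{t.txn_id}: {'OK ' if accepted else 'REJECT'} {reason}")
    print("rejected:", rejected_ids(SAMPLE_BATCH))
```

The check is deliberately ordered so that the delegation question (is this person authorized at all?) is answered before the approval question, mirroring the answer's distinction between authorization as a grant of power and approval as an independent review.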
5. Enterprise Risk Management (ERM):
Internal control is an important part of enterprise risk
management. Enterprise risk management (ERM) is applied from
strategy through execution, while relying on internal control at
critical junctures. The two are interconnected, but not
interchangeable. Indeed, when used together, they’re powerful
complements in supporting management. For example, ERM helps in
developing the objective used as a basis for developing controls,
while internal control makes ERM more effective when control
activities are in place over risk responses and other ERM
processes.
The firm's managers are responsible for monitoring the controls over ERM.