Question

Who is responsible for maintaining controls concerning:

(1) Monitoring

(2) Information and Communications

(3) Information Technology (IT)

(4) Transaction approval

(5) Enterprise Risk Management (ERM)

Answer 1

1. Monitoring control:
Monitoring of internal control is performed through application of both ongoing evaluations and separate evaluations. These evaluations ascertain whether other components of internal control continue to function as designed and intended. In addition, these evaluations facilitate identification of internal control deficiencies and communicate them to appropriate officials responsible for taking corrective action. More serious deficiencies are communicated to higher levels of management and to the board of directors when appropriate.
The board is responsible for governance and oversight in their role of providing guidance to the management team. Boards of publicly traded companies have legal responsibilities that were enhanced by the Sarbanes-Oxley Act of 2002.

2.  Information and Communications
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
ICT controls are policies, procedures and activities put in place by an organisation to ensure the confi dentiality, integrity and availability of its ICT systems and data.

3. Information Technology (IT)
An IT control is a procedure or policy that provides a reasonable assurance that the information technology (IT) used by an organization operates as intended, that data is reliable and that the organization is in compliance with applicable laws and regulations. IT Controls can be categorized as either general controls (ITGC) or application controls (ITAC)
IT manager is responsible and accountable for an ongoing program of IT services.

4.Transaction approval
Authorization and approval are control activities that mitigate the risk ofinappropriate transactions. They serve as fraud deterrents and enforce segregation of duties. Thus, the authorizer and the approver should generally be two separate people.Authorization is the power granted to an employee to perform a task. It is adelegation of duties. Management defines the terms of the authorization and ensures that those terms are documented and clearly communicated. For example, an employee may be authorized to make small purchases without supervisory approval. Approval is the confirmation or sanction of employee decisions, events or transactions, based on an independent review.Management determines if an item requires approval based on its level of risk.
managers andemployees must have actual knowledge of the transactions they approve and should question any unusual items before signing.

Enterprise Risk Management:
Internal control is an important part of enterprise risk management. Enterprise risk management (ERM) is applied from strategy through execution, while relying on internal control at critical junctures. The two are interconnected, but not interchangeable. Indeed, when used together, they’re powerful complements in supporting management. For example, ERM helps in developing the objective used as a basis for developing controls, while internal control makes ERM more effective when control activities are in place over risk responses and other ERM processes.
Firms Managers monitors the control of ERM