Accounting Information Systems
Week 7: Internal Control

Jim Lim
Assistant Professor

UBSS Sydney CBD Campus


Level 10 & 11, 233 Castlereagh Street
Sydney NSW 2000

Internal Control (Ch 8)

1. Corporate governance
2. Corporate governance in Australia
3. IT Governance
4. COBIT 5
5. COSO

1. Corporate Governance
What is corporate governance?
• Organisation for Economic Co-operation and Development (OECD) definition:
“the set of relationships between a company’s management, its board, its shareholders and other stakeholders
. . . [it] provides the structure through which the objectives of the company are set, and the means of attaining
those objectives and monitoring performance are determined.”

• Australian Securities Exchange (ASX)* definition:
“the framework of rules, relationships, systems and processes within and by which authority is exercised and
controlled within corporations. It encompasses the mechanisms by which companies, and those in control, are
held to account.”

Note: *The ASX Corporate Governance Council released Corporate Governance Principles and Recommendations (fourth edition) in Feb 2019

1. Corporate Governance
• Corporate governance is the way organisations are managed and governed.
• Corporate governance means putting in place policies, procedures and
structures so that all relationships in the organisation are managed successfully.
• By doing so, organisations can achieve their goals and objectives.
• Reality is . . . if an organisation does not manage corporate governance properly,
the chances of business failure are HIGH!

1. Corporate Governance
So what does this all mean to accountants and AIS?
• Accountants/organisations are required to produce financial statements that
are not materially misstated, i.e. free from significant errors
• Why? Many stakeholders rely on financial statements to make DECISIONS,
e.g. whether to invest or lend more
• Good corporate governance, therefore, will not only achieve corporate goals
but also create an environment for producing financial statements that are
accurate and timely.

1. Corporate Governance
Brief history of corporate governance
• 1980s and 1990s: major collapses of big corporates in Australia and the UK.
• “The Cadbury Report 1992” (UK) concluded that better financial reporting,
accountability and corporate governance were required.
• Early 2000s: spectacular US corporate collapses, e.g. Enron, WorldCom.
• As a result, the Sarbanes-Oxley Act 2002 (USA), known as SOX, required strong corporate
governance and internal controls.
• February 2019: ASX published Corporate Governance Principles and Recommendations (4th ed) with 8
recommended principles.

2. Corporate Governance in Australia
• ASX (Australian Stock Exchange) published Corporate Governance Principles and
Recommendations in 2014
• There are 8 principles that are not mandatory but are expected to be
followed
• An “if not, why not” approach applies to listed companies, such that . . .
• If companies do not follow the principles, they are asked to explain “why”.

2. Corporate Governance in Australia
• Listed companies must disclose their corporate governance
practices in the annual report or on their website (Listing Rule 4.10.3)
• An informative explanation is expected, not a tick-box
exercise!
• Students: Open link and read 8 principles now.

3. IT Governance

What is IT governance?
• Information technology (IT) governance is an important issue
because IT investment is significant in most organisations
• IT governance, therefore, is a subset of corporate governance.
• The board of directors and executives are responsible for IT
governance

3. IT Governance
• The objective of IT governance is to ensure IT is used consistently and in a
manner appropriate to the overall organisational strategy and objectives.
• ISACA* stresses that IT governance is not an isolated discipline but is embedded
in corporate governance.

Note: *ISACA (Information Systems Audit and Control Association) is an independent, non-profit global association that engages in the development, adoption and
use of globally accepted, industry-leading knowledge and practices for information systems.
ISACA is also known as an international professional association focused on IT governance.

4. COBIT 5
• COBIT stands for Control Objectives for Information and Related
Technology.
• It is a framework created by ISACA (Information Systems Audit and
Control Association) for IT governance and management.
• It was designed as a supportive tool for managers, bridging the
crucial gap between technical issues, business risks and
control requirements.

4. COBIT 5
• COBIT 5 provides a framework for governing and managing IT across the
organisation.
• The framework enables IT to be governed and managed in a holistic
manner for the entire organisation.
• COBIT 5 covers the full end-to-end business and IT functional areas of
responsibility as well as the IT-related interests of internal and external
stakeholders.

4. COBIT 5
• COBIT 5 is based on five key principles
• COBIT 5 is designed to be used by organisations of all sizes, whether
commercial, not-for-profit or in the public sector.

4. COBIT 5
• COBIT 5 principle 5: “separating governance from management”
• This principle provides a clear distinction between governance and management.
• COBIT 5 defines governance as follows:
“Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; setting direction
through prioritisation and decision making; and monitoring performance and compliance
against agreed-on direction and objectives.”

4. COBIT 5
• Management is defined as:
Management plans, builds, runs and monitors activities in alignment with the direction set by
the governance body (usually the Board/Executive) to achieve enterprise objectives.

• Good decisions are only made when a systematic approach to the
governance and management of IT is taken.
• Stakeholder requirements are evaluated to ensure they are taken into
account.

4. COBIT 5
• In summary . . .
• The five COBIT 5 principles enable the organisation to build an
effective governance and management framework for IT.

4. COBIT 5

A bit of history . . .

COBIT evolved from an audit focus to integrating IT processes and
functions across the organisation.

5. COSO
• COSO - Committee of Sponsoring Organizations (COSO) of the Treadway
Commission is a joint initiative of five private sector organisations.
• The five organisations are the American Accounting Association, American
Institute of CPAs, Financial Executives International, the Association of
Accountants and Financial Professionals in Business and the Institute of
Internal Auditors.
• COSO is dedicated to providing thought leadership through the development
of frameworks and guidance on enterprise risk management, internal control
and fraud deterrence.

5. COSO
• COSO released the most current version of its framework, Internal
Control — Integrated Framework, in 2013.

“COSO’s Internal Control—Integrated Framework (Framework) enables
organizations to effectively and efficiently develop systems of internal control
that adapt to changing business and operating environments, mitigate risks
to acceptable levels, and support sound decision making and governance of
the organization”

5. COSO
So what is internal control?

Internal control is defined as follows by COSO:

“Internal control is a process, effected by
an entity’s board of directors,
management, and other personnel,
designed to provide reasonable
assurance regarding the achievement of
objectives relating to operations,
reporting, and compliance.”

In short: “Prevention of fraud and material errors in financial statements”

5. COSO
Another definition . . .
The Australian Standard on Assurance Engagements ASAE 3150 Assurance
Engagements on Controls (January 2015), issued by the Auditing and Assurance
Standards Board, defines internal control as:
“The process designed, implemented and maintained by those charged with governance,
management and other personnel to mitigate the risks which may prevent achievement of control
objectives relating to the entity’s system. Controls included in the scope of the assurance
engagement may comprise any aspects of one or more components of control over an area(s) of
activity within a defined boundary, such as the group, entity, facility or location.”

5. COSO
• COSO has . . .
➢ 3 control objectives
➢ 5 control components (with 17 principles)

[Figure: Control Objectives and Control Components (17 Principles), applied to the organisational structure.]

5. COSO
• 3 control objectives
1. Operations Objectives. Effectiveness and efficiency of business operations and
safeguarding against asset loss, i.e. good controls increase profits and prevent fraud and
theft.
2. Reporting Objectives. Internal and external financial and non-financial reporting
obligations, including reliability, timeliness, transparency or any other requirement
imposed by regulators, i.e. sound controls mean no material misstatements.
3. Compliance Objectives. Adherence to the laws and regulations to which the organisation is
subject, e.g. health & safety, pollution.

5. COSO
• 5 control components (17 principles)
1. Control environment – sets the tone from the top (Board/Management)
2. Risk assessment – understand risks and assess their impact
3. Control activities – mitigate (reduce) risks by prevention or detection
4. Information and communication – advise and inform stakeholders so they can
carry out internal control activities
5. Monitoring – is it working? Check, review, evaluate, feed back, improve

5. COSO

Good to know!
• Many organisations use COSO and COBIT in tandem
• COSO for financial framework and
• COBIT for IT control framework
• Why? Because both frameworks are compatible and complementary.

Weekly Question
❑ See question in Moodle.
❑ Do question in class.
❑ This is Assessment 1.
