CHAPTER FOUR

IT Governance and COSO Internal Controls

THE NEED FOR STRONG AND EFFECTIVE INTERNAL CONTROLS is a key element of enterprise IT governance. The need to establish and then assess internal controls has been around since the early days of auditing and has also been an important concern going back to the very early days of information technology (IT) auditing. While there have been many definitions of internal controls in past years, a good general definition for IT governance is that internal control is a process, effected by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of an enterprise’s financial reporting, and an enterprise’s IT systems and processes, all in compliance with laws and regulations. This definition is similar to the well-recognized definition established by the U.S. Committee of Sponsoring Organizations (COSO), an important internal controls guidance authority that we will be discussing further in this chapter.

Enterprise managers are responsible for implementing and managing internal control processes, while their auditors act as independent parties to both review and perform tests of these internal controls as well as to report to management and other parties whether they are adequate. These internal control reviewers consist of both internal and external auditors, with external auditors ...
