Rolling Meadows, IL, USA (March 15, 2016) — Enterprises can extract value – not simply minimize risk – from their internal control policies, according to a new report from global IT association ISACA.
The white paper, titled “Internal Control Using COBIT 5,” assesses the role internal control can play in a well-run enterprise and contends that internal control often is misunderstood in the business world.
“Some enterprises see implementing internal controls as cumbersome, but with a properly executed, business-oriented internal control framework, they will have a clear path to achieving desirable outcomes and mitigating damaging consequences,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, Chair of ISACA’s Board of Directors and Group Director of Information Security for INTRALOT.
ISACA defines internal controls as “the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.” In a business context, control typically refers to how activities are monitored and directed.
The paper describes a well-designed internal control environment as one ensuring that resources are used appropriately, legal compliance occurs and financial information and reporting are reliable. Enterprises are encouraged to use internal controls as a mechanism to be certain that value is created from an array of practice areas covering functions such as IT, enterprise risk management and finance. Multiple layers within an organization are encouraged to share ownership of the process.
COBIT 5 — a business framework for the governance and management of enterprise IT — identifies systematic goal-setting as a key aspect of establishing a well-designed internal control environment. COBIT 5 pinpoints seven enablers that help enterprises accomplish their internal control goals and deliver value to stakeholders:
- Principles, policies and frameworks
- Processes
- Organizational structures
- Culture, ethics and behavior
- Information
- Services, infrastructure and applications
- People, skills and competencies
COBIT 5 also supplies guidance about selecting controls that fit the goals of an organization. The process of determining control selection consists of three phases – identifying goals, determining opportunity/risk gaps and defining coverage. Once specific controls addressing the gaps have been identified, enterprises benefit from establishing a budget, success metrics and other factors that assist implementation.
“Effective internal control can keep business units from unintentionally undermining each other’s objectives,” said Dimitriadis. “Without a mechanism for central oversight, decisions made at the individual business-unit level might counteract or adversely impact other areas. This is the essence of internal control: to provide that oversight and the holistic viewpoint.”
According to the white paper, enterprises must regularly assess their internal control framework. Changing technologies, evolving business processes and updates to organizational structure dictate that internal control must be adaptable over time.
About ISACA
ISACA helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.