Chapter 8: Internal controls I Flashcards
What are the eight principles for corporate governance outlined by the ASX Corporate Governance Council?
- Lay solid foundations and oversight for management.
- Structure the board to add value.
- Promote ethical and responsible decision making.
- Safeguard integrity in financial reporting.
- Make timely and balanced disclosure.
- Respect the rights of shareholders.
- Recognise and manage risk.
- Remunerate fairly and responsibly.
What are the three main objectives of IT governance?
The three main objectives of IT governance include:
- agenda setting for IT integration into the overall business strategy
- ensuring an appropriate level of investment in IT business capability
- successful operational use of IT in routine business activity
Identify and briefly explain the drivers for developing COBIT 5.
- To provide stakeholders with the opportunity to voice the benefits, risks and derived value of IT.
- To address the increasing dependency of organisational success on external business and IT, including partners, suppliers, outsourcers, cloud and other service providers.
- To deal with vast data volume and enable enterprises to select relevant and credible information that will lead to effective and efficient business decisions.
- To deal with more pervasive IT and integrate it into business projects, organisational structures, risk management, policies, skills and processes.
- To provide further guidance in the area of innovation and emerging technologies.
- To cover the full end-to-end business and IT functional responsibilities and cover all aspects that lead to effective governance and management of enterprise IT.
- To get better control over increasing user-initiated and user-controlled IT solutions.
- To achieve organisational value creation through effective and innovative use of enterprise IT.
- To connect to and align with other major frameworks and standards in the marketplace to help stakeholders understand how various frameworks, acceptable practices and standards are positioned relative to each other.
- To integrate all principal ISACA frameworks and guidance, with a primary focus on COBIT, Val IT and Risk IT.
What are the six principles that encapsulate the domain of IT governance, as outlined by Standards Australia?
- Establish clear ICT (information and communication technology) responsibilities throughout the organisation.
- Plan for ICT to support the current and future organisational needs and to be consistent with its overall objectives.
- Ensure ICT acquisitions are based on analysis and meet organisational needs to offer both long- and short-term benefits.
- Ensure ICT performs well, such as fulfilling business needs and supporting organisational activities.
- Ensure ICT conforms with any external and internal organisational obligations and policies.
- Ensure ICT use respects human factors, particularly meeting the needs of the different system stakeholders.
List and briefly discuss at least four specific components of the control environment to be aware of, as mentioned in ASA 315.
1. The communication and policing of ethical behaviour in the organisation:
An organisation that does not strive to enforce proper conduct among its staff will face problems regardless of how well-designed the control system is.
2. Commitment to competence:
Refers to the awareness by management that different tasks and responsibilities in the organisation will have different pre-requisite skills and knowledge. As such, the organisation should have policies and procedures in place for gaining reasonable assurance that those within the organisation have the necessary skills and expertise to perform their jobs at a competent level.
3. Management philosophy and operating style:
This component looks at how management addresses the issues and risks that the organisation faces in its day-to-day activities. A sound control environment is one where managers are aware of the risks and are continually evaluating the extent of their potential impact on financial reporting, compliance with legislation and operating performance.
4. Organisational structure:
Refers to the way we design the organisation to facilitate the planning, execution, control and review of business activities.
5. Distribution of responsibility:
This component looks at how to distribute responsibility in the organisation, including who has the power to authorise, review and execute events, as well as the reporting and accountability relationships put in place to monitor them.
6. Recruitment policies:
It is concerned with the policies and procedures followed by the organisation in managing its people. It will include the processes for hiring staff, the mechanisms in place to monitor staff performance and the means in place for employee removal and dispute resolution.
Describe the merits and nature of audit committees.
Firms establish audit committees to monitor the organisation’s financial performance and as a point of liaison between the company and the internal and external auditors.
The audit committee consists of several company directors to represent the company’s shareholders.
An influential audit committee features four essential characteristics:
- it is independent and can discuss openly any emerging sensitive issues
- it can nominate an auditor and determine a commensurate fee
- it monitors the perception of auditor independence
- it provides a forum to discuss sensitive control-related issues
To reinforce audit committee independence, most of its members should be non-executive directors.
What is the relationship between corporate and IT governance?
IT governance is a subset of corporate governance.
Corporate governance is the way that organisations are managed and governed and includes the interests of all stakeholders, including shareholders, individuals, organisations and society at large.
Therefore, corporate governance concerns managing an organisation’s internal and external relationships.
IT governance, on the other hand, ensures that the use of IT is consistent with the organisational strategy.
Explain who the stakeholders are in corporate and IT governance and why.
The stakeholders in corporate governance and IT governance include shareholders, individuals, organisations and society.
Shareholders are significant stakeholders because they invest in the organisation.
Therefore, shareholders need to have timely, accurate and complete information to make investment decisions.
They also need to have confidence that corporate and IT governance is taken seriously by the Board.
Another key stakeholder is the individual (who may also be a shareholder), for example, an employee.
An employee may feel compromised if they are working in an environment that does not practise good corporate and IT governance.
A recent example is Volkswagen and the emissions scandal, which was allowed to flourish because of a lack of corporate governance.
Compromising the quality of the service or product impacts customers.
Furthermore, ethical values and customer service are essential for achieving competitive advantage.
Organisations and governments are stakeholders in corporate and IT governance.
Governments collect taxes and make regulations to protect other stakeholders and ensure an appropriate competitive environment.
Suppliers and partners rely on organisations for providing services and products.
Since creditors, such as banks, provide credit, they are exposed if corporate and IT governance is insufficient.
Other stakeholders, including the community or society, rely on organisations for jobs and contributions to the community, such as providing grants to worthy causes or volunteering.
What are some current technology trends and why is it important for an organisation to understand trends?
Technology trends include robotics, driverless cars, internet of things, cloud-based computing, big data and data analytics, 3D printing, and wearable devices.
The trend is moving towards more ethical use of technology and mobility.
Management needs to follow trends to incorporate new technologies and provide a competitive advantage.
Successfully deploying new technologies requires a structured framework, such as COBIT 5, to ensure that organisational goals and objectives are met.
Describe the importance of managing financial risks, including the possible consequences to an organisation.
Risks could lead to unreliable financial reporting through material misstatement on financial reports.
Potential threats could include data entry errors or the loss of a significant customer.
Other risks may impact on the operation of business processes and procedures and the organisation’s ability to achieve its objectives.
There are four COSO principles relating to risk assessment:
- The organisation specifies objectives to identify and evaluate the related risks.
- The organisation identifies and analyses risks to determine how to manage them.
- The organisation considers the potential for fraud in assessing risks to the achievement of objectives.
- The organisation identifies and assesses changes that could significantly impact the system of internal control.