Even among IT practitioners the idea of control—in general and business terms—can sometimes be difficult to understand. It is a critical concept to grasp, however, because controls, specifically internal controls, can help organizations succeed and maximize the value they deliver to stakeholders.
The term ‘control’ can be confusing because it is applied differently across different industries. Generally, control refers to guidance, regulation, restraint and oversight. In a business context, control usually refers to how activities are monitored and directed.
This is the essence of internal control: providing oversight and, if done well, a holistic viewpoint. Internal control provides insight into what individual operational units are doing. Why are they acting in a certain way? Why do they consider those actions to be most efficient and effective? What measures are they taking to prevent undesired outcomes? Addressing these and other questions is what internal control is all about. Without a central oversight mechanism, the goals of individual business units or areas might conflict with one another.
Going Beyond Risk
Every business needs internal controls to provide the oversight to realize the most business value, optimize risk and best support its mission. ISACA defines internal control as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. In the past, a control was usually understood from a risk management point of view only (for example, a mechanism to mitigate risk). Looking at internal control from a risk-only perspective dramatically limits its potential. Just as controls can mitigate potentially negative consequences (i.e., risk), they also support the creation of value. Enterprises exist to create value for their stakeholders and internal control is integral to that process.
In that context, internal controls are structures, tools, processes or mechanisms that help ensure an outcome. This applies to any activity related to value creation, including benefits realization, risk optimization, resource optimization, disruption minimization, business enablement and potentially any other activity. A systematic approach for internal control helps to identify gaps in control objective coverage and facilitate internal audit planning to support the enterprise’s objectives. This can include awareness of the measures (i.e., individual control activities) used to manage and meet objectives and the value that the enterprise places on those measures.
In COBIT terms, a control enables the achievement of one or more control objectives resulting from the implementation of a relevant process, practice, principle, tool, organizational unit, symbol or other capability. All controls and control activities must be put into a systematic structure—the internal control system—that clearly identifies risks and objectives. These objectives include effectiveness; efficiency and economy of operations; reliability of management; and compliance with applicable laws, regulations and internal policies.
Delivering Stakeholder Value
A successful internal control system permits the operation of control-related practice areas, including controlling, risk management, quality management, audit and assurance, and information security. These areas cover functions such as IT, enterprise risk management (ERM), operations, sales or finance. Practice areas set the tone for effective, efficient internal control. COBIT 5 covers the enablers of internal control that help enterprises accomplish their goals and deliver value to stakeholders. Enablers include:
- Principles, Policies and Frameworks
- Organizational Structures
- Culture, Ethics and Behavior
- Services, Infrastructure and Applications
- People, Skills and Competencies
It is necessary to bring all of the controls and control activities together into a systematic structure that clearly identifies the risk being managed and the objectives being served. When a successful internal control system is in place, an organization can gain reasonable assurance that business objectives will be achieved.
The white paper on internal control is by Jimmy Heschl, CISA, CISM, CGEIT, head of digital security, Red Bull, Fuschl, Austria.