Internal controls have existed since the dawn of business activities. Internal controls are basically systems of checks and balances. Their purpose is to keep the organization moving along desired lines as per the wishes of the owners and to protect the assets of the business. Internal controls have received attention from auditors, managers, accountants, fraud examiners and legislatures. The Sarbanes-Oxley Act of 2002 requires the annual report of a public company to contain a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and management’s assessment of the effectiveness of the company’s internal control structure and procedures for financial reporting. Section 404 of the Act also requires the auditor to attest to and report on management’s assessment of the effectiveness of the internal controls in accordance with standards established by the Public Company Accounting Oversight Board (PCAOB).
Internal controls are also affected by changes in business and information technology. As such, the sophistication, scope and interpretations of internal controls have evolved over the years. However, internal controls do not have a standard definition, a standard objective or a single owner. The basic questions tackled in this section are: What are internal controls? What function do they serve? The answers to these questions, of course, depend on who is answering.
The major U.S. organizations that have articulated concepts of internal controls include the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), the Committee of Sponsoring Organizations (COSO) and the AICPA. These efforts are not independent, but borrow from each other in an evolutionary spiral.
Internal controls are viewed as an amalgam of business models, organizational processes, organizational procedures, people and information technology. These controls are used in safeguarding assets of the business, providing relevant and reliable information, promoting operational efficiency and complying with managerial policies and procedures.
The responsibility for instituting and maintaining internal controls rests with management. In the real world, involvement of various layers of management in internal controls varies widely. Internal controls provide reasonable, not absolute, assurance. Internal controls are subject to cost benefit analysis. And all internal controls have limitations, such as collusion by personnel to overcome controls, override by top management and human error. Internal controls ideally should evolve in tandem with changing business conditions; thus, the need for continuous management monitoring. Each organization defines components of internal controls differently, though there are a number of similarities. Components defined by COSO and adopted by the AICPA are comprehensive and briefly discussed below.
Control Environment
This is the foundation of internal controls, since it deals with the people aspect. The control environment signifies the attitudes of the people in charge of the organization toward the controls. The tone set at the top soon permeates the entire organization. As such, no system of internal controls is effective unless actively supported by top management. The elements of the control environment are as follows:
- Management’s commitment to integrity and ethics
- Management’s philosophy and operating style
- Complexity of the organizational structure
- Oversight exercised by the board of directors, audit committee and internal auditors
- Procedures for delegating authority and responsibility
- Human resource policies and procedures
- External influences, such as requirements of the Sarbanes-Oxley Act
Risk Analysis
All businesses face internal and external threats. Risk analysis involves analyzing these threats and taking proactive and reactive steps to mitigate risks. The steps involved in risk analysis are given below:
- Identify threats in financial, operational and strategic areas
- Estimate risks involved in each threat
- Assess cost of loss due to the risk; that is, likelihood of the occurrence of the risk multiplied by possible loss
- Manage risk by designing appropriate controls
- Make sure that all controls undergo cost/benefit analysis
Control Activities
These are policies and procedures that ensure that management’s directives are carried out. The five classes of these policies and procedures are given below:
- Appropriate authorization of transactions
- Separation of duties
- Proper design and usage of documents and records
- Safeguarding of assets and records via adequate access controls
- Independent verification; for example, internal and external audits
Information and Communication
Internal controls should identify, capture, process and report appropriate information, which may be financial or operational.
Monitoring
Internal controls should be evaluated, periodically or continuously, to assure that they are functioning as intended by management. The methods of evaluating internal controls depend on the type of controls being evaluated; for example, evaluating the tone set at the top will be different from evaluating separation of duties.
How does this discussion help in understanding internal controls in the online world? Surprisingly, or perhaps not surprisingly, the theoretical framework advocated by COSO fits the controls on the Internet well. In the context of internal controls over business transactions conducted over the Internet, the risk management, control activities and monitoring aspects of the COSO framework are useful and applicable. Use of the Internet and Web-based tools, as seen so far, permeates almost every functional area of the business.
Problems regarding information flowing in and out of the organization via the Internet are similar to the problems encountered in EDI. Add to that a unique mixture of disparate technologies, networks and computing systems, along with people collaborating — perhaps from across the globe — who may not have ever met face to face. No wonder security is considered to be one of the prime problems for businesses and consumers already on the Internet or wishing to move processes to the Internet.
Please note, the objective of this post is not to list every internal control in the online world. You should be able to ask intelligent questions regarding the controls — What is being protected? Why? How? How effectively? Conceptual discussions of these issues are more important than the details, which can get very complicated very quickly.
A Conceptual Framework for Online Internal Controls
Internal controls, no matter the exotic terminology, have standard objectives. The objectives of online controls can be classified as validity of transactions, mutual authentication of identity, authorization, end-to-end data integrity and confidentiality, non-repudiation and audit-ability of transactions. These areas are not mutually exclusive, but provide a way to conceptually organize and discuss internal controls in the online world. Let us take a detailed look at the elements of the conceptual framework; some of the controls in each area are mentioned below.
Validity of transactions: The primary question in online transactions is its legal status. Transacting parties in EDI take care of this problem by using trading agreements. New laws, such as UETA, UCITA and E-SIGN, have facilitated validity of transactions in the online world, though compliance with these laws remains an important internal control issue.
Mutual authentication of identity: Authentication is a process of verifying identities of the transacting parties. It involves determining whether someone or something is, in fact, who or what it is declared to be. Authentication of identity has two facets: identity of the machines and identity of the humans operating the machine. Such authentication can be carried out by means of static or dynamic passwords or PINs, passwords or PINs and security tokens, automatic callbacks and biometric techniques. The use of digital certificates is also increasingly common. Establishing identity of a human at the end of the machine is primarily a matter of intra-organizational controls. It requires review of access controls and separation of duties within the organization. The human user is identified by something the user knows or carries. These criteria include passwords, ID cards or biometric measures, such as fingerprints.
Authorization: Authorization is the step after authentication. The machine and user are identified and allowed access to the computer system in the authentication phase. Then, the authorization phase deals with granting rights to the user to perform certain functions. These rights define types of resources and actions allowed to the user; for example, the user can read, write or modify but cannot delete files. The rights can be assigned via Access Control List (ACL). Accounting, which may follow authorization, involves collecting statistics and usage information for a particular user or class of users. This information is used for authorization control, billing, trend analysis, resource utilization and capacity planning.
Data integrity and confidentiality: Data integrity refers to the transfer of data without any modification, intentional or unintentional, in transit. Data confidentiality refers to the inability of unauthorized parties to access data. Standard controls in this area include encryption, security algorithms and communication protocols such as SSL.
Non-repudiation: Non-repudiation refers to proof that the electronic document was sent by the sender and received by the receiver. The three aspects of non-repudiation are: non-repudiation of origin, non-repudiation of receipt and non-repudiation of submission. Non-repudiation covers the problem of post-facto denial of an electronic transaction by transacting parties. First, it proves that the transaction took place, and second, it establishes identity of the transacting parties. Controls such as digital signatures and digital certificates address non-repudiation.
Audit-ability of transactions: Audit-ability of transactions refers to the existence of an audit trail and the ability to verify past transactions. The transactions should be validated, controlled and recorded properly. A log of users, resources used by the users, and various system functions is also required for audit-ability. Audit trail problems can be solved by maintaining backups, time stamps and file linkages.
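As an added example (not part of the original article), the authorization and audit-ability controls described above can be put together in code: an ACL check grants rights such as read, write or modify but not delete, and every access attempt, granted or denied, is recorded in a time-stamped audit trail in which each record carries the hash of the previous one (the file linkage), so that a removed or altered entry is detectable on verification. The users, file names and rights are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample ACL: hypothetical users and resources, not taken from the article.
# Alice may read, write and modify the ledger but not delete it; Bob may only read.
ACL = {
    "ledger.csv": {"alice": {"read", "write", "modify"}, "bob": {"read"}},
    "payroll.db": {"alice": {"read"}},
}

def authorize(user, resource, action):
    """Authorization step: the right must be granted explicitly in the ACL."""
    return action in ACL.get(resource, {}).get(user, set())

def _digest(entry):
    # Canonical serialization so the hash is reproducible on verification.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Accounting records with a time stamp and the previous record's hash
    (file linkage): altering or removing an entry breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def record(self, user, resource, action, granted, when=None):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        entry = {"ts": (when or datetime.now(timezone.utc)).isoformat(),
                 "user": user, "resource": resource, "action": action,
                 "granted": granted, "prev": prev}
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken record, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != _digest(body):
                return i
            prev = rec["hash"]
        return -1

def access(trail, user, resource, action):
    """Authorization followed by accounting: every attempt is logged, granted or denied."""
    granted = authorize(user, resource, action)
    trail.record(user, resource, action, granted)
    return granted
```

Denied attempts are logged as well as granted ones, since the audit trail is what an auditor uses to reconstruct who tried to do what, not just what succeeded.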
This classification does not cover every dimension of the internal control problem, though it helps ask the right questions. For example, if you want to evaluate internal controls over e-mail, you can ask the following questions based on the conceptual framework:
- How do you know the e-mail is valid?
- How do you know the e-mail came from the person identified in the e-mail?
- How do you grant permissions for users of e-mails to do e-mail-related activities?
- How do you know the e-mail was not altered in the process?
- How do you know that no one has seen the e-mail?
- How can we trace earlier e-mails?
These questions do not need any technical understanding of internal controls for the Internet. The framework simply enables us to ask intelligent and logical questions. These areas are not mutually exclusive, and a control technique can perform several functions, such as validity, authorization and authentication, at the same time. The identified characteristics of internal controls and the COSO framework are now used to discuss standard internal controls in the online world.
Standard Online Internal Control Techniques
Internal control techniques must address the technical, legal, human and audit dimensions of security in the online world. A well-designed internal control system should be supported by top management and cover a wide range of technical and managerial strategies and tactics. No single method provides reasonable protection on its own, and protection is never absolute. A mix of security mechanisms needs to be in place to protect information assets. Security and internal controls are an ongoing and evolving process, and experts in this area recommend a layered approach to security. The different layers of a security system are given below.
This is but a broad classification, and these areas intersect at various levels:
- Security policy for the organization
- Perimeter security
- Message content security
- Back-end infrastructure security
Security policy is a pervasive element of the security architecture. Security policy captures business issues and relates them with technical requirements. Perimeter defense refers to the defense of all contact points between the corporation’s internal network and external public/private networks. Perimeter defense has become more difficult due to collaborative activities with trading partners and new technologies, such as wireless networks. The perimeter has now become amorphous.
Message content security refers to maintaining the integrity and confidentiality of a message, whether the message is traveling over the Internet or over internal private networks. Finally, back-end infrastructure security refers to the security of the hardware and software used by the organization to carry out its routine activities. In my next post, we will discuss “Security Policy For an Online Financial Information System”.