INTERNAL CONTROL IN AN ICT ENVIRONMENT PROBLEMS AND SOLUTIONS
CHAPTER ONE
INTRODUCTION
1.1 BACKGROUND STUDY
As a result of some notorious recent audit failures involving large corporations around the world especially in the United States, the
Sarbanes Oxley Act (SOX) was enacted in United States of America since 2002. This ACT has become a factor international standard for
good governance and controls of Companies. It requires that (Section 302) the chief executive and chief financial officers of public
companies attest to the accuracy of financial reports and auditing process, in most cases, must provide a reasonable safeguard against
fraudulent and inaccurate financial reporting. ‘Financial statements cannot be useful if they are based on unreliable and inaccurate
recordings of transactions’ Elmaleh, ( 2012). Following the financial crisis and the catalogue of public sector scandals, better education and
improvements in the transparency of the audit process are needed (ACCA, 2010).
According to Michelson, Stryker and Thorne (2009), Sarbanes-Oxley Act (SOX), Section 404 requires public companies to establish
adequate internal controls over financial reporting. Turn bull Report 1999 in the UK provided principle-based guidance for creating strong
internal control system and later incorporated into Combined Code, revised in 2005 also presents standalone document on internal
controls.
“The application of information technology (IT) has become central to the strategy and business processes of many entities. So, just as IT
has become an integral part of the business, IT governance is now seen as an integral part of enterprise governance. In recognition of the
importance of IT governance, an IT governance framework, Control Objectives for Information and Related Technology (COBIT) was
developed in 1996 as a reference framework for developing and managing internal controls and appropriate levels of security in IT. COBIT
provides a set of generally accepted IT control objectives to assist entities in maximizing the benefits derived through the use of IT and
developing the appropriate IT governance and control in a company” (IFAC, 2006). While Committee of Sponsoring Organizations of the
Tread way Commission, (COSO) in the US and Turn bull report in the UK focus on the achievement of business objectives at the overall
entity level, COBIT focuses specifically on information technology. These developments in internal controls issues have created
similar developments in some other countries such as Canada, the European Union, Hong Kong, South Africa etc.
Organizations that can survive the currents in the uncertain competitive business environments must, as matter of necessity, ‘know how to
take advantage of opportunities and counter threats, in many instances through effective application of controls, and therefore improve
their performance’. Internal control is, therefore, a vital aspect of an organization’s governance system. Thus, internal controls involve
putting in place the right kind of internal measures that will enable an organization to capitalize on opportunities while setting the
threats. An ability to understand risk, manage risk, implemented, and actively monitor risk by the governing body, management, and other
personnel is key to taking advantage of the opportunities and countering the threats in order to achieve the organization’s objectives (Li,
2012).
Apart from the prevention and detection of fraud, internal controls are put in place to reflect the strength of the overall accounting
environment in an organisation as well as the accuracy of its financial and operational records. “Data security failures can cost a company in
several ways. Fines for a single
Incident have reached as high as $15 million. Legal, IT recovery, and other costs can be several times that. Violations of data security laws
can lead to increased regulatory oversight. And then there’s the damage to reputation” (Drew, 2012).
One main managerial function that centrally is tasked with the business of capitalising on opportunities and osetting the threats is
the role of internal audit. Internal audit as a whole, in essence, can be seen as a special kind of economic control which is concerned with
any phase of business activity which may be of relevant to management. ICT has virtually become indispensable part in the operations
of any modern accounting and management information systems. Auditing, therefore, involves going beyond the accounting information
or financial records to obtain a comprehensive understanding of the operations under review (Chun, 1997). This is done by testing and
understanding of the system is required ‘to substantiate their opinions and/or provide advice to management on internal controls’ (IT
Governance Institute, 2007).
1.2 STATEMENT OF PROBLEM
Professional Auditors must make judgements based on the knowledge, skills and experience that they have acquired or developed while
training, or while working as a qualified professional. Those judgements must also be based on certain ethical values as well as a duty to
serve the public interest. Identifying and assessing audit risk is a key part of the audit process. These risks must then be considered when
designing the audit plan. A critical emphasis of the procedures of in identifying audit risks is making inquiries of management and Internal
Auditors among others within the entity in order to place some reliance on internal controls (Jones, 2009). The objective of these auditing
procedures is identifying risks, fraud and errors by testing Internal controls within the entity in order to place some reliance on
management assertions.
According to Pine (2011) when determining the extent to which they may rely on Accounting Application Controls, auditors need to consider
the extent to which specified controls have been implemented correctly. Information and Computer technology (ICT) has, by necessity,
become fundamental part to any modern accounting information systems. Paper-based audit evidence is giving way to electronic ones in
audit engagements. It is an understatement; however, to state that ICT is a high risk discipline due to high level of vulnerabilities and
threats. Auditors’ responsibility in identifying fraud, however, has now been acknowledged by regulatory standards and the law. Auditing
computerised accounting information systems has, therefore, become quite challenging.
It has become, therefore, very vital that auditors show significant competence ICT and become fully aware the impact of contemporary ICT
issues on the audit of a client’s financial statements, both in the context of how it is used by a client to gather accounting data, process the
data and report the resulting accounting information in its financial statements, and how the auditor can use ICT in the process of auditing
the financial statements. The level of Skills in information technology has become a great concern for Audit service providers. The auditor’s
ICT skill is trailing behind the competence required to complete an engagement successfully. Top concerns are how to bridge the huge skills
gap between what the ICT skills expectations of auditors and the status quo.
1.3 OBJECTIVE OF THE STUDY
- To know the extent to which computerized accounting information systems present audit risk challenges and hence risk to the
reliability of Audit report? - To find out whether training of future accountants and auditors require revolution to reflect the IT competence requirements by
the regulatory environment? - To know is there are problems of internal control in an ICT environment.
- To find out the solutions to the problems of internal control in an ICT environment.
1.6 SIGNIFICANCE OF THE STUDY
The study is expected to make recommendations to accountant and auditors in the accounting profession on the problems and solutions of
internal control in the ICT environment. The opinions of this study will also open up future vents for young practitioners /scholars in the
accounting profession and academic field in topical area under investigation and finally, this study will also be a useful guide and
information to other students that will carry out their studies in the future.
1.7 SCOPE OF THE STUDY
The study limit scope to professional accountants and auditor and the accounting profession in Nigerian bottling company PLC and
breweries.
1.8 LIMITATION OF THE STUDY
In carrying out an investigation of his kind, the researcher must of necessity be faced the following constraint.
Time: The time frame provision for this study was too short.
Financial constraints: Usually, a study of this nature involved some level of expenditure therefore; finance was also a limiting factor.
Poor response: The poor response from the respondent and inability to access the entire population also was another constrain to the
study.
Organizational policy: The policies of the organizations also were another factor that limited the study.
INTERNAL CONTROL IN AN ICT ENVIRONMENT PROBLEMS AND SOLUTIONS
