Systems Auditability and Control Report (SAC). In 1991, the Institute of Internal Auditors Research Foundation issued a report entitled “Systems Auditability and Control” to provide a framework for internal auditors on internal control as it relates to information systems and information technology (IT). In this report, which was revised in 1994, the Institute defined internal control as a collection of methods, activities, functions, subsystems, and people that are consciously grouped together or segregated with a view to effectively achieving set goals and objectives. The SAC Report stated that internal control is concerned with providing reasonable assurance that, even with the acceptance of risks, organizational goals will be achieved.
The broad definition of internal control offered by SAC notwithstanding, the specific objectives of an organization’s information systems are the focus of the SAC Report. These include securing the correctness, and hence the reliability, of the information used for making decisions; ensuring that the organization’s IT assets are secured and protected; and complying with procedures and rules, whether internally or externally required (Masli et al., 2010).
The SAC Report recognizes three components of internal control (Noorvee, 2006). The first is the control environment, which includes the structure, policies and procedures of the organization, the control framework, and possible outside influences. The second component is the manual and automated systems, which are concerned with the ways in which business information is processed, reported or stored. The third component is the control procedures, which entail IT controls, application controls, and compensating controls. The SAC Report extensively discussed risk monitoring and assessment but did not particularly offer definitions for them.
Guidance on Control (CoCo). In 1995, the Canadian Institute of Chartered Accountants presented a control model called Guidance on Control (CoCo). According to Pfister (2009), CoCo defined internal control more broadly as “all the resources, processes, culture, structure, and tasks that, taken together, support people in achieving organizational objectives” (p. 19). It follows from this definition that assessing internal control amounts to assessing how the organization is managed. In its report, CoCo (1995) reckoned that effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws, regulations, and internal policies are the three categories of objectives that an organization seeks to achieve.
IFAC (2006) stated that CoCo articulated 20 criteria of control within four control areas that can be used to assess the effectiveness, or otherwise, of an internal control system. CoCo contended that the effectiveness of an internal control system cannot be ascertained using only one criterion, and that an assessment of ICE can only be made in relation to one of the objectives, not to all of them as a category, as in COSO. Thus, the overall effectiveness of internal control in an organization includes the dynamic interaction among its various elements.
The four areas of control are “purpose, commitment, capability, and monitoring and learning” (IFAC, 2006, pp. 4-5). Purpose criteria are the factors that affect the direction of the entity. They address the organization’s objectives, risks and opportunities, policies, planning and performance targets, and indicators (CoCo, 1995). Commitment criteria are the factors that give the entity its identity. They include the entity’s ethical values, personnel management practices, authority and responsibility, accountability, and control activities. Capability as an area of control addresses the factors that determine the competence of the organization. According to CoCo (1995), these include knowledge, skills, tools, communication processes, information, coordination and control activities. Monitoring and learning are concerned with the perpetuation of the entity. This includes scanning the environment, ensuring that performance conforms to set targets, reviewing the premises upon which past decisions were based, re-examining the system in relation to the adequacy of information, establishing processes to ensure that corrections are indeed effected, and assessing the effectiveness of control.
As stated by Jokipii (2006), the CoCo and COSO frameworks share so many similarities that the four control areas of CoCo can be restructured into the five components of COSO. He stated further that only minor differences exist between the two frameworks: CoCo includes two criteria not expressly stated in COSO, namely mutual trust between persons and the reviewing of the premises upon which assumptions were made. Likewise, CoCo includes the setting of objectives, strategic planning and the management of risks, and corrective actions, all of which are excluded from COSO. In general, although the CoCo model was built on the COSO Report, it is seen as more concrete and adaptable, thus overcoming the difficulty associated with reading and understanding the COSO Report.
Control Objectives for Information and Related Technology (COBIT). COBIT is an information technology framework designed to assist organizations in their quest for regulatory compliance, risk management, and the alignment of IT strategy with organizational objectives. Issued in 1996 by the Information Systems Audit and Control Association, COBIT defined internal control as the policies, methods, practices, and organizational structures designed to provide reasonable assurance that the objectives of the business will be achieved and that undesired events will be prevented, or detected and corrected (Bernroider & Ivanov, 2011; Tuttle & Vandervelde, 2007).
COBIT is primarily concerned with the need to monitor information systems efficiently and effectively, and managers can use it to develop clear policy and good practice for the control of IT (Ridley, Young, & Carroll, 2008; Tuttle & Vandervelde, 2007). It can facilitate the administration of internal controls in banks, whose operations are inevitably connected with the reporting of financial information and the storage, processing and management of financial data and documents.