CHAPTER ONE
INTRODUCTION
1.1 BACKGROUND STUDY
As a result of some notorious recent audit failures involving large corporations around the world, especially in the United States, the Sarbanes-Oxley Act (SOX) was enacted in the United States of America in 2002. This Act has become a de facto international standard for good governance and control of companies. Section 302 requires that the chief executive and chief financial officers of public companies attest to the accuracy of financial reports, and the auditing process, in most cases, must provide a reasonable safeguard against fraudulent and inaccurate financial reporting. ‘Financial statements cannot be useful if they are based on unreliable and inaccurate recordings of transactions’ (Elmaleh, 2012). Following the financial crisis and the catalogue of public sector scandals, better education and improvements in the transparency of the audit process are needed (ACCA, 2010).
According to Michelson, Stryker and Thorne (2009), Section 404 of the Sarbanes-Oxley Act (SOX) requires public companies to establish adequate internal controls over financial reporting. The Turnbull Report (1999) in the UK provided principle-based guidance for creating a strong internal control system and was later incorporated into the Combined Code, which, revised in 2005, also presents a standalone document on internal controls.
“The application of information technology (IT) has become central to the strategy and business processes of many entities. So, just as IT has become an integral part of the business, IT governance is now seen as an integral part of enterprise governance. In recognition of the importance of IT governance, an IT governance framework, Control Objectives for Information and Related Technology (COBIT) was developed in 1996 as a reference framework for developing and managing internal controls and appropriate levels of security in IT. COBIT provides a set of generally accepted IT control objectives to assist entities in maximizing the benefits derived through the use of IT and developing the appropriate IT governance and control in a company” (IFAC, 2006). While the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the US and the Turnbull Report in the UK focus on the achievement of business objectives at the overall entity level, COBIT focuses specifically on information technology. These developments in internal control issues have prompted similar developments in some other countries such as Canada, the European Union, Hong Kong, South Africa, etc.
Organizations that can survive the currents of uncertain, competitive business environments must, as a matter of necessity, ‘know how to take advantage of opportunities and counter threats, in many instances through effective application of controls, and therefore improve their performance’. Internal control is, therefore, a vital aspect of an organization’s governance system. Thus, internal controls involve putting in place the right kind of internal measures that will enable an organization to capitalize on opportunities while offsetting the threats. The ability of the governing body, management, and other personnel to understand risk, manage risk, implement measures, and actively monitor risk is key to taking advantage of the opportunities and countering the threats in order to achieve the organization’s objectives (Li, 2012).
Apart from the prevention and detection of fraud, internal controls are put in place to reflect the strength of the overall accounting environment in an organisation as well as the accuracy of its financial and operational records. “Data security failures can cost a company in several ways. Fines for a single incident have reached as high as $15 million. Legal, IT recovery, and other costs can be several times that. Violations of data security laws can lead to increased regulatory oversight. And then there’s the damage to reputation” (Drew, 2012).
One main managerial function that is centrally tasked with capitalising on opportunities and offsetting the threats is internal audit. Internal audit as a whole can, in essence, be seen as a special kind of economic control which is concerned with any phase of business activity that may be of relevance to management. ICT has become a virtually indispensable part of the operations of any modern accounting and management information system. Auditing, therefore, involves going beyond the accounting information or financial records to obtain a comprehensive understanding of the operations under review (Chun, 1997). This is done by testing, and an understanding of the system is required ‘to substantiate their opinions and/or provide advice to management on internal controls’ (IT Governance Institute, 2007).
1.2 STATEMENT OF PROBLEM
Professional auditors must make judgements based on the knowledge, skills and experience that they have acquired or developed while training, or while working as qualified professionals. Those judgements must also be based on certain ethical values as well as a duty to serve the public interest. Identifying and assessing audit risk is a key part of the audit process. These risks must then be considered when designing the audit plan. A critical emphasis of the procedures for identifying audit risks is making inquiries of management and internal auditors, among others within the entity, in order to place some reliance on internal controls (Jones, 2009). The objective of these auditing procedures is to identify risks, fraud and errors by testing internal controls within the entity in order to place some reliance on management assertions.
According to Pine (2011), when determining the extent to which they may rely on accounting application controls, auditors need to consider the extent to which specified controls have been implemented correctly. Information and Computer Technology (ICT) has, by necessity, become a fundamental part of any modern accounting information system. Paper-based audit evidence is giving way to electronic evidence in audit engagements. It is an understatement, however, to state that ICT is a high-risk discipline due to its high level of vulnerabilities and threats. Auditors’ responsibility for identifying fraud, however, has now been acknowledged by regulatory standards and the law. Auditing computerised accounting information systems has, therefore, become quite challenging.
It has therefore become vital that auditors show significant competence in ICT and become fully aware of the impact of contemporary ICT issues on the audit of a client’s financial statements, both in the context of how ICT is used by a client to gather accounting data, process the data and report the resulting accounting information in its financial statements, and how the auditor can use ICT in the process of auditing the financial statements. The level of skills in information technology has become a great concern for audit service providers. The auditor’s ICT skill is trailing behind the competence required to complete an engagement successfully. A top concern is how to bridge the huge gap between the ICT skills expected of auditors and the status quo.
1.3 OBJECTIVE OF THE STUDY
1.4 RESEARCH QUESTIONS
1.5 RESEARCH HYPOTHESES
H0: There are problems of internal control in the ICT environment.
H1: There is a solution to the problems of internal control in the ICT environment.
1.6 SIGNIFICANCE OF THE STUDY
The study is expected to make recommendations to accountants and auditors in the accounting profession on the problems and solutions of internal control in the ICT environment. The opinions of this study will also open up future avenues for young practitioners/scholars in the accounting profession and academic field in the topical area under investigation. Finally, this study will be a useful guide and source of information for other students who will carry out their studies in the future.
1.7 SCOPE OF THE STUDY
The scope of the study is limited to professional accountants and auditors and the accounting profession in Nigerian Bottling Company PLC and breweries.
1.8 LIMITATION OF THE STUDY
In carrying out an investigation of this kind, the researcher must of necessity face the following constraints.
Time: The time frame provided for this study was too short.
Financial constraints: Usually, a study of this nature involves some level of expenditure; therefore, finance was also a limiting factor.
Poor response: The poor response from the respondents and the inability to access the entire population were another constraint on the study.
Organizational policy: The policies of the organizations were another factor that limited the study.
1.9 DEFINITION OF TERMS
Internal control: It is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Auditor: A person who conducts an audit.
Accountant: A person whose job is to keep or inspect financial accounts.
ICT: ICT (information and communications technology – or technologies) is an umbrella term that includes any communication device or application, encompassing radio, television, cellular phones, computer and network hardware and software, satellite systems and so on, as well as the various services and applications.
Internal auditor: An employee of a company charged with providing independent and objective evaluations of the company’s financial and operational business activities, including its corporate governance.
External auditor: An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited.