CHAPTER ONE INTRODUCTION 1.1 BACKGROUND STUDY Internal audits are designed to evaluate the effectiveness of an operation’s internal controls by first gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such occurrences. Then, they test the application and performance of those controls to assess how well they work. Managers ought to routinely evaluate controls in their department’s operations by following the same process.
Computers and networks provide most of the information needed for auditing. In order to be effective, auditors must use the computer as an auditing tool, audit automated systems and data, understand the business purposes for the systems, and understand the environment in which the systems operate. The other important uses for computers and networks by auditors are in audit administration. By seeking new uses for computers and communications, auditors improve their ability to review systems and information and manage their activities more effectively. Automated tools allow auditors to increase individual productivity and that of the audit function.
As a result of some notorious recent audit failures involving large corporations around the world especially in the United States, the Sarbanes Oxley Act (SOX) was enacted in United States of America since 2002. This ACT has become a de facto international standard for good governance and controls of Companies. It requires that (Section 302) the chief executive and chief financial officers of public companies attest to the accuracy of financial reports and auditing process, in most cases, must provide a reasonable safeguard against fraudulent and inaccurate financial reporting. ‘Financial statements cannot be useful if they are based on unreliable and inaccurate recordings of transactions’ Elmaleh, ( 2012). Following the financial crisis and the catalogue of public sector scandals, better education and improvements in the transparency of the audit process are needed (ACCA, 2010).
According to Michelson, Stryker and Thorne (2009), Sarbanes-Oxley Act (SOX), Section 404 requires public companies to establish adequate internal controls over financial reporting. Turnbull Report 1999 in the UK provided principle-based guidance for creating strong internal control system and later incorporated into Combined Code, revised in 2005 also presents standalone document on internal controls.
“The application of information technology (IT) has become central to the strategy and business processes of many entities. So, just as IT has become an integral part of the business, IT governance is now seen as an integral part of enterprise governance. In recognition of the importance of IT governance, an IT governance framework, Control Objectives for Information and Related
Technology (COBIT) was developed in 1996 as a reference framework for developing and managing internal controls and appropriate levels of security in IT. COBIT provides a set of generally accepted IT control objectives to assist entities in maximizing the benefits derived through the use of IT and developing the appropriate IT governance and control in a company” (IFAC, 2006). While Committee of Sponsoring Organizations of the Treadway Commission, (COSO) in the US and Turnbull report in the UK focus on the achievement of business objectives at the overall entity level, COBIT focuses specifically on information technology. These developments in internal controls issues have created similar developments in some other countries such as Canada, the European Union, Hong Kong, South Africa etc.
Organizations that can survive the currents in the uncertain competitive business environments must, as matter of necessity, ‘know how to take advantage of opportunities and counter threats, in many instances through effective application of controls, and therefore improve their performance’. Internal control is, therefore, a vital aspect of an organization’s governance system. Thus, internal controls involve putting in place the right kind of internal measures that will enable an organization to capitalize on opportunities while offsetting the threats. An ability to understand risk, manage risk, implemented, and actively monitor risk by the governing body, management, and other personnel is key to taking advantage of the opportunities and countering the threats in order to achieve the organization’s objectives (Li, 2012).
Apart from the prevention and detection of fraud, internal controls are put in place to reflect the strength of the overall accounting environment in an organisation as well as the accuracy of its financial and operational records. “Data security failures can cost a company in several ways. Fines for a single Incident have reached as high as $15 million. Legal, IT recovery, and other costs can be several times that. Violations of data security laws can lead to increased regulatory oversight. And then there’s the damage to reputation” (Drew, 2012).
One main managerial function that centrally is tasked with the business of capitalising on opportunities and offsetting the threats is the role of internal audit. Internal audit as a whole, in essence, can be seen as a special kind of economic control which is concerned with any phase of business activity which may be of relevant to management. ICT has virtually become indispensable part in the operations of any modern accounting and management information systems. Auditing, therefore, involves going beyond the accounting information or financial records to obtain a comprehensive understanding of the operations under review (Chun, 1997). This is done by testing and understanding of the system is required ‘to substantiate their opinions and/or provide advice to management on internal controls’ (IT Governance Institute, 2007).
1.2 STATEMENT OF PROBLEM
Professional Auditors must make judgments based on the knowledge, skills and experience that they have acquired or developed while training, or while working as a qualified professional. Those judgments must also be based on certain ethical values as well as a duty to serve the public interest. Identifying and assessing audit risk is a key part of the audit process. These risks must then be considered when designing the audit plan. A critical emphasis of the procedures of in identifying audit risks is making inquiries of management and Internal Auditors among others within the entity in order to place some reliance on internal controls. The objective of these auditing procedures is identifying risks, fraud and errors by testing Internal controls within the entity in order to place some reliance on management assertions.When determining the extent to which they may rely on Accounting Application Controls, auditors need to consider the extent to which specified controls have been implemented correctly. Information and Computer technology (ICT) has, by necessity, become fundamental part to any modern accounting information systems. Paper-based audit evidence is giving way to electronic ones in audit engagements. It is an understatement; however, to state that ICT is a high risk discipline due to high level of vulnerabilities and threats. Auditors’ responsibility in identifying fraud, however, has now been acknowledged by regulatory standards and the law. Auditing computerised accounting information systems has, therefore, become quite challenging.
It has become, therefore, very vital that auditors show significant competence ICT and become fully aware the impact of contemporary ICT issues on the audit of a client’s financial statements, both in the context of how it is used by a client to gather accounting data, process the data and report the resulting accounting information in its financial statements, and how the auditor can use ICT in the process of auditing the financial statements. The level of Skills in information technology has become a great concern for Audit service providers. The auditor’s ICT skill is trailing behind the competence required to complete an engagement successfully. Top concerns are how to bridge the huge skills gap between what the ICT skills expectations of auditors and the status quo.
1.3 OBJECTIVE OF THE STUDY
The main objective of the study is to examine the role of ICT in developing and effective internal control system. The specific objective is as follows:
1. To suggest a detailed role of internal auditor and required skills and competencies in IT related audit.
2. To address and detail out IT system (software/hardware) for continuous auditing.
3. To know if there are problems of effective internal control system in an ICT environment.
4. To find out the solutions to the problems of effective internal control system in an ICT environment.
1. What is the role of internal auditor and required skills and competencies in IT related audit?
2. What are the IT system (software/hardware) for continuous auditing?
3. Are there problems of effective internal control system in an ICT environment?
4. Are there solutions to the problems of effective internal control system in an ICT environment?
1.5 RESEARCH HYPOTHESES
HO: There is no significant impact of ICT in developing an effective internal control system.
HA: There is a significant impact of ICT in developing an effective internal control system.
1.6 SIGNIFICANCE OF THE STUDY
The study is expected to make recommendations to accountant and auditors in the accounting profession on the role of ICT in developing an effective internal control system. The opinions of this study will also open up future vents for young practitioners /scholars in the accounting profession and academic field in topical area under investigation and finally, this study will also be a useful guide and information to other students that will carry out their studies in the future.
1.7 SCOPE OF THE STUDY
The scope of the study covers the role of ICT in developing an effective internal control system. The study limit scope to Shell Petroleum Corporation (SPDC) Port Harcourt, Rivers State.
1.8 LIMITATION OF THE STUDY
In carrying out an investigation of this kind, the researcher must of necessity be faced the following constraint.
Time: The time frame provision for this study was too short.
Financial constraints: Usually, a study of this nature involved some level of expenditure therefore; finance was also a limiting factor.
Poor response: The poor response from the respondent and inability to access the entire population also was another constrain to the study.
Organizational policy: The policies of the organizations also were another factor that limited the study.
1.9 DEFINITION OF TERMS
Internal control: Itis a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Auditor: A person who conducts an audit.
Accountant: A person whose job is to keep or inspect financial accounts.
ICT: ICT (information and communications technology – or technologies) is an umbrella term that includes any communication device or application,
Internal auditor: An employee of a company charged with providing independent and objective evaluations of the company’s financial and operational business activities, including its corporate governance.
External auditor: An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited.