The impact of an IT governance framework on the internal control environment

DOI: https://doi.org/10.1108/RMJ-03-2016-0007
Date: 20 March 2017
Pages: 19-41
Published date: 20 March 2017
Author: Michele Rubino, Filippo Vitolla, Antonello Garzoni
Subject Matter: Information & knowledge management, Information management & governance
Michele Rubino, Filippo Vitolla and Antonello Garzoni
Department of Economics and Management, University LUM Jean Monnet,
Casamassima, Italy
Abstract
Purpose: The purpose of this paper is to analyze how an IT governance framework [Control Objectives for
Information and related Technology (COBIT)] influences the control environment and the internal control
system. In particular, it aims to illustrate how COBIT's structure and processes impact the seven
categories of factors that compose the control environment.
Design/methodology/approach: This paper aims to highlight how an IT governance framework, with
its processes, makes it possible to improve the assessment and implementation of the control environment.
Findings: The analysis indicates that the implementation of the COBIT framework provides some
indications for managers and auditors, who must implement or assess the internal control system.
Practical implications: The adoption of the framework allows managers to focus effectively on
integrating, aligning and linking processes. This improves the understanding of the key aspects connected to
the control environment. In addition, the adoption of the framework makes it possible to overcome some limitations
of the Committee of Sponsoring Organizations framework.
Originality/value: This paper addresses an area of relevance to both practitioners and academics. This
analysis focuses on Accounting Information Systems themes and, through the examination of an IT
governance framework, suggests solutions and tools that can help managers and auditors to address the
control environment assessment.
Keywords: Internal control system, COBIT 5, Control environment, COSO report, IT governance
Paper type: Viewpoint
1. Introduction
Internal control continues to represent an important topic in the business world
(Arwinge, 2013). Firms have a constant need for an internal control system, as they are
exposed to various risks that prevent the achievement of specific objectives (Simons, 1995;
COSO, 2013). Past corporate experiences and the global financial crisis have shown the
importance of the internal control and risk management system. Such events have led to the
full recognition of the strategic role of controls, especially when considering the internal
control system as a crucial element for any organization (Collier et al., 2007; Fraser and
Simkins, 2010).
An effective internal control system is ensured by a clear identification and evaluation of
the control environment, which represents the overall control consciousness of an entity
(Zack, 2013). The control environment provides the basis on which management determines
the design of the internal control system and has an influence on each of the three internal
control objectives and on all activities (COSO, 1992, 2013; Moeller, 2011). It includes a set of
elements such as integrity and ethical values, the attitude of top management in the field of
control, the management philosophy, competence and professionalism of those working in
the firm and other variables such as the allocation of powers and responsibilities as well as
the existence of policies and procedures. These elements together define the level of
importance that the organization allocates to the controller (Beretta and Pecchiari, 2007;
Graham, 2015).
Received 12 March 2016. Revised 3 June 2016. Accepted 20 July 2016.
Records Management Journal, Vol. 27 No. 1, 2017, pp. 19-41. © Emerald Publishing Limited, 0956-5698.
The current issue and full text archive of this journal is available on Emerald Insight at: www.emeraldinsight.com/0956-5698.htm
Most firms use the Committee of Sponsoring Organizations (COSO) Internal Control
Framework as a benchmark for assessing the effectiveness of their internal controls,
including their control environment. This framework helped companies to detect, as well as
to prevent, errors in the internal control system but, despite the update, the new 2013 version
still has some limitations (Rubino and Vitolla, 2014a). Although one of the most relevant
components of the COSO framework is information and communication, it should be noted
that this framework did not explicitly consider internal control concepts related to
information technology (Janvrin et al., 2012; Chen et al., 2014; Rubino and Vitolla, 2014a).
Presently, more than ever before, information technology (IT) has been recognized as a core
competitive and strategic competency for most organizations (Bendoly et al., 2009; Ojiako,
2012). IT became an increasingly important part of the operations within firms, which use
computers to process information. Moreover, IT impacts every aspect of accounting,
including financial reporting, managerial accounting, auditing and tax (Bagranoff et al.,
2010). Considering that most accounting systems are computerized, accountants should
understand how hardware, software and human procedures turn data into decision-useful
financial information and how to develop and evaluate internal controls (Simkin et al., 2015).
Therefore, it is necessary to understand the control activity that information systems
manage in order to obtain an effective evaluation of the key aspects connected to the control
environment.
From this perspective, it should be recognized that every firm needs effective IT
governance, which ensures that IT is efficient and effective and also meets the needs of the
organization, considering those relating to the internal control system (Weill and Ross, 2004;
Haislip et al., 2015). One of the widely accepted IT governance frameworks is
the Control Objectives for Information and related Technology (COBIT). This framework,
now in its fifth iteration, became a tool of corporate governance focused on the governance of
information systems, and it gained some significance not only in IT but also in relation to
issues of accounting information systems (AIS). Larger firms, especially in the USA, adopted
it to ensure an effective internal control system and to satisfy an ever-growing number of
statutory, regulatory and contractual requirements such as the Sarbanes-Oxley Act (SOX). In
this context, while the COSO framework should be considered as an overall evaluation
framework for internal control, COBIT provides useful guidance and background material
in the consideration of specific controls over technology (Protiviti, 2014).
Despite the growing importance that the framework is taking on in IT governance studies,
there has been limited research describing the benefits and the opportunities that firms could
receive from using the COBIT framework in the process of assessing and implementing
internal control and its control environment. Based on these motivations, the purpose of this
article is to analyze how an IT governance framework such as COBIT can improve the
assessment of the control environment, which is considered the foundation of all of the other
components of internal control (Whittington, 2014). Understanding the COBIT-related
processes may help managers and auditors to implement an internal control system when
applying the COSO framework, as well. This approach improves internal controls and helps
organizations to better identify the key elements that constitute the control environment.
The remainder of the paper is organized as follows. Section 2 focuses on IT governance
and internal control. Section 3 presents the main factors that constitute the control
environment (COSO, 1992). Section 4 briefly illustrates the structure of COBIT and examines