Controls for information technology and reporting and evaluation

Internal Control Reporting Options The company to be discussed here is Protection Ltd. It is a company that provides security guards and surveillance weapons to its customers. It has recently implemented a computerized database system that stores all information about its employees, security guards, inventory, customers, and competitors. It also helps one branch to electronically interact with branches in other cities.
Generally, the internal control reporting options include generic tools, document management and work flow tools, real-time compliance tools, and data-mining tools. The above-mentioned company implements real-time compliance tools to obtain company-wide data through one and only one source of information, which is its database. These tools notify the management about any compliance problems, and tend to provide accurate and timely information, making the company more open to the varying business requirements. These tools also help the management to prepare reliable financial statements. Apart from the real-time compliance tools, my company implements all the five components of internal control: control environment, risk assessment, information and communication systems, control activities, and monitoring.
To evaluate the internal controls, it is first important to understand the definition of internal control; organize a project team to conduct the evaluation; evaluate internal control at the entity level; understand and evaluate internal control at the process, transaction, or application level; and, evaluate overall effectiveness, identify matters for improvement, and establish monitoring system. The criteria against which the internal controls of my company are to be evaluated is the Sarbanes-Oxley Act of 2002, which requires that the management must include an internal control reporting assessment with its annual report. My company uses AICPA/CICA Trust Services framework in their IT-based work, as an information systems auditor, to evaluate internal controls over information technology.
Section 404 of the Sarbanes-Oxley Act of 2002 requires that I, as a manager of internal controls, should include a statement of my responsibility for implementing and maintaining proper internal controls, along with a report that should summarize how effective these internal controls have been through the year, in the company’s annual report. The Act also requires me to submit a report that summarizes the framework that I use to evaluate the internal controls, along with a statement or report that states that an external auditor has issued an attestation testimony on my internal control evaluation. The framework is to be established by group of people, who follow the correct procedure that is free of bias, allows qualitative and quantitative measurements, and is relevant to the evaluation of internal control option in financial reporting. My company uses COSO as a criteria or framework to evaluate IT based internal controls. COSO is issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and satisfies the SEC criteria.
To conclude, my company evaluates its internal controls against the Sarbanes-Oxley Act of 2002, and makes sure that suitable internal controls are implemented and maintained on a regular basis. At the end of the year, the internal control assessment report is submitted with the company’s annual report, along with information on the COSO framework used to evaluate the internal controls of the company.