The five-element framework contained in the basic norms of enterprise internal control:
(1) Internal environment. The internal environment is the collective term for the various internal factors that affect and constrain the establishment and implementation of internal control in an enterprise, and it is the basis for implementing internal control. The internal environment mainly includes governance structure, organizational structure and distribution of rights and responsibilities, corporate culture, human resources policies, internal audit institutions and anti-fraud mechanisms.
(2) Risk assessment. Risk assessment is a process of timely identifying, scientifically analyzing and evaluating all kinds of uncertain factors that affect the realization of internal control objectives of enterprises and taking corresponding measures, which is an important link in implementing internal control. Risk assessment mainly includes goal setting, risk identification, risk analysis and risk response.
(3) Control measures. Control measures are the methods and means used to ensure that the enterprise's internal control objectives are achieved, based on the risk assessment results and combined with the risk response strategies; they are the concrete ways of implementing internal control. Control measures are formulated according to the characteristics and requirements of the enterprise's specific business and matters, and mainly include division of responsibilities control, authorization control, examination and approval control, budget control, property protection control, accounting system control, internal reporting control, economic activity analysis control, performance evaluation control and information technology control.
(4) Information and communication. Information and communication is the process of collecting, in a timely, accurate and complete manner, all kinds of information related to enterprise management, and of transmitting, communicating and correctly applying this information among the relevant levels of the enterprise in an appropriate way. It is an important condition for implementing internal control.
(5) Supervision and inspection. Supervision and inspection is the process in which an enterprise supervises, inspects and evaluates the soundness, rationality and effectiveness of its internal control, forms a written report and takes corresponding action. It is an important guarantee for the implementation of internal control.
Accordingly, the internal control framework of information technology should also pay attention to the five-element framework of enterprise internal control:
(1) The internal control environment of information technology. The internal environment of the enterprise IT field is the IT internal control environment, and likewise it is the basis for implementing IT internal control. It mainly includes IT governance structure, IT organization and responsibilities, IT decision-making mechanism, IT compliance and IT audit.
(2) Information technology risk assessment. The IT risk brought by enterprise informatization has become the main aspect of enterprise risk management. Risk assessment mainly includes goal setting, risk identification, risk analysis and risk response. IT goal setting can be understood as IT strategy and IT planning, while IT risk identification, analysis and response cover information asset risk, IT process risk and application system risk.
(3) Information technology control measures. According to the results of risk assessment, it is necessary to implement specific control measures in IT. These include IT technical control measures, such as firewall, antivirus, intrusion detection, identity management and authority management, and IT management control measures, which comprise various IT management controls and processes, such as development management, project management, change management, security management, operation management, separation of responsibilities, and authorization and approval.
(4) Information and communication. In the IT field, it is also necessary to define specific IT management systems and communication mechanisms, establish service desks and event management procedures, and promptly convey information relevant to the enterprise's internal levels and to external parties.
(5) Supervision and inspection. It is necessary to establish an audit mechanism for the IT internal control system to evaluate the effectiveness of IT controls. Through IT technical means such as logs, monitoring systems and comprehensive analysis platforms, together with internal IT audit, management review and special inspections, the internal control of enterprise IT is continuously improved.
Based on a comprehensive analysis of the IT internal control elements, Gu 'an Tianxia divides IT control into three levels:
(1) Company-level control. Establish IT governance structure at the company level, improve IT organization and responsibilities, formulate IT decision-making mechanism, implement performance appraisal of IT personnel, and strengthen IT compliance and IT audit.
(2) Process and application layer control. Analyze the business processes and activities of the enterprise, and establish controls for business processes, application systems and general IT processes, focusing on the technical control and process control of the various business and application systems related to financial statements.
(3) Resource layer control. For all kinds of information assets and IT resources on which the business operation of the enterprise depends, analyze the risks of each specific resource point and establish risk control measures.
References:
The answer comes from related articles published by Gu 'an Tianxia website consultants.
The key words are: enterprise internal control and IT internal control.