
Designing Internal Controls for IT Systems

Internal control systems

Uploaded by bolaji
Designing Internal Controls in Computer and Electronic System
What Are Internal Controls?
• Internal controls are the policies and procedures or technical
safeguards that organizations implement to prevent problems and
protect assets. Internal controls are typically established to avoid or
minimize loss.
• Organizations can implement three different types of internal controls:
detective, preventative, and corrective.
• Detective controls try to identify an adverse event after it has occurred.
• Corrective controls are implemented to remedy whatever
vulnerabilities allowed the event to happen.
• Preventative controls actually attempt to prevent those risks from
occurring in the first place.
• In information security, internal controls consist of security
policies and procedures, plans, devices, and software
intended to strengthen cybersecurity.
• Internal control is a process, effected by an entity’s board of
directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives relating to operations, reporting and compliance.
Internal Control Objectives
Effective internal control provides bankers reasonable assurance that:
1. Bank operations are efficient and effective.
2. Recorded transactions are accurate.
3. Financial reporting is reliable.
4. Risk management systems are effective.
5. The bank complies with banking laws and regulations, internal
policies, and internal procedures.
Reasons for setting up a good system of internal control
• (i) To provide reliable data, for example the price to charge for
services rendered
• (ii) To safeguard assets and records: physical assets and digital
information
• (iii) To promote operational efficiency: time saving
• (iv) To encourage adherence to prescribed policies
• (v) To comply with the Foreign Corrupt Practices Act of 1977:
What Are the Five Components of Internal Control?

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring activities

They help with designing, implementing, conducting, monitoring, and
assessing internal control processes.
Control Environment
• The control environment encompasses your organization’s attitude
toward internal controls.
An effective control environment should include:
1. A commitment to integrity and ethical values
2. Independent oversight by the board of directors (non-executive members)
3. Well-documented structures, reporting lines, authorities, and responsibilities
4. A drive to attract, develop and retain competent people
5. Accountability for internal control responsibilities
Risk Assessment
• The risk assessment process includes identifying and analyzing your organization’s
risks. It forms the basis for how risks should be managed and mitigated.

Your risk assessment should:


• Clearly specify objectives
• Identify risks to the achievement of objectives
• Consider the potential for fraud
• Identify and assess significant changes
Types of Risk
• Credit Risk
• Risk of Fraud
• Operational Risk
• Cyber attack
Control Activities
• These are the actions established by policies and procedures
that help to assure management directives are carried out.
To be successful, your control activities should:
• Address the risks identified in your risk assessment
• Be clearly documented and communicated to stakeholders and staff
• Evolve with the changing needs of your business
Information and Communication
• The systems and processes that support identifying,
capturing, and exchanging information allow people to carry
out their duties effectively.
Your information and communication systems should:
• Facilitate the generation, gathering, and use of quality information throughout your
enterprise
• Define the processes for internally communicating information about internal
controls
Monitoring Activities
• These are the processes that identify, monitor, and report on
the quality of your internal controls.
Your monitoring activities should include:
• Ongoing and/or separate evaluations
• Evaluation and communication for any internal control deficiencies
4 Steps in Designing Controls
• 1. Identify the potential error (risk)
• 2. Decide whether you want to prevent or detect the error
• 3. Design effective and efficient internal controls: cost vs. benefit,
manual or computer
• 4. Monitoring
Control in Electronic Payment System
• Electronic payments have many benefits: they are faster and cheaper than
checks, they can’t get “lost in the mail,” and they can be processed
remotely
• Switching from paper checks to E-payments can sometimes cause a
breakdown in an organization’s internal controls
• With electronic payments, there is no check to sign
• The best way to reduce fraud risk (and prevent simple mistakes) is to split
up the parts of a transaction between two or more people.
• For check payments, this segregation of duties is very clear. A bookkeeper
can enter payments into the accounting system, but cannot sign checks.
Control in Electronic Payment System
• With electronic payments, there is no check to sign. So how do you
keep these duties separated?
• In this kind of system, one person enters the bill information and
a second person approves the release of funds.
• The person entering the bill cannot approve payment, and the person
approving the bill cannot make changes to the amount or recipient of
the payment
• The approver can view an electronic image of the original bill or
invoice, and compare it to the information that was entered into the
accounting system
• The best electronic bill payment systems will automatically sync to
your accounting system, reducing the time spent on data-entry.
• All supporting documentation and transaction information is right at
your fingertips
• By implementing a strict approval process with the help of an
electronic bill payment system, you can rest easy about your internal
controls, no matter what new challenges lie ahead.
Designing Controls for Control Environment
1. Set criteria that lay emphasis on integrity, ethics and competence
for appointment into board
2. Establish effective corporate governance
3. Board members and senior officers should have at least basic
knowledge of e-payment
4. Controls must be clear about cyber security, and it must be a priority
5. Senior officers should need the assistance of a subordinate to
complete some tasks
6. Policy on regular review of controls
Designing Controls for Risk Assessment
• Establish a risk management committee of the board
• Identify the risks: operational (payment without approval), cyber
crime, credit, etc.
• Audit personnel and internal control experts should be involved in risk
assessment and risk evaluation
• When the bank is developing new products, internal control experts
should be involved
• IT experts should implement the controls designed by internal control
experts
Practical – Design Control – Risk Assessment
• Payment without Approval
• Unauthorized Staff making payment
Designing Controls for Control Activities
• Determine whether policies and procedures exist to ensure that decisions
are made with appropriate approvals and authorizations for transactions
and activities
• Are safeguards in place for access to and use of sensitive assets and
records (ATM, cards safe, wire transfer activities, etc.)?
• Separation of duties should be emphasized in the organizational structure
• Internal review of employee accounts
• To whom, or to what level, the function reports the results of work
performed.
• Controls must ensure compliance, e.g. cash limits
Practical – Design Control – Control Activities
Let's look at this in a payment system
• Split up the parts of a transaction between two or more people.
• Access control: password, token and one-time password (OTP)
• Audit Trail
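The segregation of duties described under "Control in Electronic Payment System" and the audit trail listed above can be enforced in the payment software itself. The sketch below is an added example, not part of the original slides; the class name `PaymentSystem`, the role names `enterer` and `approver`, and the data layout are assumptions. It also covers the case of a user holding both roles: whoever last set the payee or amount counts as the enterer and cannot approve that payment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
class ControlViolation(Exception):
    """An action that would break segregation of duties."""

@dataclass
class Payment:
    payee: str
    amount_cents: int
    entered_by: str          # last user to set payee/amount
    status: str = "PENDING"
    approved_by: str = ""

class PaymentSystem:  # hypothetical names; "enterer"/"approver" roles are assumptions
    def __init__(self, roles):
        self.roles = roles       # user -> set of role names
        self.payments = {}
        self.audit_trail = []    # append-only: (time, user, action, payment_id, outcome)

    def _log(self, user, action, pid, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append((stamp, user, action, pid, outcome))

    def _deny(self, user, action, pid, reason):
        self._log(user, action, pid, "DENIED: " + reason)  # refusals are recorded too
        raise ControlViolation(f"{action} by {user} denied: {reason}")

    def enter(self, user, payee, amount_cents, pid=None):
        """Create a payment, or amend a pending one; the user becomes its enterer."""
        if "enterer" not in self.roles.get(user, ()):
            self._deny(user, "enter", pid, "missing enterer role")
        if pid is not None and self.payments[pid].status != "PENDING":
            self._deny(user, "enter", pid, "payment already approved")
        pid = pid or len(self.payments) + 1
        self.payments[pid] = Payment(payee, amount_cents, entered_by=user)
        self._log(user, "enter", pid, "OK")
        return pid

    def approve(self, user, pid):
        """Release funds; the approver may not be the person who entered the data."""
        payment = self.payments[pid]
        if "approver" not in self.roles.get(user, ()):
            self._deny(user, "approve", pid, "missing approver role")
        if user == payment.entered_by:
            self._deny(user, "approve", pid, "approver entered this payment")
        if payment.status != "PENDING":
            self._deny(user, "approve", pid, "not pending")
        payment.status, payment.approved_by = "APPROVED", user
        self._log(user, "approve", pid, "OK")
```

Because denied attempts are written to the same trail as successful ones, a reviewer can see who tried to bypass the approval step, not only who completed it.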
Designing Controls for Information and Communication
• The systems should properly identify, assemble, analyze, classify,
record, and report the institution’s transactions in accordance with
GAAP
• The type, number, and depth of reports generated for operational,
financial, managerial, and compliance-related activities
• Access to information systems should be properly restricted.
• The frequency of testing given the level of risk and sophistication of
the systems.
Practical – Design Control – Control Communication
Let's look at this in a payment system
• Who can send reports to senior managers, customers, suppliers, etc.?
• Is the report recipient registered, or can it be typed manually?
Designing Controls for Self-assessment and Monitoring
• How the board should respond to identified control weaknesses
should be defined
• Qualifications and independence of personnel evaluating controls
must be adequate.
• Control personnel, internal auditors, must have some level of
independence
Practical – Design Control – Monitoring
Let's look at this in a payment system
• Who creates users?
• Who sets up tasks?
• What is the control process: restrict access or delete the user?
Thank You