ITEE ITEE-1 | Page 157

●Risk evaluation and response
Measures against risk are reviewed after identifying, analyzing and evaluating risks that pose a threat to the achievement of organizational objectives.

●Control activities
“Control activities” are policies and procedures for incorporating internal control into business activities. In order to implement them, a company must consider the following points.
• Identify the risks that are produced by business processes, illegal acts, fraudulent acts, etc.
• Identify the authority and responsibilities of the persons in charge and work on the segregation of duties.
• Establish rules to be followed when responding to risks along with a system for checking whether they are properly implemented.

Reference: Segregation of duties
“Segregation of duties” refers to dividing the authorities and responsibilities of a single job among several people.

●Information and communications
An environment is established in which everyone within the environment can properly acquire, communicate, and share the necessary information.

●Monitoring
Evaluations are carried out to make sure internal controls are functioning properly. This includes “daily monitoring,” which is carried out on an ongoing basis, regular “independent evaluations” and a “whistle-blowing system” for people to report illegal and fraudulent acts. These monitoring activities are utilized to monitor, evaluate, and correct the internal control situation.

●Response to IT
“Response to IT” is the act of appropriately incorporating the necessary information systems within operations after establishing policies and procedures to achieve the organizational objectives. A better system of internal control is constructed by introducing information systems and improving the efficiency and effectiveness of operations.

Reference: IT strategy
An “IT strategy” is a medium- to long-term strategy established to define the company’s information system strategy, how much it will invest, etc. in order to make the information system an effective part of the business strategy.

Reference: IT governance
The definition of IT governance as provided by the Ministry of International Trade and Industry (now the Ministry of Economy, Trade and Industry) is “the organizational capacity of a company to control the formulation and implementation of an IT strategy and guide it in the proper direction to establish a competitive advantage.”

2 IT Governance
“IT governance” is a framework for establishing an IT strategy to utilize information systems and governing its implementation. A company’s relative merits and competitiveness depend on how well it utilizes information systems. For example, even if a large investment is made to introduce information systems, there will not be a significant investment effect if they do not conform to the management policy or meet the users’ needs. The purpose of IT governance, therefore, is to ensure the achievement of the goals of the business strategy through the utilization of information systems, and to improve competitiveness.