Introduction To COSO & COBIT

Transcription

Introduction to COSO & COBIT
Steve Shofner, IT Consultant, Moss Adams
Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente
Core Competencies – C3

Learning Objectives
- History of Controls Frameworks
- Overview of Financial Controls & Their Use
- COSO Overview
- COBIT Overview

HISTORY OF CONTROLS FRAMEWORKS

History of Controls Frameworks
- 1929: Wall Street Crash
- 1934: US Securities and Exchange Commission (SEC) formed
  – Public companies required to perform annual audits
- 1987: Treadway Commission, in response to corrupt mid-1970s accounting practices, retains Coopers & Lybrand to perform a project to create an accounting control framework.

History of Controls Frameworks
- 1992: "Internal Control – Integrated Framework," a four-volume report, was released by the Committee of Sponsoring Organizations (COSO)
  – Per CFO Magazine, COSO used by 82% of survey respondents

Substantive vs. Control Testing
(Figure: controls testing or substantive testing?)

History of Controls Frameworks
- 1996: Information Technology Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
- 2002: Sarbanes-Oxley (SOX) Act passed, requiring companies to adopt and declare a framework used to define and assess internal controls

History of COBIT
(Figure: evolution of scope over successive releases)
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/7): IT Governance, alongside Val IT 2.0 (2008) and Risk IT (2009)
- COBIT 5 (2012): Governance of Enterprise IT
A business framework from ISACA, at www.isaca.org/cobit

OVERVIEW OF FINANCIAL CONTROLS & THEIR USE

Controls
- CONTROL: A proactive step taken by "management" to accomplish an objective
  – Management is any employee of the firm
  – The term management is used because they are usually responsible for implementing and maintaining effective controls
- Controls attain OBJECTIVES: The purpose one's efforts or actions are intended to attain or accomplish (to address risks)
- Objectives address RISKS: The potential for loss (financial or operational)

Types Of Objectives
- Financial: …cy, Validity, Authorization, Real…, Rights & Obligations, Presentation & Disclosure
- IT & …y: Reliability, Effectiveness, Efficiency
(Some labels in this slide did not survive extraction and are shown truncated.)

Types of Controls
- Automated Controls
  – These are programmed financial controls
  – They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  – Test of one versus a statistical test of many
- Partially-Automated Controls
  – People-enabled controls
  – People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function
- Manual Controls (no IT-dependence)
  – People enable the control
  – Controls that are 100% independent of IT systems

Other Ways To Categorize Controls
- Prevent Controls
  – The locks on your car doors
- Detect Controls
  – Your car alarm
- Correct Controls
  – Your auto insurance
  – A LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)

Yet More Ways To Categorize Controls
- Environmental Controls (a.k.a. "Governance")
- Financial Controls
- Operational Controls
- IT General Controls
  – User Administration
  – Change Management
  – IT Operations
  – Physical Environment

Controls: Multidimensional
(Figure: a control sits on several axes at once, e.g. IT vs. Environmental and Automated vs. Manual)

Classifying Controls
Example 1: To ensure that only authorized payments are made, all checks issued require a signature.
- Accomplishes the financial objective, authorized.
- Someone manually signs the check
- An unsigned check prevents it from being cashed
Example 2: All user requests (on MAC forms) must have a supervisor's signature authorizing the user's access.
- Accomplishes the IT General Control objective, authorized.
- Someone manually signs the MAC form
- Unsigned MAC forms will not be processed, thereby preventing unauthorized access

Control Activities (Examples)
1. Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
   – Manual control: Buyer compares signature on Purchase Request to list of approvers
   – Automated control: Application only allows authorized approvers to approve
2. Objective: Goods can only be purchased from vendors who have been pre-approved
   – Manual control: Buyer only purchases from hardcopy list of approved vendors
   – Automated control: PO system provides limited options in a drop-down menu, populated from a list of approved vendors.
3. Objective: AP Clerk prepares a "voucher package," including: Purchase Order, Shipping Slip, Invoice, Check (Payment). AP Clerk ties out all information across three documents to ensure completeness & accuracy
   – Manual control: AP Clerk ties out all information across three sources
   – Automated control: Application ties out all information across all three sources (see next control)
4. Objective: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments
   – Manual control: Receiving Clerk manually performs control
   – Automated control: none
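The automated column of this table, as an added example that is not from the slides: a small Python model of the approver check, the approved-vendor drop-down and the three-way tie-out of PO, shipping slip and invoice, with the data model (Doc) and all sample documents constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed master data (not from the slides): who may approve purchase
# requests, and which vendors purchasing has pre-approved.
APPROVERS = {"alice", "bob"}
APPROVED_VENDORS = {"V100": "Acme Supply", "V200": "Globex"}

@dataclass
class Doc:
    """One document in the voucher package: PO, shipping slip or invoice."""
    po_number: str
    vendor_id: str
    qty: dict                                   # sku -> quantity
    price: dict = field(default_factory=dict)   # sku -> unit price (PO, invoice)

def approve_purchase_request(approver: str) -> bool:
    """Control 1 (prevent): approvals are accepted only from listed approvers."""
    return approver in APPROVERS

def vendor_choices() -> list:
    """Control 2 (prevent): the PO form's drop-down is populated from the
    approved list, so a buyer cannot type in an unapproved vendor."""
    return sorted(APPROVED_VENDORS)

def three_way_match(po: Doc, slip: Doc, invoice: Doc) -> list:
    """Controls 3 and 4 (detect): tie out PO, shipping slip and invoice and
    flag short shipments. Returns exceptions; an empty list means it ties out."""
    issues = []
    if not (po.po_number == slip.po_number == invoice.po_number):
        issues.append("po_number mismatch across documents")
    if not (po.vendor_id == slip.vendor_id == invoice.vendor_id):
        issues.append("vendor mismatch across documents")
    if po.vendor_id not in APPROVED_VENDORS:
        issues.append("vendor not pre-approved")
    for sku in sorted(set(po.qty) | set(slip.qty) | set(invoice.qty)):
        ordered, received, billed = (d.qty.get(sku, 0) for d in (po, slip, invoice))
        if received < ordered:      # control 4: only complete shipments are received
            issues.append(f"{sku}: received {received} of {ordered} ordered")
        if billed != received:      # completeness: invoice vs. what actually arrived
            issues.append(f"{sku}: invoiced {billed} but received {received}")
        if invoice.price.get(sku) != po.price.get(sku):   # accuracy: agreed price
            issues.append(f"{sku}: invoice price {invoice.price.get(sku)} "
                          f"!= PO price {po.price.get(sku)}")
    return issues

if __name__ == "__main__":
    # Constructed sample voucher package: one clean, one over-billed.
    po = Doc("PO-1", "V100", {"A": 10, "B": 5}, {"A": 2.0, "B": 9.5})
    slip = Doc("PO-1", "V100", {"A": 10, "B": 5})
    invoice = Doc("PO-1", "V100", {"A": 10, "B": 5}, {"A": 2.0, "B": 9.5})
    print(three_way_match(po, slip, invoice))            # []
    over = Doc("PO-1", "V100", {"A": 10, "B": 6}, {"A": 2.0, "B": 9.5})
    print(three_way_match(po, slip, over))               # ['B: invoiced 6 but received 5']
```

The "test of one versus a statistical test of many" point from the Types of Controls slide follows directly: once this logic is in the application, an auditor tests the logic (and the change controls around it) rather than sampling vouchers.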

COSO OVERVIEW

COSO Framework
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

"Environmental Controls" or "Entity-Level Controls"
(Same five COSO components, with the entity-level ones highlighted)
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Control Environment
- Sets the tone of an organization, influencing the control consciousness of its people
- Is the foundation for all other components of internal control
- Provides discipline and structure
- Factors include:
  – The integrity, ethical values and competence of the entity's people;
  – Management's philosophy and operating style;
  – The way management assigns authority and responsibility, and organizes and develops its people;
  – The attention and direction provided by the board of directors.

Risk Assessment
- Evaluates risks from external and internal sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
- Economic, industry, regulatory and operating conditions will continue to change

Information and Communication
- Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
- "Information systems" (not necessarily technology) produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
- Information needs to flow up, down, and across the organization

Monitoring
- Monitoring of internal control effectiveness
- Accomplished through ongoing monitoring activities, separate evaluations or a combination of the two

Control Activities
- COSO Financial Assertions
  – Existence
  – Occurrence
  – Completeness
  – Valuation
  – Rights & Obligations
  – Presentation & Disclosure
  – Reasonableness

WHY COSO (ALONE) IS NOT ENOUGH

Application Control Test
(Figure: a single test point on a Q1–Q4 timeline)
- Testing application controls only tells you that the control worked for that transaction on that day.
- How can you get coverage for the whole period? IT General Controls

IT General Controls
- Change Management
- User Administration
- IT Operations
- Physical Environment

(Figure: layered model) Business Processes rest on Data/Information used for Partially-Automated Controls, which rests on Automated Controls, which rest on General Controls

Potential For Significant Problems Exists
(Figure: the same layered model, with the Automated Controls layer highlighted)

COBIT OVERVIEW

COBIT
- The Framework formerly known as "Control Objectives for Information Technology"
- Intellectual Property of ISACA and the IT Governance Institute
- Download links for references:
  – COBIT 5.0 An Introduction (ISACA)
  – COBIT 4.1 (ISACA)
  – IT Assurance Guide: Using COBIT (ISACA)
  – IT Control Objectives For Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition 2006 (ITGI)
