
Introduction to COSO & COBIT

Steve Shofner, Moss Adams IT Consultant
Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente
Core Competencies C31

Learning Objectives
History of Controls Frameworks
Overview of Financial Controls & Their Use
COSO Overview
COBIT Overview
HISTORY OF CONTROLS FRAMEWORKS
History of Controls Frameworks
1929: Wall Street Crash
1934: US Securities and Exchange Commission (SEC) formed
  Public companies required to perform annual audits
1987: Treadway Commission, in response to corrupt mid-1970s accounting practices, retains Coopers & Lybrand to perform a project to create an accounting control framework.
History of Controls Frameworks
1992: Internal Control - Integrated Framework, a four-volume report, was released by the Committee of Sponsoring Organizations (COSO)
  Per CFO Magazine, COSO used by 82% of survey respondents
Substantive vs. Control Testing
Controls Testing or Substantive Testing?
History of Controls Frameworks
1996: Information Technology Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
2002: Sarbanes-Oxley (SOX) Act passed, requiring companies to adopt and declare a framework used to define and assess internal controls
History of COBIT
[Figure: timeline of the evolution of COBIT's scope, from Audit through Control, Management and IT Governance to Governance of Enterprise IT. Releases: 1996 COBIT 1; 1998 COBIT 2; 2000 COBIT 3; 2005/7 COBIT 4.0 and COBIT 4.1; 2012 COBIT 5. Also shown: Val IT 2.0 (2008) and Risk IT (2009).]
A business framework from ISACA, at www.isaca.org/cobit
OVERVIEW OF FINANCIAL CONTROLS & THEIR USE
Controls
CONTROL: A proactive step taken by management to accomplish an objective
  Management is any employee of the firm
  The term management is used because they are usually responsible for implementing and maintaining effective controls
Controls attain OBJECTIVES: The purpose one's efforts or actions are intended to attain or accomplish (to address risks)
Objectives address RISKS: The potential for loss (financial or operational)
Types Of Objectives
Financial Objectives: Completeness, Accuracy, Validity, Authorization, Real, Rights & Obligations, Presentation & Disclosure
IT & Operational Objectives: Security, Availability, Confidentiality, Integrity, Scalability, Reliability, Effectiveness, Efficiency
Types of Controls
Automated Controls
  These are programmed financial controls
  They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  Test of one versus a statistical test of many
Partially Automated Controls
  People-enabled controls
  People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function
Manual Controls (no IT dependence)
  People enable the control
  Controls that are 100% independent of IT systems
Other Ways To Categorize Controls
Prevent Controls: the locks on your car doors
Detect Controls: your car alarm
Correct Controls: your auto insurance; a LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)
Yet More Ways To Categorize Controls
Environmental Controls (a.k.a. Governance)
Financial Controls
Operational Controls
IT General Controls
  User Administration
  Change Management
  IT Operations
  Physical Environment
Controls: Multidimensional
[Figure: a matrix crossing the control categories Financial, Environmental, Operational and IT General with the automation levels Automated, Partially-Automated and Manual.]
Classifying Controls
Control: To ensure that only authorized payments are made, all checks issued require a signature.
  Accomplishes the financial objective, authorized.
  Someone manually signs the check.
  An unsigned check prevents it from being cashed.
Control: All user requests (on MAC forms) must have a supervisor's signature authorizing the user's access.
  Accomplishes the IT General Control objective, authorized.
  Someone manually signs the MAC form.
  Unsigned MAC forms will not be processed, thereby preventing unauthorized access.
Control Activities (Examples)
Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
  Manual control: Buyer compares signature on Purchase Request to list of approvers
  Automated control: Application only allows authorized approvers to approve
Objective: Goods can only be purchased from vendors who have been preapproved
  Manual control: Buyer only purchases from hardcopy list of approved vendors
  Automated control: PO system provides limited options in a dropdown menu, populated from a list of approved vendors.
Objective: AP Clerk prepares a voucher package, including: Purchase Order, Shipping Slip, Invoice, Check (Payment). AP Clerk ties out all information across three documents to ensure completeness & accuracy
  Manual control: AP Clerk ties out all information across three sources
  Automated control: Application ties out all information across all three sources, and (see next control)
Objective: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments
  Manual control: Receiving Clerk manually performs control
  Automated control: <none>
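The three automated controls in the table above (approver check, approved-vendor list, three-way tie-out of purchase order, shipping slip and invoice) written out as working code. This is an added example, not code from the presentation or from any system the authors describe; the approver list, vendor list, document layout, function names and sample figures are all constructed for the illustration.

```python
"""Automated purchase-to-pay controls, constructed to illustrate the three automated
controls in the Control Activities table. Not code from the presentation; approver list,
vendor list and documents are made-up sample data."""
from dataclasses import dataclass
from decimal import Decimal

AUTHORIZED_APPROVERS = {"jdoe", "msmith"}                              # constructed
APPROVED_VENDORS = {"V-100": "Acme Supply", "V-200": "Globex Parts"}  # constructed


@dataclass(frozen=True)
class Line:
    item: str
    quantity: int
    unit_price: Decimal = Decimal("0")   # shipping slips carry quantities only


@dataclass(frozen=True)
class Document:
    kind: str        # "PO", "SHIPPING_SLIP" or "INVOICE"
    vendor_id: str
    lines: tuple     # tuple of Line


def approve_purchase_request(pr_id: str, approver: str) -> dict:
    """Preventive control: approvals are accepted only from the approver list
    (the automated counterpart of the buyer comparing signatures to a list)."""
    approved = approver in AUTHORIZED_APPROVERS
    reason = "" if approved else f"{approver} is not an authorized approver"
    return {"pr_id": pr_id, "approved": approved, "reason": reason}


def open_purchase_order(approved_pr: dict, vendor_id: str) -> tuple:
    """Preventive control: a PO opens only against an approved request and a vendor on
    the pre-approved list (the dropdown that offers nothing else). Returns (ok, reason)."""
    if not approved_pr["approved"]:
        return False, f"{approved_pr['pr_id']} has not been approved"
    if vendor_id not in APPROVED_VENDORS:
        return False, f"vendor {vendor_id} is not on the approved vendor list"
    return True, ""


def tie_out(po: Document, slip: Document, invoice: Document) -> list:
    """Detective control: three-way match of PO, shipping slip and invoice.
    Returns the list of exceptions; an empty list means everything ties out."""
    exceptions = []
    po_lines = {line.item: line for line in po.lines}
    for doc in (slip, invoice):
        if doc.vendor_id != po.vendor_id:
            exceptions.append(f"{doc.kind}: vendor {doc.vendor_id} differs from PO vendor {po.vendor_id}")
        doc_lines = {line.item: line for line in doc.lines}
        for item in sorted(set(po_lines) | set(doc_lines)):
            if item not in po_lines:
                exceptions.append(f"{doc.kind}: item {item} is not on the PO")
            elif item not in doc_lines:
                exceptions.append(f"{doc.kind}: PO item {item} is missing")
            elif doc_lines[item].quantity != po_lines[item].quantity:
                exceptions.append(f"{doc.kind}: item {item} quantity {doc_lines[item].quantity} "
                                  f"differs from PO quantity {po_lines[item].quantity}")
    # Unit prices exist only on the PO and the invoice, so price is checked once.
    for line in invoice.lines:
        if line.item in po_lines and line.unit_price != po_lines[line.item].unit_price:
            exceptions.append(f"INVOICE: item {line.item} price {line.unit_price} "
                              f"differs from PO price {po_lines[line.item].unit_price}")
    return exceptions


def release_payment(po: Document, slip: Document, invoice: Document) -> dict:
    """Payment (the check in the voucher package) is released only on a clean tie-out."""
    exceptions = tie_out(po, slip, invoice)
    amount = sum(l.quantity * l.unit_price for l in invoice.lines) if not exceptions else Decimal("0")
    return {"released": not exceptions, "amount": amount, "exceptions": exceptions}


# Constructed sample documents for one purchase.
SAMPLE_PO = Document("PO", "V-100", (Line("A-1", 10, Decimal("2.50")), Line("B-7", 4, Decimal("10.00"))))
SAMPLE_SLIP = Document("SHIPPING_SLIP", "V-100", (Line("A-1", 10), Line("B-7", 4)))
GOOD_INVOICE = Document("INVOICE", "V-100", (Line("A-1", 10, Decimal("2.50")), Line("B-7", 4, Decimal("10.00"))))
BAD_INVOICE = Document("INVOICE", "V-100", (Line("A-1", 10, Decimal("2.50")), Line("B-7", 5, Decimal("12.00"))))

if __name__ == "__main__":
    print(approve_purchase_request("PR-42", "intruder"))
    print(release_payment(SAMPLE_PO, SAMPLE_SLIP, GOOD_INVOICE))
    print(release_payment(SAMPLE_PO, SAMPLE_SLIP, BAD_INVOICE))
```

The first two functions are preventive (the unauthorized action cannot be entered at all), the tie-out is detective (the mismatch is found and payment is withheld), which is the distinction the car-door / car-alarm slide draws. Because the logic is programmed, each check behaves identically on every transaction, which is what makes a test of one meaningful for an automated control.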
COSO OVERVIEW
COSO Framework
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Environmental Controls or Entity Level Controls
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Control Environment
Sets the tone of an organization, influencing the control consciousness of its people
Is the foundation for all other components of internal control
Provides discipline and structure
Factors include:
  The integrity, ethical values and competence of the entity's people;
  Management's philosophy and operating style;
  The way management assigns authority and responsibility, and organizes and develops its people;
  The attention and direction provided by the board of directors.
Risk Assessment
Evaluates risks from external and internal sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
Economic, industry, regulatory and operating conditions will continue to change
Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
Information systems (not necessarily technology) produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
Information needs to flow up, down, and across the organization
Monitoring
Monitoring of internal control effectiveness
Accomplished through ongoing monitoring activities, separate evaluations or a combination of the two
Control Activities
COSO Financial Assertions
  Existence
  Occurrence
  Completeness
  Valuation
  Rights & Obligations
  Presentation & Disclosure
  Reasonableness
WHY COSO (ALONE) IS NOT ENOUGH
[Figure: a year divided into Q1 through Q4, with a single Application Control Test marked on one day and IT General Controls spanning the whole period.]
Testing application controls only tells you that the control worked for that transaction on that day.

How can you get coverage for the whole period?
IT General Controls
  Change Management
  User Administration
  IT Operations
  Physical Environment
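The argument on these two slides, that a test of one proves the programmed logic only for the day it was tested and that change-management evidence is what extends the result across the period, can be written as a coverage check. This is an added example, not from the presentation; the change log, the dates and the reliance rule it applies (a segment of the period that begins with an approved and tested change to the control inherits coverage, anything else is a gap) are constructed assumptions for the illustration.

```python
"""Coverage assessment for a test of one on an automated control.
Constructed illustration: the result of one test holds only while the programmed logic
is unchanged, so change-management evidence decides how far that result extends across
the period. Not code from the presentation; change log, dates and reliance rule are
assumptions made for this example."""
from datetime import date, timedelta

# Constructed change-management log for a hypothetical AP application.
# touches_control: whether the change altered the control's programmed logic.
CHANGE_LOG = [
    {"change_id": "CHG-1", "deployed": date(2013, 2, 14), "touches_control": False, "approved": True,  "tested": True},
    {"change_id": "CHG-2", "deployed": date(2013, 5, 3),  "touches_control": True,  "approved": True,  "tested": True},
    {"change_id": "CHG-3", "deployed": date(2013, 9, 20), "touches_control": True,  "approved": False, "tested": False},
]
PERIOD_START, PERIOD_END = date(2013, 1, 1), date(2013, 12, 31)   # constructed audit period
TEST_DATE = date(2013, 6, 10)                                      # constructed test-of-one date


def assess_coverage(period_start: date, period_end: date, test_date: date, change_log: list) -> dict:
    """Split the period into segments in which the control's logic was stable and decide,
    per segment, whether the test of one or change-management evidence covers it.
    Returns {'covered': bool, 'covered_segments': [...], 'gaps': [...]}, each segment
    being (start, end, reason)."""
    if not period_start <= test_date <= period_end:
        raise ValueError("test date must fall inside the period under audit")
    changes = [c for c in change_log if c["touches_control"]]
    # Every control-touching deployment inside the period starts a new segment.
    cut_dates = sorted({period_start} | {c["deployed"] for c in changes
                                           if period_start < c["deployed"] <= period_end})
    cut_dates.append(period_end + timedelta(days=1))   # sentinel closing the last segment
    covered, gaps = [], []
    for seg_start, next_start in zip(cut_dates, cut_dates[1:]):
        seg_end = next_start - timedelta(days=1)
        deployed_here = [c for c in changes if c["deployed"] == seg_start]
        if seg_start <= test_date <= seg_end:
            covered.append((seg_start, seg_end, "test of one performed while this version was live"))
        elif deployed_here and all(c["approved"] and c["tested"] for c in deployed_here):
            ids = ", ".join(c["change_id"] for c in deployed_here)
            covered.append((seg_start, seg_end, f"{ids}: approved and tested under change management"))
        elif deployed_here:
            ids = ", ".join(c["change_id"] for c in deployed_here if not (c["approved"] and c["tested"]))
            gaps.append((seg_start, seg_end, f"{ids}: deployed without approval or test evidence"))
        else:
            gaps.append((seg_start, seg_end, "version predates the tested one; no test or change evidence"))
    return {"covered": not gaps, "covered_segments": covered, "gaps": gaps}


if __name__ == "__main__":
    result = assess_coverage(PERIOD_START, PERIOD_END, TEST_DATE, CHANGE_LOG)
    print("whole period covered:", result["covered"])
    for start, end, reason in result["gaps"]:
        print(f"gap {start} to {end}: {reason}")
```

With the constructed log, the June test covers only May 3 to September 19: the version live before CHG-2 was never tested, and CHG-3 went in without approval or testing, so both ends of the year are gaps that need either more transaction tests or remediation. The reliance on change management in the middle branch is exactly why the ITGC areas listed above have to be tested in their own right; if change management is not effective, the segments it is credited with collapse back into gaps.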
[Figure: layered view of Business Processes resting on Data/Information used for Partially Automated Controls, on Automated Controls, and on General Controls beneath.]

Potential For Significant Problems Exists
[Figure: the layered view again, with the Automated Controls layer singled out.]
COBIT OVERVIEW
COBIT
The Framework formerly known as Control Objectives for Information Technology
Intellectual Property of ISACA and the IT Governance Institute
ISACA download links for references:
  COBIT 5.0 An Introduction
  COBIT 4.1
  IT Assurance Guide: Using COBIT
  IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, 2006, ITGI
