Introduction to COSO & COBIT
Steve Shofner, Moss Adams IT Consultant
Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente
Core Competencies C31

Learning Objectives
- History of Controls Frameworks
- Overview of Financial Controls & Their Use
- COSO Overview
- COBIT Overview

HISTORY OF CONTROLS FRAMEWORKS

1987: Treadway Commission, in response to corrupt mid-1970s accounting practices, retains Coopers & Lybrand to perform a project to create an accounting control framework.

[Figure: Evolution of scope (Substantive Testing, Controls Testing)]

History of COBIT
[Figure: COBIT timeline; the scope widens from Audit to Control, Management, IT Governance and Governance of Enterprise IT]
- COBIT 1 (1996)
- COBIT 2 (1998)
- COBIT 3 (2000)
- COBIT 4.0 / COBIT 4.1 (2005/7)
- Val IT 2.0 (2008)
- Risk IT (2009)
- COBIT 5 (2012)
A business framework from ISACA, at www.isaca.org/cobit

OVERVIEW OF FINANCIAL CONTROLS & THEIR USE

Controls
- CONTROL: A proactive step taken by management to accomplish an objective
  - Management is any employee of the firm
  - The term management is used because they are usually responsible for implementing and maintaining effective controls
- Controls attain OBJECTIVES: The purpose one's efforts or actions are intended to attain or accomplish (to address risks)
- Objectives address RISKS: The potential for loss (financial or operational)

Types Of Objectives
Financial Objectives
- Completeness
- Accuracy
- Validity
- Authorization
- Real
- Rights & Obligations
- Presentation & Disclosure
IT & Operational Objectives
- Security
- Availability
- Confidentiality
- Integrity
- Scalability
- Reliability
- Effectiveness
- Efficiency

Types of Controls
- Automated Controls
  - These are programmed financial controls
  - They are very strong: The programmed logic will function the same way every time, as long as the logic is not changed
  - Test of one versus a statistical test of many
- Partially Automated Controls
  - People-enabled controls
  - People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function
- Manual Controls (no IT Dependence)
  - People enable the control
  - Controls that are 100% independent of IT systems

Detect Controls
- Your car alarm
Correct Controls
- Your auto insurance
- A LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)

Yet More Ways To Categorize Controls
- Environmental Controls (a.k.a. Governance)
- Financial Controls
- Operational Controls
- IT General Controls
  - User Administration
  - Change Management
  - IT Operations
  - Physical Environment

Controls: Multidimensional
[Figure: grid of control categories (IT General, Operational, Financial, Environmental) against degree of automation (Automated, Partially-Automated, Manual)]

Classifying Controls
Control: To ensure that only authorized payments are made, all checks issued require a signature.
- Accomplishes the financial objective, authorized.
- Someone manually signs the check.
- An unsigned check prevents it from being cashed.
Control: All user requests (on MAC forms) must have a supervisor's signature authorizing the user's access.
- Accomplishes the IT General Control objective, authorized.
- Someone manually signs the MAC form.
- Unsigned MAC forms will not be processed, thereby preventing unauthorized access.

Manual Control versus Automated Control
Control: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request.
  Manual Control: Buyer compares signature on Purchase Request to list of approvers.
  Automated Control: Application only allows authorized approvers to approve.
Control: Goods can only be purchased from vendors who have been pre-approved.
  Manual Control: Buyer only purchases from hard-copy list of approved vendors.
  Automated Control: PO system provides limited options in a drop-down menu, populated from a list of approved vendors.
Control: AP Clerk prepares a voucher package, including: Purchase Order, Shipping Slip, Invoice, Check (Payment). AP Clerk ties out all information across three documents to ensure completeness & accuracy.
  Manual Control: AP Clerk ties out all information across three sources.
  Automated Control: Application ties out all information across all three sources, and (see next control).
Control: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments.
  Manual Control: Receiving Clerk manually performs control.
  Automated Control: <none>

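The three automated controls in the table above (authorized approvers only, a vendor drop-down fed from the approved list, and the application tying out Purchase Order, Shipping Slip and Invoice), written out as checks a purchasing/AP application could enforce. This is an added example, not code from the slide deck or from any real purchasing system; the vendor list, approver list and documents are constructed for illustration, and the function and field names are assumptions.

```python
"""Automated purchase-to-pay controls as application logic (added example).
Reference data below is constructed; a real system would read it from master-data tables."""
from dataclasses import dataclass

APPROVED_VENDORS = {"V100": "Acme Office Supply", "V200": "Northwind Hardware"}  # constructed
AUTHORIZED_APPROVERS = {"jsmith", "mlee"}  # constructed: users who may approve Purchase Requests


class ControlViolation(Exception):
    """Raised when an automated control rejects a transaction."""


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: float  # 0.0 on a shipping slip, which carries no prices


@dataclass(frozen=True)
class Document:
    doc_type: str   # "PO", "ShippingSlip" or "Invoice"
    vendor_id: str
    lines: tuple    # tuple of Line


def is_authorized_approver(user: str) -> bool:
    """Control 1 (authorization): the application, not a signature comparison, decides."""
    return user in AUTHORIZED_APPROVERS


def approve_purchase_request(request_id: str, approver: str) -> dict:
    """Record an approval; an unauthorized user cannot produce an approval record at all."""
    if not is_authorized_approver(approver):
        raise ControlViolation(f"{approver} is not an authorized approver for {request_id}")
    return {"request_id": request_id, "approved_by": approver}


def vendor_choices() -> list:
    """Control 2: the PO form's drop-down offers only pre-approved vendors."""
    return sorted(APPROVED_VENDORS.items())


def open_purchase_order(vendor_id: str, approval: dict, lines: tuple) -> Document:
    """A PO needs a valid approval record and a pre-approved vendor (controls 1 and 2)."""
    if not is_authorized_approver(approval.get("approved_by", "")):
        raise ControlViolation("purchase order opened without a valid approval")
    if vendor_id not in APPROVED_VENDORS:
        raise ControlViolation(f"vendor {vendor_id} is not pre-approved")
    return Document("PO", vendor_id, lines)


def _qty_by_sku(doc: Document) -> dict:
    """Quantity per SKU for one document."""
    totals = {}
    for ln in doc.lines:
        totals[ln.sku] = totals.get(ln.sku, 0) + ln.qty
    return totals


def three_way_match(po: Document, slip: Document, invoice: Document, tolerance: float = 0.0) -> list:
    """Control 3: tie out PO, shipping slip and invoice before a payment is released.
    Returns the list of exceptions; an empty list means the voucher package matches."""
    exceptions = []
    if not (po.vendor_id == slip.vendor_id == invoice.vendor_id):
        exceptions.append("vendor differs across the three documents")
    po_q, slip_q, inv_q = _qty_by_sku(po), _qty_by_sku(slip), _qty_by_sku(invoice)
    for sku in sorted(set(po_q) | set(slip_q) | set(inv_q)):
        if not (po_q.get(sku) == slip_q.get(sku) == inv_q.get(sku)):
            exceptions.append(f"quantity mismatch for {sku}: PO {po_q.get(sku)}, "
                              f"shipping slip {slip_q.get(sku)}, invoice {inv_q.get(sku)}")
    po_price = {ln.sku: ln.unit_price for ln in po.lines}
    for ln in invoice.lines:  # invoice price must agree with the PO price within tolerance
        if ln.sku in po_price and abs(ln.unit_price - po_price[ln.sku]) > tolerance:
            exceptions.append(f"price mismatch for {ln.sku}: PO {po_price[ln.sku]}, invoice {ln.unit_price}")
    return exceptions


if __name__ == "__main__":
    approval = approve_purchase_request("PR-0001", "jsmith")
    po = open_purchase_order("V100", approval, (Line("PAPER-A4", 10, 4.25),))
    slip = Document("ShippingSlip", "V100", (Line("PAPER-A4", 8, 0.0),))   # short shipment
    inv = Document("Invoice", "V100", (Line("PAPER-A4", 10, 4.25),))
    for exc in three_way_match(po, slip, inv):
        print("EXCEPTION:", exc)
```

The point the slide makes about automated controls applies directly: because the same code path runs for every transaction, an auditor can test one transaction rather than a statistical sample, but only for as long as the logic is unchanged, which is why change management over this code is the IT general control that underpins it.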
COSO OVERVIEW

COSO Framework
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Environmental Controls or Entity Level Controls
[Figure: the five COSO components listed above]

Control Environment
- Sets the tone of an organization, influencing the control consciousness of its people
- Is the foundation for all other components of internal control
- Provides discipline and structure
- Factors include:
  - The integrity, ethical values and competence of the entity's people;
  - Management's philosophy and operating style;
  - The way management assigns authority and responsibility, and organizes and develops its people;
  - The attention and direction provided by the board of directors.

Risk Assessment
- Evaluates risks from external and internal sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
- Economic, industry, regulatory and operating conditions will continue to change

Monitoring
- Monitoring of internal control effectiveness
- Accomplished through ongoing monitoring activities, separate evaluations or a combination of the two

Control Activities
COSO Financial Assertions
- Existence
- Occurrence
- Completeness
- Valuation
- Rights & Obligations
- Presentation & Disclosure
- Reasonableness

WHY COSO (ALONE) IS NOT ENOUGH

[Figure: a reporting period divided into Q1, Q2, Q3, Q4]
Testing application controls only tells you that the control worked for that transaction on that day.
How can you get coverage for the whole period?

IT General Controls
- Change Management
- User Administration
- IT Operations
- Physical Environment

[Figure: layered model; Business Processes rest on Data/Information used for Partially Automated Controls and on Automated Controls, which in turn rest on General Controls]

COBIT OVERVIEW

COBIT
- The Framework formerly known as Control Objectives for Information Technology
- Intellectual Property of ISACA and the IT Governance Institute
- ISACA download links for references:
  - COBIT 5.0: An Introduction
  - COBIT 4.1
  - IT Assurance Guide: Using COBIT
  - IT Control Objectives For Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, 2006, ITGI