
Introduction to COSO & COBIT

Steve Shofner, Moss Adams IT Consultant
Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente

Core Competencies C31

Learning Objectives

History of Controls Frameworks
Overview of Financial Controls & Their Use
COSO Overview
COBIT Overview

HISTORY OF CONTROLS FRAMEWORKS

History of Controls Frameworks

1929: Wall Street Crash
1934: US Securities and Exchange Commission (SEC) formed
  Public companies required to perform annual audits
1987: Treadway Commission, in response to corrupt mid-1970s accounting practices, retains Coopers & Lybrand to perform a project to create an accounting control framework.

History of Controls Frameworks

1992: Internal Control - Integrated Framework, a four-volume report, was released by the Committee of Sponsoring Organizations (COSO)
  Per CFO Magazine, COSO is used by 82% of survey respondents

Substantive vs. Control Testing

Controls Testing
  or
Substantive Testing

History of Controls Frameworks

1996: Information Technology Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
2002: Sarbanes-Oxley (SOX) Act passed, requiring companies to adopt and declare a framework used to define and assess internal controls

History of COBIT

(Figure: evolution of scope. Timeline of releases: COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT5 (2012), with Val IT 2.0 (2008) and Risk IT (2009) shown alongside. Scope axis, from narrowest to broadest: Audit, Control, Management, IT Governance, Governance of Enterprise IT.)

A business framework from ISACA, at www.isaca.org/cobit

OVERVIEW OF FINANCIAL CONTROLS & THEIR USE

Controls

CONTROL: A proactive step taken by management to accomplish an objective
  Management is any employee of the firm
  The term management is used because they are usually responsible for implementing and maintaining effective controls

Controls attain OBJECTIVES: The purpose one's efforts or actions are intended to attain or accomplish (to address risks)

Objectives address RISKS: The potential for loss (financial or operational)

Types Of Objectives

Financial Objectives
  Completeness
  Accuracy
  Validity
  Authorization
  Real
  Rights & Obligations
  Presentation & Disclosure

IT & Operational Objectives
  Security
  Availability
  Confidentiality
  Integrity
  Scalability
  Reliability
  Effectiveness
  Efficiency

Types of Controls

Automated Controls
  These are programmed financial controls
  They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  Test of one versus a statistical test of many

Partially Automated Controls
  People-enabled controls
  People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function

Manual Controls (no IT dependence)
  People enable the control
  Controls that are 100% independent of IT systems

Other Ways To Categorize Controls

Prevent Controls
  The locks on your car doors

Detect Controls
  Your car alarm

Correct Controls
  Your auto insurance
  A LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)

Yet More Ways To Categorize Controls

Environmental Controls (a.k.a. Governance)
Financial Controls
Operational Controls
IT General Controls
  User Administration
  Change Management
  IT Operations
  Physical Environment

Controls: Multidimensional

(Figure: a single control is classified along more than one dimension at once. One axis: Environmental, Financial, Operational, IT General. The other axis: Automated, Partially-Automated, Manual.)

Classifying Controls

To ensure that only authorized payments are made, all checks issued require a signature.
  Accomplishes the financial objective, authorized.
  Someone manually signs the check
  An unsigned check prevents it from being cashed

All user requests (on MAC forms) must have a supervisor's signature authorizing the user's access.
  Accomplishes the IT General Control objective, authorized.
  Someone manually signs the MAC form
  Unsigned MAC forms will not be processed, thereby preventing unauthorized access

Control Activities (Examples)

Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
  Manual Control: Buyer compares signature on Purchase Request to list of approvers
  Automated Control: Application only allows authorized approvers to approve

Objective: Goods can only be purchased from vendors who have been pre-approved
  Manual Control: Buyer only purchases from hardcopy list of approved vendors
  Automated Control: PO system provides limited options in a dropdown menu, populated from a list of approved vendors.

Objective: AP Clerk prepares a voucher package, including Purchase Order, Shipping Slip, Invoice, and Check (Payment); AP Clerk ties out all information across three documents to ensure completeness & accuracy
  Manual Control: AP Clerk ties out all information across three sources
  Automated Control: Application ties out all information across all three sources, and (see next control)

Objective: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments
  Manual Control: Receiving Clerk manually performs control
  Automated Control: <none>
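The automated controls in the table above, as an added example that is not from the slides: a small Python module implementing the authorized-approver check, the approved-vendor check, and the three-way match of Purchase Order, shipping slip and invoice. The Doc class, the approver and vendor lists, and the sample records are constructed for this example.

```python
"""Automated purchasing controls: authorized-approver check, approved-vendor
check, and a three-way match. All names and sample data are constructed."""
from dataclasses import dataclass

APPROVERS = {"alice", "bob"}          # constructed list of authorized approvers
APPROVED_VENDORS = {"V100", "V200"}   # constructed list of pre-approved vendors


@dataclass(frozen=True)
class Doc:
    """One voucher-package document; lines maps item -> (qty, unit_price), price None on a slip."""
    po_id: str
    vendor: str
    lines: dict
    approver: str = ""


def approve_purchase_request(approver: str) -> bool:
    """Control 1: the application only lets authorized approvers approve."""
    return approver in APPROVERS


def vendor_allowed(vendor: str) -> bool:
    """Control 2: the PO system only offers vendors from the approved list."""
    return vendor in APPROVED_VENDORS


def three_way_match(po: Doc, slip: Doc, invoice: Doc) -> list:
    """Controls 3 and 4: tie out PO, slip and invoice; returns exceptions (empty = complete & accurate)."""
    exceptions = []
    if not (po.po_id == slip.po_id == invoice.po_id):
        exceptions.append("po_id mismatch across documents")
    if po.vendor != invoice.vendor:
        exceptions.append("vendor on invoice differs from PO")
    for item, (qty, price) in po.lines.items():
        shipped = slip.lines.get(item, (0, None))[0]
        billed_qty, billed_price = invoice.lines.get(item, (0, None))
        if shipped != qty:            # completeness: only full shipments are received
            exceptions.append(f"{item}: shipped {shipped} of {qty}")
        if billed_qty != qty:         # accuracy: invoiced quantity must match the PO
            exceptions.append(f"{item}: invoiced {billed_qty} of {qty}")
        if billed_price != price:     # accuracy: invoiced price must match the PO
            exceptions.append(f"{item}: price {billed_price} != PO price {price}")
    for item in sorted(set(slip.lines) | set(invoice.lines)):
        if item not in po.lines:      # validity: nothing received or billed off-PO
            exceptions.append(f"{item}: not on PO")
    return exceptions


# Constructed sample voucher package that ties out cleanly
PO = Doc("PO-1", "V100", {"widget": (10, 2.50), "gear": (4, 9.00)}, approver="alice")
SLIP = Doc("PO-1", "V100", {"widget": (10, None), "gear": (4, None)})
INVOICE = Doc("PO-1", "V100", {"widget": (10, 2.50), "gear": (4, 9.00)})
```

Each returned exception is the evidence an AP clerk would otherwise have to find by hand; the receiving-clerk control from the last row shows up as the "shipped N of M" case.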

COSO OVERVIEW

COSO Framework

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Environmental Controls or Entity Level Controls

(Figure: the five COSO components again: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring)

Control Environment

Sets the tone of an organization, influencing the control consciousness of its people
Is the foundation for all other components of internal control
Provides discipline and structure
Factors include:
  The integrity, ethical values and competence of the entity's people;
  Management's philosophy and operating style;
  The way management assigns authority and responsibility, and organizes and develops its people;
  The attention and direction provided by the board of directors.

Risk Assessment

Evaluates risks from external and internal sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
Economic, industry, regulatory and operating conditions will continue to change

Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
Information systems (not necessarily technology) produce reports containing operational, financial and compliance-related information that make it possible to run and control the business.
Information needs to flow up, down, and across the organization

Monitoring

Monitoring of internal control effectiveness
Accomplished through ongoing monitoring activities, separate evaluations or a combination of the two

Control Activities

COSO Financial Assertions
  Existence
  Occurrence
  Completeness
  Valuation
  Rights & Obligations
  Presentation & Disclosure
  Reasonableness

WHY COSO (ALONE) IS NOT ENOUGH

Application Control Test

(Figure: a timeline of Q1, Q2, Q3, Q4 with a single transaction tested on one day)
Testing application controls only tells you that the control worked for that transaction on that day.
How can you get coverage for the whole period?

IT General Controls
  Change Management
  User Administration
  IT Operations
  Physical Environment

(Figure: layered stack, top to bottom: Business Processes; Data/Information used for Partially Automated Controls; Automated Controls; General Controls)

Potential For Significant Problems Exists
(Figure: the same stack with the Automated Controls layer highlighted)

COBIT OVERVIEW

COBIT

The Framework formerly known as Control Objectives for Information Technology
Intellectual Property of ISACA and the IT Governance Institute
ISACA download links for references:
  COBIT 5.0 An Introduction
  COBIT 4.1
  IT Assurance Guide: Using COBIT
  IT Control Objectives For Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, 2006, ITGI
