
Introduction to COSO & COBIT® - ISACA


Introduction to COSO & COBIT®. Presenters: Steve Shofner, Moss Adams IT Consultant; Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente.


Transcription of Introduction to COSO & COBIT® - ISACA

Slide 1. Introduction to COSO & COBIT. Steve Shofner, Moss Adams IT Consultant; Debra Mallette, Senior Process Consultant/Specialist, Kaiser Permanente. Core Competencies C31.

Slide 2. Learning Objectives
- History of Controls Frameworks
- Overview of Financial Controls & Their Use
- COSO Overview
- COBIT Overview

Slide 3. HISTORY OF CONTROLS FRAMEWORKS (section divider)

Slide 4. History of Controls Frameworks
- 1929: Wall Street Crash
- 1934: US Securities and Exchange Commission (SEC) formed; public companies required to perform annual audits
- 1987: Treadway Commission, in response to corrupt mid-1970s accounting practices, retains Coopers & Lybrand to perform a project to create an accounting control framework

Slide 5. History of Controls Frameworks
- 1992: Internal Control - Integrated Framework, a four-volume report, was released by the Committee of Sponsoring Organizations (COSO)
- Per CFO Magazine, COSO is used by 82% of survey respondents

Slide 6. Substantive vs. Control Testing: Controls Testing or Substantive Testing?

Slide 7. History of Controls Frameworks
- 1996: Information Technology Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
- 2002: Sarbanes-Oxley (SOX) Act passed, requiring companies to adopt and declare a framework used to define and assess internal controls

Slide 8. History of COBIT: evolution of scope by version and year
- Audit: COBIT 1 (1996)
- Control: COBIT 2 (1998)
- Management: COBIT 3 (2000)
- IT Governance: COBIT 4.0 (2005/7), joined by Val IT (2008) and Risk IT (2009)
- Governance of Enterprise IT: COBIT 5 (2012), a business framework from ISACA

Slide 9. OVERVIEW OF FINANCIAL CONTROLS & THEIR USE (section divider)

Slide 10. Controls
- CONTROL: A proactive step taken by management to accomplish an objective. Management is any employee of the firm; the term "management" is used because they are usually responsible for implementing and maintaining effective controls.
- Controls attain OBJECTIVES: The purpose one's efforts or actions are intended to attain or accomplish (to address risks).
- Objectives address RISKS: The potential for loss (financial or operational).

Slide 11. Types of Objectives
- Financial Objectives: Completeness, Accuracy, Validity, Authorization, Real, Rights & Obligations, Presentation & Disclosure
- IT & Operational Objectives: Security, Availability, Confidentiality, Integrity, Scalability, Reliability, Effectiveness, Efficiency

Slide 12. Types of Controls
- Automated Controls: programmed financial controls. They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed. This allows a test of one rather than a statistical test of many.
- Partially Automated Controls: people-enabled controls. People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function.
- Manual Controls (no IT dependence): people enable the control; these controls are 100% independent of IT systems.

Slide 13. Other Ways To Categorize Controls
- Prevent Controls: the locks on your car doors
- Detect Controls: your car alarm
- Correct Controls: your auto insurance; a LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)

Slide 14. Yet More Ways To Categorize Controls
- Environmental Controls (Governance)
- Financial Controls
- Operational Controls
- IT General Controls: User Administration, Change Management, IT Operations, Physical Environment

Slide 15. Controls: Multidimensional. A control is classified on two axes at once: its area (IT General, Operational, Financial, Environmental) and its degree of automation (Automated, Partially-Automated, Manual).

Slide 16. Classifying Controls
- Financial control example. Objective: to ensure that only authorized payments are made, all checks issued require a signature. Control: someone manually signs the check. Result: an unsigned check is prevented from being cashed, so the control accomplishes the financial objective.
- IT General Control example. Objective: authorized access; all user requests (on MAC forms) must have a supervisor's signature authorizing the user's access. Control: someone manually signs the MAC form. Result: unsigned MAC forms will not be processed, thereby preventing unauthorized access.

Slide 17. Control Activities (Examples). Each row gives an objective, the manual control that meets it, and the automated control that meets it.
- Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request. Manual control: Buyer compares the signature on the Purchase Request to the list of approvers. Automated control: Application only allows authorized approvers to approve.
- Objective: Goods can only be purchased from vendors who have been pre-approved. Manual control: Buyer only purchases from a hardcopy list of approved vendors. Automated control: PO system provides limited options in a drop-down menu, populated from a list of approved vendors.
- Objective: AP Clerk prepares a voucher package, including Purchase Order, Shipping Slip, Invoice, and Check (Payment). Manual control: AP Clerk ties out all information across the three documents to ensure completeness and accuracy. Automated control: Application ties out all information across all three sources, and (see next control).
- Objective: Receiving Clerk counts all items received, ties them to the shipping slip, and will only receive complete shipments. Manual control: Receiving Clerk manually performs the control. Automated control: none.

Slide 18. COSO OVERVIEW (section divider)

Slide 19. COSO Framework. Five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.

Slide 20. Environmental Controls, or Entity Level Controls. The same five COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.
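The automated controls in the Control Activities examples (slide 17) can be written out as checks over a voucher package. The following Python is an added example, not code from the presentation or from ISACA; the approver list, vendor list, document fields and sample voucher values are all assumptions constructed for illustration. It goes slightly beyond the slide by also flagging items that are billed but were never ordered, and it reports every exception in the package rather than stopping at the first one, which is what an AP reviewer needs in order to resolve the hold.

```python
from dataclasses import dataclass

# Constructed master data standing in for the slide's "list of approvers"
# and "list of approved vendors"; the names and ids are assumptions.
AUTHORIZED_APPROVERS = {"j.doe", "m.ito"}
APPROVED_VENDORS = {"V-100": "Acme Supply", "V-200": "Northwind Traders"}


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    approved_by: str        # user who approved the Purchase Request
    ordered: dict           # item -> quantity ordered
    unit_prices: dict       # item -> agreed unit price


@dataclass
class ShippingSlip:
    po_number: str
    received: dict          # item -> quantity counted in by Receiving


@dataclass
class Invoice:
    po_number: str
    vendor_id: str
    billed: dict            # item -> (quantity billed, unit price billed)


def check_voucher(po: PurchaseOrder, slip: ShippingSlip, inv: Invoice) -> list:
    """Apply the slide's automated controls and return the list of
    exceptions; an empty list means the voucher package may be paid."""
    exceptions = []

    # Authorization: only authorized approvers may approve a Purchase Request.
    if po.approved_by not in AUTHORIZED_APPROVERS:
        exceptions.append(f"{po.po_number}: approver {po.approved_by!r} is not an authorized approver")

    # Validity: goods may only be bought from pre-approved vendors.
    if po.vendor_id not in APPROVED_VENDORS:
        exceptions.append(f"{po.po_number}: vendor {po.vendor_id!r} is not on the approved vendor list")

    # Three-way tie-out: PO, shipping slip and invoice must describe one order.
    if not (po.po_number == slip.po_number == inv.po_number):
        exceptions.append("documents reference different purchase orders")
        return exceptions   # item-level comparison is meaningless across orders
    if inv.vendor_id != po.vendor_id:
        exceptions.append(f"{po.po_number}: invoice vendor {inv.vendor_id!r} differs from PO vendor {po.vendor_id!r}")

    for item, qty_ordered in po.ordered.items():
        qty_received = slip.received.get(item, 0)
        qty_billed, price_billed = inv.billed.get(item, (0, 0.0))
        # Completeness: everything ordered was received.
        if qty_received != qty_ordered:
            exceptions.append(f"{item}: ordered {qty_ordered}, received {qty_received}")
        # Accuracy: pay only for what was received, at the agreed price.
        if qty_billed != qty_received:
            exceptions.append(f"{item}: received {qty_received}, billed {qty_billed}")
        if price_billed != po.unit_prices[item]:
            exceptions.append(f"{item}: PO price {po.unit_prices[item]}, billed {price_billed}")

    # Validity: nothing may be billed that was never ordered.
    for item in inv.billed:
        if item not in po.ordered:
            exceptions.append(f"{item}: billed but not on the purchase order")
    return exceptions


def clean_package():
    """Constructed voucher package that ties out on every control."""
    po = PurchaseOrder("PO-1001", "V-100", "j.doe",
                       {"widget": 10, "bolt": 200}, {"widget": 4.50, "bolt": 0.10})
    slip = ShippingSlip("PO-1001", {"widget": 10, "bolt": 200})
    inv = Invoice("PO-1001", "V-100", {"widget": (10, 4.50), "bolt": (200, 0.10)})
    return po, slip, inv


def short_shipment_package():
    """Constructed package: 8 of 10 widgets arrived, yet all 10 were billed,
    at a price above the PO. Three exceptions are expected."""
    po, _, _ = clean_package()
    slip = ShippingSlip("PO-1001", {"widget": 8, "bolt": 200})
    inv = Invoice("PO-1001", "V-100", {"widget": (10, 5.00), "bolt": (200, 0.10)})
    return po, slip, inv


if __name__ == "__main__":
    for name, pkg in (("clean", clean_package()), ("short shipment", short_shipment_package())):
        findings = check_voucher(*pkg)
        print(f"{name}: {'PASS' if not findings else 'HOLD'}")
        for finding in findings:
            print("  -", finding)
```

Because the logic is fixed in code, the auditor's "test of one" from slide 12 applies: once the approver and vendor lists are shown to be maintained under change management, a single run over a known package demonstrates the control, whereas the manual tie-out on the same slide would need a statistical sample of vouchers.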

Slide 21. Control Environment
- Sets the tone of an organization, influencing the control consciousness of its people
- Is the foundation for all other components of internal control
- Provides discipline and structure
- Factors include: the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; the attention and direction provided by the board of directors

Slide 22. Risk Assessment
- Evaluates risks from external and internal sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
- Economic, industry, regulatory and operating conditions will continue to change

Slide 23. Information and Communication
- Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities
- Information systems (not necessarily technology) produce reports containing operational, financial and compliance-related information that make it possible to run and control the business
- Information needs to flow up, down, and across the organization

Slide 24. Monitoring
- Monitoring of internal control effectiveness
- Accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two