Introduction to Coso & Cobit
8/12/2019 Introduction to Coso & Cobit
http://slidepdf.com/reader/full/introduction-to-coso-cobit 1/32
Steve Shofner, Moss Adams IT Consultant
Debra Mallette, Senior Process Consultant Specialist, Kaiser Permanente
Core Competencies – C31
• History of Controls Frameworks
• Overview of Financial Controls & Their Use
• COSO Overview
• COBIT® Overview
HISTORY OF CONTROLS FRAMEWORKS
• 1929: Wall Street Crash
• 1934: US Securities and Exchange Commission (SEC) formed
  – Public companies required to perform annual audits
• 1987: Treadway Commission, in response to corrupt mid‐1970s accounting practices, starts a project to create an accounting control framework.
• “ – Framework,” a four‐volume report, was
  Organizations (COSO)
  – , survey respondents
Controls Testing or Substantive Testing?
• IT Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
• ‐ , requiring companies to adopt and declare internal controls
Figure: Evolution of COBIT – Control, Management, IT Governance, Governance of Enterprise IT; COBIT 1, COBIT 2, COBIT 3, COBIT 4.1, COBIT 5; Val IT 2.0 (2008), Risk IT
A business framework from ISACA, at www.isaca.org/cobit
OVERVIEW OF FINANCIAL CONTROLS & THEIR USE
• CONTROL: A proactive step taken by “management” to accomplish an objective
• Management is any employee of the firm
• The term management is used because they are usually responsible for
• Controls attain OBJECTIVES: The purpose one's efforts or
• Objectives address RISKS: The potential for loss (financial or
• Financial Objectives
  – Completeness
  – Accuracy
  – Authorization
  – Real
  – Rights & Obligations
  – Presentation & Disclosure
• IT & Operational Objectives
  – Security
  – Confidentiality
  – Integrity
  – Scalability
  – Reliability
  – Effectiveness
  – Efficiency
• Automated Controls
  – These are programmed financial controls
  – They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  –
• Partially‐Automated Controls
  – People‐enabled controls – Electronic Evidence) for the control to function
• Manual Controls (no IT‐Dependence)
  – People enable the control
  – Controls that are 100% independent of IT systems
• Prevent Controls
  – The locks on your car doors
• Detect Controls
  – Your car alarm
• Correct Controls
  – Your auto insurance
  – A LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)
Yet More Ways To Categorize Controls
•
  – (a.k.a. “Governance”)
•
• Operational Controls
  – User Administration
  –
  – IT Operations
  –
Figure: Control categories matrix – columns Financial, Environmental, Operational, IT General; rows Automated, Partially‐Automated, Manual
Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
  Manual Control: Buyer compares signature on Purchase Request to list of approvers
  Automated Control: Application only allows authorized approvers to approve

Objective: Goods can only be purchased from vendors who have been pre‐approved
  Manual Control: Buyer only purchases from hardcopy list of approved vendors
  Automated Control: PO system provides limited options in a drop‐down menu, populated from a list of approved vendors.

Objective: AP Clerk prepares a “voucher package,” including Purchase Order, Shipping Slip, Invoice and Check (Payment); AP Clerk ties out all information across three documents to ensure completeness & accuracy
  Manual Control: AP Clerk ties out all information across three sources
  Automated Control: Application ties out all information across all three sources, an … see next control)

Objective: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments
  Manual Control: Receiving Clerk manually performs control
  Automated Control: <none>
COSO OVERVIEW
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
“Environmental Controls” or “Entity‐Level Controls”
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Sets the tone of an organization, influencing the control consciousness of its people
• Is the foundation for all other components of internal control
• Provides discipline and structure
• Factors include:
  – , entity's people;
  – Management's philosophy and operating style;
  – The way management assigns authority and responsibility, and organizes and develops its people;
  – The attention and direction provided by the board of directors.
• sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
• Economic, industry, regulatory and operating conditions will continue to change
• Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out .
• “Information systems” (not necessarily technology) produce reports containing operational, financial and compliance‐related information that make it possible to .
• Information needs to flow up, down, and across the organization
•
effectiveness
monitoring activities, separate
•
  – Existence
  –
  – Completeness
  – Valuation
  – Rights & Obligations
  – Presentation & Disclosure
  – Reasonableness
WHY COSO ALONE IS NOT ENOUGH
Figure: Timeline Q1 Q2 Q3 Q4 with a single Application Control Test point
• Testing application controls only tells you that the control worked for that transaction on that day.
• How can you get coverage for the whole period?
• Change Management
• User Administration
•
• Physical Environment
Figure: Layered model – Business Processes, Data/Information, Automated Controls, General Controls
Potential For Significant Problems Exists
Figure: Automated Controls (label)
COBIT OVERVIEW
• The Framework formerly known as “Control Objectives for Information Technology”
• Intellectual Property of ISACA® and the IT Governance Institute
ISACA download links for references:
• COBIT® 5.0 An Introduction
• COBIT® 4.1
• IT Control Objectives for Sarbanes‐Oxley: The Role of IT in the Design and Implementation of Internal Control Over nd