COSO 2013 and its Impact on Information Technology Institute of Internal Auditors Long Island Chapter Annual Information Technology Conference

Page 1: COSO 2013 and its Impact on Information Technology

COSO 2013 and its Impact on Information Technology

Institute of Internal Auditors, Long Island Chapter

Annual Information Technology Conference

Page 2

Disclosures

• The presentation assumes that attendees already have a basic understanding of COSO products and the 2013 update in particular.

• The presentation will focus on information technology considerations that may need further elaboration or supplementation to what was provided in the COSO documents.

• Although Joel is a member of the AICPA’s “IT Implications of COSO 2013 Task Force,” the views presented are his own and not of the Task Force.

Page 3

Joel Lanz, CPA.CGMA.CITP.CFF, CISA, CISM, CISSP, CFE

Technology Risk Advisory Practice

Thought Leadership

Graduate School Professor

Joel’s niche CPA practice has provided IT Audit, Information Security Management, Risk Assessment and IT Regulatory Compliance services to clients in, and firms serving, the Financial Services, Healthcare, Education, Non-Profit and Technology sectors since 2001.

• Monthly technology column in the Trusted Professional.

• Editorial Board member of “The CPA Journal.”

• Previously chaired both the NYSSCPA Technology Assurance and Information Technology Committees.

• Chair of the AICPA’s CITP Specialist Credential committee.

• Co-chaired the AICPA’s 2010 & 2011 Top Tech Task Force.

• Previously served on the AICPA’s IT Executive Committee.

• IIA – Long Island Chapter Board of Governors.

Adjunct Professor in the School of Business at The State University of New York – College at Old Westbury. Courses instructed include:

• Auditing

• Advanced Assurance

• Forensic Accounting

• Accounting Information Systems

• Accounting Research

Adjunct Assistant Professor at NYU Stern Graduate School of Business teaching IT Auditing in the M.S. in Accounting program.

Prior to starting his niche IT Audit and Information Security Management practice in 2001, Joel was a Technology Risk Partner in Arthur Andersen’s Business Risk Consulting and Assurance Practice, and was a Manager at Price Waterhouse. His industry experience includes Vice President and Audit Manager at The Chase Manhattan Bank and senior IT auditor positions at two insurance companies.

Page 4

DO WE REALLY NEED TO WORRY ABOUT IT?

Page 5

“Technology Guidance abundant in COSO Internal Control Proposal” (Journal of Accountancy interview with Kenneth Vander Wal – COSO Advisory Council Member and ISACA President (online) 12/10/2012)

• Control environment. There is a need for technology competence on the board of directors and in senior management. “That’s now a requirement in many instances, depending on the nature of the organization,” Vander Wal said. In addition, there are more regulatory requirements to consider based on the use of technology.

• Risk assessment. The availability of more data as a result of technology allows for more risk assessment analytics, but also creates new risks. And technology is identified as an entity-level risk in the proposed framework. “Think about the risk associated with implementing cloud computing in your organization, or the impact of technology failure, which is much more significant now than it would have been in 1992,” Vander Wal said. “How long could you operate successfully if your technology failed, and what are the provisions for addressing that risk? In other words, what is the business continuity planning?”

• Control activities. Technology provides new responses to risks, as well as increased efficiency of risk responses.

• Information and communication. As a result of technology, more internal and external information is available over more channels. “So what are the controls over access to that?” Vander Wal said. “How do I analyze it? How do I use it? All of those things are considered when you look at that section and the technology in that particular component.”

• Monitoring activities. The guidance focuses on new methods for monitoring technology, and new ways to use technology for monitoring. “We’re using dashboards now, for example,” Vander Wal said. “We’re using technology to monitor controls. We’re using technology to report key performance indicators.”

Page 6

…and more from the interview

• Principle 11, which is under the “control activities” component, deals primarily with technology. It states that an organization should select and develop general control activities over technology to support the achievement of objectives.

• The points of focus for organizations to consider include:

– Determining the dependency between the use of technology in business processes and technology general controls.

– Establishing relevant control activities for technology infrastructure, security management processes, and technology acquisition, development, and maintenance.

• The proposal also addresses the impact of technology on the volume and complexity of data and information, and how that affects organizations. It says:

– Systems need to be increasingly complex to process and maintain control over the high volume of data available through electronic means.

– Operational or compliance risks may offset the benefits of increased information.

– Security, protection, and retention of data are increasingly important.

Page 7

Bill Schneider’s Blog on AICPA Insights (Bill is Director-Accounting, AT&T, and serves on the AICPA Council and the COSO Advisory Council)

The new and easier to understand framework will clarify what's needed - and what's not. The new modernized COSO framework will affect businesses in three big ways by:

1. Articulating the role of a company when outsourcing. While today's businesses can outsource many activities, they can never outsource responsibility.

2. Putting fraud right out in the forefront. A business's control structure must now address issues of fraud directly.

3. Highlighting the critical nature of IT. Information technology is a needed component that cannot be avoided in today's business environment. Let's face it, we simply don't use manual ledgers anymore!

• See more at: http://blog.aicpa.org/2013/06/3-ways-the-new-coso-framework-may-affect-your-business.html#sthash.WoRNYK7y.dpuf

Page 8

EXTREME BRIEF BACKGROUND

Note: The following section is taken or adapted from a May 2013 COSO Outreach PowerPoint deck. It is available from the What’s New section of COSO’s home page (www.coso.org) (May 14, 2013: Internal Control-Integrated Framework Released).

Page 9

Product #1 - Internal Control-Integrated Framework (2013 Edition)

• Consists of three volumes:

– Executive Summary

– Framework and Appendices

– Illustrative Tools for Assessing Effectiveness of a System of Internal Control

• Sets out:

– Definition of internal control

– Categories of objectives

– Components and principles of internal control

– Requirements for effectiveness

Page 10

Product #2 - Internal Control over External Financial Reporting: A Compendium....

• Illustrates approaches and examples of how principles are applied in preparing financial statements

• Considers changes in business and operating environments during past two decades

• Provides examples from a variety of entities – public, private, not-for-profit, and government

• Aligns with the updated Framework

Page 11

Environment changes … have driven Framework updates

Expectations for governance oversight

Globalization of markets and operations

Changes and greater complexity in business

Demands and complexities in laws, rules, regulations, and standards

Expectations for competencies and accountabilities

Use of, and reliance on, evolving technologies

Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)

Update considers changes in business and operating environments – that increasingly rely on information technology

Page 12

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

Update articulates 17 principles of effective internal control (so that’s what they meant by the five components)

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

13. Uses relevant information

14. Communicates internally

15. Communicates externally

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

Page 13

Update clarifies requirements for effective internal control

• Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

– Each component and each relevant principle is present and functioning

– The five components are operating together in an integrated manner

• Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)

• Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies

• A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives

Page 14

Update describes important characteristics of principles, e.g.,

– Points of focus may not be suitable or relevant, and others may be identified

– Points of focus may facilitate designing, implementing, and conducting internal control

– There is no requirement to separately assess whether points of focus are in place

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

Points of Focus:

• Sets the Tone at the Top

• Establishes Standards of Conduct

• Evaluates Adherence to Standards of Conduct

• Addresses Deviations in a Timely Manner

Page 15

INFORMATION TECHNOLOGY IMPACT ON THE 17 PRINCIPLES

Page 16

NEED TO CONSIDER BOTH General and Application Controls

Page 17

CONTROL ENVIRONMENT

• How is the IT function positioned at the organization and does it have appropriate organizational structures and reporting lines?

• Are IT-related policies such as information security and vendor management appropriate given the business objectives of the organization?

• How is the policy deviation process governed?

• What types of IT-related issues is the Board involved with, and for what issues does it provide oversight?

• How much turnover is occurring in IT functions?

• How is decentralized and end-user computing governed?

• Do employees – both within and outside the IT functions – have current and appropriate skills/knowledge to enable the organization to achieve business objectives in an efficient and effective manner?

• What type of performance measures are used to assess IT effectiveness and efficiency?

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Page 18

RISK ASSESSMENT

• Have systems/data been appropriately classified to determine appropriate risk tolerances?

• To what extent are recognized IT standards/frameworks employed?

• Are IT regulatory requirements understood and defined?

• Do applications provide the ability to record accounting transactions using relevant principles and criteria?

• Are IT risk assessments periodically performed and are results used to prioritize remediation?

• To what extent is end user and/or cloud computing considered in IT risk assessment activities?

• Is computer-facilitated fraud considered during fraud risk assessments, including threats from both external and internal sources?

• What type of technology-related changes are planned/have occurred and how will that impact the organization’s control environment?

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Page 19

CONTROL ACTIVITIES (see #11 General IT Controls on next page)

• Does the organization understand, and has it mapped, its business processes’ reliance on technology?

• How and to what extent is technology used to automate control activities?

• How effective are application controls and do they enable the organization to enforce completeness, accuracy and validity objectives?

• Do the applications enforce organizational and departmental segregation of duties controls?

• Are appropriate monitoring controls designed into applications to facilitate detective control abilities as needed?

• Have appropriate systems configuration guidelines been developed and appropriately reviewed?

• Do IT policies reflect the guidance needed to take advantage of business opportunities created by evolving technologies including mobile and cloud computing?

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

Page 20

General IT Controls (#11) Deep Dive (Points of Focus)

• Determine dependency between the use of technology in business processes and technology general controls.

– Linkage between business processes, automated control activities, and technology general controls.

• Establish relevant technology infrastructure control activities.

– Ensure the completeness, accuracy, and availability of technology processing.

• Establish relevant security management process control activities.

– Restrict technology access rights to authorized users commensurate with their responsibilities and protect assets from external threats.

• Establish relevant technology acquisition, development, and maintenance process control activities.

– Control activities over the acquisition, development, and maintenance of technology and its infrastructure.

Page 21

INFORMATION AND COMMUNICATION

• Can the organization rely on information supplied by third parties to manage and monitor business activities?

• To what extent has the organization established information governance activities?

• How is the quality of information assured and maintained and can we rely on it to make business decisions?

• How can we leverage organizational investments in Big Data to enhance overall internal control and reduce fraud?

• How is confidential information protected?

• Do application interfaces and similar processes ensure that regulatory agencies are provided with complete and accurate information in the prescribed formats?

• Are the Board and Executive management receiving information produced by reliable systems?

• Is the IT vendor management oversight program effective in ensuring that customers’ non-public information is protected in accordance with regulatory requirements?

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Page 22

MONITORING ACTIVITIES

• Has the organization developed and implemented an appropriate logging strategy to monitor technology-related activities?

• Are there sufficient logs and application audit trails to support incident response and computer forensic examination as needed?

• Does the organization have an effective internal audit function that can evaluate technology risk?

• Do end users periodically conduct technology risk assessments and application benchmarks to identify IT-related targets of opportunity?

• Does the enterprise wide risk management group understand IT risks and are such risks included and monitored in the organization’s risk register?

• To what extent are data analysis/computer assisted audit techniques/data mining employed to proactively identify issues requiring Management attention?

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Page 23

QUESTIONS?

Page 24

FOR FURTHER INFORMATION

• Contact Joel directly at:

Joel Lanz
Joel Lanz, CPA, P.C.
471 N. Broadway
Jericho, NY 11753
(516) [email protected]
www.linkedin.com/in/joellanz

Thank you for attending today’s conference.

Should you have any follow-up questions please do not hesitate to call or email me.