Guidance on Monitoring Internal Control Systems

COSO Monitoring Project Update

FEI - CFIT Meeting, September 25, 2008

© Grant Thornton

Slide 2: Project Overview

Drivers:
• COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control.
• SOX response provided confirmation.

Objectives:
• Help organizations improve the effectiveness and efficiency of their internal control systems.
• Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes.

Slide 3: Project Overview

Process
– GT authoring team, supported by large task force
– Last summer – conceptual whitepaper
– This summer – proposed guidance; public comments July to August 15

Content
– Volume I – Guidance – 15 pages
– Volume II – Theory & Application – 54 pages
– Volume III – Practical Examples – 116 pages

Final guidance will be issued shortly, but there are still some minor wording issues “in play”.

Slide 4: Guiding Principles

Without monitoring, even good controls deteriorate over time.

Slide 5: Organization Structure

Role of Management & The Board
– Management has primary responsibility for the internal control system
– Board should determine that management has fulfilled its obligations
– “Evaluating” controls performed by senior management requires focus and consideration

Characteristics of Evaluators
– Competence – knowledge of control and implications of failure
– Objectivity – perform evaluation without fear of repudiation or personal interest in outcome

Slide 6: Importance of Having A “Baseline”

You have to know that you have good internal controls before you can implement monitoring of those controls, and you have to adapt as things change.

Slide 7: Design & Execute Monitoring

Slide 8: Persuasive Information (about a control) is . . .

1. Suitable
   • Relevant
     – Direct
     – Indirect
   • Reliable
   • Timely

2. Sufficient
   • Quantity of information – do we have enough to support a conclusion?

[Diagram: three overlapping circles labelled Relevant, Reliable and Timely. The regions outside the full overlap are labelled “Need Timely Info”, “Need Reliable Info” and “Need Relevant Info”; the centre is labelled “Relevant, Reliable & Timely”.]

Both require judgment that depends on the level of risk and the control’s susceptibility to failure.

Slide 9: Relevance of Information

• Direct information
  – Substantiates control operation through observation and/or re-performance of a given control

• Indirect information
  – Anything other than direct information
  – Only allows the user to infer the continued effective operation of controls
  – Can only influence the type, timing, and extent of monitoring using direct information

Slide 10: Information Technology References & Implications

Volume I – Guidance
• None

Volume II – Theory & Application
• Tools Enabling The Monitoring Process
• Tools That Monitor Controls

Volume III – Practical Examples
• Company-Specific Uses Of IT Tools Used To Monitor Process Risks
• Comprehensive “Example” Of Identifying & Monitoring Controls Over “Common” IT Risks
• Examples Of Common IT Processes That MIGHT Be Considered Monitoring
• Examples Of How Tools Are Used

Slide 11: Tools Enabling The Monitoring Process

Tools to make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable. Example uses:

– Coordinate the risk assessment process
– Provide a repository for documentation
– Enhance the communication process
– Support the “roll-up” of information at various levels and points within an organization
– Provide performance indicators

Slide 12: Tools That Monitor Controls

General Observations
– Typically enhance both efficiency and effectiveness of the monitoring process
– Can be very specific or very broad in terms of the types of controls they help monitor
– Can be a control and simultaneously play a role in monitoring of controls
– Can be independent or be part of the reporting capability of a tool that is functioning as a control
– Apply to both IT processes and application controls
– Do have limitations

Slide 13: Tools That Monitor Controls

• Tools that “monitor” controls typically do so by focusing on one or more of the following:
  – Transaction Data
  – Conditions
  – Changes
  – Processing Integrity
  – Error Management

Slide 14: Transaction Data

Tools extract processed transactions, master file data, or both, and analyze them against a set of control rules to:

– Highlight exceptions and/or anomalies
– Analyze unusual trends in activities, values and volumes
– Compare balances or details between two systems or between distinct parts of a process

Can be an “ad hoc” reporting tool or an integrated application solution or suite.
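As an added example (not code from the COSO guidance or from the Grant Thornton deck), the following Python script applies a small set of control rules of the kind this slide describes to a constructed batch of vendor payments: a duplicate-payment check, a segregation-of-duties check, an approval-limit check and a vendor-volume outlier check. The payments, the approval limit, the set of senior approvers and the outlier factor are all assumed values chosen for the illustration; each rule returns the transactions it flags, and `run_rules` rolls them up per transaction for the evaluator's follow-up.

```python
"""Rule-based exception analysis over a constructed batch of vendor payments.

Added example, not code from the COSO guidance or the Grant Thornton deck.
Each rule encodes one control expectation; the monitor reports the transactions
that violate it so an evaluator can follow up on the exceptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor: str
    amount: float
    entered_by: str
    approved_by: str
    posted: date


# Constructed sample batch; vendor and user names are placeholders.
PAYMENTS = [
    Payment("T1", "ACME", 4200.00, "alice", "bob", date(2008, 9, 1)),
    Payment("T2", "ACME", 4200.00, "alice", "bob", date(2008, 9, 1)),       # same vendor/amount/date as T1
    Payment("T3", "GLOBEX", 15000.00, "carol", "carol", date(2008, 9, 2)),  # preparer approved own entry
    Payment("T4", "INITECH", 300.00, "dave", "bob", date(2008, 9, 3)),
    Payment("T5", "GLOBEX", 12000.00, "dave", "erin", date(2008, 9, 3)),
]

# Assumed control parameters (constructed policy values for the example).
APPROVAL_LIMIT = 10000.00   # payments above this need a senior approver
SENIOR_APPROVERS = {"erin"}
VOLUME_FACTOR = 3.0         # vendor total above factor x median vendor total is "unusual"


def rule_duplicate(payments):
    """Possible double payment: same vendor, amount and posting date seen more than once."""
    key = lambda p: (p.vendor, p.amount, p.posted)
    seen = Counter(key(p) for p in payments)
    return [(p.txn_id, "duplicate") for p in payments if seen[key(p)] > 1]


def rule_segregation_of_duties(payments):
    """The person who entered a payment must not be the one who approved it."""
    return [(p.txn_id, "self-approved") for p in payments if p.entered_by == p.approved_by]


def rule_approval_limit(payments):
    """Payments above the limit must carry a senior approval."""
    return [(p.txn_id, "above-limit-approver") for p in payments
            if p.amount > APPROVAL_LIMIT and p.approved_by not in SENIOR_APPROVERS]


def rule_unusual_volume(payments):
    """Flag every payment to a vendor whose batch total is far above the typical vendor total."""
    totals = defaultdict(float)
    for p in payments:
        totals[p.vendor] += p.amount
    if len(totals) < 2:          # no peer group to compare against
        return []
    typical = median(totals.values())
    outliers = {v for v, t in totals.items() if t > VOLUME_FACTOR * typical}
    return [(p.txn_id, "unusual-volume") for p in payments if p.vendor in outliers]


RULES = [rule_duplicate, rule_segregation_of_duties, rule_approval_limit, rule_unusual_volume]


def run_rules(payments, rules=RULES):
    """Return {txn_id: sorted list of rule flags} covering only the transactions that fired a rule."""
    exceptions = defaultdict(set)
    for rule in rules:
        for txn_id, flag in rule(payments):
            exceptions[txn_id].add(flag)
    return {t: sorted(f) for t, f in sorted(exceptions.items())}


if __name__ == "__main__":
    for txn_id, flags in run_rules(PAYMENTS).items():
        print(txn_id, ", ".join(flags))
```

On the constructed batch, T1 and T2 are reported as a duplicate pair, T3 trips three rules at once, and T5 is flagged only because GLOBEX's batch total is an outlier; T4 produces no exception. Rules that depend on a peer group (the volume rule) return nothing when the group is too small to be meaningful rather than flagging everything.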

Slide 15: Conditions

Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources, application systems, or both.

• Work by comparing the configuration information to “baseline” information, a prior analysis, or both, to determine whether it is consistent with the organization’s expectations.
• Increase the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis.
• Can be “scanning” or “agent” based.
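As an added example (not code from the COSO guidance or from the Grant Thornton deck), the Python below does the comparison this slide describes: a current configuration snapshot is checked against both an approved baseline and the previous snapshot, so each deviation can be reported as new (investigate) or persisting since the last run (escalate), and settings that have come back into line are recorded for the audit trail. The setting names and values are constructed placeholders, not settings from any particular product.

```python
"""Configuration 'conditions' monitoring: compare a current snapshot against an
approved baseline and against the previous snapshot.

Added example, not code from the COSO guidance or the Grant Thornton deck;
setting names and values are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    key: str
    kind: str          # "baseline-drift", "missing" or "unexpected"
    expected: Any      # baseline value (None for keys not in the baseline)
    observed: Any      # current value (None for keys absent from the snapshot)
    persisting: bool   # True when the prior snapshot already showed this state


# Constructed snapshots: BASELINE is the approved state, PRIOR the last run, CURRENT this run.
BASELINE = {
    "password.min_length": 12,
    "password.max_age_days": 90,
    "audit.logging": "enabled",
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
}
PRIOR = {
    "password.min_length": 12,
    "password.max_age_days": 365,   # already deviated last run
    "audit.logging": "disabled",    # deviated last run, fixed since
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
}
CURRENT = {
    "password.min_length": 8,       # newly weakened
    "password.max_age_days": 365,   # still deviated
    "audit.logging": "enabled",
    "tls.min_version": "1.2",       # ssh.permit_root_login is missing entirely
    "debug.mode": "on",             # setting the baseline does not allow for
}


def compare_conditions(baseline, prior, current):
    """Return every deviation of `current` from `baseline`, marking whether the
    prior snapshot already contained the same state."""
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(Finding(key, "missing", expected, None, key not in prior))
        elif current[key] != expected:
            findings.append(Finding(key, "baseline-drift", expected, current[key],
                                    prior.get(key) == current[key]))
    for key, observed in current.items():
        if key not in baseline:
            findings.append(Finding(key, "unexpected", None, observed,
                                    prior.get(key) == observed))
    return findings


def remediated_since_prior(baseline, prior, current):
    """Keys that deviated last run but match the baseline again now (audit-trail information)."""
    return sorted(k for k, v in baseline.items()
                  if prior.get(k) != v and current.get(k) == v)


def triage(findings):
    """Split findings into new deviations (investigate) and persisting ones (escalate)."""
    return {
        "new": sorted(f.key for f in findings if not f.persisting),
        "persisting": sorted(f.key for f in findings if f.persisting),
    }


if __name__ == "__main__":
    found = compare_conditions(BASELINE, PRIOR, CURRENT)
    for f in found:
        state = "persisting" if f.persisting else "new"
        print(f"{f.kind:15} {f.key:25} expected={f.expected!r} observed={f.observed!r} ({state})")
    print("remediated:", remediated_since_prior(BASELINE, PRIOR, CURRENT))
```

The comparison runs both ways: keys the baseline expects but the snapshot lacks are reported as missing, and keys present in the snapshot but absent from the baseline are reported as unexpected, so a setting that silently appears is treated as a deviation rather than ignored. Persisting findings are the ones the previous run should already have raised; if they are still present, the monitoring is working but the remediation is not.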

Slide 16: Changes

Tools that identify and report changes to critical resources, data or information:

– Usually operate on a continuous basis (i.e., they are “agent-based”)
– Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
– Most likely will be considered a control as well as a method for monitoring controls
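As an added example (not code from the COSO guidance or from the Grant Thornton deck), the Python below shows the two halves of what this slide describes: detecting changes to critical resources independently of the change process, and then verifying each detected change as authorized. It hashes a set of monitored files, diffs the resulting inventory against the previous one, and matches every added, removed or modified path against approved change records with a time window. The file paths, contents, observation time and ticket numbers (such as `CHG-1001`) are constructed for the example; in practice `BEFORE` and `AFTER` would come from walking the filesystem on each run.

```python
"""Change detection on a set of critical files, with each detected change
reconciled against approved change records.

Added example, not code from the COSO guidance or the Grant Thornton deck;
paths, file contents, the observation time and ticket numbers are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime


def inventory(files):
    """Map path -> SHA-256 of content. `files` stands in for a filesystem walk (constructed)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_changes(previous, current):
    """Compare two inventories and list (path, kind) for added, removed and modified paths."""
    changes = []
    for path in sorted(set(previous) | set(current)):
        if path not in previous:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif previous[path] != current[path]:
            changes.append((path, "modified"))
    return changes


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    path: str
    window_start: datetime
    window_end: datetime


def reconcile(changes, observed_at, records):
    """Attach the approving ticket to each change, or mark it UNAUTHORIZED when no
    approved record covers that path at the time the change was observed."""
    result = []
    for path, kind in changes:
        match = next((r for r in records
                      if r.path == path and r.window_start <= observed_at <= r.window_end), None)
        result.append((path, kind, match.ticket if match else "UNAUTHORIZED"))
    return result


# Constructed "before" and "after" states of the monitored paths.
BEFORE = {
    "/etc/app/config.ini": b"db_host=db01\nlog_level=info\n",
    "/etc/cron.d/nightly": b"0 2 * * * app /opt/app/bin/nightly\n",
    "/opt/app/bin/service": b"\x7fELF-placeholder-binary",
}
AFTER = {
    "/etc/app/config.ini": b"db_host=db01\nlog_level=debug\n",   # modified
    "/opt/app/bin/service": b"\x7fELF-placeholder-binary",       # unchanged
    "/opt/app/bin/helper": b"#!/bin/sh\necho placeholder\n",     # added
}                                                                 # /etc/cron.d/nightly removed
OBSERVED_AT = datetime(2008, 9, 25, 3, 0)
RECORDS = [  # constructed approved change ticket covering only the config edit
    ChangeRecord("CHG-1001", "/etc/app/config.ini",
                 datetime(2008, 9, 25, 2, 0), datetime(2008, 9, 25, 4, 0)),
]


def run():
    """Full cycle: inventory both states, detect the differences, reconcile to approvals."""
    return reconcile(detect_changes(inventory(BEFORE), inventory(AFTER)), OBSERVED_AT, RECORDS)


if __name__ == "__main__":
    for path, kind, ticket in run():
        print(f"{kind:8} {path:24} {ticket}")
```

The config edit is covered by an approved record whose window includes the observation time, so it reconciles to its ticket; the removed cron entry and the new binary have no covering record and surface as unauthorized changes for follow-up. Because the detection relies only on content hashes taken by the monitor, it does not depend on the change process having logged anything, which is what makes it an independent check on that process.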

Slide 17: Processing Integrity

Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:

– Typically focus on balancing and controlling data as it progresses through processes and systems
– Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
– Most likely will be considered a control as well as a method for monitoring controls
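As an added example (not code from the COSO guidance or from the Grant Thornton deck), the Python below carries three control totals through a small processing pipeline and balances each stage against the one before it: a record count (catches dropped or duplicated records), an amount total (catches altered values) and a hash total over account numbers (catches a record substituted for another with the same amount). The totals after every stage are kept as an audit trail. The records and the stages are constructed, and two of the stages are deliberately faulty to show which total catches which kind of failure.

```python
"""Control totals carried across the stages of a processing pipeline, balanced
stage to stage, with an audit trail of the totals.

Added example, not code from the COSO guidance or the Grant Thornton deck;
the records and the pipeline stages are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    stage: str
    count: int         # record count: detects dropped or duplicated records
    amount: Decimal    # value total: detects altered amounts
    hash_total: int    # sum of account numbers: detects substituted records


def control_totals(stage, records):
    """Compute the three totals for the records as they stand after `stage`."""
    return ControlTotals(
        stage,
        len(records),
        sum((r["amount"] for r in records), Decimal("0")),
        sum(r["account"] for r in records),
    )


def reconcile(before, after):
    """List every control total that changed between two consecutive stages."""
    problems = []
    if after.count != before.count:
        problems.append(f"count {before.count} -> {after.count}")
    if after.amount != before.amount:
        problems.append(f"amount {before.amount} -> {after.amount}")
    if after.hash_total != before.hash_total:
        problems.append(f"hash total {before.hash_total} -> {after.hash_total}")
    return problems


def run_pipeline(records, stages):
    """Run each stage in turn, keeping the totals after every stage as an audit trail
    and reporting (stage, problem) for each break. Processing continues past a break
    so the trail shows every stage."""
    trail = [control_totals("input", records)]
    breaks = []
    current = records
    for name, step in stages:
        current = step(current)
        after = control_totals(name, current)
        breaks.extend((name, p) for p in reconcile(trail[-1], after))
        trail.append(after)
    return trail, breaks


# Constructed input batch.
RECORDS = [
    {"account": 1001, "amount": Decimal("250.00")},
    {"account": 1002, "amount": Decimal("100.00")},
    {"account": 1003, "amount": Decimal("650.00")},
    {"account": 1004, "amount": Decimal("350.00")},
]


def enrich(records):     # adds a field; totals must not change
    return [dict(r, currency="USD") for r in records]


def reroute(records):    # faulty: alters one account number; count and amount stay the same
    return [dict(r, account=1012) if r["account"] == 1002 else r for r in records]


def post(records):       # faulty: silently drops one record
    return [r for r in records if r["account"] != 1003]


STAGES = [("enrich", enrich), ("reroute", reroute), ("post", post)]


if __name__ == "__main__":
    trail, breaks = run_pipeline(RECORDS, STAGES)
    for t in trail:
        print(f"{t.stage:8} count={t.count} amount={t.amount} hash={t.hash_total}")
    for stage, problem in breaks:
        print(f"BREAK at {stage}: {problem}")
```

The `enrich` stage balances cleanly. The `reroute` stage would pass a count-and-amount check, and only the hash total exposes that a record was changed; the `post` stage breaks all three totals because a whole record disappeared. Amounts are `Decimal` rather than `float` so that the balancing is exact and a break is never masked by rounding.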

Slide 18: Error Management

Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.

– Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively
– Will almost always be seen as a control activity first
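As an added example (not code from the COSO guidance or from the Grant Thornton deck), the Python below computes the kind of volume-and-resolution information this slide refers to for a suspense area: how many items are open, how old they are, how many were opened and resolved in the last 30 days, and which error reasons keep recurring. A second function turns those figures into warnings against thresholds. The suspense items, the as-of date and the thresholds are constructed for the illustration.

```python
"""Suspense-area monitoring: volume, aging and resolution of items that failed
processing and are awaiting correction and re-processing.

Added example, not code from the COSO guidance or the Grant Thornton deck;
the suspense items, as-of date and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class SuspenseItem:
    item_id: str
    reason: str
    opened: date
    resolved: Optional[date] = None   # None while the item is still in suspense


# Constructed suspense log as of 25 September 2008.
AS_OF = date(2008, 9, 25)
ITEMS = [
    SuspenseItem("S1", "invalid-account", date(2008, 9, 1), date(2008, 9, 3)),
    SuspenseItem("S2", "missing-approver", date(2008, 9, 5), date(2008, 9, 20)),
    SuspenseItem("S3", "invalid-account", date(2008, 8, 1)),                    # open 55 days
    SuspenseItem("S4", "amount-mismatch", date(2008, 9, 22)),
    SuspenseItem("S5", "invalid-account", date(2008, 9, 24)),
    SuspenseItem("S6", "invalid-account", date(2008, 7, 10), date(2008, 7, 15)),
]


def suspense_metrics(items, as_of, window_days=30):
    """Volume, aging and resolution figures for the suspense area as of a given date."""
    open_items = [i for i in items if i.resolved is None or i.resolved > as_of]
    ages = [(as_of - i.opened).days for i in open_items]
    window_start = as_of - timedelta(days=window_days)
    aging = {"0-7": 0, "8-30": 0, "31+": 0}
    for age in ages:
        aging["0-7" if age <= 7 else "8-30" if age <= 30 else "31+"] += 1
    return {
        "open": len(open_items),
        "oldest_open_days": max(ages, default=0),
        "aging": aging,
        "opened_in_window": sum(1 for i in items if window_start < i.opened <= as_of),
        "resolved_in_window": sum(1 for i in items
                                  if i.resolved is not None and window_start < i.resolved <= as_of),
        "reason_counts": dict(Counter(i.reason for i in items)),
    }


def assess(metrics, max_age_days=30, recurring_threshold=3):
    """Turn the metrics into (code, message) warnings against constructed thresholds."""
    warnings = []
    if metrics["oldest_open_days"] > max_age_days:
        warnings.append(("aged-item",
                         f"oldest open item is {metrics['oldest_open_days']} days, limit {max_age_days}"))
    if metrics["resolved_in_window"] < metrics["opened_in_window"]:
        warnings.append(("backlog-growing",
                         f"opened {metrics['opened_in_window']}, resolved {metrics['resolved_in_window']} in window"))
    for reason, n in sorted(metrics["reason_counts"].items()):
        if n >= recurring_threshold:   # same failure keeps arriving: look at the upstream control
            warnings.append(("recurring-reason", f"{reason} seen {n} times"))
    return warnings


if __name__ == "__main__":
    m = suspense_metrics(ITEMS, AS_OF)
    print(m)
    for code, message in assess(m):
        print(f"{code}: {message}")
```

Two of the signals are about the suspense process itself (an item aging past the limit, a backlog that grows because fewer items are resolved than arrive); the third, a reason that recurs, points past the suspense area to the control that should have prevented the error from arising, which is usually the more important finding.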

Slide 19: “Continuous Control Monitoring” Tools

• Tools typically complement normal transaction processing by checking transactions or other data for anomalies.
• In most cases, they operate as “control activities”, allowing for the identification of control failures and the ability to correct errors before they become significant.
• When used as a control, the tool itself should be subject to monitoring.
• Addressing the impact of change is also a key requirement for these tools.

Slide 20: Volume III - Examples

Information Used To Monitor “Common” Controls That Are Relevant To Financial Reporting Risks
– Application Security
– Application Program/Configuration Change Control
– Data Security & Change Control
– Program Testing
– Job Scheduling & Management
– Data Redundancy

Slide 21: Volume III - Examples

Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls
– Access Recertification
– Security Log Monitoring
– Peer/Quality Review Processes
– Change Review Boards
– Post-Implementation Reviews
– Recovery Testing

Slide 22: Questions???

© Grant Thornton