Introduction to Coso & Cobit

Page 1: Introduction to Coso & Cobit

8/12/2019 Introduction to Coso & Cobit

http://slidepdf.com/reader/full/introduction-to-coso-cobit 1/32

Steve Shofner, Moss Adams IT Consultant

Debra Mallette, Senior Process Consultant Specialist, Kaiser Permanente

Core Competencies – C31

Page 2: Introduction to Coso & Cobit

•   Overview of Financial Controls & Their Use
•   COSO Overview
•   COBIT® Overview

Page 3: Introduction to Coso & Cobit

HISTORY OF CONTROLS FRAMEWORKS

Page 4: Introduction to Coso & Cobit

•   1929: Wall Street Crash
•   1934: US Securities and Exchange Commission (SEC) formed
 –  Public companies required to perform annual audits
•   1987: Treadway Commission, in response to corrupt mid‐1970s accounting practices, starts a project to create an accounting control framework.

Page 5: Introduction to Coso & Cobit

•   “Internal Control – Integrated Framework,” a four‐volume report, was issued by the Committee of Sponsoring Organizations (COSO)
 –  …, survey respondents

Page 6: Introduction to Coso & Cobit

Controls Testing or Substantive Testing?

Page 7: Introduction to Coso & Cobit

•   The IT Governance Institute (ITGI) releases the Control Objectives for Information and Related Technology (COBIT) Framework
 –  …, requiring companies to adopt and declare internal controls

Page 8: Introduction to Coso & Cobit

[Figure: evolution of COBIT's scope over its versions. Vertical axis: evolution of scope, with the levels Control, Management, IT Governance, and Governance of Enterprise IT. Versions shown along the timeline: COBIT 1, COBIT 2, COBIT 3, COBIT 4.1, COBIT 5, with Val IT 2.0 (2008) and Risk IT alongside.]

A business framework from ISACA, at www.isaca.org/cobit

Page 9: Introduction to Coso & Cobit

OVERVIEW OF FINANCIAL CONTROLS & THEIR USE

Page 10: Introduction to Coso & Cobit

•   CONTROL: A proactive step taken by “management” to accomplish an objective
•   Management is any employee of the firm
•   The term management is used because they are usually responsible for …
•   Controls attain OBJECTIVES: The purpose of one's efforts or …
•   Objectives address RISKS: The potential for loss (financial or …)

Page 11: Introduction to Coso & Cobit

•   Financial Objectives
 –  Completeness
 –  Accuracy
 –  Authorization
 –  Real…
 –  Rights & Obligations
 –  Presentation & Disclosure
•   IT & Operational Objectives
 –  Security
 –  Confidentiality
 –  Integrity
 –  Scalability
 –  Reliability
 –  Effectiveness
 –  Efficiency

Page 12: Introduction to Coso & Cobit

•   Automated Controls
 –  These are programmed financial controls
 –  They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
 –  …
•   Partially‐Automated Controls
 –  People‐enabled controls
 –  … Electronic Evidence) for the control to function
•   Manual Controls (no IT‐Dependence)
 –  People enable the control
 –  Controls that are 100% independent of IT systems

Page 13: Introduction to Coso & Cobit

•   Prevent Controls
 –  The locks on your car doors
•   Detect Controls
 –  Your car alarm
•   Correct Controls
 –  Your auto insurance
 –  A LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)

Page 14: Introduction to Coso & Cobit

Yet More Ways To Categorize Controls

•   … (a.k.a. “Governance”)
•   …
•   Operational Controls
 –  User Administration
 –  …
 –  IT Operations
 –  …

Page 15: Introduction to Coso & Cobit

[Figure: matrix of control categories. Rows: Financial, Environmental, Operational, IT General. Columns: Automated, Partially-Automated, Manual.]

Page 16: Introduction to Coso & Cobit

Page 17: Introduction to Coso & Cobit

Objective / Manual Control / Automated Control

•   Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
 –  Manual control: Buyer compares signature on Purchase Request to list of approvers
 –  Automated control: Application only allows authorized approvers to approve
•   Objective: Goods can only be purchased from vendors who have been pre‐approved
 –  Manual control: Buyer only purchases from hardcopy list of approved vendors
 –  Automated control: PO system provides limited options in a drop‐down menu, populated from a list of approved vendors.
•   Objective: AP Clerk prepares a “voucher package,” including: Purchase Order, Shipping Slip, Invoice, Check (Payment)
 –  Manual control: AP Clerk ties out all information across three sources
 –  Automated control: Application ties out all information across all three sources, and … (see next control)
•   Objective: AP Clerk ties out all information across three documents to ensure completeness & accuracy
 –  Manual control: …
 –  Automated control: …
•   Objective: Receiving Clerk counts all items received, ties them to shipping slip, and will only receive complete shipments
 –  Manual control: Receiving Clerk manually performs control
 –  Automated control: <none>
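The automated controls in the purchase‐to‐pay table above, written out as application logic (an added example, not code from the slide deck; the approver and vendor lists, the document fields and the sample voucher package are constructed):

```python
"""Automated controls from the purchase-to-pay table: approver authorization,
approved-vendor restriction, and the three-way tie-out of PO, shipping slip
and invoice. Reference lists and sample records below are constructed."""
from dataclasses import dataclass

# Constructed reference data the application would hold (not from the deck).
AUTHORIZED_APPROVERS = {"cfo", "purchasing_mgr"}
APPROVED_VENDORS = {"V-100", "V-200"}

@dataclass(frozen=True)
class Doc:
    """One voucher-package document: purchase order, shipping slip or invoice."""
    po_number: str
    vendor_id: str
    quantity: int
    unit_price: float

def approve_purchase_request(approver: str) -> bool:
    """Control 1: only an authorized approver may approve a Purchase Request."""
    return approver in AUTHORIZED_APPROVERS

def select_vendor(vendor_id: str) -> bool:
    """Control 2: the PO system only offers pre-approved vendors (the drop-down)."""
    return vendor_id in APPROVED_VENDORS

def three_way_match(po: Doc, shipping_slip: Doc, invoice: Doc) -> list[str]:
    """Control 3: tie out PO, shipping slip and invoice; return the exceptions.
    An empty list means the voucher package is complete and accurate."""
    exceptions = []
    if not (po.po_number == shipping_slip.po_number == invoice.po_number):
        exceptions.append("PO number differs across documents")
    if not (po.vendor_id == shipping_slip.vendor_id == invoice.vendor_id):
        exceptions.append("vendor differs across documents")
    if shipping_slip.quantity != po.quantity:
        exceptions.append("shipped quantity differs from PO (incomplete shipment)")
    if invoice.quantity != shipping_slip.quantity:
        exceptions.append("invoiced quantity differs from quantity received")
    if abs(invoice.unit_price - po.unit_price) > 0.005:
        exceptions.append("invoiced unit price differs from PO price")
    return exceptions

# Constructed sample package: the invoice bills 12 units against a PO and receipt of 10.
SAMPLE_PO = Doc("PO-1", "V-100", 10, 25.0)
SAMPLE_SLIP = Doc("PO-1", "V-100", 10, 25.0)
SAMPLE_INVOICE = Doc("PO-1", "V-100", 12, 25.0)

def release_payment(po: Doc, slip: Doc, invoice: Doc, approver: str) -> bool:
    """The check (payment) is released only when every automated control passes."""
    return (approve_purchase_request(approver) and select_vendor(po.vendor_id)
            and not three_way_match(po, slip, invoice))
```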

Page 18: Introduction to Coso & Cobit

COSO OVERVIEW

Page 19: Introduction to Coso & Cobit

•   Control Environment
•   Risk Assessment
•   Control Activities
•   Information and Communication
•   Monitoring

Page 20: Introduction to Coso & Cobit

“Environmental Controls” or “Entity‐Level Controls”

•   Control Environment
•   Risk Assessment
•   Control Activities
•   Information and Communication
•   Monitoring

Page 21: Introduction to Coso & Cobit

•   Sets the tone of an organization, influencing the control consciousness of its people
•   Is the foundation for all other components of internal control
•   Provides discipline and structure
•   Factors include:
 –  The integrity, ethical values and competence of the entity's people;
 –  Management's philosophy and operating style;
 –  The way management assigns authority and responsibility, and organizes and develops its people;
 –  The attention and direction provided by the board of directors.

Page 22: Introduction to Coso & Cobit

•   … sources, through the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed
•   Economic, industry, regulatory and operating conditions will continue to change

Page 23: Introduction to Coso & Cobit

•   Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities
•   “Information systems” (not necessarily technology) produce reports containing operational, financial and compliance‐related information that make it possible to run and control the business
•   Information needs to flow up, down, and across the organization

Page 24: Introduction to Coso & Cobit

•   … effectiveness … monitoring activities, separate …

Page 25: Introduction to Coso & Cobit

•   …
 –  Existence
 –  Completeness
 –  Valuation
 –  Rights & Obligations
 –  Presentation & Disclosure
 –  Reasonableness

Page 26: Introduction to Coso & Cobit

WHY COSO ALONE IS NOT ENOUGH

Page 27: Introduction to Coso & Cobit

[Figure: timeline of the period, Q1 Q2 Q3 Q4, with a single “Application Control Test” marked at one point in it.]

•   Testing application controls only tells you that the control worked for that transaction on that day.
•   How can you get coverage for the whole period?

Page 28: Introduction to Coso & Cobit

•   Change Management
•   User Administration
•   …
•   Physical Environment

Page 29: Introduction to Coso & Cobit

[Figure: layered diagram. Business Processes; Data/Information; Automated Controls and …‐Automated Controls; General Controls.]

Page 30: Introduction to Coso & Cobit

Potential For Significant Problems Exists

[Figure: diagram labelled “Automated Controls”; the rest of the diagram is not recoverable from the extraction.]

Page 31: Introduction to Coso & Cobit

COBIT OVERVIEW

Page 32: Introduction to Coso & Cobit

•   The Framework formerly known as “Control Objectives for Information Technology”
•   Intellectual Property of ISACA® and the IT Governance Institute

ISACA download links for references:

•   COBIT® 5.0 An Introduction
•   COBIT® 4.1
•   IT Control Objectives For Sarbanes‐Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition