COSO Monitoring Project Update, FEI - CFIT Meeting, September 25, 2008
© Grant Thornton
Guidance on Monitoring Internal Control Systems
COSO Monitoring Project Update
FEI - CFIT Meeting, September 25, 2008
Slide 2
Project Overview
Drivers:
• COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control.
• SOX response provided confirmation.
Objectives:
• Help organizations improve the effectiveness and efficiency of their internal control systems.
• Provide practical guidance that illustrates how monitoring can be incorporated into an organization's internal control processes.
Slide 3
Project Overview
Process
– GT authoring team, supported by a large task force
– Last summer: conceptual whitepaper
– This summer: proposed guidance; public comments July to August 15
Content
– Volume I – Guidance – 15 pages
– Volume II – Theory & Application – 54 pages
– Volume III – Practical Examples – 116 pages
Final guidance will be issued shortly, but there are still some minor wording issues "in play".
Slide 4
Guiding Principles
Without monitoring, even good controls deteriorate over time
Slide 5
Organization Structure
Role of Management & The Board
– Management has primary responsibility for the internal control system
– Board should determine that management has fulfilled its obligations
– "Evaluating" controls performed by senior management requires focus and consideration
Characteristics of Evaluators
– Competence – knowledge of control and implications of failure
– Objectivity – perform evaluation without fear of repudiation or personal interest in outcome
Slide 6
Importance of Having A “Baseline”
You have to know that you have good internal controls before you can implement monitoring of those controls & you have to adapt as things change
Slide 7
Design & Execute Monitoring
Slide 8
Persuasive Information (about a control) is . . .
1. Suitable
• Relevant
– Direct
– Indirect
• Reliable
• Timely
2. Sufficient
• Quantity of information – do we have enough to support a conclusion?
[Diagram: three overlapping circles labelled Relevant, Reliable and Timely. The areas outside the full overlap are marked "Need Timely Info", "Need Reliable Info" and "Need Relevant Info"; the central intersection is "Relevant, Reliable & Timely".]
Both require judgment that depends on the level of risk and the control's susceptibility to failure.
Slide 9
Relevance of Information
• Direct information – substantiates control operation through observation and/or re-performance of a given control
• Indirect information – anything other than direct information
  • Only allows the user to infer the continued effective operation of controls
  • Can only influence the type, timing, and extent of monitoring using direct information
Slide 10
Information Technology References & Implications
Volume I – Guidance
• None
Volume II – Theory & Application
• Tools Enabling The Monitoring Process
• Tools That Monitor Controls
Volume III – Practical Examples
• Company-Specific Uses Of IT Tools Used To Monitor Process Risks
• Comprehensive "Example" Of Identifying & Monitoring Controls Over "Common" IT Risks
• Examples Of Common IT Processes That MIGHT Be Considered Monitoring
• Examples Of How Tools Are Used
Slide 11
Tools Enabling The Monitoring Process
Tools to make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable. Example uses:
– Coordinate the risk assessment process
– Provide a repository for documentation
– Enhance the communication process
– Support the "roll-up" of information at various levels and points within an organization
– Provide performance indicators
Slide 12
Tools That Monitor Controls
General Observations
– Typically enhance both efficiency and effectiveness of the monitoring process
– Can be very specific or very broad in terms of the types of controls they help monitor
– Can be a control and simultaneously play a role in monitoring of controls
– Can be independent or be part of the reporting capability of a tool that is functioning as a control
– Apply to both IT processes and application controls
– Do have limitations
Slide 13
Tools That Monitor Controls
• Tools that "monitor" controls typically do so by focusing on one or more of the following:
– Transaction Data
– Conditions
– Changes
– Processing Integrity
– Error Management
Slide 14
Transaction Data
Tools extract processed transactions, master file data, or both, and analyze them against a set of control rules in order to:
– Highlight exceptions and/or anomalies
– Analyze unusual trends in activities, values and volumes
– Compare balances or details between two systems or between distinct parts of a process
Can be an "ad hoc" reporting tool or an integrated application solution or suite
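The following Python script is an added illustration of the three uses listed on this slide; it is not from the COSO guidance, the slides, or any Grant Thornton tool. It runs control rules over payables transactions and a vendor master file, flags an unusual jump in daily volume against the mean of prior days, and compares sub-ledger totals with general-ledger balances. The vendor records, transactions, GL balances, volume history, field names, rules and thresholds are all constructed for the example.

```python
"""Added example, not from the COSO guidance or the slides: a transaction-data
monitoring pass over constructed sample data. It shows rule-based exception
reporting against master file data, trend analysis of volumes, and comparison
of balances between two systems (a payables sub-ledger and the general ledger).
Field names, rules and thresholds are invented for illustration."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed vendor master file: approval status and a per-payment limit.
VENDOR_MASTER = {
    "V100": {"name": "Acme Supplies", "approved": True, "limit": 10_000},
    "V200": {"name": "Globex Corp", "approved": True, "limit": 5_000},
    "V300": {"name": "Initech", "approved": False, "limit": 0},
}

# Constructed payment transactions as the payables sub-ledger recorded them.
AP_TRANSACTIONS = [
    {"id": "T1", "vendor": "V100", "amount": 2_500.00, "approver": "alice", "entered_by": "bob"},
    {"id": "T2", "vendor": "V200", "amount": 7_200.00, "approver": "carol", "entered_by": "dave"},
    {"id": "T3", "vendor": "V300", "amount": 900.00, "approver": "alice", "entered_by": "erin"},
    {"id": "T4", "vendor": "V100", "amount": 4_999.99, "approver": "bob", "entered_by": "bob"},
    {"id": "T5", "vendor": "V100", "amount": 1_200.00, "approver": "carol", "entered_by": "dave"},
]

# Constructed general-ledger balances for the same period, by vendor account.
GL_BALANCES = {"V100": 8_699.99, "V200": 7_200.00, "V300": 0.00}

# Constructed daily payment counts; the last day is an outlier.
DAILY_VOLUME = {
    date(2008, 8, 25): 12, date(2008, 8, 26): 14, date(2008, 8, 27): 11,
    date(2008, 8, 28): 13, date(2008, 8, 29): 12, date(2008, 9, 3): 41,
}


def check_exceptions(transactions, master):
    """Apply control rules to each transaction; return (id, finding) pairs."""
    findings = []
    for t in transactions:
        vendor = master.get(t["vendor"])
        if vendor is None or not vendor["approved"]:
            findings.append((t["id"], "vendor not approved in master file"))
            continue  # the remaining rules presuppose a valid vendor record
        if t["amount"] > vendor["limit"]:
            findings.append((t["id"], "amount exceeds vendor limit"))
        if t["approver"] == t["entered_by"]:
            findings.append((t["id"], "segregation of duties: approver also entered it"))
    return findings


def check_trend(volume_by_day, factor=2.0):
    """Flag days whose volume exceeds `factor` times the mean of all prior days.
    Returns (day, volume, prior mean) triples; the first day has no baseline."""
    flagged = []
    days = sorted(volume_by_day)
    for i, day in enumerate(days[1:], start=1):
        baseline = mean(volume_by_day[d] for d in days[:i])
        if volume_by_day[day] > factor * baseline:
            flagged.append((day, volume_by_day[day], round(baseline, 1)))
    return flagged


def reconcile(transactions, gl_balances, tolerance=0.005):
    """Compare sub-ledger totals per vendor with the GL; return differences larger
    than `tolerance` (a rounding allowance, not a materiality threshold)."""
    sub_ledger = defaultdict(float)
    for t in transactions:
        sub_ledger[t["vendor"]] += t["amount"]
    diffs = {}
    for vendor in set(sub_ledger) | set(gl_balances):
        delta = round(sub_ledger.get(vendor, 0.0) - gl_balances.get(vendor, 0.0), 2)
        if abs(delta) > tolerance:
            diffs[vendor] = delta
    return diffs


if __name__ == "__main__":
    for finding in check_exceptions(AP_TRANSACTIONS, VENDOR_MASTER):
        print("exception:", *finding)
    for day, volume, baseline in check_trend(DAILY_VOLUME):
        print(f"trend: {day} volume {volume} vs prior mean {baseline}")
    for vendor, delta in reconcile(AP_TRANSACTIONS, GL_BALANCES).items():
        print(f"reconciliation: {vendor} sub-ledger minus GL = {delta:+.2f}")
```

On the constructed data the rules flag T2 (over the vendor limit), T3 (unapproved vendor) and T4 (approver entered the item), the trend check flags the 41-payment day against a prior mean of 12.4, and the reconciliation shows the sub-ledger carrying 900.00 for V300 that the GL does not. The reconciliation difference is the interesting one for a monitor: it is indirect information that something between the two systems is not operating as expected, and it tells you where to go and look for direct evidence.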
Slide 15
Conditions
Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources, application systems, or both.
• Work by comparing the configuration information to "baseline" information, a prior analysis, or both, to determine whether it is consistent with the organization's expectations.
• Increase the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis.
• Can be "scanning" or "agent" based
Slide 16
Changes
Tools that identify and report changes to critical resources, data or information:
– Usually operate on a continuous basis (i.e., they are "agent-based")
– Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
– Most likely will be considered a control as well as a method for monitoring controls
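As an added example covering both the "Conditions" slide and the "Changes" slide above (it is not from the COSO guidance, the slides, or any vendor product), the Python below does a scan-style comparison of configuration settings against a baseline, and detects changes to critical files by hashing them and comparing with a stored baseline, then reconciles each detected change with a list of change tickets so that only changes backed by an approved ticket count as authorized. The baseline, the "current" state, the file contents and the tickets are constructed in memory; the setting names and paths are invented.

```python
"""Added example, not from the COSO guidance or the slides: one comparison
helper serving two monitors. check_conditions() reports configuration drift
against a baseline; check_changes() detects changed files by content hash and
splits the changes into authorized (named by an approved change ticket) and
unauthorized. All baselines, current state, file contents and tickets are
constructed sample data."""
import hashlib

# Constructed baseline of expected settings for a database server.
CONFIG_BASELINE = {
    "ssl": "on",
    "log_connections": "on",
    "password_encryption": "scram-sha-256",
    "max_connections": "200",
}

# Constructed result of today's scan of the same server.
CONFIG_CURRENT = {
    "ssl": "off",                 # drifted from baseline
    "log_connections": "on",
    "password_encryption": "scram-sha-256",
    "max_connections": "200",
    "trust_local_logins": "yes",  # setting that the baseline never had
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file-integrity baseline: path -> hash captured when the content
# was last approved.
FILE_BASELINE = {
    "/etc/app/payroll.cfg": sha256_hex(b"rate_table=2008Q3\naudit=on\n"),
    "/opt/app/bin/post_journal": sha256_hex(b"#!/bin/sh\n./post --validate\n"),
    "/etc/app/roles.cfg": sha256_hex(b"admin=alice\n"),
}

# Constructed current content as an agent would read it from disk.
FILE_CURRENT = {
    "/etc/app/payroll.cfg": b"rate_table=2008Q4\naudit=on\n",        # changed
    "/opt/app/bin/post_journal": b"#!/bin/sh\n./post --validate\n",  # unchanged
    "/etc/app/roles.cfg": b"admin=alice\nadmin=mallory\n",           # changed
}

# Constructed change tickets: which paths each ticket covers and its status.
CHANGE_TICKETS = {
    "CHG-1042": {"paths": {"/etc/app/payroll.cfg"}, "status": "approved"},
    "CHG-1050": {"paths": {"/etc/app/roles.cfg"}, "status": "pending"},
}


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Return {key: (expected, actual)} for every key whose value differs, is
    missing from `current`, or appears in `current` but not in the baseline.
    An unexpected addition is treated as drift, not ignored."""
    drift = {}
    for key in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(key), current.get(key)
        if expected != actual:
            drift[key] = (expected, actual)
    return drift


def check_conditions(baseline=CONFIG_BASELINE, current=CONFIG_CURRENT) -> dict:
    """Configuration drift: settings that no longer match the organization's expectations."""
    return diff_against_baseline(baseline, current)


def check_changes(baseline=FILE_BASELINE, current=FILE_CURRENT, tickets=CHANGE_TICKETS) -> dict:
    """Detect changed files and classify each as authorized or not.

    A change is authorized only if an *approved* ticket names the path; a
    pending ticket or no ticket at all leaves it in the unauthorized list for
    follow-up, which is the 'verify as appropriate and authorized' step."""
    current_hashes = {path: sha256_hex(content) for path, content in current.items()}
    changed = diff_against_baseline(baseline, current_hashes)
    approved_paths = set()
    for ticket in tickets.values():
        if ticket["status"] == "approved":
            approved_paths |= ticket["paths"]
    return {
        "authorized": sorted(p for p in changed if p in approved_paths),
        "unauthorized": sorted(p for p in changed if p not in approved_paths),
    }


if __name__ == "__main__":
    for setting, (expected, actual) in check_conditions().items():
        print(f"drift: {setting} expected {expected!r}, found {actual!r}")
    print("changes:", check_changes())
```

Two design points are worth noting. First, the drift check treats a setting the baseline never mentioned as drift rather than ignoring it, because a new permissive setting is exactly what a baseline comparison is meant to surface. Second, the change monitor reports the roles.cfg edit as unauthorized even though a ticket exists for it, because that ticket is still pending; a monitor that accepted any ticket, approved or not, would no longer be independent of the change process it is meant to check.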
Slide 17
Processing Integrity
Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:
– Typically focus on balancing and controlling data as it progresses through processes and systems
– Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
– Most likely will be considered a control as well as a method for monitoring controls
Slide 18
Error Management
Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.
– Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively
– Will almost always be seen as a control activity first
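The Python below is an added example serving both the "Processing Integrity" slide and the "Error Management" slide above; it is not from the COSO guidance, the slides, or any product. It carries control totals (record count and hash total) through a two-step batch, records them as an audit trail, and marks a step as balanced only when what went in equals what came out plus what was diverted to suspense. It then reports the volume and aging of the suspense area. The batch records, the chart of accounts, the cut-off date, the aging threshold and the deliberate posting defect are all constructed for the example.

```python
"""Added example, not from the COSO guidance or the slides: control totals
carried through a two-step batch process (processing integrity) and a monitor
over the suspense area that the validation step writes rejected records to
(error management). Records, accounts, the posting defect, the cut-off date
and the aging threshold are all constructed for illustration."""
from datetime import date

# Constructed input batch. Record 2 has no account and record 4 an unknown
# one, so both should land in suspense; record 4 has also been waiting a while.
INPUT_BATCH = [
    {"id": 1, "account": "4100", "amount": 100.00, "received": date(2008, 9, 20)},
    {"id": 2, "account": "", "amount": 250.00, "received": date(2008, 9, 20)},
    {"id": 3, "account": "4100", "amount": -40.00, "received": date(2008, 9, 21)},
    {"id": 4, "account": "5200", "amount": 75.50, "received": date(2008, 9, 1)},
    {"id": 5, "account": "4100", "amount": 30.00, "received": date(2008, 9, 22)},
]
VALID_ACCOUNTS = {"4100", "4300"}   # constructed chart of accounts
AS_OF = date(2008, 9, 25)           # constructed monitoring cut-off date


def control_totals(records):
    """Record count and hash total (sum of amounts, to the cent) of a batch."""
    return len(records), round(sum(r["amount"] for r in records), 2)


def step_validate(records, suspense):
    """Accept records with a known account; divert the rest to suspense."""
    accepted = []
    for r in records:
        if r["account"] in VALID_ACCOUNTS:
            accepted.append(r)
        else:
            suspense.append({**r, "reason": "unknown account"})
    return accepted


def step_post(records):
    """Constructed defect: posting silently drops negative amounts instead of
    rejecting them, which is the kind of loss a balancing check exists to catch."""
    return [r for r in records if r["amount"] >= 0]


def run_pipeline(batch):
    """Run each step, record totals in, out and diverted to suspense, and mark
    the step balanced only if in == out + diverted. Returns (trail, suspense)."""
    suspense, trail, stage = [], [], batch
    steps = (("validate", lambda rs: step_validate(rs, suspense)), ("post", step_post))
    for name, fn in steps:
        susp_n0, susp_sum0 = control_totals(suspense)
        out = fn(stage)
        susp_n1, susp_sum1 = control_totals(suspense)
        in_n, in_sum = control_totals(stage)
        out_n, out_sum = control_totals(out)
        div_n, div_sum = susp_n1 - susp_n0, round(susp_sum1 - susp_sum0, 2)
        balanced = in_n == out_n + div_n and abs(in_sum - (out_sum + div_sum)) < 0.005
        trail.append({"step": name, "in": (in_n, in_sum), "out": (out_n, out_sum),
                      "to_suspense": (div_n, div_sum), "balanced": balanced})
        stage = out
    return trail, suspense


def monitor_suspense(suspense, as_of, max_age_days=14):
    """Open suspense volume and the ids of items unresolved for longer than
    max_age_days; aged items mean the correct-and-reprocess control is not working."""
    aged = [s["id"] for s in suspense if (as_of - s["received"]).days > max_age_days]
    return {"open": len(suspense),
            "open_amount": round(sum(s["amount"] for s in suspense), 2),
            "aged": aged}


if __name__ == "__main__":
    trail, suspense = run_pipeline(INPUT_BATCH)
    for entry in trail:
        print(entry)
    print(monitor_suspense(suspense, AS_OF))
```

On the constructed batch the validation step balances (5 records in, 3 out, 2 to suspense), while the posting step does not (3 in, 2 out, nothing to suspense), which pinpoints where a record was lost without anyone having to re-add the batch by hand. The suspense monitor then shows two open items totalling 325.50, one of which is 24 days old against a 14-day threshold: the suspense area itself is a control activity, and the aging report is the monitoring that tells you whether the correction step behind it is actually being performed.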
Slide 19
“Continuous Control Monitoring” Tools
• Tools typically complement normal transaction processing by checking transactions or other data for anomalies.
• In most cases, they operate as “control activities” allowing for the identification of control failures and ability to correct errors before they become significant.
• When used as a control, the tool itself should be subject to monitoring.
• Addressing the impact of change is also a key requirement for these tools.
Slide 20
Volume III - Examples
Information Used To Monitor "Common" Controls That Are Relevant To Financial Reporting Risks
– Application Security
– Application Program/Configuration Change Control
– Data Security & Change Control
– Program Testing
– Job Scheduling & Management
– Data Redundancy
Slide 21
Volume III - Examples
Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls
– Access Recertification
– Security Log Monitoring
– Peer/Quality Review Processes
– Change Review Boards
– Post-Implementation Reviews
– Recovery Testing
Questions???