Governance SPICE Model v24 for Trusted Businesses


    Governance Model for Trusted Businesses
    Version: 2.4 | Revision: 1 | Date: 23.09.2011 | Page: 1/71

    Implemented with the financial support of the Commission of the European Communities under the LEONARDO DA VINCI Programme (Project number: LLP-LdV-TOI-2010-HU-001). This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

    Governance Model for Trusted Businesses
    Linking Governance to Sustainable Value Creation

    Deliverable of the Business Process Modelling for Governance SPICE and Internal Financial Control (BPM GOSPEL) Project


    File: Governance SPICE Model v24

    Contents

    1. INTRODUCTION (p. 3)
    1.1 OBJECTIVE (p. 3)
    1.2 PURPOSE OF THE MATERIAL (p. 3)
    1.3 THE BPM GOSPEL PROJECT (p. 3)
    1.4 REFERENCES (p. 5)
    2. GOVERNANCE OBJECTIVES FOR TRUSTED BUSINESSES (p. 6)
    2.1 USING GOVERNANCE CAPABILITY ASSESSMENT (GOVERNANCE SPICE) (p. 6)
    2.2 SCOPE OF THE GOVERNANCE OBJECTIVES (p. 8)
    2.3 SETTING GOVERNANCE OBJECTIVES FOR CONTROLLED BUSINESS OPERATION (p. 9)
    2.3.1 Risk Awareness (p. 9)
    2.3.2 Accountability (p. 10)
    2.3.3 Competency (p. 11)
    2.3.4 Accuracy (p. 12)
    2.3.5 Process Integrity (p. 13)
    2.3.6 Data Protection (p. 14)
    2.3.7 Commitment (p. 15)
    2.3.8 Control Efficiency (p. 16)
    2.4 SETTING GOVERNANCE OBJECTIVES FOR SUSTAINABLE BUSINESS OPERATION (p. 17)
    2.4.1 Competitiveness (p. 17)
    2.4.2 Exploitability (p. 18)
    2.4.3 Satisfaction (p. 19)
    3. GOVERNANCE PROCESSES FOR TRUSTED BUSINESSES (p. 20)
    3.1 GOVERNANCE OF CONTROLLED BUSINESS OPERATION APPLICATION CATEGORY (p. 20)
    3.1.1 Control Risks (p. 21)
    3.1.2 Control Management (p. 25)
    3.1.3 Control Competence (p. 29)
    3.1.4 Information Reliability (p. 33)
    3.1.5 Process Control (p. 37)
    3.1.6 Data Protection (p. 41)
    3.1.7 Integrity Assurance (p. 46)
    3.1.8 Control Efficiency (p. 51)
    3.2 GOVERNANCE OF SUSTAINABLE BUSINESS OPERATION APPLICATION CATEGORY (p. 55)
    3.2.1 Competitive Operation (p. 56)
    3.2.2 Exploitable Operation (p. 60)
    3.2.3 Satisfactory Operation (p. 64)
    3.3 LINKING GOVERNANCE PROCESSES TO SUSTAINABLE VALUE CREATION (p. 67)
    4. APPLICABILITY FOR OUTSOURCING SERVICE ORGANIZATIONS (p. 69)
    4.1 NEED FOR REPORTING ON SERVICE ORGANIZATIONS' CONTROLS (p. 69)
    4.2 REPORT ON CONTROLS AT A SERVICE ORGANIZATION RELEVANT TO USER ENTITIES' INTERNAL CONTROL OVER FINANCIAL REPORTING (p. 69)
    4.3 REPORT ON CONTROLS AT A SERVICE ORGANIZATION RELEVANT TO SECURITY, AVAILABILITY, PROCESSING INTEGRITY, CONFIDENTIALITY OR PRIVACY (p. 70)
    4.4 USE OF GOVERNANCE MODEL BY SERVICE MANAGEMENT (p. 71)


    1. Introduction

    1.1 Objective

    The objective of this material is to provide governance-objective-based process descriptions, with practices, as special application areas of Enterprise Governance, using the COSO [1], COBIT [2] and Enterprise SPICE [3] models in a format that is conformant with the ISO/IEC 15504 Process Assessment standard (currently transitioning to ISO/IEC 33001-99) [4] and applicable both to management assertions and audit reports on the design and operating effectiveness of internal controls over financial reporting, and to providing assurance of trusted and sustainable business operation.

    1.2 Purpose of the material

    This material will be used as a training and knowledge-sharing resource exploited by the BPM GOSPEL project consortium members and made available via the public internet site (www.governancecapability.com) for governance system implementation, skill self-assessment and process assessment exercises.

    1.3 The BPM GOSPEL project

    The objective of the BPM GOSPEL - Business Process Modelling for Governance SPICE and Internal Financial Control - project (2010-2012) is the transfer of already proven innovation from Germany to Hungary, where the existing results of the IA-Manager (2005-2007) and MONTIFIC (2008-2010) training development projects are further enriched by the adapted "Stages" process management platform (see: www.methodpark.com/en/product.html) for multi-layer Business Process Modelling (BPM). The project aims to provide ready-to-use scenarios for enterprises and best practice cases for teaching and learning in vocational trainings demanded by both sides of the labour market.

    Implemented BPM layers are presented below:

    Figure 1: Implemented layers for Business Process Modelling (BPM GOSPEL)


    This Governance Model - as a key conceptual deliverable of the BPM GOSPEL project - provides reference processes for mapping operational management to compliance and audit management implemented by the Stages platform. The best practice case studies aim to present all the above layers in different instances.

    Adding business-driven case studies to training programmes (like www.training.ia-manager.org) supports understanding of the competencies needed and the best practices relevant for business practitioners. Employers are interested in on-the-job trainings where the acquired skills and knowledge can be directly tested and certified by applying the offered methodology and tools in a live environment.

    The platform system "Stages" is adapted as a multi-layer BPM master example for teaching and even "coaching" the practical implementation of internal financial controls with IT support, as applied by private and public sector companies following internationally recognized control frameworks like COSO and COBIT and the related assessment (audit) approach (Governance SPICE).

    The BPM GOSPEL Project Partnership

    Prime Contractor: Budapest Business School
    Country: HU-Hungary
    Homepage: www.bgf.hu
    Contact Persons: József ROÓZ, rector emeritus; László VARGA, project manager
    Address: Markó utca 29-31, H-1055 Budapest
    Telephone: +36 1 301 3427
    Fax: +36 1 301 3431
    E-mail: [email protected]

    Project Coordinator: Memolux Ltd. / Trusted Business Partners Ltd
    Country: HU-Hungary
    Homepages: www.memolux.hu, www.trustedbusinesspartners.hu
    Contact Person: János IVANYOS
    Address: Keleti K. u 46, H-1024 Budapest
    Telephone: +36 2 0941 7075
    E-mail: [email protected]

    Partners:

    Gemma Ltd.
    Country: HU-Hungary
    Homepage: www.gemma.hu

    Method Park Software AG
    Country: DE-Germany
    Homepage: www.methodpark.de

    International Software Consulting Network - ISCN Ltd.
    Country: IE-Ireland
    Homepage: www.iscn.com

    See more details at: www.ia-manager.org and http://www.adam-europe.eu/adam/project/view.htm?prj=6635


    1.4 References

    [1] Internal Control over Financial Reporting: Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.

    [2] Control Objectives for Information and related Technology - COBIT 4.1. Copyright 2007 by the IT Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA. All rights reserved.

    [3] Enterprise SPICE - An Integrated Model for Enterprise-wide Assessment and Improvement. Technical Report, Issue 1, September 2010. Copyright The SPICE User Group 2010.

    [4] ISO/IEC 15504-1:2004 Information technology -- Process assessment -- Part 1: Concepts and vocabulary;
        ISO/IEC 15504-2:2003 Information technology -- Process assessment -- Part 2: Performing an assessment;
        ISO/IEC 15504-2:2003/Cor 1:2004;
        ISO/IEC 15504-3:2004 Information technology -- Process assessment -- Part 3: Guidance on performing an assessment;
        ISO/IEC 15504-4:2004 Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination.

    [5] J. Ivanyos, J. Roóz and R. Messnarz, Governance Capability Assessment: Using ISO/IEC 15504 for Internal Financial Controls and IT Management, in: The MONTIFIC Book, MONTIFIC-ECQA Joint Conference Proceedings, 2010.

    [6] Trust Services Principles, Criteria, and Illustrations. Copyright 2009 by the American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.

    [7] Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Copyright 2010 American Institute of Certified Public Accountants, Inc., New York, NY 10036-8775.

    [8] Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). Copyright 2011, American Institute of Certified Public Accountants, Inc. All rights reserved.


    2. Governance Objectives for Trusted Businesses

    2.1 Using Governance Capability Assessment (Governance SPICE)

    The term Governance Capability Assessment [5] is used in the context of Governance, Risk Management and Internal Control processes and builds on several concepts:

    Corporate Governance Principles (OECD)

    Recognized Control Frameworks and Reference Models (like COSO, COBIT, Enterprise SPICE, etc.)

    Risk Tolerance and Risk Appetite (as of COSO ERM)

    Performance Measurement (as of COBIT)

    Process Capability Assessment (ISO/IEC 15504-2:2003)

    Evaluating Process-related Risk (ISO/IEC 15504-4:2004)

    Organizational Maturity (ISO/IEC TR 15504-7:2008)

    Governance Capability is the COSO objective-category based characterization of the ability of a process to meet current or projected business goals:

    Figure 2: Implementing Governance Capability Levels


    Internal and external audit standards (like IIA and ISA) recommend system-based evaluation of existing internal controls against internationally recognized control frameworks like COSO (Internal Control - Integrated Framework) and COBIT (Control Objectives for Information and related Technology). The contents of these frameworks are applicable for setting up Process Reference Models in compliance with ISO/IEC 15504-2 requirements.

    Figure 3 presents the general concept of how the ISO/IEC 15504 capability measurement is applicable for assessing governance systems that implement the most acknowledged control frameworks, such as COSO and COBIT. The 3 dimensions presented are those derived from the COSO enterprise risk management and internal control models:

    Management supervision and control of business processes and activities

    Governance processes supporting the design and operation of internal control system

    Objective categories measuring achievement of entity-level and operational goals

    Figure 3: Governance SPICE Model

    The COSO and COBIT based Process Reference Models, associated with the process attributes defined in ISO/IEC 15504-2, provide a common basis for performing assessments of governance capability regarding internal controls and for reporting the results using a common rating scale. ISO/IEC 15504 offers not only a transparent method for assessing the performance of the relevant governance processes, but also tools for assessing control risk areas based on the gaps between target and assessed capability profiles.


    2.2 Scope of the Governance Objectives

    The well-established and recognized control frameworks and process reference models could be used for effective and efficient enterprise governance, if only management established its own governance-related objectives. Unfortunately, the structures of control frameworks and reference models are not easily interpretable by enterprise management for setting their business-specific governance objectives. Furthermore, the external and internal audit standards and literature are also not really supportive in these terms.

    The Governance Model keeps both enterprise management and audit assurance logics in mind by presenting governance processes in line with the objectives relevant for enterprise management, together with an exact mapping to processes of control frameworks (reference models) accepted and used by auditors for compliance attestation.

    The reference to applicable ISO/IEC 15504 conformant processes allows management and auditors to use governance capability profiles in the context of the governance objectives.

    The Governance Model interprets the following governance objectives for determining governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles [6]:

    Supporting the Organization's Internal Control System:

    Risk Awareness
    Accountability
    Competency
    Accuracy
    Process Integrity
    Data Protection
    Commitment
    Control Efficiency

    Supporting Business Sustainability:

    Competitiveness
    Exploitability
    Satisfaction

    Governance Capability Levels and the related Process Attributes for processes supporting the above objectives as application practices can be applied as qualitative and quantitative measures for setting affordable, enterprise-specific requirements (risk appetite) relevant for achieving the business goals within a tolerable deviation (risk tolerance).

    The Governance Model provides descriptions and application practices of governance processes for management assertions and audit reports on the design and operating effectiveness of internal controls over financial reporting and for providing assurance of trusted and sustainable business operation.

    As the rationale for the Governance Model structure, the following parts present the governance objectives by determining the relevant key risks and risk factors. The risk responses should be decided by enterprise management as adequate applications of the referenced (COSO, COBIT and Enterprise SPICE) processes at the defined governance capability levels.


    2.3 Setting Governance Objectives for Controlled Business Operation

    2.3.1 Risk Awareness

    Key Risk: Relevant governance risks are not considered

    Risk Factor: Governance objectives for business processes are inadequately established
    Response: Management sets clearly defined objectives for governance, including risk tolerance and risk appetite
    Applicable COSO process: Governance (Financial Reporting) Objectives (COSO)
    Application Practice: Management specifies governance objectives relevant for financial reporting and trusted business operation with sufficient clarity and criteria to enable the identification of risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation.

    Risk Factor: Inconsistency in risk assessment
    Response: Risk assessments are periodically performed by considering the time horizon of the governance objectives, risk tolerance and risk appetite
    Applicable COSO process: Governance (Financial Reporting) Risks (COSO)
    Application Practice: The organization identifies and analyses risks to the achievement of governance objectives relevant for the organization's financial reporting and trusted business operation as a basis for determining how the risks should be managed.

    Risk Factor: Risks relevant for the organization's internal control system are not addressed
    Response: Control activities are developed by reflecting all assertions relevant for the organization's internal control system
    Applicable COSO process: Integration with Risk Assessment (COSO)
    Application Practice: Actions are taken to address risks to the achievement of governance objectives relevant for financial reporting and trusted business operation.


    2.3.2 Accountability

    Key Risk: Management is unable to control business processes

    Risk Factor: No consistent or properly communicated policies and procedures
    Response: Policies and procedures are maintained and used in operation
    Applicable COSO process: Policies and Procedures (COSO)
    Application Practice: Governance policies related to reliable financial reporting and trusted business operation are established and communicated throughout the organisation, with corresponding procedures resulting in management directives being carried out.

    Risk Factor: Management structure is inadequate
    Response: Roles and responsibilities are identified
    Applicable COSO process: Authority and Responsibility (COSO)
    Application Practice: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting and trusted business operation.

    Risk Factor: Management attitude is not exemplary
    Response: Management takes stimulating behaviour
    Applicable COSO process: Management's Philosophy and Operating Style (COSO)
    Application Practice: Management's philosophy and operating style support achieving effective internal control over financial reporting and trusted business operation.


    2.3.3 Competency

    Key Risk: Staff is unable to perform control tasks

    Risk Factor: Lack of skilled staff
    Response: Recruitment, compensation and training activities are performed systematically
    Applicable COSO process: Human Resources (COSO)
    Application Practice: Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting and trusted business operation.

    Risk Factor: Staff members do not know procedures and processing requirements
    Response: Staff members are continually informed, feedbacks are periodically reviewed
    Applicable COSO process: Internal Communication (COSO)
    Application Practice: Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

    Risk Factor: Changes of skills requirements
    Response: Adequate human resource practices are determined and used
    Applicable COSO process: Governance (Financial Reporting) Competencies (COSO)
    Application Practice: The organization retains individuals competent in relation to the organization's business operation, financial reporting and related oversight roles.


    2.3.4 Accuracy

    Key Risk: Inconsistency in data architecture and disclosure elements

    Risk Factor: Information architecture is inconsistent with processing requirements
    Response: Maintaining effective information architecture and data model
    Applicable COSO/COBIT process: Define the Information Architecture (COBIT)
    Application Practice: Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes.

    Risk Factor: Non-compliance with rules and regulations is not detected in time
    Response: Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud
    Applicable COSO/COBIT process: Governance (Financial Reporting) Information (COSO)
    Application Practice: Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization's financial reporting and trusted business operation objectives.

    Risk Factor: Availability and quality of control information are not sufficient
    Response: Control information for automated process settings, data manipulations and calculations is maintained systematically
    Applicable COSO/COBIT process: Internal Control Information (COSO)
    Application Practice: Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.


    2.3.5 Process Integrity

    Key Risk: Defective process level controls

    Risk Factor: Process performance is wholly dependent on key staff
    Response: Control activities over access, amendments, adjustments and other usage of business information are maintained systematically
    Applicable COSO process: Selection and Development of Control Activities (COSO)
    Application Practice: Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting and trusted business operation objectives.

    Risk Factor: Data processing and process automation controls malfunction
    Response: Application and general IT controls are maintained and evaluated systematically
    Applicable COSO process: Information Technology (COSO)
    Application Practice: Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting and trusted business operation objectives.

    Risk Factor: Failures of detecting errors and reacting to incidents
    Response: Process performance metrics are collected and evaluated
    Applicable COSO process: Ongoing and Separate Evaluations (COSO)
    Application Practice: Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting and trusted business operation is present and functioning.


    2.3.6 Data Protection

    Key Risk: Unauthorized access to and misuse of confidential data

    Risk Factor: System security and confidentiality failures
    Response: Preventive controls maintained to avoid system security incidents
    Applicable COSO/COBIT/GAPP process: Ensure Systems Security (COBIT)
    Application Practice: Satisfy the business requirement of maintaining the confidentiality, integrity and availability of information and the processing infrastructure aligned to business needs and minimising the impact of security vulnerabilities.

    Risk Factor: Intentional misuse of data
    Response: Anti-fraud management program maintained
    Applicable COSO/COBIT/GAPP process: Fraud Risks (COSO)
    Application Practice: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting and trusted business operation objectives.

    Risk Factor: Breaching privacy requirements
    Response: Active policies and procedures are in place to ensure privacy requirements
    Applicable COSO/COBIT/GAPP process: Generally Accepted Privacy Principles (AICPA/CICA)
    Application Practice: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).


2.3.7 Commitment

Key Risk: Business integrity is not respectable

Risk Factor: No commitment to ethical values
Response: Ethical values are not articulated or followed
Applicable process: Integrity and Ethical Values (COSO)
Application Practice: Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting and trusted business operation.

Risk Factor: Interruption of information and communication systems
Response: Active policies and procedures are in place to ensure business continuity
Applicable process: Ensure Continuous Service (COBIT)
Application Practice: Satisfy the business requirement of ensuring minimal business impact in the event of an IT service interruption.

Risk Factor: External feedback and opinions are not considered
Response: Information from external parties is collected and reviewed systematically
Applicable process: External Communication (COSO)
Application Practice: Matters affecting the achievement of the financial reporting and trusted business operation objectives are communicated with outside parties.


2.3.8 Control Efficiency

Key Risk: Inefficient usage of control resources

Risk Factor: Inadequate structures for control operation and reporting
Response: Management maintains adequate organizational structure and reporting lines
Applicable COSO process: Organizational Structure (COSO)
Application Practice: The entity's organizational structure supports effective internal control over financial reporting and trusted business operation.

Risk Factor: Operation and reporting of controls don't provide sufficient evidence to assess the effectiveness of the internal control system
Response: Oversight activities ensure periodic assessment of governance capabilities
Applicable COSO process: Oversight Board (COSO)
Application Practice: The oversight board understands and exercises oversight responsibility related to trusted business operation, financial reporting and related internal control.

Risk Factor: Necessary corrective actions are not taken in time
Response: Management reviews control deficiencies and actions taken
Applicable COSO process: Reporting Deficiencies (COSO)
Application Practice: Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to the management and the oversight board as appropriate.


2.4 Setting Governance Objectives for Sustainable Business Operation

2.4.1 Competitiveness

Key Risk: Losing market

Risk Factor: Business objectives do not reflect changes in the economic environment
Response: Business goals and targets are systematically maintained
Applicable Enterprise SPICE process: Enterprise Governance (ESPICE)
Application Practice: The organization applies practices to establish strategic enterprise direction and ensure the enterprise achieves its goals and objectives.

Risk Factor: Market needs are not respected
Response: Improvements of product or service features are considered periodically
Applicable Enterprise SPICE process: Needs (ESPICE)
Application Practice: The organization applies practices to elicit, analyze, clarify, and document evolving customer and other stakeholder needs and expectations.

Risk Factor: Business proposals are not convincing
Response: Improvement of proposal preparation
Applicable Enterprise SPICE process: Tendering (ESPICE)
Application Practice: The organization applies practices to identify, select and bid for acquirer requests for information, quotations and proposals based on decisions that appropriately consider customer needs, risks, organizational abilities and competitor capabilities.


2.4.2 Exploitability

Key Risk: Opportunities are not exploited

Risk Factor: Necessary investments are not taken
Response: Investment needs and potentials are considered systematically
Applicable Enterprise SPICE process: Investment Management (ESPICE)
Application Practice: The organization applies practices to ensure that the organization realizes optimal value from strategically aligned business investments at an affordable cost with a known and acceptable level of risk.

Risk Factor: Management inefficiently uses resources
Response: Systematic project management practices applied
Applicable Enterprise SPICE process: Project Management (ESPICE)
Application Practice: The management applies practices to ensure the business projects achieve their objectives within given resource constraints by initiating, planning, executing, monitoring, controlling and closing the project activities and resources.

Risk Factor: Product or service quality is not ensured
Response: Systematic quality management practices applied
Applicable Enterprise SPICE process: Quality Assurance and Management (ESPICE)
Application Practice: The organization applies practices to assure the quality of the product or service and of the processes used, and provide management with appropriate visibility into all relevant quality aspects.


2.4.3 Satisfaction

Key Risk: Losses due to customer dissatisfaction

Risk Factor: Requirements are not established adequately
Response: Requirements are established based on customer needs
Applicable Enterprise SPICE process: Requirements (ESPICE)
Application Practice: The organization applies practices to develop a detailed and precise set of requirements that meet customer needs and expectations and manage those requirements throughout the life cycle.

Risk Factor: Ineffective business relationship management
Response: Business relationship management is maintained
Applicable Enterprise SPICE process: Business Relationship Management (ESPICE)
Application Practice: The organization applies practices to establish and maintain a mutually satisfying relationship between the product or service supplier and the business partner based on understanding the business partner and its business drivers.

Risk Factor: Product or service delivery default
Response: Monitoring based on agreed service levels
Applicable Enterprise SPICE process: Operation and Support (ESPICE)
Application Practice: The organization applies practices to operate the product or service at agreed service levels and support its users.


    3. Governance Processes for Trusted Businesses

    3.1 Governance of Controlled Business Operation Application Category

The Governance of Controlled Business Operation application category focuses on how effectively enterprise governance applies the Internal Control (COSO 2006) Principles together with the Security, Availability, Processing Integrity, Confidentiality and Privacy Principles.

Eight processes relate to the Governance of Controlled Business Operation application category:

- Control Risks: The organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in the management of business operation.
- Control Management: The management of the organization is able to control business processes in a way which is adequate to the objectives of internal control over financial reporting and trusted business operation.
- Control Competence: Sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation are available and used.
- Information Reliability: Data architecture and disclosure elements relevant for financial reporting objectives and trusted business operation, and for supporting data processing integrity, are accurate and consistent.
- Process Control: Design and operation of process-level controls relevant to the objectives of financial reporting and trusted business operation, and to the processing integrity principle, are effective.
- Data Protection: The organization and its staff are committed to the security, confidentiality and privacy principles to avoid unauthorized access to and misuse of confidential data affected by business operation.
- Integrity Assurance: The organization and its staff are committed to complying with ethical and business integrity requirements relevant to the objectives of financial reporting and trusted business operation, and to the availability principle.
- Control Efficiency: Efficient usage of control resources relevant to the objectives of financial reporting and trusted business operation.


3.1.1 Control Risks

Process ID: GOV.CR

Process Name: Control Risks

Process Purpose: The purpose of the Control Risks process is to ensure that the organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in the management of business operation.

NOTE 1: The Control Risks process is a special application of the COSO 2006 model in the context of the Risk Awareness governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.

NOTE 2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.

Process Outcomes: As a result of successful implementation of the Control Risks process:

1) Governance objectives relevant for financial reporting and trusted business operation are established.
2) Risk assessments are performed consistently.
3) The organization's internal controls are integrated with risks to the achievement of the organization's objectives relevant for financial reporting and trusted business operation.

Application practices:

AP01 Establish governance objectives for financial reporting and trusted business operation. Management specifies governance objectives relevant for financial reporting and trusted business operation with sufficient clarity and criteria to enable the identification of risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation. [Outcome: 1]

NOTE 1: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Objectives process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.RA.FRO.BP1 Identify Management Assertions. To identify relevant management assertions, management starts with the governance reports, including disclosures, and identifies significant governance objectives, based on management's estimate of materiality. For each governance report and disclosure management then identifies relevant assertions, underlying transactions and events, and processes supporting these governance objectives.

IFC.RA.FRO.BP2 Consider the Range of Assessment Activities. Management, with oversight board review, considers the range of the organization's activities to assess whether all are appropriately captured in the governance reports, and considers whether the governance reports appropriately communicate economic reality to readers in a useful form.

IFC.RA.FRO.BP3 Compare Governance Policies. Management compares the governance principles adopted for the organization to those used by companies of similar size and industry. Management also compares the content and level of detail in the organization's governance reports to those organizations' reports. Significant variations are considered by management and summarized for board review.

AP02 Perform consistent risk assessment. The organization identifies and analyses risks to the achievement of governance objectives relevant for the organization's financial reporting and trusted business operation as a basis for determining how the risks should be managed. [Outcome: 2]

NOTE 2: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Risks process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.RA.FRR.BP1 Apply Risk Identification Process. Management's risk identification process includes identifying:

- Relevant management assertions for each significant governance objective.
- Business processes and business units supporting governance objectives and disclosures.
- Information technology (IT) systems supporting key business processes relevant to governance objectives.

IFC.RA.FRR.BP2 Map Controls. Management maps its controls to the five internal control components, with headers that list the activity's control objectives and risks. This approach targets activities that might generate governance errors.

IFC.RA.FRR.BP3 Interact with External Parties. As part of an organisation's risk identification, management interacts with external parties that may affect the reliability of governance reporting, including suppliers, investors, creditors, shareholders, employees, customers, intermediaries, and industry peers.

IFC.RA.FRR.BP4 Consider External Factors. Management considers external factors that impact its ability to achieve its governance objectives, such as economic, competitive, and industry conditions; regulatory and political environment; and changes in technology, supply sources, customer demands, or creditor requirements. Management also considers how internal factors and changes in them impact the organisation's ability to achieve its governance objectives. These include governance report characteristics, business process characteristics, and entity-wide factors.

IFC.RA.FRR.BP5 Update Risk Assessments. Management updates risk assessments periodically (e.g. on a quarterly basis), considering:

- Newly identified risks determined to be significant.
- Escalation of previously identified risks to higher relevance.
- The status of action plans to mitigate significant risks.

This risk assessment evaluates risk based on the potential impact and likelihood of risks. The resulting assessment is used as a key input in determining required control activities.

IFC.RA.FRR.BP6 Meet with Relevant Personnel. Key governance personnel meet on a regular basis with:

- Executive management to identify new initiatives, commitments, and activities affecting risks to financial reporting and trusted business operation.
- Information technology personnel to monitor changes in information technology that may affect risks related to financial reporting and trusted business operation.
- Human resources staff to identify and assess how changes in the workforce may affect competencies needed for internal control over financial reporting and trusted business operation.
- Legal counsel to stay abreast of legal/regulatory changes.

AP03 Address risks relevant for financial reporting and trusted business operation. Actions are taken to address risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation. [Outcome: 3]

NOTE 3: This practice is implemented by performing practices of the COSO 2006 Integration with Risk Assessment process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CA.IRA.BP1 Consider Entity-Wide Controls. Management considers entity-wide controls that are pervasive across the organisation when considering whether control activities are sufficient to address identified risks.

IFC.CA.IRA.BP2 Use Workshops to Identify and Evaluate Controls. Management uses workshops to identify appropriate control activities for each identified risk to a governance objective and to train its employees in the proper implementation of control activities.

IFC.CA.IRA.BP3 Use Matrices to Identify and Evaluate Controls. Management uses risk/control matrices developed in the process of assessing risks and designing controls in each business process to perform a gap analysis that evaluates the need for any additional controls that might be needed to mitigate risks to the achievement of governance objectives.

IFC.CA.IRA.BP4 Use an Inventory of Controls to Identify and Evaluate Controls. Management uses a register or software that provides an inventory of controls typically aligned to specified risks to financial reporting and trusted business operation.

IFC.CA.IRA.BP5 Use independent assessment of outsourcing service providers' internal control over processing transactions for the user organization. When outsourcing all or a portion of its function related to financial reporting and trusted business operation, the CFO or CGO obtains an independent assessment report (like SOC 1 Type II) or undertakes procedures to assess controls in place for the initiation, recording, and processing of significant classes of transactions at the third-party outsourcer.
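The risk/control matrix gap analysis (IFC.CA.IRA.BP3) and the impact-and-likelihood scoring with periodic re-assessment (IFC.RA.FRR.BP5) described above, as an added Python example; it is not part of the GOSPEL model or of COSO 2006, and the 1..5 scoring scale, the data model, the preventive/detective flag and the sample risks and controls are constructed assumptions.

```python
"""Risk/control matrix gap analysis: added example, not part of the GOSPEL model or COSO 2006.
Assumed: risks are scored impact x likelihood on a 1..5 scale (the model only says both are
evaluated); a control covers a risk when the matrix lists it for that risk."""
from dataclasses import dataclass, replace

# The five COSO internal control components used as matrix headers (IFC.RA.FRR.BP2).
COSO_COMPONENTS = frozenset({"Control Environment", "Risk Assessment", "Control Activities",
                             "Information and Communication", "Monitoring"})


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: int       # 1 (negligible) .. 5 (material misstatement); assumed scale
    likelihood: int   # 1 (remote) .. 5 (almost certain); assumed scale

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.risk_id}: impact and likelihood must be 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    control_id: str
    component: str       # COSO component the control belongs to
    preventive: bool     # False means the control is detective
    risk_ids: frozenset  # risks the matrix maps this control to

    def __post_init__(self):
        if self.component not in COSO_COMPONENTS:
            raise ValueError(f"{self.control_id}: unknown COSO component {self.component!r}")


def gap_analysis(risks, controls, threshold):
    """IFC.CA.IRA.BP3: risks at or above `threshold` with no mapped control, highest score first."""
    covered = frozenset().union(*(c.risk_ids for c in controls))
    gaps = [r for r in risks if r.score >= threshold and r.risk_id not in covered]
    return sorted(gaps, key=lambda r: (-r.score, r.risk_id))


def detective_only(risks, controls):
    """IFC.CA.PP.BP2 check: risks whose mapped controls are all detective (no preventive one)."""
    result = []
    for r in risks:
        mapped = [c for c in controls if r.risk_id in c.risk_ids]
        if mapped and not any(c.preventive for c in mapped):
            result.append(r)
    return result


def update_assessment(risks, reassessed):
    """IFC.RA.FRR.BP5: apply new (impact, likelihood) pairs; return (updated, escalated risks)."""
    updated, escalated = [], []
    for r in risks:
        if r.risk_id in reassessed:
            impact, likelihood = reassessed[r.risk_id]
            new = replace(r, impact=impact, likelihood=likelihood)
            if new.score > r.score:
                escalated.append(new)
            r = new
        updated.append(r)
    return updated, escalated


# Constructed sample matrix; the values are illustrative, not taken from the model.
RISKS = [
    Risk("R1", "Revenue recognised in the wrong period", impact=5, likelihood=3),
    Risk("R2", "Unauthorised access to confidential data", impact=4, likelihood=4),
    Risk("R3", "Errors in outsourced payroll processing", impact=4, likelihood=3),
    Risk("R4", "Month-end close depends on one key person", impact=3, likelihood=4),
]
CONTROLS = [
    Control("C1", "Control Activities", True, frozenset({"R1"})),   # period cut-off review
    Control("C2", "Monitoring", False, frozenset({"R1", "R4"})),    # close-metrics review
    Control("C3", "Control Activities", True, frozenset({"R2"})),   # access provisioning
]


def run_example(threshold=10):
    """Run the three analyses over the sample matrix and return the affected risk ids."""
    updated, escalated = update_assessment(RISKS, {"R3": (4, 4), "R4": (3, 2)})
    return {
        "gaps": [r.risk_id for r in gap_analysis(RISKS, CONTROLS, threshold)],         # ['R3']
        "detective_only": [r.risk_id for r in detective_only(RISKS, CONTROLS)],        # ['R4']
        "escalated": [r.risk_id for r in escalated],                                   # ['R3']
        "gaps_after_update": [r.risk_id for r in gap_analysis(updated, CONTROLS, threshold)],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

R3 is reported as a gap because no control is mapped to it, R4 is flagged because its only control is detective, and the re-assessment escalates R3 while R4 drops below the threshold.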

Relationship Notes: The relationships between the Control Risks process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.

Sources: COSO 2006: IFC.RA.FRO Financial Reporting Objectives, IFC.RA.FRR Financial Reporting Risks, IFC.CA.IRA Integration with Risk Assessment

References: Internal Control over Financial Reporting Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.

Work Products:

Inputs:
- Governance Policies and Procedures [Outcomes: 1, 2]
- Governance Objectives [Outcomes: 1, 2]
- Management assertions [Outcome: 2]
- Organizational Structure [Outcome: 2]
- Related Business Activities [Outcome: 2]
- Related IT Systems [Outcome: 2]
- Governance Competencies [Outcome: 2]
- Skill Assessment Reports [Outcome: 2]
- Risk and Control Documentation [Outcomes: 2, 3]
- Outsourcing Assessment Report [Outcome: 3]

Outputs:
- Governance Objectives [Outcome: 1]
- Related Business Activities [Outcome: 1]
- Review Records [Outcome: 1]
- Management assertions [Outcome: 1]
- Risk and Control Documentation [Outcomes: 2, 3]
- Risk Assessment Reports [Outcome: 2]
- Inventory of Controls [Outcome: 3]

Note: The performance indicators above, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered as a starting point for judging whether, given the application context, they contribute to the intended purpose of the process, not as a compulsory checklist of what every organization must have.


3.1.2 Control Management

Process ID: GOV.CM

Process Name: Control Management

Process Purpose: The purpose of the Control Management process is to ensure that the management of the organization is able to control business processes in a way which is adequate to the objectives of internal control over financial reporting and trusted business operation.

NOTE 1: The Control Management process is a special application of the COSO 2006 model in the context of the Accountability governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.

NOTE 2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.

Process Outcomes: As a result of successful implementation of the Control Management process:

1) Policies and procedures relevant for the governance objectives of financial reporting and trusted business operation are consistently implemented and communicated.
2) The management structure is adequate to internal control over financial reporting and trusted business operation.
3) Management takes stimulating behaviour in support of internal control over financial reporting and trusted business operation.

Application practices:

AP01 Establish governance policies and procedures relevant for the governance objectives of financial reporting and trusted business operation. Governance policies related to reliable financial reporting and trusted business operation are established and communicated throughout the organisation, with corresponding procedures resulting in management directives being carried out. [Outcome: 1]

NOTE 1: This practice is implemented by performing practices of the COSO 2006 Policies and Procedures process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CA.PP.BP1 Develop and Document Policies and Procedures. Management develops and documents policies and procedures for all significant financial reporting and trusted business operation related activities using various formats such as narratives, flowcharts, and control matrices.

IFC.CA.PP.BP2 Consider Preventative and Detective Controls. Management includes both preventative and detective controls within each process, using process maps, narratives, spreadsheets, or other mechanisms to document and communicate the control activities.

IFC.CA.PP.BP3 Develop Policies for Entity-Wide Application. Central management develops policies for areas that have entity-wide application, such as its code of conduct, delegation of authority, safeguarding of assets, and so forth. In addition, management develops policies at the business unit level that support and align with entity-wide policies.

AP02 Assign governance roles and responsibilities. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting and trusted business operation. [Outcome: 2]

NOTE 2: This practice is implemented by performing practices of the COSO 2006 Authority and Responsibility process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CE.AR.BP1 Define Objectives and Responsibilities. Management sets forth clear business and management objectives and position descriptions to reinforce management's responsibility for effective internal control over financial reporting and trusted business operation.

IFC.CE.AR.BP2 Review Key Positions. For key financial reporting and trusted business operation positions, the oversight board reviews management's descriptions of the positions' responsibilities and authorities, and considers how those positions affect the strength of internal control over financial reporting and trusted business operation, calling for re-evaluation where needed.

IFC.CE.AR.BP3 Assign Authorities and Responsibilities. In assigning authorities and responsibilities, management considers the impact on the effectiveness of the control environment and the importance of maintaining effective segregation of duties. Management establishes an appropriate balance between the authority needed to get the job done and the need to maintain adequate internal control over key processes.

IFC.CE.AR.BP4 Empower Employees. Management empowers employees to correct problems or implement improvements in their assigned business processes as necessary, balanced with appropriate monitoring of performance.

IFC.CE.AR.BP5 Align Positions with Responsibilities and Authorities. Management considers the nature of employee positions within the organization when assigning responsibilities to individuals or determining certain levels of authority for positions.

AP03 Management takes stimulating behaviour. Management's philosophy and operating style support achieving effective internal control over financial reporting and trusted business operation. [Outcome: 3]

NOTE3: This practice is implemented by performing practices of the COSO 2006 Management's Philosophy and Operating Style process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CE.MPO.BP1 Emphasize Risk Mitigation. Management emphasizes the importance of minimizing risks related to financial reporting and trusted business operation in its interactions with others involved in the financial reporting and trusted business operation process, and through its dealings with customers, suppliers or distributors, and employees.

IFC.CE.MPO.BP2 Emphasize Processing Requirements. The organisation's operating philosophy requires that all journal entries, including those reflecting assumptions and estimates, be properly authorized, supported by adequate documentation and subject to review by an appropriate senior financial executive.

IFC.CE.MPO.BP3 Emphasize Importance of Diligence. Management provides sufficient direction such that employees recognize the importance of applying appropriate diligence and business judgment in the performance of assigned job responsibilities.

IFC.CE.MPO.BP4 Establish and Articulate Governance Objectives. Management establishes and articulates governance objectives, including those relating to complete, accurate and fair financial reporting and trusted business operation, with personnel involved in the financial reporting and trusted business operation process.

Relationship Notes The relationships between the Control Management process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.

Sources COSO 2006: IFC.CA.PP Policies and Procedures, IFC.CE.AR Authority and Responsibility, IFC.CE.MPO Management's Philosophy and Operating Style

References Internal Control over Financial Reporting - Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.

Work Products

Inputs:
- Inventory of Controls [Outcome: 1]
- Related Business Activities [Outcomes: 1, 3]
- Organizational Structure [Outcomes: 1, 2]
- Roles and Responsibilities [Outcome: 1]
- Job Descriptions [Outcome: 2]
- Code of Conduct [Outcome: 3]
- Governance Objectives [Outcome: 3]

Outputs:
- Governance Policies and Procedures [Outcome: 1]
- Review Records [Outcomes: 1, 2]
- Roles and Responsibilities [Outcome: 2]
- Nomination Records [Outcome: 2]
- Governance Objectives [Outcome: 3]
- Management Records [Outcome: 3]


Note: The above performance indicators, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered as a starting point for judging whether, given the application context, they are contributing to the intended purpose of the process, not as a compulsory check-list of what every organization must have.


    3.1.3 Control Competence

Process ID GOV.CC

    Process Name Control Competence

Process Purpose The purpose of the Control Competence process is to ensure the availability and usage of sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation.

NOTE1: The Control Competence process is a special application of the COSO 2006 model in the context of the Competency governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.

NOTE2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.

Process Outcomes As a result of successful implementation of the Control Competence process:

1) Recruitment, compensation and training activities are performed systematically.

2) Staff members are continually informed, and feedback is periodically reviewed.

3) Competent individuals are retained in relation to the business operation, financial reporting and related oversight roles.

Application practices AP01 Use human resource policies and practices relevant for financial reporting and trusted business operation objectives. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting and trusted business operation. [Outcome: 1]

NOTE1: This practice is implemented by performing practices of the COSO 2006 Human Resources process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CE.HR.BP1 Develop and Maintain Position Descriptions. Management develops and maintains position descriptions that reflect its values and the competencies needed to execute position requirements.

IFC.CE.HR.BP2 Develop and Maintain Human Resource Policies and Procedures. The human resource function develops and periodically updates materials outlining the organisation's human resource policies and procedures.

IFC.CE.HR.BP3 Review Resumes and Perform Reference Checks. Management reviews resumes and performs reference checks in considering candidates for key financial reporting and trusted business operation positions. For positions with high-level responsibility and authority, the organisation also performs background checks.

IFC.CE.HR.BP4 Provide Training and Awareness. The human resource function provides training and awareness programs to promote ethical behaviour throughout the organization. Additional training programs related to financial reporting and trusted business operation are provided to all employees with direct and indirect involvement in financial reporting and trusted business operation.

IFC.CE.HR.BP5 Establish a Review and Appraisal Process. Management establishes a review and appraisal process that confirms knowledge of each employee's progress and status within the organization.

IFC.CE.HR.BP6 Perform Exit Interviews. An organization's process for performing exit interviews includes inquiries about any concerns related to the organization's governance and internal control.

IFC.CE.HR.BP7 Design Compensation Plans. Compensation plans for senior executives include a significant element tied to achievement of non-financial goals (for example, customer satisfaction, employee retention, and successful systems implementation) and are not excessively tied to short-term results as reflected in governance reports.

IFC.CE.HR.BP8 Review Compensation Plans. The oversight board reviews management compensation plans, including bonus and stock compensation components, to determine whether the plans create an inappropriately high risk of financial reporting and trusted business operation misstatements, and implements controls as needed to reduce risk to an acceptable level.

IFC.CE.HR.BP9 Evaluate Competency of Personnel. Management evaluates the sufficiency and competency of personnel involved in recording and reporting financial information.

AP02 Provide effective internal communication over control requirements relevant for financial reporting and trusted business operation objectives. Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization. [Outcome: 2]

NOTE2: This practice is implemented by performing practices of the COSO 2006 Internal Communication process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.IC.IC.BP1 Communicate Information Regarding Governance Objectives. Management communicates information about the organisation's governance objectives, relevant internal control policies and procedures and how they work, and related individual responsibilities.

IFC.IC.IC.BP2 Communicate Through an Intranet Site. Management develops and maintains an intranet site, accessible to all appropriate personnel, for disseminating information regarding the organisation's internal control processes over financial reporting and trusted business operation.

IFC.IC.IC.BP3 Review Financial Information with the Oversight Board. At regular oversight board meetings, the CFO reviews financial information, analysis and related internal control, and enters into open discussion on all matters of directors' interest.

IFC.IC.IC.BP4 Communicate Between the Board and Internal Auditor. The oversight board and the chief internal auditors meet periodically and whenever events or circumstances warrant.

IFC.IC.IC.BP5 Communicate the Whistle-blower Program to Staff. The organisation maintains a whistle-blower process that enables employees to communicate misconduct, including matters relating to reliable governance.

IFC.IC.IC.BP6 Communicate Alternative Reporting Channels. Management provides an alternative to reporting to a line manager (either a coaching or mentoring program, or a professional or technical reporting channel) so that employees are confident that they will be heard.

IFC.IC.IC.BP7 Develop Guidelines for Communication to the Oversight Board. The oversight board develops guidelines for materials it expects to receive.

IFC.IC.IC.BP8 Consult with Outside Advisors. The oversight board consults with outside advisors whenever committee members feel management might lack the capability to adequately address an important issue.

AP03 Retain competent individuals. The organization retains individuals competent in relation to the organization's business operation, financial reporting and related oversight roles. [Outcome: 3]

NOTE3: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Competences process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.CE.FRC.BP1 Establish Required Knowledge, Skills and Abilities. Before hiring for key financial positions, management establishes and agrees on the knowledge, skills, and abilities (and related credentials) needed to effectively carry out the associated responsibilities.

IFC.CE.FRC.BP2 Supplement Competencies. The organization supplements in-house financial reporting and trusted business operation competencies as needed by establishing arrangements with outside specialists.

IFC.CE.FRC.BP3 Provide Training. Management provides training for employees involved in financial reporting and trusted business operation processes, either in-house or through outside service providers.

IFC.CE.FRC.BP4 Evaluate Competencies in Key Governance Roles. The oversight board (board of directors and/or audit committee) evaluates the competencies of individuals serving in key governance roles, such as CEO, CGO or CFO.

IFC.CE.FRC.BP5 Review and Evaluate Competencies. Management periodically reviews and evaluates employees relative to their assigned roles to determine whether the employees' skills are appropriate for their current job responsibilities.

Relationship Notes The relationships between the Control Competence process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.

Sources COSO 2006: IFC.CE.HR Human Resources, IFC.IC.IC Internal Communication, IFC.CE.FRC Financial Reporting Competencies

References Internal Control over Financial Reporting - Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.

Work Products

Inputs:
- Code of Conduct [Outcome: 1]
- Job Descriptions [Outcome: 1]
- Roles and Responsibilities [Outcome: 1]
- Nomination Records [Outcome: 1]
- Training Plans [Outcomes: 1, 3]
- Periodic Staff Information [Outcomes: 1, 2]
- Governance Competencies [Outcome: 1]
- Skill Assessment Reports [Outcomes: 1, 3]
- Governance Information Repository [Outcome: 2]
- Financial Control Information Repository [Outcome: 2]
- Guidelines for Communication to the Oversight Board [Outcome: 2]
- Oversight Agenda [Outcome: 2]
- Audit Files [Outcome: 2]
- Operating and Compliance Information [Outcome: 2]

Outputs:
- Job Descriptions [Outcome: 1]
- HR Policies and Procedures [Outcome: 1]
- HR Records [Outcome: 1]
- Training Plans [Outcomes: 1, 3]
- Periodic Staff Information [Outcome: 1]
- Review and Appraisal Process [Outcome: 1]
- Compensation Plans [Outcome: 1]
- Review Records [Outcomes: 1, 2]
- Skill Assessment Reports [Outcomes: 1, 3]
- Governance Competencies [Outcome: 3]
- Outsourcing Arrangements [Outcome: 3]

Note: The above performance indicators, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered as a starting point for judging whether, given the application context, they are contributing to the intended purpose of the process, not as a compulsory check-list of what every organization must have.


    3.1.4 Information Reliability

    Process ID GOV.IR

    Process Name Information Reliability

Process Purpose The purpose of the Information Reliability process is to ensure the accuracy and consistency in data architecture and disclosure elements relevant for governance objectives and trusted business operation, and for supporting data processing integrity.

NOTE1: The Information Reliability process is a special application of the COSO 2006 and COBIT 4.1 models in the context of the Accuracy governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles and the COBIT 4.1 framework in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 and COBIT 4.1 based reference models without recreating processes that are already well established.

NOTE2: The descriptions of the COBIT 4.1 processes and the COSO 2006 Principles are applicable to define ISO/IEC 15504 conformant process reference models and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.

Process Outcomes As a result of successful implementation of the Information Reliability process:

1) Effective information architecture and data model are maintained.

2) Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud.

3) Control information for automated process settings, data manipulations and calculations is maintained systematically.

Application practices AP01 Ensure the integrity and consistency of all data stored in electronic form. Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes. [Outcome: 1]

NOTE1: This practice is implemented by performing practices (control objectives) of the COBIT 4.1 Define the Information Architecture process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

PO2.1 Create and maintain enterprise information model. Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.

PO2.2 Create and maintain enterprise data dictionary(ies). Maintain an enterprise data dictionary that incorporates the organisation's data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.

PO2.3 Establish and maintain data classification scheme. Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

PO2.4 Manage data integrity. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

AP02 Manage processing information. Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization's financial reporting and trusted business operation objectives. [Outcome: 2]

NOTE2: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Information process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.IC.FRI.BP1 Use Matrices to Detail Information Flows. Process owners maintain matrices that, for each process impacting financial reporting and trusted business operation, detail the flow of information from the point of capture through reporting.

IFC.IC.FRI.BP2 Obtain Information from External Sources. Management obtains information from external sources, such as industry publications, trade associations and conferences, to identify events affecting industry trends, suppliers, customers, competitors, and the economic climate.

IFC.IC.FRI.BP3 Meet with Personnel from Other Business Areas. Management in charge of governance meets periodically with personnel from other areas of the business, such as operations, compliance, human resources, or product development, to obtain information that may affect financial reporting and trusted business operation.

AP03 Manage control information. Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities. [Outcome: 3]

NOTE3: This practice is implemented by performing practices of the COSO 2006 Internal Control Information process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:

IFC.IC.ICI.BP1 Develop and Maintain Internal Control Information Maps. Process owners develop and maintain information maps.

IFC.IC.ICI.BP2 Identify Internal Control Information through Discussion. In assessing information needs, management identifies through discussions with various personnel information used to man