Governance SPICE Model v2.4 for Trusted Businesses

Governance Model for Trusted Businesses
Version: 2.4, Revision: 1, Date: 23.09.2011, Page: 1/71
Implemented with the financial support of the Commission of the European Communities under the LEONARDO DA VINCI Programme (Project number: LLP-LdV-TOI-2010-HU-001). This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Governance Model for Trusted Businesses: Linking Governance to Sustainable Value Creation

Deliverable of the Business Process Modelling for Governance SPICE and Internal Financial Control (BPM GOSPEL) Project
File: Governance SPICE Model v24
Contents

1. Introduction, p. 3
  1.1 Objective, p. 3
  1.2 Purpose of the Material, p. 3
  1.3 The BPM GOSPEL Project, p. 3
  1.4 References, p. 5
2. Governance Objectives for Trusted Businesses, p. 6
  2.1 Using Governance Capability Assessment (Governance SPICE), p. 6
  2.2 Scope of the Governance Objectives, p. 8
  2.3 Setting Governance Objectives for Controlled Business Operation, p. 9
    2.3.1 Risk Awareness, p. 9
    2.3.2 Accountability, p. 10
    2.3.3 Competency, p. 11
    2.3.4 Accuracy, p. 12
    2.3.5 Process Integrity, p. 13
    2.3.6 Data Protection, p. 14
    2.3.7 Commitment, p. 15
    2.3.8 Control Efficiency, p. 16
  2.4 Setting Governance Objectives for Sustainable Business Operation, p. 17
    2.4.1 Competitiveness, p. 17
    2.4.2 Exploitability, p. 18
    2.4.3 Satisfaction, p. 19
3. Governance Processes for Trusted Businesses, p. 20
  3.1 Governance of Controlled Business Operation Application Category, p. 20
    3.1.1 Control Risks, p. 21
    3.1.2 Control Management, p. 25
    3.1.3 Control Competence, p. 29
    3.1.4 Information Reliability, p. 33
    3.1.5 Process Control, p. 37
    3.1.6 Data Protection, p. 41
    3.1.7 Integrity Assurance, p. 46
    3.1.8 Control Efficiency, p. 51
  3.2 Governance of Sustainable Business Operation Application Category, p. 55
    3.2.1 Competitive Operation, p. 56
    3.2.2 Exploitable Operation, p. 60
    3.2.3 Satisfactory Operation, p. 64
  3.3 Linking Governance Processes to Sustainable Value Creation, p. 67
4. Applicability for Outsourcing Service Organizations, p. 69
  4.1 Need for Reporting on Service Organizations' Controls, p. 69
  4.2 Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting, p. 69
  4.3 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, p. 70
  4.4 Use of Governance Model by Service Management, p. 71
1. Introduction
1.1 Objective
The objective of this material is to provide governance-objective-based process descriptions with practices as special application areas of Enterprise Governance, using the COSO [1], COBIT [2] and Enterprise SPICE [3] models in a format that conforms to the ISO/IEC 15504 Process Assessment standard (currently transitioning to ISO/IEC 33001-99) [4] and is applicable to management assertions and audit reports on the design and operating effectiveness of internal controls over financial reporting, and to providing assurance of trusted and sustainable business operation.
1.2 Purpose of the material
This material will be used as a training and knowledge-sharing resource exploited by the BPM GOSPEL project consortium members and made available via the public internet site (www.governancecapability.com) for governance system implementation, skill self-assessment and process assessment exercises.
1.3 The BPM GOSPEL project
The objective of the BPM GOSPEL (Business Process Modelling for Governance SPICE and Internal Financial Control) project (2010-2012) is the transfer of already proven innovation from Germany to Hungary, where the existing results of the IA-Manager (2005-2007) and MONTIFIC (2008-2010) training development projects are further enriched by the adapted "Stages" process management platform (see: www.methodpark.com/en/product.html) for multi-layer Business Process Modelling (BPM). The project aims to provide ready-to-use scenarios for enterprises and best practice cases for teaching and learning in vocational training demanded by both sides of the labour market.
Implemented BPM layers are presented below:
Figure 1: Implemented layers for Business Process Modelling (BPM GOSPEL)
This Governance Model, as a key conceptual deliverable of the BPM GOSPEL project, provides reference processes for mapping operational management to compliance and audit management implemented on the Stages platform. The best practice case studies aim to present all the above layers in different instances.
Adding business-driven case studies to training programmes (like www.training.ia-manager.org) supports understanding of the competencies needed and the best practices relevant for business practitioners. Employers are interested in on-the-job training where the acquired skills and knowledge can be directly tested and certified by applying the offered methodology and tools in a live environment.
The platform system "Stages" is adapted as a multi-layer BPM master example for teaching and even "coaching" the practical implementation of internal financial controls with IT support, as applied by private and public sector companies following internationally recognized control frameworks like COSO and COBIT and the related assessment (audit) approach (Governance SPICE).
The BPM GOSPEL Project Partnership

Prime Contractor: Budapest Business School
Country: HU-Hungary
Homepage: www.bgf.hu
Contact Persons: József ROÓZ, rector emeritus; László VARGA, project manager
Address: Markó utca 29-31, H-1055 Budapest
Telephone: +36 1 301 3427
Fax: +36 1 301 3431
E-mail: [email protected]

Project Coordinator: Memolux Ltd. / Trusted Business Partners Ltd
Country: HU-Hungary
Homepages: www.memolux.hu, www.trustedbusinesspartners.hu
Contact Person: János IVANYOS
Address: Keleti K. u 46, H-1024 Budapest
Telephone: +36 2 0941 7075
E-mail: [email protected]

Partners:
Gemma Ltd. (Country: HU-Hungary, Homepage: www.gemma.hu)
Method Park Software AG (Country: DE-Germany, Homepage: www.methodpark.de)
International Software Consulting Network - ISCN Ltd. (Country: IE-Ireland, Homepage: www.iscn.com)

See more details at: www.ia-manager.org and http://www.adam-europe.eu/adam/project/view.htm?prj=6635
1.4 References
[1] Internal Control over Financial Reporting: Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, c/o AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.
[2] Control Objectives for Information and related Technology (COBIT 4.1). Copyright 2007 by the IT Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA. All rights reserved.
[3] Enterprise SPICE: An Integrated Model for Enterprise-wide Assessment and Improvement. Technical Report, Issue 1, September 2010. Copyright The SPICE User Group 2010.
[4] ISO/IEC 15504-1:2004 Information technology -- Process assessment -- Part 1: Concepts and vocabulary; ISO/IEC 15504-2:2003 Information technology -- Process assessment -- Part 2: Performing an assessment; ISO/IEC 15504-2:2003/Cor 1:2004; ISO/IEC 15504-3:2004 Information technology -- Process assessment -- Part 3: Guidance on performing an assessment; ISO/IEC 15504-4:2004 Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination.
[5] J. Ivanyos, J. Roóz and R. Messnarz, Governance Capability Assessment: Using ISO/IEC 15504 for Internal Financial Controls and IT Management, in: The MONTIFIC Book, MONTIFIC-ECQA Joint Conference Proceedings, 2010.
[6] Trust Services Principles, Criteria, and Illustrations. Copyright 2009 by the American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.
[7] Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Copyright 2010 American Institute of Certified Public Accountants, Inc., New York, NY 10036-8775.
[8] Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). Copyright 2011, American Institute of Certified Public Accountants, Inc. All Rights Reserved.
2. Governance Objectives for Trusted Businesses
2.1 Using Governance Capability Assessment (Governance SPICE)
The term Governance Capability Assessment [5] is used in the context of Governance, Risk Management and Internal Control processes based on different concepts:
  Corporate Governance Principles (OECD)
  Recognized Control Frameworks and Reference Models (like COSO, COBIT, Enterprise SPICE, etc.)
  Risk Tolerance and Risk Appetite (as of COSO ERM)
  Performance Measurement (as of COBIT)
  Process Capability Assessment (ISO/IEC 15504-2:2003)
  Evaluating Process-related Risk (ISO/IEC 15504-4:2004)
  Organizational Maturity (ISO/IEC TR 15504-7:2008)
Governance Capability is the COSO objective-category based characterization of the ability of a process to meet current or projected business goals:
Figure 2: Implementing Governance Capability Levels
Internal and external audit standards (like IIA and ISA) recommend system-based evaluation of existing internal controls against internationally recognized control frameworks like COSO (Internal Control - Integrated Framework) and COBIT (Control Objectives for Information and related Technology). The contents of these frameworks are applicable for setting up Process Reference Models in compliance with ISO/IEC 15504-2 requirements.
Figure 3 presents the general concept of how ISO/IEC 15504 capability measurement is applicable for assessing governance systems that implement the most acknowledged control frameworks such as COSO and COBIT. The three dimensions presented are those derived from the COSO enterprise risk management and internal control models:
  Management supervision and control of business processes and activities
  Governance processes supporting the design and operation of the internal control system
  Objective categories measuring achievement of entity-level and operational goals
Figure 3: Governance SPICE Model
The COSO and COBIT based Process Reference Models, associated with the process attributes defined in ISO/IEC 15504-2, provide a common basis for performing assessments of governance capability regarding internal controls and for reporting results using a common rating scale. ISO/IEC 15504 offers not only a transparent method for assessing the performance of relevant governance processes, but also tools for assessing control risk areas based on the gaps between target and assessed capability profiles.
2.2 Scope of the Governance Objectives
The well-established and recognized control frameworks and process reference models can be used for effective and efficient enterprise governance only if management has established its own governance-related objectives. Unfortunately, the structures of control frameworks and reference models are not easily interpreted by enterprise management when setting business-specific governance objectives. Furthermore, the external and internal audit standards and literature are also not really supportive in this respect.
The Governance Model keeps both enterprise management and audit assurance logic in mind by presenting governance processes in line with the objectives relevant for enterprise management, together with an exact mapping to processes of the control frameworks (reference models) accepted and used by auditors for compliance attestation.
The reference to applicable ISO/IEC 15504 conformant processes allows management and auditors to use governance capability profiles in the context of the governance objectives.
The Governance Model interprets the following governance objectives for determining governance processes as special applications of the recognized reference models (COSO, COBIT and Enterprise SPICE) and trusted business principles [6]:
Supporting the Organization's Internal Control System:
  Risk Awareness, Accountability, Competency, Accuracy, Process Integrity, Data Protection, Commitment, Control Efficiency
Supporting Business Sustainability:
  Competitiveness, Exploitability, Satisfaction
Governance Capability Levels and the related Process Attributes for processes supporting the above objectives as application practices can be applied as qualitative and quantitative measures for setting affordable enterprise-specific requirements (risk appetite) relevant for achieving the business goals within a tolerable deviation (risk tolerance).
The Governance Model provides descriptions and application practices of governance processes for management assertions and audit reports on the design and operating effectiveness of internal controls over financial reporting, and for providing assurance of trusted and sustainable business operation.
As rationale for the Governance Model structure, the following parts present the governance objectives by determining the key risks and risk factors concerned. The risk responses should be decided by enterprise management as adequate applications of the referred (COSO, COBIT and Enterprise SPICE) processes at the defined governance capability levels.
2.3 Setting Governance Objectives for Controlled Business Operation
2.3.1 Risk Awareness
Key Risk: Relevant governance risks are not considered

Risk Factor: Governance objectives for business processes are inadequately established
Response: Management sets clearly defined objectives for governance, including risk tolerance and risk appetite
Applicable COSO process: Governance (Financial Reporting) Objectives (COSO)
Application Practice: Management specifies governance objectives relevant for financial reporting and trusted business operation with sufficient clarity and criteria to enable the identification of risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation.

Risk Factor: Inconsistency in risk assessment
Response: Risk assessments are periodically performed, considering the time horizon of the governance objectives, risk tolerance and risk appetite
Applicable COSO process: Governance (Financial Reporting) Risks (COSO)
Application Practice: The organization identifies and analyses risks to the achievement of governance objectives relevant for the organization's financial reporting and trusted business operation as a basis for determining how the risks should be managed.

Risk Factor: Risks relevant for the organization's internal control system are not addressed
Response: Control activities are developed by reflecting all assertions relevant for the organization's internal control system
Applicable COSO process: Integration with Risk Assessment (COSO)
Application Practice: Actions are taken to address risks to the achievement of governance objectives relevant for financial reporting and trusted business operation.
2.3.2 Accountability
Key Risk: Management is unable to control business processes

Risk Factor: No consistent or properly communicated policies and procedures
Response: Policies and procedures are maintained and used in operation
Applicable COSO process: Policies and Procedures (COSO)
Application Practice: Governance policies related to reliable financial reporting and trusted business operation are established and communicated throughout the organisation, with corresponding procedures resulting in management directives being carried out.

Risk Factor: Management structure is inadequate
Response: Roles and responsibilities are identified
Applicable COSO process: Authority and Responsibility (COSO)
Application Practice: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting and trusted business operation.

Risk Factor: Management attitude is not exemplary
Response: Management takes stimulating behaviour
Applicable COSO process: Management's Philosophy and Operating Style (COSO)
Application Practice: Management's philosophy and operating style support achieving effective internal control over financial reporting and trusted business operation.
2.3.3 Competency
Key Risk: Staff is unable to perform control tasks

Risk Factor: Lack of skilled staff
Response: Recruitment, compensation and training activities are performed systematically
Applicable COSO process: Human Resources (COSO)
Application Practice: Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting and trusted business operation.

Risk Factor: Staff members do not know procedures and processing requirements
Response: Staff members are continually informed, and feedback is periodically reviewed
Applicable COSO process: Internal Communication (COSO)
Application Practice: Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

Risk Factor: Changes of skills requirements
Response: Adequate human resource practices are determined and used
Applicable COSO process: Governance (Financial Reporting) Competencies (COSO)
Application Practice: The organization retains individuals competent in relation to the organization's business operation, financial reporting and related oversight roles.
2.3.4 Accuracy
Key Risk: Inconsistency in data architecture and disclosure elements

Risk Factor: Information architecture is inconsistent with processing requirements
Response: Maintaining an effective information architecture and data model
Applicable COSO/COBIT process: Define the Information Architecture (COBIT)
Application Practice: Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes.

Risk Factor: Non-compliance with rules and regulations is not detected in time
Response: Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud
Applicable COSO/COBIT process: Governance (Financial Reporting) Information (COSO)
Application Practice: Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization's financial reporting and trusted business operation objectives.

Risk Factor: Availability and quality of control information are not sufficient
Response: Control information for automated process settings, data manipulations and calculations is maintained systematically
Applicable COSO/COBIT process: Internal Control Information (COSO)
Application Practice: Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
2.3.5 Process Integrity
Key Risk: Defective process level controls

Risk Factor: Process performance is wholly dependent on key staff
Response: Control activities over access, amendments, adjustments and other usage of business information are maintained systematically
Applicable COSO process: Selection and Development of Control Activities (COSO)
Application Practice: Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting and trusted business operation objectives.

Risk Factor: Data processing and process automation controls malfunction
Response: Application and general IT controls are maintained and evaluated systematically
Applicable COSO process: Information Technology (COSO)
Application Practice: Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting and trusted business operation objectives.

Risk Factor: Failures in detecting errors and reacting to incidents
Response: Process performance metrics are collected and evaluated
Applicable COSO process: Ongoing and Separate Evaluations (COSO)
Application Practice: Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting and trusted business operation is present and functioning.
2.3.6 Data Protection
Key Risk: Unauthorized access to and misuse of confidential data

Risk Factor: System security and confidentiality failures
Response: Preventive controls are maintained to avoid system security incidents
Applicable COSO/COBIT/GAPP process: Ensure Systems Security (COBIT)
Application Practice: Satisfy the business requirement of maintaining the confidentiality, integrity and availability of information and the processing infrastructure aligned to business needs and minimising the impact of security vulnerabilities.

Risk Factor: Intentional misuse of data
Response: Anti-fraud management programme is maintained
Applicable COSO/COBIT/GAPP process: Fraud Risks (COSO)
Application Practice: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting and trusted business operation objectives.

Risk Factor: Breaching privacy requirements
Response: Active policies and procedures are in place to ensure privacy requirements
Applicable COSO/COBIT/GAPP process: Generally Accepted Privacy Principles (AICPA/CICA)
Application Practice: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).
2.3.7 Commitment
Key Risk: Business integrity is not respectable

Risk Factors: No commitment to ethical values; ethical values are not articulated or followed
Applicable COSO/COBIT process: Integrity and Ethical Values (COSO)
Application Practice: Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting and trusted business operation.

Risk Factor: Interruption of information and communication systems
Response: Active policies and procedures are in place to ensure business continuity
Applicable COSO/COBIT process: Ensure Continuous Service (COBIT)
Application Practice: Satisfy the business requirement of ensuring minimal business impact in the event of an IT service interruption.

Risk Factor: External feedback and opinions are not considered
Response: Information from external parties is collected and reviewed systematically
Applicable COSO/COBIT process: External Communication (COSO)
Application Practice: Matters affecting the achievement of the financial reporting and trusted business operation objectives are communicated with outside parties.
2.3.8 Control Efficiency

Key Risk: Inefficient usage of control resources

Risk Factor: Inadequate structures for control operation and reporting
Response: Management maintains an adequate organizational structure and reporting lines
Applicable process (COSO): Organizational Structure (COSO)
Application Practice: The entity's organizational structure supports effective internal control over financial reporting and trusted business operation.

Risk Factor: Operation and reporting of controls do not provide sufficient evidence to assess the effectiveness of the internal control system
Response: Oversight activities ensure periodic assessment of governance capabilities
Applicable process (COSO): Oversight Board (COSO)
Application Practice: The oversight board understands and exercises oversight responsibility related to trusted business operation, financial reporting and related internal control.

Risk Factor: Necessary corrective actions are not taken in time
Response: Management reviews control deficiencies and the actions taken
Applicable process (COSO): Reporting Deficiencies (COSO)
Application Practice: Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the oversight board as appropriate.
2.4 Setting Governance Objectives for Sustainable Business Operation
2.4.1 Competitiveness

Key Risk: Losing market

Risk Factor: Business objectives do not reflect changes in the economic environment
Response: Business goals and targets are systematically maintained
Applicable process (Enterprise SPICE): Enterprise Governance (ESPICE)
Application Practice: The organization applies practices to establish strategic enterprise direction and ensure the enterprise achieves its goals and objectives.

Risk Factor: Market needs are not respected
Response: Improvement of product or service features is considered periodically
Applicable process (Enterprise SPICE): Needs (ESPICE)
Application Practice: The organization applies practices to elicit, analyze, clarify, and document evolving customer and other stakeholder needs and expectations.

Risk Factor: Business proposals are not convincing
Response: Improvement of proposal preparation
Applicable process (Enterprise SPICE): Tendering (ESPICE)
Application Practice: The organization applies practices to identify, select and bid for acquirer requests for information, quotations and proposals based on decisions that appropriately consider customer needs, risks, organizational abilities and competitor capabilities.
2.4.2 Exploitability

Key Risk: Opportunities are not exploited

Risk Factor: Necessary investments are not made
Response: Investment needs and potentials are considered systematically
Applicable process (Enterprise SPICE): Investment Management (ESPICE)
Application Practice: The organization applies practices to ensure that the organization realizes optimal value from strategically aligned business investments at an affordable cost with a known and acceptable level of risk.

Risk Factor: Management uses resources inefficiently
Response: Systematic project management practices are applied
Applicable process (Enterprise SPICE): Project Management (ESPICE)
Application Practice: Management applies practices to ensure that business projects achieve their objectives within given resource constraints by initiating, planning, executing, monitoring, controlling and closing the project activities and resources.

Risk Factor: Product or service quality is not ensured
Response: Systematic quality management practices are applied
Applicable process (Enterprise SPICE): Quality Assurance and Management (ESPICE)
Application Practice: The organization applies practices to assure the quality of the product or service and of the processes used, and to provide management with appropriate visibility into all relevant quality aspects.
2.4.3 Satisfaction

Key Risk: Losses due to customer dissatisfaction

Risk Factor: Requirements are not established adequately
Response: Requirements are established based on customer needs
Applicable process (Enterprise SPICE): Requirements (ESPICE)
Application Practice: The organization applies practices to develop a detailed and precise set of requirements that meet customer needs and expectations, and to manage those requirements throughout the life cycle.

Risk Factor: Ineffective business relationship management
Response: Business relationship management is maintained
Applicable process (Enterprise SPICE): Business Relationship Management (ESPICE)
Application Practice: The organization applies practices to establish and maintain a mutually satisfying relationship between the product or service supplier and the business partner, based on understanding the business partner and its business drivers.

Risk Factor: Product or service delivery default
Response: Monitoring based on agreed service levels
Applicable process (Enterprise SPICE): Operation and Support (ESPICE)
Application Practice: The organization applies practices to operate the product or service at agreed service levels and to support its users.
3. Governance Processes for Trusted Businesses
3.1 Governance of Controlled Business Operation Application Category
The Governance of Controlled Business Operation application category focuses on how effectively enterprise governance applies the Internal Control (COSO 2006) Principles together with the Security, Availability, Processing Integrity, Confidentiality and Privacy Principles.
Eight processes relate to the Governance of Controlled Business Operation application category:
Control Risks: The organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in the management of business operation.

Control Management: The management of the organization is able to control business processes in a way that is adequate to the objectives of internal control over financial reporting and trusted business operation.

Control Competence: Sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation are available and used.

Information Reliability: Data architecture and disclosure elements relevant for financial reporting objectives and trusted business operation, and for supporting data processing integrity, are accurate and consistent.

Process Control: Design and operation of process-level controls relevant to the objectives of financial reporting and trusted business operation, and to the processing integrity principle, are effective.

Data Protection: The organization and its staff are committed to the security, confidentiality and privacy principles, to avoid unauthorized access to and misuse of confidential data affected by business operation.

Integrity Assurance: The organization and its staff are committed to complying with ethical and business integrity requirements relevant to the objectives of financial reporting and trusted business operation, and to the availability principle.

Control Efficiency: Control resources relevant to the objectives of financial reporting and trusted business operation are used efficiently.
3.1.1 Control Risks
Process ID: GOV.CR
Process Name: Control Risks
Process Purpose: The purpose of the Control Risks process is to ensure that the organization and its staff adequately address risks to the governance objectives relevant for financial reporting and trusted business operation and consider those risks in the management of business operation.
NOTE1: The Control Risks process is a special application of the COSO 2006 model in the context of the Risk Awareness governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.
NOTE2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.
Process Outcomes: As a result of successful implementation of the Control Risks process:
1) Governance objectives relevant for financial reporting and trusted business operation are established.
2) Risk assessments are performed consistently.
3) The organization's internal controls are integrated with risks to the achievement of the organization's objectives relevant for financial reporting and trusted business operation.
Application practices: AP01 Establish governance objectives for financial reporting and trusted business operation. Management specifies governance objectives relevant for financial reporting and trusted business operation with sufficient clarity and criteria to enable the identification of risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation. [Outcome: 1]
NOTE1: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Objectives process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.RA.FRO.BP1 Identify Management Assertions. To identify relevant management assertions, management starts with the governance reports, including disclosures, and identifies significant governance objectives, based on management's estimate of materiality. For each governance report and disclosure, management then identifies relevant assertions, underlying transactions and events, and processes supporting these governance objectives.
IFC.RA.FRO.BP2 Consider the Range of Assessment Activities. Management, with oversight board review, considers the range of the organization's activities to assess whether all are appropriately captured in the governance reports, and considers whether the governance reports appropriately communicate to readers economic reality in a useful form.
IFC.RA.FRO.BP3 Compare Governance Policies. Management compares the governance principles adopted for the organization to those used by companies of similar size and industry. Management also compares the content and level of detail in the organization's governance reports to those organizations' reports. Significant variations are considered by management and summarized for board review.
AP02 Perform consistent risk assessment. The organization identifies and analyses risks to the achievement of governance objectives relevant for the organization's financial reporting and trusted business operation as a basis for determining how the risks should be managed. [Outcome: 2]
NOTE2: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Risks process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.RA.FRR.BP1 Apply Risk Identification Process. Management's risk identification process includes identifying:
- Relevant management assertions for each significant governance objective.
- Business processes and business units supporting governance objectives and disclosures.
- Information technology (IT) systems supporting key business processes relevant to governance objectives.
IFC.RA.FRR.BP2 Map Controls. Management maps its controls to the five internal control components, with headers that list the activity's control objectives and risks. This approach targets activities that might generate governance errors.
IFC.RA.FRR.BP3 Interact with External Parties. As part of an organisation's risk identification, management interacts with external parties that may affect the reliability of governance reporting, including suppliers, investors, creditors, shareholders, employees, customers, intermediaries, and industry peers.
IFC.RA.FRR.BP4 Consider External Factors. Management considers external factors that impact its ability to achieve its governance objectives, such as economic, competitive, and industry conditions; the regulatory and political environment; and changes in technology, supply sources, customer demands, or creditor requirements. Management also considers how internal factors and changes in them impact the organisation's ability to achieve its governance objectives. These include governance report characteristics, business process characteristics, and entity-wide factors.
IFC.RA.FRR.BP5 Update Risk Assessments. Management updates risk assessments periodically (e.g. on a quarterly basis), considering:
- Newly identified risks determined to be significant.
- Escalation of previously identified risks to higher relevance.
- The status of action plans to mitigate significant risks.
This risk assessment evaluates risk based on the potential impact and likelihood of risks. The resulting assessment is used as a key input in determining required control activities.
IFC.RA.FRR.BP6 Meet with Relevant Personnel. Key governance personnel meet on a regular basis with:
- Executive management, to identify new initiatives, commitments, and activities affecting risks to financial reporting and trusted business operation.
- Information technology personnel, to monitor changes in information technology that may affect risks related to financial reporting and trusted business operation.
- Human resources staff, to identify and assess how changes in the workforce may affect the competencies needed for internal control over financial reporting and trusted business operation.
- Legal counsel, to stay abreast of legal and regulatory changes.
AP03 Address risks relevant for financial reporting and trusted business operation. Actions are taken to address risks to the achievement of the governance objectives relevant for financial reporting and trusted business operation. [Outcome: 3]
NOTE3: This practice is implemented by performing practices of the COSO 2006 Integration with Risk Assessment process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CA.IRA.BP1 Consider Entity-Wide Controls. Management considers entity-wide controls that are pervasive across the organisation when considering whether control activities are sufficient to address identified risks.
IFC.CA.IRA.BP2 Use Workshops to Identify and Evaluate Controls. Management uses workshops to identify appropriate control activities for each identified risk to a governance objective and to train its employees in the proper implementation of control activities.
IFC.CA.IRA.BP3 Use Matrices to Identify and Evaluate Controls. Management uses risk/control matrices, developed while assessing risks and designing controls in each business process, to perform a gap analysis that evaluates the need for any additional controls required to mitigate risks to the achievement of governance objectives.
IFC.CA.IRA.BP4 Use an Inventory of Controls to Identify and Evaluate Controls. Management uses a register or software that provides an inventory of controls, typically aligned to specified risks to financial reporting and trusted business operation.
IFC.CA.IRA.BP5 Use Independent Assessment of Outsourcing Service Providers' Internal Control over Processing Transactions for the User Organization. When outsourcing all or a portion of its function related to financial reporting and trusted business operation, the CFO or CGO obtains an independent assessment report (such as a SOC 1 Type II report) or undertakes procedures to assess the controls in place for the initiation, recording, and processing of significant classes of transactions at the third-party outsourcer.
Relationship Notes: The relationships between the Control Risks process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.
Sources: COSO 2006: IFC.RA.FRO Financial Reporting Objectives, IFC.RA.FRR Financial Reporting Risks, IFC.CA.IRA Integration with Risk Assessment
References: Internal Control over Financial Reporting - Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, c/o AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.
Work Products

Inputs:
- Governance Policies and Procedures [Outcomes: 1, 2]
- Governance Objectives [Outcomes: 1, 2]
- Management Assertions [Outcome: 2]
- Organizational Structure [Outcome: 2]
- Related Business Activities [Outcome: 2]
- Related IT Systems [Outcome: 2]
- Governance Competencies [Outcome: 2]
- Skill Assessment Reports [Outcome: 2]
- Risk and Control Documentation [Outcomes: 2, 3]
- Outsourcing Assessment Report [Outcome: 3]

Outputs:
- Governance Objectives [Outcome: 1]
- Related Business Activities [Outcome: 1]
- Review Records [Outcome: 1]
- Management Assertions [Outcome: 1]
- Risk and Control Documentation [Outcomes: 2, 3]
- Risk Assessment Reports [Outcome: 2]
- Inventory of Controls [Outcome: 3]
Note: The above performance indicators, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered a starting point for judging whether, given the application context, they contribute to the intended purpose of the process, not a compulsory checklist of what every organization must have.
3.1.2 Control Management
Process ID: GOV.CM
Process Name: Control Management
Process Purpose: The purpose of the Control Management process is to ensure that the management of the organization is able to control business processes in a way that is adequate to the objectives of internal control over financial reporting and trusted business operation.
NOTE1: The Control Management process is a special application of the COSO 2006 model in the context of the Accountability governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.
NOTE2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.
Process Outcomes: As a result of successful implementation of the Control Management process:
1) Policies and procedures relevant for the governance objectives of financial reporting and trusted business operation are consistently implemented and communicated.
2) The management structure is adequate to internal control over financial reporting and trusted business operation.
3) Management behaves in a way that stimulates support for internal control over financial reporting and trusted business operation.
Application practices: AP01 Establish governance policies and procedures relevant for the governance objectives of financial reporting and trusted business operation. Governance policies related to reliable financial reporting and trusted business operation are established and communicated throughout the organisation, with corresponding procedures resulting in management directives being carried out. [Outcome: 1]
NOTE1: This practice is implemented by performing practices of the COSO 2006 Policies and Procedures process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CA.PP.BP1 Develop and Document Policies and Procedures. Management develops and documents policies and procedures for all significant financial reporting and trusted business operation related activities using various formats such as narratives, flowcharts, and control matrices.
IFC.CA.PP.BP2 Consider Preventive and Detective Controls. Management includes both preventive and detective controls within each process, using process maps, narratives, spreadsheets, or other mechanisms to document and communicate the control activities.
IFC.CA.PP.BP3 Develop Policies for Entity-Wide Application. Central management develops policies for areas that have entity-wide application, such as its code of conduct, delegation of authority, safeguarding of assets, and so forth. In addition, management develops policies at the business unit level that support and align with entity-wide policies.
AP02 Assign governance roles and responsibilities. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting and trusted business operation. [Outcome: 2]
NOTE2: This practice is implemented by performing practices of the COSO 2006 Authority and Responsibility process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CE.AR.BP1 Define Objectives and Responsibilities. Management sets forth clear business and management objectives and position descriptions to reinforce management's responsibility for effective internal control over financial reporting and trusted business operation.
IFC.CE.AR.BP2 Review Key Positions. For key financial reporting and trusted business operation positions, the oversight board reviews management's descriptions of the positions' responsibilities and authorities, and considers how those positions affect the strength of internal control over financial reporting and trusted business operation, calling for re-evaluation where needed.
IFC.CE.AR.BP3 Assign Authorities and Responsibilities. In assigning authorities and responsibilities, management considers the impact on the effectiveness of the control environment and the importance of maintaining effective segregation of duties. Management establishes an appropriate balance between the authority needed to get the job done and the need to maintain adequate internal control over key processes.
IFC.CE.AR.BP4 Empower Employees. Management empowers employees to correct problems or implement improvements in their assigned business processes as necessary, balanced with appropriate monitoring of performance.
IFC.CE.AR.BP5 Align Positions with Responsibilities and Authorities. Management considers the nature of employee positions within the organization when assigning responsibilities to individuals or determining certain levels of authority for positions.
AP03 Management takes stimulating behaviour. Management's philosophy and operating style support achieving effective internal control over financial reporting and trusted business operation. [Outcome: 3]
NOTE3: This practice is implemented by performing practices of the COSO 2006 Management's Philosophy and Operating Style process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CE.MPO.BP1 Emphasize Risk Mitigation. Management emphasizes the importance of minimizing risks related to financial reporting and trusted business operation in its interactions with others involved in the financial reporting and trusted business operation process, and through its dealings with customers, suppliers or distributors, and employees.
IFC.CE.MPO.BP2 Emphasize Processing Requirements. The organisation's operating philosophy requires that all journal entries, including those reflecting assumptions and estimates, be properly authorized, supported by adequate documentation and subject to review by an appropriate senior financial executive.
IFC.CE.MPO.BP3 Emphasize Importance of Diligence. Management provides sufficient direction such that employees recognize the importance of applying appropriate diligence and business judgment in the performance of assigned job responsibilities.
IFC.CE.MPO.BP4 Establish and Articulate Governance Objectives. Management establishes and articulates governance objectives, including those relating to complete, accurate and fair financial reporting and trusted business operation, with personnel involved in the financial reporting and trusted business operation process.
Relationship Notes: The relationships between the Control Management process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.
Sources: COSO 2006: IFC.CA.PP Policies and Procedures, IFC.CE.AR Authority and Responsibility, IFC.CE.MPO Management's Philosophy and Operating Style
References: Internal Control over Financial Reporting - Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, c/o AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.
Work Products

Inputs:
- Inventory of Controls [Outcome: 1]
- Related Business Activities [Outcomes: 1, 3]
- Organizational Structure [Outcomes: 1, 2]
- Roles and Responsibilities [Outcome: 1]
- Job Descriptions [Outcome: 2]
- Code of Conduct [Outcome: 3]
- Governance Objectives [Outcome: 3]

Outputs:
- Governance Policies and Procedures [Outcome: 1]
- Review Records [Outcomes: 1, 2]
- Roles and Responsibilities [Outcome: 2]
- Nomination Records [Outcome: 2]
- Governance Objectives [Outcome: 3]
- Management Records [Outcome: 3]
Note: The above performance indicators, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered a starting point for judging whether, given the application context, they contribute to the intended purpose of the process, not a compulsory checklist of what every organization must have.
3.1.3 Control Competence
Process ID: GOV.CC
Process Name: Control Competence
Process Purpose: The purpose of the Control Competence process is to ensure the availability and usage of sufficient skills and knowledge relevant for the objectives of internal control over financial reporting and trusted business operation.
NOTE 1: The Control Competence process is a special application of the COSO 2006 model in the context of the Competency governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 based reference model without recreating processes that are already well established.
NOTE 2: The descriptions of the COSO 2006 Principles are applicable to define an ISO/IEC 15504 conformant process reference model and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.
Process Outcomes: As a result of successful implementation of the Control Competence process:
1) Recruitment, compensation and training activities are performed systematically.
2) Staff members are continually informed, and feedback is periodically reviewed.
3) Competent individuals are retained in relation to the business operation, financial reporting and related oversight roles.
Application practices: AP01 Use human resource policies and practices relevant for financial reporting and trusted business operation objectives. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting and trusted business operation. [Outcome: 1]
NOTE 1: This practice is implemented by performing practices of the COSO 2006 Human Resources process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CE.HR.BP1 Develop and Maintain Position Descriptions. Management develops and maintains position descriptions that reflect its values and the competencies needed to execute position requirements.
IFC.CE.HR.BP2 Develop and Maintain Human Resource Policies and Procedures. The human resource function develops and periodically updates materials outlining the organisation's human resource policies and procedures.
IFC.CE.HR.BP3 Review Resumes and Perform Reference Checks. Management reviews resumes and performs reference checks in considering candidates for key financial reporting and trusted business operation positions. For positions with high level responsibility and authority, the organisation also performs background checks.
IFC.CE.HR.BP4 Provide Training and Awareness. The human resource function provides training and awareness programs to promote ethical behaviour throughout the organization. Additional training programs related to financial reporting and trusted business operation are provided to all employees with direct and indirect involvement in financial reporting and trusted business operation.
IFC.CE.HR.BP5 Establish a Review and Appraisal Process. Management establishes a review and appraisal process that confirms knowledge of each employee's progress and status within the organization.
IFC.CE.HR.BP6 Perform Exit Interviews. An organization's process for performing exit interviews includes inquiries about any concerns related to the organization's governance and internal control.
IFC.CE.HR.BP7 Design Compensation Plans. Compensation plans for senior executives include a significant element tied to achievement of non-financial goals (for example, customer satisfaction, employee retention, and successful systems implementation) and are not excessively tied to short-term results as reflected in governance reports.
IFC.CE.HR.BP8 Review Compensation Plans. The oversight board reviews management compensation plans, including bonus and stock compensation components, to determine whether the plans create an inappropriately high risk of financial reporting and trusted business operation misstatements, and implements controls as needed to reduce risk to an acceptable level.
IFC.CE.HR.BP9 Evaluate Competency of Personnel. Management evaluates the sufficiency and competency of personnel involved in recording and reporting financial information.
AP02 Provide effective internal communication over control requirements relevant for financial reporting and trusted business operation objectives. Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization. [Outcome: 2]
NOTE 2: This practice is implemented by performing practices of the COSO 2006 Internal Communication process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.IC.IC.BP1 Communicate Information Regarding Governance Objectives. Management communicates information about the organisation's governance objectives, relevant internal control policies and procedures and how they work, and related individual responsibilities.
IFC.IC.IC.BP2 Communicate Through an Intranet Site. Management develops and maintains an intranet site, accessible to all appropriate personnel, for disseminating information regarding the organisation's internal control processes over financial reporting and trusted business operation.
IFC.IC.IC.BP3 Review Financial Information with the Oversight Board. At regular oversight board meetings, the CFO reviews financial information, analysis and related internal control, and enters into open discussion on all matters of directors' interest.
IFC.IC.IC.BP4 Communicate Between the Board and Internal Auditor. The oversight board and the chief internal auditors meet periodically and whenever events or circumstances warrant.
IFC.IC.IC.BP5 Communicate the Whistle-blower Program to Staff. The organisation maintains a whistle-blower process that enables employees to communicate misconduct, including matters relating to reliable governance.
IFC.IC.IC.BP6 Communicate Alternative Reporting Channels. Management provides an alternative to reporting to a line manager, either a coaching or mentoring program or a professional or technical reporting channel, so that employees are confident that they will be heard.
IFC.IC.IC.BP7 Develop Guidelines for Communication to the Oversight Board. The oversight board develops guidelines for materials it expects to receive.
IFC.IC.IC.BP8 Consult with Outside Advisors. The oversight board consults with outside advisors whenever committee members feel management might lack the capability to adequately address an important issue.
AP03 Retain competent individuals. The organization retains individuals competent in relation to the organization's business operation, financial reporting and related oversight roles. [Outcome: 3]
NOTE 3: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Competences process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.CE.FRC.BP1 Establish Required Knowledge, Skills and Abilities. Before hiring for key financial positions, management establishes and agrees on the knowledge, skills, and abilities (and related credentials) needed to effectively carry out the associated responsibilities.
IFC.CE.FRC.BP2 Supplement Competencies. The organization supplements in-house financial reporting and trusted business operation competencies as needed by establishing arrangements with outside specialists.
IFC.CE.FRC.BP3 Provide Training. Management provides training for employees involved in financial reporting and trusted business operation processes, either in-house or through outside service providers.
IFC.CE.FRC.BP4 Evaluate Competencies in Key Governance Roles. The oversight board (board of directors and/or audit committee) evaluates the competencies of individuals serving in key governance roles, such as CEO, CGO or CFO.
IFC.CE.FRC.BP5 Review and Evaluate Competencies. Management periodically reviews and evaluates employees relative to their assigned roles to determine whether the employees' skills are appropriate for their current job responsibilities.
Relationship Notes: The relationships between the Control Competence process and application practices, and other processes in the COSO 2006 model, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application.
Sources: COSO 2006: IFC.CE.HR Human Resources, IFC.IC.IC Internal Communication, IFC.CE.FRC Financial Reporting Competencies
References: Internal Control over Financial Reporting - Guidance for Smaller Public Companies. Copyright 2006 by The Committee of Sponsoring Organizations, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881, USA. All rights reserved.
Work Products: Inputs | Outputs
Code of Conduct [Outcome: 1] | Job Descriptions [Outcome: 1]
Job Descriptions [Outcome: 1] | HR Policies and Procedures [Outcome: 1]
Roles and Responsibilities [Outcome: 1] | HR Records [Outcome: 1]
Nomination Records [Outcome: 1] | Training Plans [Outcomes: 1, 3]
Training Plans [Outcomes: 1, 3] | Periodic Staff Information [Outcome: 1]
Periodic Staff Information [Outcomes: 1, 2] | Review and Appraisal Process [Outcome: 1]
Governance Competencies [Outcome: 1] | Compensation Plans [Outcome: 1]
Skill Assessment Reports [Outcomes: 1, 3] | Review Records [Outcomes: 1, 2]
Governance Information Repository [Outcome: 2]
Skill Assessment Reports [Outcomes: 1, 3]
Financial Control Information Repository [Outcome: 2]
Guidelines for Communication to the Oversight Board [Outcome: 2]
Oversight Agenda [Outcome: 2] | Governance Competencies [Outcome: 3]
Audit Files [Outcome: 2] | Outsourcing Arrangements [Outcome: 3]
Operating and Compliance Information [Outcome: 2]
Note: The above performance indicators, driven by the COSO 2006 model, are applicable for assessing the effectiveness of controls in relation to the objectives of financial reporting and trusted business operation. However, they should be considered as a starting point for judging whether, given the application context, they are contributing to the intended purpose of the process, not as a compulsory check-list of what every organization must have.
3.1.4 Information Reliability
Process ID: GOV.IR
Process Name: Information Reliability
Process Purpose: The purpose of the Information Reliability process is to ensure accuracy and consistency in the data architecture and disclosure elements relevant for governance objectives and trusted business operation, and to support data processing integrity.
NOTE 1: The Information Reliability process is a special application of the COSO 2006 and COBIT 4.1 models in the context of the Accuracy governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles and the COBIT 4.1 framework in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 and COBIT 4.1 based reference models without recreating processes that are already well established.
NOTE 2: The descriptions of the COBIT 4.1 processes and the COSO 2006 Principles are applicable to define ISO/IEC 15504 conformant process reference models and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard.
Process Outcomes: As a result of successful implementation of the Information Reliability process:
1) An effective information architecture and data model are maintained.
2) Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud.
3) Control information for automated process settings, data manipulations and calculations is maintained systematically.
Application practices: AP01 Ensure the integrity and consistency of all data stored in electronic form. Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes. [Outcome: 1]
NOTE 1: This practice is implemented by performing practices (control objectives) of the COBIT 4.1 Define the Information Architecture process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
PO2.1 Create and maintain enterprise information model. Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
PO2.2 Create and maintain enterprise data dictionary(ies). Maintain an enterprise data dictionary that incorporates the organisation's data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.
PO2.3 Establish and maintain data classification scheme. Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
PO2.4 Manage data integrity. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
AP02 Manage processing information. Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization's financial reporting and trusted business operation objectives. [Outcome: 2]
NOTE 2: This practice is implemented by performing practices of the COSO 2006 Financial Reporting Information process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.IC.FRI.BP1 Use Matrices to Detail Information Flows. Process owners maintain matrices that, for each process impacting financial reporting and trusted business operation, detail the flow of information from the point of capture through reporting.
IFC.IC.FRI.BP2 Obtain Information from External Sources. Management obtains information from external sources, such as industry publications, trade associations and conferences, to identify events affecting industry trends, suppliers, customers, competitors, and the economic climate.
IFC.IC.FRI.BP3 Meet with Personnel from Other Business Areas. Management in charge of governance meets periodically with personnel from other areas of the business, such as operations, compliance, human resources, or product development, to obtain information that may affect financial reporting and trusted business operation.
AP03 Manage control information. Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities. [Outcome: 3]
NOTE 3: This practice is implemented by performing practices of the COSO 2006 Internal Control Information process with a specific focus on how enterprise governance supports internal control over financial reporting and trusted business operation:
IFC.IC.ICI.BP1 Develop and Maintain Internal Control Information Maps. Process owners develop and maintain information maps.
IFC.IC.ICI.BP2 Identify Internal Control Information through Discussion. In assessing information needs, management identifies through discussions with various personnel information used to man