IT Control Framework

Uploaded by: nicamari-jesyra-soliven-sison

Posted on 10-Jul-2016

Transcript

Page 1

I.T. Control Framework

Internal Control

Risk

Page 2

Internal Control Defined

An entity’s system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals, including:

• Reliability of financial reporting

• Compliance with applicable laws and regulations

• Effectiveness and efficiency of operations

Page 3

What Internal Control Can Do

Internal control can help an entity:

• achieve its performance and profitability targets, and prevent loss of resources

• ensure reliable financial reporting

• help ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences

Page 4

Section 404 Reporting Requirements for Management

Section 404 of Sarbanes-Oxley requires the management of public companies to issue an internal control report that includes:

• A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

• An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.

Page 5

Control Framework

• A data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.

Page 6

The Components of Internal Control

• The Control Environment

• Risk Assessment

• Control Activities

• Information and Communication

• Monitoring

The internal control framework for most companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, issued in 1992.

Page 7

1. The Control Environment

• sets the tone for the organization, influencing the control consciousness of its personnel

• is the foundation for all other components of internal control, as it provides the discipline and structure for the achievement of the primary objectives of the organization.

Page 8

• Communication and enforcement of integrity and ethical values

• Commitment to competence

• Participation by those charged with governance

• Management’s philosophy and operating style

• Organizational structure

• Assignment of authority and responsibility

• Human resources policies and practices

Page 9

Integrity and Ethical Values

• Management actions to remove incentives that prompt a person to behave improperly.

• Communication of behavioral standards by codes of conduct and example.

Page 10

Commitment to Competence

• Competence is the knowledge and skills necessary to accomplish the tasks that define the individual’s job.

• If individual employees are tasked with carrying out duties that are beyond their competence levels, then desired objectives are unlikely to be met.

Page 11

Participation by Those Charged with Governance

• The directors of a limited liability/limited company are charged with the company’s governance.

• As such, they are responsible for overseeing the strategic direction of the company and its obligations related to its accountability.

Page 12

Management’s Philosophy and Operating Style

Management, through its activities, provides clear signals to employees about the importance of internal control.

• Are sales and earnings targets unrealistic?

• Are employees encouraged to take aggressive actions to meet those targets?

Page 13

Organizational Structure

Understanding the client’s organizational structure provides the auditor with an understanding of how the client’s business functions and implements controls.

Page 14

Assignment of Authority and Responsibility

Formal methods of communication include:

• Top management memoranda concerning internal control

• Organizational operating plans

• Employee job descriptions

Page 15

Human Resources Policies and Practices

• ‘Human resource policies and practices demonstrate important matters in relation to the control consciousness of an entity.’

• The methods by which persons are hired, trained, promoted, and compensated.

Page 16

2. Risk Assessment

• Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives of the entity, forming a basis for how the risks should be managed through controls.

• Client Management’s Risk Assessment

• Auditor Risk Assessment

Page 17

Client Management’s Risk Assessment

Client management assesses risk as part of designing and operating internal controls to minimize errors and fraud. The three steps are:

• Identify factors that may increase risk

• Determine the significance of each risk and its likelihood of occurrence

• Develop specific actions to reduce risk to an acceptable level.

Page 18

Auditor Risk Assessment

The auditor obtains knowledge about management’s risk assessment process by:

• Determining how management identifies risks relevant to financial reporting

• Evaluating their significance and likelihood of occurrence

• Deciding the actions needed to address the risks.

Page 19

3. Control Activities

• Control activities are the policies, procedures and practices observed so that business objectives are achieved and risk mitigation strategies are carried out.

• They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives.

Page 20

Control Activities

• Control activities occur throughout the organization, at all levels and in all functions.

• Without reliable information systems and effective IT control activities, companies would not be able to generate accurate financial reports.

Page 21

Classes of Control Activities

• General controls are controls that apply to all system components, processes, and data for a given organization.

• The objectives are to ensure the proper development and implementation of processes, as well as the integrity of programs, data files, and computer operations.

Page 22

General Controls

The most common general controls:

• Data center operation controls

• System software acquisition, change and maintenance

• Access security controls

• Application system development and maintenance controls

• Physical security of assets

• Authorization for access to computer programs and data files

Page 23

Application Controls

• These are controls that relate to specific computer software applications and the individual transactions they process.

Page 24

Application Controls

Examples include:

• Balancing control activities

• Check digits

• Predefined data listings

• Data reasonableness tests

• Logic tests
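The five application control types listed on this slide, implemented as checks over a constructed batch of journal entries. This is an added example, not code from the slides; the record fields, the mod-10 (Luhn) check digit, the cost-centre listing, the amount limits and the sample entries are all assumptions made for illustration.

```python
"""Application controls over a constructed batch of journal entries.

Added example: implements the check digit, predefined data listing,
data reasonableness, logic and balancing controls listed on the slide.
Field names, the mod-10 (Luhn) check digit, the limits and the sample
entries are assumptions made for illustration, not data from the slides.
"""
from datetime import date

# Predefined data listing: the only cost centres a line may post to (assumed).
VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}

# Reasonableness bounds for one line amount (assumed policy limits).
MIN_AMOUNT, MAX_AMOUNT = 0.01, 50_000.00


def luhn_check_digit_ok(number: str) -> bool:
    """Check digit test: the trailing digit must satisfy the mod-10 (Luhn) rule."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_line(entry: dict, as_of: date) -> list:
    """Run the per-transaction controls; return the control exceptions found."""
    problems = []
    if not luhn_check_digit_ok(entry["account"]):
        problems.append("check digit: invalid account number")
    if entry["cost_centre"] not in VALID_COST_CENTRES:
        problems.append("predefined listing: unknown cost centre")
    if not MIN_AMOUNT <= entry["amount"] <= MAX_AMOUNT:
        problems.append("reasonableness: amount outside expected range")
    if entry["posted"] > as_of:
        problems.append("logic test: posting date is after the batch date")
    if entry["side"] not in ("DR", "CR"):
        problems.append("logic test: side must be DR or CR")
    return problems


def batch_balances(entries: list) -> bool:
    """Balancing control: total debits must equal total credits for the batch."""
    debits = sum(e["amount"] for e in entries if e["side"] == "DR")
    credits = sum(e["amount"] for e in entries if e["side"] == "CR")
    return round(debits - credits, 2) == 0


def run_controls(entries: list, as_of: date) -> dict:
    """Map each failing entry id to its exceptions and report the batch balance."""
    exceptions = {}
    for e in entries:
        problems = check_line(e, as_of)
        if problems:
            exceptions[e["id"]] = problems
    return {"exceptions": exceptions, "balanced": batch_balances(entries)}


# Constructed sample batch: lines 1 and 2 are clean, line 3 fails four controls.
SAMPLE_BATCH = [
    {"id": 1, "account": "12345674", "cost_centre": "CC100",
     "amount": 1200.00, "side": "DR", "posted": date(2016, 7, 1)},
    {"id": 2, "account": "79927398713", "cost_centre": "CC200",
     "amount": 1200.00, "side": "CR", "posted": date(2016, 7, 1)},
    {"id": 3, "account": "12345678", "cost_centre": "CC999",
     "amount": 75000.00, "side": "DR", "posted": date(2016, 7, 31)},
]
AS_OF = date(2016, 7, 10)  # batch date used for the posting-date logic test

if __name__ == "__main__":
    for entry_id, problems in run_controls(SAMPLE_BATCH, AS_OF)["exceptions"].items():
        print(f"entry {entry_id}: " + "; ".join(problems))
    print("batch balanced:", batch_balances(SAMPLE_BATCH))
```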

Page 25

4. Information and Communication

• Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business.

• COSO states that information is needed at all levels of an organization to run the business and achieve the entity’s control objectives.

Page 26

Information and Communication

• For example, formalized procedures exist for people to report suspected fraud. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders, about related policy positions.

Page 27

Information Quality

• Information quality (IQ) is a term that describes the quality of the content of information systems.

• It is often pragmatically defined as: "The fitness for use of the information provided."

• Accuracy, timeliness, completeness, and accessibility of information

Page 28

Effectiveness of Communication

• A key purpose of effective communication is sustaining the ongoing work with maximum efficiency.

• In a broader sense, effective communication must ensure that information flows down, across and up the organization.

Page 29

5. Monitoring

• This is a process that assesses the quality of the system's performance over time.

• IT performance and effectiveness are continuously monitored using performance measures that indicate whether an underlying control is operating effectively.

Page 30

Types of Monitoring Activities

1. Ongoing monitoring activities include regularly performed supervisory and management activities such as continuous monitoring of customer complaints, or reviewing the reasonableness of management reports. Continuous monitoring is often performed with the use of technology such as embedded software.

2. Separate evaluations are monitoring activities that are performed on a nonroutine basis, such as periodic audits by internal auditors.

Page 31

Examples of Monitoring Activities

• Defect identification and management—Establishing metrics and analysing the trends of actual results against those metrics can provide a basis for understanding the underlying reasons for processing failures.

• Correcting these causes can improve system accuracy, completeness of processing and system availability.

Page 32

Examples of Monitoring Activities

• Security monitoring—Building an effective IT security infrastructure reduces the risk of unauthorized access.

• Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports, and should result in a reduction of the unavailability of key systems if applications and IT infrastructure components have been compromised.

Page 33

Monitoring

• Internal control deficiencies detected through these monitoring activities should be reported upstream, and corrective actions should be taken to ensure continuous improvement of the system.

Page 34

Benefits of Monitoring Activities

• Identify and correct internal control problems on a timely basis

• Produce more accurate and reliable information for use in decision-making

• Be in a position to provide periodic certifications or assertions on the effectiveness of internal control.

Page 35

COBIT

Control Objectives for Information and Related Technology

Page 36

• COSO’s Internal Control—Integrated Framework has become the most commonly used framework by companies complying with Sarbanes-Oxley.

• COSO does not provide a great deal of guidance to assist companies in the design and implementation of IT controls.

• IT controls are a subset of internal controls related to information technology (IT).

• IT control frameworks include COBIT and ISO.

Page 37

• COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.

• COBIT (Control OBjectives for Information and related Technology) is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Page 38

• The COBIT framework is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA).

• GOAL: To provide a common language for business executives to communicate with each other about goals, objectives and results.

Page 39

Enterprise Benefits

Enterprises and their executives strive to:

• Maintain quality information to support business decisions.

• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.

• Achieve operational excellence through reliable and efficient application of technology.

• Maintain IT-related risk at an acceptable level.

• Optimise the cost of IT services and technology.

How can these benefits be realized to create enterprise stakeholder value?

Page 40

Stakeholder Value

• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.

• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.

• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

Page 41

COBIT 4.1 to COBIT 5

COBIT 5 has clarified management-level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model.

Page 42

The COBIT 5 Framework

• COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Page 43

© 2012 ISACA. All rights reserved.

PROCESS DOMAINS

The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:

• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.

• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

Page 44

Governance and Management Defined

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Page 45

COBIT 5 Information Life Cycle

Page 46

COBIT 5 PRINCIPLES

Page 47

1. Meeting Stakeholder Needs

• It is critical to define and link enterprise goals and IT-related goals to best support stakeholder needs.

Goals Cascade

1. Stakeholder Drivers influence Stakeholder Needs

2. Stakeholder Needs cascade to Enterprise Goals

3. Enterprise Goals cascade to IT-related Goals

4. IT-related Goals cascade to Enabler Goals

Page 48

2. Covering the Enterprise End to End

• Companies must shift from managing IT as a cost to managing IT as an asset, and business managers must take on the accountability for governing and managing IT-related assets within their own functions.

Page 49

3. Applying a Single Integrated Framework

• Using a single, integrated governance framework can help organizations deliver optimum value from their IT assets and resources.

• COBIT 5 aligns with the latest relevant standards and frameworks used by enterprises:

• Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000

• IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI

• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.

Page 50

4. Enabling a Holistic Approach

• Governance of enterprise IT (GEIT) requires a holistic approach that takes into account many components, also known as enablers.

• Enablers influence whether something will work. COBIT 5 features seven enablers for improving GEIT, including principles, policies and frameworks; processes; culture; information and people.

Page 51

5. Separating Governance From Management

• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

• The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:

• Encompass different types of activities

• Require different organisational structures

• Serve different purposes

Page 52

COBIT 5 ENABLERS

Page 53

1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals

2. Organisational structures—Are the key decision-making entities in an organisation

3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities

4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management

5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services

7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

Page 54

Systemic governance and management through interconnected enablers

To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:

• Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour

• Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient

This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

Page 55

ISO/IEC 27002

Page 56

Definition

ISO/IEC 27002 is a popular, internationally recognized standard of good practice for information security. It is published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).

Page 57

Implementation Example of ISO/IEC 27002

• Physical and Environmental Security

• Human Resources Security

• Access Control

(Note: These are merely illustrations. The list of example controls is incomplete and not universally applicable.)

Page 58

Physical and Environmental Security

• Physical access to premises and support infrastructure must be monitored and restricted to prevent, detect and minimize the effects of unauthorized and inappropriate access, tampering, vandalism, criminal damage, theft etc.

• The list of people authorized to access secure areas must be reviewed and approved periodically (at least once a year) by the Administration or Physical Security Department, and cross-checked by their departmental managers.

Page 59

• Photography or video recording is forbidden inside Restricted Areas without prior permission from the designated authority.

• Access cards permitting time-limited access to general and/or specific areas may be provided to trainees, vendors, consultants, third parties and other personnel who have been identified, authenticated, and authorized to access those areas.

Page 60

• Other than in public areas such as the reception foyer, and private areas such as rest rooms, visitors should be escorted at all times by an employee while on the premises.

• The date and time of entry and departure of visitors, along with the purpose of the visit, must be recorded in a register maintained and controlled by Site Security or Reception.

Page 61

• Everyone on site (employees and visitors) must wear and display their valid, issued pass at all times, and must present their pass for inspection on request by a manager, security guard or concerned employee.

• Access control systems must themselves be adequately secured against unauthorized/inappropriate access and other compromises.

• Smoking is forbidden inside the premises other than in designated Smoking Zones.

Page 62

Human Resources Security

• Prior to Employment

Objective:

• To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Page 63

1. Roles and Responsibilities

Control: Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization’s information security policy.

2. Screening

Control: Background verification checks on all candidates for employment, contractors, and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

3. Terms and Conditions of Employment

Control: As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization’s responsibilities for information security.

Page 64

During Employment

Objective:

To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Page 65

1. Management Responsibilities

Control: Management should require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.

2. Information Security Awareness, Education and Training

Control: All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant for their job function.

3. Disciplinary Process

Control: There should be a formal disciplinary process for employees who have committed a security breach.

Page 66

Termination or Change of Employment

Objective:

To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Page 67

1. Termination Responsibilities

Control: Responsibilities for performing employment termination or change of employment should be clearly defined and assigned.

2. Return of Assets

Control: All employees, contractors and third party users should return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

3. Removal of Access Rights

Control: The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Page 68

Access Control

1. Business requirements of access control

The organization’s requirements to control access to information assets should be clearly documented in an access control policy and procedures. Network access and connections should be restricted.

2. User access management

The allocation of access rights to users should be controlled from initial user registration through to removal of access rights when no longer required, including special restrictions for privileged access rights and the management of passwords (now called “secret authentication information”), plus regular reviews and updates of access rights.

Page 69

3. User responsibilities

Users should be made aware of their responsibilities towards maintaining effective access controls, e.g. choosing strong passwords and keeping them confidential.

4. System and application access control

Information access should be restricted in accordance with the access control policy, e.g. through secure log-on, password management, control over privileged utilities and restricted access to program source code.
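A periodic user-access review of the kind the user access management control and the removal-of-access-rights control above call for, as an added example (not from the slides or from ISO/IEC 27002): it reconciles a constructed access list against constructed HR records and reports rights to remove after termination, rights to adjust after a role change, privileged rights without an approval on record, orphaned accounts and overdue reviews. The record fields, the one-year review period and all sample data are assumptions.

```python
"""Periodic user-access review over constructed HR and access-list records.

Added example, not from the slides or from ISO/IEC 27002: it turns the
user access management control (registration through removal, privileged
restrictions, regular reviews) into a check a reviewer can run. Record
fields, the one-year review period and the sample data are assumptions.
"""
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)  # assumed policy: every right re-reviewed yearly

# Constructed HR master data: employment status and the current job role.
HR_RECORDS = {
    "alice": {"status": "active", "role": "accounts_payable"},
    "bob": {"status": "terminated", "role": "developer"},
    "carol": {"status": "active", "role": "helpdesk"},
}

# Constructed access list: each right records the role it was granted for.
ACCESS_LIST = [
    {"user": "alice", "system": "erp", "privileged": False,
     "granted_for": "accounts_payable", "last_reviewed": date(2016, 2, 1)},
    {"user": "bob", "system": "git", "privileged": False,
     "granted_for": "developer", "last_reviewed": date(2015, 1, 1)},
    {"user": "carol", "system": "erp", "privileged": True,
     "granted_for": "developer", "last_reviewed": date(2015, 5, 1)},
    {"user": "dave", "system": "payroll", "privileged": False,
     "granted_for": "hr", "last_reviewed": date(2016, 6, 1)},
]

# Privileged rights need an explicit approval on record, keyed (user, system).
APPROVED_PRIVILEGED = {("alice", "erp")}
AS_OF = date(2016, 7, 10)  # date the review is run


def review_access(access_list, hr_records, approved_privileged, as_of,
                  review_period=REVIEW_PERIOD):
    """Return (user, system, finding) tuples for every right needing action."""
    findings = []
    for right in access_list:
        user, system = right["user"], right["system"]
        person = hr_records.get(user)
        if person is None:
            findings.append((user, system, "no HR record: orphaned account"))
            continue
        if person["status"] != "active":
            # Removal supersedes the remaining checks for this right.
            findings.append((user, system, "owner terminated: remove access"))
            continue
        if right["granted_for"] != person["role"]:
            findings.append((user, system, "role changed: adjust access"))
        if right["privileged"] and (user, system) not in approved_privileged:
            findings.append((user, system, "privileged right without approval"))
        if as_of - right["last_reviewed"] > review_period:
            findings.append((user, system, "review overdue"))
    return findings


def findings_for(user, findings):
    """Filter a review result down to one user's finding texts."""
    return [f[2] for f in findings if f[0] == user]


if __name__ == "__main__":
    for user, system, finding in review_access(
            ACCESS_LIST, HR_RECORDS, APPROVED_PRIVILEGED, AS_OF):
        print(f"{user}@{system}: {finding}")
```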

Page 70

Building a strong IT control program can help to:

• Enhance overall IT governance

• Enhance the understanding of IT among executives

• Enable better business decisions by providing higher-quality, more timely information

• Align project initiatives with business requirements

• Prevent loss of intellectual assets and the possibility of system breach

Page 71

Building a strong IT control program can help to:

• Contribute to compliance with other regulatory requirements, such as privacy

• Gain competitive advantage through more efficient and effective operations

• Optimize operations with an integrated approach to security, availability and processing integrity

• Enhance risk management competencies and prioritization of initiatives