
COSO Framework


alannis

Presentation Transcript


  1. COSO Framework
     A company should include IT in all five COSO components:
     • Control Environment
     • Risk Assessment
     • Control activities
     • Information and communication
     • Monitoring
     NOTE: COBIT was developed to help achieve this goal.

  2. Control Environment
     • IT should be included in company-wide ethics policies
     • Capital expenditure policies should include specifics regarding IT purchases, including approval requirements
     • Support the achievement of the organization's financial reporting control objectives
     • Appropriate segregation of duties within the IT department itself

  3. Computer Systems - Segregation of Duties
     Recommended IT department segregation of duties: Systems Analyst, Programmer, Computer Operator, Testing Group, AIS Librarian (data, programs), Manager.
     What type of control is this? Preventive.
     One way for a company to address this risk is to share it: use an external consultant for pieces of application support, or utilize a web-based application.

  4. Risk Assessment
     • IT factors should be included in determining the risk that management objectives related to reliable financial reporting will not be met (SOX section 404).
     • Examples of IT risks:
       • Key system/application not available when needed
       • Significant information integrity failure (e.g., completeness, validity, etc.)
       • Implementation of an unauthorized change to a key system/application
       • Failure to properly maintain or update a key system/application

  5. Risk Assessment: IT Factors
     Factors that could increase the likelihood of a risk occurring:
     • Complex system and related application(s)
     • High volume of transactions being processed
     • History of significant error
     • High customization of applications
     • Old/dated system/application
     • High extent and complexity of revisions made to the system

  6. Control Activity: Computerized Controls, Friend or Foe?
     Benefits: decrease human error, restrict access, decrease duplication of input, audit trail
     Detriments: confidentiality, system integrity, completeness, input errors, audit trail

  7. Internal Controls - Computerized AIS Environment
     Some concepts of controls do not change:
     • Objective: mitigate risks
     • Control Environment: its importance and impact

  8. Internal Controls - Computerized AIS Environment
     Concepts of controls that change:
     • Characteristics: embedded/automated
     • Frequency: continuous vs. periodic
     • Errors: systemic vs. random

  9. Categories of IT Internal Controls
     • General Controls - pervasive, relate to the entire system.
       Examples: physical access restrictions, backup process, policies, disaster recovery, segregation of duties
     • Application Controls - specific, relate to individual portions of the system or to types of transactions.
       Examples: passwords, security matrix, edit reports, smart fields, batch totals
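As an added example (not part of the slides), here is how two of the application controls just listed, batch totals and edit checks, behave in code. The chart of accounts, the control slip and the keyed batch are constructed sample data: record 1004 is keyed with a dropped digit and record 1006 exists on no source document, so the completeness control (record count and hash total), the accuracy control (financial total) and the validity control (edit checks) each have something to catch.

```python
"""Batch totals and edit checks over a constructed batch of keyed transactions.
Added example; the data below is constructed and is not from the slides."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    account: str   # general-ledger account code, exactly as keyed
    amount: str    # amount exactly as keyed; validated by the edit checks
    posted: str    # posting date exactly as keyed, ISO format expected


# Constructed chart of accounts (an assumption for this example).
CHART_OF_ACCOUNTS = {"4000", "4010", "4020"}

# Constructed control slip: the three totals were computed from the five
# source documents *before* data entry, so keying errors show up as mismatches.
CONTROL_SLIP = {
    "record_count": 5,
    "financial_total": Decimal("1875.50"),   # sum of the five document amounts
    "hash_total": 20010,                      # sum of the five account codes
}

# Constructed keyed batch. Record 1004 was keyed as 4.00 instead of 40.00,
# and record 1006 has no source document at all.
KEYED_BATCH = [
    Transaction(1001, "4000", "250.00", "2024-03-01"),
    Transaction(1002, "4000", "1200.50", "2024-03-01"),
    Transaction(1003, "4010", "75.00", "2024-03-02"),
    Transaction(1004, "4000", "4.00", "2024-03-02"),
    Transaction(1005, "4000", "310.00", "2024-03-31"),
    Transaction(1006, "9999", "-12.00", "2024-02-30"),
]

# The same batch after the clerk resolves the exceptions the controls raise.
CORRECTED_BATCH = [
    Transaction(1004, "4000", "40.00", "2024-03-02") if t.txn_id == 1004 else t
    for t in KEYED_BATCH if t.txn_id != 1006
]


def edit_checks(batch, chart=CHART_OF_ACCOUNTS):
    """Field-level validity checks. Returns a list of (txn_id, field, reason)."""
    exceptions = []
    for t in batch:
        if t.account not in chart:
            exceptions.append((t.txn_id, "account", "not in chart of accounts"))
        try:
            if Decimal(t.amount) <= 0:
                exceptions.append((t.txn_id, "amount", "must be positive"))
        except InvalidOperation:
            exceptions.append((t.txn_id, "amount", "not a number"))
        try:
            date.fromisoformat(t.posted)
        except ValueError:
            exceptions.append((t.txn_id, "posted", "not a valid date"))
    return exceptions


def batch_totals(batch, slip=CONTROL_SLIP):
    """Recompute the control totals from the keyed records and compare them
    with the control slip. Returns {name: (expected, actual, matches)}."""
    def to_decimal(s):
        try:
            return Decimal(s)
        except InvalidOperation:
            return Decimal(0)   # unparseable amounts are caught by edit_checks

    def to_int(s):
        return int(s) if s.isdigit() else 0

    actual = {
        "record_count": len(batch),
        "financial_total": sum((to_decimal(t.amount) for t in batch), Decimal(0)),
        "hash_total": sum(to_int(t.account) for t in batch),
    }
    return {name: (slip[name], actual[name], slip[name] == actual[name]) for name in slip}


def batch_accepted(batch, slip=CONTROL_SLIP, chart=CHART_OF_ACCOUNTS):
    """A batch may post only when every edit check and every control total passes."""
    totals_ok = all(ok for _, _, ok in batch_totals(batch, slip).values())
    return not edit_checks(batch, chart) and totals_ok


if __name__ == "__main__":
    for exc in edit_checks(KEYED_BATCH):
        print("EDIT EXCEPTION:", exc)
    for name, (expected, actual, ok) in batch_totals(KEYED_BATCH).items():
        print(f"{name}: slip {expected}, keyed {actual}, {'OK' if ok else 'MISMATCH'}")
    print("keyed batch accepted:", batch_accepted(KEYED_BATCH))
    print("corrected batch accepted:", batch_accepted(CORRECTED_BATCH))
```

The two controls catch different things: the edit checks only ever see one record at a time, so they flag 1006 but cannot notice that 1004 is wrong by 36.00; the financial total sees the whole batch, so it catches the dropped digit but cannot say which record caused it. That is why both are listed as separate application controls.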

  10. Control Activities
     Management should ensure that both IT general and application controls exist and support the objectives of the compliance effort. Some of the key areas related to IT include:
     • Designing and implementing controls to mitigate significant identified IT risks
     • Monitoring key IT controls for continued effectiveness
     • Documenting and testing IT controls related to §404

  11. Information and Communication
     IT items to consider:
     • Define, implement, and maintain system security levels; periodically review and modify them.
     • Develop, document, and communicate IT policies and procedures
     • Put a process in place to assess compliance with IT policies, procedures, and standards
     • Investigate IT compliance deviations and remediate as needed

  12. Monitoring
     Companies need to evaluate the actual ability of designed controls to reduce risk to an appropriate and planned level. For example:
     • Periodically evaluate the operating effectiveness of control activities and document the results
     • Leverage technology to its fullest extent to document processes and control activities, identify gaps, and evaluate the effectiveness of controls
     • Continuously evaluate and update controls to reflect necessary major process or organizational changes

  13. Access and Safeguarding
     • Data protection - passwords, smart fields, firewalls, backup files, security matrix, etc.
     • Physical protection - restrict access to computer rooms, monitor access to IT computers/programs, restrict access to the internet, etc.
     • Uninterruptible power sources - separate grid, backup generator, etc.
     • Disaster recovery - hot sites, cold sites, etc.

  14. Security Matrix (Access Control)
     • A table listing all authorized users and their corresponding abilities within a system. This should include the type of access as well:
       • Read
       • Change
       • Delete
     • Powerful SOD tool
     • Change management is key to remaining effective
     • Type of control? Preventive

  15. Problem 7.3
     Take 10 minutes and complete Problem 7.3 a.
     NOTE: Processing is equal to a 3 (read, modify, create, and delete).

  16. 7.3 a.: Access Control Matrix

  17. Problem 7.3
     Complete part b of problem 7.3. 5 minutes.

  18. 7.3 b.
     Inventory control: should not have create and delete rights to the inventory file. This analyst should only have read, display, and update rights to the inventory program.
     Human resources manager: should only have read access rights to the payroll file. Also add read access to the Transaction File as a management review tool.
     NOTE: The CIO is part of a small company without proper IT segregation of duties. How could this added risk be addressed?
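An added example, not part of the slides or of the textbook's solution to Problem 7.3, that treats the security matrix of slide 14 as data and reviews it against the part b answer above. The code scheme 0/1/2 is an assumption (the slides define only 3 = processing: read, modify, create and delete); the users, files and programs in the matrix, the access codes granted to them, and the program-to-file pairing used for the segregation-of-duties check are all constructed for this example.

```python
"""Access control (security) matrix with a policy review and a segregation-of-
duties check. Added example; all data below is constructed."""

# Assumed code scheme. Only code 3 is defined on the slides.
LEVEL_NAMES = {0: "none", 1: "read", 2: "update", 3: "processing"}

# Minimum code required for each action under the assumed scheme.
ACTION_MIN_LEVEL = {"read": 1, "display": 1, "update": 2, "modify": 2,
                    "create": 3, "delete": 3}

# Constructed matrix: one row per user, one column per file or program.
# It deliberately over-grants the inventory analyst and the HR manager.
MATRIX = {
    "inventory_analyst": {"inventory_file": 3, "inventory_program": 3,
                          "payroll_file": 0, "transaction_file": 1},
    "hr_manager":        {"inventory_file": 0, "inventory_program": 0,
                          "payroll_file": 2, "transaction_file": 0},
    "payroll_clerk":     {"inventory_file": 0, "inventory_program": 0,
                          "payroll_file": 2, "transaction_file": 1},
    "cio":               {"inventory_file": 3, "inventory_program": 3,
                          "payroll_file": 3, "transaction_file": 3},
}

# Intended limits, written down from the part b answer on the slide:
# the analyst gets read/display/update but no create/delete on inventory,
# the HR manager gets read-only payroll plus read on the transaction file.
POLICY_MAX = {
    "inventory_analyst": {"inventory_file": 2, "inventory_program": 2},
    "hr_manager": {"payroll_file": 1, "transaction_file": 1},
}
POLICY_MIN = {"hr_manager": {"transaction_file": 1}}   # read needed for review

# Constructed pairing used by the SoD check: which program maintains which file.
PROGRAM_TO_FILE = {"inventory_program": "inventory_file"}


def is_permitted(matrix, user, resource, action):
    """Preventive check at request time: is the granted code high enough?"""
    granted = matrix.get(user, {}).get(resource, 0)
    return granted >= ACTION_MIN_LEVEL[action]


def review_against_policy(matrix, policy_max=POLICY_MAX, policy_min=POLICY_MIN):
    """Periodic access review: compare granted codes with intended codes.
    Returns a list of (user, resource, reason) findings."""
    findings = []
    for user, limits in policy_max.items():
        for resource, max_level in limits.items():
            granted = matrix.get(user, {}).get(resource, 0)
            if granted > max_level:
                findings.append((user, resource,
                                 f"granted {LEVEL_NAMES[granted]}, "
                                 f"policy allows at most {LEVEL_NAMES[max_level]}"))
    for user, needs in policy_min.items():
        for resource, min_level in needs.items():
            granted = matrix.get(user, {}).get(resource, 0)
            if granted < min_level:
                findings.append((user, resource,
                                 f"granted {LEVEL_NAMES[granted]}, "
                                 f"policy requires at least {LEVEL_NAMES[min_level]}"))
    return findings


def segregation_conflicts(matrix, program_to_file=PROGRAM_TO_FILE):
    """Flag users holding code 3 on both a program and the data file it
    maintains: one person could change the program and then process the data,
    which is the programmer/operator split from slide 3."""
    return [(user, program, data_file)
            for user, grants in matrix.items()
            for program, data_file in program_to_file.items()
            if grants.get(program, 0) == 3 and grants.get(data_file, 0) == 3]


def apply_policy_max(matrix, policy_max=POLICY_MAX):
    """Return a copy of the matrix with every over-grant lowered to its limit.
    It never raises a code, so missing rights still show up in a re-review."""
    fixed = {user: dict(grants) for user, grants in matrix.items()}
    for user, limits in policy_max.items():
        for resource, max_level in limits.items():
            if user in fixed:
                fixed[user][resource] = min(fixed[user].get(resource, 0), max_level)
    return fixed


if __name__ == "__main__":
    print("HR manager may update payroll:",
          is_permitted(MATRIX, "hr_manager", "payroll_file", "update"))
    for finding in review_against_policy(MATRIX):
        print("REVIEW:", finding)
    print("SoD conflicts before:", segregation_conflicts(MATRIX))
    fixed = apply_policy_max(MATRIX)
    print("SoD conflicts after:", segregation_conflicts(fixed))
    print("Still open after lowering rights:", review_against_policy(fixed))
```

Lowering the over-grants removes the analyst's conflict, but two findings survive the re-review: the HR manager still lacks the transaction-file read that the answer calls for (taking rights away never grants one), and the CIO still holds code 3 on both the program and its file. That remaining conflict is exactly the question the slide's NOTE raises for a small company without IT segregation of duties; slide 3 names sharing the risk through an external consultant or a web-based application as one way to address it.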

  19. Things to keep in mind regarding IT
     • General computer controls should be:
       • based on financial reporting requirements
       • signed off by key business process owners
       • not left to the sole responsibility of the IT function.
     • IT application controls should also be defined by business-user requirements, and not by the IT function.

  20. IT Controls and SOX
     IT controls are embedded in controls critical to reliable financial reporting. For example:
     • Establishment of data classification (e.g., chart of accounts, account groupings, or aging)
     • User management (e.g., authentication, authorization, or initiation)
     • Monitoring of transaction thresholds and tolerance levels (e.g., smart fields, exception reports, etc.)
     • Data processing integrity and validation

  21. SOX and IT
     • Management must identify where technology is critical in supporting the financial statement process, including the key systems and subsystems that need to be included in the scope of the SOX compliance project.
     • Systems may be within scope if they are involved in the initiation, recording, processing, and/or reporting of financial information.
     • Only IT systems that are associated with a significant account or related business process need to be considered for compliance purposes. The higher the risk, the greater the need for relevant IT control assurance.

  22. Factors to consider for SOX inclusion
     Factors that should be considered when determining whether systems need to be reviewed and tested as part of a Sarbanes-Oxley compliance project include:
     • Volume of transactions
     • Dollar value of transactions
     • Complexity of transactions
     • Sensitivity of financial data and reports
