COBIT 5 and COSO 2013: Comparing the Frameworks

Presented to ISACA Central Ohio Chapter

Charles T. Saunders, PhD, CIA, CCSA, CRMA

COSO/COBIT 5 Presentation

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (ISACA)

Overview of COBIT 5
  • “COBIT 5 is a framework that enables IT to be governed and managed in a holistic manner for the entire enterprise…enables managers to bridge the gap between business objectives, technical issues, and business risk” (ISACA, 2014).
  • Key concepts of COBIT 5:
    • IT Governance and the political dimension
    • Core concepts that explain general use of framework
    • Value creation and benefits realization
    • Risk management
    • Information security
    • Assurance

COBIT 5: IT Governance and the Political Dimension
  • “IT governance is the process that ensures the efficient use of IT to achieve enterprise strategic objectives and goals” (ISACA, 2014).
  • IT governance frameworks:
    • Balanced Scorecard
    • Capability Maturity Model Integration
    • COBIT
    • COSO
    • ENISA guidelines
    • ISO/IEC 27001
    • ITIL (focus on ITSM)
    • NIST guidelines
    • PRINCE2 (project management)
    • Six Sigma (operational performance, defect identification)

COBIT 5 Structure At-a-Glance
  • Five Principles
  • 11 Stakeholder Needs
  • Four Balanced Scorecard (BSC) Dimensions
  • 17 Goals for Alignment within 4 BSC Dimensions
    • Alignment of IT Goals with Enterprise Goals

COBIT 5 Principles

COBIT 5 Goals Cascade

COBIT 5 Use of Balanced Scorecard (BSC) Dimensions: Alignment of IT and Enterprise Goals - Examples
  • BSC Dimensions and Related Goals (17 total):
    • Financial – 5 Enterprise goals, 6 IT goals (aligned IT goals in parentheses, below)
      • Example # 1: Stakeholder value of business investments (Alignment of IT and business strategy)
    • Customer – 5 Enterprise goals, 2 IT goals
      • Example # 2: Customer-oriented service culture (Delivery of IT services in line with business requirements)
    • Internal – 5 Enterprise goals, 7 IT goals
      • Example # 3: Operational and staff productivity (Availability of reliable and useful information for decision making)
    • Learning and Growth – 2 Enterprise and 2 IT goals
      • Example # 4: Product and business innovation culture (Knowledge, expertise, and initiatives for business innovation)

COBIT 5: Categories of Enablers
  • Principles, Policies, and Frameworks
  • Processes
  • Organizational Structures
  • Culture, Ethics, and Behaviour
  • Information
  • Services, Infrastructure, and Applications
  • People, Skills, and Competencies

COBIT 5 Enabler: Processes
  • Process: “a collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)” (ISACA, 2012, p. 69).

COBIT 5 – Process Reference Model: Processes for Governance of Enterprise IT (examples)
  • Evaluate, Direct, and Monitor (5 processes)
    • EDM02: Ensure benefits delivery
  • Align, Plan, and Organize (13 processes)
    • APO02: Manage strategy
  • Build, Acquire, and Implement (10 processes)
    • BAI09: Manage assets
  • Deliver, Service, and Support (6 processes)
    • DSS01: Manage operations
  • Monitor, Evaluate, and Assess (3 processes)
    • Monitor, evaluate, and assess performance and conformance
  • NOTE: Metrics recommended for all Enablers and Processes:
    • Questions: Needs addressed? Goals achieved? Life cycle managed? Good practices applied?
    • Lag indicators – for Achievement of goals
    • Lead indicators – for Applications of practice

COBIT 5: Enabler Dimensions
  • Stakeholders
    • Internal
    • External
  • Goals
    • Intrinsic quality
    • Contextual quality (relevance, effectiveness)
    • Accessibility and security
  • Life Cycle
    • Plan
    • Design
    • Build/Acquire/Create/Implement
    • Use/Operate
    • Evaluate/Monitor
    • Update/Dispose
  • Good Practices
    • Process practices, activities, detailed activities
    • Work products (Inputs/Outputs)

Defining Internal Control (COSO, 2013)
  • Internal control is defined as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Fundamental Concepts of Internal Control
  • Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
  • Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

Objectives

The Framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control:

  • Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
  • Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
  • Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

Components of Internal Control

Internal control consists of five integrated components:

  • Control Environment - The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
  • Risk Assessment - Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.

Components of Internal Control
  • Control Activities - the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
  • Information and Communication - Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.

Components of Internal Control
  • Monitoring Activities - Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

Components and Principles: Control Environment
  • The organization demonstrates a commitment to integrity and ethical values.
  • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Components and Principles: Risk Assessment
  • The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  • The organization identifies and assesses changes that could significantly impact the system of internal control.

Components and Principles: Control Activities
  • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The organization selects and develops general control activities over technology to support the achievement of objectives.
  • The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Components and Principles: Information and Communication
  • The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
  • The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Components and Principles: Monitoring
  • The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Since Risk Management is Mentioned in COBIT 5… Here is an Overview of COSO’s ERM Integrated Framework (COSO, 2004)
  • COSO Definition of ERM: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
  • Achievement of Objectives:
    • Strategic – high-level, aligned with and supporting mission
    • Operations – effective and efficient use of its resources
    • Reporting – reliability of reporting
    • Compliance – with applicable laws and regulations

COSO: Components of Enterprise Risk Management
  • Internal environment (tone, risk management philosophy, risk appetite, integrity, ethical values)
  • Objective setting (set by management, align with mission and risk appetite)
  • Event identification (internal and external events affecting achievement of objectives; risks vs. opportunities)
  • Risk assessment (analysis: likelihood and impact; inherent and residual risks)
  • Risk response (i.e., avoiding, accepting, reducing, sharing)
  • Control activities (policies and procedures)
  • Information and communication (relevant information to enable accomplishment of objectives; effective communication flowing down, across, and up the entity)
  • Monitoring (through ongoing management activities, separate evaluations, or both)

References
  • COSO (2013). COSO: Internal control – integrated framework. Durham, NC: AICPA.
  • COSO (2004). Enterprise risk management – integrated framework. Durham, NC: AICPA.
  • ISACA (2014). Basic foundational concepts student book: Using COBIT 5. Rolling Meadows, IL: ISACA.
  • ISACA (2012). COBIT 5: A business framework for the governance and management of enterprise IT. Rolling Meadows, IL: ISACA.

On a Personal Note
  • Dr. Saunders is available to perform a sabbatical research project in your organization. Sabbaticals are 15-week projects which, with approval by Franklin University, enable faculty to pursue a supported research project in their field of interest. ERM, COSO, and COBIT 5 are within my field of interest and are directly related to courses I teach at Franklin. If there might be an opportunity within your organization, please take a business card today, and contact Dr. Saunders to discuss possibilities. Sabbatical projects are being planned for the 2015 – 2016 academic year.


Your Questions/Comments?

Thank You!
