COSO Monitoring Project Update
FEI - CFIT Meeting
September 25, 2008
Project Overview
• Drivers:
  • COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control.
  • SOX response provided confirmation.
• Objectives:
  • Help organizations improve the effectiveness and efficiency of their internal control systems.
  • Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes.
Project Overview
Process
• GT authoring team, supported by a large task force
• Last summer – conceptual whitepaper
• This summer – proposed guidance; public comments July to August 15
Content
• Volume I – Guidance – 15 pages
• Volume II – Theory & Application – 54 pages
• Volume III – Practical Examples – 116 pages
Final guidance will be issued shortly, but there are still some minor wording issues “in play”.
Guiding Principles
Without monitoring, even good controls deteriorate over time.
Organization Structure
Role of Management & The Board
• Management has primary responsibility for the internal control system
• The Board should determine that management has fulfilled its obligations
• “Evaluating” controls performed by senior management requires focus and consideration
Characteristics of Evaluators
• Competence – knowledge of the control and the implications of its failure
• Objectivity – performs the evaluation without fear of repudiation or personal interest in the outcome
Importance of Having A “Baseline”
You have to know that you have good internal controls before you can implement monitoring of those controls, and you have to adapt as things change.
Persuasive Information (about a control) is . . .
1. Suitable
  • Relevant
    • Direct
    • Indirect
  • Reliable
  • Timely
2. Sufficient
  • Quantity Of Information – Do We Have Enough To Support A Conclusion?
Both require judgment that depends on the level of risk and the control’s susceptibility to failure.
Relevance of Information
• Direct information
  • Substantiates control operation through observation and/or re-performance of a given control
• Indirect information
  • Anything other than direct information
  • Only allows the user to infer the continued effective operation of controls
  • Can only influence the type, timing, and extent of monitoring that uses direct information
Information Technology References & Implications
• Volume I – Guidance
  • None
• Volume II – Theory & Application
  • Tools Enabling The Monitoring Process
  • Tools That Monitor Controls
• Volume III – Practical Examples
  • Company-Specific Uses Of IT Tools Used To Monitor Process Risks
  • Comprehensive “Example” Of Identifying & Monitoring Controls Over “Common” IT Risks
  • Examples Of Common IT Processes That MIGHT Be Considered Monitoring
  • Examples Of How Tools Are Used
Tools Enabling The Monitoring Process
• Tools to make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable. Example uses:
  • Coordinate the risk assessment process
  • Provide a repository for documentation
  • Enhance the communication process
  • Support the “roll-up” of information at various levels and points within an organization
  • Provide performance indicators
Tools That Monitor Controls
• General Observations
  • Typically enhance both efficiency and effectiveness of the monitoring process
  • Can be very specific or very broad in terms of the types of controls they help monitor
  • Can be a control and simultaneously play a role in monitoring of controls
  • Can be independent or be part of the reporting capability of a tool that is functioning as a control
  • Apply to both IT processes and application controls
  • Do have limitations
Tools That Monitor Controls
• Tools that “monitor” controls typically do so by focusing on one or more of the following:
  • Transaction Data
  • Conditions
  • Changes
  • Processing Integrity
  • Error Management
Transaction Data
• Tools extract processed transactions, master file data, or both, and analyze them against a set of control rules to:
  • Highlight exceptions and/or anomalies
  • Analyze unusual trends in activities, values and volumes
  • Compare balances or details between two systems or between distinct parts of a process
• Can be an “ad hoc” reporting tool or an integrated application solution or suite
Conditions
• Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources, application systems, or both.
• Work by comparing the configuration information to “baseline” information, a prior analysis, or both to determine whether it is consistent with the organization’s expectations.
• Increase the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis.
• Can be “scanning” or “agent” based.
Changes
• Tools that identify and report changes to critical resources, data or information:
  • Usually operate on a continuous basis (i.e., they are “agent-based”)
  • Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
  • Most likely will be considered a control as well as a method for monitoring controls
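The two tool types on the “Conditions” and “Changes” slides differ only in what a current snapshot is compared against: the organization’s baseline expectation, or the prior analysis. The following is an added example (not code from the COSO guidance or from this deck) showing both comparisons over constructed configuration snapshots; the settings, values and the approved-change list are all assumed for illustration.

```python
# Constructed snapshots: the baseline the organization expects, the snapshot
# taken at the last analysis, and the one a scanner/agent collected just now.
BASELINE = {
    "password_min_length": 12,
    "audit_logging": "enabled",
    "admin_accounts": ("alice", "bob"),
    "ftp_service": "disabled",
}
PRIOR = dict(BASELINE)  # last analysis matched the baseline exactly
CURRENT = {
    "password_min_length": 8,                   # weakened since prior analysis
    "audit_logging": "enabled",
    "admin_accounts": ("alice", "bob", "carol"),  # new administrator added
    "ftp_service": "disabled",
    "guest_account": "enabled",                 # setting not in the baseline at all
}
# Constructed record of changes approved through change control: setting -> approved value.
APPROVED = {"admin_accounts": ("alice", "bob", "carol")}


def compare_conditions(baseline, current, approved):
    """'Conditions' monitoring: each setting whose current value differs from
    the baseline is a deviation unless an approved exception records exactly
    that value. Returns (setting, expected, observed, status) tuples."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected, observed = baseline.get(key), current.get(key)
        if observed == expected:
            continue
        status = "approved_exception" if approved.get(key) == observed else "deviation"
        findings.append((key, expected, observed, status))
    return findings


def detect_changes(prior, current, approved):
    """'Changes' monitoring: report every difference from the prior snapshot so
    it can be verified as authorized. Returns (setting, before, after, authorized)."""
    changes = []
    for key in sorted(set(prior) | set(current)):
        before, after = prior.get(key), current.get(key)
        if before != after:
            changes.append((key, before, after, approved.get(key) == after))
    return changes


if __name__ == "__main__":
    for finding in compare_conditions(BASELINE, CURRENT, APPROVED):
        print("condition:", finding)
    for change in detect_changes(PRIOR, CURRENT, APPROVED):
        print("change:", change)
```

Running it reports the new administrator as an approved exception and the shortened password length and enabled guest account as both baseline deviations and unauthorized changes, which is the follow-up list the slides describe.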
Processing Integrity
• Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:
  • Typically focus on balancing and controlling data as it progresses through processes and systems
  • Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
  • Most likely will be considered a control as well as a method for monitoring controls
Error Management
• Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.
• Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively.
• Will almost always be seen as a control activity first.
“Continuous Control Monitoring” Tools
• Tools typically complement normal transaction processing by checking transactions or other data for anomalies.
• In most cases, they operate as “control activities”, allowing for the identification of control failures and the ability to correct errors before they become significant.
• When used as a control, the tool itself should be subject to monitoring.
• Addressing the impact of change is also a key requirement for these tools.
Volume III - Examples
• Information Used To Monitor “Common” Controls That Are Relevant To Financial Reporting Risks
  • Application Security
  • Application Program/Configuration Change Control
  • Data Security & Change Control
  • Program Testing
  • Job Scheduling & Management
  • Data Redundancy
Volume III - Examples
• Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls
  • Access Recertification
  • Security Log Monitoring
  • Peer/Quality Review Processes
  • Change Review Boards
  • Post-Implementation Reviews
  • Recovery Testing