COBIT 5 and COSO 2013: Comparing the Frameworks
Presented to ISACA Central Ohio Chapter
Charles T. Saunders, PhD, CIA, CCSA, CRMA
COSO/COBIT 5 Presentation

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (ISACA)
Overview of COBIT 5
• “COBIT 5 is a framework that enables IT to be governed and managed in a holistic manner for the entire enterprise … enables managers to bridge the gap between business objectives, technical issues, and business risk” (ISACA, 2014).
• Key concepts of COBIT 5:
  • IT governance and the political dimension
  • Core concepts that explain general use of the framework
  • Value creation and benefits realization
  • Risk management
  • Information security
  • Assurance
COBIT 5: IT Governance and the Political Dimension
• “IT governance is the process that ensures the efficient use of IT to achieve enterprise strategic objectives and goals” (ISACA, 2014).
• IT governance frameworks:
  • Balanced Scorecard
  • Capability Maturity Model Integration
  • COBIT
  • COSO
  • ENISA guidelines
  • ISO/IEC 27001
  • ITIL (focus on ITSM)
  • NIST guidelines
  • PRINCE2 (project management)
  • Six Sigma (operational performance, defect identification)
COBIT 5 Structure At-a-Glance
• Five Principles
• 11 Stakeholder Needs
• Four Balanced Scorecard (BSC) Dimensions
• 17 Goals for Alignment within the 4 BSC Dimensions
• Alignment of IT Goals with Enterprise Goals
COBIT 5 Principles

COBIT 5 Goals Cascade
COBIT 5 Use of Balanced Scorecard (BSC) Dimensions: Alignment of IT and Enterprise Goals – Examples
• BSC dimensions and related goals (17 total; the aligned IT goal is given in parentheses below each example):
  • Financial – 5 enterprise goals, 6 IT goals
    • Example 1: Stakeholder value of business investments (Alignment of IT and business strategy)
  • Customer – 5 enterprise goals, 2 IT goals
    • Example 2: Customer-oriented service culture (Delivery of IT services in line with business requirements)
  • Internal – 5 enterprise goals, 7 IT goals
    • Example 3: Operational and staff productivity (Availability of reliable and useful information for decision making)
  • Learning and Growth – 2 enterprise goals, 2 IT goals
    • Example 4: Product and business innovation culture (Knowledge, expertise, and initiatives for business innovation)
COBIT 5: Categories of Enablers
• Principles, Policies, and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics, and Behaviour
• Information
• Services, Infrastructure, and Applications
• People, Skills, and Competencies
COBIT 5 Enabler: Processes
• Process: “a collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)” (ISACA, 2012, p. 69).
COBIT 5 – Process Reference Model: Processes for Governance of Enterprise IT (examples)
• Evaluate, Direct, and Monitor (5 processes)
  • EDM02: Ensure benefits delivery
• Align, Plan, and Organize (13 processes)
  • APO02: Manage strategy
• Build, Acquire, and Implement (10 processes)
  • BAI09: Manage assets
• Deliver, Service, and Support (6 processes)
  • DSS01: Manage operations
• Monitor, Evaluate, and Assess (3 processes)
  • Monitor, evaluate, and assess performance and conformance
• NOTE: Metrics are recommended for all enablers and processes:
  • Questions: Needs addressed? Goals achieved? Life cycle managed? Good practices applied?
  • Lag indicators – for achievement of goals
  • Lead indicators – for application of practices
COBIT 5: Enabler Dimensions
• Stakeholders
  • Internal
  • External
• Goals
  • Intrinsic quality
  • Contextual quality (relevance, effectiveness)
  • Accessibility and security
• Life Cycle
  • Plan
  • Design
  • Build/Acquire/Create/Implement
  • Use/Operate
  • Evaluate/Monitor
  • Update/Dispose
• Good Practices
  • Process practices, activities, detailed activities
  • Work products (inputs/outputs)

COSO Internal Control – Integrated Framework (2013)
Defining Internal Control (COSO, 2013)
• Internal control is defined as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Fundamental Concepts of Internal Control
• Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
• A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
• Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
• Able to provide reasonable assurance—but not absolute assurance—to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process
Objectives
The Framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control:
• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.
Components of Internal Control
Internal control consists of five integrated components:
• Control Environment – The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
• Risk Assessment – Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
• Control Activities – The actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
• Information and Communication – Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
• Monitoring Activities – Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.
COSO – Relationship of Objectives and Components (Source: COSO)
Components and Principles: Control Environment
• The organization demonstrates a commitment to integrity and ethical values.
• The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
• Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
• The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Components and Principles: Risk Assessment
• The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• The organization considers the potential for fraud in assessing risks to the achievement of objectives.
• The organization identifies and assesses changes that could significantly impact the system of internal control.
Components and Principles: Control Activities
• The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• The organization selects and develops general control activities over technology to support the achievement of objectives.
• The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Components and Principles: Information and Communication
• The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
• The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
• The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Components and Principles: Monitoring
• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

COSO Enterprise Risk Management Framework (2004)
Since Risk Management is Mentioned in COBIT 5 … Here is an Overview of COSO’s ERM Integrated Framework (COSO, 2004)
• COSO definition of ERM: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• Achievement of objectives:
  • Strategic – high-level, aligned with and supporting the mission
  • Operations – effective and efficient use of its resources
  • Reporting – reliability of reporting
  • Compliance – with applicable laws and regulations
COSO: Components of Enterprise Risk Management
• Internal environment (tone, risk management philosophy, risk appetite, integrity, ethical values)
• Objective setting (set by management; aligned with mission and risk appetite)
• Event identification (internal and external events affecting achievement of objectives; risks vs. opportunities)
• Risk assessment (analysis: likelihood and impact; inherent and residual risks)
• Risk response (i.e., avoiding, accepting, reducing, sharing)
• Control activities (policies and procedures)
• Information and communication (relevant information to enable accomplishment of objectives; effective communication flowing down, across, and up the entity)
• Monitoring (through ongoing management activities, separate evaluations, or both)

Summary: Comparing COBIT 5 and COSO Frameworks
References
• COSO (2013). Internal control – integrated framework. Durham, NC: AICPA.
• COSO (2004). Enterprise risk management – integrated framework. Durham, NC: AICPA.
• ISACA (2014). Basic foundational concepts student book: Using COBIT 5. Rolling Meadows, IL: ISACA.
• ISACA (2012). COBIT 5: A business framework for the governance and management of enterprise IT. Rolling Meadows, IL: ISACA.
On a Personal Note
• Dr. Saunders is available to perform a sabbatical research project in your organization. Sabbaticals are 15-week projects which, with approval by Franklin University, enable faculty to pursue a supported research project in their field of interest. ERM, COSO, and COBIT 5 are within my field of interest and are directly related to courses I teach at Franklin. If there might be an opportunity within your organization, please take a business card today, and contact Dr. Saunders to discuss possibilities. Sabbatical projects are being planned for the 2015–2016 academic year.

Your Questions/Comments? Thank You!