Specialized Control Matrix – IT
• Book discusses the Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA)
• More widely accepted in industry is COBIT, developed by the IT Governance Institute: C = Control, OB = Objectives for, I = Information and related, T = Technology

COBIT: what is it?
• Provides companies with an information systems governance model that helps in understanding and managing the risks associated with technology
• Meant to facilitate bridging the gap between business risk, management needs and technical issues
• Augments COSO/ERM; it is not a replacement

COBIT Processes
• The primary COBIT® processes that have the most direct relevance to COSO’s internal control structure can be categorized into 4 broad categories:
  • Plan and organize
  • Acquire and implement
  • Deliver and support
  • Monitor and evaluate
COBIT: Plan and Organize Control Category
• IT strategic plan developed, monitored, communicated
• Define information capture, processing, and reporting controls
• IT staff has adequate knowledge and experience; roles defined and documented; proper segregation of duties; IT employees trained and developed, kept up to date with new technology
• Policies and procedures documented and updated; issues reported and resolved
• System changes are authorized and monitored; adequate controls surround change management
• IT performs security assessments; monitors/updates access restrictions; ensures continuity
• Set standard requirements; assess variances with standards
COBIT: Acquire and Implement Control Category
• Applications:
  • Financial reporting requirements met
  • Supports complete, accurate, timely, authorized and valid transaction processing
  • Development method includes security, availability and processing integrity requirements
  • Aligns with business strategy
  • Users are appropriately involved in design, selection and testing of the application
  • Post-implementation reviews performed to ensure controls are operating as intended
• Technology infrastructure:
  • Provides the appropriate platforms to support financial reporting applications
  • Ensure that infrastructure acquired (including network devices and software) is based on the requirements of the financial applications it is intended to support
• Policies and procedures:
  • Exist
  • Define required acquisition and maintenance processes, including documentation to support proper use of the technological solutions put in place
  • Regularly reviewed, updated and approved by management
• Install/test application software and infrastructure:
  • Systems appropriately tested and validated prior to being placed into production
  • Controls tested to ensure they operate as intended and support financial reporting
  • Testing strategy developed and followed during significant changes to ensure the system continues to operate as intended
  • Interfaces with other systems tested to confirm data transmissions are complete, accurate, timely and valid
• Change management:
  • System changes of financial reporting significance are authorized and tested before movement into production
  • Requests for program/system changes and maintenance standardized, documented and subject to change management procedures and approvals
  • Emergency control requests documented and approved
  • Restrict migration of programs to production to authorized personnel only
  • Protect the security of data and programs stored by the system
COBIT: Deliver and Support Control Category
• Define and manage service levels:
  • Quality of service levels is defined, documented, and monitored
  • Key performance indicators are established to manage both internal and external service agreements
• Manage third-party services:
  • Common understanding of the performance levels by which quality will be measured
  • Service levels defined and managed to support financial reporting system requirements
  • Define a framework to manage internal and external service level agreement key performance indicators
• Manage performance and capacity:
  • Monitor performance and capacity levels of systems and network
  • Respond to suboptimal performance and capacity measures in a timely manner
  • Planning for performance and capacity included in system design and implementation phases
• Educate and train users:
  • Identify and document the training needs of personnel
  • Provide education and ongoing training programs that include:
    • Ethical conduct
    • System security practices
    • Confidentiality standards
    • Integrity standards
    • Security responsibilities of staff
• Manage facilities:
  • Adequate environmental controls at the data center facility to maintain systems and data
  • Fire suppression, uninterrupted power service, air conditioning and elevated floors considered
COBIT: Monitor and Evaluate Control Category
• Monitoring:
  • Data collected and reported regarding achievement of performance indicator benchmarks
  • Appropriate metrics established to effectively manage the day-to-day activities of the IT department
• Internal control adequacy:
  • Monitor effectiveness of internal controls via management reviews, comparisons and benchmarks
  • Serious deviations in internal controls communicated to upper management, the board of directors, etc. when applicable
  • Assessments of internal controls performed periodically
• Independent assurance:
  • Independent reviews prior to implementing significant IT systems
  • Obtain independent internal control reviews of third-party service providers (SAS 70 review)
• Internal audit:
  • Consider an IT internal audit department to review IT activities and controls
  • Risk assessment and the subsequent audit plan include IT considerations
  • Follow up on IT control issues in a timely manner
SOX and COBIT
The Public Company Accounting Oversight Board (PCAOB) suggests in Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, that IT controls:
• have a pervasive effect on the achievement of controls related to reliable financial reporting
• should be evaluated in order to assess the likelihood of potential misstatements in each significant account
• and that the extent of information technology involvement in the period-end financial reporting process should be evaluated