7/30/2019 COSO Update Sept 2008
1/22
Grant Thornton
Guidance on Monitoring Internal Control Systems
COSO Monitoring Project Update
FEI - CFIT Meeting, September 25, 2008
Slide 1
Project Overview
Drivers: COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control. The SOX response provided confirmation.
Objectives:
Help organizations improve the effectiveness and efficiency of their internal control systems.
Provide practical guidance that illustrates how monitoring can be incorporated into an organization's internal control processes.
Slide 2
Project Overview
Process
GT authoring team, supported by a large task force
Last summer: conceptual whitepaper
This summer: proposed guidance; public comments July to August 15
Content
Volume I Guidance: 15 pages
Volume II Theory & Application: 54 pages
Volume III Practical Examples: 116 pages
Final guidance will be issued shortly, but there are still some minor wording issues in play.
Slide 3
Guiding Principles
Without monitoring, even good controls deteriorate over time.
Slide 4
Organization Structure
Role of Management & The Board
Management has primary responsibility for the internal control system.
The Board should determine that management has fulfilled its obligations.
Evaluating controls performed by senior management requires focus and consideration.
Characteristics of Evaluators
Competence: knowledge of the control and the implications of its failure.
Objectivity: performs the evaluation without fear of repudiation or personal interest in the outcome.
Slide 5
Importance of Having A Baseline
You have to know that you have good internal controls before you can implement monitoring of those controls, and you have to adapt as things change.
Slide 6
Design & Execute Monitoring
Slide 7
Persuasive information (about a control) is:
1. Suitable
Relevant (Direct or Indirect)
Reliable
Timely
2. Sufficient
Quantity of information: do we have enough to support a conclusion?
[Figure: Venn diagram of Relevant, Reliable and Timely information. The overlap of all three is labelled "Relevant, Reliable & Timely"; the regions outside each circle are labelled "Need Timely Info", "Need Reliable Info" and "Need Relevant Info".]
Both require judgment that depends on the level of risk and the control's susceptibility to failure.
Slide 8
Relevance of Information
Direct information
Substantiates control operation through observation and/or re-performance of a given control.
Indirect information
Anything other than direct information.
Only allows the user to infer the continued effective operation of controls.
Can only influence the type, timing, and extent of monitoring using direct information.
Slide 9
Information Technology References & Implications
Volume I Guidance
None
Volume II Theory & Application
Tools Enabling The Monitoring Process
Tools That Monitor Controls
Volume III Practical Examples
Company-Specific Uses Of IT Tools Used To Monitor Process Risks
Comprehensive Example Of Identifying & Monitoring Controls Over Common IT Risks
Examples Of Common IT Processes That MIGHT Be Considered Monitoring
Examples Of How Tools Are Used
Slide 10
Tools Enabling The Monitoring Process
Tools that make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable. Example uses:
Coordinate the risk assessment process
Provide a repository for documentation
Enhance the communication process
Support the roll-up of information at various levels and points within an organization
Provide performance indicators
Slide 11
Tools That Monitor Controls
General Observations
Typically enhance both efficiency and effectiveness of the monitoring process
Can be very specific or very broad in terms of the types of controls they help monitor
Can be a control and simultaneously play a role in monitoring of controls
Can be independent or be part of the reporting capability of a tool that is functioning as a control
Apply to both IT processes and application controls
Do have limitations
Slide 12
Tools That Monitor Controls
Tools that monitor controls typically do so by focusing on one or more of the following:
Transaction Data
Conditions
Changes
Processing Integrity
Error Management
Slide 13
Transaction Data
Tools extract processed transactions, master file data, or both, and analyze them against a set of control rules to:
Highlight exceptions and/or anomalies
Analyze unusual trends in activities, values and volumes
Compare balances or details between two systems or between distinct parts of a process
Can be an ad hoc reporting tool or an integrated application solution or suite
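The three uses of transaction data above (rule-based exceptions, unusual volumes, and comparing a subledger with the general ledger), as an added example that is not part of the original deck or the COSO guidance. The vendor master, the payments, the GL balance, the approval limit and the volume-spike factor are all constructed or assumed values.

```python
from collections import Counter

# Constructed vendor master file: vendor id -> name (not real data).
VENDOR_MASTER = {"V100": "Acme Supply", "V200": "Beta Services"}
APPROVAL_LIMIT = 10_000.00   # assumed single-approver payment limit
VOLUME_SPIKE_FACTOR = 2      # assumed: flag a day with more than 2x the median daily count

# Constructed processed payments: (txn id, vendor id, invoice no, amount, posting date).
TRANSACTIONS = [
    ("T1", "V100", "INV-1", 4500.00, "2008-09-01"),
    ("T2", "V200", "INV-7", 12000.00, "2008-09-01"),  # exceeds approval limit
    ("T3", "V999", "INV-2", 800.00, "2008-09-02"),    # vendor not in master file
    ("T4", "V100", "INV-1", 4500.00, "2008-09-02"),   # same vendor/invoice as T1
    ("T5", "V100", "INV-3", 100.00, "2008-09-03"),
    ("T6", "V200", "INV-8", 250.00, "2008-09-03"),
    ("T7", "V200", "INV-9", 300.00, "2008-09-03"),
    ("T8", "V100", "INV-4", 50.00, "2008-09-03"),
    ("T9", "V100", "INV-5", 75.00, "2008-09-03"),
]
GL_PAYABLES_TOTAL = 22000.00  # constructed general-ledger balance for the same period


def rule_exceptions(txns, master, limit):
    """Apply the control rules to each transaction; return (rule, txn id) pairs."""
    occurrences = Counter((vendor, inv) for _, vendor, inv, _, _ in txns)
    found = []
    for tid, vendor, inv, amount, _ in txns:
        if vendor not in master:            # payment to a vendor not on the master file
            found.append(("unknown_vendor", tid))
        if amount > limit:                  # payment above the approval limit
            found.append(("over_approval_limit", tid))
        if occurrences[(vendor, inv)] > 1:  # possible duplicate payment
            found.append(("duplicate_invoice", tid))
    return found


def volume_anomalies(txns, factor):
    """Flag posting days whose transaction count exceeds factor x the median day."""
    per_day = Counter(date for _, _, _, _, date in txns)
    counts = sorted(per_day.values())
    median = counts[len(counts) // 2]
    return sorted(day for day, n in per_day.items() if n > factor * median)


def reconcile(txns, gl_total):
    """Compare the subledger total with the GL balance; return the difference."""
    subledger_total = sum(amount for _, _, _, amount, _ in txns)
    return round(subledger_total - gl_total, 2)
```

Each function returns its findings rather than printing them, so the same checks can feed a scheduled exception report or a reconciliation ticket.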
Slide 14
Conditions
Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources, application systems, or both.
Work by comparing the configuration information to baseline information, a prior analysis, or both, to determine if it is consistent with the organization's expectations.
Increase the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis.
Can be scanning-based or agent-based.
Slide 15
Changes
Tools that identify and report changes to critical resources, data or information:
Usually operate on a continuous basis (i.e., they are "agent-based")
Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
Most likely will be considered a control as well as a method for monitoring controls
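The comparison described under Conditions (current configuration against a baseline and a prior analysis) and under Changes (each detected change verified as authorized), as one added example that is not part of the original deck or the COSO guidance. The settings, the prior snapshot and the change ticket CHG-0042 are constructed, and the rule that a drift counts as authorized only when an approved ticket names both that setting and its new value is an assumption.

```python
# Constructed approved baseline for a (hypothetical) payments server.
BASELINE = {
    "password_min_length": "12",
    "audit_logging": "enabled",
    "ftp_service": "disabled",
    "tls_min_version": "1.2",
}
# Constructed snapshot from the prior monitoring run: debug_mode was already present.
PRIOR = {**BASELINE, "debug_mode": "on"}
# Constructed snapshot taken now.
CURRENT = {
    "password_min_length": "8",    # weakened, no approved change
    "audit_logging": "enabled",
    "ftp_service": "enabled",      # changed under an approved ticket
    "tls_min_version": "1.2",
    "debug_mode": "on",            # not in baseline, unchanged since prior run
}
# Constructed approved-change list: setting -> (ticket id, approved value).
APPROVED_CHANGES = {"ftp_service": ("CHG-0042", "enabled")}


def diff(reference, snapshot):
    """Return {setting: (reference value, snapshot value)} where the two differ;
    a setting missing on one side is reported as None."""
    keys = sorted(set(reference) | set(snapshot))
    return {k: (reference.get(k), snapshot.get(k))
            for k in keys if reference.get(k) != snapshot.get(k)}


def classify(baseline, prior, current, approved):
    """List every drift from baseline, marking whether it appeared since the
    prior snapshot and whether an approved change ticket covers the new value."""
    since_prior = diff(prior, current)
    report = []
    for key, (expected, actual) in diff(baseline, current).items():
        ticket = approved.get(key)
        authorized = ticket is not None and ticket[1] == actual
        report.append({
            "key": key, "expected": expected, "actual": actual,
            "new_since_prior": key in since_prior,
            "status": f"authorized ({ticket[0]})" if authorized else "unauthorized",
        })
    return report


def unauthorized(report):
    """Items that need follow-up: drift with no approved change behind it."""
    return [item["key"] for item in report if item["status"] == "unauthorized"]
```

Comparing against both the baseline and the prior snapshot separates long-standing drift (already visible last run) from new drift, which is what lets the tool be scheduled frequently without re-raising the same findings as new.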
Slide 16
Processing Integrity
Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:
Typically focus on balancing and controlling data as it progresses through processes and systems
Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
Most likely will be considered a control as well as a method for monitoring controls
Slide 17
Error Management
Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.
Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively.
Will almost always be seen as a control activity first.
Slide 18
Continuous Control Monitoring Tools
Tools typically complement normal transaction processing by checking transactions or other data for anomalies.
In most cases, they operate as control activities, allowing for the identification of control failures and the ability to correct errors before they become significant.
When used as a control, the tool itself should be subject to monitoring.
Addressing the impact of change is also a key requirement for these tools.
Slide 19
Volume III - Examples
Information Used To Monitor Common Controls That Are Relevant To Financial Reporting Risks
Application Security
Application Program/Configuration Change Control
Data Security & Change Control
Program Testing
Job Scheduling & Management
Data Redundancy
Slide 20
Volume III - Examples
Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls
Access Recertification
Security Log Monitoring
Peer/Quality Review Processes
Change Review Boards
Post-Implementation Reviews
Recovery Testing
Grant Thornton
Guidance on Monitoring Internal Control Systems
Questions???