Technically Speaking: Control Activities Over Technology and the New COSO

  • Date posted: 25-May-2018

  • Technically Speaking: Control Activities Over Technology and the New COSO

    Presenters: Stephen W. Blann, Principal, Rehmann; Bert Nuehring, Partner, Crowe Horwath LLP; Scott M. Petree, Senior Manager, Plante & Moran, PLLC

    Date: May 20, 2014, 2:00 to 3:40 pm

  • Agenda

    o Review of COSO Background and Framework

    o Key Areas of IT Risk

    o Information Security Framework by COSO

    o Codification of Framework

    o IT Controls

    o Current and New Technology

    o A Practical Approach to IC for Smaller Governments

    o Published Documents about COSO

  • REVIEW OF COSO BACKGROUND AND FRAMEWORK

  • COSO Project Background

    o In November 2010, COSO announced a project to review and update the Internal Control - Integrated Framework (Framework) originally issued in 1992.

    o The decision to revise the original Framework was driven by the following factors:

    o The COSO Board's desire to make the Framework more relevant and useful

    o Business and operating environments have become more complex, technologically driven and global in scale since the original Framework was issued more than twenty years ago

    o Key stakeholders are more engaged and are seeking greater transparency and accountability for the integrity of systems of internal control that support business and governance

    o The Board of Directors of COSO approved the updated Framework and issued it on Tuesday, May 14, 2013. It incorporates input from various organizations (e.g., AICPA, IIA, public accounting firms, regulators, etc.) and nearly 1,000 key stakeholders. The majority of respondents supported updating, but not overhauling, the Framework.

    o The revised Framework is expected to help organizations reduce risk, improve compliance, and strengthen internal controls

  • Integrated Framework: Overview

    First published in 1992

    Gained wide acceptance following the financial control failures in the early 2000s and initial SOX years

    Most widely used Framework for evaluating controls in the U.S.

    Widely used around the world

    Most companies publicly disclose if they are following the Framework

  • Integrated Framework: Project Objectives

    Original Framework: COSO's Internal Control - Integrated Framework (1992 Edition)

    Enhancement Objectives:

    o Address Significant Changes to the Business Environment and Associated Risks

    o Codify Criteria Used in the Development and Assessment of Internal Control

    o Increase Focus on Operations, Compliance and Non-Financial Reporting Objectives

    Key Changes:

    o Updated, Enhanced and Clarified Framework

    o Seventeen Principles Aligned With the Five Components of Internal Control

    o Expanded Internal and Non-Financial Reporting Guidance

    Updated Framework: COSO's Internal Control - Integrated Framework (2013 Edition)

  • COSO, COBIT

    o General internal control: COSO

    o Information technology internal control: COBIT

    o Control Objectives for Information & related Technology (COBIT)

    o Developed by ISACA (Information Systems Audit & Control Association)

  • Information Criteria

    EFFECTIVENESS: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

    EFFICIENCY: Concerns the provision of the information through the optimal use of resources

    CONFIDENTIALITY: Concerns the protection of sensitive information from unauthorized disclosure

    INTEGRITY: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations

    AVAILABILITY: Relates to the information being available when required by the business process now and in the future

    COMPLIANCE: Deals with complying with laws, regulations and contractual arrangements

    RELIABILITY OF INFORMATION: Relates to the provision of appropriate information for the workforce of the organization

  • Control Objectives

    Define Strategic IT Plan

    Define Information Architecture

    Manage Quality

    Determine Technological Direction

    Define IT Processes, Organization, Relationships

    Manage IT Investment

    Communicate Management Aims & Direction

    Manage IT Human Resources

    Manage Projects

    Assess & Manage IT Risks

    Identify Automated Solutions

    Acquire & Maintain Application Software

    Acquire & Maintain Technology Infrastructure

    Enable Operation & Use

    Procure IT Resources

    Manage Changes

    Define & Manage Service Level

    Ensure Continuous Service

    Educate & Train Users

    Manage Third-party Services

    Manage Performance & Capacity

    Ensure System Security

    Identify & Allocate Costs

    Manage Service Desk & Incidents

    Manage Configuration

    Monitor & Evaluate IT Performance

    Monitor & Evaluate Internal Control

    Ensure Regulatory Compliance

    Install & Accredit Solutions & Changes

    Manage Problems

    Manage Data

    Manage Physical Environment

    Provide IT Governance

    Manage Operations

  • IT risk for governmental organizations starts with Risk Assessment

  • {Technology}

    o Social Media

  • Where is my data?

    Type, Storage, Usage, Sharing

  • What can go wrong?

  • How can we fix it?

  • Information Security Framework

  • Risk-Based Information Security Process

    o Perform an Information Security Risk Assessment

    o Designate security program responsibility

    o Develop an Information Security Program

    o Implement information security controls

    o Implement employee awareness and training

    o Regularly test or monitor effectiveness of controls

    o Prepare an effective Incident Response Procedure

    o Manage vendor relationships

    o Periodically evaluate and adjust the Information Security Program

  • IT Risk Assessment

    IT Assets - What should be protected?

    Threats - From what do the assets need protection and what is the likelihood that a threat will occur?

    Impacts - What are the immediate damages if the threat is realized (e.g. disclosure of information, modification of data)?

    Consequences - What are the long-term effects of the threat being realized (e.g. damage to reputation of organization, loss of business)?

    Controls - What are the effective security measures (security services and mechanisms) needed to protect the assets?

    Residual Risk - After implementation of the security controls, is the remaining risk acceptable?

    Framework - How to implement? NIST Standards 800-XX & Cybersecurity Framework Executive Order

  • CODIFICATION OF FRAMEWORK

  • COSO's Codification of Framework Principles

    Control Environment

    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability

    Risk Assessment

    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant changes

    Control Activities

    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures

    Information & Communication

    13. Uses relevant information
    14. Communicates internally
    15. Communicates externally

    Monitoring Activities

    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies

    Note: Companies will need to link their internal controls to the 17 principles

  • Principles and Attributes Related to the Control Activities Component

    The organization selects and develops general control activities over technology to support the achievement of objectives:

    o Determines dependency between the use of technology in business processes and technology general controls

    o Establishes relevant technology infrastructure control activities

    o Establishes relevant security management control activities

    o Establishes relevant technology acquisition, development, and maintenance control activities

  • Information Technology Controls

    o Information Technology Controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met

    o Subset of an enterprise's internal control

    o IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise

    o IT controls are often described in two categories: IT general controls (ITGC) and IT application controls

    o ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes

    o IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls

  • IT General Controls

    Administrative Controls

    o Policies

    o Risk assessment

    o Security responsibility

    o User access process (new user, terminations, changes)

    o Access authorization

    o Security awareness & training

    o Security incident response

    o Contingency planning / data backup

    Physical Controls

    o Facility access controls

    o Workstation controls

    o Device and media controls