Sunday, October 17, 2004

Mapping COSO and CobiT for Sarbanes-Oxley Compliance

ITAudit The IIA

Vol. 7, October 1, 2004

Audit and Control

By Sally Chan, CMA, ACIS, PADM
RBC Financial Group

Two control frameworks have been widely adopted by public companies subject to the requirements of the U.S. Sarbanes-Oxley Act of 2002: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework, released in 1992, and the IT Governance Institute's Control Objectives for Information and Related Technology (CobiT). Although the U.S. Securities and Exchange Commission (SEC) suggests that public companies consider the control components of COSO when seeking Sarbanes-Oxley compliance, neither the SEC nor the U.S. Public Company Accounting Oversight Board has openly endorsed a specific information technology control framework. Interestingly, as companies subject to the act's requirements get closer to first-year certification, more practical questions are being raised about the relationship and alignment between the COSO internal control framework and CobiT objectives.

UNDERLYING CONCEPTS AND CONTROL OBJECTIVES
The COSO internal control framework states that internal control is a process — established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives. CobiT approaches IT control by looking at information — not just financial information — that is needed to support business requirements and the associated IT resources and processes.

COSO control objectives cover effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. Its primary role is fiduciary. On the other hand, while the IT Governance Institute — which is affiliated with the Information Systems Audit and Control Association — acknowledges and makes explicit reference to COSO's fiduciary role, it extends CobiT's role to cover quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. These categories form the foundation of CobiT's 34 control objectives within its four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

COSO and CobiT cater to different audiences. While COSO's target audience is management at large, CobiT is intended for management, users, and auditors (mostly IT auditors). Both COSO and CobiT view control as an entitywide process, but CobiT specifically focuses on IT controls. This distinction in effect defines and determines to a large extent the scope of each control framework.

Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four CobiT objective domains. The purpose of the following high-level mapping is to give auditors a COSO point of reference when discussing the role of technology in the assessment of internal controls for financial reporting. Auditors can then select the relevant CobiT control objectives for Sarbanes-Oxley under the four domains when mapped to the COSO internal control framework.

AN ALTERNATIVE MAP
Below is an alternative view of the COSO-CobiT mapping depicted in the IT Governance Institute's document IT Control Objectives for Sarbanes-Oxley [PDF], which was released earlier this year. That document presents the relationships between COSO, CobiT, and Sarbanes-Oxley Sections 302 and 404 as horizontal layers of a three-dimensional cube. In reality, the nature and extent of this tripartite relationship is neither equal nor direct — processes take place in a continuum. Mapping CobiT to COSO's internal control framework can only capture a high concentration of the associated processes.

COSO Internal Control Components mapped to CobiT Domains, with sample control objectives relevant to Sarbanes-Oxley:

1. Control Environment

Planning and Organization (PO):

  • PO 4.2 – Organizational placement of the IT function.
  • PO 6.1 – Positive information control environment.
  • PO 6.2 – Management’s responsibility for policies.

2. Risk Assessment

Planning and Organization (PO):

  • PO 9.0 – Assess risks.

3. Control Activities

Acquisition and Implementation (AI):

  • AI 1.4 – Third-party service requirements.
  • AI 6.0-6.8 – Manage changes.

Delivery and Support (DS):

  • DS 5.0-5.21 – Ensure system security.
  • DS 11.0-11.30 – Manage data*.

* Application control evaluations and the American Institute of Certified Public Accountants' SysTrust reports can supplement CobiT's data management control objectives.

4. Information and Communication

Planning and Organization (PO):

  • PO 6.0-6.11 – Communicate management aims and direction.

5. Monitoring

Monitoring (M):

  • M 2.0-2.4 – Assess internal control.

The fact that CobiT does not map 100 percent to COSO should not deter auditors from using these existing frameworks alongside each other. Organizations can treat these frameworks as essential reference material and as a sound basis for formulating their own integrated and customized control framework for Sarbanes-Oxley.

COSO ERM AND COBIT
With the recent release of the COSO Enterprise Risk Management (ERM) — Integrated Framework, which identifies interrelationships between risk and risk management, organizations and auditors should consider whether it is warranted to map CobiT to COSO ERM, as well. COSO ERM takes a broader view of risk than the risk-assessment component contained in the COSO internal control framework. In CobiT, risk assessment is a process — not a distinct and separate domain — therefore, it may be more appropriate to compare COSO ERM to the IT Governance Institute's Board Briefing on IT Governance. Regardless of the outcome of any comparison, COSO ERM is expected to further expand auditors' focus towards disciplined risk management. As a result, auditors should critically assess whether COSO and CobiT provide sufficient risk coverage as stand-alone control frameworks for the 21st century auditor.

Even before the final COSO ERM recommendations were published, there was already an increased sensitivity and a growing trend towards addressing risk issues upfront as a condition precedent to control issues at both the entity and activity levels. After all, controls are risk-driven, so understanding risk is a prerequisite to the appreciation and application of control. Understanding the risks in an organization's business environment makes control design more effective and reduces the effort required to remedy control deficiencies in both manual and automated environments. From a Sarbanes-Oxley perspective, the highly publicized significant deficiencies and material weaknesses in internal control reported by external auditors at many companies have added yet another challenging dimension to financial reporting and a new meaning to reputational and compliance risks, according to Compliance Week. There are already emerging views that suggest building ERM on the foundation laid by Sarbanes-Oxley.

USE COBIT SELECTIVELY
Because Sarbanes-Oxley Section 404 is strictly focused on internal controls over financial reporting, any user of CobiT must first determine the relevance of a significant IT process or IT-dependent process by assessing its primary contribution to internal controls over financial reporting rather than to the broad spectrum of IT control processes encompassed by CobiT. One way to ensure that IT is properly anchored to a significant account, business process, or major class of transaction is to critically question the role of IT in risk mitigation and in enhancing the integrity of financial reporting and financial-statement assertions. IT auditors have a new opportunity to add value by evaluating the design and operating effectiveness of automated application controls end-to-end in addressing fraud, yet this scope is not explicit in CobiT.

It is important that auditors select relevant IT control objectives from CobiT when defining their Sarbanes-Oxley scope. IT's unique contribution centers around its ability to enhance the integrity, security, and availability of financial information within those identified business processes, as well as the safeguarding of assets — especially information assets.

For internal auditors, COSO is the primary Sarbanes-Oxley reference and CobiT a secondary resource, but for IT auditors, understanding COSO is only the beginning. IT auditors should start with COSO and selectively adapt CobiT for Sarbanes-Oxley without excluding other established IT control models such as the ISO/IEC 17799 Code of Practice for Information Security Management, established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). For a broader overview of IT guidance, readers can refer to the IT Governance Institute's research paper CobiT Mapping – Overview of International IT Guidance [PDF], which maps several commonly used IT standards and guidance against the CobiT framework. That publication maps the COSO internal control framework from the vantage point of CobiT in the pre-Sarbanes-Oxley environment.

FOR MORE INFORMATION

Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org

IT Governance Institute, www.itgi.org

The findings, interpretations, and opinions expressed in the published materials are those of the author of the work only.


