Coso Internal Control Integrated Framework
- 1. COSO’s Proposed Revision to Internal Control - Integrated Framework and its Implications on Information Technology
Ken Vander Wal, ISACA International President
David Landsittel, Chairman of COSO
Cara Beston, Partner at PricewaterhouseCoopers
2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
- 2. Today’s webinar:
• Text in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Download the slide deck from the Event Home Page
• No CPEs being offered for this event
• Question or suggestion? Email them to eLearning@isaca.org
- 3. Presenters:
Ken Vander Wal
ISACA International President
David Landsittel
Chairman of COSO
Cara Beston
Partner at PricewaterhouseCoopers
- 4. Agenda
• Introduction
• COSO, Project Overview, Scope and Structure
• Proposed Updates
• Impact of Updates to Technology
• Open Discussion
• Call to Action – Next Steps
- 5. Introduction
• Background
• ISACA Membership on COSO’s Advisory Council
– Represented by Ken Vander Wal
– Supported by Global Task Force
• Today’s Presenters
– David Landsittel
– Cara Beston
- 7. About COSO
– Formed in 1985 to sponsor a Commission to examine fraudulent financial reporting
– A joint initiative of five private sector organizations
– Sponsors:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• The Institute of Internal Auditors
- 8. Mission of COSO
• “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
Fundamental Principle
• Good risk management and internal control are necessary for the long-term success of organizations
- 9. Project Overview
– Internal Control - Integrated Framework
• First published in 1992
• Most widely used framework in the US
• Also widely used around the world
– However, since 1992, the operating environment has evolved
– Framework concepts timeless, but context needs updating
- 10. Project Objectives
– The goal of the project is to “refresh” the Framework, by providing a context that is current.
– Enhancements are not intended to alter the core concepts developed in the original Framework
– Other project objectives include:
• Explicitly identifying principles and attributes to provide efficiency and a basis for evaluating effectiveness
• Adding more focus on operational and compliance control objectives
• Expanding “Financial Reporting” objective to encompass “reporting” more broadly
- 11. Project Governance Structure and Participants
COSO Board of Directors
PricewaterhouseCoopers Project Team
COSO Advisory Council (nominated by the COSO Board):
• AICPA
• AAA
• IIA
• FEI
• IMA
• Regulatory Observers
• Public Accounting Firms
• Others
Companies & Other Stakeholders:
• Industry Associations
• Academia
• Not-for-profit, government entities
• Professional associations
• Risk management professionals
• Lawyers
• Regulators
• Other rule-makers
- 12. Project Scope and Deliverables
• Three Products Contemplated:
– An updated Internal Control – Integrated Framework
– A companion document focusing on applying framework for Internal Control over External Financial Reporting (ICEFR)
– Evaluation tools for use in assessing the overall effectiveness of internal control
- 13. Project Timetable
• Sept 2010 – Jan 2011: Assess & Survey Stakeholder
• Feb – Oct 2011: Design & Build
• Dec 2011 – Mar 2012: Public Exposure
• Apr – Dec 2012: Finalize
- 14. Obtaining Input: Survey of Stakeholders
– Over 700 responses
– Responses come from wide range of organizations and individuals
• Large, small and non-profit organizations well represented
• 1 in 4 respondents are international (27%)
• The majority of respondents have been using the Framework for over 5 years
– Overall, a large majority of respondents (85%) support updating, but not a major overhaul in the Framework
- 15. What’s Changed
• The experienced reader will find much familiar in the updated Framework, which builds on what has proven effective in the original version.
What is not changing...
1. Definition of internal control
2. Five components of internal control
3. Criteria used to assess effectiveness of systems of internal control
4. Use of judgment in evaluating the effectiveness of systems of internal control
What is changing...
1. Updating context to reflect current environment
2. Codification of principles used in developing and evaluating effectiveness of systems
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations, compliance objectives
- 17. Summary of Updates
A changing business environment... drives updates to the Framework...
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
- 18. Summary of Updates
Codification of 17 principles embedded in original Framework
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Establishes accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and assesses risk
8. Identifies and assesses significant change
9. Assesses fraud risk
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Generates relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and separate evaluations
17. Evaluates and communicates deficiencies
- 19. Impact of Updates to Technology
- 20. Impact of Updates to Technology
• Concepts related to technology were retained
– Application controls v. General Controls
– Language updated to reflect more current terms
• Original Framework addressed technology as a key component of control activities and the information system
• Today, technology is embedded in virtually every enterprise
– Supports new business models and delivers business value
– Enables business processes
– Drives efficiency in controls
– Generates expanded information
– Enhances speed and breadth of communication
• Updated Framework considers technology across all internal control components
- 21. Impact of Updates to Technology
• Technology does not change the internal control landscape, but may affect how a company implements internal control
• As an enabler, technology
– Creates new opportunities
– Presents new risks
– Promotes efficiency and effectiveness
– Simplifies previously challenging activities
– Adds complexity
– Increases rate of change
• Updated Framework considers the continuous evolution of technology, but does not attempt to address various types
• Anticipates that technology will exist, but recognizes that it will be adopted differently from entity to entity
- 22. Impact of Updates to Technology
• Control Environment
– Improve access to senior management and vice versa
• Risk Assessment
– Facilitate risk assessment process through improved data and analytics
– Create new risks
• Control Activities
– Provide new responses to risks
– Increase efficiency of risk responses
• Information & Communication
– Increases available information
– Expands communication channels
• Monitoring Activities
– Considers new methods to monitor
- 23. Examples of Technology & Updates
• Increased importance of technology skills in assessing competence (par 161)
• Identification of risks related to technological developments that may impact achievement of objectives (par 228 and 274)
• Technology impact on risk of business continuity (par 248)
• Entity-level considerations of the impact of systems (par 282)
• Technology can both support business processes and also act as control activities (par 295)
– The extent of IT dependence on processes may indicate a greater reliance on IT for controls
– Management has the option to choose between manual, automated or a combination of both in selecting and developing control activities
- 24. Examples of Technology & Updates
• Technology is not prominently discussed in the area of segregation of duties (par 303-305)
– Management has several alternative control activities to select from in addressing risks associated with incompatible duties
– Assessing risks associated with access to technology is an important precedent to selecting control activities
• Impact of technology on volume and complexity of data and information raises awareness of:
– High volume of data available through electronic means increases complexity of systems needed to process data
– Benefits of increased information may be offset by the operational or compliance risks
– Increased importance of security, protection and retention of data
- 26. Open Discussion
Text in questions using the Ask A Question button
- 27. Call to Action – Next Steps
- 28. Call to Action – Next Steps:
• Review and Provide Comments: Internal Control - Integrated Framework http://www.ic.coso.org
• Deadline --- 31 March 2012
• Draft of Internal Control over External Financial Reporting (ICEFR)
• Embrace and Utilize COSO Internal Control - Integrated Framework in Your Enterprise
• COBIT 5 - Coming 2nd Q 2012
- 29. Register Now!
Upcoming ISACA Training:
• 4-day courses include:
– COBIT
– Fundamentals of IT Audit and Assurance
– IT Audit and Assurance Practices
• 27 – 30 March in Atlanta, Georgia
• www.isaca.org/training