Any organization that has dealings on the financial markets (which pretty much includes everyone, these days) will no doubt be aware of the existence of measures put in place in the wake of recent high-profile cases of financial malpractice, insider dealing, and fraud. But the mechanics and details of the relevant standards and controls may not be so clear.
In this article, we’ll consider one of the little-known but nonetheless influential mechanisms used in corporate financial governance: the COBIT COSO frameworks.
COBIT COSO – Origins to Sarbanes-Oxley (SOX)
The Wall Street Crash of 1929, which precipitated the Great Depression, ultimately led to the creation in 1934 of the US Securities and Exchange Commission, or SEC. Its rules required public companies to perform a financial audit once a year.
Fast forward to 1987: in response to widespread accounting malpractice during the mid-1970s, the Treadway Commission hired Coopers & Lybrand to develop a broad control framework to regulate the accounting industry.
In 1992, the Committee of Sponsoring Organizations, or COSO, released a report in four volumes setting out its “Internal Control – Integrated Framework” for financial regulation. The framework was updated in 2004.
1996 saw the publication of the “Control Objectives for Information and Related Technology (COBIT) Framework” by the Information Technology Governance Institute (ITGI).
In 2002, the Sarbanes-Oxley (or SOX) Act was passed, making it mandatory for enterprises to declare and adopt a framework which would be used to “define and assess internal controls.”
What is a COSO Framework?
The Committee of Sponsoring Organizations (COSO) defines “internal control” as a process designed to provide assurance of efficiency and effectiveness in achieving a company’s objectives, of the reliability of its financial reporting, and of compliance with relevant laws and regulations. It is an ongoing process, effected by a commercial organization’s board of directors, management staff, and other team members.
Components of Internal Control
The COSO framework defines a “control” as any proactive measure put in place by management to achieve an objective. Management’s objectives in this sense are intended to address risks, such as the possibility of financial or operational losses.
As well as the financial objectives of an enterprise, controls may also address issues such as integrity, confidentiality, and security, together with broader operational aims like efficiency, stability, reliability, and scaling.
Controls may assume various forms, such as:
- Automated: These are strong financial controls, programmed with a robust logic that should stand up to intense statistical testing.
- Partially automated: These controls are implemented by people interacting with IT systems. Under the framework, the records produced by these systems are referred to as “Electronic Evidence”.
- Manual: These are entirely dependent on human operations, with no IT element involved.
The Control Environment
Within the framework’s control environment, management first assesses the risks associated with not being able to meet specified business objectives. Controls are then implemented to ensure that any risks identified are properly addressed.
To maintain an effective overview of the organization and its control environment, relevant data is captured and transmitted throughout the enterprise, on an ongoing basis. In response to changing business conditions or changes in the compliance regime, the whole process is continuously monitored, and modified as necessary.
What is COBIT?
Maintaining compliance with Sarbanes-Oxley and other regimes requires more than a series of directives from management. As well as ensuring that financial reports are compiled with integrity, the reliability and security of the underlying data is an essential part of the mix, so an element of IT is unavoidable.
Control Objectives for Information and Related Technology (COBIT) is an international framework bringing together global IT standards such as ITIL, CMMI and ISO 17799. Based on recommendations by the Information Systems Audit and Control Association (ISACA), it sets out standards that management should apply to their business operations, to ensure the sound deployment of IT resources.
Elements of COBIT
COBIT comprises a tool-kit for compliance with SOX and other regulatory schemes, including the following:
- An Executive Summary: Gives an overview of COBIT’s founding principles.
- The compliance framework: Gives detailed descriptions of high-level control objectives for IT, and the business requirements for information and IT input required, for each.
- Objectives for control: Statements of the purpose of each control objective, and its desired results.
- Guidelines for performing and passing audits: Step by step guides for each control objective.
- Primers for management: A summary of the methods employed by organizations that have successfully applied the COBIT framework in their own environments, and some related tools.
- Reference materials: These include the IT Control Practice Statement – a detailed layout of the reasons for the controls set out for IT and operational risk assessment, and best practices for dealing with them.
Functions of COBIT
In addition to ensuring regulatory compliance, COBIT sets out to help IT to better understand the needs of a business, and defines the practices needed for IT operations to become more efficient and effective.
The framework includes methods to determine whether IT practices are meeting business objectives, and provides facilities for documenting and developing the tools, processes, and organizational structures required for effective IT management.
Compliance audits can be stressful, so here are some tips to help smooth the process.
- Make security and due diligence a part of your day to day operations, rather than applying these principles only at audit time.
- Take measures to protect your data – especially the financial information used for compiling reports.
- Document the security protocols you have in place, and ensure strict and secure audit trails.
- As well as the COBIT guidelines, ISO 27001 may provide assistance in communicating the compliance of measures you already have in place.
There is software available to help. Mapping engines (IT governance packages) such as those offered by ControlPath Inc., Archer Technologies, and OpenPages Inc. have been designed specifically for COBIT and SOX compliance.
You might also look into hiring a consultancy, or (if your budget won’t stretch to it) construct your own control maps in-house.