COBIT 5 With COSO 2013

Similar documents
PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

ISACA Cincinnati Chapter March Meeting

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

ISACA. Certification Details for Certified in the Governance of Enterprise IT (CGEIT )

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Turning Risk into Advantage

Information for entity management. April 2018

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

CISM Certified Information Security Manager

Information Technology Branch Organization of Cyber Security Technical Standard

COBIT 5 Implementation

Exploring Emerging Cyber Attest Requirements

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Security and Privacy Governance Program Guidelines

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

01.0 Policy Responsibilities and Oversight

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

SOC for cybersecurity

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

Risk Management in Electronic Banking: Concepts and Best Practices

Modern Database Architectures Demand Modern Data Security Measures

EVERYONE SHOULD HAVE AN IT COMPLIANCE OFFICER OR SUFFER THE CONSEQUENCES. About Ralph Villanueva. Objectives

Three Key Challenges Facing ISPs and Their Enterprise Clients

Effective COBIT Learning Solutions Information package Corporate customers

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

IS Audit and Assurance Guideline 2002 Organisational Independence

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

Information Security Risk Strategies. By

MNsure Privacy Program Strategic Plan FY

Cyber Risks in the Boardroom Conference

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

IT risks and controls

Information Security Strategy

locuz.com SOC Services

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Choosing the Right Solution for Strategic Deployment of Encryption

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Avanade s Approach to Client Data Protection

Cybersecurity & Privacy Enhancements

Continuous protection to reduce risk and maintain production availability

ISO/IEC overview

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Frameworks and Standards

Introduction to AWS GoldBase

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Manchester Metropolitan University Information Security Strategy

Singapore Quick Guide to the COSO. Enterprise Risk Management and Internal Control Frameworks Edition

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

Implementing ITIL v3 Service Lifecycle

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Risk Advisory Academy Training Brochure

BHConsulting. Your trusted cybersecurity partner

HIPAA Security and Privacy Policies & Procedures

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Symantec Data Center Transformation

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

COPYRIGHTED MATERIAL. Index

Oracle Buys Automated Applications Controls Leader LogicalApps

The Honest Advantage

Certified Information Security Manager (CISM) Course Overview

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

THE POWER OF TECH-SAVVY BOARDS:

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

BRING EXPERT TRAINING TO YOUR WORKPLACE.

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Rethinking Information Security Risk Management CRM002

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

CYBERSECURITY RISK ASSESSMENT

Understanding and Evaluating Service Organization Controls (SOC) Reports

Achieving third-party reporting proficiency with SOC 2+

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

ROLE DESCRIPTION IT SPECIALIST

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Data Sheet The PCI DSS

REPORT 2015/149 INTERNAL AUDIT DIVISION

IT Service Management: Southeast Area Practice Gary West Solution director Business Service Optimization

EXAM PREPARATION GUIDE

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Transcription:

Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1

Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder Expectations Implementation Considerations Other Frameworks/Guidance Questions COSO 2013 COBIT 5 Improved Governance 2

Why Is Governance Important? Source: ITGI Global Status Report on the Governance of Enterprise IT (GEIT) 2011. 3

Use of Frameworks 4

Allocation of IT Audit Hours by Framework 5

COBIT Overview

What Is COBIT? A Business Framework for the Governance and Management of Enterprise IT Developed by ISACA in 1996, 5 th Edition published in Spring 2012 Accepted globally as a set of tools that ensures IT is working effectively Provides common language to communicate goals, objectives and expected results to all stakeholders Based on, and integrates, industry standards and good practices in: Strategic alignment of IT with business goals Value delivery of services and new projects Risk management Resource management Performance measurement 7

COBIT 5 Key Areas (EDM) Source: COBIT 5 Framework, page 32, 2012 ISACA. All rights reserved. 8

Source: COBIT 5 Framework, figure 16, page 33. 2012 ISACA. All rights reserved. 9

Source: COBIT 5 Enabling Processes, page 185. 2012 ISACA. All rights reserved. 10

Source: COBIT 5 Enabling Processes, page 187. 2012 ISACA. All rights reserved. 11

COSO Overview

What is COSO? Definition: COSO is a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control. Source: COSO, Internal Control Integrated Framework Executive Summary, USA, May 2013. 13

COSO Internal Control Framework 22 years ago.. Most of the developments in business and technology that we take for granted today had not been realized Companies were just starting to connect through EDI Smartphones, Google, and Facebook did not exist Internet was still ramping up Most everyone used dial-up modems Internal Control evaluation was relatively unsophisticated Internal Auditors struggled to address evolving client-server networks Many of today s financial reporting regulations had yet to be written Source: Internal Auditor August 2013 14

Why COSO 2013? Business and operating environments have changed dramatically, becoming increasingly complex, technology driven, and global Large scale governance and internal control breakdowns have occurred in the last 20+ years Stakeholders are more engaged, seeking transparency and accountability Increased expectations for risk assessments at all levels of the organization (financial, operations, regulatory, IT) 15

Summary of Changes The Update increases ease of use and broadens application What did not change... What did change... Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control are required for effective internal control Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness 17 Principles codified Role of objective setting clarified Reflects increased role and relevance of technology Incorporates enhanced discussion of governance Expands Reporting objective Enhances consideration of antifraud expectations Increases focus on non-financial reporting objectives 16

COSO 2013 5 Components 17 Principles 77 Points of Focus Source: COSO.org 17

COSO Mapping Coverage by Principle Financial Controls IT Controls Data Quality Management Oversight Assessment Process 18

Mapping COBIT 5 to COSO 2013

COSO 2013 5 Components 17 Principles 77 Points of Focus Source: COSO.org 20

Source: COBIT 5 Framework, figure 16, page 33. 2012 ISACA. All rights reserved. 21

Mapping COBIT 5 to COSO 2013 Source: Relating The COSO Internal Control-Integrated Framework and COBIT. 2014 ISACA. All rights reserved. 22

Source: COBIT 5 Framework, figure 16, page 33. 2012 ISACA. All rights reserved. 1 2 3 8 2 2 7 2 2 15 17 All Processes 5, 6, 10 1 3 4 8 1 9 12 14 4 8 13 7 13 9 9 9 9 13 16 17 11 8 23

COSO Principle 1 The organization demonstrates a commitment to integrity and ethical values. COBIT 5 Coverage: EDM01 Ensure Governance Framework Setting and Maintenance APO01 Manage the IT Management Framework APO07 Manage Human Resources 24

COSO Principle 2 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. COBIT 5 Coverage: EDM01 Ensure Governance Framework Setting and Maintenance EDM02 Ensure Benefits Delivery EDM03 Ensure Risk Optimization EDM04 Ensure Resource Optimization EDM05 Ensure Stakeholder Transparency 25

COSO Principle 3 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. COBIT 5 Coverage: EDM01 Ensure Governance Framework Setting and Maintenance APO01 Manage the IT Management Framework 26

COSO Principle 4 The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. COBIT 5 Coverage: APO01 Manage the IT Management Framework APO07 Manage Human Resources 27

COSO Principle 5 The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. COBIT 5 Coverage: All COBIT 5 Processes 28

COSO Principle 6 The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. COBIT 5 Coverage: All COBIT 5 Processes 29

COSO Principle 7 The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. COBIT 5 Coverage: EDM03 Ensure Risk Optimization APO12 Manage Risk 30

COSO Principle 8 The organization considers the potential for fraud in assessing risks to the achievement of objectives. COBIT 5 Coverage: EDM01 Ensure Governance Framework Setting and Maintenance APO01 Manage the IT Management Framework APO07 Manage Human Resources MEA03 Monitor, Evaluate and Assess Compliance With External Requirements 31

COSO Principle 9 The organization identifies and assesses changes that could significantly impact the system of internal control. COBIT 5 Coverage: APO01 Manage the IT Management Framework BAI02 Manage Requirements Definition BAI05 Manage Organizational Change Enablement BAI06 Manage Changes BAI07 Manage Change Acceptance and Transitioning 32

COSO Principle 10 The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. COBIT 5 Coverage: All COBIT 5 Processes 33

COSO Principle 11 The organization selects and develops general control activities over technology to support the achievement of objectives. COBIT 5 Coverage: DSS06 Manage Business Process Controls 34

COSO Principle 12 The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. COBIT 5 Coverage: APO01 Manage the IT Management Framework 35

COSO Principle 13 The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. COBIT 5 Coverage: APO11 Manage Quality MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA02 Monitor, Evaluate and Assess the System of Internal Control 36

COSO Principle 14 The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. COBIT 5 Coverage: APO01 Manage the IT Management Framework 37

COSO Principle 15 The organization communicates with external parties regarding matters affecting the functioning of internal control. COBIT 5 Coverage: EDM05 Ensure Stakeholder Transparency 38

COSO Principle 16 The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. COBIT 5 Coverage: MEA02 Monitor, Evaluate and Assess the System of Internal Control 39

COSO Principle 17 The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. COBIT 5 Coverage: EDM05 Ensure Stakeholder Transparency MEA02 Monitor, Evaluate and Assess the System of Internal Control 40

Expectations

Regulatory Expectations What methodology does your organization use for IT governance? Regulatory Expectations (tomorrow s expectations, not today s expectations) Remember, you are aiming at a moving target How do you want to be viewed (A market leader, middle of the pack, or late adopter) Domestic vs. International Regulators 42

External Audit and Professional Expectations Can External Auditors rely on the work of Internal Audit? IIA Standard 1210 Are you proficient if you are using outdated standards? IIA Standard 2110 Are you making appropriate recommendations for improving the governance process? 43

Audit Committee Expectations In the opening keynote address at the 2014 Governance, Risk, and Control Conference, IIA Global Chairman Anton van Wyk made the point that 60% of board members want to spend more time on IT. Board members are growing increasingly concerned about IT governance and the organization s ability to stand up to regulatory and public scrutiny. Don t wait for an audit committee member to ask an embarrassing question (Have you implemented COBIT 5 and COSO 2013?) 44

Implementation Considerations

Implementation Considerations Getting from Point A to Point B Gap Assessment Management Support Project Plan/Manager/Sponsor Timing and Metrics 46

Implementation Considerations - Continued Lead time Metric weight factors and coverage Dashboard redesign Cutover point 47

Implementation Considerations - Continued Data Quality Upgrading/Creating SAPs Coordinating with Stakeholders Training 48

Transition Methodology Build Internal Awareness and Expertise Perform Impact Assessment/ Prepare Project Plan Execute the Transition Plan Engage, Communicate and Train Build Awareness Obtain Relevant Publications Revisit Concepts and Definitions Internal Control Definition Categories of Objectives Control Components Entity Structure Management Judgment Understand the Principles Principles (17) Points of Focus Approaches Examples Understand Definition of Effective Internal Control Present and Functioning Understand the Definition of Internal Control Deficiencies Revisit Existing Controls Documentation to Determine Adequacy Financial Reporting Objectives Risk Assessments Significant Accounts / Disclosures Assertions Processes and Transactions Define the Project Plan and Methodology Finalize Methodology and Approach Define the Project Team Develop the Project Plan Documentation and Evaluation Map the Principles and Components (Using Points of Focus, Approaches, and Examples) to the Existing Documentation Confirm Existing Understanding with Control Owners Control Design Evaluation and Gap Remediation Evaluate the Control Design Define Gaps Remediate Identified Gaps External Review Coordinate with External Auditor Engage Broader Organization Communicate with Key Stakeholders Perform Training Overall Project Management 49

Other Frameworks/Guidance

PCI-DSS 3.0 Version 3.0 of PCI-DSS was released in November 2013 Regulated by the PCI Security Standards Council and the major credit card brands Any entity that stores, processes, or transmits cardholder information MUST COMPLY with the PCI Data Security Standard (DSS) Entities include but are not limited to: Acquirers Merchants Service providers Trusted third parties Each card brand has their own compliance requirements based on this general requirement 51

PCI-DSS 3.0 Source: Payment Card Industry (PCI) Data Security Standard, 2013 52

ITIL The Information Technology Infrastructure Library (ITIL), is a set of best-practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITIL describes procedures, tasks and checklists that are not organization-specific, used by an organization for establishing a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. 53

ITIL Requests for change Service improvement Usage guidelines, policies, and incentives to change utilization patterns Guidelines, policies, and information for Service Desk to support incidents Service transition Requests for change How service is utilized How service is supported Service design Possible service incidents Service operation How service is deployed How service is delivered (Filtering) Requests for change Requests for change Design limitations Compensating resources and requests for change Objectives, policies and guidelines Service strategy 54

HIPAA Health Insurance Portability and Accountability Act of 1996 (HIPAA), Department of Health and Human Services (DHHS). Privacy of health information Restricts the use and dissemination of identifiable health information Provides individuals with greater access and control of their medical information Regulates business partners and business partner agreements Security of health information Ensures information integrity and confidentiality Protects against information tampering and unauthorized information uses and disclosures 55

HIPAA 56

HIPAA 57

Summary The latest versions of COBIT and COSO are complimentary frameworks that can be mapped to one another. Regulators, external auditors and audit committees will expect some form of governance framework to be in place and functioning. Implementation requires sufficient planning and lead time. Other frameworks and guidance exist that may be applicable to your organization. 58

Questions? S t e p h e n H e a d s t e p h e n. h e a d @ e x p e r i s. c o m 704-953- 6 6 8 8 59

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback