Overview of Frameworks: Cobit, Jennifer F. Alfafara, CISA Consultant

Transcription

1 Overview of Frameworks: Cobit, COSO, ITIL, ISO, and more Jennifer F. Alfafara, CISA Consultant

2 Frameworks vs Standards

3 What is a Framework? Main Entry: frame work Pronunciation: \frām- wərk\ Function: noun Date: a:a a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame 2: frame of reference 3: the larger branches of a tree that thtdt determine its shape 3

4 What is a Standard? Standard - a rule or principle that is used as a basis for judgment GAAP (FASB) Generally Accepted Accounting Principals (Financial Accounting Standards Board IFRS (IASB) International Financial Reporting Standards (International Accounting Standards Board) PCAOB (Public Companies Accounting Oversight Board) Auditing Standards ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) 4

5 Then, what is HIPAA considered? HIPAA (American Health Insurance Portability and Accountability Act 1996) is a Guideline. More on HIPAA later. 5

6 Why have frameworks been developed? Lack of alignment between business practices and technology Provide guidance to Corporate management to ensure they are in compliance with regulatory requirements 6

7 Why adopt a framework? Regulatory requirement Business requirement Best in class 7

8 What is a Control Framework? Control Framework - A recognized system of control categories that covers all internal controls expected in an organization. 8

9 Control Framework To be comprehensive, the framework must: 1. Provide a favorable control environment 2. Provide for the continuing assessment of risk 3. Provide for the design, implementation, and maintenance of effective controlrelated policies and procedures, 9

10 Control Framework continued 4. Provide for the effective communication of information 5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures as well as the resolution of potential problems identified by controls 10

11 SEC on Frameworks The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors." 11

12 Control Frameworks COSO COBIT 4.1 ITIL ISO/IEC (Actually a Standard) ISO/IEC (Guidelines for 27002) 12

13 COSO Committee of Sponsoring Organizations

14 COSO COSO - Committee of Sponsoring Organizations of the Treadway Commission COSO is a U.S. private-sector initiative, formed in

15 COSO Who are the Sponsors? 1. American Institute of Certified Public Accountants (AICPA) 2. American Accounting Association (AAA) 3. Financial Executives Institute (FEI) 4. The Institute of Internal Auditors (IIA) and 5. The Institute of Management Accountants (IMA). 15

16 COSO Major Objectives COSO's main objectives are to assist organizations regarding: 1) effectiveness and efficiency of operations; 2) reliability of financial reporting; 3) compliance with applicable laws and regulations. 16

17 COSO and Healthcare Internal control tools developed by the COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations. Tightened internal controls have helped fight Medicare and Medicaid abuse. 17

18 Medicare Losses 1996 $23 Billion 1999 $12 Billion an improvement; however $12 Billion still demands attention Much of these losses can be attributed to abuse, fraud, and inefficiencies. 18

19 COSO (1992) Internal Control Framework Five Components Monitoring Information & Communication Control Activities Risk Assessment Control Environment 19

20 COSO (2004) Enterprise Risk Management Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. 20

21 COSO (2004) Enterprise Risk Management Framework Eight Components Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring 21

22 COSO Components Internal Environment encompasses the tone of an organization sets the basis for how risk is viewed addressed by an entity s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. 22

23 COSO Components Objective Setting Objectives must exist before management can identify potential events affecting their achievement. 23

24 COSO Components Event Identification Internal and external events affecting achievement of an entity s objectives must be identified, distinguishing g between risks and opportunities. 24

25 COSO Components Risk Assessment Analysis of risk Consideration of likelihood and impact How risks should be managed 25

26 COSO Components Risk Response Avoid Risk Accept Risk Reduce Risk Share Risk 26

27 COSO Components Control Activities Policies and procedures are established and implemented. 27

28 COSO Components Information and Communication Relevant information is identified, captured, and communicated in a form and timeframe that enable people p to carry out their responsibilities. 28

29 COSO Components Monitoring The entirety of enterprise risk management is monitored and modifications made as necessary. 29

30 Financial vs Technical Issues Okay, that addresses issues related to Finance what about other Frameworks and Standards in Healthcare?

31 HIPAA Title II Focused on Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform Title II provides for the enactment of five rules. 31

32 HIPAA Title II Rules Privacy Rule Transactions and Code Sets Rule Security Rule Unique Identifiers Rule (National Provider Identifier) Enforcement Rule 32

33 HIPAA & Technology Challenges for Information Technology (IT) Transactions and Code Sets Privacy Security Rules 33

34 Transactions & Code Sets (X12 Transactions) These transactions and code Sets relate to EDI (Electronic Data Interchange). EDI the structured transmission of data between organizations by electronic means. There are 11 defined code sets. 34

35 Transactions & Code Sets (X12 Transactions) EDI Health Care Claim Transaction set (837) EDI Retail Pharmacy Claim Transaction (835) EDI Benefit Enrollment and Maintenance Set (834) EDI Payroll Deducted and other group Premium Payment for Insurance Products (820) 35

36 Transactions & Code Sets Rule (continued) EDI Health Care Eligibility/Benefit Inquiry (270) EDI Health Care Eligibility/Benefit Response (271) EDI Health Care Claim Status Request (276) EDI Health Care Claim Status Notification (277) EDI Health Care Service Review Information (278) EDI Functional Acknowledgement Transaction Set (997) 36

37 Privacy Rule It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. 37

38 Security Rule Lays out three types of security safeguards required for compliance: Administrative Policies and Procedures Physical Access to Protected Data Technical Access to Computers that store and manage protected data 38

39 Obeying the Rules Implement Control Frameworks that facilitate compliance with the Rules COBIT ITIL ISO/IEC ISO

40 COBIT Control Objectives for Information and Related Technology

41 COBIT The Control Objectives for Information and related Technology (COBIT)) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in COBIT 4.1, the most current version was released in

42 COBIT What COBIT Provides: A set of generally accepted measures Indicators Processes Best practices? 42

43 COBIT Structure Covers four domains 1. Plan and Organize (PO) 2. Acquire and Implement (AI) 3. Deliver and Support (DS) 4. Monitor and Evaluate (ME) 43

44 COBITT Plan and Organize covers: the use of information & technology how best it can be used in a company to help achieve the company s goals and objectives. also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT 44

45 COBITT Acquire and Implement covers: Identification of IT requirements, Acquisition of technology, and Implementation within the company s current business processes. 45

46 COBITT Delivery and Support covers: The delivery aspects of the information technology The execution of the applications within the IT system and its results, The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery. 46

47 COBITT Monitor and Evaluate: Deals with a company s strategy in assessing the needs of the company Determines whether or not the current IT system still meets the objectives for which it was designed Identifies the controls necessary to comply with regulatory requirements. Deals with the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the evaluation of the company s control processes by internal and external auditors. 47

48 COBIT, COSO & SOX The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law aka JSOX ) Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting) COBIT Lite 48

49 COBIT Lite IT Control Objectives for Sarbanes - Oxley 49

50 ITIL The five ITIL V3 volumes

51 ITIL ITIL is published in a series of books, each of which covers an IT management topic. ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL has been mapped to COBIT, but reporting requirements are not the same 51

52 ITIL Structure ITIL v3, published in May 2007, comprises 5 key volumes: 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement 52

53 ITIL ITIL is owned and maintained by the UK Office of Government Commerce (OGC). The names ITIL and IT Infrastructure Library are registered trademarks of the OGC. 53

54 ISO/IEC ISO/IEC 27002:2005 (actually a Standard )

55 ISO/IEC ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology. 55

56 ISO The standard is comprised in two parts: Part 1: ISO/IEC Contains guidance and explanatory information Formally published as ISO/IEC Code of Practice for Information Security Management 56

57 ISO Part 2: (British Standard) BS7799 / ISO Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS) Formally published as ISO/IEC Information Security Management Systems - Requirements 57

58 ISO This is essentially the set of security controls: the measures and safeguards for potential implementation. After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC specifies control objectives categorized into 11 main sections to protect t information assets against threats to their confidentiality, integrity and availability. 58

59 ISO Security Controls Security Policy Organization of Information Security Asset Management Human Resources Physical and Environmental Security Communications and Operations Management 59

60 ISO Security Controls (cont ) Access Control Information Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management Compliance 60

61 ISO This is the specification for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top down perspective. It explains how to apply ISO

62 ISO Defined as a six part process: Define a security ypolicy Define the scope of ISMS Undertake a risk assessment Manage the risk Select control objectives and controls to be implemented Prepare a statement of applicability 62

63 ISO Healthcare Challenges: ISO is extremely difficult to implement for large units Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well. 63

64 ISO 27799:2008 Health informatics - Information security management in health using ISO/IEC 27002

65 ISO This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC

66 ISO Health information security Practical Action Plan for Implementing ISO 17799/27002 Healthcare Implications of ISO 17799/27002 Threats Tasks and documentation of the ISMS Potential benefits and tool attributes 66

67 Relationships Between Standards & Regulations Remember: ISO and BS 7799 are ISO HIPAA ISO BS7799 COBIT & ITIL 67

68 Questions?

69 For More Information: Jennifer F. Alfafara Consultant Resources Global Professionals usa.com 69

70 Thank you!