Corporate Governor. New COSO Framework links IT and business process

Corporate Governor
Providing vision and advice for management, boards of directors and audit committees
Summer 2014

New COSO Framework links IT and business process
Michael Rose, Partner, Business Advisory Services

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of private sector organizations dedicated to providing thought leadership on enterprise risk management, internal control and fraud deterrence, issued its updated Internal Control Integrated Framework [1] (2013 Framework). The 2013 Framework is expected to be used by most public companies listed in the United States, as well as other companies in various jurisdictions, starting Dec. 31, 2014, and possibly earlier, in assessing the effectiveness of their internal control over financial reporting (ICFR), and by auditors in reporting on ICFR when required.

The 2013 Framework does not fundamentally alter the key concepts of the original 1992 Framework, which consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring. Instead, it clarifies and builds on core strengths by (1) formalizing the concepts embedded within the five components into 17 principles, (2) considering changes in business and operating environments, and (3) expanding the financial reporting objective to address other important forms of reporting [2].

The 2013 Framework also includes points of focus that describe each principle's characteristics and help users evaluate whether a principle is present and functioning. Points of focus aren't explicit requirements. You don't need a separate evaluation of points of focus in order to demonstrate that a relevant principle is present and functioning. Management may determine that some points of focus are not suitable or relevant; they may also identify and consider others based on company circumstances.

Points of focus may be particularly helpful in assisting management and auditors in evaluating principles that weren't as thoroughly developed in the 1992 Framework, such as those relating to fraud prevention and to the use of IT.

[1] See www.coso.org for more information.

Principle 11 points of focus

The 2013 Framework recognizes the importance of technology in achieving operations and compliance objectives, as well as reporting objectives. Principle 11 and its points of focus address the importance of IT controls.

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

The following points of focus highlight important characteristics relating to this principle:
- Determines dependency between the use of technology in business processes and technology general controls
- Establishes relevant technology infrastructure
- Establishes relevant security management process
- Establishes relevant technology acquisition, development and maintenance process

1. Determines dependency between the use of technology in business processes and technology general controls

Management must understand the linkages between its business processes, general technology controls and the controls that are automated within its control activities. Control activities over technology are the tasks that ensure the existing technology continues to function as originally designed. Technology general controls are also referred to as general computer controls, general controls or IT controls. The overall reliability of technology in business processes, including automated controls (controls embedded in an application), results from an effective design up front and then the continued execution of general controls over technology from an operating effectiveness perspective. Technology general controls operating as designed will support automated controls and ensure that they are functioning properly. An example of an automated control is the three-way match among purchasing, receiving and invoicing. The technology general controls determine that the correct files are being matched and that the process is complete and accurate. In addition, the security controls make sure that only authorized individuals have access to the files.

The COSO model for technology general controls touches all five components of the 2013 Framework, as the following list shows. The emphasis here is illustrative as it relates to the five components.

Control environment
- Tone from the top, with IT governance identifying controls as important
- Technology policies and procedures and information security policies
- Various committees established for technology governance

[2] Read more about the new framework and 17 principles in CorporateGovernor Summer 2013. See www.grantthornton.com/issues/library/newsletters/advisory/2013/bas-grc-updated-coso-framework.aspx for details.

Risk assessment
- IT risk assessments link to corporate and business risk assessments
- IT controls determined for high-risk business units and functions
- IT risk assessment for IT information security, identifying threats and matching them to vulnerabilities
- Risk assessment for business continuity

Control activities
- Approval of IT plans and system architecture
- Committee approval for change management
- Compliance with information and security standards

Information and communication
- IT corporate communications
- Best-practice IT communication
- Review of user access to information and reports
- IT and security training

Monitoring
- Review of periodic technology assessments
- Review of technology organization
- Review of high-risk IT areas
- Review of technology metrics

Additional controls may be selected or designed to mitigate specific risks in the overall use of technology processes.

2. Establishes relevant technology infrastructure

Technology general controls include controls over technology infrastructure, networks, operating systems, data management and applications. They apply to everything from mainframe computers, client/servers, desktops, end-user computing, portable computers and mobile device technology to operational technology. The controls over each of these will depend on a number of factors, including risk as it relates to the underlying business processes, the complexity of the technology and overall outside threats. Technology general controls can be manual or automated. Following are controls over newer technologies. These are some areas of interest with some control objectives attached, and are not meant to be all-inclusive.

End-user computing (EUC)
- Identification of all EUC as it relates to critical business processes in the organization
- Monitored security and access to where the EUC is located
- Integrity of the change management process, with changes made, tested, reviewed and approved
- Accuracy and completeness of all information in the EUC

Mobile devices
- Mobile device policies and procedures are in place
- Access control and encryption for mobile devices are in place and provide adequate coverage
- Non-company-owned mobile devices are segregated for data in a complete and effective manner
- Mobile device incident management processes and controls are in place and functioning effectively

Cloud
- Prepare a clear governance model to follow, including policies and procedures
- Assess service levels, infrastructure and applications used, and related metrics and outcomes
- Understand cloud vendor management ability, including people's skills and competencies, processes and technology
- Review cloud security and compliance requirements
- Agree on service-level metrics, outcomes and effectiveness of services
- Identify where risks are present and integrate them into the existing risk assessment
- Review results against criteria periodically, and have a mechanism to document exceptions and gaps and a process to correct issues

3. Establishes relevant security management process

The security management process includes all control activities over access to an organization's technology, including transaction processing, data, operating systems, network applications and physical access. Security controls over access prevent the unauthorized access and use of systems, changes to the system, and changes to data and program integrity, whether from common error or malicious intent. They also enforce segregation of duties, preventing an individual from having access to incompatible functions within the system, which reduces the likelihood of fraud.

Security risks are both internal and external. External threats can come in many different forms, depend on telecommunication networks and use the Internet. A company has customers, employees, vendors and others using its system. The pervasive use of technology in business operations presents significant threats on a daily basis. Internal threats come from within the organization, through former or disgruntled employees who have extensive knowledge of the organization's security system and are better equipped because of this to succeed.

Here are a few preventive actions to consider:

External cybersecurity threats
- Establish cybersecurity governance, including policies and procedures
- Classify all information based on its restriction of privacy
- Determine what applications use highly private information
- Perform a vulnerability analysis on these higher-risk applications
- Identify potential threats to these applications
- Understand vendor access and determine safeguards
- Perform a risk assessment regarding the highest risks based on the above
- Determine where investments are needed to protect private information
- Identify and treat attacks and breaches in a timely and appropriate manner
- Monitor cybersecurity activity and report to senior management

Internal threats
- Develop policies and procedures regarding employees' access to data and applications, and termination of those rights when employees leave the organization
- Identify all employees who have access to incompatible data and applications in high-risk transactions
- When access can't be changed, provide a monitoring process/review of the transactions those employees perform
- Periodically review access rights of employees

4. Establishes relevant technology acquisition, development and maintenance process

The technology general controls should support the life cycle of technology throughout acquisition, development and maintenance. Organizations rarely use one methodology for all systems development projects; they choose a methodology based on factors such as the size of the project. The chosen methodology should provide controls over changes to technology: acquiring the appropriate approvals for a change, reviewing the change, testing results and implementing a process to make sure the changes are completed properly. The methodology provides a structure for system design and implementation. It outlines requirements such as documentation, approvals and controls over the technology life cycle.

Organizations need some basic controls that are similar in all systems acquisition and development work. User requirements are always documented and results measured. A formal process should be followed for system design to determine that user requirements and controls are designed into the system. System development is carried out in a formal manner to ensure that design features are included in the final product. Testing should include users, and it should confirm that the functionality has been reviewed and that system interfaces operate as intended. Maintenance processes should ensure that changes to application systems are controlled and that change management has a validation process. All outsourced system development work should be reviewed and determined to have a similar set of controls over the entire process.

All work must be under project management control, whether it's developed in-house or outsourced. A communication and reporting mechanism must be in place to ensure that all projects are completed in a timely manner and on budget.
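As an added illustration of the internal-threat actions listed under point 3 (example code written for this edit, not code from the newsletter or from Grant Thornton), the following access-review check flags accounts that hold incompatible functions and accounts that were not terminated after the employee left. The conflict pairs, function names and sample accounts are all constructed for the example.

```python
"""Access-review helper for the 'internal threats' actions: flag users whose
entitlements combine incompatible functions (segregation of duties) and
accounts that outlived their owner's employment. Example code added to this
page; role names, conflict pairs and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Constructed conflict matrix: pairs of functions one person must not hold.
# The purchasing / receiving / invoicing pairs mirror the three-way match
# the article uses as its automated-control example.
SOD_CONFLICTS = {
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"create_purchase_order", "record_goods_receipt"}),
    frozenset({"record_goods_receipt", "post_vendor_invoice"}),
    frozenset({"maintain_vendor_master", "post_vendor_invoice"}),
}


@dataclass
class Account:
    user: str
    functions: set[str]
    terminated_on: date | None = None  # None = still employed
    monitored: bool = False            # compensating transaction review in place?


def sod_conflicts(acct: Account) -> list[tuple[str, str]]:
    """Return every incompatible pair of functions this account holds."""
    return [(a, b) for a, b in combinations(sorted(acct.functions), 2)
            if frozenset({a, b}) in SOD_CONFLICTS]


def review_access(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Bucket findings the way the article's action list does:
    'remediate' = conflict with no compensating monitoring,
    'monitor'   = conflict accepted but covered by transaction review,
    'orphaned'  = access still active after the employee left."""
    findings: dict[str, list[str]] = {"remediate": [], "monitor": [], "orphaned": []}
    for acct in accounts:
        if acct.terminated_on is not None and acct.terminated_on <= as_of:
            findings["orphaned"].append(acct.user)
            continue
        if sod_conflicts(acct):
            findings["monitor" if acct.monitored else "remediate"].append(acct.user)
    return findings


# Constructed sample entitlement extract.
SAMPLE_ACCOUNTS = [
    Account("alice", {"create_purchase_order", "record_goods_receipt"}),
    Account("bob", {"maintain_vendor_master", "post_vendor_invoice"}, monitored=True),
    Account("carol", {"record_goods_receipt"}),
    Account("dave", {"post_vendor_invoice"}, terminated_on=date(2014, 5, 31)),
]

if __name__ == "__main__":
    for bucket, users in review_access(SAMPLE_ACCOUNTS, date(2014, 6, 30)).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```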

Conclusion

COSO recognizes the importance of technology in achieving operations and compliance objectives, and it wrote Principle 11 of the 2013 Framework to link business processes to technology general controls. The points of focus can help users evaluate whether the principle is present and functioning properly. While these points of focus aren't explicit requirements, use them as a tool to thoroughly address your IT controls. IT controls are pervasive throughout an organization, so it is critical to have a strong control environment across all business units.

Contact
Michael Rose, Partner, Business Advisory Services
T 215.376.6020
E michael.rose@us.gt.com

Editor
Evangeline Umali Hannum
E evangeline.umalihannum@us.gt.com

About the newsletter
CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world's leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Connect with us
grantthornton.com
@grantthorntonus
linkd.in/grantthorntonus

"Grant Thornton" refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another's acts or omissions. Please visit grantthornton.com for details.

(c) 2014 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd