Specialized Control Matrix IT

Book discusses Trust Services framework developed by AICPA and Canadian Institute of Chartered Accountants (CICA) More widely accepted in industry is COBIT developed by the IT Governance Institute: C=Control OB=Objectives for I=Information and related T=Technology

COBIT-what is it?
Provide companies with an information systems governance model that helps in understanding and managing the risks associated with technology. Meant to facilitate bridging the gap between business risk, management needs and technical issues. Augments COSO/ERM, not a replacement

COBIT Processes
The primary COBIT processes that have the most direct relevance to COSOs internal control structure can be categorized into 4 broad categories: Plan and organize Acquire and implement Deliver and support Monitor and evaluate

COBIT: Plan and Organize Control Category

IT strategic plan developed, monitored, communicated Define information capture, processing, and reporting controls IT staff has adequate knowledge and experience; roles defined and documented; proper segregation of duties; IT employees trained and developed, kept up to date with new technology

COBIT: Plan and Organize Control Category

Policies and Procedures documented and updated; issues reported and resolved

System changes are authorized and monitored; adequate controls surround change management
IT performs security assessments; monitors/updates access restrictions; ensures continuity Set standard requirements; assess variances with standards

COBIT: Acquire and Implement Control Category

Applications: Financial Reporting requirements met Supports complete, accurate, timely, authorized and valid transaction processing Development method includes security, availability and processing integrity requirements Aligns with business strategy Users are appropriately involved in design, selection and testing of application Post-implementation reviews performed to ensure controls are operating as intended

COBIT: Acquire and Implement Control Category

Technology Infrastructure
Provides the appropriate platforms to support financial reporting applications Ensure that infrastructure (including network devices and software) acquired is based on requirements of financial applications intended to support

COBIT: Acquire and Implement Control Category

Policies and Procedures
Exist

Define required acquisition and maintenance processes, including documentation to support proper use and technological solutions put in place
Regularly reviewed, updated and approved by management

COBIT: Acquire and Implement Control Category

Install/Test Application SW & Infrastructure:
Systems appropriately tested and validated prior to being placed into production Controls tested to ensure operating as intended and support financial reporting Testing strategy developed and followed during significant changes to ensure system continues to operate as intended Interfaces w/other systems tested to confirm data transmissions are complete, accurate, timely and valid

COBIT: Acquire and Implement Control Category

Change Management:
System changes of financial reporting significance are authorized and tested before movement into production
Requests for program/system changes and maintenance standardized, documented and subject to change management procedures and approvals Emergency control requests documented and approved Restrict migration of programs to production only by authorized personnel Protect security of data and programs being stored by the system

COBIT: Deliver and Support Control Category

Define and manage service levels
Quality of service levels are defined, documented, and monitored Key performance indicators are established to manage both internal and external service agreements

COBIT: Deliver and Support Control Category

Manage third party services Common understanding of performance levels by which quality will be measured Service levels defined and managed to support financial reporting system requirements Define framework to manage internal and external service level agreement key performance indicators

COBIT: Deliver and Support Control Category

Manage performance and capacity Monitor performance and capacity levels of systems and network Respond to suboptimal performance and capacity measures in a timely manner Planning for performance and capacity included in system design and implementation phases

COBIT: Deliver and Support Control Category

Educate and train users Identify and document the training needs of personnel Provide education and ongoing training programs that include: Ethical conduct System security practices Confidentiality standards Integrity standards Security responsibilities of staff

COBIT: Deliver and Support Control Category

Manage Facilities Adequate environmental controls at data center facility to maintain systems and data Fire suppression, uninterrupted power service, air conditioning and elevated floors considered

COBIT: Monitor and Evaluate Control Category

Monitoring
Data collected and reported regarding achievement of performance indicator benchmarks Established appropriate metrics to effectively manage the day-to-day activities of the IT Department

COBIT: Monitor and Evaluate Control Category

Internal Control Adequacy
Monitor effectiveness of internal controls via management reviews, comparisons and benchmarks Serious deviations in internal controls communicated to upper management, BOD, etc. when applicable Assessments of internal controls performed periodically

COBIT: Monitor and Evaluate Control Category

Independent Assurance Independent reviews prior to implementing significant IT systems Obtain independent internal control reviews of thirdparty service providers (SAS70 review)

COBIT: Monitor and Evaluate Control Category

Internal Audit Consider IT internal audit department to review IT activities and controls Risk Assessment and subsequent audit plan include IT considerations Follow-up on IT control issues in a timely manner

SOX and COBIT

The Public Company Accounting Oversight Board (PCAOB) suggests in the Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements:

IT controls have:
a pervasive effect on the achievement of controls related to reliable financial reporting should be evaluated in order to assess the likelihood of potential misstatements in each significant account the extent of information technology involvement in the period-end financial reporting process should be evaluated