Internal Control & Risk Management Framework

SOX 404 Risk Management Framework
COSO Risk Governance Framework
COBIT 5 IT Risk Assessment
Framework
COBIT 5 Enabling Process
COBIT 5 Implementation Process
COBIT 5 Future Supporting Process
CAAT Tools Risk Assessment
Techniques
Index of the Presentation

Australia/NZ Standard
Turnbull Guidance
European FERMA
NIPP , 2006 Framework
NIST Risk Framework
STF – Phases of Risk Assessment
Process
International Risk Assessment Standard
Index of the Presentation
Indian IT Act 2000

Presentation Outline
I. An Overview of Internal Control
II. The Components of Internal Control
III. Process for Understanding Internal Control and Assessing
Control Risk
IV. Communications with the Audit Committee and Management
11/23/16 Internal Risk Assessment Process

I. An Overview of Internal Control
A. Internal Control Defined
B. Reasonable Assurance
C. Section 404 Reporting Requirements for Management
D. Key Components of Managements’ Assessment of Internal Control
E. Auditor Responsibilities for Understanding Internal Control

A. Internal Control Defined
Reliability of financial reporting
Compliance with applicable laws and regulations
Effectiveness and efficiency of operations
An entity’s system of internal control consists of policies and
procedures designed to provide management with reasonable
assurance that the company achieves its objectives and goals
including:

B. Reasonable Assurance
Reasonable assurance
involves two
considerations:
 The cost of the entity’s
internal control should
not exceed the expected
benefits.
 Limitations exist in any
entity’s internal control.
Code the
missing cash to
bad debts.
Collusion

C. Section 404 Reporting Requirements for Management
Section 404 of Sarbanes-Oxley requires the management of public
companies to issue an internal control report that includes:
A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures for
financial reporting.
An assessment of the effectiveness of the internal control structure
and procedures for financial reporting as of the end of the company’s
fiscal year.

D. Key Components of Managements’ Assessment of Internal
Control
Management must
evaluate the design of
internal control over
financial reporting.
Management must test
the operating
effectiveness of those
controls.

E. Auditor Responsibilities for Understanding Internal Control
 Public and private companies – A sufficient understanding of internal
control is to be obtained to plan the audit and to determine the nature,
timing, and extent of tests to be performed. (2nd
standard of fieldwork)
 Public companies – Section 404 requires effort beyond that stated above
so that the auditor can provide a report on internal controls that
contains the following two opinions:
 Whether management’s assessment of the effectiveness of internal
control over financial reporting as of the end of the fiscal period is
fairly stated in all material respects.
 Whether the company maintained, in all material respects, effective
internal control over financial reporting as of the specified date.

A. The Control Environment
The control environment is concerned with the actions,
policies, and procedures that reflect the overall attitude of
the client’s top management, directors, and owners of an
entity about internal control and its importance.
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices

1. Integrity and Ethical Values
Management actions to
remove incentives that
prompt a person to
behave improperly.
Communication of
behavioral standards by
codes of conduct and
example.

2. Commitment to Competence
Management’s
consideration of the
competence levels for
specific jobs and how
those translate into
requisite skills and
knowledge.

3. Board of Directors and Audit Committee
 Board delegates responsibility for
internal control to management and is
charged with regular independent
assessments of management-
established internal control.
 The major stock exchanges require
listed companies to have an audit
committee composed of entirely
independent directors who are
financially literate.

4. Management’s Philosophy and Operating Style
Management, through its activities, provides clear signals to employees
about the importance of internal control. For example, are sales and
earnings targets unrealistic, and are employees encouraged to take
aggressive actions to meet those targets.

5. Organizational Structure
Understanding the client’s
organizational structure
provides the auditor with
an understanding of how
the client’s business
functions and implements
controls.

6. Human Resource Policies and Practices
 If employees are honest and
trustworthy, other controls can
be absent and reliable financial
statements will still result.
 Methods by which persons are
hired, trained, promoted, and
compensated are important
elements of internal control.

What to do now !!

Oops !! What to do now !!

1. Risk
Identification
2. Risk
Quantification
3. Risk
Response
4. Implement
Solutions
Step
• Seek perspectives of
entity and key
stakeholders
• Structured self
assessment
• Interviews/surveys
• Benchmarking
• Individual risk
categories (strategic,
operational, financial,
legal/regulatory,
technological or human
capital)
• Risk mapping
Activities
• Risk inventory
• Risk map (qualitative)
Output
• Risk analysis/ modeling
•Financial impact
•Probability
•Interdependencies
• Actuarial analysis
• Risk portfolio modeling
• Key risks determined
• Risk map (quantitative)
• Quantitative risk profile
• Risk bearing capacity /
corporate risk tolerance
• Optimize risk financing
•DFA models
•Alternative Risk
finance (captive,
finite, etc.)
•Pricing models
• Risk management
solutions / action plans
• Advice to optimize
financial and
operational mitigation
strategies
• Develop risk finance
marketing strategy and
select markets/trading
partners
• Implement risk
mitigation strategies
• Implementation of risk
financing strategies
• Ongoing ERM process
and organization
• RM Information
Systems and
monitoring capabilities
• Risk finance programs
• Risk mitigation
programs
• Ongoing ERM process

Old Risk Paradigm (RM)
 Risk is defined as the probability
of an identified adverse financial
or operational event.
 Risks within an organization can
be identified and managed within
functional silos:
- Insurance
- Human Resources
- Finance
- Safety/Loss Control
 Partial or full risk transfer
maximizes shareholder value.
New Risk Paradigm (ERM)
 Risk management is capital
management.
 Risk has both an upside and
downside potential.
 Risks do not exist in isolation; they
often cross artificial organizational
structures.
 Risks are better managed in
portfolios. This perspective opens
new possibilities.
 There exists an “Efficient Frontier”
for risk decisions, balancing
expected risk and return.

Risk Identification-Risk Mapping

Risk Response Paths
Risk Response Strategies
Transfer
Strategy People Process Systems
Financing
solutions
Capital
Markets
Insurance Hybrid
Avoid Risk
Exit
risk area
Mitigate
Organizational
solutions
(Enhance management
processes to better
manage risk)
Mitigate,
then Transfer
Risk management
and mitigation

StakeholderValue
Enterprise Wide Risk
Awareness
• Adoption of an ERM framework
• Executive ownership of risk
management
• Communication of strategic risks to
the Audit Committee
• Routine risk assessments
Risk Management
Integration
• Fully integrated ERM structure
based on an S-O 404/ approach
for all types of risk
• Enterprise-wide risk monitoring
and reporting
• Coordinated ERM activities
Value/Risk Optimization
• Risk management embedded in strategic
decision making process
• Identification and monitoring of early
warning risk indicators based on key risk
indicators
• Linkage of risks to shareholder value
• Effective use of risk modeling tools
Risk Specialization
• Independent risk management
activities, including insurance
purchasing and S-O 404
compliance
• Limited focus on the linkage
between enterprise-wide risks
and strategies
Risk Management Sophistication
Risk Management
Integration
Value/Risk
Optimization
Indicators
Enterprise Risk
Awareness
Risk Specialization
RM
Audit
IS
Legal
Most organizations
currently reside
here on the
continuum
HR Ops.

Driving Forces Behind COSO
Organization
Investors
Demand increased financial
disclosure and regulatory
compliance
Market/Credit Analysts
Require that management
strengthen its risk
disclosure capabilities
Stakeholders
Demand that management
adequately identify all material
risks that impact cash flow, capital
and mission
Auditors
Current protocols require
organizations to report risks
in a forward-looking context

ERM & Sarbanes-Oxley
 Sarbanes-Oxley Section 404
• focuses immediate management attention on financial reporting risk and internal
control systems
• sets forth an ongoing requirement for annual attestation
• financial reporting risks are closely linked to enterprise wide risk monitoring and
reporting
 COSO Framework
• provides a comprehensive framework for addressing risk across the organization
• helps to organize project based initiatives surrounding Sarbanes-Oxley towards a
process oriented and sustainable approach

COSO CONTROL FRAMEWORKS
COSO developed a model to
illustrate the elements of ERM.

COSO CONTROL FRAMEWORKS – Strategic
Columns at the top represent the
four types of objectives that
management must meet to
achieve company goals.
Strategic objectives
• Strategic objectives are high-
level goals that are aligned
with and support the
company’s mission.

COSO CONTROL FRAMEWORKS – Operations
Operations objectives
• Operations objectives deal with
effectiveness and efficiency of
company operations, such as:
– Performance and profitability
goals
– Safeguarding assets

COSO CONTROL FRAMEWORKS – Reporting
Operations objectives
Reporting objectives
• Reporting objectives help ensure
the accuracy, completeness, and
reliability of internal and external
company reports of both a
financial and non-financial nature.
• Improve decision-making and
monitor company activities and
performance more efficiently.11/23/16 Internal Risk Assessment Process

COSO CONTROL FRAMEWORKS – Reporting
ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies have
control over them.
However, strategic and operations
objectives are sometimes at the
mercy of external events that the
company can’t control.
Therefore, in these areas, the only
reasonable assurance the ERM
can provide is that management
and directors are informed on a
timely basis of the progress the
company is making in achieving
them.

COSO CONTROL FRAMEWORKS– Entity Level
Columns on the right represent
the company’s units:
Entire company

COSO CONTROL FRAMEWORKS – Division
Entire company
Division

COSO CONTROL FRAMEWORKS – Business Unit
Entire company
Division
Business unit

COSO CONTROL FRAMEWORKS – Subsidiary level
Entire company
Division
Business unit
Subsidiary

COSO CONTROL FRAMEWORKS – Internal Control
 The horizontal rows are eight related
risk and control components, including:
 Internal environment
• The tone or culture of the company.
• Provides discipline and structure and
is the foundation for all other
components.
• Essentially, the same as control
environment in the COSO internal
control framework.

COSO CONTROL FRAMEWORKS – Objective Setting
risk and control components,
including:
 Objective setting
• Ensures that management implements a process to formulate strategic, operations,
reporting, and compliance objectives that support the company’s mission and are
consistent with the company’s tolerance for risk.
• Strategic objectives are set first as a foundation for the other three.
• The objectives provide guidance to companies as they identify risk-creating events and
assess and respond to those risks.

COSO CONTROL FRAMEWORKS – Event Identification
including:
 Event identification
• Requires management to identify events that may affect the company’s ability to
implement its strategy and achieve its objectives.
• Management must then determine whether these events represent:
– Risks (negative-impact events requiring assessment and response); or
– Opportunities (positive-impact events that influence strategy and objective-setting
processes).

COSO CONTROL FRAMEWORKS – Risk Assessment
• Identified risks are assessed to determine
how to manage them and how they affect
the company’s ability to achieve its
objectives.
• Qualitative and quantitative methods are
used to assess risks individually and by
category in terms of:
– Likelihood
– Positive and negative impact
– Effect on other organizational units
• Risks are analyzed on an inherent and a
residual basis.
• Corresponds to the risk assessment
element in COSO’s internal control
framework.

COSO CONTROL FRAMEWORKS – Risk Response
• Management aligns identified risks with
the company’s tolerance for risk by
choosing to:
– Avoid
– Reduce
– Share
– Accept
• Management takes an entity-wide or
portfolio view of risks in assessing the
likelihood of the risks, their potential
impact, and costs-benefits of alternate
responses.

COSO CONTROL FRAMEWORKS – Control Objectives
including:
 Event identification
 Risk assessment
 Risk response
 Control activities

COSO CONTROL FRAMEWORKS – Information & Communication
• Information about the company and ERM
components must be identified, captured,
and communicated so employees can
fulfill their responsibilities.
• Information must be able to flow through
all levels and functions in the company as
well as flowing to and from external
parties.
• Employees should understand their role
and importance in ERM and how these
responsibilities relate to those of others.
• Has a corresponding element in the COSO
internal control framework.

COSO CONTROL FRAMEWORKS – Monitoring
• ERM processes must be monitored on an
ongoing basis and modified as needed.
• Accomplished with ongoing management
activities and separate evaluations.
• Deficiencies are reported to management.
• Corresponding module in COSO internal
control framework.

COSO CONTROL FRAMEWORKS – Monitoring
 The ERM model is three-dimensional.
 Means that each of the eight risk and
control elements are applied to the
four objectives in the entire company
and/or one of its subunits.

COSO risks ~ Inherit risk / Residual risks
COSO indicates there are
two types of risk:
Inherent risk
Residual risk
• The risk that remains after
management implements internal
controls or some other form of
response to risk.

Information!
 Information is a key resource for all enterprises.
 Information is created, used, retained, disclosed and destroyed.
 Technology plays a key role in these actions.
 Technology is becoming pervasive in all aspects of business and personal life.
What benefits do information and technology bring to enterprises?

Enterprise Benefits
Enterprises and their executives strive to:
 Maintain quality information to support business decisions.
 Generate business value from IT-enabled investments, i.e., achieve strategic
goals and realise business benefits through effective and innovative use of IT.
 Achieve operational excellence through reliable and efficient application of
technology.
 Maintain IT-related risk at an acceptable level.
 Optimise the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?

Stakeholder Value
 Delivering enterprise stakeholder value requires good governance and
management of information and technology (IT) assets.
 Enterprise boards, executives and management have to embrace IT like any
other significant part of the business.
 External legal, regulatory and contractual compliance requirements related
to enterprise use of information and technology are increasing, threatening
value if breached.
 COBIT 5 provides a comprehensive framework that assists enterprises to
achieve their goals and deliver value through effective governance and
management of enterprise IT.

The COBIT 5 Framework
 Simply stated, COBIT 5 helps enterprises create optimal value from IT by
maintaining a balance between realising benefits and optimising risk levels and
resource use.
 COBIT 5 enables information and related technology to be governed and
managed in a holistic manner for the entire enterprise, taking in the full end-to-
end business and functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders.
 The COBIT 5 principles and enablers are generic and useful for enterprises of
all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles

COBIT 5 Enablers

Governance and Management
 Governance ensures that enterprise objectives are achieved by evaluating
stakeholder needs, conditions and options; setting direction through
prioritisation and decision making; and monitoring performance, compliance
and progress against agreed-on direction and objectives (EDM).
 Management plans, builds, runs and monitors activities in alignment with
the direction set by the governance body to achieve the enterprise objectives
(PBRM).

In Summary …
COBIT 5 brings together the five principles that allow the enterprise to build an
effective governance and management framework based on a holistic set of
seven enablers that optimises information and technology investment and use
for the benefit of stakeholders.

IT Governance
COBIT4.0/4.1
Management
COBIT3
Control
COBIT2
An business framework from ISACA, at www.isaca.org/cobit
Audit
COBIT1
COBIT 5: Now One Complete Business Framework for
2005/720001998
Evolutionofscope
1996 2012
Val IT 2.0
(2008)
Risk IT
(2009)

COBIT 5 Framework
COBIT 5:
 The main, overarching COBIT 5 product
 Contains the executive summary and the full description of all of the COBIT 5
framework components:
 The five COBIT 5 principles
 The seven COBIT 5 enablers plus
 An introduction to the implementation guidance provided by ISACA (COBIT 5
Implementation)
 An introduction to the COBIT Assessment Programme (not specific to COBIT 5)
and the process capability approach being adopted by ISACA for COBIT

COBIT 5 Product Family

• Generally applicable and accepted international standard for good practice
for IT controls
• For application to enterprise wide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives
Aligned with de jure and de facto standards and regulations
Based on critical review of tasks and activities or process focus
• Includes existing standards and regulations
ISO, EDIFACT and others
Codes of Conduct issued by Council of Europe
Professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance
• Generally applicable and accepted international standard for good practice
for IT controls
• For application to enterprise wide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives
Aligned with de jure and de facto standards and regulations
Based on critical review of tasks and activities or process focus
• Includes existing standards and regulations
ISO, EDIFACT and others
Codes of Conduct issued by Council of Europe
Professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance
COBIT: An IT Control FrameworkPrinciples

ITIT
DomainsDomains
ProcessesProcesses
IT ControlIT Control
ObjectivesObjectives
Critical Success FactorsCritical Success Factors
Outcome MeasuresOutcome Measures
Key Performance IndicatorsKey Performance Indicators
Maturity ModelMaturity ModelIT ControlIT Control
PracticesPractices
• IT is an important element of corporate
governance and management
accountability.
• Ensure business-oriented solutions.
• Framework for risk assessment
• As a means to communicate with all
stakeholders
• Authoritative basis (internationally
accepted, exhaustive, evolving)
Why should an organisation adopt CWhy should an organisation adopt COBIOBIT?T?
COBIT: An IT Control Framework

“In order to provide the information that the organization needs to
achieve its objectives, IT resources need to be managed by a set of
naturally grouped processes.”
 Relates to business requirements (expressed as
information criteria)
 Links to business processes
 Empowers business owners
 Decomposes IT into four domains and 34 processes
 Domains: (plan-build-run) + monitor
 Control, audit, implementation and performance
management knowledge structured by process
BusinessProcess
Business Orientation and Process Focus
ITIT
ProcessesProcesses
Business
Requirements
ITIT
ResourcesResources
ITIT
ProcessesProcesses
Business
Requirements
ITIT
ResourcesResources

COBIT Framework Definition
“To provide the information that the organisation needs to achieve its objectives,
IT resources need to be managed by a set of naturally grouped processes.”
IT
Processes
Business
Requirements
IT
Resources
IT
Processes
Business
Requirements
IT
Resources
I T RESOURCESI T RESOURCESI T RESOURCES
I T PROCESSESI T PROCESSESI T PROCESSES
BUSI NESS
REQUI REMENTS
BUSI NESSBUSI NESS
REQUI REMENTSREQUI REMENTS
BUSI NESS
REQUI REMENTS
BUSI NESSBUSI NESS
BUSI NESS
REQUI REMENTS
BUSI NESSBUSI NESS
A process orientation is a proven management approach to efficiently exerciseA process orientation is a proven management approach to efficiently exercise
responsibilities, achieve set goals and reasonably manage risks.responsibilities, achieve set goals and reasonably manage risks.WHYWHY

Quality RequirementsQuality Requirements:
• Quality
• Delivery
• Cost
Security RequirementsSecurity Requirements
• Confidentiality
• Integrity
• Availability
Fiduciary RequirementsFiduciary Requirements
(COSO Report)
• Effectiveness and efficiency of
operations
• Compliance with laws and
regulations
• Reliability of financial reporting
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of
information
Business Requirements
IT
Processes
Business
Requirements
IT
Resources
IT
Processes
Business
Requirements
IT
Resources

Effectiveness –Deals with information being relevant and pertinent to the
business process as well as being delivered in a timely, correct, consistent and
usable manner
Efficiency –Concerns the provision of information through the optimal (most
productive and economical) usage of resources
Confidentiality –Concerns protection of sensitive information from
unauthorized disclosure
Integrity –Relates to the accuracy and completeness of information as well as
to its validity in accordance with the business‘s set of values and expectations
Availability –Relates to information being available when required by the
business process, and hence also concerns the safeguarding of resources
Compliance –Deals with complying with those laws, regulations and
contractual arrangements to which the business process is subject, i.e.,
externally imposed business criteria
Reliability of information–Relates to systems providing management with
appropriate information for it to use in operating the entity, providing financial
reporting to users of the financial information, and providing information to
report to regulatory bodies with regard to compliance with laws and
regulations
Business Requirements
IT
Processes
Business
Requirements
IT
Resources
IT
Processes
Business
Requirements
IT
Resources

Processes
A series of joined activities
with natural control breaks
Activities
or Tasks
Actions needed to achieve a
measurable result. Activities
have a life cycle, whereas
tasks are discrete.
Domains
Natural grouping of processes,
often matching an
organisational domain of
responsibility
Process Orientation
IT
Processes
Business
Requirements
IT
Resources
IT
Processes
Business
Requirements
IT
Resources

IT Domains
• Plan and
Organise
• Acquire and
Implement
• Deliver and
Support
• Monitor and
Evaluate
IT Processes
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities
• Record new problem
• Analyse
• Propose solution
• Monitor solution
• Record known problem
• Etc.
Natural grouping of
processes, often matching an
organisational domain of
responsibility A series of joined activities
with natural (control) breaks
Actions needed to achieve a
measurable result. Activities have
a life cycle, whereas tasks are
discrete.
Process Orientation
IT
Processes
Business
Requirements
IT
Resources
IT
Processes
Business
Requirements
IT
Resources

Five COBIT 5 Principles
The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

1. Meeting Stakeholder Needs
Principle 1. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.

1. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
 Enterprises have many stakeholders, and ‘creating value’ means different—and
sometimes conflicting—things to each of them.
 Governance is about negotiating and deciding amongst different stakeholders’
value interests.
 The governance system should consider all stakeholders when making benefit,
resource and risk assessment decisions.
 For each decision, the following can and should be asked:
Who receives the benefits?
Who bears the risk?
What resources are required?

Stakeholder needs have to be transformed
into an enterprise’s practical strategy.
The COBIT 5 goals cascade translates
stakeholder needs into specific, practical and
customised goals within the context of the
enterprise, IT-related goals and
enabler goals.

Benefits of the COBIT 5 goals cascade:
 It allows the definition of priorities for implementation, improvement and
assurance of enterprise governance of IT based on (strategic) objectives of the
enterprise and the related risk.
 In practice, the goals cascade:
 Defines relevant and tangible goals and objectives at various levels of
responsibility.
 Filters the knowledge base of COBIT 5, based on enterprise goals to extract
relevant guidance for inclusion in specific implementation, improvement or
assurance projects.
 Clearly identifies and communicates how (sometimes very operational)
enablers are important to achieve enterprise goals.

2. Covering the Enterprise End-to-end
Principle 2. Covering the Enterprise End-to-end:
 COBIT 5 addresses the governance and management of information and related
technology from an enterprise wide, end-to-end perspective.
 This means that COBIT 5:
 Integrates governance of enterprise IT into enterprise governance, i.e., the
governance system for enterprise IT proposed by COBIT 5 integrates
seamlessly in any governance system because COBIT 5 aligns with the latest
views on governance.
 Covers all functions and processes within the enterprise; COBIT 5 does not
focus only on the ‘IT function’, but treats information and related
technologies as assets that need to be dealt with just like any other asset by
everyone in the enterprise.

2. Covering the Enterprise End-to-end (cont.)
Principle 2. Covering the Enterprise End-to-end
Key components
of a governance
system
Source: COBIT®
5, figure 8. © 2012 ISACA®
All rights reserved.

3. Applying a Single Integrated Framework
Principle 3. Applying a Single Integrated Framework:
 COBIT 5 aligns with the latest relevant other standards and frameworks used
by enterprises:
 Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
 IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF,
PMBOK/PRINCE2, CMMI
 This allows the enterprise to use COBIT 5 as the overarching governance and
management framework integrator.
 ISACA plans a capability to facilitate COBIT user mapping of practices and
activities to third-party references.

4. Enabling a Holistic Approach
Principle 4. Enabling a Holistic Approach
COBIT 5 enablers are:
 Factors that, individually and collectively, influence whether something will
work—in the case of COBIT, governance and management over enterprise IT
 Driven by the goals cascade, i.e., higher-level IT-related goals define what the
different enablers should achieve
 Described by
 The COBIT 5 framework in seven categories

4. Enabling a Holistic Approach (cont.)

4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
1. Processes—Describe an organised set of practices and activities to achieve certain objectives
and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often
underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into
practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced
and used by the enterprise. Information is required for keeping the organisation running and
well governed, but at the operational level, information is very often the key product of the
enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and
applications that provide the enterprise with information technology processing and services
7. People, skills and competencies—Are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions

4. Enabling a Holistic Approach (cont.).
Principle 4. Enabling a Holistic Approach:
 Systemic governance and management through interconnected enablers—
To achieve the main objectives of the enterprise, it must always consider an
interconnected set of enablers, i.e., each enabler:
 Needs the input of other enablers to be fully effective, e.g., processes need
information, organisational structures need skills and behaviour
 Delivers output to the benefit of other enablers, e.g., processes deliver
information, skills and behaviour make processes efficient
 This is a KEY principle emerging from the ISACA development work around the
Business Model for Information Security (BMIS).

4. Enabling a Holistic Approach (cont.).
COBIT 5 Enabler Dimensions:
 All enablers have a set of common dimensions. This set of common dimensions:
 Provides a common, simple and structured way to deal with enablers
 Allows an entity to manage its complex interactions
 Facilitates successful outcomes of the enablers

5. Separating Governance From Management
Principle 5. Separating Governance From Management:
 The COBIT 5 framework makes a clear distinction between governance and
management.
 These two disciplines:
 Encompass different types of activities
 Require different organisational structures
 Serve different purposes
 Governance—In most enterprises, governance is the responsibility of the board
of directors under the leadership of the chairperson.
 Management—In most enterprises, management is the responsibility of the
executive management under the leadership of the CEO.

5. Separating Governance From Management (cont.)
•Governance ensures that stakeholders needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to be achieved;
setting direction through prioritisation and decision making; and monitoring
performance and compliance against agreed-on direction and objectives (EDM).
•Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives (PBRM).

COBIT 5 is not prescriptive, but it advocates that organisations implement governance
and management processes such that the key areas are covered, as shown.

Principle 5. Separating Governance from Management:
 The COBIT 5 framework describes seven categories of enablers (Principle 4).
Processes are one category.
 An enterprise can organise its processes as it sees fit, as long as all necessary
governance and management objectives are covered. Smaller enterprises may
have fewer processes; larger and more complex enterprises may have many
processes, all to cover the same objectives.
 COBIT 5 includes a process reference model (PRM), which defines and
describes in detail a number of governance and management processes. The
details of this specific enabler model can be found in the COBIT 5: Enabling
Processes volume.

COBIT 5: Enabling Processes
 COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed
reference guide to the processes that are defined in the COBIT 5 process reference
model:
 In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented
with a set of example metrics for the enterprise goals and the IT-related goals.
 In Chapter 3, the COBIT 5 process model is explained and its components
defined.
 Chapter 4 shows the diagram of this process reference model.
 Chapter 5 contains the detailed process information for all 37 COBIT 5
processes in the process reference model.

COBIT 5: Enabling Processes (cont.)

COBIT 5: Enabling Processes (Cont.)
COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and
activities of the enterprise into two main areas—governance and management—
with management further divided into domains of processes:
• The GOVERNANCE domain contains five governance processes; within each
process, evaluate, direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with the responsibility areas of
plan, build, run and monitor (PBRM).

COBIT 5 Implementation
• The improvement of the governance of enterprise IT (GEIT) is widely recognised
by top management as an essential part of enterprise governance.
• Information and the pervasiveness of information technology are increasingly
part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing
array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also
driving heightened awareness of the importance of a well-governed and
managed IT environment.

COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help enterprises implement
sound governance enablers. Indeed, implementing good GEIT is almost
impossible without engaging an effective governance framework. Best practices
and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and
adapted effectively. There are challenges that need to be overcome and issues that
need to be addressed if GEIT is to be implemented successfully.
• COBIT 5: Implementation provides guidance on how to do this.

• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and
programme management
• Using COBIT 5 and its components

COBIT 5 Future Supporting Products
Future supporting products:
• Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
• Enabler Guides:
• COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
• Process Assessment Model (PAM): Using COBIT 5
• Assessor Guide: Using COBIT 5
• Self-assessment Guide: Using COBIT 5

You Tube Videos
• https://www.youtube.com/watch?v=q7xexHtwSGI
• https://www.youtube.com/watch?v=OqxVzFHnmu4
• https://www.youtube.com/watch?v=1cAslMQu2kE

Selection and Application of CAATs

Today’s Environment
 Internal Auditors are advising organizations on internal control attributes and
ways to gain assurance from information.
 SOX compliance efforts have led companies to delve more deeply into their
financial statement reporting elements and into the data that feeds and supports
the financial data.
 Internal Audit groups faced with growing workloads and heightened
accountability
 Discovering that Computer Assisted Auditing Tools (CAATs) offer much needed
help
 Audit technology tools facilitate more granular analysis of data and help to
determine the accuracy of the information

CAATs- Review 100% of data
 Comprehensive approach of testing contrasts with traditional audit sampling
methods (extracting small data sets and extrapolating conclusions about the
population of transactions)
 Sampling techniques require audit judgment and confidence levels; whereas
CAATs deliver more definitive results because the entire population of data
can be tested

Tool selection
 The challenge
 Make sure you are looking at the right tools to deliver the benefits your
company needs
 It is the user’s responsibility to become familiar with the tools available in
order to pick the right one
 Have a solid knowledge of your business, your data, and the accounting
practices in your industry
 Filtering large volumes of data is much more practical and effective
 Work with greater quantities of data
 Work with data that is more complex
 Ability to identify financial leakage, policy noncompliance, and mistakes or
errors in data processing
 For example: duplicate vendor payments; fraudulent transactions,
circumvention of invoice approval limits

Tool selection
 The IIA conducted an audit software analysis and reported several key
recommendations for internal auditors to consider in the selection of CAATs:
1. Determine the enterprise’s audit mission, objectives and priorities
2. Determine the types and scope of audits
3. Consider the enterprise’s technology environment
4. Be aware of the risks

1. Determine the enterprise’s audit mission, objectives
and priorities
 Auditors must consult with management regarding what audit functions are of the
highest priority and where computer audit tools may be applied to help meet those
priorities.

2. Determine the types and scope of audits
What is the stated objective of the audits?
What kinds of questions will auditors be asking and what will be the
boundaries?
Arriving at answers to these questions will be critical in making an
appropriate software decision.

3. Consider the enterprise’s technology environment
 Any audit tools selected will have to mesh with the other software, hardware and
network systems already in place.
 In some cases, the existing IT infrastructure may incorporate tools that auditors
can use in concert with automated software tools for improved effect.

4. Be aware of the risks
 Applying software to any mission-critical function carries some risks, and auditing
software is no different.
 Automated software tools can prompt auditors to jump to faulty conclusions or
make assumptions that run counter to enterprise operations.

Tool Selection
 Consider:
 How many data sources you have
 Volume of transactions
 Characteristics to look for in CAATs:
 Ease of use
 Ease of data extraction
 Ability to access a wide variety of data files from different platforms
 Ability to integrate data with different format
 Ability to define fields and select from standard formats
 Menu-driven functionality for processing analysis commands
 Simplified query building and adjustments
 Logging features

Audit Data Analysis Techniques
 Execute tests for virtually all industries and almost all types of data:
 Accounts Receivable
 Payroll
 Cash Disbursements
 Purchasing
 Sales
 General Ledger
 Work in Progress
 Loss Prevention
 Asset Management
 Limiting factors:
 Access to data
 Understanding of the data fields
 Creativity of the auditor

ACL (Generalized Audit Software)
 Data is locked down as read-only
 No chance of inadvertently changing the data
 Much higher risk when using spreadsheets
 Commands are auditor-friendly
 Fairly easy to grasp what the commands will do once explained
 Reasonably short learning curve

ACL
 Automatically records all of the commands that are run and the results of the
procedures in its log
 LOG feature enables automation of work papers
 Export the log to a word processor or other file type
 Batch feature (Writing Scripts)
 Develop audit procedures to run in ACL
 Auditor puts together the various routines in a batch (similar to a macro)
 Next time the auditor can run one command (push a button), and all of those
procedures will run on autopilot with ACL dumping the results into the log
 Become much more efficient over time by running same tests periodically,
adding new procedures to the batch

Additional Keys to Success
 Identify a Champion- person with ability to motivate, supervise, and generally
make sure the technology is employed and becomes successful
 General Training- for the users of the software (www.acl.com)
 Identify power users- given more specific training and become leaders of
implementing the chosen software; assist other auditors; conduct in-house
training.

Audit Data Analysis Techniques
 CAATs especially valuable in environments that have:
 High volumes of transactions
 Complex processes
 Distributed operations
 Unrelated applications and systems

Advantage of CAATs
 Organizations gain assurance about the accuracy of transactional data, and the
extent to which business transactions adhere to controls and comply with policies
 Consistent use of automated transaction analysis and continuous monitoring,
CAATs enable real-time independent testing and validation of critical enterprise
data.

Advantage to Management
 Management can use such information to proactively identify exceptions to
controls and compliance policies and take immediate action.
 Implementing these programs can lead to increased confidence in the corporate
data underlying financial reporting.

Risk Equation
Risk = Vulnerability x Threat x Impact
*Probability
 Vulnerability = An error or a weakness in the design, implementation, or
operation of a system.
 Threat = An adversary that is motivated to exploit a system vulnerability and is
capable of doing so
 Impact = the likelihood that a vulnerability will be exploited or that a threat may
become harmful.
 *Probability = likelihood already factored into impact.

ERM Frameworks
 COSO’s ERM – Integrated Framework
 Australia/New Zealand Standard – Risk Management
 ISO Risk Management - Draft Standard
 The Combined Code and Turnbull Guidance
 A Risk Management Standard by the Federation of European Risk Management
Associations (FERMA)

Australia/New Zealand Standard
(ASS/NZS 4360:2004) – Risk Management

The Combined Code and Turnbull Guidance
Risk assessment
 Does the company have clear objectives and have they been communicated so as
to provide effective direction to employees on risk assessment and control issues?
For example, do objectives and related plans include measurable performance
targets and indicators?
 Are the significant internal and external operational, financial, compliance and
other risks identified and assessed on an ongoing basis? These are likely to include
the principal risks identified in the Operating and Financial Review.
 Is there a clear understanding by management and others within the company of
what risks are acceptable to the board?

122
Turnbull Report
Risk Assessment
Control Environment
Control Activities
Information and Communication
Monitoring

A Risk Management Standard by the Federation of European
Risk Management Associations (FERMA)

Risk Management Framework for Critical Infrastructure
Protection
National Infrastructure Protection Plan, 2006

NIST Risk Management Framework
Determine security control effectiveness (i.e.,
controls implemented correctly, operating as
intended, meeting security requirements)
SP 800-53A
ASSESS
Security Controls
Continuously track changes to the information
system that may affect security controls and
reassess control effectiveness
SP 800-37 / SP 800-53A
MONITOR
Security Controls
Document in the security plan, the security
requirements for the information system and
the security controls planned or in place
SP 800-18
DOCUMENT
Security Controls
SP 800-37
AUTHORIZE
Information System
Determine risk to agency operations, agency
assets, or individuals and, if acceptable,
authorize information system operation
SP 800-53 / SP 800-30
SUPPLEMENT
Security Controls
Use risk assessment results to supplement the
tailored security control baseline as needed to
ensure adequate security and due diligence
FIPS 200 / SP 800-53
SELECT
Security Controls
Select baseline (minimum) security controls to
protect the information system; apply tailoring
guidance as appropriate
Implement security controls; apply
security configuration settings
IMPLEMENT
Security Controls
SP 800-70
Define criticality /sensitivity of
information system according to
potential impact of loss
FIPS 199 / SP 800-60
CATEGORIZE
Information System
Starting Point

Risk Assessment Framework – Security Task Force
 Purpose of Framework: to provide a high-level overview on the subject of
conducting a risk assessment of information systems within higher education.
 Points to Consider:
 Risk Assessment (RA) is an ongoing process
 RA requires strong commitment from senior administration and collaboration
between cross-functional units
 RA is part of strategic and continuity planning
 RA requires planning and strategy that systematically increases the scope
 RA needs to become a part of the culture of the university community
 Effective Risk Management (RM) practices require a "risk aware" culture
 Effective RM can provide the basis for prioritizing and resolving possible
funding conflicts
 policy supporting ongoing risk assessment should be developed

Phases of Risk Assessment
 Phase 0: Establish Risk Assessment Criteria for the Identification and
Prioritization of Critical Assets (a one-time process)
 Phase 1: Develop Initial Security Strategies
 Phase 2: Technological View - Identify Infrastructure Vulnerabilities
 Phase 3: Risk Analysis - Develop Security Strategy and Plans

Phase 0: Establish Risk Assessment Criteria
 Goal: to quickly establish the overall criteria for the identification of critical data
assets and their appropriate priority level and to obtain senior management's
perspective on issues of strategic importance.
 Process 1: Establish Risk Assessment Criteria
 Process 2: Apply the Critical Asset Criteria to Classify Data Collections and Related
Resources

Phase 1: Develop Initial Security Strategies
 Goal: Once the information assets have been classified, strategic planning for the
rest of the risk management process can begin. Vulnerabilities can be identified,
and the process of mitigating the threats that can exploit those vulnerabilities can
begin. An institution can decide to specifically focus on the very highest risks, or it
may decide to focus first on mitigating risks broadly (or both). The mere process of
bringing management together to discuss the organization's strategy about risk
mitigation can be extremely fruitful.
 Process 1: Strategic Perspective - Senior Management
 Process 2: Operational Perspective - Departmental Management
 Process 3: Practice Perspective – Staff
 Process 4: Consolidated View of Security Requirements

Phase 2: Identify Infrastructure Vulnerabilities
 Goal: To identify areas of potential exposure associated with the systems
architecture.
 Process 1: Evaluation of Key Technology Components
 Process 2: Evaluation of Selected Technology Components

Phase 3: Develop Security Strategy and Plans
 Goal: After identifying key information systems resources and evaluating the
degree of vulnerability with the systems, quantitatively determine the level of risk
associated with each system and system component. This information may then be
used to prioritize the allocation of resources to ensure appropriate mitigation of
the highest risks and to make appropriate management decisions about the degree
of risk that the organization will be willing to accept.
 Process 1: Risk Assessment

Steps
1. Assess the potential impact of threats (and vulnerabilities) to critical assets
(qualitative and/or quantitative)
2. Evaluate the likelihood of occurrence of the threats (high, medium, low)
3. Create a consolidated analysis of risks, based on the impact value to critical
assets and the likelihood of occurrence
 Process 2: Protection Strategy and Mitigation Plans

Conclusion
It is important to note that this is a process that has no finish line. While a risk
assessment - the process of identifying and quantifying risks - might take place on
an infrequent basis (e.g., annually), the risk management process - the ongoing
process of mitigating the risks to the organization - should be ingrained into the
institution's culture to be most effective.

Content of presentation
 What is internal control?
 COSO, Intosai, EU view, UK view
 UK “methodology”
 Governance, role of audit committee, management of risk, role of internal and
external audit, statement on internal control
 How it all fits together
 Assessment against COSO/ INTOSAI
 Key concepts
 Accountability
 Delegation
 Proportionality

What is internal control?
INTOSAI (2004)
Internal control is an integral process that is effected by an entity’s management
and personnel and is designed to address risks and to provide reasonable
assurance that in pursuit of the entity’s mission, the following general objectives
are being achieved:
Executing orderly, economical, efficient and effective operations
Fulfilling accountability operations
Complying with applicable laws and regulations
Safeguarding resources against loss, misuse and damage

What is internal control?
COSO/ INTOSAI components
Control environment
Risk assessment
Control activities
Information and communication
Monitoring

The UK “Methodology”
Governance is the key
 Defined accountability – role of Minister and Accounting Officer, both
responsible and answerable to Parliament
 Corporate Governance Code: Responsibilities of departmental Board
 To ensure that effective arrangements exist to provide assurance on risk
management, governance and internal control
 Role of Audit Committee
 Internal Audit function

Role of audit committee: 5 principles
 Supports the Board and the Accounting Officer by reviewing the
comprehensiveness, reliability and integrity of assurances that risk management,
governance and internal control are functioning effectively
 Independent and objective with a good understanding of the priorities of the
organisation
 Provides an appropriate mix of skills
 Terms of reference to define scope of work
 Effective communication with Board, Head of Internal Audit, external audit and
other stakeholders

Role of internal audit:
To provide an independent and objective opinion to the Accounting Officer
on risk management, control and governance*, by measuring and evaluating
their effectiveness in achieving the organisation’s agreed objectives.
* The policies, procedures and operations established to ensure the achievement of
objectives, the appropriate assessment of risk, the reliability of internal and external
reporting and accountability processes, compliance with applicable laws and
regulations and compliance with behavioural and ethical standards.

Management of risk
 All government organisations must have basic risk management processes in place
 Guidance provided in “The Orange Book”
 Risk should managed to a level which is tolerable
 Effectiveness of risk management audited internally and externally
 Accounting Officer must comment on risk management in his annual “Statement on
Internal Control”

The Statement on Internal Control
 Every Accounting Officer must sign an annual Statement on Internal Control
 Prescribed format given in Financial Reporting Manual
 Scope of responsibility
 Purpose of the system of internal control
 Capacity to handle risk
 Risk and control framework
 Review of effectiveness (significant internal control issues must be mentioned)

The Statement on Internal Control: examples of significant internal control
issues
 Failure to achieve a Public Service Agreement target
 Organisation had to seek additional funding from Treasury
 Adverse opinion from external auditor – material impact on the accounts
 Head of Internal Audit and/or Audit Committee agree that an issue is significant
 Public interest and/or damage to the organisation’s reputation

Role of external audit (National Audit Office)
 To review the Statement on Internal Control for each government organisation
 Compliance with Treasury requirements
 Consistency with external auditor’s work on financial statements
 To provide an assurance to Parliament that the resource accounts have been
properly prepared, are free from material misstatement, and that transactions
have appropriate Parliamentary authority
 To provide value-for-money reports assessing the economy, efficiency and
effectiveness with which public money has been used

How do we match up against COSO/ INTOSAI?
Control environment:
Accountability to Parliament, Board and Audit Committee
Risk assessment:
Risk management systems widespread, audited internally and externally, reported
on in annual Statement on Internal Control
Control activities:
Delegated to the organisation, described in the Statement on Internal Control
Information and Communication:
Annual reports, regular reporting to Board and Audit Committee
Monitoring:
Internal audit reports, regular monitoring by Board and Audit Committee, results of
monitoring summarised in Annual Statement on Internal Control

Internal Control & Risk Management Framework

More Related Content

What's hot

Viewers also liked

Similar to Internal Control & Risk Management Framework

Internal Control & Risk Management Framework

Editor's Notes