SlideShare a Scribd company logo
Guidance to Validate
Internal Control
Assertions in Indian
Financial Reporting
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
1
TABLE OF CONTENTS
Acknowledgements ....................................................................................................................................................................... 3
Section 1 – Executive Summary.......................................................................................................................................................... 4
Need for This publication ............................................................................................................................................................... 4
Objective Statement....................................................................................................................................................................... 5
Identified Stakeholders .................................................................................................................................................................. 5
An Introduction to This document ................................................................................................................................................. 5
Benefits Derived From This Document........................................................................................................................................... 7
Approach to This publication.......................................................................................................................................................... 8
An Example of How to Read the Document................................................................................................................................. 10
References for the Publication ..................................................................................................................................................... 17
Section 2 – Detailed Publication ....................................................................................................................................................... 18
Definitions .................................................................................................................................................................................... 18
Chapter 1 - Governance and Risk Management in India – Regulatory Requirements to Comply With Indian Regulations ........ 22
Governance.............................................................................................................................................................................. 22
Risk Management..................................................................................................................................................................... 24
Assurance................................................................................................................................................................................. 25
Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008).................................. 27
Summary .................................................................................................................................................................................. 28
Chapter 2: Introduction to COBIT 5.............................................................................................................................................. 29
Chapter 3 – How COBIT 5 Can Be Used to Comply With Governance.......................................................................................... 32
Stakeholder 1 – Board of Directors.......................................................................................................................................... 38
Stakeholder 2 - Management................................................................................................................................................... 46
Stakeholder 3 – Auditor ........................................................................................................................................................... 77
Summary .................................................................................................................................................................................. 92
Section 3 Checklists........................................................................................................................................................................... 92
Checklist 1 – General Checklist for Governance........................................................................................................................... 93
Checklist 2 – General Checklist for Risk Management ................................................................................................................. 94
Checklist 3 – General Checklist Audit and Assurance................................................................................................................... 94
Checklist 4 – Compliance With the Data Protection Areas of IT Act ............................................................................................ 95
Checklist 5 – Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally
Identifiable Information ............................................................................................................................................................... 98
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
2
ISACA
With more than 115,000 constituents in 180 countries, ISACA(www.isaca.org) helps business and IT leaders build trust in, and
value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards,
networking, and career development for information systems audit, assurance, security, risk, privacy and governance
professionals. ISACA offers the Cybersecurity Nexus
™
, a comprehensive set of resources for cybersecurity professionals, and
COBIT
®
, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances
and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor
®
(CISA
®
), Certified Information Security Manager
®
(CISM
®
), Certified in the Governance of Enterprise IT
®
(CGEIT
®
) and Certified in
Risk and Information Systems Control
™
(CRISC
™
) credentials. The association has more than 200 chapters worldwide.
Disclaimer
This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every
entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and
circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with
the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or
suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred
as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the
consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have
jurisdiction relating to any lawsuits pertaining to this book.
The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely
those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices.
The opinions and views of the authors do not necessarily reflect those of ISACA.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed,
stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or
otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely
permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full
attribution of the material’s source. No other right or permission is granted with respect to this work.
This text uses relevant ISACA publications with permission.
ISACA
3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
ISACA® and COBIT® are registered trademarks of ISACA.
Participate in the ISACA Knowledge Center: www.isaca.org/topic-India
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
3
ACKNOWLEDGMENTS
ISACA Wishes to Recognize:
The ISACA India Task Force
Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK,
COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA,
Freelance consultant and trainer, Pune, India
Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India
Project Coordinator and Advisor
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Content Development Team
Mr. Anand Prakash Jangid CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India
Mr. Rajiv Gupta CISA, CFE, ACA, Coca-Cola India
Ms. Vishakha Chhawchharia CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Amarnath Daga CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Bharath Rao B CeHv8, Quadrisk Advisors, Bangalore, India
Mr. Anish Jain ACA, Quadrisk Advisors, Bangalore, India
Ms. Shefalika Sahu ACA, Quadrisk Advisors, Bangalore, India
Mr. Firoz Attarwala ACA, Quadrisk Advisors, Bangalore, India
Expert Reviewers
Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK,
COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA,
Freelance consultant and trainer, Pune, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Shrikant Patil
Mr. Shashikant Shirahatti
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
4
SECTION 1 – EXECUTIVE SUMMARY
NEED FOR THIS PUBLICATION
As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies assert to their
stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and
presentation of financial statements that need to give a true and fair view of financial position on a particular date and
performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to
fraud or error. This responsibility is an onerous one.
Under Section 211 (7) of the Indian Companies Act, 1956, in the event that a company fails to take all reasonable steps to secure
compliance, the willful negligence may be punishable with imprisonment for a term which may extend up to six months or a fine
which may extend to ten thousand rupees or with both imprisonment and a fine. The new Companies Act, 2013 has not only
emphasized the above requirements, but also has upped the ante in increasing a number of corporate governance and risk
management requirements.
This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements
and committing to assertions on internal controls. This publication guides the board, management and auditors in complying
with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the
Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework.
With the changing times, there also is a need for greater accountability of companies to their shareholders and customers. A
need for governance arises from the separation of management from ownership. For a firm success, companies need to
concentrate on both economic and social aspects. Companies needs to be fair with producers, shareholders, customers, etc.,
and have various responsibilities toward employees, and communities. Companies need to serve their responsibilities in all
aspects.
There are several important issues in governance and they play a great role. All the issues are inter-related and interdependent
with each other. Each of the issues connected with governance has different priorities in each of the corporate bodies.
The issues are:
1. Value-based corporate culture
2. Holistic view
3. Compliance with laws
4. Disclosure, transparency, and accountability
5. Governance and human resource management
6. Innovation
Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid
such catastrophes that often leave executives unemployed. Many executives believe that risks are higher than ever before.
However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and
infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value.
Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach.
The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors.
The importance of governance along with efficient risk management lies in its contribution both to business prosperity and to
accountability.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
5
OBJECTIVE STATEMENT
This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements
and committing to assertions on internal controls. This publication guides the board, management and auditors in complying
with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the
Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework.
IDENTIFIED STAKEHOLDERS
This publication is targeted at the following audience, as their roles play the most crucial role in developing, maintaining and
evaluating governance. COBIT® 5 is a business framework for the governance and management of enterprise IT, and hence their
roles are restricted to the areas in which IT Information is present.
• Board of directors
• Management
o Chief executive officer (CEO)
o Chief financial officer (CFO)
o Chief information officer (CIO)
o Chief risk officer (CRO)
o Chief information security officer (CISO)
• Auditors (external and internal)
AN INTRODUCTION TO THIS DOCUMENT
Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly
dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory
change. There has been a significant increase in the scope of audit and other internal control and risk management along with
increased public scrutiny.
It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between:
• Strengthened central controls and fast local responsiveness
• Effective risk management and the enduring need for innovation
• The costs of compliance with the new governance regulation and the value it brings
The following factors disrupt the normal operations of the company.
Internal Factors
The Board of Directors/Management
The board advises the company’s CEO, who runs the daily operations, and reviews the quality of recommendations the CEO
receives from others in corporate management.
Some board members may be employees or family members (most often from the extended family of the company’s founder).
Other board members may be affiliated with the company through a banking relationship, a law company retained by the
company, or someone who represents a customer or supplier. Such members may be subject to potential conflicts of interest
that cause them to act in ways not necessarily in the shareholders’ best interests. This has led some observers to argue that
boards should be composed primarily of independent directors and different individuals should hold the CEO and board
chairperson positions.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
6
Internal Controls
Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having
systems in place—even if they are properly engineered and constructed—is not sufficient to guarantee both the effectiveness of
the required actions and the reliability of the collected data. Thus, extra procedures are built into every system by management
to help ensure that every operation is performed as intended and the resulting financial data are reliable. Internal controls over
financial reporting is a formal system of checks and balances, monitored by management and the board of directors and
reviewed by the outside auditor. To be efficient and effective, these systems must be carefully designed and maintained. They
need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually
every system.
Anti-takeover Defenses
A company’s management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify
current management’s position within the company.
Corporate Culture and Values
While internal systems and controls are important, good governance also results when the employee culture is instilled with
appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior
management and their willingness to behave in a manner consistent with what they demand from other employees.
Impact Due to Internal Factors
One can conclude that if the company’s internal controls are not aligned for achieving governance, the company can face serious
repercussions regarding integrity and professionalism of the company, which in turn affects the goodwill of the company.
Internal controls help the company to achieve long-term stability. If there is chaos in the company, loss of shareholder faith and
loss of money would be inevitable.
External Factors
Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an
important role in maintaining good governance practices.
Institutional Activists
Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can
affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with
merger and acquisition activity, has become an important factor in disciplining underperforming managers.
Amalgamations and Acquisitions
Changes in corporate control can occur because of a hostile (i.e., bids contested by the target’s board and management) or
friendly takeover of a target company or because of a proxy contest initiated by dissident shareholders. When a company’s
internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a
“court of last resort” to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast,
lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a
company’s management can be reinforced when it is paired with a large shareholding by an institutional investor.
Impact Due to External Factors
After establishing an ideal internal control environment for achieving governance, it is crucial that the company maintains the
same. External factors also affect the company’s governance. Thus, events like accounting frauds, cyberattacks, social
engineering attacks and market instability would be unavoidable if governance is not implemented correctly. Any changes in
legal, compliance, statutory, etc., areas has to be fulfilled by the company to sustain itself in the market and grow accordingly.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
7
This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the
governance, risk management and information security regulatory requirements from the Companies Act, 2013, Clause 49 and
the Information Technology Act, 2008 (as amended).
BENEFITS DERIVED FROM THIS DOCUMENT
Using this guidance note results in a number of easier governance and enterprise risk management (ERM) solutions to the
enterprise and in a number of enterprise benefits, such as:
• Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk
management compliances, best practices, etc.
• Increased user satisfaction with governance arrangements and outcomes
• Improved integration of governance and ERM in the enterprise
• Informed risk decisions and risk awareness
• Reduced (impact of) costs of noncompliance of governance and ERM
• Improved management of costs related to the governance and ERM
• Better understanding of governance, ERM and internal controls
• Enhanced support for innovation and competitiveness
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
8
Regulations of
Companies Act,
2013 and Clause 49
• Regulations related to governance and risk
management and data privacy were identified.
• Stakeholders were identified.
Stakeholder Needs
Identification
• Questions are given from COBIT.
• Questions are selected based on the regulation that is
applicable to the stakeholder.
Enterprise Goals
Identification
• Respective enterprise goals are selected for stakeholder
needs.
IT Goals
Identification
• Enterprise goals are converted to relevant IT goals
according to the mapping that is given in the annexure
of the COBIT 5 framework.
Process Enablers &
Management
Practices
• Process enablers and practices from COBIT are selected
and applied in the relevant section.
APPROACH TO THIS PUBLICATION
This publication was prepared in keeping with the following:
The COBIT enablers are tailored for compliance of governance requirements, enterprise risk management (ERM) and data
security requirements based on the previous chart. Section two of this publication is divided into three chapters. The first
chapter gives a broad view of the following:
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
9
• Regulation requirements are captured in detail with respect to each identified stakeholder of the Companies Act, 2013,
Clause 49 and Information Technology Act, 2008, covering areas of governance, risk management, assurance and data
security.
• Relevant practices are suggested by COBIT 5 that can be implemented to comply with these areas.
Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers.
Chapter 3 gives the relevant guidance for compliance to the listed regulations, keeping the stakeholders in mind, by using COBIT
5. This chapter has segregated the requirements that were applicable for each stakeholder, respectively, and the respective
COBIT enabler usage to meet the stakeholder requirements is explained. Therefore, it is crucial that the previous chart be kept in
mind while going through the document.
Stakeholders are expected to follow these steps in order to bring value to their company:
Chapter 1
•Regulatory requirements from the
Companies Act, 2013, Clause 49 and
Information Technology Act, 2008
•Governance, risk management,
assurance and security
Chapter 2
•Introduction to COBIT 5
•Principles and enablers
Chapter 3
•Stakeholder segregation
•RACI charts for the role of the
stakeholder in an activity
•COBIT 5 recommended practices for
each stakeholder
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
10
AN EXAMPLE OF HOW TO READ THE DOCUMENT
Risk management compliance is to be performed by the company.
Step 1 – Identify the regulation with which the user needs to comply (from chapter 1).
Section Reference Regulatory Requirement
Companies Act, 2013
Section 134, Clause 3(n)
There shall be attached to statements laid before a company in general meeting, a
report by its board of directors, which shall include a statement indicating development
and implementation of a risk management policy for the company including
identification of elements of risk, if any, which in the opinion of the board may threaten
the existence of the company.
How this document will be
useful:
Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant
management practices as identified for the various stakeholders in chapter 3
Step 2 – Determine the stakeholders that are affected. Classify them as primary and secondary.
Primary stakeholder identified—Board of Directors
Secondary stakeholder Identified—Management
Step 3 – Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation
from the “How this document will be useful” row.
Identified processes – EDM03, APO12
Step 1 - Identify the regulation with which the company needs to comply
(from chapter 1).
Step 2 - Determine the stakeholders that are affected. Classify them as
primary and secondary.
Step 3 - Identify the required processes of COBIT that need to be
incorporated in order to comply with the selected regulation from the
“How this document will be useful” row.
Step 4 - Locate the processes under the respective stakeholder (in chapter
3) and identify the role of the stakeholder in the RACI (Responsible,
Accountable, Consulted, Informed) chart that has been provided.
Step 5 - Incorporate the activities that are described in detail under the
respective stakeholder in the RACI chart (in chapter 3).
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
11
Step 4 – Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI
chart (Responsible, Accountable, Consulted, Informed) that has been provided.
RACI Chart – Board of Directors
Governance Practice Board
EDM03.01 Evaluate risk management. A
EDM03.02 Direct risk management. A
EDM03.03 Monitor risk management. A
RACI Chart - Management
Management Practice
ChiefExecutiveOfficer
ChiefFinancialOfficer
ChiefInformationSecurityOfficer
ChiefRiskOfficer
ChiefInformationOfficer
APO12.01 Collect data. I R R A
APO12.02 Analyze risk. I C R A
APO12.03 Maintain a risk profile. I C A R
APO12.04 Articulate risk. I C R A
APO12.05 Define a risk management action portfolio. I C A R
APO12.06 Respond to risk. I R R A
Step 5 – Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).
Board of Directors –
1. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is
identified and managed.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
12
ACTIVITY DETAILED ACTIVITIES
1. Determine the level of IT-related risk that the
enterprise is willing to take to meet its risk
objectives.
2. Evaluate and approve proposed IT risk tolerance
thresholds against the enterprise’s acceptable risk
and opportunity levels.
3. Determine the extent of alignment of the IT risk
strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of
pending strategic enterprise decisions and ensure
that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk
assessment and evaluation, as described in relevant
international and national standards.
6. Evaluate risk management activities to ensure
alignment with the enterprise’s capacity for IT-
related loss and leadership’s tolerance of it.
The board needs to actively take part in the risk evaluation
process of the enterprise, which also includes the IT-related
risks, and, in assessing the risk, define a risk tolerance
threshold for acceptable risks and opportunity levels.
The board needs to evaluate the risk factors before taking
decisions on strategies to ensure that impact of risk has
been factored.
The board should evaluate the risk management activities
and regularly define the enterprise’s capacity for loss and
the tolerance limits.
2. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management
practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
ACTIVITY DETAILED ACTIVITIES
1. Promote an IT risk-aware culture and empower the
enterprise to proactively identify IT risk,
opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and
operations with the enterprise strategic risk
decisions and operations.
3. Direct the development of risk communication
plans (covering all levels of the enterprise) as well
as risk action plans.
4. Direct implementation of the appropriate
mechanisms to respond quickly to changing risk and
report immediately to appropriate levels of
management, supported by agreed-on principles of
escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns
may be identified and reported by anyone at any
time. Risk should be managed in accordance with
published policies and procedures and escalated to
the relevant decision makers.
6. Identify key goals and metrics of risk governance
and management processes to be monitored, and
approve the approaches, methods, techniques and
processes for capturing and reporting the
measurement information.
The board needs to actively take part in promoting a culture
where opportunities, risks and their impacts are proactively
identified.
The board should ensure that there is integration within the
risk strategies for IT and the enterprise and there are no
conflicts.
The board should direct the development of risk
communication plans and action plans to all levels of the
enterprise, which shall ensure timely responses to a
changing risk environment.
The board should encourage reporting of incidents by any
level of management in a timely manner and direct handling
of incidents according to the defined policies and
procedures.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
13
3. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be
identified, tracked and reported for remediation.
ACTIVITY DETAILED ACTIVITIES
1. Monitor the extent to which the risk profile is
managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance
and management processes against targets, analyze
the cause of any deviations, and initiate remedial
actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s
progress towards identified goals.
The board needs to monitor the extent to which the risk
profile is managed and whether the profile is within the
thresholds of risk appetite.
The board should ensure that deviations of the processes
against the defined targets are analyzed and corrective
action needed is taken.
Management -
1. APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
ACTIVITIES DETAILED ACTIVITIES
1. Establish and maintain a method for the collection,
classification and analysis of IT risk-related data,
accommodating multiple types of events, multiple
categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise’s internal and
external operating environment that could play a
significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and loss
experience from externally available data and trends,
industry peers through industry-based event logs,
databases, and industry agreements for common event
disclosure.
4. Record data on risk events that have caused or may
cause impacts to IT benefit/value enablement, IT
program and project delivery, and/or IT operations and
service delivery. Capture relevant data from related
issues, incidents, problems and investigations.
5. For similar classes of events, organize the collected data
and highlight contributing factors. Determine common
contributing factors across multiple events.
6. Determine the specific conditions that existed or were
absent when risk events occurred and the way the
conditions affected event frequency and loss
magnitude.
7. Perform periodic event and risk factor analysis to
identify new or emerging risk issues and to gain an
understanding of the associated internal and external
risk factors.
Management needs to establish and maintain a method for
collection, classification and analysis of risk-related data,
which accommodates multiple events, categories of risk and
risk factors.
Management can record relevant data on the enterprise
internal and external operating environment that would play
a significant role in management of risk.
There can be a survey and analysis of historical risk data and
loss experience from externally available trends, industry
peers through event logs, databases and agreements for
common event disclosures.
The risk events that have caused or potentially cause impact
to IT value benefits, programs and project delivery should be
captured. In addition, data from incidents, problems and
investigation can be recorded.
Management needs to determine the specific conditions
that existed or were absent when risk events occurred and
the way they affect event frequency and loss magnitude.
Management should perform periodic event and risk factor
analysis to identify new/emerging risk issues and gain an
understanding of associated risk factors.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
14
2. APO12.02 Analyze risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.
ACTIVIES DETAILED ACTIVITIES
1. Define the appropriate breadth and depth of risk
analysis efforts, considering all risk factors and the
business criticality of assets. Set the risk analysis scope
after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including
compound scenarios of cascading and/or coincidental
threat types, and develop expectations for specific
control activities, capabilities to detect and other
response measures.
3. Estimate the frequency and magnitude of loss or gain
associated with IT risk scenarios. Take into account all
applicable risk factors, evaluate known operational
controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and
identify exposures that may require a risk response.
5. Analyze cost-benefit of potential risk response options
such as avoid, reduce/mitigate, transfer/share, and
accept and exploit/seize. Propose the optimal risk
response.
6. Specify high-level requirements for projects or
programs that will implement the selected risk
responses. Identify requirements and expectations for
appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in
decision making, confirming that the analysis aligns
with enterprise requirements and verifying that
estimations were properly calibrated and scrutinized for
bias.
Management needs to define the appropriate breadth and
depth of risk and criticality of assets, and set the risk scope
after performing a cost-benefit analysis.
Management needs to build and regularly update the risk
scenarios, including compound scenarios of
cascading/coincidental threat types and development
expectations for specific control activities, capabilities to
detect and other response measures.
Management needs to estimate the frequency and
magnitude of loss or gain associated with risk scenarios. The
applicable risk factors need to be taken into account and
management needs to evaluate operational controls and
estimate residual risk levels.
There needs to be a comparison between residual risk to
acceptable risk tolerance and risk exposure needs to be
identified, which will require responses.
Management needs to conduct a cost-benefit analysis of
potential risk response options such as avoid, reduce,
transfer and accept.
Management should specify high-level requirements for
programs that will implement the risk responses.
Management should identify requirements for key controls.
Management needs to validate the risk analysis results
before using them for decision making, confirm whether risk
aligns with enterprise requirements and verify that
estimations were calibrated.
3. APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and
of related resources, capabilities and current control activities.
ACTIVITIES
MANAGEMENT’S ROLE
1. Inventory business processes, including supporting
personnel, applications, infrastructure, facilities, critical
manual records, vendors, suppliers and outsourcers,
and document the dependency on IT service
management processes and IT infrastructure resources.
Management can take an inventory of business processes,
applications, infrastructure, facilities, critical manual
records, vendors, etc., and document the dependency on IT
service management processes and IT infrastructure
resources.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
15
2. Determine and agree on which IT services and IT
infrastructure resources are essential to sustain the
operation of business processes. Analyze dependencies
and identify weak links.
3. Aggregate current risk scenarios by category, business
line and functional area.
4. On a regular basis, capture all risk profile information
and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk
indicators that allow the quick identification and
monitoring of current risk and risk trends.
6. Capture information on IT risk events that have
materialized, for inclusion in the IT risk profile of the
enterprise.
Further, management should determine and agree on which
IT services and infrastructure resources are essential to
sustain the operation of business processes. Analyze
dependencies and weak links.
Management needs to aggregate current risk scenarios by
categories, business lines and functional areas.
On a regular basis, management should capture risk profile
information and consolidate it into aggregated risk profiles.
Based on the profiles, management needs to define a set of
risk indicators that allow quick identification and monitoring
of current risk trends.
Capture the information on risk events that have
materialized for inclusion in profiles of the enterprise.
4. APO12.04 Articulate risk.
Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required
stakeholders for appropriate response.
ACTIVITIES
DETAILED ACTIVITIES
1. Report the results of risk analysis to all affected
stakeholders in terms and formats useful to support
enterprise decisions. Wherever possible, include
probabilities and ranges of loss or gain along with
confidence levels that enable management to balance
risk-return.
2. Provide decision makers with an understanding of
worst-case and most-probable scenarios, due diligence
exposures, and significant reputation, legal or
regulatory considerations.
3. Report the current risk profile to all stakeholders,
including effectiveness of the risk management process,
control effectiveness, gaps, inconsistencies,
redundancies, remediation status, and their impacts on
the risk profile.
4. Review the results of objective third-party assessments,
internal audit and quality assurance reviews, and map
them to the risk profile. Review identified gaps and
exposures to determine the need for additional risk
analysis.
Management needs to report the results of risk analysis to
all affected stakeholders in terms of formats supporting
decision making. Wherever possible, include probabilities
and range of loss or gain with confidence levels to balance
risk and return.
Management can provide to the decision makers an
understanding of worst case and most probable scenarios,
due diligence exposures and reputation, legal or regulatory
consideration.
The report on current risk profile includes effectiveness of
the risk management process, control effectiveness, gaps,
inconsistencies, etc., and their impact on risk profile to the
stakeholders.
Management should review the results of third-party
assessments, internal audits and quality assurance (QA)
reviews, and map them to the risk profiles.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
16
5. APO12.05 Define a risk management action portfolio.
Manage opportunities to reduce risk to an acceptable level as a portfolio.
ACTIVITIES DETAILED ACTIVITIES
1. Maintain an inventory of control activities that are in
place to manage risk and that enable risk to be taken in
line with risk appetite and tolerance. Classify control
activities and map them to specific IT risk statements and
aggregations of IT risk.
2. Determine whether each organizational entity monitors
risk and accepts accountability for operating within its
individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to
reduce risk and/or projects that enable strategic
enterprise opportunities, considering cost and benefits,
effect on current risk profile and regulations.
Management needs to make an inventory of control activities
that are in place to manage risk and that enable risk to be
taken in line with appetite and tolerance. The control activities
should be classified and mapped to specific risk statements
and aggregations of risk.
Management needs to determine that risk and accountability
for operating within individual and portfolio tolerance levels
are monitored.
Management defines a balanced set of project proposals
which are designed to reduce risk and/or projects that enable
strategic opportunities considering the cost-benefit analysis.
6. APO12.06 Respond to risk.
Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
ACTIVITIES DETAILED ACTIVITIES
1. Prepare, maintain and test plans that document the
specific steps to take when a risk event may cause a
significant operational or development incident with
serious business impact. Ensure that plans include
pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures
against risk tolerance thresholds. Communicate business
impacts to decision makers as part of reporting, and
update the risk profile.
3. Apply the appropriate response plan to minimize the
impact when risk incidents occur.
4. Examine past adverse events/losses, missed
opportunities, and determine root causes. Communicate
root cause, additional risk response requirements and
process improvements to appropriate decision makers
and ensure that the cause, response requirements and
process improvement are included in risk governance
processes.
Management needs to prepare, maintain and test plans that
document specific steps to take when a risk event may cause a
significant operational or development incident with serious
impact on the business. Further, ensure that plans include
escalations across the enterprise.
There needs to be a categorization of incidents and a
comparison of actual exposures against risk thresholds and
communication to decision makers as a part of reporting and
updating risk profiles.
Management should apply plans to minimize the impact when
risk incidents occur, to examine the past adverse event and
missed opportunities, and to determine root causes.
Communicate the root causes, risk response requirements and
process improvements to decision makers.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
17
REFERENCES FOR THE PUBLICATION
• Companies Act, 2013
• Clause 49 of the Listing Agreement of SEBI
• Information Technology Act, 2000 (as Amended by IT Amendment Act, 2008)
• COBIT 5 framework
• COBIT® 5: Enabling Processes
• COBIT® 5 Implementation
• COBIT® 5 for Risk
• COBIT® 5 for Assurance
• Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT® 5
• COBIT® 5: Enabling Information
• COBIT® 5 for Information Security
• Board Briefing on IT Governance (an ISACA publication)
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
18
SECTION 2 – DETAILED PUBLICATION
Section 2 is the core section of this publication. Section 2 consists of the guidance note for compliance of governance and risk
management in India using COBIT 5. It is divided into three chapters. Chapter 1 describes all the regulations that are relevant to
be complied with in order to have the minimum required governance and ERM. Chapter 2 gives a brief introduction of the COBIT
5 framework and its five principles and its seven enablers. Chapter 3 gives a detailed explanation of how COBIT 5 can be used to
comply with the regulations that have been identified in chapter 1 for each stakeholder that has been identified in the scope of
this publication.
DEFINITIONS
The following terms are defined according to their respective acts. The same meaning should be used while interpreting this
document.
Sr. No. Term Definition
1 Board of Directors In relation to a company, the collective body of the directors of the
company
2 Independent Director An independent director referred to in sub-section (6) of section 149, i.e., a
director other than a managing director or a whole-time director or a
nominee director
a) in the opinion of the Board, a person of integrity who possesses relevant
expertise and experience
(b) (i) person who is or was not a promoter of the company or its holdings,
subsidiary or associate company
(b) (ii) person who is not related to promoters or directors in the company,
its holdings, subsidiary or associate company
(c) person who has or had no pecuniary relationship with the company, its
holdings, subsidiary or associate company, or their promoters, or directors,
during the two immediately preceding financial years or during the current
financial year
(d) person, none of whose relatives has or had a pecuniary relationship or
transaction with the company, its holdings, subsidiary or associate
company, or their promoters, or directors, amounting to two percent or
more of its gross turnover or total income or fifty lakh rupees or such higher
amount as may be prescribed, whichever is lower, during the two
immediately preceding financial years or during the current financial year
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
19
Sr. No. Term Definition
(e) person who, neither himself nor any of his relatives—
(i) holds or has held the position of key managerial personnel or is or
has been an employee of the company or its holdings, subsidiary or
associate company in any of the three financial years immediately
preceding the financial year in which he is proposed to be appointed
(ii) is or has been an employee or proprietor or a partner, in any of the
three financial years immediately preceding the financial year in which he is
proposed to be appointed, of:
(A) a firm of auditors or company secretaries in practice or cost
auditors of the company or its holdings, subsidiary or associate company; or
(B) any legal or a consulting firm that has or had any transaction with
the company, its holdings, subsidiary or associate company amounting to
ten percent. or more of the gross turnover of such firm
(iii) holds together with his relatives two percent. or more of the total
voting power of the company or
(iv) is a chief executive or director, by whatever name called, of any
nonprofit organization that receives twenty-five percent or more of its
receipts from the company, any of its promoters, directors or its holdings,
subsidiary or associate company or that holds two percent. or more of the
total voting power of the company or
(f) who possesses such other qualifications as may be prescribed
3 Key Managerial Personnel In relation to a company:
(i) the CEO or the managing director or the manager
(ii) the company secretary
(iii) the whole-time director
(iv) the chief financial officer; and
(v) such other officer as may be prescribed
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
20
Sr. No. Term Definition
4 Sensitive Personal Data Personal information that relates to passwords; financial information such
as bank account or credit card or debit card or other payment instrument
details; physical, psychological and mental health condition; sexual
orientation; medical records and history, biometric information
5 Body Corporate Any company, including a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities. The term is not
restricted to a body corporate established in India. It refers to an
organization that collects, stores or processes sensitive data on behalf of a
body corporate (data processor).
8 Identity Theft A form of stealing someone's identity in which someone pretends to be
someone else by assuming that person's identity, usually as a method to
gain access to resources. This process is also called personation.
9 Cyberterrorism Threats to the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people by:
(i) denying or causing the denial of access to any person authorized to
access a computer resource; or
(ii) attempting to penetrate or access a computer resource without
authorization or exceeding authorized access; or
(iii) introducing or causing to introduce any computer contaminant.
By means of such conduct, causes or is likely to cause death or injuries to
persons or damage to or destruction of property or disruptions or knowing
that it is likely to cause damage or disruption of supplies or services
essential to the life of the community or adversely affect the critical
information infrastructure specified under section 70.
10 Intermediary Any person who on behalf of another person stores or transmits a message
or provides any service with respect to that message
11 Computer resources Computer, communication device, computer system, computer network,
data, computer database or software
1 Internal Control Process/methods designed by management or other personnel to ensure
the integrity of financial and accounting information meet operational and
profitable targets and transmit management policies throughout the
organization. Basic policies related to internal controls were created to
ensure suitable business practices.
2 Audit Committee An operating committee of a company's board of directors that is in charge
of overseeing financial reporting and disclosure. They are also responsible
for overseeing all internal and external audit functions of a company.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
21
Sr. No. Term Definition
3 Whistleblower Anyone who has and reports insider knowledge of illegal activities occurring
in an organization. Whistleblowers can be employees, suppliers,
contractors, clients or any individual who somehow becomes aware of
illegal activities taking place in a business, either through witnessing the
behavior or being told about it. In other words, a person who informs on a
person or organization regarded as engaging in an unlawful or immoral
activity.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
22
CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA – REGULATORY REQUIREMENTS TO
COMPLY WITH THE INDIAN REGULATIONS
This chapter present information on the enactments, and it provides the scope and objectives of this guidance note using COBIT
5. Detailed explanation of the COBIT 5 guidance has been explained in chapter 3 with respect to each stakeholder. Companies
Act, 2013 and Clause 49 have been concentrated to a great extent. Because this is also the digital era, importance is also given to
the Information Technology Act, 2000 (as amended by IT Amendment Act, 2008) with respect to the data privacy and penalty
laws in India.
All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with
reference to the governance, risk management, assurance and privacy regulations.
GOVERNANCE
Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49
and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section – 149, Schedule – IV
The Company and independent directors shall abide by the provision specified in Schedule
IV, which includes the roles and functions of independent directors, i.e.:
• To help in bringing an independent judgment to bear on the board’s deliberations on
risk management issues
• To satisfy themselves on the integrity of financial information, those financial
controls, and that the systems of risk management are robust and defensible
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant
management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 177, Clause – 4(vii)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board, which shall inter alia include evaluation of internal financial controls
and risk management systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02,
DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for
the various stakeholders in chapter 3
Clause 49
Section – IV, Clause – (c)
The company shall lay down procedures to inform board members about the risk
assessment and minimization procedures. These procedures shall be periodically
reviewed to ensure that executive management controls risk through means of a properly
defined risk management framework.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02,
APO12, BAI01, BAI02 DSS06, MEA01, MEA02, MEA03 and their relevant management
practices as identified for the various stakeholders in chapter 3
Clause 49
Section – IV, Clause – (f)
As part of the directors’ report or as an addition thereto, a Management Discussion and
Analysis report should form part of the Annual Report to the shareholders. This
Management Discussion and Analysis report should include discussion on risks and
concerns within the limits set by the company’s competitive position.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01,
BAI02,BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
23
Section Reference Regulatory Requirement
for the various stakeholders in chapter 3
Companies Act, 2013
Section – 138 (1)
Such class or classes of companies as may be prescribed shall be required to appoint an
internal auditor, who shall be either a chartered accountant or a cost accountant, or such
other professional as may be decided by the board to conduct internal audit of the
functions and activities of the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 143, Clause 3€
The auditor’s report shall also state whether the company has adequate internal financial
controls system in place and the operating effectiveness of such controls.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 177 (4)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board which shall, inter alia, include:
• Review and monitor of the auditor’s independence and performance, and the
effectiveness of the audit process.
• Evaluation of internal financial controls and risk management systems
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02,
MEA03 and their relevant management practices as identified for the various stakeholders
in chapter 3
Clause 49
Section – II, Clause – (d), (e)
The role of the audit committee shall include the following:
a) Reviewing, with management, performance of statutory and internal auditors,
adequacy of the internal control systems
b) Reviewing the adequacy of internal audit function, if any, including the structure of
the internal audit department, staffing and seniority of the official heading the
department, reporting structure coverage and frequency of internal audit
c) Discussion with internal auditors of any significant findings and follow up
d) Reviewing the findings of any internal investigations by the internal auditors into
matters where there is suspected fraud or irregularity or a failure of internal
control systems of a material nature and reporting the matter to the board
e) Management discussion and analysis of financial condition and results of operations
f) Management letters/letters of internal control weaknesses issued by the statutory
auditors.
g) Internal audit reports relating to internal control weaknesses
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02,
MEA03 and their relevant management practices as identified for the various stakeholders
in chapter 3
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
24
RISK MANAGEMENT
Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause
49 and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section - 134, Clause - 3(n)
There shall be attached to statements laid before a company in general meeting, a report
by its board of directors, which shall include a statement indicating development and
implementation of a risk management policy for the company, including identification of
elements of risk, if any, which in the opinion of the board may threaten the existence of
the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant
management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 149 (8), Schedule – IV
The independent director shall help in bringing an independent judgment to bear on the
board’s deliberations on risk management resources and satisfy themselves that financial
controls and the systems of risk management are robust and defensible.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12,
DSS06 and their relevant management practices as identified for the various stakeholders
in chapter 3
Clause 49
Section - IV, Clause – c
The company shall lay down procedures to inform board members about the risk
assessment and minimization procedures. These procedures shall be periodically reviewed
to ensure that executive management controls risk through means of a properly defined
framework.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06,
MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for
the various stakeholders in chapter 3
Clause 49
Section - IV, Clause – f
Management Discussion and Analysis report should include discussion on risks and
concerns as well as internal control systems and their adequacy within the limits set by
the company’s competitive position.
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant
management practices as identified for the various stakeholders in chapter 3
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
25
ASSURANCE
Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause
49 and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section - 134, Clause - 3(n)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board, which shall include evaluation of internal financial controls and risk
management systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 138 (1)
Prescribed classes of companies shall be required to appoint an internal auditor, who is an
assurance professional (auditor) decided by the board to conduct internal audit of the
functions and activities of the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 143 (3), clause – i
The auditor’s report shall state that whether the company has adequate internal financial
controls system in place and the operating effectiveness of such controls.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (6)
The role of the audit committee shall include reviewing, with management, the
performance of statutory and internal auditors, and adequacy of the internal control
systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (7)
The role of the audit committee shall include reviewing the adequacy of internal audit
function, if any, including the structure of the internal audit department, staffing and
seniority of the official heading the department, reporting structure coverage and
frequency of internal audit.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (9)
The role of the audit committee shall include reviewing the findings of any internal
investigations by the internal auditors into matters where there is suspected fraud or
irregularity or a failure of internal control systems of a material nature and reporting the
matter to the board.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (12)
The role of the audit committee shall include reviewing the functioning of the whistle-
blower mechanism, in case the same is prevailing.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49 The audit committee shall mandatorily review the management discussion and analysis of
financial condition and results of operations.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
26
Section Reference Regulatory Requirement
Section - II, Clause - e (1)
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - e (3)
The audit committee shall mandatorily review the management letters / letters of
internal control weaknesses issued by the statutory auditors.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - e (4)
The audit committee shall mandatorily review the internal audit reports relating to
internal control weaknesses.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - VII, Clause - 1
The company shall obtain a certificate from either the auditors or practicing company
secretaries regarding compliance of conditions of governance as stipulated in this clause
and annex the certificate with the directors’ report, which is sent annually to all the
shareholders of the company.
How this document will be useful N/A
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
27
INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT
ACT, 2008)
Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and
Clause 49 and have been explained in the following table.
Section Reference Regulatory Requirement
Section 43A The obligation to protect sensitive personal data applies to every entity (body corporate)
that:
• Possesses, deals with or handles any sensitive personal data or information (SPDI)
• In a computer resource that it owns, controls or operates
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO013, MEA02, MEA03, DSS02,
DSS05 and their relevant management practices as identified for the various stakeholders
in chapter 3
Section 43A Where an entity that is obliged to maintain security of sensitive personal data is negligent
in implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to
pay damages by way of compensation to the person so affected.
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO013, MEA02, MEA03, DSS02,
DSS05 and their relevant management practices as identified for the various stakeholders
in chapter 3
Section 43A Body corporate to provide policy for privacy and disclosure of information.
The body corporate or any person who on behalf of the body corporate collects, receives,
possesses, stores, deals or handles information of provider of information, shall provide a
privacy policy for handling of or dealing in personal information, including sensitive
personal data or information, and ensure that the policy is available for view by such
providers of information who have provided such information under lawful contract.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant
management practices as identified for the various stakeholders in chapter 3
Section 66E Punishment for violation for privacy :
Anybody being guilty of intentionally or knowingly captures, publishes or transmits the
image of a private area of any person without his or her consent, under circumstances
violating the privacy of that person, shall be punished with imprisonment which may
extend to three years or with a fine not exceeding two lakh rupees, or with both
imprisonment and a fine.
How this document will be useful N/A
Section 66A Any person who sends, by means of a computer resource or a communication device:
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or
ill will, persistently makes use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of
such messages (Inserted vide ITAA 2008)
How this document will be useful N/A
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
28
Section Reference Regulatory Requirement
Section 66B Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the resource or device to be stolen, shall be
punished with imprisonment of either description for a term, which may extend to three
years or with a fine, which may extend to rupees one lakh or with both imprisonment and a
fine.
How this document will be useful N/A
Section 66C Whoever fraudulently or dishonestly makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall
also be liable to a fine which may extend to rupees one lakh.
How this document will be useful N/A
Section 66D Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term, which
may extend to three years and shall also be liable to a fine, which may extend to one lakh
rupees.
How this document will be useful N/A
Section 67C (1) Intermediary shall preserve and retain such information as may be specified for such
duration and in such manner and format as the central government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-
section (1) shall be punished with imprisonment for a term which may extend to three
years and shall also be liable to a fine
How this document will be useful N/A
SUMMARY
There is great effort being made in India to achieve efficient governance and risk management. Governance and risk
management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved, keeping in
mind Confidentiality and Privacy perspectives. Privacy of the data is regulated by the Information Technology Act, 2000 (as
amended in 2008).
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
29
CHAPTER 2: INTRODUCTION TO COBIT 5
Executive Summary
According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports
it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using
the approach and latest thinking provided by globally recognized framework COBIT 5 as a benchmark for reviewing and
implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be
an effective tool to help enterprises to simplify complex issues, deliver trust and value, manage risk, reduce potential public
embarrassment, protect intellectual property, and maximize opportunities.
COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy. COBIT 5 enables
clear policy development and good practice for IT management, including increased business user satisfaction. The key
advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-
for-profit or in the public sector.
Five Principles of COBIT 5
Source: COBIT 5, ISACA, USA, 2012, figure 2
COBIT 5 simplifies governance challenges with just five principles. The five key principles for governance and management of
enterprise IT in COBTI 5 taken together enable the enterprise to build an effective governance and management framework
that optimizes information and technology investment and use for the benefit of stakeholders.
Principles 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance
between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required
processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an
enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into
manageable specific, IT-related goals and mapping these to specific processed and practices.
The COBIT 5 goals cascade is the mechanism to translate stakeholder needs to specific, actionable and customized enterprise
goals—IT-related goals and enabler goals.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
30
Principle 2: Covering the Enterprise End-to-end: COBIT 5 integrates governance of enterprise IT into enterprise governance. It
covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information
and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers
all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and
everyone internal and external that is relevant to governance and management of enterprise information and related IT.
Principle 3: Applying a Single Integrated Framework: There are many IT-related standards and best practices, each providing
guidance on a subset of IT activities. COBIT 5 is a single and integrated framework because it aligns with other latest relevant
standards and frameworks; this allows the enterprise to use COBIT 5 as the overarching governance and management
framework integrator. It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks,
standards and practices used.
Principle 4: Enabling a Holistic Approach: Efficient and effective governance and management of enterprise IT require a holistic
approach, taking into account several integrating components. COBIT 5 defines a set of enablers to support the implementation
of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can
help to achieve objectives of the enterprise.
Principle 5: Separating Governance From Management: The COBIT 5 framework makes a clear distinction between
governance and management. These two disciplines encompass different types of activities, require different organizational
structures and serve different purposes.
• Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making,
and monitoring performance and compliance against agreed-on direction and objectives. In most
organizations, governance is the responsibility of the board of directors under the leadership of the
chairperson. Specific governance responsibilities may be delegated to special organizational structures at an
appropriate level, especially in larger, complex organizations.
• Management: It plans, builds, runs and monitors activities in alignment with the direction set by the
governing body to achieve the objectives. In most enterprises, management is the responsibility of executive
management under the leadership of the chief executive officer (CEO).
From the definition of governance and management it is clear that they comprise different types of activities, with different
responsibilities; however, given the role of governance to evaluate, direct and monitor, a set of interactions is required between
governance and management to result in an efficient and effective governance system.
Seven Enablers of COBIT 5
Enablers are factors that, individually and collectively, influence whether something will work, in this case, governance and
management over enterprise IT. The goals cascade, i.e., higher level IT-related goals defining what the different enablers should
achieve, drives enablers.
The seven categories of enablers are:
• Principles, Policies and Frameworks are the vehicles to translate the desired behavior into practical guidance for day-
to-day management.
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of
outputs in support of achieving overall IT-related goals.
• Organizational Structures are the key decision-making entities in an enterprise.
• Culture, Ethics and Behavior of individuals and of the enterprise are very often underestimated as a success factor in
governance and management activities.
• Information is pervasive throughout any organization and includes all information produced and used by the
enterprise. Information is required for keeping the organization running and well governed, but at the operational level,
information is very often the key product of the enterprise itself.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
31
• Services, Infrastructure and Applications include the infrastructure, technology and applications that provide the
enterprise with information technology processing and services.
• People, Skills and Competencies are linked to people and are required for successful completion of all activities and for
making correct decisions and taking corrective actions.
Source: COBIT 5, ISACA, USA, 2012, figure 2
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
32
CHAPTER 3 – HOW COBIT 5 CAN BE USED TO COMPLY WITH GOVERNANCE
Chapter 3 has been developed so that the COBIT 5 practices that are required for every stakeholder as an individual are
provided. COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance
and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance
between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a
holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility,
considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all
sizes, whether commercial, not-for-profit or in the public sector.
The solution has been formulated by following these steps:
Step 1 – Identification of stakeholder needs that are required by the regulations and mapping with the relevant enterprise goals
Step 2 – Mapping of enterprise goals with the relevant IT goals
Step 3 – Mapping of IT goals with relevant IT processes
Step 4 – Segregation of IT processes that would be applicable to the following stakeholders:
Stakeholder 1 – Board of directors
Stakeholder 2 – Management (CEO, CFO, CISO, CIO and other members of the C-level)
Stakeholder 3 – Auditors
This chapter consists of tables, as follows:
Activities DETAILED ACTIVITIES
The text in the “ACTIVITIES” column consists of the set of suggestions and guidance that have been prescribed by the COBIT 5
product family publications. The text in the “DETAILED ACTIVITIES” column consists of the interpretation of the activities from
the perspective of the stakeholder, area under discussion and the regulatory requirements.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
33
Step 1 – Identification of Stakeholder Needs That Are Required by the Regulations and Mapping With the Relevant Enterprise Goals
All stakeholder needs which are relevant have been highlighted in blue and the corresponding enterprise-related goals have
been derived.
Stakeholdervalueofbusiness
investments
Portfolioofcompetitive
productsandservices
Managedbusinessrisks
(safeguardingofassets)
Compliancewithexternallaws
andregulations
Financialtransparency
Customer-orientedservice
culture
Businessservicecontinuityand
availability
Agileresponsestoachanging
businessenvironment
Information-basedstrategic
decisionmaking
Optimisationofservicedelivery
costs
Optimisationofbusiness
processfunctionality
Optimisationofbusiness
processcosts
Managedbusinesschange
programmes
Operationalandstaff
productivity
Compliancewithinternal
policies
Skilledandmotivatedpeople
Productandbusiness
innovationculture
Stakeholder Needs 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
How do I get value from the use of IT? Are end users satisfied with
the quality of the IT service? Y Y Y Y Y Y Y
How do I manage performance of IT? Y Y Y Y Y Y Y
How can I best exploit new technology for new strategic
opportunities? Y Y Y Y Y Y
How do I best build and structure my IT department? Y Y Y Y Y Y Y
How dependent am I on external providers? How well are IT
outsourcing agreements being managed? How do I obtain
assurance over external providers? Y Y Y
What are (control) requirements for Information? Y Y Y
Did I address all IT-related risks? Y Y Y Y
Am I running an efficient and resilient IT operation? Y Y
How do I control cost of IT? How do I use IT resources in the most
effective and efficient manner? What are the most effective and
efficient sourcing options? Y Y Y
Do I have enough people for IT? How do I develop and maintain
their skills, and how do I manage their performance? Y Y Y
How do I get assurance over IT? Y Y
Is the information I am processing well secured? Y Y Y
How do I improve business agility through a more flexible IT
environment? Y Y Y Y
Do IT projects fail to deliver what they promised, and if so - why? Is
IT standing in the way of executing the business strategy? Y Y Y Y Y Y Y
How critical is IT to sustaining the enterprise? What do I do if IT is
not available? Y Y Y
What concrete vital primary business processes are dependent on
IT, and what are the requirements of business processes? Y Y Y Y
What has been the average overrun of IT operational budgets? How
often and how much do IT projects go over budget? Y Y Y Y
How much of the IT effort goes to fire fighting rather than enabling
business improvements? Y Y Y
Are sufficient IT resources and infrastructure available to meet
required enterprise strategic objectives? Y Y Y Y
How long does it take to make major IT decisions? Y Y Y Y
Are the total IT effort and investments transparent? Y Y Y Y
Does IT support the enterprise in complying with regulations and
service levels? How do I know whether I’m compliant with all
applicable regulations? Y Y
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
34
Step 2 – Mapping of enterprise goals With the Relevant IT Goals
The enterprise goals that have been derived from step 1 have been mapped to their corresponding IT-related goal. This mapping
is based on the matrix that is presented in the COBIT 5 framework.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
35
Step 3 – Mapping of IT goals With Relevant IT processes
The IT processes that have been derived from step 2 have been mapped to the relevant COBIT 5 processes. This mapping is
based on the matrix that is presented in the COBIT 5 framework.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
36
Summary of Selected IT-related Goals
The following IT-related goals as derived from step 3 would be made applicable after following the goals cascade approach and
keeping in mind the scope of the document.
IT Goal
No.
IT-related Goal Priority Comments
1 Alignment of IT and business strategy P Irrelevant
2 IT compliance and support for business compliance with external laws and regulations P Relevant
3 Commitment of executive management for making IT-related decisions P Irrelevant
4 Managed IT-related business risks P Relevant
5 Realized benefits from IT-enabled investments and services portfolio P Irrelevant
6 Transparency of IT costs, benefits and risk P Relevant
7 Delivery of IT services in line with business requirements P Relevant
8 Adequate use of applications, information and technology solutions P Relevant
9 IT agility P Irrelevant
10 Security of information and processing infrastructure and applications P Irrelevant
11 Optimization of IT assets, resources and capabilities P Relevant
12 Enablement and support of business processes by integrating applications and
technology into business processes
P Irrelevant
13 Delivery of programs on time, on budget, and meeting requirements and quality
standards
P Irrelevant
14 Availability of reliable and useful information for decision making P Irrelevant
15 IT compliance with internal policies P Relevant
16 Competent and motivated business and IT personnel P Irrelevant
17 Knowledge, expertise and initiatives for business innovation P Irrelevant
P = Primary
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
37
Step 4 – Segregation of IT Processes That Would Be Applicable to Stakeholders Collectively
The following figure gives an idea of the relationship between the board of directors, management and auditors to comply with
the regulatory requirements that have been imposed by the regulators of the enterprise. Therefore, the board of directors
needs to ensure compliance to regulations, which shall be verified by the auditors and shall, in the end, report the same to the
regulators. Management will have to implement the directions that have been imposed by the board of directors and account
for the same to the board of directors.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
38
STAKEHOLDER 1 – BOARD OF DIRECTORS
The board of directors is the highest governing authority within the management structure at any publicly traded company. They
are policy managers of a corporation or organization elected by the shareholders or members. The board in turn chooses the
officers of the corporation, sets basic policy and is responsible to the shareholders. In small corporations, there are usually only
three directors. The board is directly accountable to the shareholders, and each year the company will hold an annual general
meeting (AGM) at which the directors must provide a report to shareholders on the performance of the company and what its
plans and strategies are, and submit themselves for re-election to the board. Roles of board of directors include:
• Determine the company's vision and mission to guide and set the pace for its current operations and future
development.
• Determine the values to be promoted throughout the company.
• Determine and review company goals.
• Determine company policies.
• Review and evaluate present and future opportunities, threats and risks in the external environment and current and
future strengths, weaknesses and risks relating to the company.
• Determine strategic options, select those to be pursued, and decide the means to implement and support them.
• Determine the business strategies and plans that underpin the corporate strategy.
• Ensure that the company's organizational structure and capability are appropriate for implementing the chosen
strategies.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
39
Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use
the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of
management, toward achieving their goals and objectives.
The image below depicts that, out of the 37 processes, the stakeholder (the board) can adapt relevant processes (borders
shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.
RACI CHART
A responsibility assignment matrix, also known as a RACI chart (Responsible, Accountable, Consulted, Informed), ARCI matrix or
linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or
business process. The following RACI chart explains the roles of the board of directors in contributing to effective corporate IT
governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in
the following chart.
Governance Practice
Board
EDM01.01 Evaluate the governance system. A
EDM01.02 Direct the governance system. A
EDM01.03 Monitor the governance system. A
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
40
Governance Practice
Board
EDM03.01 Evaluate risk management. A
EDM03.02 Direct risk management. A
EDM03.03 Monitor risk management. A
EDM05.01 Evaluate stakeholder-reporting requirements. A
EDM05.02 Direct stakeholder communication and reporting. A
EDM05.03 Monitor stakeholder communication. A
MEA01.05 Ensure the implementation of corrective actions. I
MEA02.02 Review business process controls effectiveness. I
MEA02.08 Execute assurance initiatives. I
MEA03.03 Confirm external compliance. I
MEA03.04 Obtain assurance of external compliance. I
1. EDM01.01 Evaluate the governance system.
Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements,
and make a judgment on the current and future design of governance of enterprise IT.
ACTIVITIES DETAILED ACTIVITIES
1. Analyze and identify the internal and external
environmental factors (legal, regulatory &
contractual obligations) and trends in the
business environment that may influence
governance decisions.
2. Determine the significance of IT and its role
with respect to business.
3. Consider external regulations, laws and
The board needs to identify the internal and external factors
and trends in the business environment that influence
governance decisions.
The board should envision the significance of IT and the role
it shall play toward achieving business objectives and benefits
realization.
The board needs to consider the impact of laws and
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
41
contractual obligations and determine how they
should be applied with the governance of
enterprise IT.
4. Align the ethical use and processing of
information and its impact on society, natural
environment, and internal and external
stakeholder interests with the enterprise’s
direction, goals and objectives.
5. Determine the implications of the overall
enterprise control environment with regard to
IT.
6. Articulate principles that will guide the design
of governance and decision making of IT
7. Understand the enterprise’s decision-making
culture and determine the optimal decision-
making model for IT.
8. Determine the appropriate levels of authority
delegation, including threshold rules, for IT
decisions.
regulations and determine the governance of enterprise IT.
The board needs to frame ethical standards and consider the
impact of business decisions on society, environment and the
interests of stakeholders in relation to business objectives.
The board can develop guidelines and principles for
governance in IT.
The board can devise appropriate levels of delegated
authority and devise rules for IT-related decisions.
2. EDM01.02 Direct the governance system.
Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the
governance of IT in line with agreed-on governance design principles, decision-making models and authority levels.
Define the information required for informed decision-making.
ACTIVITIES DETAILED ACTIVITIES
1. Communicate governance of IT principles and
agree with executive management on the way
to establish informed and committed
leadership.
2. Establish or delegate the establishment of
governance structures, processes and practices
in line with agreed-on design principles.
3. Allocate responsibility, authority and
accountability in line with agreed-on
governance design principles, decision-making
models and delegation.
4. Ensure that communication and reporting
mechanisms provide those responsible for
oversight and decision-making with appropriate
information.
5. Direct that staff follow relevant guidelines for
ethical and professional behavior and ensure
that consequences of non-compliance are
known and enforced.
6. Direct the establishment of a reward system to
promote desirable cultural change.
The board needs to communicate the governance principles
and establish systems toward committed leadership.
The board needs to ensure that a system is established with
governance structures, practices and processes, which are in
line with an agreed-on governance methodology.
The board should allocate responsibility—should allocate
accountability to management on the basis of agreed-on
governance principles.
The board needs to direct staff to follow guidelines on ethical
and professional behavior and ensure that staff are aware of
the consequences and actions of noncompliance.
The board can also implement a reward-based system to
promote a cultural change within the organization.
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
42
3. EDM01.03 Monitor the governance system.
Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance
system and implemented mechanisms (including structures, principles and processes) are operating effectively and
provide appropriate oversight of IT.
ACTIVITIES DETAILED ACTIVITIES
1. Assess the effectiveness and performance
of those stakeholders given delegated
responsibility and authority for governance
of enterprise IT.
2. Periodically assess whether agreed-on
governance of IT mechanisms (structures,
principles, processes, etc.) is established
and operating effectively.
3. Assess the effectiveness of the governance
design and identify actions to rectify any
deviations found.
4. Maintain oversight of the extent to which
IT satisfies obligations (regulatory,
legislation, common law, contractual),
internal policies, standards and
professional guidelines.
5. Provide oversight of the effectiveness of,
and compliance with, the enterprise’s
system of control.
6. Monitor regular and routine mechanisms
for ensuring that the use of IT complies
with relevant obligations (regulatory,
legislation, common law, contractual),
standards and guidelines.
The board needs to assess the effectiveness and performance
of management personnel who have been assigned the task
of governance of the enterprise.
The board should assess periodically the governance systems,
policies and procedures for efficient operations and rectify
the deviations, if any, found in the governance system.
The board should maintain oversight of the extent to which IT
is able to satisfy obligations, standards and professional
guidelines.
4. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is
identified and managed.
ACTIVITIES DETAILED ACTIVITIES
1. Determine the level of IT-related risk that the
enterprise is willing to take to meet its risk
objectives.
2. Evaluate and approve proposed IT risk
tolerance thresholds against the enterprise’s
acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk
strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of
The board needs to actively take part in the risk evaluation
process of the enterprise, which also includes the IT-related
risks and, on assessing those risks, define a risk tolerance
threshold for acceptable risks and opportunity levels.
The board needs to evaluate the risk factors before making
decisions on strategies to ensure that impact of risk has been
factored in.
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance
Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance

More Related Content

Similar to Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance

Esms+handbook+construction v7
Esms+handbook+construction v7Esms+handbook+construction v7
Esms+handbook+construction v7
Dr Lendy Spires
 
Esms+handbook+crop prod v7
Esms+handbook+crop prod v7Esms+handbook+crop prod v7
Esms+handbook+crop prod v7
Dr Lendy Spires
 
CISA sertifikacija
CISA sertifikacijaCISA sertifikacija
Clinical Trial Management Systems
Clinical Trial Management SystemsClinical Trial Management Systems
Clinical Trial Management Systems
Mahesh Koppula
 
Safety Excellence Preparedness: A Study Report
Safety Excellence Preparedness: A Study ReportSafety Excellence Preparedness: A Study Report
Safety Excellence Preparedness: A Study Report
Confederation of Indian Industry
 
700studyguide
700studyguide700studyguide
700studyguide
Kenny Sweetneez
 
How can you use the Training and Education function model mentio.docx
How can you use the Training and Education function model mentio.docxHow can you use the Training and Education function model mentio.docx
How can you use the Training and Education function model mentio.docx
pooleavelina
 
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdfNational Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
Ryan Frunnile
 
121cash mgmt
121cash mgmt121cash mgmt
121cash mgmt
Namita Kumari
 
Global Human Resources Cloud Using Benefits.pdf
Global Human Resources Cloud Using Benefits.pdfGlobal Human Resources Cloud Using Benefits.pdf
Global Human Resources Cloud Using Benefits.pdf
Prabhakar Subburaj
 
Oracle service procurement manual
Oracle  service procurement manualOracle  service procurement manual
Oracle service procurement manual
Vikram Reddy
 
Indian startup ecosystem aera version1
Indian startup ecosystem aera version1Indian startup ecosystem aera version1
Indian startup ecosystem aera version1
AeraTeam
 
Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8
Dr Lendy Spires
 
Oracle-Service-Procurement - User Guide.pdf
Oracle-Service-Procurement - User Guide.pdfOracle-Service-Procurement - User Guide.pdf
Oracle-Service-Procurement - User Guide.pdf
TarigTaha3
 
2020 vrm expert reference guide
2020   vrm expert reference guide2020   vrm expert reference guide
2020 vrm expert reference guide
AnkitKumar250429
 
Software quality management_tutorial
Software quality management_tutorialSoftware quality management_tutorial
Software quality management_tutorial
HarikaReddy115
 
Connecting THE DOTS
Connecting THE DOTSConnecting THE DOTS
Connecting THE DOTS
Brian Higson
 
Connecting THE DOTS
Connecting THE DOTSConnecting THE DOTS
Connecting THE DOTS
Brian Higson
 
SLM
SLMSLM
SLM
Naras98
 
Iso 27001 Audit Evidence Acquisitionv3
Iso 27001 Audit Evidence Acquisitionv3Iso 27001 Audit Evidence Acquisitionv3
Iso 27001 Audit Evidence Acquisitionv3
Ben Omoakin Oguntala, developingafrica(dot)net
 

Similar to Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance (20)

Esms+handbook+construction v7
Esms+handbook+construction v7Esms+handbook+construction v7
Esms+handbook+construction v7
 
Esms+handbook+crop prod v7
Esms+handbook+crop prod v7Esms+handbook+crop prod v7
Esms+handbook+crop prod v7
 
CISA sertifikacija
CISA sertifikacijaCISA sertifikacija
CISA sertifikacija
 
Clinical Trial Management Systems
Clinical Trial Management SystemsClinical Trial Management Systems
Clinical Trial Management Systems
 
Safety Excellence Preparedness: A Study Report
Safety Excellence Preparedness: A Study ReportSafety Excellence Preparedness: A Study Report
Safety Excellence Preparedness: A Study Report
 
700studyguide
700studyguide700studyguide
700studyguide
 
How can you use the Training and Education function model mentio.docx
How can you use the Training and Education function model mentio.docxHow can you use the Training and Education function model mentio.docx
How can you use the Training and Education function model mentio.docx
 
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdfNational Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
National Cybersecurity Talent Workforce Assessment Report of the Philippines.pdf
 
121cash mgmt
121cash mgmt121cash mgmt
121cash mgmt
 
Global Human Resources Cloud Using Benefits.pdf
Global Human Resources Cloud Using Benefits.pdfGlobal Human Resources Cloud Using Benefits.pdf
Global Human Resources Cloud Using Benefits.pdf
 
Oracle service procurement manual
Oracle  service procurement manualOracle  service procurement manual
Oracle service procurement manual
 
Indian startup ecosystem aera version1
Indian startup ecosystem aera version1Indian startup ecosystem aera version1
Indian startup ecosystem aera version1
 
Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8
 
Oracle-Service-Procurement - User Guide.pdf
Oracle-Service-Procurement - User Guide.pdfOracle-Service-Procurement - User Guide.pdf
Oracle-Service-Procurement - User Guide.pdf
 
2020 vrm expert reference guide
2020   vrm expert reference guide2020   vrm expert reference guide
2020 vrm expert reference guide
 
Software quality management_tutorial
Software quality management_tutorialSoftware quality management_tutorial
Software quality management_tutorial
 
Connecting THE DOTS
Connecting THE DOTSConnecting THE DOTS
Connecting THE DOTS
 
Connecting THE DOTS
Connecting THE DOTSConnecting THE DOTS
Connecting THE DOTS
 
SLM
SLMSLM
SLM
 
Iso 27001 Audit Evidence Acquisitionv3
Iso 27001 Audit Evidence Acquisitionv3Iso 27001 Audit Evidence Acquisitionv3
Iso 27001 Audit Evidence Acquisitionv3
 

More from Bharath Rao

Let the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming IndustryLet the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming Industry
Bharath Rao
 
Going global while being local
Going global while being localGoing global while being local
Going global while being local
Bharath Rao
 
The Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptionsThe Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptions
Bharath Rao
 
Big data, Machine learning and the Auditor
Big data, Machine learning and the AuditorBig data, Machine learning and the Auditor
Big data, Machine learning and the Auditor
Bharath Rao
 
Base Erosion and Profit Shifting
Base Erosion and Profit ShiftingBase Erosion and Profit Shifting
Base Erosion and Profit Shifting
Bharath Rao
 
Chartered Accountant going Global
Chartered Accountant going GlobalChartered Accountant going Global
Chartered Accountant going Global
Bharath Rao
 
Forex markets
Forex marketsForex markets
Forex markets
Bharath Rao
 
Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context
Bharath Rao
 
Big Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered AccountantBig Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered Accountant
Bharath Rao
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal Controls
Bharath Rao
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
Internal Controls over Indian Financial Reporting
Internal Controls over Indian Financial ReportingInternal Controls over Indian Financial Reporting
Internal Controls over Indian Financial Reporting
Bharath Rao
 
Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
Bharath Rao
 
Physical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal ControlsPhysical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal Controls
Bharath Rao
 
Standards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian ContextStandards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian Context
Bharath Rao
 
Life of the software - SDLC
Life of the software - SDLCLife of the software - SDLC
Life of the software - SDLC
Bharath Rao
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
Bharath Rao
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal Controls
Bharath Rao
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
Bharath Rao
 

More from Bharath Rao (19)

Let the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming IndustryLet the games begin - Insights into the Gaming Industry
Let the games begin - Insights into the Gaming Industry
 
Going global while being local
Going global while being localGoing global while being local
Going global while being local
 
The Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptionsThe Next Gen Auditor - Auditing through technological disruptions
The Next Gen Auditor - Auditing through technological disruptions
 
Big data, Machine learning and the Auditor
Big data, Machine learning and the AuditorBig data, Machine learning and the Auditor
Big data, Machine learning and the Auditor
 
Base Erosion and Profit Shifting
Base Erosion and Profit ShiftingBase Erosion and Profit Shifting
Base Erosion and Profit Shifting
 
Chartered Accountant going Global
Chartered Accountant going GlobalChartered Accountant going Global
Chartered Accountant going Global
 
Forex markets
Forex marketsForex markets
Forex markets
 
Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context Internal Controls over Financial Reporting in the Indian Context
Internal Controls over Financial Reporting in the Indian Context
 
Big Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered AccountantBig Data Analytics and a Chartered Accountant
Big Data Analytics and a Chartered Accountant
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal Controls
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
 
Internal Controls over Indian Financial Reporting
Internal Controls over Indian Financial ReportingInternal Controls over Indian Financial Reporting
Internal Controls over Indian Financial Reporting
 
Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
 
Physical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal ControlsPhysical and logical access controls - A pre-requsite for Internal Controls
Physical and logical access controls - A pre-requsite for Internal Controls
 
Standards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian ContextStandards of Auditing - Introduction and Application in the Indian Context
Standards of Auditing - Introduction and Application in the Indian Context
 
Life of the software - SDLC
Life of the software - SDLCLife of the software - SDLC
Life of the software - SDLC
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal Controls
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 

Recently uploaded

Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
CLIVE MINCHIN
 
Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024
Kirill Klimov
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Stone Art Hub
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
sssourabhsharma
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
Stephen Cashman
 
The Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb PlatformThe Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb Platform
SabaaSudozai
 
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
Aleksey Savkin
 
DearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUniDearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUni
katiejasper96
 
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Neil Horowitz
 
Income Tax exemption for Start up : Section 80 IAC
Income Tax  exemption for Start up : Section 80 IACIncome Tax  exemption for Start up : Section 80 IAC
Income Tax exemption for Start up : Section 80 IAC
CA Dr. Prithvi Ranjan Parhi
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
GraceKohler1
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
ecamare2
 
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & InnovationInnovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Operational Excellence Consulting
 
Digital Transformation Frameworks: Driving Digital Excellence
Digital Transformation Frameworks: Driving Digital ExcellenceDigital Transformation Frameworks: Driving Digital Excellence
Digital Transformation Frameworks: Driving Digital Excellence
Operational Excellence Consulting
 
Chapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .pptChapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .ppt
ssuser567e2d
 
TIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup IndustryTIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup Industry
timesbpobusiness
 
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
aragme
 
Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024
Adnet Communications
 

Recently uploaded (20)

Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
 
Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
 
Digital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on SustainabilityDigital Marketing with a Focus on Sustainability
Digital Marketing with a Focus on Sustainability
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
 
The Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb PlatformThe Genesis of BriansClub.cm Famous Dark WEb Platform
The Genesis of BriansClub.cm Famous Dark WEb Platform
 
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
How to Implement a Strategy: Transform Your Strategy with BSC Designer's Comp...
 
DearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUniDearbornMusic-KatherineJasperFullSailUni
DearbornMusic-KatherineJasperFullSailUni
 
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
Brian Fitzsimmons on the Business Strategy and Content Flywheel of Barstool S...
 
Income Tax exemption for Start up : Section 80 IAC
Income Tax  exemption for Start up : Section 80 IACIncome Tax  exemption for Start up : Section 80 IAC
Income Tax exemption for Start up : Section 80 IAC
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
 
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & InnovationInnovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & Innovation
 
Digital Transformation Frameworks: Driving Digital Excellence
Digital Transformation Frameworks: Driving Digital ExcellenceDigital Transformation Frameworks: Driving Digital Excellence
Digital Transformation Frameworks: Driving Digital Excellence
 
Chapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .pptChapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .ppt
 
TIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup IndustryTIMES BPO: Business Plan For Startup Industry
TIMES BPO: Business Plan For Startup Industry
 
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel ChartSatta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
Satta Matka Dpboss Matka Guessing Kalyan Chart Indian Matka Kalyan panel Chart
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
 
Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024Lundin Gold Corporate Presentation - June 2024
Lundin Gold Corporate Presentation - June 2024
 

Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance

  • 1. Guidance to Validate Internal Control Assertions in Indian Financial Reporting
  • 2. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 1 TABLE OF CONTENTS Acknowledgements ....................................................................................................................................................................... 3 Section 1 – Executive Summary.......................................................................................................................................................... 4 Need for This publication ............................................................................................................................................................... 4 Objective Statement....................................................................................................................................................................... 5 Identified Stakeholders .................................................................................................................................................................. 5 An Introduction to This document ................................................................................................................................................. 5 Benefits Derived From This Document........................................................................................................................................... 7 Approach to This publication.......................................................................................................................................................... 8 An Example of How to Read the Document................................................................................................................................. 10 References for the Publication ..................................................................................................................................................... 17 Section 2 – Detailed Publication ....................................................................................................................................................... 18 Definitions .................................................................................................................................................................................... 18 Chapter 1 - Governance and Risk Management in India – Regulatory Requirements to Comply With Indian Regulations ........ 22 Governance.............................................................................................................................................................................. 22 Risk Management..................................................................................................................................................................... 24 Assurance................................................................................................................................................................................. 25 Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008).................................. 27 Summary .................................................................................................................................................................................. 28 Chapter 2: Introduction to COBIT 5.............................................................................................................................................. 29 Chapter 3 – How COBIT 5 Can Be Used to Comply With Governance.......................................................................................... 32 Stakeholder 1 – Board of Directors.......................................................................................................................................... 38 Stakeholder 2 - Management................................................................................................................................................... 46 Stakeholder 3 – Auditor ........................................................................................................................................................... 77 Summary .................................................................................................................................................................................. 92 Section 3 Checklists........................................................................................................................................................................... 92 Checklist 1 – General Checklist for Governance........................................................................................................................... 93 Checklist 2 – General Checklist for Risk Management ................................................................................................................. 94 Checklist 3 – General Checklist Audit and Assurance................................................................................................................... 94 Checklist 4 – Compliance With the Data Protection Areas of IT Act ............................................................................................ 95 Checklist 5 – Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally Identifiable Information ............................................................................................................................................................... 98
  • 3. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 2 ISACA With more than 115,000 constituents in 180 countries, ISACA(www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus ™ , a comprehensive set of resources for cybersecurity professionals, and COBIT ® , a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor ® (CISA ® ), Certified Information Security Manager ® (CISM ® ), Certified in the Governance of Enterprise IT ® (CGEIT ® ) and Certified in Risk and Information Systems Control ™ (CRISC ™ ) credentials. The association has more than 200 chapters worldwide. Disclaimer This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have jurisdiction relating to any lawsuits pertaining to this book. The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices. The opinions and views of the authors do not necessarily reflect those of ISACA. Reservation of Rights © 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work. This text uses relevant ISACA publications with permission. ISACA 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 Email: info@isaca.org Web site: www.isaca.org ISACA® and COBIT® are registered trademarks of ISACA. Participate in the ISACA Knowledge Center: www.isaca.org/topic-India Follow ISACA on Twitter: https://twitter.com/ISACANews Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ
  • 4. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 3 ACKNOWLEDGMENTS ISACA Wishes to Recognize: The ISACA India Task Force Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India Project Coordinator and Advisor Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India Content Development Team Mr. Anand Prakash Jangid CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India Mr. Rajiv Gupta CISA, CFE, ACA, Coca-Cola India Ms. Vishakha Chhawchharia CISA, ACA, Quadrisk Advisors, Bangalore, India Mr. Amarnath Daga CISA, ACA, Quadrisk Advisors, Bangalore, India Mr. Bharath Rao B CeHv8, Quadrisk Advisors, Bangalore, India Mr. Anish Jain ACA, Quadrisk Advisors, Bangalore, India Ms. Shefalika Sahu ACA, Quadrisk Advisors, Bangalore, India Mr. Firoz Attarwala ACA, Quadrisk Advisors, Bangalore, India Expert Reviewers Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India Mr. Shrikant Patil Mr. Shashikant Shirahatti
  • 5. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 4 SECTION 1 – EXECUTIVE SUMMARY NEED FOR THIS PUBLICATION As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies assert to their stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and presentation of financial statements that need to give a true and fair view of financial position on a particular date and performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to fraud or error. This responsibility is an onerous one. Under Section 211 (7) of the Indian Companies Act, 1956, in the event that a company fails to take all reasonable steps to secure compliance, the willful negligence may be punishable with imprisonment for a term which may extend up to six months or a fine which may extend to ten thousand rupees or with both imprisonment and a fine. The new Companies Act, 2013 has not only emphasized the above requirements, but also has upped the ante in increasing a number of corporate governance and risk management requirements. This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements and committing to assertions on internal controls. This publication guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework. With the changing times, there also is a need for greater accountability of companies to their shareholders and customers. A need for governance arises from the separation of management from ownership. For a firm success, companies need to concentrate on both economic and social aspects. Companies needs to be fair with producers, shareholders, customers, etc., and have various responsibilities toward employees, and communities. Companies need to serve their responsibilities in all aspects. There are several important issues in governance and they play a great role. All the issues are inter-related and interdependent with each other. Each of the issues connected with governance has different priorities in each of the corporate bodies. The issues are: 1. Value-based corporate culture 2. Holistic view 3. Compliance with laws 4. Disclosure, transparency, and accountability 5. Governance and human resource management 6. Innovation Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid such catastrophes that often leave executives unemployed. Many executives believe that risks are higher than ever before. However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value. Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach. The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors. The importance of governance along with efficient risk management lies in its contribution both to business prosperity and to accountability.
  • 6. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 5 OBJECTIVE STATEMENT This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements and committing to assertions on internal controls. This publication guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework. IDENTIFIED STAKEHOLDERS This publication is targeted at the following audience, as their roles play the most crucial role in developing, maintaining and evaluating governance. COBIT® 5 is a business framework for the governance and management of enterprise IT, and hence their roles are restricted to the areas in which IT Information is present. • Board of directors • Management o Chief executive officer (CEO) o Chief financial officer (CFO) o Chief information officer (CIO) o Chief risk officer (CRO) o Chief information security officer (CISO) • Auditors (external and internal) AN INTRODUCTION TO THIS DOCUMENT Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory change. There has been a significant increase in the scope of audit and other internal control and risk management along with increased public scrutiny. It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between: • Strengthened central controls and fast local responsiveness • Effective risk management and the enduring need for innovation • The costs of compliance with the new governance regulation and the value it brings The following factors disrupt the normal operations of the company. Internal Factors The Board of Directors/Management The board advises the company’s CEO, who runs the daily operations, and reviews the quality of recommendations the CEO receives from others in corporate management. Some board members may be employees or family members (most often from the extended family of the company’s founder). Other board members may be affiliated with the company through a banking relationship, a law company retained by the company, or someone who represents a customer or supplier. Such members may be subject to potential conflicts of interest that cause them to act in ways not necessarily in the shareholders’ best interests. This has led some observers to argue that boards should be composed primarily of independent directors and different individuals should hold the CEO and board chairperson positions.
  • 7. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 6 Internal Controls Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having systems in place—even if they are properly engineered and constructed—is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data. Thus, extra procedures are built into every system by management to help ensure that every operation is performed as intended and the resulting financial data are reliable. Internal controls over financial reporting is a formal system of checks and balances, monitored by management and the board of directors and reviewed by the outside auditor. To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system. Anti-takeover Defenses A company’s management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify current management’s position within the company. Corporate Culture and Values While internal systems and controls are important, good governance also results when the employee culture is instilled with appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior management and their willingness to behave in a manner consistent with what they demand from other employees. Impact Due to Internal Factors One can conclude that if the company’s internal controls are not aligned for achieving governance, the company can face serious repercussions regarding integrity and professionalism of the company, which in turn affects the goodwill of the company. Internal controls help the company to achieve long-term stability. If there is chaos in the company, loss of shareholder faith and loss of money would be inevitable. External Factors Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an important role in maintaining good governance practices. Institutional Activists Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with merger and acquisition activity, has become an important factor in disciplining underperforming managers. Amalgamations and Acquisitions Changes in corporate control can occur because of a hostile (i.e., bids contested by the target’s board and management) or friendly takeover of a target company or because of a proxy contest initiated by dissident shareholders. When a company’s internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a “court of last resort” to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast, lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a company’s management can be reinforced when it is paired with a large shareholding by an institutional investor. Impact Due to External Factors After establishing an ideal internal control environment for achieving governance, it is crucial that the company maintains the same. External factors also affect the company’s governance. Thus, events like accounting frauds, cyberattacks, social engineering attacks and market instability would be unavoidable if governance is not implemented correctly. Any changes in legal, compliance, statutory, etc., areas has to be fulfilled by the company to sustain itself in the market and grow accordingly.
  • 8. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 7 This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the governance, risk management and information security regulatory requirements from the Companies Act, 2013, Clause 49 and the Information Technology Act, 2008 (as amended). BENEFITS DERIVED FROM THIS DOCUMENT Using this guidance note results in a number of easier governance and enterprise risk management (ERM) solutions to the enterprise and in a number of enterprise benefits, such as: • Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk management compliances, best practices, etc. • Increased user satisfaction with governance arrangements and outcomes • Improved integration of governance and ERM in the enterprise • Informed risk decisions and risk awareness • Reduced (impact of) costs of noncompliance of governance and ERM • Improved management of costs related to the governance and ERM • Better understanding of governance, ERM and internal controls • Enhanced support for innovation and competitiveness
  • 9. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 8 Regulations of Companies Act, 2013 and Clause 49 • Regulations related to governance and risk management and data privacy were identified. • Stakeholders were identified. Stakeholder Needs Identification • Questions are given from COBIT. • Questions are selected based on the regulation that is applicable to the stakeholder. Enterprise Goals Identification • Respective enterprise goals are selected for stakeholder needs. IT Goals Identification • Enterprise goals are converted to relevant IT goals according to the mapping that is given in the annexure of the COBIT 5 framework. Process Enablers & Management Practices • Process enablers and practices from COBIT are selected and applied in the relevant section. APPROACH TO THIS PUBLICATION This publication was prepared in keeping with the following: The COBIT enablers are tailored for compliance of governance requirements, enterprise risk management (ERM) and data security requirements based on the previous chart. Section two of this publication is divided into three chapters. The first chapter gives a broad view of the following:
  • 10. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 9 • Regulation requirements are captured in detail with respect to each identified stakeholder of the Companies Act, 2013, Clause 49 and Information Technology Act, 2008, covering areas of governance, risk management, assurance and data security. • Relevant practices are suggested by COBIT 5 that can be implemented to comply with these areas. Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers. Chapter 3 gives the relevant guidance for compliance to the listed regulations, keeping the stakeholders in mind, by using COBIT 5. This chapter has segregated the requirements that were applicable for each stakeholder, respectively, and the respective COBIT enabler usage to meet the stakeholder requirements is explained. Therefore, it is crucial that the previous chart be kept in mind while going through the document. Stakeholders are expected to follow these steps in order to bring value to their company: Chapter 1 •Regulatory requirements from the Companies Act, 2013, Clause 49 and Information Technology Act, 2008 •Governance, risk management, assurance and security Chapter 2 •Introduction to COBIT 5 •Principles and enablers Chapter 3 •Stakeholder segregation •RACI charts for the role of the stakeholder in an activity •COBIT 5 recommended practices for each stakeholder
  • 11. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 10 AN EXAMPLE OF HOW TO READ THE DOCUMENT Risk management compliance is to be performed by the company. Step 1 – Identify the regulation with which the user needs to comply (from chapter 1). Section Reference Regulatory Requirement Companies Act, 2013 Section 134, Clause 3(n) There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company. How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3 Step 2 – Determine the stakeholders that are affected. Classify them as primary and secondary. Primary stakeholder identified—Board of Directors Secondary stakeholder Identified—Management Step 3 – Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation from the “How this document will be useful” row. Identified processes – EDM03, APO12 Step 1 - Identify the regulation with which the company needs to comply (from chapter 1). Step 2 - Determine the stakeholders that are affected. Classify them as primary and secondary. Step 3 - Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation from the “How this document will be useful” row. Step 4 - Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI (Responsible, Accountable, Consulted, Informed) chart that has been provided. Step 5 - Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).
  • 12. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 11 Step 4 – Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI chart (Responsible, Accountable, Consulted, Informed) that has been provided. RACI Chart – Board of Directors Governance Practice Board EDM03.01 Evaluate risk management. A EDM03.02 Direct risk management. A EDM03.03 Monitor risk management. A RACI Chart - Management Management Practice ChiefExecutiveOfficer ChiefFinancialOfficer ChiefInformationSecurityOfficer ChiefRiskOfficer ChiefInformationOfficer APO12.01 Collect data. I R R A APO12.02 Analyze risk. I C R A APO12.03 Maintain a risk profile. I C A R APO12.04 Articulate risk. I C R A APO12.05 Define a risk management action portfolio. I C A R APO12.06 Respond to risk. I R R A Step 5 – Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3). Board of Directors – 1. EDM03.01 Evaluate risk management. Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
  • 13. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 12 ACTIVITY DETAILED ACTIVITIES 1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives. 2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels. 3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy. 4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made. 5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards. 6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT- related loss and leadership’s tolerance of it. The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risks and opportunity levels. The board needs to evaluate the risk factors before taking decisions on strategies to ensure that impact of risk has been factored. The board should evaluate the risk management activities and regularly define the enterprise’s capacity for loss and the tolerance limits. 2. EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. ACTIVITY DETAILED ACTIVITIES 1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts. 2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations. 3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans. 4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how). 5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers. 6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information. The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified. The board should ensure that there is integration within the risk strategies for IT and the enterprise and there are no conflicts. The board should direct the development of risk communication plans and action plans to all levels of the enterprise, which shall ensure timely responses to a changing risk environment. The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to the defined policies and procedures.
  • 14. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 13 3. EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation. ACTIVITY DETAILED ACTIVITIES 1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds. 2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes. 3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals. The board needs to monitor the extent to which the risk profile is managed and whether the profile is within the thresholds of risk appetite. The board should ensure that deviations of the processes against the defined targets are analyzed and corrective action needed is taken. Management - 1. APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. ACTIVITIES DETAILED ACTIVITIES 1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors. 2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk. 3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure. 4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations. 5. For similar classes of events, organize the collected data and highlight contributing factors. Determine common contributing factors across multiple events. 6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude. 7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors. Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors. Management can record relevant data on the enterprise internal and external operating environment that would play a significant role in management of risk. There can be a survey and analysis of historical risk data and loss experience from externally available trends, industry peers through event logs, databases and agreements for common event disclosures. The risk events that have caused or potentially cause impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigation can be recorded. Management needs to determine the specific conditions that existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of associated risk factors.
  • 15. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 14 2. APO12.02 Analyze risk. Develop useful information to support risk decisions that take into account the business relevance of risk factors. ACTIVIES DETAILED ACTIVITIES 1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis. 2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures. 3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels. 4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response. 5. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response. 6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses. 7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias. Management needs to define the appropriate breadth and depth of risk and criticality of assets, and set the risk scope after performing a cost-benefit analysis. Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types and development expectations for specific control activities, capabilities to detect and other response measures. Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. The applicable risk factors need to be taken into account and management needs to evaluate operational controls and estimate residual risk levels. There needs to be a comparison between residual risk to acceptable risk tolerance and risk exposure needs to be identified, which will require responses. Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce, transfer and accept. Management should specify high-level requirements for programs that will implement the risk responses. Management should identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, confirm whether risk aligns with enterprise requirements and verify that estimations were calibrated. 3. APO12.03 Maintain a risk profile. Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. ACTIVITIES MANAGEMENT’S ROLE 1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources. Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources.
  • 16. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 15 2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links. 3. Aggregate current risk scenarios by category, business line and functional area. 4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile. 5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends. 6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise. Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and weak links. Management needs to aggregate current risk scenarios by categories, business lines and functional areas. On a regular basis, management should capture risk profile information and consolidate it into aggregated risk profiles. Based on the profiles, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk trends. Capture the information on risk events that have materialized for inclusion in profiles of the enterprise. 4. APO12.04 Articulate risk. Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. ACTIVITIES DETAILED ACTIVITIES 1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return. 2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations. 3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile. 4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis. Management needs to report the results of risk analysis to all affected stakeholders in terms of formats supporting decision making. Wherever possible, include probabilities and range of loss or gain with confidence levels to balance risk and return. Management can provide to the decision makers an understanding of worst case and most probable scenarios, due diligence exposures and reputation, legal or regulatory consideration. The report on current risk profile includes effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, etc., and their impact on risk profile to the stakeholders. Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profiles.
  • 17. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 16 5. APO12.05 Define a risk management action portfolio. Manage opportunities to reduce risk to an acceptable level as a portfolio. ACTIVITIES DETAILED ACTIVITIES 1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk. 2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels. 3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost and benefits, effect on current risk profile and regulations. Management needs to make an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk. Management needs to determine that risk and accountability for operating within individual and portfolio tolerance levels are monitored. Management defines a balanced set of project proposals which are designed to reduce risk and/or projects that enable strategic opportunities considering the cost-benefit analysis. 6. APO12.06 Respond to risk. Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events. ACTIVITIES DETAILED ACTIVITIES 1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise. 2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile. 3. Apply the appropriate response plan to minimize the impact when risk incidents occur. 4. Examine past adverse events/losses, missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes. Management needs to prepare, maintain and test plans that document specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business. Further, ensure that plans include escalations across the enterprise. There needs to be a categorization of incidents and a comparison of actual exposures against risk thresholds and communication to decision makers as a part of reporting and updating risk profiles. Management should apply plans to minimize the impact when risk incidents occur, to examine the past adverse event and missed opportunities, and to determine root causes. Communicate the root causes, risk response requirements and process improvements to decision makers.
  • 18. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 17 REFERENCES FOR THE PUBLICATION • Companies Act, 2013 • Clause 49 of the Listing Agreement of SEBI • Information Technology Act, 2000 (as Amended by IT Amendment Act, 2008) • COBIT 5 framework • COBIT® 5: Enabling Processes • COBIT® 5 Implementation • COBIT® 5 for Risk • COBIT® 5 for Assurance • Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT® 5 • COBIT® 5: Enabling Information • COBIT® 5 for Information Security • Board Briefing on IT Governance (an ISACA publication)
  • 19. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 18 SECTION 2 – DETAILED PUBLICATION Section 2 is the core section of this publication. Section 2 consists of the guidance note for compliance of governance and risk management in India using COBIT 5. It is divided into three chapters. Chapter 1 describes all the regulations that are relevant to be complied with in order to have the minimum required governance and ERM. Chapter 2 gives a brief introduction of the COBIT 5 framework and its five principles and its seven enablers. Chapter 3 gives a detailed explanation of how COBIT 5 can be used to comply with the regulations that have been identified in chapter 1 for each stakeholder that has been identified in the scope of this publication. DEFINITIONS The following terms are defined according to their respective acts. The same meaning should be used while interpreting this document. Sr. No. Term Definition 1 Board of Directors In relation to a company, the collective body of the directors of the company 2 Independent Director An independent director referred to in sub-section (6) of section 149, i.e., a director other than a managing director or a whole-time director or a nominee director a) in the opinion of the Board, a person of integrity who possesses relevant expertise and experience (b) (i) person who is or was not a promoter of the company or its holdings, subsidiary or associate company (b) (ii) person who is not related to promoters or directors in the company, its holdings, subsidiary or associate company (c) person who has or had no pecuniary relationship with the company, its holdings, subsidiary or associate company, or their promoters, or directors, during the two immediately preceding financial years or during the current financial year (d) person, none of whose relatives has or had a pecuniary relationship or transaction with the company, its holdings, subsidiary or associate company, or their promoters, or directors, amounting to two percent or more of its gross turnover or total income or fifty lakh rupees or such higher amount as may be prescribed, whichever is lower, during the two immediately preceding financial years or during the current financial year
  • 20. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 19 Sr. No. Term Definition (e) person who, neither himself nor any of his relatives— (i) holds or has held the position of key managerial personnel or is or has been an employee of the company or its holdings, subsidiary or associate company in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed (ii) is or has been an employee or proprietor or a partner, in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed, of: (A) a firm of auditors or company secretaries in practice or cost auditors of the company or its holdings, subsidiary or associate company; or (B) any legal or a consulting firm that has or had any transaction with the company, its holdings, subsidiary or associate company amounting to ten percent. or more of the gross turnover of such firm (iii) holds together with his relatives two percent. or more of the total voting power of the company or (iv) is a chief executive or director, by whatever name called, of any nonprofit organization that receives twenty-five percent or more of its receipts from the company, any of its promoters, directors or its holdings, subsidiary or associate company or that holds two percent. or more of the total voting power of the company or (f) who possesses such other qualifications as may be prescribed 3 Key Managerial Personnel In relation to a company: (i) the CEO or the managing director or the manager (ii) the company secretary (iii) the whole-time director (iv) the chief financial officer; and (v) such other officer as may be prescribed
  • 21. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 20 Sr. No. Term Definition 4 Sensitive Personal Data Personal information that relates to passwords; financial information such as bank account or credit card or debit card or other payment instrument details; physical, psychological and mental health condition; sexual orientation; medical records and history, biometric information 5 Body Corporate Any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term is not restricted to a body corporate established in India. It refers to an organization that collects, stores or processes sensitive data on behalf of a body corporate (data processor). 8 Identity Theft A form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, usually as a method to gain access to resources. This process is also called personation. 9 Cyberterrorism Threats to the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by: (i) denying or causing the denial of access to any person authorized to access a computer resource; or (ii) attempting to penetrate or access a computer resource without authorization or exceeding authorized access; or (iii) introducing or causing to introduce any computer contaminant. By means of such conduct, causes or is likely to cause death or injuries to persons or damage to or destruction of property or disruptions or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70. 10 Intermediary Any person who on behalf of another person stores or transmits a message or provides any service with respect to that message 11 Computer resources Computer, communication device, computer system, computer network, data, computer database or software 1 Internal Control Process/methods designed by management or other personnel to ensure the integrity of financial and accounting information meet operational and profitable targets and transmit management policies throughout the organization. Basic policies related to internal controls were created to ensure suitable business practices. 2 Audit Committee An operating committee of a company's board of directors that is in charge of overseeing financial reporting and disclosure. They are also responsible for overseeing all internal and external audit functions of a company.
  • 22. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 21 Sr. No. Term Definition 3 Whistleblower Anyone who has and reports insider knowledge of illegal activities occurring in an organization. Whistleblowers can be employees, suppliers, contractors, clients or any individual who somehow becomes aware of illegal activities taking place in a business, either through witnessing the behavior or being told about it. In other words, a person who informs on a person or organization regarded as engaging in an unlawful or immoral activity.
  • 23. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 22 CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA – REGULATORY REQUIREMENTS TO COMPLY WITH THE INDIAN REGULATIONS This chapter present information on the enactments, and it provides the scope and objectives of this guidance note using COBIT 5. Detailed explanation of the COBIT 5 guidance has been explained in chapter 3 with respect to each stakeholder. Companies Act, 2013 and Clause 49 have been concentrated to a great extent. Because this is also the digital era, importance is also given to the Information Technology Act, 2000 (as amended by IT Amendment Act, 2008) with respect to the data privacy and penalty laws in India. All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with reference to the governance, risk management, assurance and privacy regulations. GOVERNANCE Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table. Section Reference Regulatory Requirement Companies Act, 2013 Section – 149, Schedule – IV The Company and independent directors shall abide by the provision specified in Schedule IV, which includes the roles and functions of independent directors, i.e.: • To help in bringing an independent judgment to bear on the board’s deliberations on risk management issues • To satisfy themselves on the integrity of financial information, those financial controls, and that the systems of risk management are robust and defensible How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section – 177, Clause – 4(vii) Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall inter alia include evaluation of internal financial controls and risk management systems. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section – IV, Clause – (c) The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined risk management framework. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02, APO12, BAI01, BAI02 DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section – IV, Clause – (f) As part of the directors’ report or as an addition thereto, a Management Discussion and Analysis report should form part of the Annual Report to the shareholders. This Management Discussion and Analysis report should include discussion on risks and concerns within the limits set by the company’s competitive position. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01, BAI02,BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified
  • 24. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 23 Section Reference Regulatory Requirement for the various stakeholders in chapter 3 Companies Act, 2013 Section – 138 (1) Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall be either a chartered accountant or a cost accountant, or such other professional as may be decided by the board to conduct internal audit of the functions and activities of the company. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section – 143, Clause 3€ The auditor’s report shall also state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section – 177 (4) Every audit committee shall act in accordance with the terms of reference specified in writing by the board which shall, inter alia, include: • Review and monitor of the auditor’s independence and performance, and the effectiveness of the audit process. • Evaluation of internal financial controls and risk management systems How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section – II, Clause – (d), (e) The role of the audit committee shall include the following: a) Reviewing, with management, performance of statutory and internal auditors, adequacy of the internal control systems b) Reviewing the adequacy of internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit c) Discussion with internal auditors of any significant findings and follow up d) Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board e) Management discussion and analysis of financial condition and results of operations f) Management letters/letters of internal control weaknesses issued by the statutory auditors. g) Internal audit reports relating to internal control weaknesses How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3
  • 25. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 24 RISK MANAGEMENT Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table. Section Reference Regulatory Requirement Companies Act, 2013 Section - 134, Clause - 3(n) There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section - 149 (8), Schedule – IV The independent director shall help in bringing an independent judgment to bear on the board’s deliberations on risk management resources and satisfy themselves that financial controls and the systems of risk management are robust and defensible. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - IV, Clause – c The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06, MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - IV, Clause – f Management Discussion and Analysis report should include discussion on risks and concerns as well as internal control systems and their adequacy within the limits set by the company’s competitive position. How this document will be useful Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant management practices as identified for the various stakeholders in chapter 3
  • 26. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 25 ASSURANCE Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table. Section Reference Regulatory Requirement Companies Act, 2013 Section - 134, Clause - 3(n) Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall include evaluation of internal financial controls and risk management systems. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section - 138 (1) Prescribed classes of companies shall be required to appoint an internal auditor, who is an assurance professional (auditor) decided by the board to conduct internal audit of the functions and activities of the company. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Companies Act, 2013 Section - 143 (3), clause – i The auditor’s report shall state that whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - d (6) The role of the audit committee shall include reviewing, with management, the performance of statutory and internal auditors, and adequacy of the internal control systems. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - d (7) The role of the audit committee shall include reviewing the adequacy of internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - d (9) The role of the audit committee shall include reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - d (12) The role of the audit committee shall include reviewing the functioning of the whistle- blower mechanism, in case the same is prevailing. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 The audit committee shall mandatorily review the management discussion and analysis of financial condition and results of operations.
  • 27. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 26 Section Reference Regulatory Requirement Section - II, Clause - e (1) How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - e (3) The audit committee shall mandatorily review the management letters / letters of internal control weaknesses issued by the statutory auditors. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - II, Clause - e (4) The audit committee shall mandatorily review the internal audit reports relating to internal control weaknesses. How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3 Clause 49 Section - VII, Clause - 1 The company shall obtain a certificate from either the auditors or practicing company secretaries regarding compliance of conditions of governance as stipulated in this clause and annex the certificate with the directors’ report, which is sent annually to all the shareholders of the company. How this document will be useful N/A
  • 28. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 27 INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT ACT, 2008) Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table. Section Reference Regulatory Requirement Section 43A The obligation to protect sensitive personal data applies to every entity (body corporate) that: • Possesses, deals with or handles any sensitive personal data or information (SPDI) • In a computer resource that it owns, controls or operates How this document will be useful Provides guidance by mapping to COBIT 5 processes APO013, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3 Section 43A Where an entity that is obliged to maintain security of sensitive personal data is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to pay damages by way of compensation to the person so affected. How this document will be useful Provides guidance by mapping to COBIT 5 processes APO013, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3 Section 43A Body corporate to provide policy for privacy and disclosure of information. The body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals or handles information of provider of information, shall provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information, and ensure that the policy is available for view by such providers of information who have provided such information under lawful contract. How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant management practices as identified for the various stakeholders in chapter 3 Section 66E Punishment for violation for privacy : Anybody being guilty of intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with a fine not exceeding two lakh rupees, or with both imprisonment and a fine. How this document will be useful N/A Section 66A Any person who sends, by means of a computer resource or a communication device: a) any information that is grossly offensive or has menacing character; or b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes use of such computer resource or a communication device, c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008) How this document will be useful N/A
  • 29. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 28 Section Reference Regulatory Requirement Section 66B Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the resource or device to be stolen, shall be punished with imprisonment of either description for a term, which may extend to three years or with a fine, which may extend to rupees one lakh or with both imprisonment and a fine. How this document will be useful N/A Section 66C Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to rupees one lakh. How this document will be useful N/A Section 66D Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term, which may extend to three years and shall also be liable to a fine, which may extend to one lakh rupees. How this document will be useful N/A Section 67C (1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the central government may prescribe. (2) Any intermediary who intentionally or knowingly contravenes the provisions of sub- section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine How this document will be useful N/A SUMMARY There is great effort being made in India to achieve efficient governance and risk management. Governance and risk management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved, keeping in mind Confidentiality and Privacy perspectives. Privacy of the data is regulated by the Information Technology Act, 2000 (as amended in 2008).
  • 30. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 29 CHAPTER 2: INTRODUCTION TO COBIT 5 Executive Summary According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using the approach and latest thinking provided by globally recognized framework COBIT 5 as a benchmark for reviewing and implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be an effective tool to help enterprises to simplify complex issues, deliver trust and value, manage risk, reduce potential public embarrassment, protect intellectual property, and maximize opportunities. COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy. COBIT 5 enables clear policy development and good practice for IT management, including increased business user satisfaction. The key advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not- for-profit or in the public sector. Five Principles of COBIT 5 Source: COBIT 5, ISACA, USA, 2012, figure 2 COBIT 5 simplifies governance challenges with just five principles. The five key principles for governance and management of enterprise IT in COBTI 5 taken together enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders. Principles 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable specific, IT-related goals and mapping these to specific processed and practices. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs to specific, actionable and customized enterprise goals—IT-related goals and enabler goals.
  • 31. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 30 Principle 2: Covering the Enterprise End-to-end: COBIT 5 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone internal and external that is relevant to governance and management of enterprise information and related IT. Principle 3: Applying a Single Integrated Framework: There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 is a single and integrated framework because it aligns with other latest relevant standards and frameworks; this allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. Principle 4: Enabling a Holistic Approach: Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several integrating components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve objectives of the enterprise. Principle 5: Separating Governance From Management: The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. • Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making, and monitoring performance and compliance against agreed-on direction and objectives. In most organizations, governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, especially in larger, complex organizations. • Management: It plans, builds, runs and monitors activities in alignment with the direction set by the governing body to achieve the objectives. In most enterprises, management is the responsibility of executive management under the leadership of the chief executive officer (CEO). From the definition of governance and management it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance to evaluate, direct and monitor, a set of interactions is required between governance and management to result in an efficient and effective governance system. Seven Enablers of COBIT 5 Enablers are factors that, individually and collectively, influence whether something will work, in this case, governance and management over enterprise IT. The goals cascade, i.e., higher level IT-related goals defining what the different enablers should achieve, drives enablers. The seven categories of enablers are: • Principles, Policies and Frameworks are the vehicles to translate the desired behavior into practical guidance for day- to-day management. • Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals. • Organizational Structures are the key decision-making entities in an enterprise. • Culture, Ethics and Behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities. • Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
  • 32. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 31 • Services, Infrastructure and Applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services. • People, Skills and Competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions. Source: COBIT 5, ISACA, USA, 2012, figure 2
  • 33. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 32 CHAPTER 3 – HOW COBIT 5 CAN BE USED TO COMPLY WITH GOVERNANCE Chapter 3 has been developed so that the COBIT 5 practices that are required for every stakeholder as an individual are provided. COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector. The solution has been formulated by following these steps: Step 1 – Identification of stakeholder needs that are required by the regulations and mapping with the relevant enterprise goals Step 2 – Mapping of enterprise goals with the relevant IT goals Step 3 – Mapping of IT goals with relevant IT processes Step 4 – Segregation of IT processes that would be applicable to the following stakeholders: Stakeholder 1 – Board of directors Stakeholder 2 – Management (CEO, CFO, CISO, CIO and other members of the C-level) Stakeholder 3 – Auditors This chapter consists of tables, as follows: Activities DETAILED ACTIVITIES The text in the “ACTIVITIES” column consists of the set of suggestions and guidance that have been prescribed by the COBIT 5 product family publications. The text in the “DETAILED ACTIVITIES” column consists of the interpretation of the activities from the perspective of the stakeholder, area under discussion and the regulatory requirements.
  • 34. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 33 Step 1 – Identification of Stakeholder Needs That Are Required by the Regulations and Mapping With the Relevant Enterprise Goals All stakeholder needs which are relevant have been highlighted in blue and the corresponding enterprise-related goals have been derived. Stakeholdervalueofbusiness investments Portfolioofcompetitive productsandservices Managedbusinessrisks (safeguardingofassets) Compliancewithexternallaws andregulations Financialtransparency Customer-orientedservice culture Businessservicecontinuityand availability Agileresponsestoachanging businessenvironment Information-basedstrategic decisionmaking Optimisationofservicedelivery costs Optimisationofbusiness processfunctionality Optimisationofbusiness processcosts Managedbusinesschange programmes Operationalandstaff productivity Compliancewithinternal policies Skilledandmotivatedpeople Productandbusiness innovationculture Stakeholder Needs 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 How do I get value from the use of IT? Are end users satisfied with the quality of the IT service? Y Y Y Y Y Y Y How do I manage performance of IT? Y Y Y Y Y Y Y How can I best exploit new technology for new strategic opportunities? Y Y Y Y Y Y How do I best build and structure my IT department? Y Y Y Y Y Y Y How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers? Y Y Y What are (control) requirements for Information? Y Y Y Did I address all IT-related risks? Y Y Y Y Am I running an efficient and resilient IT operation? Y Y How do I control cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options? Y Y Y Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance? Y Y Y How do I get assurance over IT? Y Y Is the information I am processing well secured? Y Y Y How do I improve business agility through a more flexible IT environment? Y Y Y Y Do IT projects fail to deliver what they promised, and if so - why? Is IT standing in the way of executing the business strategy? Y Y Y Y Y Y Y How critical is IT to sustaining the enterprise? What do I do if IT is not available? Y Y Y What concrete vital primary business processes are dependent on IT, and what are the requirements of business processes? Y Y Y Y What has been the average overrun of IT operational budgets? How often and how much do IT projects go over budget? Y Y Y Y How much of the IT effort goes to fire fighting rather than enabling business improvements? Y Y Y Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives? Y Y Y Y How long does it take to make major IT decisions? Y Y Y Y Are the total IT effort and investments transparent? Y Y Y Y Does IT support the enterprise in complying with regulations and service levels? How do I know whether I’m compliant with all applicable regulations? Y Y
  • 35. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 34 Step 2 – Mapping of enterprise goals With the Relevant IT Goals The enterprise goals that have been derived from step 1 have been mapped to their corresponding IT-related goal. This mapping is based on the matrix that is presented in the COBIT 5 framework.
  • 36. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 35 Step 3 – Mapping of IT goals With Relevant IT processes The IT processes that have been derived from step 2 have been mapped to the relevant COBIT 5 processes. This mapping is based on the matrix that is presented in the COBIT 5 framework.
  • 37. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 36 Summary of Selected IT-related Goals The following IT-related goals as derived from step 3 would be made applicable after following the goals cascade approach and keeping in mind the scope of the document. IT Goal No. IT-related Goal Priority Comments 1 Alignment of IT and business strategy P Irrelevant 2 IT compliance and support for business compliance with external laws and regulations P Relevant 3 Commitment of executive management for making IT-related decisions P Irrelevant 4 Managed IT-related business risks P Relevant 5 Realized benefits from IT-enabled investments and services portfolio P Irrelevant 6 Transparency of IT costs, benefits and risk P Relevant 7 Delivery of IT services in line with business requirements P Relevant 8 Adequate use of applications, information and technology solutions P Relevant 9 IT agility P Irrelevant 10 Security of information and processing infrastructure and applications P Irrelevant 11 Optimization of IT assets, resources and capabilities P Relevant 12 Enablement and support of business processes by integrating applications and technology into business processes P Irrelevant 13 Delivery of programs on time, on budget, and meeting requirements and quality standards P Irrelevant 14 Availability of reliable and useful information for decision making P Irrelevant 15 IT compliance with internal policies P Relevant 16 Competent and motivated business and IT personnel P Irrelevant 17 Knowledge, expertise and initiatives for business innovation P Irrelevant P = Primary
  • 38. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 37 Step 4 – Segregation of IT Processes That Would Be Applicable to Stakeholders Collectively The following figure gives an idea of the relationship between the board of directors, management and auditors to comply with the regulatory requirements that have been imposed by the regulators of the enterprise. Therefore, the board of directors needs to ensure compliance to regulations, which shall be verified by the auditors and shall, in the end, report the same to the regulators. Management will have to implement the directions that have been imposed by the board of directors and account for the same to the board of directors.
  • 39. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 38 STAKEHOLDER 1 – BOARD OF DIRECTORS The board of directors is the highest governing authority within the management structure at any publicly traded company. They are policy managers of a corporation or organization elected by the shareholders or members. The board in turn chooses the officers of the corporation, sets basic policy and is responsible to the shareholders. In small corporations, there are usually only three directors. The board is directly accountable to the shareholders, and each year the company will hold an annual general meeting (AGM) at which the directors must provide a report to shareholders on the performance of the company and what its plans and strategies are, and submit themselves for re-election to the board. Roles of board of directors include: • Determine the company's vision and mission to guide and set the pace for its current operations and future development. • Determine the values to be promoted throughout the company. • Determine and review company goals. • Determine company policies. • Review and evaluate present and future opportunities, threats and risks in the external environment and current and future strengths, weaknesses and risks relating to the company. • Determine strategic options, select those to be pursued, and decide the means to implement and support them. • Determine the business strategies and plans that underpin the corporate strategy. • Ensure that the company's organizational structure and capability are appropriate for implementing the chosen strategies.
  • 40. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 39 Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of management, toward achieving their goals and objectives. The image below depicts that, out of the 37 processes, the stakeholder (the board) can adapt relevant processes (borders shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise. RACI CHART A responsibility assignment matrix, also known as a RACI chart (Responsible, Accountable, Consulted, Informed), ARCI matrix or linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the roles of the board of directors in contributing to effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following chart. Governance Practice Board EDM01.01 Evaluate the governance system. A EDM01.02 Direct the governance system. A EDM01.03 Monitor the governance system. A
  • 41. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 40 Governance Practice Board EDM03.01 Evaluate risk management. A EDM03.02 Direct risk management. A EDM03.03 Monitor risk management. A EDM05.01 Evaluate stakeholder-reporting requirements. A EDM05.02 Direct stakeholder communication and reporting. A EDM05.03 Monitor stakeholder communication. A MEA01.05 Ensure the implementation of corrective actions. I MEA02.02 Review business process controls effectiveness. I MEA02.08 Execute assurance initiatives. I MEA03.03 Confirm external compliance. I MEA03.04 Obtain assurance of external compliance. I 1. EDM01.01 Evaluate the governance system. Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of governance of enterprise IT. ACTIVITIES DETAILED ACTIVITIES 1. Analyze and identify the internal and external environmental factors (legal, regulatory & contractual obligations) and trends in the business environment that may influence governance decisions. 2. Determine the significance of IT and its role with respect to business. 3. Consider external regulations, laws and The board needs to identify the internal and external factors and trends in the business environment that influence governance decisions. The board should envision the significance of IT and the role it shall play toward achieving business objectives and benefits realization. The board needs to consider the impact of laws and
  • 42. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 41 contractual obligations and determine how they should be applied with the governance of enterprise IT. 4. Align the ethical use and processing of information and its impact on society, natural environment, and internal and external stakeholder interests with the enterprise’s direction, goals and objectives. 5. Determine the implications of the overall enterprise control environment with regard to IT. 6. Articulate principles that will guide the design of governance and decision making of IT 7. Understand the enterprise’s decision-making culture and determine the optimal decision- making model for IT. 8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions. regulations and determine the governance of enterprise IT. The board needs to frame ethical standards and consider the impact of business decisions on society, environment and the interests of stakeholders in relation to business objectives. The board can develop guidelines and principles for governance in IT. The board can devise appropriate levels of delegated authority and devise rules for IT-related decisions. 2. EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision-making. ACTIVITIES DETAILED ACTIVITIES 1. Communicate governance of IT principles and agree with executive management on the way to establish informed and committed leadership. 2. Establish or delegate the establishment of governance structures, processes and practices in line with agreed-on design principles. 3. Allocate responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation. 4. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information. 5. Direct that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of non-compliance are known and enforced. 6. Direct the establishment of a reward system to promote desirable cultural change. The board needs to communicate the governance principles and establish systems toward committed leadership. The board needs to ensure that a system is established with governance structures, practices and processes, which are in line with an agreed-on governance methodology. The board should allocate responsibility—should allocate accountability to management on the basis of agreed-on governance principles. The board needs to direct staff to follow guidelines on ethical and professional behavior and ensure that staff are aware of the consequences and actions of noncompliance. The board can also implement a reward-based system to promote a cultural change within the organization.
  • 43. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 42 3. EDM01.03 Monitor the governance system. Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. ACTIVITIES DETAILED ACTIVITIES 1. Assess the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT. 2. Periodically assess whether agreed-on governance of IT mechanisms (structures, principles, processes, etc.) is established and operating effectively. 3. Assess the effectiveness of the governance design and identify actions to rectify any deviations found. 4. Maintain oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines. 5. Provide oversight of the effectiveness of, and compliance with, the enterprise’s system of control. 6. Monitor regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines. The board needs to assess the effectiveness and performance of management personnel who have been assigned the task of governance of the enterprise. The board should assess periodically the governance systems, policies and procedures for efficient operations and rectify the deviations, if any, found in the governance system. The board should maintain oversight of the extent to which IT is able to satisfy obligations, standards and professional guidelines. 4. EDM03.01 Evaluate risk management. Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. ACTIVITIES DETAILED ACTIVITIES 1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives. 2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels. 3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy. 4. Proactively evaluate IT risk factors in advance of The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks and, on assessing those risks, define a risk tolerance threshold for acceptable risks and opportunity levels. The board needs to evaluate the risk factors before making decisions on strategies to ensure that impact of risk has been factored in.