COSO Update Sept 2008

Apr 14, 2018

Transcript
  • 7/30/2019 COSO Update Sept 2008

    Grant Thornton

    Guidance on Monitoring Internal Control Systems

    COSO Monitoring Project Update

    FEI - CFIT Meeting, September 25, 2008

  • Slide 1 - Guidance on Monitoring Internal Control Systems

    Project Overview

    Drivers: COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control. The SOX response provided confirmation.

    Objectives:
    Help organizations improve the effectiveness and efficiency of their internal control systems.
    Provide practical guidance that illustrates how monitoring can be incorporated into an organization's internal control processes.

  • Slide 2 - Guidance on Monitoring Internal Control Systems

    Project Overview

    Process
    GT authoring team, supported by a large task force
    Last summer: conceptual whitepaper
    This summer: proposed guidance - public comments July to August 15

    Content
    Volume I Guidance - 15 pages
    Volume II Theory & Application - 54 pages
    Volume III Practical Examples - 116 pages

    Final guidance will be issued shortly, but there are still some minor wording issues in play.

  • Slide 3 - Guidance on Monitoring Internal Control Systems

    Guiding Principles

    Without monitoring, even good controls deteriorate over time.

  • Slide 4 - Guidance on Monitoring Internal Control Systems

    Organization Structure

    Role of Management & The Board
    Management has primary responsibility for the internal control system.
    The Board should determine that management has fulfilled its obligations.
    Evaluating controls performed by senior management requires focus and consideration.

    Characteristics of Evaluators
    Competence: knowledge of the control and the implications of its failure.
    Objectivity: perform the evaluation without fear of repudiation or personal interest in the outcome.

  • Slide 5 - Guidance on Monitoring Internal Control Systems

    Importance of Having A Baseline

    You have to know that you have good internal controls before you can implement monitoring of those controls, and you have to adapt as things change.

  • Slide 6 - Guidance on Monitoring Internal Control Systems

    Design & Execute Monitoring

  • Slide 7 - Guidance on Monitoring Internal Control Systems

    Persuasive Information (about a control) is . . .

    1. Suitable
       Relevant (Direct or Indirect)
       Reliable
       Timely

    2. Sufficient
       Quantity of information: do we have enough to support a conclusion?

    [Diagram: three overlapping circles labelled Relevant, Reliable and Timely. Where only two overlap the label reads "Need Timely Info", "Need Reliable Info" or "Need Relevant Info"; where all three overlap the label reads "Relevant, Reliable & Timely".]

    Both require judgment that depends on the level of risk and the control's susceptibility to failure.

  • Slide 8 - Guidance on Monitoring Internal Control Systems

    Relevance of Information

    Direct information
    Substantiates control operation through observation and/or re-performance of a given control.

    Indirect information
    Anything other than direct information.
    Only allows the user to infer the continued effective operation of controls.
    Can only influence the type, timing, and extent of monitoring using direct information.

  • Slide 9 - Guidance on Monitoring Internal Control Systems

    Information Technology References & Implications

    Volume I Guidance
    None

    Volume II Theory & Application
    Tools Enabling The Monitoring Process
    Tools That Monitor Controls

    Volume III Practical Examples
    Company Specific Uses Of IT Tools Used To Monitor Process Risks
    Comprehensive Example Of Identifying & Monitoring Controls Over Common IT Risks
    Examples Of Common IT Processes That MIGHT Be Considered Monitoring
    Examples Of How Tools Are Used

  • Slide 10 - Guidance on Monitoring Internal Control Systems

    Tools Enabling The Monitoring Process

    Tools to make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable. Example uses:
    Coordinate the risk assessment process
    Provide a repository for documentation
    Enhance the communication process
    Support the roll-up of information at various levels and points within an organization
    Provide performance indicators

  • Slide 11 - Guidance on Monitoring Internal Control Systems

    Tools That Monitor Controls

    General Observations
    Typically enhance both efficiency and effectiveness of the monitoring process
    Can be very specific or very broad in terms of the types of controls they help monitor
    Can be a control and simultaneously play a role in monitoring of controls
    Can be independent or be part of the reporting capability of a tool that is functioning as a control
    Apply to both IT processes and application controls
    Do have limitations

  • Slide 12 - Guidance on Monitoring Internal Control Systems

    Tools That Monitor Controls

    Tools that monitor controls typically do so by focusing on one or more of the following:
    Transaction Data
    Conditions
    Changes
    Processing Integrity
    Error Management

  • Slide 13 - Guidance on Monitoring Internal Control Systems

    Transaction Data

    Tools extract processed transactions, master file data, or both, and analyze them against a set of control rules to:
    Highlight exceptions and/or anomalies
    Analyze unusual trends in activities, values and volumes
    Compare balances or details between two systems or between distinct parts of a process

    Can be an ad hoc reporting tool or an integrated application solution or suite.
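    A worked illustration of the three uses listed on this slide (rule-based exceptions, trend analysis of volumes, and comparison of balances between two systems), added here as example code; it is not part of the COSO guidance or the presenter's material. The payment records, daily volumes, GL balances, approval threshold, business-hours window and z-score cut-off are all constructed assumptions for the example.

```python
"""Transaction-data monitoring (added example; all data below is constructed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed subledger extract: one record per accounts-payable payment.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 4200.00, "approver": "mgr1", "hour": 10},
    {"id": "P2", "vendor": "V100", "amount": 4200.00, "approver": "mgr1", "hour": 11},  # repeats P1
    {"id": "P3", "vendor": "V200", "amount": 25000.00, "approver": "", "hour": 14},     # no approver
    {"id": "P4", "vendor": "V300", "amount": 900.00, "approver": "mgr2", "hour": 2},    # posted at 02:00
    {"id": "P5", "vendor": "V400", "amount": 150.00, "approver": "mgr2", "hour": 9},
]
APPROVAL_THRESHOLD = 10000.00   # assumed policy: payments at or above this need an approver
BUSINESS_HOURS = range(7, 20)   # assumed policy: postings expected between 07:00 and 19:59

# Constructed daily payment counts; the last entry is the day under review.
DAILY_VOLUMES = [40, 42, 38, 41, 39, 43, 40, 120]

# Constructed general-ledger AP balances for the same period, by vendor.
GL_BALANCES = {"V100": 8400.00, "V200": 25000.00, "V300": 900.00, "V400": 100.00}


def rule_exceptions(payments):
    """Apply the control rules to each payment; return (payment id, rule) pairs."""
    findings = []
    seen = {}  # (vendor, amount) -> first payment id seen with that combination
    for p in payments:
        if p["amount"] >= APPROVAL_THRESHOLD and not p["approver"]:
            findings.append((p["id"], "missing approval above threshold"))
        if p["hour"] not in BUSINESS_HOURS:
            findings.append((p["id"], "posted outside business hours"))
        key = (p["vendor"], p["amount"])
        if key in seen:
            findings.append((p["id"], f"possible duplicate of {seen[key]}"))
        else:
            seen[key] = p["id"]
    return findings


def volume_anomalies(volumes, z=3.0, min_history=3):
    """Return indexes of days whose count lies more than z population standard
    deviations from the mean of all earlier days (trend/volume check)."""
    flagged = []
    for i in range(min_history, len(volumes)):
        history = volumes[:i]
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0 and abs(volumes[i] - mu) / sigma > z:
            flagged.append(i)
    return flagged


def reconcile(payments, gl_balances, tolerance=0.01):
    """Sum the subledger by vendor and compare with the GL; return vendors whose
    difference (subledger minus GL) exceeds the tolerance."""
    totals = defaultdict(float)
    for p in payments:
        totals[p["vendor"]] += p["amount"]
    differences = {}
    for vendor in sorted(set(totals) | set(gl_balances)):
        diff = round(totals.get(vendor, 0.0) - gl_balances.get(vendor, 0.0), 2)
        if abs(diff) > tolerance:
            differences[vendor] = diff
    return differences


if __name__ == "__main__":
    for pid, rule in rule_exceptions(PAYMENTS):
        print(f"exception  {pid}: {rule}")
    for day in volume_anomalies(DAILY_VOLUMES):
        print(f"anomaly    day {day}: {DAILY_VOLUMES[day]} payments")
    for vendor, diff in reconcile(PAYMENTS, GL_BALANCES).items():
        print(f"difference {vendor}: subledger exceeds GL by {diff:.2f}")
```

    Each function returns its findings rather than only printing them, so the same checks can be scheduled and their output fed to whoever evaluates the control; the exception list, the flagged day and the vendor difference are the "persuasive information" the earlier slides describe, and the thresholds are where the judgment about risk and susceptibility to failure enters.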

  • Slide 14 - Guidance on Monitoring Internal Control Systems

    Conditions

    Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources, application systems, or both.

    Works by comparing the configuration information to baseline information, a prior analysis, or both, to determine whether it is consistent with the organization's expectations.

    Increases the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis.

    Can be scanning or agent based.

  • Slide 15 - Guidance on Monitoring Internal Control Systems

    Changes

    Tools that identify and report changes to critical resources, data or information:
    Usually operate on a continuous basis (i.e., they are "agent-based")
    Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
    Most likely will be considered a control as well as a method for monitoring controls
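    The conditions tools of slide 14 and the change tools of slide 15 both reduce to the same mechanics: compare an observed state with an expected one, then decide for each difference whether it was authorized. The following added example, which is not code from the guidance or the presenter, does that for a constructed configuration baseline, a constructed scan result and a constructed list of approved change tickets; the hosts, setting names and ticket ids are assumptions. It also folds approved changes back into the baseline, which is the "adapt as things change" point from slide 5.

```python
"""Configuration baseline and change monitoring (added example; all data is constructed)."""

# Constructed baseline: host -> {setting: expected value}.
BASELINE = {
    "db01": {"ssh.PasswordAuthentication": "no", "audit.enabled": "yes",
             "ntp.server": "ntp.corp.example"},
    "app01": {"ssh.PasswordAuthentication": "no", "audit.enabled": "yes",
              "ntp.server": "ntp.corp.example"},
}

# Constructed result of the current scan, as a scanner or agent would report it.
CURRENT = {
    "db01": {"ssh.PasswordAuthentication": "no", "audit.enabled": "no",
             "ntp.server": "ntp.corp.example"},
    "app01": {"ssh.PasswordAuthentication": "yes", "audit.enabled": "yes",
              "ntp.server": "ntp2.corp.example", "debug.mode": "on"},
}

# Constructed approved change tickets; each authorizes one host/setting/value.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "host": "app01", "setting": "ntp.server",
     "new_value": "ntp2.corp.example"},
]


def drift(baseline, current):
    """Return (host, setting, expected, actual) for every difference between the
    baseline and the scan. A setting missing from the scan has actual=None; a
    setting present on the host but absent from the baseline has expected=None."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        expected = baseline.get(host, {})
        actual = current.get(host, {})
        for setting in sorted(set(expected) | set(actual)):
            if expected.get(setting) != actual.get(setting):
                findings.append((host, setting, expected.get(setting), actual.get(setting)))
    return findings


def classify(findings, approved):
    """Split drift into changes covered by an approved ticket and changes that are not.
    Authorized entries carry the ticket id; unauthorized ones keep expected/actual."""
    index = {(c["host"], c["setting"], c["new_value"]): c["ticket"] for c in approved}
    authorized, unauthorized = [], []
    for host, setting, expected, actual in findings:
        ticket = index.get((host, setting, actual))
        if ticket:
            authorized.append((host, setting, actual, ticket))
        else:
            unauthorized.append((host, setting, expected, actual))
    return authorized, unauthorized


def accept_authorized(baseline, authorized):
    """Return a new baseline with the approved values applied, so the next scan
    re-flags only what is still unexplained."""
    updated = {host: dict(settings) for host, settings in baseline.items()}
    for host, setting, actual, _ticket in authorized:
        updated.setdefault(host, {})[setting] = actual
    return updated


if __name__ == "__main__":
    approved, unexplained = classify(drift(BASELINE, CURRENT), APPROVED_CHANGES)
    for host, setting, value, ticket in approved:
        print(f"authorized   {host} {setting}={value} ({ticket})")
    for host, setting, expected, actual in unexplained:
        print(f"UNAUTHORIZED {host} {setting}: expected {expected!r}, found {actual!r}")
    new_baseline = accept_authorized(BASELINE, approved)
    print(f"{len(drift(new_baseline, CURRENT))} differences remain after accepting approved changes")
```

    Scanning and agent-based tools differ only in how `CURRENT` is collected; the comparison and the authorization check are the same. The unexplained list is the output that matters for monitoring: an audit setting turned off, password authentication enabled and a debug mode that was never baselined, none of which has a ticket.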

  • Slide 16 - Guidance on Monitoring Internal Control Systems

    Processing Integrity

    Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:
    Typically focus on balancing and controlling data as it progresses through processes and systems
    Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
    Most likely will be considered a control as well as a method for monitoring controls

  • Slide 17 - Guidance on Monitoring Internal Control Systems

    Error Management

    Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.

    Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively.

    Will almost always be seen as a control activity first.

  • Slide 18 - Guidance on Monitoring Internal Control Systems

    Continuous Control Monitoring Tools

    Tools typically complement normal transaction processing by checking transactions or other data for anomalies.

    In most cases, they operate as control activities, allowing for the identification of control failures and the ability to correct errors before they become significant.

    When used as a control, the tool itself should be subject to monitoring.

    Addressing the impact of change is also a key requirement for these tools.

  • Slide 19 - Guidance on Monitoring Internal Control Systems

    Volume III - Examples

    Information Used To Monitor Common Controls That Are Relevant To Financial Reporting Risks
    Application Security
    Application Program/Configuration Change Control
    Data Security & Change Control
    Program Testing
    Job Scheduling & Management
    Data Redundancy

  • Slide 20 - Guidance on Monitoring Internal Control Systems

    Volume III - Examples

    Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls
    Access Recertification
    Security Log Monitoring
    Peer/Quality Review Processes
    Change Review Boards
    Post-Implementation Reviews
    Recovery Testing

  • Closing slide - Guidance on Monitoring Internal Control Systems

    Grant Thornton

    Questions???