The Importance of the COBIT Framework IT Processes For Effective Internal Control over the Reliability of Financial Reporting: An International Survey
UWCISA Symposium, October 11-13, 2007, Toronto, Canada
Uday Murthy, University of South Florida
David S. Kerr, University of North Carolina at Charlotte
Introduction and Background
Publicly held companies must have a system of internal controls, per regulatory requirements
Internal controls are heavily “IT-dependent”
Need for strong IT governance
COBIT – a framework for IT governance
Specifies “best practices” for IT processes
Conformance to COBIT IT processes should result in better internal control
Motivation
To understand the extent to which the COBIT IT processes contribute to effective internal control over the reliability of financial reporting
Given limited resources, are there certain “key” processes that organizations should focus on from the viewpoint of reliability of financial reporting?
To determine whether demographic variations in IT auditors explain differences in perceptions regarding the value of COBIT
COBIT
Control OBjectives for Information and related Technology
Focus of COBIT is on the management and control of IT
Comprises 34 IT processes organized into 4 domains:
Plan and Organize (plan)
Acquire and Implement (build)
Deliver and Support (run)
Monitor and Evaluate (monitor)
Figure 1: COBIT Framework
Prior Work
COBIT usage survey by Guldentops and De Haes (2002)
Profile of COBIT adopters (n=182):
Almost half of the respondents were from the Americas
Most had over 1,000 employees, with 1/3rd > 10,000 employees
90% of responding organizations used COBIT
Uses: audit planning and audit program development, to validate current IT controls, to evaluate IT risks, to reduce IT risks, and as a framework for improving IT
~40% of respondents indicated that their control framework and audit process was partly COBIT-based; less than 5% of respondents indicated that COBIT had been formally adopted and was enforced as corporate policy
Research Questions
RQ1: In the context of the reliability of financial reporting, what is the relative importance of each of the 34 IT control and security processes?
RQ2: In the context of the reliability of financial reporting, to what extent does the relative importance of each of the 34 IT control and security processes vary as a function of characteristics of the IT professionals within the organization?
Method
Web survey of IT professionals
ISACA members targeted through local chapters
Sections of survey instrument:
Demographics
Background information
COBIT familiarity
Importance rating for each process, top 10 processes
Respondents
189 respondents from 21 countries
Average age: 40.1 years
Gender: 71% were male
Working in industry: 66%; public accounting: 18%; government: 16%
Average time with current employer: 5.8 years
Degrees: 38% masters; 57% bachelors
Certifications: 58% CISAs
Selected Demographics

Time spent reviewing IT controls   Frequency   Percent
Less than 10%                      18          9.5
10% - 25%                          39          20.6
26% - 50%                          34          18.0
51% - 75%                          33          17.5
Greater than 75%                   65          34.4

Familiarity with COBIT*            Frequency   Percent
1                                  2           1.1
2                                  11          5.8
3                                  60          31.7
4                                  55          29.1
5                                  61          32.3
* 1 = Not at all familiar; 3 = Somewhat familiar; 5 = Very familiar
Table 2: COBIT Processes Sorted by Mean Importance Ratings
COBIT Process*   Description of process   Mean importance rating
DS5 Ensure System Security 4.661
AI6 Manage Changes 4.487
PO9 Assess Risk 4.413
DS11 Manage Data 4.333
M2 Assess Internal Control Adequacy 4.328
PO8 Ensure Compliance with External Requirements 4.222
DS10 Manage Problems and Incidents 4.101
AI4 Develop and Maintain Procedures 4.085
M1 Monitor the Process 4.079
PO11 Manage Quality 4.074
DS4 Ensure Continuous Service 4.048
M4 Provide for Independent Audit 4.021
DS7 Educate and Train Users 4.005
PO10 Manage Projects 3.952
M3 Obtain Independent Assurance 3.947
DS9 Manage the Configuration 3.931
PO2 Define the Information Architecture 3.884
DS13 Manage Operations 3.884
PO1 Define a strategic IT plan 3.878
AI5 Install and Accredit Systems 3.873
PO6 Communicate Management Aims and Directions 3.825
AI3 Acquire and Maintain Technology Infrastructure 3.815
AI2 Acquire and Maintain Application Software 3.799
DS2 Manage Third-party Services 3.783
PO4 Define the IT Organization and Relationship 3.746
DS12 Manage Facilities 3.730
DS1 Define and Manage Service Levels 3.714
DS3 Manage Performance and Capacity 3.714
PO5 Manage the Information Technology and Relationships 3.709
PO7 Manage Human Resources 3.640
AI1 Identify Automated Solutions 3.566
PO3 Determine the Technological Direction 3.545
DS6 Identify and Allocate Costs 3.407
DS8 Assist and Advise Consumers 3.238
Table 3: Number of times each IT process was selected as a “Top 10” process
COBIT process   Description of process   Top 10 count
DS5 Ensure System Security 147
AI6 Manage Changes 133
PO9 Assess Risk 122
M2 Assess Internal Control Adequacy 98
DS11 Manage Data 97
PO1 Define a strategic IT plan 91
M1 Monitor the Process 81
AI4 Develop and Maintain Procedures 74
DS10 Manage Problems and Incidents 70
DS7 Educate and Train Users 66
PO8 Ensure Compliance with External Requirements 64
M4 Provide for Independent Audit 58
M3 Obtain Independent Assurance 55
DS4 Ensure Continuous Service 51
DS9 Manage the Configuration 50
PO10 Manage Projects 49
PO2 Define the Information Architecture 48
AI2 Acquire and Maintain Application Software 46
PO11 Manage Quality 45
PO6 Communicate Management Aims and Directions 44
AI3 Acquire and Maintain Technology Infrastructure 39
PO4 Define the IT Organization and Relationship 38
DS1 Define and Manage Service Levels 38
DS13 Manage Operations 36
PO5 Manage the Information Technology and Relationships 35
Overview of Results
Of the 34 IT processes, results reveal that some are more important than others from the viewpoint of the reliability of financial reporting
In particular, five processes stood out as being critical: Ensure System Security (DS5), Manage Changes (AI6), Assess Risk (PO9), Assess Internal Control Adequacy (M2), and Manage Data (DS11)
Factor analysis results revealed six distinct factors, with the “general and application controls” factor being the most prominent
Limitations
True response rate and hence extent of non-response bias is unknown
Extent to which importance ratings were affected by the length of the instrument is unknown (the “fatigue factor”)
Order of 34 processes was not randomized
Despite instructions, it is possible that respondents were not attuned to the focus on the effect of the COBIT IT processes on the reliability of financial reporting
Lack of a “reference point” or context for assessing importance of IT processes
Conclusion and Future Research
Some COBIT IT processes are deemed more critical than others from the standpoint of the reliability of financial reporting
Internal and external auditors can focus their attention on the “Top 10” most critical COBIT processes
Future research could focus on the why question – why some IT processes are deemed more critical than others
Also worth investigating the extent to which COBIT processes contribute to other organizational objectives