Canadian Institute of Chartered Accountants
					Specialized Control Matrix – IT

   – Book discusses Trust Services framework developed by
     AICPA and Canadian Institute of Chartered Accountants

   – More widely accepted in industry is COBIT developed
     by the IT Governance Institute:

      C=Control
      OB=Objectives for
      I=Information and related
      T=Technology
COBIT-what is it?

• Provide companies with an information systems
  governance model that helps in understanding and
  managing the risks associated with technology.

• Meant to facilitate bridging the gap between business risk,
  management needs and technical issues.

• Augments COSO/ERM, not a replacement
COBIT Processes

• The primary COBIT® processes that have the most direct
  relevance to COSO's internal control structure can be
  categorized into four broad categories (COBIT calls them domains):

   –   Plan and organize
   –   Acquire and implement
   –   Deliver and support
   –   Monitor and evaluate
COBIT: Plan and Organize Control Category

   – IT strategic plan developed, monitored, communicated

   – Define information capture, processing, and reporting

   – IT staff has adequate knowledge and experience; roles
     defined and documented; proper segregation of duties;
     IT employees trained and developed, kept up to date
     with new technology
COBIT: Plan and Organize Control Category

   – Policies and Procedures documented and updated;
     issues reported and resolved

   – System changes are authorized and monitored;
     adequate controls surround change management

   – IT performs security assessments; monitors/updates
     access restrictions; ensures continuity

   – Set standard requirements; assess variances with
COBIT: Acquire and Implement Control Category

• Applications:

   – Financial Reporting requirements met
   – Supports complete, accurate, timely, authorized and
     valid transaction processing
   – Development method includes security, availability and
     processing integrity requirements
   – Aligns with business strategy
   – Users are appropriately involved in design, selection
     and testing of application
   – Post-implementation reviews performed to ensure
     controls are operating as intended
COBIT: Acquire and Implement Control Category

• Technology Infrastructure

   – Provides the appropriate platforms to support financial
     reporting applications

   – Ensure that infrastructure (including network devices and
     software) acquired is based on requirements of financial
     applications intended to support
COBIT: Acquire and Implement Control Category
• Policies and Procedures

   – Exist

   – Define required acquisition and maintenance processes,
     including documentation to support proper use and
     technological solutions put in place

   – Regularly reviewed, updated and approved by
COBIT: Acquire and Implement Control Category
• Install/Test Application SW & Infrastructure:

   – Systems appropriately tested and validated prior to being
     placed into production

   – Controls tested to ensure operating as intended and support
     financial reporting

   – Testing strategy developed and followed during significant
     changes to ensure system continues to operate as intended

   – Interfaces w/other systems tested to confirm data
     transmissions are complete, accurate, timely and valid
COBIT: Acquire and Implement Control Category
• Change Management:
  – System changes of financial reporting significance are
    authorized and tested before movement into production

  – Requests for program/system changes and maintenance
    standardized, documented and subject to change
    management procedures and approvals

  – Emergency change requests documented and approved

  – Migration of programs to production restricted to
    authorized personnel

  – Protect security of data and programs being stored by the
COBIT: Deliver and Support Control Category

• Define and manage service levels

   – Quality of service levels are defined, documented, and

   – Key performance indicators are established to manage both
     internal and external service agreements
COBIT: Deliver and Support Control Category

• Manage third party services

   – Common understanding of performance levels by which
     quality will be measured

   – Service levels defined and managed to support
     financial reporting system requirements

   – Define framework to manage internal and external
     service level agreement key performance indicators
COBIT: Deliver and Support Control Category

• Manage performance and capacity

   – Monitor performance and capacity levels of systems
     and network

   – Respond to suboptimal performance and capacity
     measures in a timely manner

   – Planning for performance and capacity included in
     system design and implementation phases
COBIT: Deliver and Support Control Category

• Educate and train users

   – Identify and document the training needs of personnel

   – Provide education and ongoing training programs that
         – Ethical conduct
         – System security practices
         – Confidentiality standards
         – Integrity standards
         – Security responsibilities of staff
COBIT: Deliver and Support Control Category

• Manage Facilities

   – Adequate environmental controls at data center facility
     to maintain systems and data

   – Fire suppression, uninterruptible power supply (UPS), air
     conditioning and raised floors considered
COBIT: Monitor and Evaluate Control Category

• Monitoring

   – Data collected and reported regarding achievement of
     performance indicator benchmarks

   – Appropriate metrics established to effectively manage
     the day-to-day activities of the IT department
COBIT: Monitor and Evaluate Control Category

• Internal Control Adequacy

   – Monitor effectiveness of internal controls via
     management reviews, comparisons and benchmarks

   – Serious deviations in internal controls communicated to
     upper management, the board of directors (BOD), etc. when applicable

   – Assessments of internal controls performed periodically
COBIT: Monitor and Evaluate Control Category

• Independent Assurance

   – Independent reviews prior to implementing significant
     IT systems

   – Obtain independent internal control reviews of third-
     party service providers (SAS 70 review; SAS 70 has since been
     superseded by SSAE 16/SSAE 18 SOC 1 reports)
COBIT: Monitor and Evaluate Control Category

• Internal Audit

   – Consider establishing an IT internal audit function to review
     IT activities and controls

   – Risk Assessment and subsequent audit plan include IT

   – Follow-up on IT control issues in a timely manner

The Public Company Accounting Oversight Board (PCAOB)
suggests in Auditing Standard No. 2, An Audit of Internal
Control Over Financial Reporting Performed in Conjunction with an
Audit of Financial Statements (since superseded by Auditing
Standard No. 5, now AS 2201), that IT controls:

       • have a pervasive effect on the achievement of controls related
         to reliable financial reporting

       • should be evaluated in order to assess the likelihood of
         potential misstatements in each significant account

       • should be evaluated for the extent of information technology
         involvement in the period-end financial reporting process
