IIA 03212014 COSO 2013 and its Impact on Information Technology

COSO 2013 and its Impact on
Information Technology
Institute of Internal Auditors
Long Island Chapter
Annual Information Technology Conference
• The presentation assumes that attendees already have a basic
understanding of COSO products and the 2013 update in
• The presentation will focus on information technology
considerations that may need further elaboration or
supplementation to what was provided in the COSO documents.
• Although Joel is a member of the AICPA’s “IT Implications of
COSO 2013 Task Force,” the views presented are his own and
not of the Task Force.
Joel Lanz,
Prior to starting his niche IT Audit and
Information Security Management practice in
2001, Joel was a Technology Risk Partner in
Arthur Andersen’s Business Risk Consulting and
Assurance Practice, and was a Manager at
Price Waterhouse. His industry experience
includes Vice President and Audit Manager at
The Chase Manhattan Bank and senior IT
auditor positions at two insurance companies.
Graduate School
Joel’s niche CPA
practice has provided
IT Audit, Information
Management, Risk
Assessment and IT
Compliance services
to clients in and firms
serving the Financial
Services, Healthcare,
Education, Non-Profit
and Technology
sectors since 2001.
• Monthly technology
column in the Trusted
• Editorial Board
member of “The CPA
• Previously chaired
both the NYSSCPA
Technology Assurance
and Information
• Chair of the AICPA’s
CITP Specialist
Credential committee..
• Co-chaired the
AICPA’s 2010 & 2011
Top Tech Task Force.
• Previously served on
the AICPA’s IT
Executive Committee.
• IIA – Long Island
Chapter Board of
Adjunct Professor in the School
of Business at The State
University of New York – College
at Old Westbury. Courses
instructed include;
• Auditing,
• Advanced Assurance
• Forensic Accounting
• Accounting Information
• Accounting Research.
Adjunct Assistant Professor at
NYU Stern Graduate School of
Business teaching IT Auditing in
the M.S. in Accounting program.
“Technology Guidance abundant in COSO Internal Control
(Journal of Accountancy interview with Kenneth Vander Wal – COSO Advisory Council Member and
ISACA President (online) 12/10/2012)
Control environment. There is a need for technology competence on the board of directors and in senior
management. “That’s now a requirement in many instances, depending on the nature of the organization,”
Vander Wal said. In addition, there are more regulatory requirements to consider based on the use of
Risk assessment. The availability of more data as a result of technology allows for more risk assessment
analytics, but also creates new risks. And technology is identified as an entity-level risk in the proposed
framework. “Think about the risk associated with implementing cloud computing in your organization, or the
impact of technology failure, which is much more significant now than it would have been in 1992,” Vander Wal
said. “How long could you operate successfully if your technology failed, and what are the provisions for
addressing that risk? In other words, what is the business continuity planning?”
Control activities. Technology provides new responses to risks, as well as increased efficiency of risk
Information and communication. As a result of technology, more internal and external information is
available over more channels. “So what are the controls over access to that?” Vander Wal said. “How do
I analyze it? How do I use it? All of those things are considered when you look at that section and the
technology in that particular component.”
Monitoring activities. The guidance focuses on new methods for monitoring technology, and new ways to use
technology for monitoring. “We’re using dashboards now, for example,” Vander Wal said. “We’re using
technology to monitor controls. We’re using technology to report key performance indicators.”
…..and more from the interview
• Principle 11, which is under the “control
activities” component, deals primarily
with technology. It states that an
organization should select and develop
general control activities over technology
to support the achievement of objectives.
• The points of focus for organizations to
consider include:
– Determining the dependency between the
use of technology in business processes and
technology general controls.
– Establishing relevant control activities for
technology infrastructure, security
management processes, and technology
acquisition, development, and maintenance.
• The proposal also addresses the
impact of technology on the volume
and complexity of data and
information, and how that affects
organizations. It says:
– Systems need to be increasingly complex
to process and maintain control over the
high volume of data available through
electronic means.
– Operational or compliance risks may
offset the benefits of increased
– Security, protection, and retention of data
are increasingly important.
Bill Schneider’s Blog on AICPA Insights
(Bill is Director-Accounting, AT&T, serves on the AICPA Council and the
COSO Advisory Council
The new and easier to understand framework will clarify what's needed
- and what's not. The new modernized COSO framework will affect
businesses in three big ways by:
1. Articulating the role of a company when outsourcing. While
today's businesses can outsource many activities, they can never
outsource responsibility.
2. Putting fraud right out in the forefront. A business's control
structure must now address issues of fraud directly.
3. Highlighting the critical nature of IT. Information technology is a
needed component that cannot be avoided in today's business
environment. Let's face it, we simply don't use manual ledgers
- See more at: http://blog.aicpa.org/2013/06/3-ways-the-new-coso-framework-may-affect-your-business.html#sthash.WoRNYK7y.dpuf
Note: The attached section is taken or adapted from a May 2013 COSO Outreach
Powerpoint Deck. It is available from COSO’s Home Page (www.coso.org) What’s New
Section (May 14, 2013 Internal Control-Integrated Framework Released).
Product #1 - Internal Control-Integrated
Framework (2013 Edition)
• Consists of three volumes:
– Executive Summary
– Framework and Appendices
– Illustrative Tools for Assessing
Effectiveness of a System of
Internal Control
• Sets out:
– Definition of internal control
– Categories of objectives
– Components and principles of
internal control
– Requirements for effectiveness
Product #2 - Internal Control over External
Financial Reporting: A Compendium....
• Illustrates approaches and
examples of how principles
are applied in preparing
financial statements
• Considers changes in
business and operating
environments during past
two decades
• Provides examples from a
variety of entities – public,
private, not-for-profit, and
• Aligns with the updated
Update considers changes in business and operating
environments – that increasingly rely on information
Environments changes...
…have driven Framework updates
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules,
regulations, and standards
Expectations for competencies and
Use of, and reliance on, evolving technologies
Expectations relating to preventing and
detecting fraud
COSO Cube (2013 Edition)
Update articulates 17 principles of effective internal control
(so that’s what they meant by the five components)
Control Environment
Risk Assessment
Control Activities
Information &
Monitoring Activities
Demonstrates commitment to integrity and ethical values
Exercises oversight responsibility
Establishes structure, authority and responsibility
Demonstrates commitment to competence
Enforces accountability
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Update clarifies requirements for
effective internal control
• Effective internal control provides reasonable assurance regarding
the achievement of objectives and requires that:
Each component and each relevant principle is present and functioning
The five components are operating together in an integrated manner
• Each principle is suitable to all entities; all principles are presumed
relevant except in rare situations where management determines
that a principle is not relevant to a component (e.g., governance,
• Components operate together when all components are present and
functioning and internal control deficiencies aggregated across
components do not result in one or more major deficiencies
• A major deficiency represents an internal control deficiency or
combination thereof that severely reduces the likelihood that an
entity can achieve its objectives
Update describes important
characteristics of principles, e.g.,
Control Environment
1. The organization demonstrates a commitment to
integrity and ethical values.
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
– Points of focus may not be suitable or relevant, and others may be identified
– Points of focus may facilitate designing, implementing, and conducting internal
– There is no requirement to separately assess whether points of focus are in
General and Application Controls
1. The organization demonstrates a
commitment to integrity and ethical
2. The board of directors demonstrates
independence from management and
exercises oversight of the development
and performance of internal control.
3. Management establishes, with board
oversight, structures, reporting lines,
and appropriate authorities and
responsibilities in the pursuit of
4. The organization demonstrates a
commitment to attract, develop, and
retain competent individuals in alignment
with objectives.
5. The organization holds individuals
accountable for their internal control
responsibilities in the pursuit of
• How is the IT function positioned at the organization
and does it have appropriate organizational structures
and reporting lines?
• Are IT-related policies such as information security and
vendor management appropriate given the business
objectives of the organization?
• How is the policy deviation process governed?
• What types of IT-related issues is the Board involved
with and for what issues does it provide oversight?
• How much turnover is occurring in IT functions?
• How is decentralized and end-user computing
• Do employees – both within and outside the IT
functions have current and appropriate skills/knowledge
to enable the organization to achieve business
objectives in a efficient and effective manner?
• What type of performance measures are used to
assess IT effectiveness and efficiency/
6. The organization specifies
objectives with sufficient clarity to
enable the identification and
assessment of risks relating to
7. The organization identifies risks to
the achievement of its objectives
across the entity and analyzes risks
as a basis for determining how the
risks should be managed.
8. The organization considers the
potential for fraud in assessing risks
to the achievement of objectives.
9. The organization identifies and
assesses changes that could
significantly impact the system of
internal control.
• Have systems/data been appropriately classified
to determine appropriate risk tolerances?
• To what extent are recognized IT
standards/frameworks employed?
• Are IT regulatory requirements understood and
• Do applications provide the ability to record
accounting transactions using relevant principles
and criteria?
• Are IT risk assessments periodically performed
and are results used to prioritize remediation?
• To what extent is end user and/or cloud computing
considered in IT risk assessment activities?
• Is computer-facilitated fraud considered during
fraud risk assessments including threats from both
external and internal sources?
• What type of technology-related changes are
planned/have occurred and how will that impact
the organization’s control environment?
(see #11 General IT Controls on
next page)
10. The organization selects and
develops control activities that
contribute to the mitigation of risks
to the achievement of objectives to
acceptable levels.
11. The organization selects and
develops general control activities
over technology to support the
achievement of objectives.
12. The organization deploys control
activities through policies that
establish what is expected and
procedures that put policies into
• Does the organization understand and have they
mapped business processes reliance on
• How and to what extent is technology used to
automate control activities?
• How effective are application controls and do they
enable the organization to enforce completeness,
accuracy and validity objectives?
• Do the applications enforce organizational and
departmental segregation of duties controls?
• Are appropriate monitoring controls designed into
applications to facilitate detective control abilities
as needed?
• Have appropriate systems configuration guidelines
been developed and appropriately reviewed?
• Do IT policies reflect the guidance needed to take
advantage of business opportunities created by
evolving technologies including mobile and cloud
General IT Controls (#11) Deep Dive
(Points of Focus)
• Determine dependency between the use of technology in business
processes and technology general controls.
– Linkage between business processes, automated control activities, and
technology general controls.
• Establish relevant technology infrastructure control activities.
– Ensure the completeness, accuracy, and availability of technology processing.
• Establish relevant security management process control activities.
– Restrict technology access rights to authorized users commensurate with their
responsibilities and protect assets from external threats.
• Establish relevant technology acquisition, development, and maintenance
process controls activities.
– Control activities over the acquisition, development, and maintenance of
technology and its infrastructure.
13. The organization obtains or
generates and uses relevant, quality
information to support the
functioning of internal control.
14. The organization internally
communicates information,
including objectives and
responsibilities for internal control,
necessary to support the functioning
of internal control.
15. The organization communicates
with external parties regarding
matters affecting the functioning of
internal control.
• Can the organization rely on information supplied by
third parties to manage and monitor business activities?
• To what extent has the organization established
information governance activities?
• How is the quality of information assured and
maintained and can we rely on it to make business
• How can we leverage organizational investments in Big
Data to enhance overall internal control and reduce
• How is confidential information protected?
• Do application interfaces and similar processes ensure
that regulatory agencies are provided with complete
and accurate information in the prescribed formats?
• Is the Board and Executive management receiving
information produced by reliable systems?
• Is the IT vendor management oversight program
effective in ensuring that customer’s non-public
information is protected in accordance with regulatory
16. The organization selects, develops,
and performs ongoing and/or
separate evaluations to ascertain
whether the components of internal
control are present and functioning.
17. The organization evaluates and
communicates internal control
deficiencies in a timely manner to
those parties responsible for taking
corrective action, including senior
management and the board of
directors, as appropriate.
• Has the organization developed and implemented
an appropriate logging strategy to monitor
technology-related activities?
• Are there sufficient logs and application audit trails
to support incident response and computer
forensic examination as needed?
• Does the organization have an effective internal
audit function that can evaluate technology risk?
• Do end users periodically conduct technology risk
assessments and application benchmarks to
identify IT-related targets of opportunity?
• Does the enterprise wide risk management group
understand IT risks and are such risks included
and monitored in the organization’s risk register?
• To what extent are data analysis/computer
assisted audit techniques/data mining employed to
proactively identify issues requiring Management
Thank you for attending
today’s conference.
Should you have any
follow-up questions
please do not hesitate
to call or email me.
• Contact Joel directly at:
Joel Lanz
Joel Lanz, CPA, P.C.
471 N. Broadway
Jericho, NY 11753
(516) 933-3662
[email protected]