COBIT 5 and COSO 2013: Comparing the Frameworks
Download
Report
Transcript COBIT 5 and COSO 2013: Comparing the Frameworks
COBIT 5 and COSO 2013:
Comparing the Frameworks
Presented to ISACA Central Ohio Chapter
Charles T. Saunders, PhD, CIA, CCSA, CRMA
5/8/2014
COSO/COBIT 5 Presentation
1
COBIT 5: A BUSINESS FRAMEWORK FOR
THE GOVERNANCE AND MANAGEMENT
OF ENTERPRISE IT (ISACA)
5/8/2014
COSO/COBIT 5 Presentation
2
Overview of COBIT 5
• “COBIT 5 is a framework that enables IT to be governed
and managed in a holistic manner for the entire
enterprise…enables managers to bridge the gap
between business objectives, technical issues, and
business risk” (ISACA, 2014).
• Key concepts of COBIT 5:
–
–
–
–
–
–
5/8/2014
IT Governance and the political dimension
Core concepts that explain general use of framework
Value creation and benefits realization
Risk management
Information security
Assurance
COSO/COBIT 5 Presentation
3
COBIT 5: IT Governance and the
Political Dimension
• “IT governance is the
process that ensures the
efficient use of IT to achieve
enterprise strategic
objectives and goals”
(ISACA, 2014).
5/8/2014
• IT governance frameworks:
– Balanced Scorecard
– Capability Maturity Model
Integration
– COBIT
– COSO
– ENISA guidelines
– ISO/IEC 27001
– ITIL (focus on ITSM)
– NIST guidelines
– PRINCE2 (project
management)
– Six Sigma (operational
performance, defect
identification)
COSO/COBIT 5 Presentation
4
COBIT 5 Structure At-a-Glance
•
•
•
•
Five Principles
11 Stakeholder Needs
Four Balanced Scorecard (BSC) Dimensions
17 Goals for Alignment within 4 BSC
Dimensions
– Alignment of IT Goals with Enterprise Goals
5/8/2014
COSO/COBIT 5 Presentation
5
COBIT 5 Principles
1. Meeting
Stakeholder
Needs
5. Separating
Governance
from
Management
2. Covering
the
Enterprise
End-to-End
4. Enabling a
Holistic
Approach
5/8/2014
3. Applying a
Single
Integrated
Framework
COSO/COBIT 5 Presentation
6
COBIT 5 Goals Cascade
Step 1: Stakeholder drivers
influence stakeholder needs.
Step 2: Stakeholder needs
cascade to enterprise
goals.
Step 3: Enterprise
goals cascade to ITrelated goals.
Step 4: IT-related
goals cascade to
enabler goals.
5/8/2014
COSO/COBIT 5 Presentation
7
COBIT 5 Use of Balanced Scorecard (BSC)
Dimensions: Alignment of IT and Enterprise
Goals - Examples
• BSC Dimensions and Related Goals (17 total):
– Financial – 5 Enterprise goals, 6 IT goals (aligned IT goals in
parentheses, below)
• Example # 1: Stakeholder value of business investments
(Alignment of IT and business strategy)
– Customer – 5 Enterprise goals, 2 IT goals
• Example # 2: Customer-oriented service culture (Delivery of IT
services in line with business requirements)
– Internal – 5 Enterprise goals, 7 IT goals
• Example # 3: Operational and staff productivity (Availability of
reliable and useful information for decision making)
– Learning and Growth – 2 Enterprise and 2 IT goals
• Example # 4: Product and business innovation culture (Knowledge,
expertise, and initiatives for business innovation)
5/8/2014
COSO/COBIT 5 Presentation
8
COBIT 5: Categories of Enablers
1.
2.
3.
4.
5.
6.
7.
Principles, Policies, and Frameworks
Processes
Organizational Structures
Culture, Ethics, and Behaviour
Information
Services, Infrastructure, and Applications
People, Skills, and Competencies
5/8/2014
COSO/COBIT 5 Presentation
9
COBIT 5 Enabler: Processes
• Process: “a collection of practices influenced
by the enterprise’s policies and procedures
that takes inputs from a number of sources
(including other processes), manipulates the
inputs and produces outputs (e.g., products,
services)” (ISACA, 2012, p. 69).
5/8/2014
COSO/COBIT 5 Presentation
10
COBIT 5 – Process Reference Model:
Processes for Governance of Enterprise IT (examples)
1.
Evaluate, Direct, and Monitor (5 processes)
–
2.
Align, Plan, and Organize (13 processes)
–
3.
DSS01: Manage operations
Monitor, Evaluate, and Assess (3 processes)
–
•
BAI09: Manage assets
Deliver, Service, and Support (6 processes)
–
5.
APO02: Manage strategy
Build, Acquire, and Implement (10 processes)
–
4.
EDM02: Ensure benefits delivery
Monitor, evaluate, and assess performance and conformance
NOTE: Metrics recommended for all Enablers and Processes:
–
–
–
5/8/2014
Questions: Needs addressed? Goals achieved? Life cycle managed? Good
practices applied?
Lag indicators – for Achievement of goals
Lead indicators – for Applications of practice
COSO/COBIT 5 Presentation
11
COBIT 5: Enabler Dimensions
• Stakeholders
• Life Cycle
– Internal
– External
• Goals
– Intrinsic quality
– Contextual quality (relevance,
effectiveness)
– Accessibility and security
– Plan
– Design
– Build/Acquire/Create/
Implement
– Use/Operate
– Evaluate/Monitor
– Update/Dispose
• Good Practices
– Process practices, activities,
detailed activities
– Work products
(Inputs/Outputs)
5/8/2014
COSO/COBIT 5 Presentation
12
COSO INTERNAL CONTROL –
INTEGRATED FRAMEWORK (2013)
5/8/2014
COSO/COBIT 5 Presentation
13
Defining Internal Control
(COSO, 2013)
• Internal control is defined as follows:
Internal control is a process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives relating to
operations, reporting, and compliance.
5/8/2014
COSO/COBIT 5 Presentation
14
Fundamental Concepts of Internal
Control
• Geared to the achievement of objectives in one or more categories—
operations, reporting, and compliance
• A process consisting of ongoing tasks and activities—a means
to an end, not an end in itself
• Effected by people—not merely about policy and procedure
manuals, systems, and forms, but about people and the actions
they take at every level of an organization to affect internal
control
• Able to provide reasonable assurance—but not absolute assurance,
to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application for
the entire entity or for a particular subsidiary, division, operating
unit, or business process
5/8/2014
COSO/COBIT 5 Presentation
15
Objectives
The Framework provides for three categories of objectives,
which allow organizations to focus on differing aspects of internal
control:
• Operations Objectives—These pertain to effectiveness and efficiency
of the entity’s operations, including operational and
financial performance goals, and safeguarding assets against
loss.
• Reporting Objectives—These pertain to internal and external
financial and non-financial reporting and may encompass reliability,
timeliness, transparency, or other terms as set forth
by regulators, recognized standard setters, or the entity’s
policies.
• Compliance Objectives—These pertain to adherence to laws
and regulations to which the entity is subject.
5/8/2014
COSO/COBIT 5 Presentation
16
Components of Internal Control
Internal control consists of five integrated components:
• Control Environment - The control environment is the
set of standards, processes, and structures that provide
the basis for carrying out internal control across the
organization.
• Risk Assessment - Every entity faces a variety of risks
from external and internal sources. Risk is defined as
the possibility that an event will occur and adversely
affect the achievement of objectives. Risk assessment
involves a dynamic and iterative process for identifying
and assessing risks to the achievement of objectives.
5/8/2014
COSO/COBIT 5 Presentation
17
Components of Internal Control
• Control Activities - the actions established
through policies and procedures that help ensure
that management’s directives to mitigate risks to
the achievement of objectives are carried out.
• Information and Communication - Information is
necessary for the entity to carry out internal
control responsibilities to support the
achievement of its objectives. Communication is
the continual, iterative process of providing,
sharing, and obtaining necessary information.
5/8/2014
COSO/COBIT 5 Presentation
18
Components of Internal Control
• Monitoring Activities - Ongoing evaluations,
separate evaluations, or some combination of
the two are used to ascertain whether each of
the five components of internal control,
including controls to effect the principles
within each component, is present and
functioning.
5/8/2014
COSO/COBIT 5 Presentation
19
COSO – Relationship of Objectives and
Components (Source: COSO)
5/8/2014
COSO/COBIT 5 Presentation
20
Components and Principles:
Control Environment
1.
2.
3.
4.
5.
The organization demonstrates a commitment to integrity and
ethical values.
The board of directors demonstrates independence from
management and exercises oversight of the development and
performance of internal control.
Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities in
the pursuit of objectives.
The organization demonstrates a commitment to attract, develop,
and retain competent individuals in alignment with objectives.
The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
5/8/2014
COSO/COBIT 5 Presentation
21
Components and Principles:
Risk Assessment
6. The organization specifies objectives with sufficient
clarity to enable the identification and assessment of
risks relating to objectives.
7. The organization identifies risks to the achievement of
its objectives across the entity and analyzes risks as a
basis for determining how the risks should be
managed.
8. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that
could significantly impact the system of internal
control.
5/8/2014
COSO/COBIT 5 Presentation
22
Components and Principles:
Control Activities
10.The organization selects and develops control
activities that contribute to the mitigation of
risks to the achievement of objectives to
acceptable levels.
11.The organization selects and develops general
control activities over technology to support the
achievement of objectives.
12.The organization deploys control activities
through policies that establish what is expected
and procedures that put policies into action.
5/8/2014
COSO/COBIT 5 Presentation
23
Components and Principles:
Information and Communication
13. The organization obtains or generates and uses
relevant, quality information to support the
functioning of other components of internal control.
14. The organization internally communicates
information, including objectives and responsibilities
for internal control, necessary to support the
functioning of internal control.
15. The organization communicates with external parties
regarding matters affecting the functioning of other
components of internal control.
5/8/2014
COSO/COBIT 5 Presentation
24
Components and Principles:
Monitoring
16.The organization selects, develops, and
performs ongoing and/or separate evaluations
to ascertain whether the components of internal
control are present and functioning.
17.The organization evaluates and communicates
internal control deficiencies in a timely manner
to those parties responsible for taking corrective
action, including senior management and the
board of directors, as appropriate.
5/8/2014
COSO/COBIT 5 Presentation
25
COSO ENTERPRISE RISK MANAGEMENT
FRAMEWORK (2004)
5/8/2014
COSO/COBIT 5 Presentation
26
Since Risk Management is Mentioned in COBIT 5…Here
is an Overview of COSO’s ERM Integrated Framework
(COSO, 2004)
• COSO Definition of ERM: Enterprise risk management is a
process, effected by an entity’s board of directors,
management and other personnel, applied in strategy
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk
to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.
• Achievement of Objectives:
–
–
–
–
5/8/2014
Strategic – high-level, aligned with and supporting mission
Operations – effective and efficient use of its resources
Reporting – reliability of reporting
Compliance – with applicable laws and regulations
COSO/COBIT 5 Presentation
27
COSO: Components of
Enterprise Risk Management
1.
2.
3.
4.
5.
6.
7.
8.
Internal environment (tone, risk management philosophy, risk appetite,
integrity, ethical values)
Objective setting (set by management, align with mission and risk
appetite)
Event identification (internal and external events affecting achievement
of objectives; risks vs. opportunities)
Risk assessment (analysis: likelihood and impact; inherent and residual
risks)
Risk response (i.e., avoiding, accepting, reducing, sharing)
Control activities (policies and procedures)
Information and communication (relevant information to enable
accomplishment of objectives; effective communication flowing down,
across, and up the entity)
Monitoring (through ongoing management activities, separate
evaluations, or both)
5/8/2014
COSO/COBIT 5 Presentation
28
Summary: Comparing COBIT 5 and
COSO Frameworks
Comparison Point
COBIT 5
COSO 2013
Business Purpose?
IT/IS governance
Org. governance (IC)
Stakeholder oriented?
Extensive consideration
Broader consideration
Business principles-based?
Yes
Yes
Alignment – org.
goals/objectives?
Yes (focus on IT, but can be
adapted across
organization)
Yes (focus on operations,
reporting, compliance)
“Guts” of model
• Business Scorecard
dimensions, with:
• 17 related goals,
• 7 enablers,
• 37 processes
• 5 Components (IC)
• Total organizational
applicability: Entity,
division, unit, function
• 17 high-level internal
control principles
Adaptability to total
organization?
Yes, with some creative
effort
Yes, by design
5/8/2014
COSO/COBIT 5 Presentation
29
References
1. COSO (2013). COSO: Internal control –
integrated framework. Durham, NC: AICPA.
2. COSO (2004). Enterprise risk management –
integrated framework. Durham, NC: AICPA.
3. ISACA (2014). Basic foundational concepts
student book: Using COBIT 5. Rolling Meadows,
IL: ISACA.
4. ISACA (2012). COBIT 5: A business framework for
the governance and management of enterprise
IT. Rolling Meadows, IL: ISACA.
5/8/2014
COSO/COBIT 5 Presentation
30
On a Personal Note
• Dr. Saunders is available to perform a sabbatical
research project in your organization. Sabbaticals
are 15-week projects which, with approval by
Franklin University, enable faculty to pursue a
supported research project in their field of
interest. ERM, COSO, and COBIT 5 are within my
field of interest and are directly related to courses
I teach at Franklin. If there might be an
opportunity within your organization, please take
a business card today, and contact Dr. Saunders
to discuss possibilities. Sabbatical projects are
being planned for the 2015 – 2016 academic year.
5/8/2014
COSO/COBIT 5 Presentation
31
Your Questions/Comments?
Thank You!
5/8/2014
COSO/COBIT 5 Presentation
32