Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems COSO Monitoring Project Update FEI - CFIT Meeting September 25, 2008.

Published byLeslie Blake Modified over 9 years ago

Similar presentations

Presentation on theme: "© Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems COSO Monitoring Project Update FEI - CFIT Meeting September 25, 2008."— Presentation transcript:

1 © Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems COSO Monitoring Project Update FEI - CFIT Meeting September 25, 2008

2 Slide 1 Guidance on Monitoring Internal Control Systems Project Overview Drivers: COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control. SOX response provided confirmation. Objectives: Help organizations improve the effectiveness and efficiency of their internal control systems. Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes.

3 Slide 2 Guidance on Monitoring Internal Control Systems Project Overview Process –GT authoring team, supported by large task force –Last summer – conceptual whitepaper –This summer – proposed guidance - public comments – July to August 15 Content –Volume I – Guidance – 15 pages –Volume II – Theory & Application – 54 pages –Volume III – Practical Examples – 116 pages Final guidance will be issued shortly but there are still some minor wording issues “in play”

4 Slide 3 Guidance on Monitoring Internal Control Systems Guiding Principles Without monitoring, even good controls deteriorate over time

5 Slide 4 Guidance on Monitoring Internal Control Systems Organization Structure Role of Management & The Board –Management has primary responsibility for internal control system –Board should determine that management has fulfilled their obligations –“Evaluating” controls performed by senior management requires focus and consideration Characteristics of Evaluators –Competence – knowledge of control and implications of failure –Objectivity – perform evaluation without fear of repudiation or personal interest in outcome

6 Slide 5 Guidance on Monitoring Internal Control Systems Importance of Having A “Baseline” You have to know that you have good internal controls before you can implement monitoring of those controls & you have to adapt as things change

7 Slide 6 Guidance on Monitoring Internal Control Systems Design & Execute Monitoring

8 Slide 7 Guidance on Monitoring Internal Control Systems Persuasive Information (about a control) is.. 1. Suitable Relevant –Direct –Indirect Reliable Timely 2. Sufficient Quantity Of Information – Do We Have Enough To Support A Conclusion? Both require judgment that depends on the level of risk and the control’s susceptibility to failure

9 Slide 8 Guidance on Monitoring Internal Control Systems Relevance of Information Direct information –Substantiates control operation through observation and/or re-performance of a given control Indirect information –Anything other than Direct information Only allows the user to infer the continued effective operation of controls Can only influence the type, timing, and extent of monitoring using direct information

10 Slide 9 Guidance on Monitoring Internal Control Systems Information Technology References & Implications Volume I – Guidance None Volume II – Theory & Application Tools Enabling The Monitoring Process Tools That Monitor Controls Volume III – Practical Examples Company Specific Uses Of IT Tools Used To Monitor Process Risks Comprehensive “Example” Of Identifying & Monitoring Controls Over “Common” IT Risks Examples Of Common IT Processes That MIGHT Be Considered Monitoring Examples Of How Tools Are Used

11 Slide 10 Guidance on Monitoring Internal Control Systems Tools Enabling The Monitoring Process Tools to make the process of assessing risks, defining and evaluating controls and communicating their operating effectiveness efficient and sustainable. Example uses: –Coordinate the risk assessment process –Provide a repository for documentation –Enhance the communication process –Support the “roll-up” of information at various levels and points within an organization –Provide performance indicators

12 Slide 11 Guidance on Monitoring Internal Control Systems Tools That Monitor Controls General Observations –Typically enhance both efficiency and effectiveness of the monitoring process –Can be very specific or very broad in terms of the types of controls they help monitor –Can be a control and simultaneously play a role in monitoring of controls –Can be independent or be part of the reporting capability of a tool that is functioning as a control –Apply to both IT processes and application controls –Do have limitations

13 Slide 12 Guidance on Monitoring Internal Control Systems Tools That Monitor Controls Tools that “monitor” controls typically do so by focusing on one or more of the following: –Transaction Data –Conditions –Changes –Processing Integrity –Error Management

14 Slide 13 Guidance on Monitoring Internal Control Systems Transaction Data Tools extract either/both processed transactions, or master file data, and analyze them against a set of control rules to highlight exceptions to: –Highlight exceptions and/or anomalies –Analyze unusual trends in activities, values and volumes –Compare balances or details between two systems or between distinct parts of a process Can be “ad hoc” reporting tool or an integrated application solution or suite

15 Slide 14 Guidance on Monitoring Internal Control Systems Conditions Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within either/both infrastructure resources and application systems. Works by comparing the configuration information to either “baseline” information, a prior analysis, or both to determine if they are consistent with the organization’s expectations. Increases the speed and effectiveness of the monitoring process while simultaneously allowing it to be performed on a more frequent, or even continuous, basis. Can be “scanning” or “agent” based

16 Slide 15 Guidance on Monitoring Internal Control Systems Changes Tools that identify and report changes to critical resources, data or information: –Usually operate on a continuous basis (i.e., they are "agent-based") –Provide independent ability to identify a change so that it can be verified as appropriate and authorized –Most likely will be considered a control as well as a method for monitoring controls

17 Slide 16 Guidance on Monitoring Internal Control Systems Processing Integrity Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process: –Typically focus on balancing and controlling data as it progresses through processes and systems –Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies –Most likely will be considered a control as well as a method for monitoring controls

18 Slide 17 Guidance on Monitoring Internal Control Systems Error Management Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed. –Monitoring of the volume and resolution of activity in these suspense area provide information that the controls are operating effectively –Will almost always be seen as a control activity first

19 Slide 18 Guidance on Monitoring Internal Control Systems “Continuous Control Monitoring” Tools Tools typically complement normal transaction processing by checking transactions or other data for anomalies. In most cases, they operate as “control activities” allowing for the identification of control failures and ability to correct errors before they become significant. When used as a control, the tool itself should be subject to monitoring. Addressing the impact of change is also a key requirement for these tools.

20 Slide 19 Guidance on Monitoring Internal Control Systems Volume III - Examples Information Used To Monitor “Common” Controls That Are Relevant To Financial Reporting Risks –Application Security –Application Program/Configuration Change Control –Data Security & Change Control –Program Testing –Job Scheduling & Management –Data Redundancy

21 Slide 20 Guidance on Monitoring Internal Control Systems Volume III - Examples Common IT Management Processes That MIGHT Be Considered Monitoring Of Controls –Access Recertification –Security Log Monitoring –Peer/Quality Review Processes –Change Review Boards –Post-Implementation Reviews –Recovery Testing

22 © Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems Questions???

Download ppt "© Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems COSO Monitoring Project Update FEI - CFIT Meeting September 25, 2008."

Similar presentations

Quality Improvement/ Quality Assurance Amelia Broussard, PhD, RN, MPH Christopher Gibbs, JD, MPH.

Quality Improvement/ Quality Assurance Amelia Broussard, PhD, RN, MPH Christopher Gibbs, JD, MPH.
Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.

Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.
© Grant Thornton UK LLP. All rights reserved. Review of Sickness Absence Vale of Glamorgan Council Final Report- November 2009.

© Grant Thornton UK LLP. All rights reserved. Review of Sickness Absence Vale of Glamorgan Council Final Report- November 2009.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Chapter 19: Network Management Business Data Communications, 4e.

Chapter 19: Network Management Business Data Communications, 4e.
Review of Introduction to Auditing

Review of Introduction to Auditing
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.

Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Purpose of the Standards

Purpose of the Standards
A Review ISO 9001:2015 Draft What’s Important to Know Now

A Review ISO 9001:2015 Draft What’s Important to Know Now
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session 1.8 1 Internal Control and Risk Assessment.

Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session Internal Control and Risk Assessment.
Information Technology Service Management

Information Technology Service Management
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.
1 Rittenberg/Schwieger/Johnstone Auditing: A Business Risk Approach Sixth Edition Chapter 7 Performing an Integrated Audit Copyright © 2008 Thomson South-Western,

1 Rittenberg/Schwieger/Johnstone Auditing: A Business Risk Approach Sixth Edition Chapter 7 Performing an Integrated Audit Copyright © 2008 Thomson South-Western,
COSO Framework Update IIA Columbus Chapter May 17, 2013

COSO Framework Update IIA Columbus Chapter May 17, 2013
Conducting the IT Audit

Conducting the IT Audit
Codex Guidelines for the Application of HACCP

Codex Guidelines for the Application of HACCP

Similar presentations

Ads by Google