Guidance on Monitoring Internal Control Systems
COSO Monitoring Project Update
FEI - CFIT Meeting, September 25, 2008
© Grant Thornton
Slide 1: Project Overview
Drivers:
–COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control.
–The SOX response provided confirmation.
Objectives:
–Help organizations improve the effectiveness and efficiency of their internal control systems.
–Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes.
Slide 2: Project Overview
Process
–GT authoring team, supported by a large task force
–Last summer – conceptual whitepaper
–This summer – proposed guidance; public comments from July to August 15
Content
–Volume I – Guidance – 15 pages
–Volume II – Theory & Application – 54 pages
–Volume III – Practical Examples – 116 pages
Final guidance will be issued shortly, but there are still some minor wording issues “in play”.
Slide 3: Guiding Principles
Without monitoring, even good controls deteriorate over time.
Slide 4: Organization Structure
Role of Management & the Board
–Management has primary responsibility for the internal control system
–The Board should determine that management has fulfilled its obligations
–“Evaluating” controls performed by senior management requires focus and consideration
Characteristics of Evaluators
–Competence – knowledge of the control and of the implications of its failure
–Objectivity – perform the evaluation without fear of repudiation or personal interest in the outcome
Slide 5: Importance of Having a “Baseline”
You have to know that you have good internal controls before you can implement monitoring of those controls, and you have to adapt as things change.
Slide 6: Design & Execute Monitoring
Slide 7: Persuasive Information (about a control) is:
1. Suitable
–Relevant (direct or indirect)
–Reliable
–Timely
2. Sufficient
–Quantity of information – do we have enough to support a conclusion?
Both require judgment that depends on the level of risk and the control’s susceptibility to failure.
Slide 8: Relevance of Information
Direct information
–Substantiates control operation through observation and/or re-performance of a given control
Indirect information
–Anything other than direct information
–Only allows the user to infer the continued effective operation of controls
–Can only influence the type, timing, and extent of monitoring using direct information
Slide 9: Information Technology References & Implications
Volume I – Guidance
–None
Volume II – Theory & Application
–Tools enabling the monitoring process
–Tools that monitor controls
Volume III – Practical Examples
–Company-specific uses of IT tools used to monitor process risks
–Comprehensive “example” of identifying & monitoring controls over “common” IT risks
–Examples of common IT processes that MIGHT be considered monitoring
–Examples of how tools are used
Slide 10: Tools Enabling the Monitoring Process
Tools to make the process of assessing risks, defining and evaluating controls, and communicating their operating effectiveness efficient and sustainable.
Example uses:
–Coordinate the risk assessment process
–Provide a repository for documentation
–Enhance the communication process
–Support the “roll-up” of information at various levels and points within an organization
–Provide performance indicators
Slide 11: Tools That Monitor Controls
General observations
–Typically enhance both the efficiency and the effectiveness of the monitoring process
–Can be very specific or very broad in terms of the types of controls they help monitor
–Can be a control and simultaneously play a role in the monitoring of controls
–Can be independent or be part of the reporting capability of a tool that is functioning as a control
–Apply to both IT processes and application controls
–Do have limitations
Slide 12: Tools That Monitor Controls
Tools that “monitor” controls typically do so by focusing on one or more of the following:
–Transaction data
–Conditions
–Changes
–Processing integrity
–Error management
Slide 13: Transaction Data
Tools extract processed transactions and/or master file data and analyze them against a set of control rules to:
–Highlight exceptions and/or anomalies
–Analyze unusual trends in activities, values and volumes
–Compare balances or details between two systems or between distinct parts of a process
Can be an “ad hoc” reporting tool or an integrated application solution or suite.
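The rule-based analysis this slide describes, as an added illustration (not code from the COSO guidance or Grant Thornton): constructed sample payments are checked against three control rules and the subledger total is reconciled against a general-ledger balance; the approval limit, GL figure and rule names are assumptions for the example.

```python
# Added illustration (not from the COSO guidance or Grant Thornton): a small
# transaction-data monitor that applies control rules to constructed sample
# payments and reconciles the payment subledger total against a GL balance.
from collections import Counter

# Constructed sample data: AP payments and the general-ledger disbursement total.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-1", "amount": 4_500.00, "approver": "mgr1"},
    {"id": 2, "vendor": "V100", "invoice": "INV-1", "amount": 4_500.00, "approver": "mgr1"},  # duplicate
    {"id": 3, "vendor": "V200", "invoice": "INV-7", "amount": 60_000.00, "approver": "mgr2"},  # over limit
    {"id": 4, "vendor": "V300", "invoice": "INV-9", "amount": 1_200.00, "approver": ""},       # no approver
]
GL_CASH_DISBURSEMENTS = 66_000.00   # constructed: what the GL says was paid
APPROVAL_LIMIT = 50_000.00          # constructed policy threshold

def find_exceptions(payments, limit=APPROVAL_LIMIT):
    """Apply control rules; return (rule, payment id) pairs, one per exception."""
    exceptions = []
    # Same vendor, invoice and amount appearing more than once is a duplicate candidate.
    seen = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    for p in payments:
        if seen[(p["vendor"], p["invoice"], p["amount"])] > 1:
            exceptions.append(("possible_duplicate_payment", p["id"]))
        if p["amount"] > limit:
            exceptions.append(("amount_over_approval_limit", p["id"]))
        if not p["approver"]:
            exceptions.append(("missing_approver", p["id"]))
    return exceptions

def reconcile(payments, gl_balance, tolerance=0.01):
    """Compare the subledger total with the GL balance; return (difference, in_balance)."""
    diff = round(sum(p["amount"] for p in payments) - gl_balance, 2)
    return diff, abs(diff) <= tolerance

if __name__ == "__main__":
    for rule, pid in find_exceptions(PAYMENTS):
        print(f"exception: payment {pid} -> {rule}")
    diff, ok = reconcile(PAYMENTS, GL_CASH_DISBURSEMENTS)
    print(f"subledger vs GL difference: {diff:.2f} ({'in balance' if ok else 'OUT OF BALANCE'})")
```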
Slide 14: Conditions
Tools that monitor the settings, parameters, rules or configuration data that govern IT processing within infrastructure resources and/or application systems.
–Work by comparing the configuration information to “baseline” information, a prior analysis, or both, to determine whether it is consistent with the organization’s expectations.
–Increase the speed and effectiveness of the monitoring process while allowing it to be performed on a more frequent, or even continuous, basis.
–Can be “scanning” or “agent” based.
Slide 15: Changes
Tools that identify and report changes to critical resources, data or information:
–Usually operate on a continuous basis (i.e., they are “agent-based”)
–Provide an independent ability to identify a change so that it can be verified as appropriate and authorized
–Most likely will be considered a control as well as a method for monitoring controls
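The comparison described on the Conditions and Changes slides, as one added illustration (not code from the COSO guidance or Grant Thornton): a current configuration snapshot is checked against both the baseline of expected settings and the prior analysis, so that deviations from expectations and changes awaiting authorization review are reported separately; the setting names and values are constructed sample data.

```python
# Added illustration (not from the COSO guidance or Grant Thornton): a minimal
# "conditions"/"changes" monitor. It compares a current configuration snapshot
# against (a) the baseline of expected settings and (b) the prior snapshot,
# reporting baseline exceptions and changes that need authorization review.
from dataclasses import dataclass

@dataclass
class Finding:
    setting: str
    kind: str        # "baseline_exception" or "change_since_prior"
    expected: object # baseline value, or the prior value for a change
    actual: object

def evaluate_conditions(baseline: dict, prior: dict, current: dict) -> list:
    """Return findings: every setting whose current value departs from the
    baseline expectation, and every setting that changed since the prior
    analysis (including settings that appeared or disappeared)."""
    findings = []
    for setting, expected in baseline.items():
        actual = current.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(setting, "baseline_exception", expected, actual))
    for setting in sorted(set(prior) | set(current)):
        before = prior.get(setting, "<missing>")
        after = current.get(setting, "<missing>")
        if before != after:
            findings.append(Finding(setting, "change_since_prior", before, after))
    return findings

# Constructed sample: expected settings, the last run's snapshot, today's snapshot.
BASELINE = {"password.min_length": 12, "audit.logging": "enabled", "ftp.service": "disabled"}
PRIOR    = {"password.min_length": 12, "audit.logging": "enabled", "ftp.service": "disabled"}
CURRENT  = {"password.min_length": 8,  "audit.logging": "enabled", "ftp.service": "disabled",
            "telnet.service": "enabled"}

if __name__ == "__main__":
    for f in evaluate_conditions(BASELINE, PRIOR, CURRENT):
        print(f"{f.kind:20} {f.setting}: expected/prior={f.expected!r} actual={f.actual!r}")
```

A setting that is absent from the baseline (here `telnet.service`) is not a baseline exception, which is why the change-since-prior comparison is also needed.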
Slide 16: Processing Integrity
Tools used to verify and monitor the completeness and accuracy of the various processing steps that might occur in an overall IT process:
–Typically focus on balancing and controlling data as it progresses through processes and systems
–Can also be designed to maintain an audit trail of key information that can be used for monitoring or trending studies
–Most likely will be considered a control as well as a method for monitoring controls
Slide 17: Error Management
Application systems frequently capture transactions with certain types of errors in a suspense area where they are later corrected and re-processed.
–Monitoring the volume and resolution of activity in these suspense areas provides information that the controls are operating effectively
–Will almost always be seen as a control activity first
Slide 18: “Continuous Control Monitoring” Tools
–Tools typically complement normal transaction processing by checking transactions or other data for anomalies.
–In most cases, they operate as “control activities”, allowing for the identification of control failures and the ability to correct errors before they become significant.
–When used as a control, the tool itself should be subject to monitoring.
–Addressing the impact of change is also a key requirement for these tools.
Slide 19: Volume III - Examples
Information used to monitor “common” controls that are relevant to financial reporting risks
–Application security
–Application program/configuration change control
–Data security & change control
–Program testing
–Job scheduling & management
–Data redundancy
Slide 20: Volume III - Examples
Common IT management processes that MIGHT be considered monitoring of controls
–Access recertification
–Security log monitoring
–Peer/quality review processes
–Change review boards
–Post-implementation reviews
–Recovery testing
Questions???
© Grant Thornton