COBIT 5 and COSO 2013: Comparing the Frameworks
Presented to ISACA Central Ohio Chapter
Charles T. Saunders, PhD, CIA, CCSA, CRMA
5/8/2014


1 COBIT 5 and COSO 2013: Comparing the Frameworks
Presented to ISACA Central Ohio Chapter
Charles T. Saunders, PhD, CIA, CCSA, CRMA
5/8/2014 COSO/COBIT 5 Presentation, slide 1


3 Overview of COBIT 5
“COBIT 5 is a framework that enables IT to be governed and managed in a holistic manner for the entire enterprise…enables managers to bridge the gap between business objectives, technical issues, and business risk” (ISACA, 2014).
Key concepts of COBIT 5:
– IT Governance and the political dimension
– Core concepts that explain general use of the framework
– Value creation and benefits realization
– Risk management
– Information security
– Assurance

4 COBIT 5: IT Governance and the Political Dimension
“IT governance is the process that ensures the efficient use of IT to achieve enterprise strategic objectives and goals” (ISACA, 2014).
IT governance frameworks:
– Balanced Scorecard
– Capability Maturity Model Integration
– COBIT
– COSO
– ENISA guidelines
– ISO/IEC
– ITIL (focus on ITSM)
– NIST guidelines
– PRINCE2 (project management)
– Six Sigma (operational performance, defect identification)

5 COBIT 5 Structure At-a-Glance
– Five Principles
– 11 Stakeholder Needs
– Four Balanced Scorecard (BSC) Dimensions
– 17 Goals for Alignment within the 4 BSC Dimensions – Alignment of IT Goals with Enterprise Goals

6 COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

7 COBIT 5 Goals Cascade
Step 1: Stakeholder drivers influence stakeholder needs.
Step 2: Stakeholder needs cascade to enterprise goals.
Step 3: Enterprise goals cascade to IT-related goals.
Step 4: IT-related goals cascade to enabler goals.

8 COBIT 5 Use of Balanced Scorecard (BSC) Dimensions: Alignment of IT and Enterprise Goals – Examples
BSC Dimensions and Related Goals (17 total); the aligned IT goal is given in parentheses for each example:
– Financial – 5 Enterprise goals, 6 IT goals
  Example 1: Stakeholder value of business investments (Alignment of IT and business strategy)
– Customer – 5 Enterprise goals, 2 IT goals
  Example 2: Customer-oriented service culture (Delivery of IT services in line with business requirements)
– Internal – 5 Enterprise goals, 7 IT goals
  Example 3: Operational and staff productivity (Availability of reliable and useful information for decision making)
– Learning and Growth – 2 Enterprise goals, 2 IT goals
  Example 4: Product and business innovation culture (Knowledge, expertise, and initiatives for business innovation)

9 COBIT 5: Categories of Enablers
1. Principles, Policies, and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics, and Behaviour
5. Information
6. Services, Infrastructure, and Applications
7. People, Skills, and Competencies

10 COBIT 5 Enabler: Processes
Process: “a collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)” (ISACA, 2012, p. 69).

11 COBIT 5 – Process Reference Model: Processes for Governance of Enterprise IT (examples)
1. Evaluate, Direct, and Monitor (5 processes) – EDM02: Ensure benefits delivery
2. Align, Plan, and Organize (13 processes) – APO02: Manage strategy
3. Build, Acquire, and Implement (10 processes) – BAI09: Manage assets
4. Deliver, Service, and Support (6 processes) – DSS01: Manage operations
5. Monitor, Evaluate, and Assess (3 processes) – Monitor, evaluate, and assess performance and conformance
NOTE: Metrics are recommended for all Enablers and Processes:
– Questions: Needs addressed? Goals achieved? Life cycle managed? Good practices applied?
– Lag indicators – for achievement of goals
– Lead indicators – for application of practices

12 COBIT 5: Enabler Dimensions
Stakeholders
– Internal
– External
Goals
– Intrinsic quality
– Contextual quality (relevance, effectiveness)
– Accessibility and security
Life Cycle
– Plan
– Design
– Build/Acquire/Create/Implement
– Use/Operate
– Evaluate/Monitor
– Update/Dispose
Good Practices
– Process practices, activities, detailed activities
– Work products (Inputs/Outputs)


14 Defining Internal Control (COSO, 2013)
Internal control is defined as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

15 Fundamental Concepts of Internal Control
– Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
– A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
– Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
– Able to provide reasonable assurance—but not absolute assurance—to an entity’s senior management and board of directors
– Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

16 Objectives
The Framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control:
– Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
– Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
– Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

17 Components of Internal Control
Internal control consists of five integrated components:
– Control Environment – The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
– Risk Assessment – Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.

18 Components of Internal Control
– Control Activities – The actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
– Information and Communication – Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.

19 Components of Internal Control
– Monitoring Activities – Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

20 COSO – Relationship of Objectives and Components
[Figure: COSO cube showing the relationship of objectives and components (Source: COSO)]

21 Components and Principles: Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

22 Components and Principles: Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

23 Components and Principles: Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

24 Components and Principles: Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

25 Components and Principles: Monitoring
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


27 Since Risk Management is Mentioned in COBIT 5…Here is an Overview of COSO’s ERM Integrated Framework (COSO, 2004)
COSO Definition of ERM: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Achievement of Objectives:
– Strategic – high-level, aligned with and supporting the mission
– Operations – effective and efficient use of its resources
– Reporting – reliability of reporting
– Compliance – with applicable laws and regulations

28 COSO: Components of Enterprise Risk Management
1. Internal environment (tone, risk management philosophy, risk appetite, integrity, ethical values)
2. Objective setting (set by management, aligned with mission and risk appetite)
3. Event identification (internal and external events affecting achievement of objectives; risks vs. opportunities)
4. Risk assessment (analysis: likelihood and impact; inherent and residual risks)
5. Risk response (i.e., avoiding, accepting, reducing, sharing)
6. Control activities (policies and procedures)
7. Information and communication (relevant information to enable accomplishment of objectives; effective communication flowing down, across, and up the entity)
8. Monitoring (through ongoing management activities, separate evaluations, or both)

29 Summary: Comparing COBIT 5 and COSO Frameworks

Comparison Point | COBIT 5 | COSO 2013
Business purpose? | IT/IS governance | Org. governance (IC)
Stakeholder oriented? | Extensive consideration | Broader consideration
Business principles-based? | Yes | Yes
Alignment – org. goals/objectives? | Yes (focus on IT, but can be adapted across the organization) | Yes (focus on operations, reporting, compliance)
“Guts” of model | Balanced Scorecard dimensions, with: 17 related goals, 7 enablers, 37 processes | 5 Components (IC); total organizational applicability: entity, division, unit, function; 17 high-level internal control principles
Adaptability to total organization? | Yes, with some creative effort | Yes, by design

30 References
1. COSO (2013). Internal control – integrated framework. Durham, NC: AICPA.
2. COSO (2004). Enterprise risk management – integrated framework. Durham, NC: AICPA.
3. ISACA (2014). Basic foundational concepts student book: Using COBIT 5. Rolling Meadows, IL: ISACA.
4. ISACA (2012). COBIT 5: A business framework for the governance and management of enterprise IT. Rolling Meadows, IL: ISACA.

31 On a Personal Note
Dr. Saunders is available to perform a sabbatical research project in your organization. Sabbaticals are 15-week projects which, with approval by Franklin University, enable faculty to pursue a supported research project in their field of interest. ERM, COSO, and COBIT 5 are within my field of interest and are directly related to courses I teach at Franklin. If there might be an opportunity within your organization, please take a business card today, and contact Dr. Saunders to discuss possibilities. Sabbatical projects are being planned for the 2015 – 2016 academic year.

32 Your Questions/Comments? Thank You!
