Presentation is loading. Please wait.

Presentation is loading. Please wait.

COBIT 5 and COSO 2013: Comparing the Frameworks

Similar presentations

Presentation on theme: "COBIT 5 and COSO 2013: Comparing the Frameworks"— Presentation transcript:

1 COBIT 5 and COSO 2013: Comparing the Frameworks
Presented to ISACA Central Ohio Chapter Charles T. Saunders, PhD, CIA, CCSA, CRMA 5/8/2014 COSO/COBIT 5 Presentation

2 COSO/COBIT 5 Presentation
COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (ISACA) 5/8/2014 COSO/COBIT 5 Presentation

3 COSO/COBIT 5 Presentation
Overview of COBIT 5 “COBIT 5 is a framework that enables IT to be governed and managed in a holistic manner for the entire enterprise…enables managers to bridge the gap between business objectives, technical issues, and business risk” (ISACA, 2014). Key concepts of COBIT 5: IT Governance and the political dimension Core concepts that explain general use of framework Value creation and benefits realization Risk management Information security Assurance 5/8/2014 COSO/COBIT 5 Presentation

4 COBIT 5: IT Governance and the Political Dimension
“IT governance is the process that ensures the efficient use of IT to achieve enterprise strategic objectives and goals” (ISACA, 2014). IT governance frameworks: Balanced Scorecard Capability Maturity Model Integration COBIT COSO ENISA guidelines ISO/IEC 27001 ITIL (focus on ITSM) NIST guidelines PRINCE2 (project management) Six Sigma (operational performance, defect identification) 5/8/2014 COSO/COBIT 5 Presentation

5 COBIT 5 Structure At-a-Glance
Five Principles 11 Stakeholder Needs Four Balanced Scorecard (BSC) Dimensions 17 Goals for Alignment within 4 BSC Dimensions Alignment of IT Goals with Enterprise Goals 5/8/2014 COSO/COBIT 5 Presentation

6 COBIT 5 Principles 5/8/2014 COSO/COBIT 5 Presentation
1. Meeting Stakeholder Needs 2. Covering the Enterprise End-to-End 3. Applying a Single Integrated Framework 4. Enabling a Holistic Approach 5. Separating Governance from Management 5/8/2014 COSO/COBIT 5 Presentation

7 COBIT 5 Goals Cascade Step 1: Stakeholder drivers influence stakeholder needs. Step 2: Stakeholder needs cascade to enterprise goals. Step 3: Enterprise goals cascade to IT-related goals. Step 4: IT-related goals cascade to enabler goals. 5/8/2014 COSO/COBIT 5 Presentation

8 COSO/COBIT 5 Presentation
COBIT 5 Use of Balanced Scorecard (BSC) Dimensions: Alignment of IT and Enterprise Goals - Examples BSC Dimensions and Related Goals (17 total): Financial – 5 Enterprise goals, 6 IT goals (aligned IT goals in parentheses, below) Example # 1: Stakeholder value of business investments (Alignment of IT and business strategy) Customer – 5 Enterprise goals, 2 IT goals Example # 2: Customer-oriented service culture (Delivery of IT services in line with business requirements) Internal – 5 Enterprise goals, 7 IT goals Example # 3: Operational and staff productivity (Availability of reliable and useful information for decision making) Learning and Growth – 2 Enterprise and 2 IT goals Example # 4: Product and business innovation culture (Knowledge, expertise, and initiatives for business innovation) 5/8/2014 COSO/COBIT 5 Presentation

9 COBIT 5: Categories of Enablers
Principles, Policies, and Frameworks Processes Organizational Structures Culture, Ethics, and Behaviour Information Services, Infrastructure, and Applications People, Skills, and Competencies 5/8/2014 COSO/COBIT 5 Presentation

10 COBIT 5 Enabler: Processes
Process: “a collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)” (ISACA, 2012, p. 69). 5/8/2014 COSO/COBIT 5 Presentation

11 COSO/COBIT 5 Presentation
COBIT 5 – Process Reference Model: Processes for Governance of Enterprise IT (examples) Evaluate, Direct, and Monitor (5 processes) EDM02: Ensure benefits delivery Align, Plan, and Organize (13 processes) APO02: Manage strategy Build, Acquire, and Implement (10 processes) BAI09: Manage assets Deliver, Service, and Support (6 processes) DSS01: Manage operations Monitor, Evaluate, and Assess (3 processes) Monitor, evaluate, and assess performance and conformance NOTE: Metrics recommended for all Enablers and Processes: Questions: Needs addressed? Goals achieved? Life cycle managed? Good practices applied? Lag indicators – for Achievement of goals Lead indicators – for Applications of practice 5/8/2014 COSO/COBIT 5 Presentation

12 COBIT 5: Enabler Dimensions
Stakeholders Internal External Goals Intrinsic quality Contextual quality (relevance, effectiveness) Accessibility and security Life Cycle Plan Design Build/Acquire/Create/ Implement Use/Operate Evaluate/Monitor Update/Dispose Good Practices Process practices, activities, detailed activities Work products (Inputs/Outputs) 5/8/2014 COSO/COBIT 5 Presentation

13 COSO Internal Control – Integrated Framework (2013)
5/8/2014 COSO/COBIT 5 Presentation

14 Defining Internal Control (COSO, 2013)
Internal control is defined as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. 5/8/2014 COSO/COBIT 5 Presentation

15 Fundamental Concepts of Internal Control
Geared to the achievement of objectives in one or more categories— operations, reporting, and compliance A process consisting of ongoing tasks and activities—a means to an end, not an end in itself Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control • Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors • Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process 5/8/2014 COSO/COBIT 5 Presentation

16 COSO/COBIT 5 Presentation
Objectives The Framework provides for three categories of objectives, which allow organizations to focus on differing aspects of internal control: • Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. • Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies. • Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject. 5/8/2014 COSO/COBIT 5 Presentation

17 Components of Internal Control
Internal control consists of five integrated components: Control Environment - The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. Risk Assessment - Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. 5/8/2014 COSO/COBIT 5 Presentation

18 Components of Internal Control
Control Activities - the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Information and Communication - Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. 5/8/2014 COSO/COBIT 5 Presentation

19 Components of Internal Control
Monitoring Activities - Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. 5/8/2014 COSO/COBIT 5 Presentation

20 COSO – Relationship of Objectives and Components (Source: COSO)
5/8/2014 COSO/COBIT 5 Presentation

21 Components and Principles: Control Environment
The organization demonstrates a commitment to integrity and ethical values. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. 5/8/2014 COSO/COBIT 5 Presentation

22 Components and Principles: Risk Assessment
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The organization considers the potential for fraud in assessing risks to the achievement of objectives. The organization identifies and assesses changes that could significantly impact the system of internal control. 5/8/2014 COSO/COBIT 5 Presentation

23 Components and Principles: Control Activities
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. The organization selects and develops general control activities over technology to support the achievement of objectives. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. 5/8/2014 COSO/COBIT 5 Presentation

24 Components and Principles: Information and Communication
The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control. 5/8/2014 COSO/COBIT 5 Presentation

25 Components and Principles: Monitoring
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. 5/8/2014 COSO/COBIT 5 Presentation

26 COSO Enterprise risk management Framework (2004)
5/8/2014 COSO/COBIT 5 Presentation

27 COSO/COBIT 5 Presentation
Since Risk Management is Mentioned in COBIT 5…Here is an Overview of COSO’s ERM Integrated Framework (COSO, 2004) COSO Definition of ERM: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Achievement of Objectives: Strategic – high-level, aligned with and supporting mission Operations – effective and efficient use of its resources Reporting – reliability of reporting Compliance – with applicable laws and regulations 5/8/2014 COSO/COBIT 5 Presentation

28 COSO: Components of Enterprise Risk Management
Internal environment (tone, risk management philosophy, risk appetite, integrity, ethical values) Objective setting (set by management, align with mission and risk appetite) Event identification (internal and external events affecting achievement of objectives; risks vs. opportunities) Risk assessment (analysis: likelihood and impact; inherent and residual risks) Risk response (i.e., avoiding, accepting, reducing, sharing) Control activities (policies and procedures) Information and communication (relevant information to enable accomplishment of objectives; effective communication flowing down, across, and up the entity) Monitoring (through ongoing management activities, separate evaluations, or both) 5/8/2014 COSO/COBIT 5 Presentation

29 Summary: Comparing COBIT 5 and COSO Frameworks
Comparison Point COBIT 5 COSO 2013 Business Purpose? IT/IS governance Org. governance (IC) Stakeholder oriented? Extensive consideration Broader consideration Business principles-based? Yes Alignment – org. goals/objectives? Yes (focus on IT, but can be adapted across organization) Yes (focus on operations, reporting, compliance) “Guts” of model Business Scorecard dimensions, with: 17 related goals, 7 enablers, 37 processes 5 Components (IC) Total organizational applicability: Entity, division, unit, function 17 high-level internal control principles Adaptability to total organization? Yes, with some creative effort Yes, by design 5/8/2014 COSO/COBIT 5 Presentation

30 COSO/COBIT 5 Presentation
References COSO (2013). COSO: Internal control – integrated framework. Durham, NC: AICPA. COSO (2004). Enterprise risk management – integrated framework. Durham, NC: AICPA. ISACA (2014). Basic foundational concepts student book: Using COBIT 5. Rolling Meadows, IL: ISACA. ISACA (2012). COBIT 5: A business framework for the governance and management of enterprise IT. Rolling Meadows, IL: ISACA. 5/8/2014 COSO/COBIT 5 Presentation

31 COSO/COBIT 5 Presentation
On a Personal Note Dr. Saunders is available to perform a sabbatical research project in your organization. Sabbaticals are 15-week projects which, with approval by Franklin University, enable faculty to pursue a supported research project in their field of interest. ERM, COSO, and COBIT 5 are within my field of interest and are directly related to courses I teach at Franklin. If there might be an opportunity within your organization, please take a business card today, and contact Dr. Saunders to discuss possibilities. Sabbatical projects are being planned for the 2015 – 2016 academic year. 5/8/2014 COSO/COBIT 5 Presentation

32 Your Questions/Comments?
Thank You! 5/8/2014 COSO/COBIT 5 Presentation

Download ppt "COBIT 5 and COSO 2013: Comparing the Frameworks"

Similar presentations

Ads by Google