The Role of the COSO Framework and the Relationship to ISAE 3402

SOX legislation and the PCAOB AS 5 do not mandate a particular control framework. SOX legislation requires “management to base its evaluation of the effectiveness of the company’s ICFR on a suitable, recognized control framework (also known as control criteria) established by a body or group that followed due-process procedures.” Although enterprises have flexibility in their choice of an internal control framework, in practice, most enterprises choose to adopt the Internal Control—Integrated Framework promulgated by COSO. The COSO framework definitions of control objectives, entity-level controls and control domains are consistently in use as a guide for enterprises that comply with SOX sections 302 and 404. However, COSO gives only broad guidance on IT controls. In this guide, COBIT 5 is mapped to COSO, showing how the two frameworks complement each other for purposes of SOX requirements.

COBIT 5 is a comprehensive framework for the governance and management of enterprise IT, comprising five domains, 37 IT-enabling processes and over 200 governance and management practices and activities. COBIT 5 includes controls that address all aspects of IT governance, but only those significant to financial reporting have been used to develop this document. COBIT 5 provides both entity-level and activity-level objectives (called management practices and activities in COBIT 5) along with associated controls. COBIT 5 is widely used by enterprises as a supplement to COSO.

COSO

COSO is a voluntary private-sector organization that is dedicated to the development of guidance in the areas of risk and control, which enable good organizational governance and the reduction of fraud. COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent organization that is often referred to as the Treadway Commission.

The sponsoring organizations include the AICPA, American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA). The sections that follow provide further insight into the COSO framework and its implications for IT. A new version of the framework was released in May 2013. The five key components of the original COSO framework that was issued in 1992 are the same in the 2013 version. However, the key difference is that the revised COSO framework details 17 principles that must be followed to ensure that control requirements that are related to the five key component areas are met.

The five key component areas are:

    • Control environment

    • Risk assessment

    • Control activities

    • Information and communication

    • Monitoring activities

Chapter 1 introduced COSO’s definition of internal controls. This chapter elaborates on this definition of internal control, and shows the relationship to control objectives.

COSO sees internal control as:

    • A process consisting of ongoing tasks and activities. It is a means to an end and not an end in itself.

    • Effected by people. It is not merely about policy manuals, systems and forms, but about people at every level of an organization who impact internal control.

    • Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and governing board

    • Geared to the achievement of objectives in one or more separate, but overlapping, categories

    • Adaptable to the entity structure

COSO sees internal control as having five components:

    1. Control environment—Sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

    2. Risk assessment—The identification and analysis of relevant risk to the achievement of objectives, forming a basis for how the risk should be managed

    3. Control activities—The policies and procedures that help to ensure that management directives are carried out

    4. Information and communication—Systems or processes that support the identification, capture and exchange of information in a form and time frame that enables people to carry out their responsibilities

    5. Monitoring activities—Processes used to assess the quality of internal control performance over time

The COSO framework provides for three categories of objectives, which allow organizations to focus on different aspects of internal control:

    • Operations objectives—Pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss

    • Reporting objectives—Pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or entity policies

    • Compliance objectives—Pertain to adherence to laws and regulations to which the entity is subject

Relationship of Objectives and Components

“A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and the organizational structure of the entity (the operating units, legal entities, and other). The relationship can be depicted in the form of a cube, as illustrated in figure 6.

    • The three categories of objectives—operations, reporting, and compliance—are represented by the columns.

    • The five components are represented by the rows.

    • An entity’s organizational structure is represented by the third dimension.”22

Components and Principles

Control Environment

    1. The organization demonstrates a commitment to integrity and ethical values.

    2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

    3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

    4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

    5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

    6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

    7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed.

    8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

    9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

    10. The organization selects and develops control activities that contribute to the mitigation of risks to ensure the achievement of objectives to acceptable levels.

    11. The organization selects and develops general control activities over technology to support the achievement of objectives.

    12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

    13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

    14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

    15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

    16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

    17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The Role of the COSO Framework and the Relationship to COBIT 5

Applying the COSO Framework to IT and COBIT 5

For SOX compliance efforts, it is important to demonstrate how IT controls support the COSO framework. COSO uses the term “technology” to refer to all computerized systems, including software applications and operational control systems. However, the COSO framework does not address other specific IT process areas, such as IT service management or information security, and notes the following:

As presented earlier in the chapter, the COSO framework divides internal control into five components. Figure 8 shows that all of the components need to be in place and integrated to achieve the control objectives necessary for effective financial reporting. COBIT 5 provides similar detailed guidance for IT. The five components of the COSO framework—beginning with identifying the control environment and culminating in the monitoring of internal controls—form the horizontal layer of the three-dimensional cube. The COBIT 5 control areas, beginning with the governance domain of Evaluate, Direct and Monitor (EDM) through the management domain of Monitor, Evaluate and Assess (MEA), make up the horizontal layer of the cube. They are applicable to all five components of the COSO framework, individually and in aggregate.

Figure 8 (not reproduced here) maps the COBIT 5 Control Areas (Process Enabler Reference Model) against the five COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. Its callouts read:

    • IT controls should consider the overall governance framework to support the quality and integrity of information.

    • Controls in IT are relevant to both financial reporting and disclosure requirements of Sarbanes-Oxley.

    • Competency in all five layers of COSO’s framework is necessary to achieve an integrated control program.

Source: Adapted from COSO, “Internal Control—Integrated Framework,” Executive Summary, USA, May 2013. Used with permission.

Control Environment Component

The control environment affects the entire entity. It creates the foundation for effective internal control and sets the “tone at the top.” Five COSO principles are related to the control environment, as shown in figure 7. The control environment primarily addresses the entity level. For illustrative purposes, principle 3 is selected:

Principle 3—“Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.”25

Two COBIT 5 processes align to this principle:

    • EDM01 Ensure Governance Framework Setting and Maintenance

    • APO01 Manage the IT Management Framework

Example control objective:

    • APO01.02 Establish roles and responsibilities. This includes agreement on IT-related roles and responsibilities for all personnel in the organization, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision making and approvals.

Risk Assessment Component

Risk assessment involves management’s identification and analysis of relevant risk to achieving predetermined objectives, which form the basis for determining control activities. A risk assessment is required for both entity-level and activity-level controls (for a specific process or business unit). There are three principles associated with this component. For illustrative purposes, Principle 8 is selected.

Principle 8—“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”26

Twelve COBIT 5 processes align to this principle:

    • APO01 Manage the IT Management Framework

    • APO07 Manage Human Resources

    • APO10 Manage Suppliers

    • APO12 Manage Risk

    • APO13 Manage Security

    • BAI06 Manage Changes

    • BAI07 Manage Change Acceptance and Transitioning

    • BAI10 Manage Configuration

    • DSS01 Manage Operations

    • DSS05 Manage Security Services

    • DSS06 Manage Business Process Controls

    • MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Example control objectives:

    • DSS05.04 Manage user identity and logical access. Authenticate all access to information assets based on their security classification, and coordinate with the business units that manage authentication within applications used in business processes, to ensure that authentication controls have been properly administered so as to reduce or prevent fraud.

    • DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Allocate access rights and privileges based on what is required to perform job activities, based on pre-defined roles. Remove or revise access rights immediately if the job role changes or the staff member leaves the business process area.

Control Activities Component

Control activities are the policies, procedures and practices that are in place to ensure achievement of business objectives and risk optimization. Control activities specifically address each control objective to mitigate identified risk.

IT general controls include the following four types of control, which are reflected in the selection of the SOX-relevant general controls within the recommended COBIT 5 processes for SOX compliance:

    • Data center operation controls—Controls such as job setup and scheduling, operator actions, and data backup and recovery procedures

    • System software controls—Controls over the effective acquisition, implementation and maintenance of system software, database management, telecommunications software, security software and utilities

    • Access security controls—Controls that prevent inappropriate and unauthorized use of the system across all layers: operating system, database and application

    • Application system development and maintenance controls—Controls over development methodology, including system design and implementation, that outline specific phases, documentation requirements, change management, approvals and checkpoints to control the development or maintenance project

Three COSO principles are aligned to this component. For illustrative purposes, Principle 11, on technology controls, is selected. This is one of the key COSO principles for IT and, as a result, is a major focus for SOX compliance.

Principle 11—“The organization selects and develops general control activities over technology to support the achievement of objectives.”27

Fifteen COBIT 5 processes align to this principle:

    • APO09 Manage Service Agreements

    • APO10 Manage Suppliers

    • APO13 Manage Security

    • BAI02 Manage Requirements Definition

    • BAI03 Manage Solutions Identification and Build

    • BAI04 Manage Availability and Capacity

    • BAI06 Manage Changes

    • BAI07 Manage Change Acceptance and Transitioning

    • BAI10 Manage Configuration

    • DSS01 Manage Operations

    • DSS02 Manage Service Requests and Incidents

    • DSS03 Manage Problems

    • DSS04 Manage Continuity

    • DSS05 Manage Security Services

    • DSS06 Manage Business Process Controls

Example control objectives:

    • BAI04.01 Assess current availability, performance and capacity and create a baseline, to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create baselines for future comparison.

    • DSS04.07 Manage backup arrangements. Define requirements for on-site and off-site storage of backup data that meet business requirements. Consider the accessibility required to back up data.

Information and Communication Component

The COSO framework states that an appropriate flow of information is necessary at all levels of an organization to run the business and achieve the entity’s control objectives. In COBIT 5, “Information” is part of the overall focus of the governance and management framework (information and related technology as enterprise assets) and a supporting enabler with associated attributes. Facilitating effective communication by providing a “common language” framework for governance of enterprise IT (GEIT) is a key purpose of COBIT 5.

The IT organization processes most financial reporting information. However, the scope of activities undertaken by the IT organization is usually much broader than the support of financial reporting. IT may also assist in implementing mechanisms such as a move to a cloud solution or implementation of a new executive decision support system.

The COSO framework states that certain criteria affect the quality of information; assessing them includes ascertaining whether the information is:

    • Appropriate—Is it the right information?

    • Timely—Is it available when required and reported in the right period of time?

    • Current—Is it the latest available information?

    • Accurate—Are the data correct?

    • Accessible—Can authorized individuals gain access to it as necessary?


Three COSO principles are aligned to this component. For illustrative purposes, Principle 15 is selected.

Principle 15—“The organization communicates with external parties regarding matters affecting the functioning of internal control.”28

Two COBIT 5 processes align to this principle:

    • APO01 Manage the IT Management Framework

    • EDM05 Ensure Stakeholder Transparency

Example control objectives:

    • EDM05.02 and EDM05.03 Direct and monitor stakeholder communication and reporting. Ensure that communication to stakeholders is effective and timely and that a reliable, consistent basis for reporting is established.

Monitoring Activities Component

Monitoring covers the oversight of internal control by management through continuous and point-in-time assessment processes. Monitoring is becoming increasingly important to IT management. Two COSO framework principles are aligned to this component. For illustrative purposes, Principle 17 is selected.

Principle 17—“The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”29

Five COBIT 5 processes align to this principle:

    • EDM01 Ensure Governance Framework Setting and Maintenance

    • EDM05 Ensure Stakeholder Transparency

    • MEA01 Monitor, Evaluate and Assess Performance and Conformance

    • MEA02 Monitor, Evaluate and Assess the System of Internal Control

    • MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

An example control objective:

    • MEA03.03 Confirm external compliance. Regularly review for recurring patterns of compliance failure and address compliance gaps in policies, standards and procedures on a timely basis.