ACCOUNTING INFORMATION SYSTEM


INTERNAL CONTROL

GROUP MEMBERS
• Phan Trúc Quyền - 2006197
• Đặng Nguyễn Anh Đào - 2132921
• Hồ Thảo Vy - 2005226
• Phạm Hải Yến - 2004279

OUTLINE
• General introduction to internal control
• Introduction to COSO 2013
• Introduction to COBIT 2013
• Comparison between COSO 2013 and COBIT 2013
• Conclusion

Internal Control
• A process
• An entity's board of directors
• Other personnel
• Management

Objectives
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations

Control Environment
• Sets the tone of the organization
• Influences the control consciousness of its people

Areas included:
• Integrity and ethical behavior
• Commitment to competence
• Board of directors and audit committee participation
• Management philosophy and operating style
• Organization structure
• Assignment of authority and responsibility
• Human resource policies and practices

Control Activities
The policies and procedures
-> ensure management directives are carried out
-> ensure necessary actions are taken to address risks to achievement of the entity's objectives

They include a range of activities:
• Approvals
• Authorizations
• Verifications
• Reconciliations
• Reviews of operating performance
• Security of assets
• Segregation of duties

Scope of operations
• Achieving entity performance and profitability targets
• Preventing loss of resources
• Helping ensure reliable financial reporting
• Ensuring the enterprise complies with laws and regulations
• Avoiding damage to its reputation and other consequences

Restrictions
• Cannot change an inherently poor manager into a good one
• Cannot ensure success, or even survival
• No absolute assurance of achieving the entity's objectives
• Judgments in decision-making can be faulty, and breakdowns can occur
• The design of an internal control system must reflect the fact that there are resource constraints
• The benefits of controls must be considered relative to their costs
COSO (Committee of Sponsoring Organizations)
A joint initiative of five private sector organizations, established in the United States:
– The Institute of Management Accountants (IMA)
– The American Accounting Association (AAA)
– The American Institute of Certified Public Accountants (AICPA)
– The Institute of Internal Auditors (IIA)
– Financial Executives International (FEI)
-> to provide thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting

COSO 2013 Objectives
• The effectiveness and efficiency of operations, including operational and financial performance goals, and safeguarding assets against loss
  In the 1992 Framework, the operations objective was limited to “effective and efficient use of the entity’s resources.”
• The reliability of financial reporting
  In the 1992 Framework, the reporting objective was called the financial reporting objective and it was described as “relating to the preparation of reliable financial statements.”
• Compliance with laws and regulations
  The 2013 Framework considers the increased demands and complexities in laws, regulations, and accounting standards that have occurred since 1992

COSO Framework

Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability

Risk Assessment
• Specifies suitable objectives
• Identifies and analyzes risk
• Assesses fraud risk
• Identifies and analyzes significant change

Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures

Information and Communication
• Uses relevant information
• Communicates internally
• Communicates externally

Monitoring
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies

Changes in COSO 1992 to 2013

Stakeholders’ needs
Enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not, will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk.

Step 1: Stakeholder Drivers Influence Stakeholder Needs
• Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and new technologies

Step 2: Stakeholder Needs Cascade To Enterprise Goals
• Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC)

Step 3: Enterprise Goals Cascade To IT-related Goals
• Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC)

Step 4: IT-related Goals Cascade To Enabler Goals
• Achieving IT-related goals requires the successful application and use of a number of enablers

Covering the Enterprise End-to-End
• Covers governance & management of IT (GEIT)
• Integrates GEIT into Enterprise Governance
• Seamless integration since aligned with latest views
• Not focused ONLY on the IT function
• Covers all functions and processes within the enterprise
• IT is like all other assets in an enterprise

Single Integrated Framework
COBIT is a single and integrated framework because:
• It aligns with other latest relevant standards and frameworks, and thus allows the enterprise to use COBIT as the overarching governance and management framework integrator
• It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used
• A single overarching framework serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language
• It provides a simple architecture for structuring guidance materials and producing a consistent product set
• It integrates all knowledge previously dispersed over different ISACA frameworks

Enabling a Holistic Approach
• Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
• Organizational structures are the key decision-making entities in an enterprise
• Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities
• Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself
• Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
• People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

Enabling a Holistic Approach
• Enablers must be interconnected
– Inputs from other enablers
– Outputs to benefit other enablers
Diagram labels: Information; People, Skills and Competencies; Organizational Structures; Process; Information

Separating Governance From Management
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives
VS
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

COMPARISON: COSO and COBIT

COBIT: more comprehensive, process-oriented, covering risk and control needs, and relates more to technical issues
COSO: more broad-based, less complex, without so many technical issues

COBIT: covers quality and security requirements
COSO: COSO’s control objectives: operations, reporting, compliance

COBIT: The domains of COBIT are: Planning and organizing, Acquisition and implementation, Manage IT investment, Delivery and support, Monitoring and evaluation
COSO: components: Control environment, Risk assessment, Control activities, Information and Communication, Monitoring

COBIT:
• Focuses on IT components
• Contains the system of development, operation, delivery, and implementation
• Strengthens assessment, understanding and exercise of appropriate internal controls
• Provides a good framework for risk management and improves communication among management, users and auditors regarding IT governance
COSO: focuses on monitoring and evaluation, which is also one of COBIT's domains

Therefore, COSO and COBIT together build a strong assessment of IT-based systems and processes

CONCLUSION
• The combination of COSO and COBIT will be very beneficial
• All analysis and documentation of processes could be scoped by the COSO framework and all technological issues could be reviewed in detail by the COBIT framework
• COBIT would also help with the complexity of software systems
• On the other hand, COSO will support control activities and COBIT will help in detailed monitoring and evaluation

THANK YOU FOR WATCHING AND LISTENING TO US

[...]
COBIT (Control Objectives for Information and related Technology)
• An IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks
• Enables...

Date posted: 07/04/2016, 21:14


Table of contents

  • Slide 1

  • GROUP MEMBERS

  • OUTLINE

  • Internal Control

  • Slide 5

  • Slide 6

  • COSO (Committee of Sponsoring Organizations )

  • COSO 2013 Objectives

  • COSO Framework

  • Changes in COSO 1992 to 2013

  • Slide 11

  • The Purpose of COBIT

  • Principles

  • Stakeholders’ needs

  • Slide 15

  • Slide 16

  • Slide 17

  • Covering the Enterprise End-to-End

  • Single Integrated Framework

  • Enabling a Holistic Approach
