Beruflich Dokumente
Kultur Dokumente
Integratin g
COBIT 5 With
COSO 2013
Stephen Head
Senior Manager, IT Risk Advisory Services
1
Integrating COBIT 5 With COSO 2013
• COSO Overview
COSO
• Mapping These Frameworks 2013
2
Integrating COBIT 5 With COSO 2013
Use of Frameworks
4
Integrating COBIT 5 With COSO 2013
5
COBIT Overview
Integrating COBIT 5 With COSO 2013
What Is COBIT?
• A Business Framework for the Governance and Management of
Enterprise IT
• Developed by ISACA in 1996, 5th Edition published in Spring 2012
• Accepted globally as a set of tools that ensures IT is working
effectively
• Provides common language to communicate goals, objectives and
expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
– Strategic alignment of IT with business goals
– Value delivery of services and new projects
– Risk management
– Resource management
– Performance measurement
7
Integrating COBIT 5 With COSO 2013
(EDM)
Source: COBIT 5 Framework, page 32, © 2012 ISACA. All rights reserved.
8
Integrating COBIT 5 With COSO 2013
9
Integrating COBIT 5 With COSO 2013
What is COSO?
Definition: COSO is a leading framework for designing, implementing,
and conducting internal control and assessing the effectiveness of
internal control.
Source: COSO, Internal Control––Integrated Framework Executive Summary, USA, May 2013.
13
13
Integrating COBIT 5 With COSO 2013
15
15
Integrating COBIT 5 With COSO 2013
Summary of Changes
The Update increases ease of use and broadens application
16
Integrating COBIT 5 With COSO 2013
COSO 2013
5 Components 17 Principles 77 Points of Focus
Source: COSO.org
17
Integrating COBIT 5 With COSO 2013
Management
Assessment
Oversight
Process
18
Mapping COBIT 5 to COSO 2013
Integrating COBIT 5 With COSO 2013
COSO 2013
5 Components 17 Principles 77 Points of Focus
Source: COSO.org
20
Integrating COBIT 5 With COSO 2013
21
Integrating COBIT 5 With COSO 2013
22
Integrating COBIT 5 With COSO 2013
1 2 2 All Processes
5, 6, 10
3 8 2 2 7 2 15 17
1 3 4 8 1
9 12 14 4 8
13
13 7
9 9 9 9 13
16 17
11
23
Integrating COBIT 5 With COSO 2013
COSO Principle 1
The organization demonstrates a commitment to integrity and ethical
values.
COBIT 5 Coverage:
• EDM01 Ensure Governance Framework Setting and Maintenance
• APO01 Manage the IT Management Framework
• APO07 Manage Human Resources
24
Integrating COBIT 5 With COSO 2013
COSO Principle 2
The board of directors demonstrates independence from management
and exercises oversight of the development and performance of internal
control.
COBIT 5 Coverage:
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency
25
Integrating COBIT 5 With COSO 2013
COSO Principle 3
Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
COBIT 5 Coverage:
• EDM01 Ensure Governance Framework Setting and Maintenance
• APO01 Manage the IT Management Framework
26
Integrating COBIT 5 With COSO 2013
COSO Principle 4
The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
COBIT 5 Coverage:
• APO01 Manage the IT Management Framework
• APO07 Manage Human Resources
27
Integrating COBIT 5 With COSO 2013
COSO Principle 5
The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
COBIT 5 Coverage:
• All COBIT 5 Processes
28
Integrating COBIT 5 With COSO 2013
COSO Principle 6
The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
COBIT 5 Coverage:
• All COBIT 5 Processes
29
Integrating COBIT 5 With COSO 2013
COSO Principle 7
The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the
risks should be managed.
COBIT 5 Coverage:
• EDM03 Ensure Risk Optimization
• APO12 Manage Risk
30
Integrating COBIT 5 With COSO 2013
COSO Principle 8
The organization considers the potential for fraud in assessing risks to
the achievement of objectives.
• COBIT 5 Coverage:
• EDM01 Ensure Governance Framework Setting and Maintenance
• APO01 Manage the IT Management Framework
• APO07 Manage Human Resources
• MEA03 Monitor, Evaluate and Assess Compliance With External
Requirements
31
Integrating COBIT 5 With COSO 2013
COSO Principle 9
The organization identifies and assesses changes that could
significantly impact the system of internal control.
COBIT 5 Coverage:
• APO01 Manage the IT Management Framework
• BAI02 Manage Requirements Definition
• BAI05 Manage Organizational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
32
Integrating COBIT 5 With COSO 2013
COSO Principle 10
The organization selects and develops control activities that contribute
to the mitigation of risks to the achievement of objectives to acceptable
levels.
COBIT 5 Coverage:
• All COBIT 5 Processes
33
Integrating COBIT 5 With COSO 2013
COSO Principle 11
The organization selects and develops general control activities over
technology to support the achievement of objectives.
COBIT 5 Coverage:
• DSS06 Manage Business Process Controls
34
Integrating COBIT 5 With COSO 2013
COSO Principle 12
The organization deploys control activities through policies that establish
what is expected and procedures that put policies into action.
COBIT 5 Coverage:
• APO01 Manage the IT Management Framework
35
Integrating COBIT 5 With COSO 2013
COSO Principle 13
The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
COBIT 5 Coverage:
• APO11 Manage Quality
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
36
Integrating COBIT 5 With COSO 2013
COSO Principle 14
The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support
the functioning of internal control.
COBIT 5 Coverage:
• APO01 Manage the IT Management Framework
37
Integrating COBIT 5 With COSO 2013
COSO Principle 15
The organization communicates with external parties regarding matters
affecting the functioning of internal control.
COBIT 5 Coverage:
• EDM05 Ensure Stakeholder Transparency
38
Integrating COBIT 5 With COSO 2013
COSO Principle 16
The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal
control are present and functioning.
COBIT 5 Coverage:
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
39
Integrating COBIT 5 With COSO 2013
COSO Principle 17
The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management and the board of
directors, as appropriate.
COBIT 5 Coverage:
• EDM05 Ensure Stakeholder Transparency
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
40
Expectations
Integrating COBIT 5 With COSO 2013
Regulatory Expectations
• What methodology does your
organization use for IT governance?
• Regulatory Expectations (tomorrow’s
expectations, not today’s expectations)
• Remember, you are aiming at a moving
target
• How do you want to be viewed (A
market leader, middle of the pack, or
late adopter)
• Domestic vs. International Regulators
42
Integrating COBIT 5 With COSO 2013
43
Integrating COBIT 5 With COSO 2013
Implementation Considerations
• Gap Assessment
• Management Support
• Project Plan/Manager/Sponsor
46
Integrating COBIT 5 With COSO 2013
• Lead time
• Dashboard redesign
• Cutover point
47
Integrating COBIT 5 With COSO 2013
• Data Quality
• Upgrading/Creating SAPs
• Training
48
Integrating COBIT 5 With COSO 2013
Transition Methodology
Build Internal Perform Impact Engage,
Awareness and Assessment/ Prepare Execute the Communicate
Expertise Project Plan Transition Plan and Train
PCI-DSS 3.0
• Version 3.0 of PCI-DSS was released in November 2013
• Regulated by the PCI Security Standards Council and the major credit
card brands
• Any entity that stores, processes, or transmits cardholder information
MUST COMPLY with the PCI Data Security Standard (DSS)
• Entities include but are not limited to:
– Acquirers
– Merchants
– Service providers
– Trusted third parties
• Each card brand has their own compliance requirements based on
this general requirement
51
Integrating COBIT 5 With COSO 2013
PCI-DSS 3.0
ITIL
• The Information Technology Infrastructure Library (ITIL), is a set
of best-practices for IT service management (ITSM) that focuses on
aligning IT services with the needs of the business.
• In its current form (known as ITILv3 and ITIL 2011 edition), ITIL is
published in a series of five core publications, each of which covers an
ITSM lifecycle stage.
• ITIL describes procedures, tasks and checklists that are not
organization-specific, used by an organization for establishing a
minimum level of competency. It allows the organization to establish a
baseline from which it can plan, implement, and measure. It is used to
demonstrate compliance and to measure improvement.
53
Integrating COBIT 5 With COSO 2013
ITIL Service
improvement
Requests for change
Service
transition Requests
for change
(Filtering)
Design
Requests for change
limitations
Compensating resources
Requests for change and requests for change
Objectives, policies
and guidelines
Service
strategy
54
Integrating COBIT 5 With COSO 2013
HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Department of Health and Human Services (DHHS).
Privacy of health information
– Restricts the use and dissemination of identifiable health information
– Provides individuals with greater access and control of their medical
information
– Regulates business partners and business partner agreements
Security of health information
– Ensures information integrity and confidentiality
– Protects against information tampering and unauthorized information uses
and disclosures
55
Integrating COBIT 5 With COSO 2013
HIPAA
56
Integrating COBIT 5 With COSO 2013
HIPAA
57
Integrating COBIT 5 With COSO 2013
Summary
The latest versions of COBIT and COSO are
complimentary frameworks that can be
mapped to one another.
58
Integrating COBIT 5 With COSO 2013
Questions?
Stephen Head
stephen.head@experis.com
704-953-6688
59