The Committee of Sponsoring Organizations (COSO)

Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations and safeguarding tangible and intangible assets.  While internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

Internal control consists of five interrelated components.  The control environment is the atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components.  Within this environment, management assesses business risks of not achieving specified objectives.  Control activities are implemented to help ensure that management directives to address the risks are carried out.  Meanwhile, relevant information is captured and communicated throughout the organization. The entire process is monitored and modified as conditions warrant.

In an “effective” internal control system, these five components work to support the achievement of CSU’s mission, strategies and related business objectives.

  • Control Environment
      • Integrity and Ethical Values
      • Commitment to Competence
      • Board of Directors and Audit Committee
      • Management’s Philosophy and Operating Style
      • Organizational Structure
      • Assignment of Authority and Responsibility
      • Human Resource Policies and Procedures
  • Risk Assessment
      • Company-wide Objectives
      • Process-level Objectives
      • Risk Identification and Analysis
      • Managing Change
  • Control Activities
      • Policies and Procedures
      • Security (Application and Network)
      • Application Change Management
      • Business Continuity / Backups
      • Outsourcing
  • Information and Communication
      • Quality of Information
      • Effectiveness of Communication
  • Monitoring
      • On-going Monitoring
      • Separate Evaluations
      • Reporting Deficiencies

These components work to establish the foundation for sound internal control within CSU through directed leadership, shared values and a culture that emphasizes accountability for control.  The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization.  Control activities and other mechanisms are proactively designed to address and mitigate the significant risks.  Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across CSU.  The entire system of internal control is monitored continuously and problems are addressed in a timely manner.

Control Objectives for Information and Related Technology (COBIT)

What is COBIT?

  • An international unifying framework that integrates all of the main global IT standards, including ITIL, CMMI and ISO 17799
  • A business-oriented set of standards for guiding management in the sound use of information technology from the Information Systems Audit and Control Association (ISACA)
  • A tool for compliance with Sarbanes-Oxley and many other global standards that includes resources such as an executive summary, a framework, control objectives, audit guidelines, management guides and reference materials on CD-ROM.

What does COBIT do?

  • Improves IT efficiency and effectiveness
  • Helps IT understand the needs of the business
  • Puts practices in place to meet the business needs as efficiently as possible
  • Helps executives understand and manage IT investments throughout their life cycle
  • Provides a method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected
  • Helps to develop and document the appropriate organizational structures, processes and tools for effective management of IT
  • Provides an authoritative, international set of generally accepted practices that helps boards of directors, executives and managers increase the value of IT and reduce related risks

COBIT comprises:

  • Management Guidelines - these help answer the questions of immediate concern to all those who have a stake in enterprise success
  • Executive Summary - this provides an overview of COBIT's issues and foundational premise
  • Framework - this describes in detail the high-level IT control objectives, and identifies the business requirements for information and IT resources primarily impacted by each control objective
  • Control Objectives - these contain statements of the desired results or purposes to be achieved by implementing the specific, detailed control objectives
  • Audit Guidelines - these contain suggested audit steps corresponding to each of the IT Control Objectives
  • Implementation Tool Set - this provides lessons learned from those organizations that successfully applied COBIT in their work environments and several tools to help management assess their control environment related to information and IT resources
  • IT Control Practice Statement - this provides the more detailed “how and why” needed by management, service providers, end users, and control professionals to implement highly specific controls based on an analysis of operational and IT risks

How does COBIT support the governance of IT?

COBIT supports the governance of IT by providing a framework to ensure that:

  • IT is aligned with the business
  • IT enables the business and maximizes benefits
  • IT resources are used responsibly
  • IT risks are managed appropriately

IT Governance Focus Areas

Strategic Alignment focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition, and on aligning IT operations with enterprise operations.

Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Resource Management is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.

Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.

Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

An effective IT Governance Framework:

  • Provides clear direction to ensure that IT investments support the business
  • Is an effective way to manage change
  • Creates value for the business in alignment with enterprise objectives
  • Addresses the complete life cycle of IT investment

COBIT divides the IT function into four basic responsibility areas and 34 distinct processes, each focusing less on execution and more on IT controls.  Note that while COBIT does not stress execution, this does not mean that it ignores the process for execution.  The four responsibility areas form a methodology, starting with designing an IT strategy based on business objectives and IT governance objectives, then building and running the systems, and finally measuring the system to generate feedback regarding the satisfaction of the original business and IT governance objectives.  Measurement is at the heart of control: If it can’t be measured, it can’t be managed.  Thus COBIT is a business framework that revolves around IT resources with a goal of continuous improvement.  The following are four responsibility areas:

  • Plan and Organize.  This section covers alignment of IT with strategy, designing the IT infrastructure and IT processes, resource optimization, communication of strategic vision and goals, assessing risks and determining if systems have sufficient quality and proper staffing to meet business needs.  An example would be assessing and managing IT risks.
  • Acquire and Implement.  This section covers needs analysis, application selection or development and assessment and maintenance of existing systems.  Business continuity and meeting budgets and deadlines are stressed. Procuring IT resources is an example.
  • Deliver and Support.  This section covers prioritizing the delivery of services, reducing costs, meeting productivity goals and maintaining integrity, confidentiality and continuity of services.  An example would be managing the service desk and incidents.
  • Monitor and Evaluate.  This section covers monitoring internal controls and IT performance, compliance with regulations and governance of IT functions.  It also stresses the reporting and use of the feedback.  Providing IT guidance is an example.

Each of the 34 processes uses standard terminology and methods. Once the method is known, any process can be understood and communicated effectively. The process format includes a high-level control objective that discusses the process objective and places it in the context of what it is, what business requirements it satisfies, what focus is needed to meet the requirements, how it should be specifically achieved and how it can be measured. This area lists relevant information qualities, IT governance topics and resources needed.