On September 17 the COSO “Guidance on Monitoring Internal Control Systems” discussion document was released, with public comment on the paper being accepted until October 31.
I’m amazed at the large number of information assurance professionals who have never heard of COSO…have you? If not, it is definitely worthwhile to take a few minutes and learn a little more about it; it could be very helpful to you and your efforts.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.
“COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.”
COSO launched a project designed to make the monitoring component of its 1992 “Internal Control–Integrated Framework” more user-friendly, resulting in this report, which is the result of the first phase of the project. This paper is aimed at providing more clearly usable guidance to organizations for monitoring systems of internal control, including those covered by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX).
As the discussion paper indicates, the 1992 framework consisted of five components. Four components concerned the design and operation of internal control systems, and the fifth component discussed monitoring to “ensure that internal control continues to operate effectively.” This updated discussion document builds on the guidance in the monitoring component.
The second phase will include “practical” examples and case studies. COSO reports they expect to publish the final guidance…the output of both phases…in early 2008.
This discussion document has great advice that can be applied to more compliance efforts than just SOX; it is a nice discussion of the need for internal controls. This is clearly shown through the table of contents; here is an excerpt:
“I. Monitoring as a Component of Internal Control Systems 1
Role of Monitoring 1
Structure of Effective Internal Control Systems 3
Difference Between Monitoring Activities and Control Activities 5
II. Fundamentals of Monitoring 5
Attributes of Ongoing Monitoring and Separate Evaluations 6
Attributes of Effective Communication and Follow-Up 7
Elements of Effective Monitoring 7
Role of the Board/Audit Committee 10
III. Nature of Information Used in Monitoring 11
Information Suitability 12
Information Sufficiency 16
IV. Designing Effective Monitoring 18
Prioritizing and Designing Monitoring Procedures 18
Deciding When and How Often to Monitor 24
V. Communicating and Addressing the Results of Monitoring 25
Ranking Issues and Reporting Internally 25
Reporting to External Parties 27
VI. Scalability of Monitoring 28
Scalability Based on Size 28
Scalability Based on Complexity 29
Formality of Monitoring and Level of Documentation 30”
Check it out and see how it can be used within your organization. Take the opportunity to tell COSO how they can improve upon it!
Tags: awareness and training, COSO, Information Security, IT compliance, policies and procedures, privacy, risk management, SOX