Update on Monitoring: Guidance on Monitoring Internal Control Systems

This guidance explains the monitoring component of the 1992 COSO Report in more detail. It helps readers fully understand the benefits and the potential of effective monitoring. The 2009 Report rests on two principles:

1. Ongoing and/or separate evaluations of internal controls help management determine whether the internal control system continues to function as expected over time.
2. Internal control deficiencies or weaknesses should be identified and communicated to the proper individuals in a timely fashion so that management can make corrections promptly.

GMICS suggests that these two principles can be achieved most effectively when monitoring is based on three broad elements:

Review of Operating Performance versus Monitoring

Review of Operating Performance

Some areas of the company may have an internal audit review only once every three to five years. An operational audit is a review of the operations of a department or a subunit of the organization; it occurs on a regular basis, but not every year. One of the tasks during the operational audit is to test the internal controls that are in place.

Monitoring

Effective monitoring within the context of the COSO Framework is both risk based and principles based, and it considers all five components of internal control. Monitoring is a high-level, comprehensive review of firm-wide objectives and risks. With such information, managers can identify the critical controls that mitigate identified risks, and then develop appropriate tests of those controls so they can be persuasively convinced that the controls are operating as expected.

2011 COBIT, VERSION 5

ISACA is an audit and control association that issued the first version of Control Objectives for Information and related Technology (COBIT) in 1996. It released Version 5 of COBIT in 2011, driven by a major strategic effort to tie together and reinforce all ISACA knowledge assets. The resulting version consolidates and integrates COBIT 4.1, Val IT 2.0 and the Risk IT frameworks, as well as BMIS and ITAF. ISACA created the COBIT framework to be business focused, process oriented, controls based and measurement driven. Its stated mission: to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.

Managers must first tend to the requirements outlined in the 1992 COSO Report and set up an internal control system made up of these five components:

1. The control environment
2. Risk assessment
3. Control activities
4. Information
5. Monitoring

Managers should then work through the guidelines contained in the 2004 COSO Report.

Five areas that senior managers typically focus on in order to achieve appropriate and effective governance of IT:

1. Managers need to focus on the strategic alignment of IT operations.
2. They must determine whether the organization is realizing the expected benefits from IT investments.
3. Managers should continually assess whether the level of IT investment is optimal.
4. Senior management must determine their organization's risk appetite and plan accordingly.
5. Management must continuously measure and assess the performance of IT resources.

Val IT

Val IT is a formal statement of principles and processes for IT management. It helps organizations understand whether they are making the right investments and optimizing the returns from them. It focuses on the investment decision.

The Integration of COBIT and Val IT

Strategic Question
Are we doing the right thing to obtain maximum value from our IT investment?

Value Question
Are the right metrics in place to ensure that the company achieves the expected benefits from the IT investment?

Architecture Question
Is our IT investment consistent with our IT architecture?

Delivery Question
Do we have the resources to get the most from our IT investment?

Three helpful publications, downloadable for free at http://www.isaca.org, that explain the importance and value of COBIT and Val IT:

1. Val IT Framework 2.0
2. Val IT: Getting Started with Value Management
3. Val IT: The Business Case

TYPES OF CONTROLS

Preventive Controls

Controls that management puts in place to prevent problems from occurring.

Event Identification

Identify possible events that represent a problem to the firm, and then identify appropriate safeguards for those problems.

Scenario Planning (James Cash)

Management identifies various scenarios, ranging from minor concerns to major disasters, that could occur.

Detective Controls

Because preventive controls cannot stop every possible problem from occurring, organizations also need strong detective controls that alert managers when a preventive control fails.

Corrective Controls

Corrective controls are procedures a company uses to solve or correct a problem. A company establishes corrective controls to remedy problems it discovers through its detective procedures.