
Framework for CobiT and Trust Services - Case Study Example

Summary
The paper "Framework for CobiT and Trust Services" is an outstanding example of a finance and accounting case study. The American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA) formed an ad hoc group to address management’s responsibility under Section 404 of the said Act…

Extract of sample "Framework for CobiT and Trust Services"

Background information

The Public Company Accounting Reform and Investor Protection Act of 2002 (more commonly known as Sarbanes-Oxley, Sarbox, or SOX) requires management to include in the annual report an assessment of internal control over financial reporting, made with the use of a suitable framework. Following its signing into law, the American Institute of Certified Public Accountants (AICPA) and the Institute of Internal Auditors (IIA) formed an ad hoc group to address management’s responsibility under Section 404 of the Act. While a number of frameworks that satisfy the Act’s criteria for an effective internal control system have been available, some simply do not adequately assess technology controls (see Coe 2005; What is CobiT Security? 2004).

Because companies rely heavily on IT, the criteria management uses in assessing the effectiveness of their information technology (IT) related controls are particularly important. The matter becomes even more urgent since auditing firms actually have their own versions of security practice, which brings out the realization that companies need more than sound accounting practices to ensure the accuracy and integrity of their financial data. They need to have data security processes (see What is CobiT Security? 2004). It is thus understandable that the audit standards issued by the Public Company Accounting Oversight Board emphasize IT general controls. Further, to meet the requirements of Section 404 of Sarbanes-Oxley, IT management and auditors need a specific IT control framework. On this point the Securities and Exchange Commission (SEC) has cleared the air: the IT control framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements (Coe 2005).
To this end, two suitable frameworks currently available are CobiT and Trust Services. Developed by the Information Systems Audit and Control Foundation (ISACA), the Control Objectives for Information and Related Technology (CobiT) aims to provide a generally applicable and accepted standard for IT security and control practices for management, users, auditors and security practitioners, in keeping with its avowed reason for existence (see Control Objectives for Information and Related Technology 2008). The Trust Services framework is designed by the American Institute of Certified Public Accountants / Canadian Institute of Chartered Accountants (AICPA/CICA) and is based on a set of principles and criteria that constitute professional guidance and serve as best practices for system reliability, which CPAs can use in assessing the reliability of a company’s IT system (Coe 2005).

What are frameworks?

Before discussing these two frameworks, it may be good to elaborate briefly on what is meant by “framework(s)”. These frameworks are not audit software. They are neither an audit plan nor an IT internal audit work program. Likewise, they are not audit testing plans or guides on how to audit an IT system. Rather, these frameworks are methodologies consisting of standards and controls crafted to assist IT professionals in the implementation, review, administration, and monitoring of an IT environment. They are tools to link IT and control practices, and they consolidate and harmonize standards from renowned global sources into a critical source for management, control professionals and auditors (cf. Kowal).

The CobiT

Meticulous as it is, the current version of CobiT (4.1) has thirty-four (34) high-level processes covering two hundred ten (210) control objectives, categorized in the four domains of Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
Every process of CobiT has a numerical level of maturity from 0 to 5, where 0 is non-existent and 5 is optimized. This scale can be used for a number of key evaluations, such as the level of maturity a process is currently at within an organization, what level of maturity the processes should be at, what level is considered best practice, and what level the best of the competitors or other organizations have achieved (Control Objectives for Information and Related Technology 2008; further details are provided in other websites listed in the Reference page of this report).

Managers, auditors and users all benefit from CobiT. Managers profit from CobiT as it provides them with a foundation upon which IT-related decisions and investments can be based. Managers are also helped to better understand their IT systems through its definition of a strategic IT plan and the information architecture, the acquisition of the necessary IT hardware and software for execution of an IT strategy, and the monitoring of IT system performance. IT users can take advantage of CobiT because it provides them an assurance of defined controls, security and process governance. Finally, auditors are helped as the framework identifies IT control issues within a company’s IT infrastructure and corroborates their audit findings (Control Objectives for Information and Related Technology 2008).

As it helps close the gaps between business needs, risks, control, and security through the improvement of safeguards and controls throughout the IT process, CobiT is increasingly accepted as good practice for control over IT and related risks in compliance with Sarbanes-Oxley. The primary reason is that CobiT’s objectives have been mapped to COSO (see IT Control Objectives for Sarbanes-Oxley), and to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft.
This mapping and related guidance provides CobiT framework references and methodologies for auditing and testing the major ERP systems (Coe 2005).

The Trust Services

While CobiT is an excellent comprehensive framework for assessing IT controls, there are companies that need a narrower framework. For these, Trust Services is available; it focuses on the controls that are in place to ensure the company’s systems carry out business processes reliably (Coe 2005). Used by SysTrust and WebTrust, the principles and criteria of Trust Services are meant to address the risks and opportunities related to IT. With SysTrust, public accounting firms and practitioners are provided assurance on the reliability of a system using any of the Trust Services principles and criteria. With WebTrust, public accounting firms and practitioners are provided assurance services to evaluate and test whether a particular e-commerce service meets the selected Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization’s website after the engagement and indicates the practitioner’s unqualified opinion (see Trust Services; more technical details may be found in the websites listed in the Reference page of this report).

Who may use these frameworks?

The use of these frameworks depends on the size of an entity. Unless one is a large enterprise, it is unlikely that one is going to implement the frameworks’ entire process. The rigorous process that a full-blown implementation of either the CobiT or the Trust Services framework produces, for instance, could be considered overkill and/or could require more personnel to implement than are currently on the IT staff of many companies. Similarly, some control objectives are not applicable to all organizations. But for any company, large or small, these frameworks are a great resource to help determine the strategic areas of IT that one may be overlooking.
One will most likely find the control objectives documentation especially helpful as a place to start developing a process to help manage risk and address security as a business function. Whatever the size of the company, it is recommended that management follow the general principles of these frameworks and establish a process to assess, manage and minimize risk throughout their IT organization (What is CobiT Security? 2004).

The cost

An important caveat, though, is that already in 2004 meeting the requirements of Section 404 of Sarbanes-Oxley, or implementing either CobiT or Trust Services, had cost public companies an average of 62% more than the initial anticipated cost. The increase is said to stem from a 109% rise in internal costs, a 42% jump in external costs and a 40% increase in the fees charged by external auditors (Coe 2005, citing a 2004 survey by Financial Executives International [www.fei.org]).

Concluding point

Meeting the IT control aspects of the internal control assessment that Sarbanes-Oxley requires poses a practical challenge to CPAs. As companies will need to decide on the framework that is most appropriate for their needs, either CobiT or Trust Services is a useful option that CPAs will find particularly helpful when the overall framework they use does not pay sufficient attention to IT issues (Coe 2005).

References:

Campbell, P 2005, A COBIT® Primer, online, retrieved 26 August 2009, from http://www.osti.gov/bridge/servlets/purl/876368-0rg5R7/876368.PDF.

Coe, M 2005, Trust services: a better way to evaluate IT controls, online, retrieved 26 August 2009, from http://www.journalofaccountancy.com/Issues/2005/Mar/TrustServicesABetterWayToEvaluateITControls.htm

Control Objectives for Information and Related Technology, 2008, online, retrieved 25 August 2009, from http://itgovernance.co.uk/cobit.aspx.

IT Control Objectives for Sarbanes-Oxley, online, retrieved 27 August 2009, from http://www.isaca.org/Template.cfm?Section=Research2&CONTENTID=45767&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Kowal, L, Cobit for internal auditors, online, retrieved 26 August 2009, from http://www.nysscpa.org/committees/emergingtech/cobit.ppt.

Overview of trust services, online, retrieved 25 August 2009, from http://www.webtrust.org/overview-of-trust-services/pf_item27815.aspx

Public Company Accounting Reform and Investor Protection Act of 2002.

Trust services, online, retrieved 25 August 2009, from http://www.sas70.com/trustservices.html.

What is CobiT?, online, retrieved 26 August 2009, from http://www.ezcobit.com/UsingCobit/html/.

What is Cobit Security and when might you need to apply it? 2004, online, retrieved 26 August 2009, from http://www.skyviewpartners.com/pdf/COBIT_Security.pdf.