Committee of Sponsoring Organizations of the Treadway Commission - Research Paper Example

? Industry-Standards Models Committee of Sponsoring Organizations of the Treadway Commission (COSO) It was formed in the year 1985 to sponsor the work of Treadway commission. COSO sponsors include American Accounting Association (AAA), Financial Executives Internal (FEI), Institute of Internal Auditors (IIA), AICPA and Institute of Management Accountants (IMA). It is based on the need to improve internal controls so as to prevent cases of financial frauds. The auditing standards No. 2 has recommended the COSO model to act as a tool to be used by both internal and external auditors in evaluating internal controls (Singleton, Singleton & Bologna, 2006). However the evaluation of the internal controls involves mostly those that are related to information systems and entity as well as its environment (Singleton, Singleton & Bologna, 2006). It is normally operated by an IT auditor who understands COSO model and is able to apply it in financial auditing during the evaluation of internal controls. Elements of the COSO Model Control environment. It is a view of the internal controls from the perspective of the entity including the environment created for processes of business and controls internally and influences of this environment on whether it is able to maintain an effective internal control system. Ways in which control environment is evaluated with regard to risks associated with it include enforcement and communication of ethical values and integrity, commitment to competence, participation of people who are charged with governance, management’s style philosophy and assignment of authority and responsibility (Singleton, Singleton & Bologna, 2006). Risk assessment: It refers to the ability of an entity to asses risks properly and, for those risks that are major, mitigates them up to a level that is acceptable through the use of controls. Risks may be introduced through various ways including changing of the operating environment, new information systems, and employment of a modern information systems, rapid growth and pronouncement of new accounting. Information and communication: It involves communicating information on financial reporting accurately and in a timely manner to decision makers and managers. The various ways in which it can be evaluated in regard to the associated risks include systems that support identification, then capture then exchange information in a manner and time frame that will allow personnel to undertake their responsibilities, financial reporting information, internal communication, internal control information and external communication (Singleton, Singleton & Bologna, 2006). Control activities: These refer to actual controls themselves. The evaluation of these control activities involves various ways including general controls, application controls and physical controls. Controls are evaluated at three levels which include: design effectiveness, operational effectiveness and implementation (Singleton, Singleton & Bologna, 2006). Monitoring: It refers to the ability of an entity to effectively monitor the controls since they operate on a daily basis, individually and also cooperate with other controls. Various ways in which monitored control effectiveness are evaluated include separate and ongoing evaluations concerning internal controls over financial reporting, deficiencies that are identified and reported, assessment of the quality of internal controls performance over a given period of time, putting procedures in place so as to adjust the control system as required and utilizing relevant information that is external or independent monitors (Singleton, Singleton & Bologna, 2006). Control Objectives for Information and related Technology (COBIT) It was first issued by the IT Governance Institute, ITGI and Information systems Audit and Control Association, ISACA in the year 1998. It is regarded as de facto standard in IT Governance maturity assessment. A lot of knowledge is needed on this framework and therefore it makes it harder for it to be frequently used by practitioners. Also, the connection between goodness determined of the activity and how it is reflected in the maturity featured model is not specified. It is designed to provide assurance that is reasonable that the objectives of the business will be achieved, and the events that are undesired events can be detected or prevented and corrected (IT Governance Institute, 2007). Elements of COBIT Control objectives: It involves the definitions of the minimum set of controls. For each an every process, control objectives that are detailed are identified as the controls that are minimum needed to be in place. Those controls are assessed to determine whether they are sufficient by professional of controls (IT Governance Institute, 2007). Audit guidelines: It identifies those tasks that are supposed to be performed when assessing control objectives within a process. They are important in obtaining an understanding, evaluation, assessing compliance and substantiating the risk. They allow easy application of the COBIT framework and control objectives for activities of auditing. However, for them to be sufficient they must be tailored and adapted for use in a given audit environment (IT Governance Institute, 2007). Management guidelines: This involve benchmarking the practices of IT control that are expressed mostly as maturity models, performance indicators of the processes of IT and success factors that are critical for ensuring that these processes are under control (IT Governance Institute, 2007). Maturity model: It is a profile of enterprises with regard to IT governance as well as control. It also enhances benchmarking (IT Governance Institute, 2007). Differences between COSO and COBIT The primary audience for COBIT includes the management, information system auditors and users while the audience for COSSO includes the external auditors only. The focus of COBIT is mainly on Information Technology while that of COSSO is mainly on financial statement. The domains for COBIT include planning and organization, delivery and support monitoring and acquisition and monitoring while the components for COSO include Control Environmen risk Assessment control Activities, information and communication monitoring. The size of the Cobit document is 187 pages in four documents while that of COSSO is ^# pages in two documents (Teyn, 1990). Comparison between COSO and COBIT They are both set of processes including procedures, polices, organizational structures and practices. Internal controls effectiveness is evaluated for a period of time in both models. Responsibility for internal control system is on the management in both models. Both documents build on contributions of previous documents (Teyn, 1990). My judgment COBIT is global and involves a collection of control objectives that are validated and organized into domains and processes that are linked to the requirements of the business. COSO present a definition of internal controls that is common and emphasizes that they help organizations achieve an efficient and effective operations. Though both are good standards for the process and tracking control, I would pick on COSO since it is a more detailed IT standard References IT Governance Institute. (2007). COBIT® control practices: Guidance to achieve control objectives for successful IT Governance. Rolling Meadows, IL: IT Governance Institute. Singleton, T., Singleton, A., & Bologna, G. J. (2006). Fraud Auditing and Forensic Accounting. Hoboken: John Wiley & Sons. Teyn, S. (1990). A comparison of internal controls, with specific reference to COBIT, SAC, COSO AND SAS 55/78. Read More