Today, any business that handles money (which is nearly every business) has faced, or is at least aware of, high-profile internal and external risks such as insider trading, financial malpractice and fraud. Several control and assurance frameworks have emerged to keep these risks in check; COSO and COBIT are two of the most important.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, while COBIT stands for Control Objectives for Information and Related Technologies.
In this article we go through the general idea of what these frameworks are, the circumstances that created the need for them, and how, with the necessary tailoring, they can support internal control over your audits, risks and other regulatory compliance obligations.
Working on your business with the COSO framework
The COSO framework defines internal control as:
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
When implemented in a business, the following five components play a key role in ensuring effective internal control toward the various business targets (strategic and other objectives):
- Control Environment: ethical values, integrity and a commitment to competence. The organization's structure, its working methods, the way responsibility and roles are assigned, and other human-resource policies fall under this component.
- Risk Assessment: both individual process objectives and larger company-wide objectives require risk analysis at each step; together these analyses make up risk assessment.
- Information and Communication: effective and honest exchange of information between internal and external parties is another crucial factor.
- Control Activities: the policies and procedures that ensure management's directives are carried out, such as approvals, reconciliations and segregation of duties, securing the functioning of applications and networks, and laying out and executing the procedures needed for business backups and outsourcing.
- Monitoring: ongoing monitoring of processes and reporting of any deficiencies identified go hand in hand.
These components work together to ensure healthy internal control over the company's operations and aim to create shared values of autonomy and accountability for control. A control can be fully automated, partially automated or manual. Regular analysis and identification at each level of each process and operation help to update the design of control mechanisms so that they respond to, and correct, any significant risk activity.
One essential merit of the framework is the routine followed at each step, which helps close any existing loophole that could be abused.
What's special about COBIT framework?
The COBIT framework is aligned with the guidelines of COSO, ITIL, TOGAF and other frameworks. Besides helping with regulatory compliance and risk management, it lets the company's IT function gain a better understanding of the business and operate more efficiently and effectively.
The model provides methods to check whether existing IT practices comply with business requirements and objectives, and it facilitates the documentation and development of tools, procedures and structural plans for the constructive management of IT practices.
Elements & Functionalities of COBIT
A tool kit is available as a built-in feature of COBIT for complying with different regulatory schemes; it comprises the following parts:
- Framework
- Control Objectives
- Audit Guidelines
- Management Guidelines
Working on your business with the COBIT framework
The way COBIT helps a company align with the law with greater agility can be understood as a union of five basic building blocks (COBIT 5 calls them principles):
- Defining the structure (covering the enterprise end to end): bringing together the business requirements and IT practices so that both are taken into account when working on enterprise risk management (ERM).
- Catering to stakeholders' needs: decisions about the organization's resources should consider both ends, those who bear the risks and those who receive the benefits.
- Integration of frameworks: mapping the various business standards into one single governance and management methodology for the enterprise.
- Management directives (a holistic approach): guidelines to assign roles and responsibilities, settle on common objectives and KPIs, and integrate the different processes and people that govern the enterprise.
- Distinguishing governance from management: governance (evaluating, directing and monitoring, typically the board's responsibility) is kept separate from management (planning, building, running and monitoring activities in line with that direction).
Aligning with COBIT lets the company use gap analysis to align with other frameworks, including COSO, and so avoid inconsistencies arising from differing compliance requirements across frameworks.
Points to Remember
On the ground, organizations rarely use the raw COSO or COBIT frameworks; instead they perform a gap analysis of their existing control framework, taking inspiration from COBIT and COSO. The structures above are frequently used as a reference for assessing the effectiveness and sufficiency of internal control.
In fact, while implementing these frameworks you should keep in mind that these models are intended for guidance and have been deliberately written in a generic form. It is vital to understand your organization's value chain, its customers, its control environment and the risks of operating without the required norms and standards of internal control, and then to build the framework accordingly.