The COSO 2013 internal control integrated framework clearly presents the framework, the five control components, and seventeen principles for enterprise-wide internal control.
It speaks clearly to the responsibilities for financial stewardship and reliable financial reporting, focusing on governance and management accountability.
But the nature of the framework is such that it cannot delve directly into the many areas of specific and individual responsibility.
Guidance for the board and executives clearly includes technology control awareness, but the framework cannot cover specific technology risk areas such as protection of sensitive data in technology components, or the management of accountabilities across outsourced or cloud-based processes and systems, or the impacts of social media.
Because of the emphasis on financial accountability, it is incumbent on technology professionals to ensure technology risks and controls are communicated to the enterprise governance level in terms of not only operations, performance, and compliance – but also the financial implications of technology risk areas.
This responsibility may include educating executives and board members on the potential financial consequences and probability of failure to manage specific risks like vulnerability to cyber-attack, or non-compliance with important requirements like privacy or the Payment Card Industry’s Data Security Standard (PCI DSS).
Many areas of specific technical IT controls and monitoring can directly impact major financial risks. The potential compromise of intellectual property, disclosure of sensitive or personal information, and failure to provide effective incident response and recovery are only a few of the high-risk IT control areas to be addressed in an IT general controls audit.
This presentation focuses on the importance of keeping the enterprise system of internal control in mind when assessing the specific controls relevant to IT management.
The ongoing responsibility of the auditor is to know enough about technology risks and their potential impacts to be able to focus on the areas of greatest risk – while not ignoring other areas of significant risk. It also helps to be aware of the available tools and solutions for managing IT processes and their related risks.