Governance SPICE. Using COSO and COBIT Process Assessment Models BPM GOSPEL

Similar documents
ECQA Certified Profession. Governance SPICE Model. Internal Financial Control Assessor Training Programme

Applying Integrated Assurance Management Scenarios for Governance Capability Assessment

CGEIT Certification Job Practice

Translate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests.

Business Context of ISO conform Internal Financial Control Assessment

COBIT 5. COBIT 5 Online Collaborative Environment

COBIT. IT Governance CEN 667

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

COBIT 5. COBIT 5 Online Collaborative Environment

September 17, 2012 Pittsburgh ISACA Chapter

IT and Security Governance. Jacqueline Johnson

ISO/IEC Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance

COBIT 5. COBIT 5 Online Collaborative Environment

Fraud Risk Management

APPENDIX O CONTRACTOR ROLES, RESPONSIBILITIES AND MINIMUM QUALIFICATIONS

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

The table below compares to the 2009 Essential Elements and the 2018 Enhanced Data Stewardship Elements

6. IT Governance 2006

ISACA All Rights Reserved.

ISACA Systems Implementation Assurance February 2009

Risk Management Culture: The Linkage Between Ethics & Compliance and ERM September 14, 2009

Deloitte Governance Framework and Maturity Model

COSO ERM: Integrating with Strategy and Performance. Michael Parkinson

CGEIT ITEM DEVELOPMENT GUIDE

10 metrics for improving the level of management. Pekka Forselius, Senior Advisor, FiSMA ry Risto Nevalainen, Senior Advisor, FiSMA ry

The COSO Risk Framework: A reference for internal control? Transition from COSO I to COSO II

CGEIT QAE ITEM DEVELOPMENT GUIDE

Business Benefits by Aligning IT best practices

Topics. Background Approach Status

Road to Self Governance

FROM ERP TO COBIT MOVING TOWARD MATURE OF- THE-SHELF INFORMATION SYSTEMS. A Toy Example A Small Detergent Manufacturing Co.

Governance, COBIT and the Cloud a match made in the sky! Robert E Stroud CGEIT International Vice President ISACA Treasurer, Director Audit,

Changes Reviewed by Date. JO Technology Manager - Samer Huwwari JO Manager, Risk & Control Technology: Issa Laty. CIO, Jordan- Mohammad Aburoub

Service management. The future. Colin Rudd FBCS, CITP, CEng, FLPI, (Copenhagen September 2013)

Sarbanes-Oxley: Company Case Study - Viacom Inc. IT General Controls - Sustaining Compliance Efforts. Anthony Noble VP, IT Internal Audit

Annex 1 (Integrated frameworks on Business/IT alignment) Annex 2 Goals Cascade, adapted from COBIT5

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

B U S I N E S S R I S K M A N A G E M E N T L T D

TABLE OF CONTENTS 2. INFORMATION TECHNOLOGY IN A BUSINESS ENVIRONMENT 15

Modernizing compliance: Moving from value protection to value creation

Statement on Risk Management and Internal Control

Risk Advisory Services Developing your organisation s governance for competitive advantage

Enterprise Risk Management: Aligning Risk with Strategy & Performance June 26, :45 p.m. 4:45 p.m.

Enterprise Digital Architect

Appendix A. Simplified Sample Entity-Level Control Matrices

Community Bankers Conference

Risk Management Strategy

RSA ARCHER IT & SECURITY RISK MANAGEMENT

Quick Guide: Meeting ISO Requirements for Asset Management

Internal Control Integrated Framework. An IAASB Overview September 2016

Internal Control Integrated Framework. An IAASB Overview September 2016

pwc.co.uk Enterprise Risk Management

What is ISO/IEC 20000?

Practices in Enterprise Risk Management

Fear, Uncertainty, Doubt

Recognizing your needs

International Civil Aviation Organization FIRST INFORMATION MANAGEMENT PANEL (IMP/1) Montreal, Canada January, 25 30, 2015

20 Years in the Making. Meet the New ICIF: Revisions to COSO s Internal Control Integrated Framework. Dr. Sandra Richtermeyer COSO Board Member

Implementation of the CO BIT -3 Maturity Model in Royal Philips Electronics

COBIT 5. COBIT 5 Online Collaborative Environment

ISO Standards in Strengthening Organizational Resilience, Mitigating Risk & Addressing Sustainability Concerns

Enterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015

Information Privacy and Cybersecurity in a King IV World

The purpose of this document is to define the overall IT Strategy for the period 2016 to 2021

Risk Management in Istat: from the project to the process

International Standards for the Professional Practice of Internal Auditing (Standards)

A Vision of an ISO Compliant Company by Bruce Hawkins, MRG, Inc.

EVALUATION OF INFRASTRUCTURE INFORMATION TECHNOLOGY GOVERNANCE USING COBIT 4.1 FRAMEWORK

Strengthening Your Enterprise Risk Management Process

An Overview of the 2013 COSO Framework. August 2013

CORROSION MANAGEMENT MATURITY MODEL

INTERNAL CONTROLS ON OUR CAMPUS. Kara Kearney-Saylor Director of Internal Audit, UB

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Washington Metropolitan Area Transit Authority Board Action/Information Summary

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Quality Assurance and Improvement Program

Director Training and Qualifications

Technology s Role in Enterprise Risk Management

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Advisory Services Governance, Risk & Compliance

Enterprise Risk Management Discussion American Gas Association Risk Management Committee Meeting

Implementation Tool for Auditors

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

INTERNAL AUDIT PLAN AND CHARTER 2018/19

Risk Management Policy

VIRGINIA POLYTECHNIC INSTITUTE AND STATE UNIVERSITY COMPLIANCE, AUDIT, AND RISK COMMITTEE OF THE BOARD OF VISITORS COMPLIANCE, AUDIT, AND RISK CHARTER

Braindumps COBIT5 50q

DIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015

UoD IT Job Description

Regulatory Reporting: Implementing the proposed MAS Notice 610. Navigating the regulatory reporting and data challenge

Internal Financial Controls (IFC) ICAI Seminar October 8, 2016

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

If It s not a Business Initiative, It s not COBIT 5

Executive Summary THE OFFICE OF THE INTERNAL AUDITOR. Committee Meeting, June 19, 2017 Board of Governors Meeting, June 20, 2017.

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Transcription:

Governance SPICE Using COSO and COBIT Process Assessment Models Linking Governance to Sustainable Value Creation BPM GOSPEL (LLP-LDV-TOI-2010-HU-001) This project has been funded with support from the European Commission. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein. János Ivanyos Memolux Ltd. ivanyos@memolux.hu Dr. József Roóz Budapest Business School rooz.jozsef@bgf.hu

Topics Governance SPICE (2005-2012) COBIT/COSO Performance Measurement Governance Capability - Mapping COSO Objectives with ISO/IEC 15504 Capability Levels COSO & COBIT as Process Reference Models Linking Governance to Sustainable Value Creation Governance Model for Trusted Businesses Multi-layer business assurance technology Developing case studies for learning and coaching SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 2

Governance SPICE (2005-2012) Refers to Governance, Risk and Controls (OECD Principles, Regulations, Audit Standards) based on different concepts (IA-Manager 2005-2007) Recognized Control Frameworks (COSO&COBIT) Risk Tolerance and Risk Appetite (COSO ERM) Performance Measurement (COBIT) Process Capability Assessment (ISO/IEC 15504-2) Evaluating Process-related Risk (ISO/IEC 15504-4) Organizational Maturity (ISO/IEC TR 15504-7) by using multilingual ontology (MONTIFIC 2008-2010) Terminology database Ontology model to leverage sustainable value creation (GOSPEL 2010-2012) Governance Model for Trusted Businesses Multi-layer business assurance technology SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 3

Validation of Governance SPICE Competencies Governance, Risk and Controls SPICE Audit SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 4

Using COSO & COBIT Process Assessment Models Measurement Framework COSO Objective Categories COBIT Performance Drivers Risk Tolerance Risk Appetite Strategic high-level goals, aligned with and supporting entity s mission Operations effective and efficient use of entity s resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations COSO 20 Control Processes Strategic Goals drivenby the outcome measures of Established IT processes Effective and efficient business operation driven by the outcome measures of Managed IT Processes Reliable IT operation driven by the outcomemeasures of Performed IT Processes IT Goals driven by the outcome measures of IT Activities COBIT 34 ITGC Processes GOVERNANCE SPICE Business Processes Financial Reporting Activities Business Process Models SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 5

Business goals Maintain enterprise reputation and leadership Number of incidents causing public embarrassment COBIT IT goals Ensure that IT services can resist and recover from attacks Number of actual IT incidents with business impact driven by Process goals Activity goals focusing on achieved by Understand security requirements, vulnerabilities and threats Detect and resolve unauthorised access Frequency of review of the type of security events to be monitored driven by Number of actual incidents because of unauthorised access driven by COBIT Performance Measurement 6

Evidencies Focusing on Objectives categories Assessments Effectiveness goals Strategic COSO Objectives Metrics Efficiency goals Organizational levels Policies Standardization goals Operations Procedures Deployment goals Workprograms Workproducts Management goals Documentation goals Reporting Operational levels Operational levels Activities Process goals Compliance 7

Evidencies Focusing on Objectives categories Assessments Effectiveness goals Strategic COSO Objectives Metrics Efficiency goals Organizational levels Policies Standardization goals Procedures Deployment goals Operations Outcome measures Workprograms Management goals Reporting Operational levels Workproducts Documentation goals Operational levels Activities Process goals Compliance 8

Evidencies Focusing on Objectives categories Assessments Effectiveness goals Strategic COSO Objectives Metrics Efficiency goals Organizational levels Policies Standardization goals Procedures Deployment goals Operations Performance drivers Workprograms Management goals Reporting Operational levels Workproducts Documentation goals Operational levels Activities Process goals Compliance 9

Strategic COSO OBJECTIVES high-level goals, aligned with and supporting entity s mission processes consistently enactedwithin defined limits COSO ERM Internal Control define driven by Operations effective and efficient use of entity s resources defined processes used based on standard process Level 3 Established are based on reliable Reporting are achieved by performing Compliance compliance with applicable laws and regulations reliability of reporting implemented processes achieving process purpose driven by mananged managed processeswith established, controlled and maintained work products Level1 Performed driven by Level 2 Managed ISO/IEC 15504 CAPABILITY LEVELS 10

ISO/IEC 15504 Capability Levels The process is continuously improved to meet relevant current and projected business goals. Level 5 Optimizing process PA 5.1 Process Innovation PA 5.2 Process Optimization The process is enacted consistently within defined limits. Level 4 Predictable process PA 4.1 Process Measurement PA 4.2 Process Control A defined process is used based on a standard process. Level 3 Established process PA 3.1 Process Definition PA 3.2 Process Deployment Level 2 Managed process PA 2.1 Performance Management PA 2.2 Work Product Management The process is managed and work products are established, controlled and maintained. Level 1 Performed process PA 1.1 Process Performance The process is implemented and achieves its process purpose. Level 0 Incomplete process The process is not implemented or fails to achieve its purpose. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 11

ISO/IEC 15504 Capability Levels and COSO The process is continuously improved to meet relevant current and projected business goals. Level 5 Optimizing process PA 5.1 Process Innovation PA 5.2 Process Optimization STRATEGIC The process is enacted consistently within defined limits. Level 4 Predictable process PA 4.1 Process Measurement PA 4.2 Process Control COSO A defined process is used based on a standard process. RELIABLE REPORTING Level 3 Established process PA 3.1 Process Definition PA 3.2 Process Deployment Level 2 Managed process PA 2.1 Performance Management PA 2.2 Work Product Management OPERATIONS The process is managed and work products are established, controlled and maintained. Level 1 Performed process PA 1.1 Process Performance The process is implemented and achieves its process purpose. COMPLIANCE Level 0 Incomplete process The process is not implemented or fails to achieve its purpose. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 12

ISO/IEC 15504 Capability Levels and COBIT The process is continuously improved to meet relevant current and projected business goals. Level 5 Optimizing process PA 5.1 Process Innovation PA 5.2 Process Optimization STRATEGIC GOALS The process is enacted consistently within defined limits. Level 4 Predictable process PA 4.1 Process Measurement PA 4.2 Process Control COBIT A defined process is used based on a standard process. RELIABILITY GOALS Level 3 Established process PA 3.1 Process Definition PA 3.2 Process Deployment Level 2 Managed process PA 2.1 Performance Management PA 2.2 Work Product Management BUSINESS GOALS The process is managed and work products are established, controlled and maintained. Level 1 Performed process PA 1.1 Process Performance The process is implemented and achieves its process purpose. IT GOALS Level 0 Incomplete process The process is not implemented or fails to achieve its purpose. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 13

Mapping Objectives Outcome Measures with Capability Levels Level 4 Predictable process PA 4.1 Process Measurement PA 4.2 Process Control Level 3 Established process PA 3.1 Process Definition PA 3.2 Process Deployment Level 2 Managed process PA 2.1 Performance Management PA 2.2 Work Product Management Level 1 Performed process PA 1.1 Process Performance SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 14

Terminology Mapping ISO/IEC 15504 COSO COBIT Process Category Component Domain Process Principle Process Process Name Principle name Process name Process Purpose Principle description IT goal Process Outcome Attribute Activity goal Base Practice Approach Control Objective Work Product - Input/Output SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 15

COBIT processes Plan and Organize (PO) PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Acquire and Implement (AI) AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Infrastructure AI4 Enable Operation and Use AI5 Procure IT Resources AI6 Manage Changes AI7 Install and Accredit Solutions and Changes Deliver and Support (DS) DS1 Define and Manage Service Levels DS2 Manage Third-party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration DS10 Manage Problems DS11 Manage Data DS12 Manage the Physical Environment DS13 Manage Operations COSO processes Control Environment (CE) Integrity and Ethical Values (IEV) Oversight Board (OB) Management s Philosophy and Operating Style (MPO) Organizational Structure (OS) Financial Reporting Competencies (FRC) Authority and Responsibility (AR) Human Resources (HR) Risk Assessment (RA) Financial Reporting Objectives (FRO) Financial Reporting Risks (FRR) Fraud Risk (FR) Control Activities (CA) Integration with Risk Assessment (IRA) Selection and Development of Control Activities (SD) Policies and Procedures (PD) Information Technology (IT) Information and Communication (IC) Financial Reporting Information (FRI) Internal Control Information (ICI) Internal Communication (IC) External Communication (EC) Monitoring (MO) Ongoing and Separate Evaluations (OSE) Reporting Deficiencies (RD) Monitor and Evaluate (MO) ME1 Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Compliance With External Requirements ME4 Provide IT Governance 16

COSO-based Process Assessment Model SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 17

ISO/IEC 15504 conform process definition of a COSO Principle Process ID IFC.CE.IEV Process Name Integrity and Ethical Values Process Purpose Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting. Process As a result of successful implementation of IFC.CE.IEV process: Outcomes 1) Values articulated Top management develops a clearly articulated statement of ethical values that is understood at all levels of the organization. 2) Adherence monitored Processes are in place to monitor adherence to principles of sound integrity and ethical values. 3) Deviation addressed Deviations from sound integrity and ethical values are identified in a timely manner and appropriately addressed and remedied at appropriate levels within the organisation. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 18

ISO/IEC 15504 conform base practice descriptions from COSO SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 19

ISO/IEC 15504 conform definition of a COBIT process Control over the IT process of Define a strategic IT plan that satisfies the business requirement for IT of by focusing on is achieved by Process sustaining or extending the business strategy and governance requirements whilst being transparent about benefits, costs and risks incorporating IT and business management in the translation of business requirements into service offerings, and the development of strategies to deliver these services in a transparent and effective manner Engaging with business and senior management in aligning IT strategic planning with current and future business needs Understanding current IT capabilities Providing for a prioritisation scheme for the business that quantifies the business requirements Purpose Related Practices Outcomes and is measured by Percent of IT in the IT strategic plan that support the strategic business plan Percent of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plans Delay between updates of IT strategic plan and updates of IT tactical plans SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 20

COBIT PAM (Exposure Draft 12 Apr 2011) SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 21

Linking Governance to Sustainable Value Creation??? SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 22

Setting Governance Objectives Supporting Organization s Internal Control System Risk Awareness Accountability Competency Accuracy Process Integrity Data Protection Commitment Control Efficiency Supporting Business Sustainability Competitiveness Exploitability Satisfaction SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 23

Determining Application Process for a Governance Objective (Accuracy) Governance Objective Key Risk Risk Factors Responses Applicable COSO&COBIT processes Application Practices Information architecture is inconsistent with processing requirements Maintaining effective information architecture and data model Define the Information Architecture (COBIT) Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes. 4. Accuracy / Information Reliability Ensured Inconsistency in data architecture and disclosure elements Non-compliance with rules and regulations are not detected in time Availability and quality of control information are not sufficient Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud Control information for automated process settings, data manipulations and calculations are maintained systematically Financial Reporting Information (COSO) Internal Control Information (COSO) Pertinent information is identified, captured, used at all levels of the organisation, and distributed in a form and timeframe that supports the achievement of the organization s financial reporting and trusted business. Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 24

Information Reliability Governance Process (Accuracy Objective) Process ID Process Name Process Purpose Process Outcomes GOV.IR Information Reliability The purpose of the Information Reliability process is to ensure the accuracy and consistency in data architecture and disclosure elements relevant for financial reporting and trusted business, and for supporting data processing integrity. NOTE1: The Information Reliability process is a special application of the COSO 2006 and COBIT 4.1 models in the context of the Accuracy governance objective. Thus this process is denoted an Application Area. The practices, called application practices, are implemented using selected processes based on the COSO 2006 principles and the COBIT 4.1 framework in the context of this special application. This facilitates the re-use of the elements of the COSO 2006 and COBIT 4.1 based reference models without recreating processes that are already well established. NOTE2: The descriptions of the COBIT 4.1 processes and the COSO 2006 Principles are applicable to define ISO/IEC 15504 conformant process reference models and process performance indicators for assessing process capability according to the ISO/IEC 15504 standard. As a result of successful implementation of the Information Reliability process the following service governance are achieved: 1) Effective information architecture and data model are maintained. 2) Information is systematically collected and assessed to detect compliance issues, privacy problems and fraud. 3) Control information for automated process settings, data manipulations and calculations are maintained systematically. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 25

Using Define the Information Architecture COBIT Process as an Application Practice Application practice AP01 Ensure the integrity and consistency of all data stored in electronic form. Satisfy the business requirement of being agile in responding to requirements; provide reliable, consistent information, and seamlessly integrate applications into business processes. [Outcome: 1] NOTE1: This practice is implemented by performing practices (control ) of the COBIT 4.1 Define the Information Architecture process with a specific focus on how governance supports internal control over financial reporting and business operation: PO2.1 Create and maintain enterprise information model. Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure. PO2.2 Create and maintain enterprise data dictionary (ies). Maintain an enterprise data dictionary that incorporates the organisation s data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created. PO2.3 Establish and maintain data classification scheme. Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption. PO2.4 Manage data integrity. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 26

Information Reliability - Governance Process using COSO&COBIT Relationship Notes Sources The relationships between the Information Reliability process and application practices, and other processes in COSO 2006 and COBIT 4.1 models, have been noted for each practice above. This innovative concept of including Application Areas in a process assessment model instantiates the idea of using already established processes with respect to a particular application. (Like in Enterprise SPICE) COBIT 4.1: PO2 Define the Information Architecture COSO 2006: IFC.IC.FRI Financial Reporting Information, IFC.IC.ICI Internal Control Information References Control Objectives for Information and related Technology - COBIT 4.1 Copyright 2007 by the IT Governance Institute. 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA. All rights reserved. Internal Control over Financial Reporting Guidance for Smaller Public Companies Copyright 2006 by The Committee of Sponsoring Organization, C/O AICPA, Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311 3881, USA. All rights reserved. SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 27

BPM GOSPEL: Multi-layer business assurance technology Concept of 4 layers in BPM GOSPEL: Transaction Processing Memolux Payroll system Workflow/Control Management ADAMAS by GEMMA Ltd. Compliance/Audit Management Stages Governance Edition by Method Park AG Certification Capability Advisor by ISCN SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 28

Using Stages Governance Edition for Compliance/Audit Management SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 29

BPM GOSPEL Case Studies (by end of 2011) Different approaches for demonstrating added business value are considered per industry needs mapping them to Governance, for example: Memolux payroll SOC1&SOC2 Gemma ESF grant management Method Park - Business SPICE for big company BBS - Short Cycle Higher Education ISCN - ECQA Job-role Committee management per (set of) governance Top five based on presentable added values Participation interest from workshop community is welcome! SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 30

Topics covered Governance SPICE (2005-2012) COBIT/COSO Performance Measurement Governance Capability - Mapping COSO Objectives with ISO/IEC 15504 Capability Levels COSO & COBIT as Process Reference Models Linking Governance to Sustainable Value Creation Governance Model for Trusted Businesses Multi-layer business assurance technology Developing case studies for learning and coaching More information: www.ia-manager.org Thank you for your attention! SPICE Assessors Workshop Community at the 18th EuroSPI Conference, Roskilde University, Denmark, 27-29 June 2011 31

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback