2009-11-24

COSO (III): Guidance on Monitoring Internal Control Systems

PIKW has obtained the rights to translate and publish the latest COSO publication: Guide - How to Monitor Internal Control Systems

COSO (III): Internal Control - Integrated Framework: "Guidance on Monitoring Internal Control Systems".

The latest COSO publication is "Guide - How to Monitor Internal Control Systems".

Nearly 10 years after PIKW first published the Polish version of COSO I, "Internal Control - Integrated Framework", it was revised and reissued by PIKW in 2008. It remains the leading document on knowing and understanding what internal control is in any organization.

However, management lacked more specific guidance on how to monitor the internal control system in its organization and how to ensure that it is effective. For several years, whether through statutes, directives, standards, or the requirements of corporate governance codes, monitoring and improving internal control systems, and reporting on them, has become an obligation of the governing bodies of companies and organizations, as well as a task for auditors (internal and external) and for bodies such as audit committees.

That is why COSO developed this new guide. It consists of three volumes:

1. "Guidance", that is, the guidance or "guide",

2. "Application", that is, the application or implementation of that guidance, and

3. "Examples", that is, examples of how to apply the guidance in various types of organizations.

We have already begun work on the Polish edition, and it should be available from PIKW in the second quarter of 2010.

While on the subject of internal control, I would like to remind readers that they can join the Polish Chapter of "The Institute for Internal Controls" and earn its professional qualifications: CICA (Certified Internal Controls Auditor) and CCS (Certified Controls Specialist).

More information on COSO III or TheIIC can be obtained through PIKW.

Monitoring Internal Controls


A Conversation With Ken Vander Wal, Partner (retired) Ernst & Young LLP, Chair of ISACA’s IT Monitoring Task Force

Question: Why and how was Monitoring of Internal Controls and IT developed? Does it replace or complement another publication?

Answer: The IT Monitoring Task Force developed the draft of Monitoring of Internal Controls and IT to complement and expand on the 2009 COSO Guidance on Internal Control Systems. Since more and more technology has been integrated into business processes, the task force particularly wanted to emphasize two areas:

  • Special considerations around the monitoring of IT controls
  • How to use automation to enhance the monitoring of controls

The objective of this publication is to enable professionals to understand the purpose and (potential) benefits of monitoring, provide practical guidance on how to design and execute an IT monitoring process, and explain how automated monitoring tools may add value to the process. The publication also provides references that help assess risk, implement a monitoring program, and integrate monitoring into daily operations (e.g., COBIT®, Risk IT and Val IT™).

The publication is scheduled for public exposure through April 2010.

Question: Please describe the goals and aims of the publication. How do you anticipate the reader benefiting from the content?

Answer: The main aims of the publication are to expand the 2009 COSO Guidance on Internal Control Systems by bringing emphasis to the monitoring of application and IT general controls, and to discuss the use of automation (tools) for increased efficiency and effectiveness of monitoring processes. While the authors understand that information technology is not a business goal and, only rarely, a business process, there are important opportunities that can be provided by focusing on the risks related to IT control failures and the opportunities created by automated controls and automated monitoring processes. The authors also move away from a mere conceptual elaboration on the concepts and applications for monitoring and move toward providing multiple examples, case studies and practical tools that can help the professional and the enterprise implement monitoring.

Question: To whom is the book written? What titles, roles will benefit the most from the publication and how?

Answer: The book is written with executives/senior management, business process owners and IT professionals in mind. The publication opens with an executive overview of the subject matter and suggests questions that senior management should ask to determine whether the monitoring of internal controls is adequately addressed within their enterprise. For the business process owners it describes how to monitor key IT application controls and how to automate monitoring processes. And, for the IT professional, it goes beyond theory by providing templates and tools that can be leveraged when developing and implementing a monitoring project.

Question: What would you identify as the single most important takeaway from the book? In other words, how will the reader benefit from the publication?

Answer: There has been a lot written about how the COSO Internal Control—Integrated Framework can be applied to multiple objectives (e.g., financial reporting, operations, compliance) and to multiple dimensions of an organization (e.g., department, business unit, IT). This publication is unique in that it not only deals with the importance of identifying and monitoring the key IT controls that mitigate an enterprise’s financial reporting and compliance risks, it also expands the concepts of monitoring internal controls to operational objectives (e.g., performance, capacity). These are important aspects that have not been addressed previously in a comprehensive manner within one publication.