In any internal control environment at any entity, there is one common factor that affects all members of the organization- information technology (IT). Information technology is the element that has the broadest impact on its users and is one of the least understood and least likely to be discussed. While this element of the internal control environment may seem like something to defer to the IT experts of the world, information technology is something that should be emphasized throughout all organizations at all levels.
Without an effective internal control environment, deficiencies in an organization’s information systems are more likely to occur. A single unsecured employee password or unlocked server room can, in time, impact the company’s day-to-day functions and ultimately have an effect on the financial health of the entity. This situation has occurred countless times over the last decade at major organizations. Organizations that hold billions of dollars in assets, have had crippling data breaches that could have been prevented or mitigated by a more secure internal control environment. This begs the question: what can an organization do to prevent this from happening?
In 2003, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a risk-based, integrated framework to aid organizations in designing and implementing internal controls. Many of the principles of this framework hold true with respect to information technology, but there remain significant IT areas that the framework fails to cover. To supplement the original framework, COSO partnered with Deloitte and create ‘COSO in the Cyber Age’ in order to better address the information technology-related needs of organizations*.
This document addresses the major components of the original framework and relates them to the risks that organizations face in an age of constant technological change. The original COSO framework details the importance of properly assessing control risks in order to adequately respond to them. This IT-focused addendum to the primary framework delves into external factors that can lead to data breaches and IT control deficiencies. The document outlines outside risks such as the major perpetrators of cyber-attacks. The authors of this document stress the importance of assessing which of these external risks are the most relevant to each organization in order to efficiently use their limited resources and get the most out of their internal controls. While the guidance from COSO is an excellent starting point towards mitigating risks within an organization, it is not a guarantee of success. It is important for management to be vigilant in continuously assessing and evaluating the effectiveness of its controls over information technology. A periodic assessment of an entity’s controls affected by IT is a good starting point.
Author: Doug Falatko