
Questions from Our Webinar

COSO 2013: Implications for IT Controls



Introduction
On January 15, 2014, Protiviti hosted a webinar to address the many questions and comments raised in
the market in response to the release of COSO's Internal Control - Integrated Framework (2013
edition). During the webcast, our audience of more than 1,400 executives and professionals submitted
numerous questions, far more than we had time to address. Therefore, we are pleased to offer this
supplement, which provides detailed responses to many of the questions submitted.
For additional information, we invite you to download a complimentary copy of our resource guide,
The Updated COSO Internal Control Framework: Frequently Asked Questions (Second Edition). Many of
the questions below include references to relevant FAQs contained in the guide, and in some of our
guides to the Sarbanes-Oxley Act. You also are welcome to contact our COSO experts directly:
David Brand, Managing Director, +1.312.476.6401, david.brand@protiviti.com
Jim DeLoach, Managing Director, +1.713.314.4981, jim.deloach@protiviti.com
Barbi Goldstein, Managing Director, +1.212.603.8351, barbi.goldstein@protiviti.com
Keith Kawashima, Managing Director, +1.408.808.3222, keith.kawashima@protiviti.com


Questions from the Audience
1. Who owns the mapping conversion process?
Management has options in terms of who assumes primary responsibility for the mapping exercise. It
depends on the breadth of the application of the framework. To illustrate, if the framework historically was
applied to internal control over financial reporting primarily (often in conjunction with complying with
Section 404 of Sarbanes-Oxley), the group responsible for evaluating such controls might direct the
mapping process. Groups could include the Sarbanes-Oxley project management office (PMO) or the
finance organization. If the framework has been applied to operations or other areas of compliance and
reporting, then those responsible for their respective areas might conduct the mapping. In many
organizations, internal audit might own the process, or play a significant role, in either reviewing the final
product or performing the mapping directly, as internal audit can contribute a unique perspective on
internal controls.
2. If we historically had a clean Sarbanes-Oxley certification, but now find through
mapping and testing that there are gaps in the presence and functioning of the COSO
2013 principles, how does the organization handle these deficiencies? What are the
implications of a deficiency in control design or operation around these entity-level
type controls with respect to the new framework for a Sarbanes-Oxley filer? Can the
organization now fail to comply with Sarbanes-Oxley Section 404 requirements if it is
weak on a COSO principle?
The premise for this question is that the organization has completed the mapping exercise and is satisfied
it has considered all relevant entity-level and process-level controls currently in place. If gaps
(deficiencies) identified during the mapping of internal controls are true gaps, the organization will need
to evaluate the severity of the deficiencies. It is important to note that not every deficiency will result in a
conclusion that an entity does not have an effective system of internal control. For instance, when
evaluating the severity of the deficiency, an entity-level control gap may be deemed a deficiency or
significant deficiency rather than a material weakness from a Sarbanes-Oxley standpoint, as its impact on
the achievement of the financial reporting objective is not as direct as a deficiency around a specific
process-level control might be. However, over time, such significant deficiencies will need to be
addressed and remediated.
If deficient entity-level controls lead to a determination that the corresponding principles are not present
and functioning, and that in turn means the component to which those principles belong is not present and
functioning, then the organization could have a material weakness for Sarbanes-Oxley purposes. This is not
very likely for entity-level controls, because management ordinarily looks for compensating controls when
a primary or key control fails.
See Protiviti COSO FAQ Guide: Question 9.

3. How does the new COSO framework align to COBIT 5?
A graphic illustrating the relationship between the two frameworks accompanied this answer in the original document; it is not reproduced in this text version.


4. How do you deal with IT providers that are not SSAE 16 compliant? What steps can
be taken (beyond SOCs) to ensure the validity of data from outsourced IT systems?
What if you receive an SOC 2 report on a third-party provider? What impact does the
cloud have on internal controls?
The updated framework states that management remains responsible for internal control over outsourced
applications. Obtaining an SSAE 16 Service Organization Control (SOC) 1 report can assist management
in getting comfort about the controls around the processing of the organization's data. Note that a SOC 1
Type 1 report covers only the design of controls at a point in time; to rely on operating effectiveness,
management needs a Type 2 report covering a period. Management should review SOC 1 reports annually
to ensure the third party's control environment is adequate, confirm that the report's coverage period lines
up with the fiscal year, and obtain a bridge letter from the provider for any months between the end of the
report period and the fiscal year end, so that coverage is provided for each fiscal year.
In addition, management needs to review the user control considerations (complementary user entity
controls) listed in the SSAE 16 report and identify the controls the organization has in place that meet
them. Document the review performed by management, including how the organization addresses each
user control consideration, any relevant findings or exceptions noted in the report, and the assessment of
the risk from the company's perspective, including any mitigating controls.
Any time management considers contracting with a new third-party service provider, it should review a
compliance report as part of that evaluation and use it as input into whether it selects that vendor. SOC 2
Type 2 reports may be appropriate for management to use in its assessment, with the caveat that SOC 2
reports are written against the Trust Services criteria (security, availability, processing integrity,
confidentiality and privacy) rather than against controls relevant to financial reporting, so a similar
evaluation is needed to confirm that the report actually addresses the controls management intends to rely on.
If an SOC report does not exist for an in-scope outsourced system, management will need to find other
means to obtain assurance around the controls over that system. This could include identifying controls
management is responsible for that provide assurance that the processing at the outsourcer was
accurate, or conducting tests at the provider to test the controls on which management relies.
See Protiviti Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 17.
5. Do the 17 principles and 77 points of focus apply to IT controls as well as general
controls? I would like to see specific examples mapping IT controls to the 17
principles and relevant points of focus.
Below are a few examples of mapping IT to principles and points of focus:

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.

Point of Focus: Defines, Assigns, and Limits Authorities and Responsibilities. Use appropriate processes
and technology to assign responsibility and segregate duties.
Connection to IT:
- Technology is leveraged as appropriate to facilitate the definition and limitation of roles and
  responsibilities within the workflow of business processes.
- Application and infrastructure access is administered based on users' roles and responsibilities.
- Application access may be facilitated through integration with the network, or with identity
  management systems.

Principle 10: The organization selects and develops control activities that contribute to the mitigation
of risks to the achievement of objectives to acceptable levels.

Point of Focus: Evaluates a Mix of Control Activity Types. Control activities include a balance of
approaches to mitigate risks, considering both manual and automated controls, and preventive and
detective controls.
Connection to IT:
- IT systems support manual system-dependent controls and automated controls.
- Automated application controls as part of data input and processing can prevent errors; monitoring
  and reconciliation controls can detect errors.

Point of Focus: Addresses Segregation of Duties. Management segregates incompatible duties.
Connection to IT:
- Application and infrastructure access is administered based on users' roles and responsibilities.
- Application access may be facilitated through integration with the network, or with identity
  management systems.
In mapping IT to the principles and points of focus, organizations may find that work around IT general
controls (ITGC) could increase for existing Sarbanes-Oxley filers due to the potential increase in the
scope of systems that support entity-level type controls. There are areas that may require documentation
and testing that were not previously included under the scope of the Sarbanes-Oxley program.
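The two points of focus above both come down to administering access by role and keeping incompatible duties apart. The script below is an added example, not part of the Protiviti document, of how an IT control owner can test that in practice: it derives each user's effective permissions from a role model, evaluates a segregation-of-duties rule set against them, and also flags role pairs in the model that should never be co-assigned. The role names, permissions, rules and user-to-role assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the Protiviti document. The roles, permissions,
conflict rules and user assignments are constructed sample data.
"""
from itertools import combinations

# Constructed role model: what each application role grants.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve"},
    "treasury":      {"payment.release"},
    "sysadmin":      {"user.admin", "config.change"},
    "auditor":       {"report.read"},
}

# Constructed SoD rules: permission pairs one person must never hold together.
SOD_RULES = [
    ("vendor.create", "payment.release"),  # set up a vendor and pay it
    ("invoice.enter", "invoice.approve"),  # enter and approve the same invoice
    ("user.admin", "payment.release"),     # grant oneself payment rights
]

def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions over all roles a user holds.
    An unknown role raises rather than being silently skipped."""
    perms = set()
    for role in roles:
        if role not in role_permissions:
            raise KeyError(f"unknown role: {role}")
        perms |= role_permissions[role]
    return perms

def violated_rules(perms, rules=SOD_RULES):
    """Rules for which both conflicting permissions are present."""
    return [(a, b) for a, b in rules if a in perms and b in perms]

def find_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return {user: [(perm_a, perm_b), ...]} for users with SoD conflicts.
    Evaluated on effective permissions, so two individually harmless roles that
    together violate a rule are caught, not only roles that conflict by name."""
    conflicts = {}
    for user, roles in user_roles.items():
        hits = violated_rules(effective_permissions(roles, role_permissions), rules)
        if hits:
            conflicts[user] = hits
    return conflicts

def conflicting_role_pairs(role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Design-time check on the role model itself: a single role that violates a
    rule on its own appears as (role, role); two roles that should never be
    co-assigned appear as (role_a, role_b) in sorted order."""
    pairs = set()
    for role, perms in role_permissions.items():
        if violated_rules(perms, rules):
            pairs.add((role, role))
    for r1, r2 in combinations(sorted(role_permissions), 2):
        if violated_rules(role_permissions[r1] | role_permissions[r2], rules):
            pairs.add((r1, r2))
    return pairs

if __name__ == "__main__":
    # Constructed user-to-role assignments, as exported from an identity system.
    users = {
        "alice": ["ap_clerk", "ap_supervisor"],  # enters and approves invoices
        "bob":   ["ap_clerk"],
        "carol": ["treasury", "sysadmin"],       # can grant and release payments
        "dave":  ["auditor"],
    }
    for user, hits in find_conflicts(users).items():
        print(f"{user}: {hits}")
    print("conflicting role pairs:", sorted(conflicting_role_pairs()))
```

Evaluating the rules on the effective permission set rather than on role names matters: a conflict created by combining two individually harmless roles is exactly the case an access review done by role title misses. In practice the user-to-role input would be an export from the application or identity management system, and the rule set would be agreed with the process owners.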
6. Will COSO 2013 expand the range of systems in scope for Sarbanes-Oxley this year?
It is possible that, on an organization-by-organization basis, the systems in scope could expand. As
companies map their controls to the 17 principles and relevant points of focus, they may identify that
there are additional data sources and reports that will come into scope in addressing these principles.
These may come from other systems outside of those currently in scope for Sarbanes-Oxley. Each
company will need to analyze and internalize this information through assessing whether there are
alternative controls that can be relied upon with respect to these particular data sources and reports.
In addition, Public Company Accounting Oversight Board (PCAOB) inspection reports may pull additional
areas into scope related to review controls, and the reports used in those review controls may in turn pull
additional systems into scope. The range of systems in scope is an evolving area.
7. How are interface files and programs addressed in Sarbanes-Oxley?
See Protiviti Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 46.
8. Should all IT-dependent manual controls be mapped to Principle 13?
A top-down risk-based approach should guide the mapping process. Existing Sarbanes-Oxley filers most
likely already have key controls around ITGC documented and tested. Additionally, there has been an
increased focus on Information Produced by Entity (IPE) or Electronic Audit Evidence (EAE) by the public
accounting firms as a result of the PCAOB inspection reports. We expect there to be continued focus on
how management verifies the accuracy of IPE/EAE used in key manual controls.
See Protiviti COSO FAQ Guide: Question 17.
9. Do all reports used in key controls for Sarbanes-Oxley need to be tested annually or
is rotating testing allowed?
The PCAOB inspection reports have highlighted gaps in external audit firms' testing of reports used in key
controls. This is an area that is continuing to develop, with varying views on the required frequency of
testing of these reports (also known as baselining). Our survey of the 1,486 attendees of the January 15,
2014 webinar indicated that:
19 percent test all key reports annually
12 percent test key reports on a rotational basis
22 percent baseline test some but not all reports
15 percent test only new reports and rely on ITGC in subsequent years
33 percent do not baseline test reports
As audit firms continue to address the PCAOB's findings, expect to see their expectations evolve on this
topic and plan to adjust accordingly.
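As an added illustration, not from the Protiviti document or the webinar, of what verifying a key report actually involves, the script below treats a system-generated ageing report as IPE and applies three checks: that the report's logic is unchanged since it was baselined (the condition under which relying on change-management ITGC in later years is defensible), that the report is complete against the system of record, and that its totals are accurate when recomputed independently. The invoice rows, the report SQL and the baseline record are constructed sample data.

```python
"""Testing a system-generated report (IPE/EAE) relied on by a key control.

Added example, not from the Protiviti document. The invoice rows, the report
SQL and the baseline record are constructed; in practice the query comes from
the reporting tool and the data from the system of record.
"""
import hashlib
import sqlite3
from datetime import date

# Constructed report definition: "open invoices older than 30 days, by vendor".
REPORT_SQL = """
SELECT vendor, SUM(amount) AS open_amount, COUNT(*) AS invoice_count
FROM invoices
WHERE status = 'OPEN' AND julianday(:as_of) - julianday(invoice_date) > 30
GROUP BY vendor
ORDER BY vendor
"""

def report_fingerprint(sql):
    """SHA-256 of the whitespace-normalised query text. Reformatting the query
    does not change it; any change to the logic does."""
    return hashlib.sha256(" ".join(sql.split()).encode()).hexdigest()

def baseline_report(sql):
    """Record taken when the report logic is first tested ("baselined")."""
    return {"fingerprint": report_fingerprint(sql)}

def build_sample_db():
    """Constructed system-of-record data: an in-memory invoices table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, vendor TEXT, amount REAL, "
                 "status TEXT, invoice_date TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", [
        (1, "Acme",   1000.0, "OPEN", "2014-01-01"),
        (2, "Acme",    250.0, "OPEN", "2014-03-01"),  # too recent to be reported
        (3, "Acme",    500.0, "PAID", "2013-12-15"),  # not open
        (4, "Zenith",   75.5, "OPEN", "2013-11-20"),
        (5, "Zenith",   24.5, "OPEN", "2014-01-10"),
    ])
    return conn

def run_report(conn, sql, as_of):
    """Execute the report as the application would."""
    return conn.execute(sql, {"as_of": as_of}).fetchall()

def independent_totals(conn, as_of, min_age_days=30):
    """Recompute the population straight from the source table in Python,
    deliberately without reusing the report SQL, so a wrong WHERE clause in the
    report is not reproduced in the expected figures."""
    as_of_d = date.fromisoformat(as_of)
    rows = conn.execute(
        "SELECT amount, invoice_date FROM invoices WHERE status = 'OPEN'").fetchall()
    aged = [amt for amt, d in rows
            if (as_of_d - date.fromisoformat(d)).days > min_age_days]
    return round(sum(aged), 2), len(aged)

def validate_report(conn, sql, as_of, baseline):
    """Return (ok, findings) for the three checks a tester performs:
    1. logic unchanged since baseline (the basis for relying on change-management ITGC),
    2. completeness: the report covers every qualifying source row,
    3. accuracy: report totals agree with an independent recomputation."""
    findings = []
    if report_fingerprint(sql) != baseline["fingerprint"]:
        findings.append("report definition changed since baseline; re-test the logic")
    rows = run_report(conn, sql, as_of)
    report_total = round(sum(r[1] for r in rows), 2)
    report_count = sum(r[2] for r in rows)
    expected_total, expected_count = independent_totals(conn, as_of)
    if report_count != expected_count:
        findings.append(f"completeness: report lists {report_count} invoices, "
                        f"source has {expected_count}")
    if report_total != expected_total:
        findings.append(f"accuracy: report total {report_total} != "
                        f"source total {expected_total}")
    return not findings, findings

if __name__ == "__main__":
    conn = build_sample_db()
    baseline = baseline_report(REPORT_SQL)  # taken in the baseline year
    print(validate_report(conn, REPORT_SQL, "2014-03-15", baseline))
    # A silent change to the report logic in a later year (constructed):
    tampered = REPORT_SQL.replace("> 30", "> 90")
    print(validate_report(conn, tampered, "2014-03-15", baseline))
```

The independent recomputation deliberately avoids the report's own query: an error in the WHERE clause would otherwise be reproduced in the expected figures and the test would pass. The tampered query at the end shows how an unapproved change to report logic surfaces both as a fingerprint mismatch and as completeness and accuracy exceptions, which is what makes "test once, then rely on ITGC" a testable position rather than an assumption.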

10. How does COSO relate to other frameworks such as ISO 27000, GTAG and GAIT?
In general, COSO provides principles-based guidance and does not prescribe the specific controls
management needs to implement. Frameworks such as the ISO/IEC 27000 series, the GTAGs, and COBIT
(published by ISACA and the IT Governance Institute, ITGI) provide detailed guidance on how to address
technology specifically from a risk assessment and control activities perspective.
Global Technology Audit Guides (GTAGs) are available from The Institute of Internal Auditors (IIA).
GTAGs address issues related to information technology management, control, and security. They can be
used in conjunction with the COSO framework to analyze IT risks and controls.
The IIA also publishes the Guide to the Assessment of IT Risk (GAIT), which is a series of practice guides
outlining the relationships among business risk, key controls within business processes, automated
controls and other critical IT functionality, and key controls within ITGC. GAIT is useful when scoping
ITGC. The IIA defines GAIT-R as the methodology for identifying all key controls critical to achieving
business goals and objectives. GAIT-R identifies the critical aspects of IT that are essential to the
management and mitigation of organizational risk, generically described as business risk. It is focused on
identifying the key controls that are in place to manage or mitigate risk.
Regarding ISO 27000, see Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Question 9.

For further guidance on how to approach the Sarbanes-Oxley 404 internal controls certification process,
see our Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements Frequently Asked
Questions Regarding Section 404 at http://www.protiviti.com/en-US/Pages/SOX-404-FAQs.aspx and our
Guide to the Sarbanes-Oxley Act: IT Risks and Controls at
http://www.protiviti.com/en-US/Pages/Guide-to-the-Sarbanes-Oxley-Act.aspx.


© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.
Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services.

About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 35 percent of
FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member
Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works
with smaller, growing companies, including those looking to go public, as well as with government
agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a
member of the S&P 500 index.
About Our Financial Controls and Sarbanes-Oxley Compliance Practice
Protiviti's Financial Controls and Sarbanes-Oxley compliance professionals help companies establish
effective internal control over financial reporting. Whether your organization is just getting started with
compliance or has complied for years, we can help apply a top-down, risk-based approach, in accordance
with the U.S. Securities and Exchange Commission's interpretive guidance, to implement a cost-effective
compliance process. We help rationalize the critical risks, identify the key controls, develop a credible
body of evidence supporting controls design and operating effectiveness, drive accountability for
compliance throughout the organization, and coordinate the optimization of the attestation process under
Auditing Standard No. 5.
Our experience, gained by working with hundreds of companies, gives us the knowledge to help
organizations think longer term, make the right choices and create value as sustainability improves. Our
flexible, comprehensive approach is driven by a customized road map that addresses each client's
immediate priorities, planned improvements, longer-term strategic improvements and designated
timetable.
Our specific services include:
Sarbanes-Oxley compliance project planning and management
Documentation, evaluation, testing and remediation of risks and controls
Compliance cost reduction by rationalizing risks and controls and implementing risk-based testing
Improvement of internal controls and the quality of key upstream business processes affecting
financial reporting
Governance portal implementation and support
