Internal Controls Training 671
kymike last edited by
We are gettting ready to roll out ownership of controls documentation and some testing to the control owners. We have a shared services group for our US businesses and individual accounting shops around the world for our non-US businesses.
We are looking to develop (or purchase) some sort of internal controls training program that we can use to train our control owners as to what controls really are, how COSO impacts how we look at controls and how we are applying COSO within our organization.
Does anyone have any ideas that they are willing to share as to how to pull such a plan together (we have 4-5 weeks before we start training) or feedback on controls training tools they have purchased?
lekatis last edited by
If you choose to develop your own material to cover your specific needs:
Sarbanes-Oxley Needs Assessment
A very important first step in order to determine the needs of a training program is a needs assessment. It is a systematic exploration of the way things are and the way they should be. The key is to seek the gap between the current situation and the desired situation.
Check the actual performance of people against standards. This includes the current state of skills, knowledge, and abilities of the current and/or future employees. Next, define the desired / necessary situation.
Special consideration is needed in order to understand the actual needs that are not always the same as perceived needs, or ‘wants’. Many training programs have failed in the past and will continue to fail because the instructional designer did not understand the needs or wants of the company.
There are two parts:
A. Current situation
Determine the current state of skills, knowledge, and abilities of employees. This analysis will also examine the organizational goals, climate, and internal and external constraints.
Necessary actions include:
Review and assessment of available resource material, such as current awareness and training material.
Analysis of metrics related to training
Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives
Review of any findings and/or recommendations from oversight bodies
Meetings with owners of general support systems and major applications, and other organization staff whose business functions rely on IT
B. Desired or necessary situation
Identify the desired or necessary conditions for compliance. This analysis focuses on the necessary job tasks/standards, as well as the skills, knowledge, and abilities needed to accomplish these successfully. Distinguish actual needs from perceived needs.
Measurements of the compliance training effectiveness
The requirement to measure compliance performance is driven not only by organizational, but also by the Sarbanes-Oxley documentation and testing needs as well.
Training metrics must be based on performance objectives (remember the COSO framework). Monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.
The following matters must be considered during development and implementation of a compliance training program:
Metrics must yield quantifiable information (percentages, averages, and numbers)
Data supporting metrics needs to be readily obtainable
Only repeatable processes should be considered for measurement
Metrics must be useful for tracking performance and directing resources.
Metrics Development and Implementation
Two processes guide the establishment and operation of a security metrics program: metrics development and metrics implementation.
The metrics development process establishes the initial set of metrics and selection of the metrics subset appropriate for the organization.
The metrics implementation process operates a metrics program that is iterative by nature and ensures that appropriate aspects of Sarbanes Oxley compliance issues are measured for a specific time period.