COSO Assertions and IT Control Assertions

  • I am working on a RCM (Risk Control Matrix) for SDLC which has COSO (PCAOB) Assertions like Access to assets, Completeness and Accuracy etc… All these Assertions are related to financial key controls but not IT key controls. Does anyone know if an interpretation/mapping exists for this? If so, can you please advise?
    Thank you in advance,

  • Hi,
    ISACA published a document called CobiT Mapping that maps the CobiT Framework to various frameworks including the COSO Framework. However, the linkage is between the IT Control Objectives (not IT Key Controls) and the COSO Components (not PCAOB FS Assertions).
    The challenge you will have in your approach is that a 1:1 linkage might not exist between IT Key Controls and FS Assertions. Also, if a linkage can be established, it will be dependent on the Application Control. The Application Control will likely be unique to the Company and the IT Application(s) relied upon by the Company.
    Again, some of the IT Key Controls will not have a relevant FS Assertion. To avoid confusion and to use a control matrix format that is generally accepted by the external auditors, you might consider simply listing the IT Control Objective from the CobiT Framework in one column and relate it to the COSO Component instead in another column.
    With regards to developing the control matrix for SDLC, you can then use existing resources, with particular emphasis on CobiT resource documents published by ISACA.
    Sorry for the long reply, but I was not clear about your exact question and was taking a shot at replying based on my interpretation. Certainly, other persons reading this post will provide additional comments/feedback and hopefully, you can make progress on the control matrix.
    Hope this helps and good luck,

  • I agree with Milan.
    The IT Application controls should fit neatly into your RCM, since the only distinction among these Key Controls is that they are ‘automated’ rather than ‘manual’. We have found that the most likely transaction processing controls among Application controls are completeness, accuracy, and restricted access; although a validity check within an application can satisfy ‘validity’ of course. (Testing these application controls without exception is a completely different story… but that is true of many Key Controls.)
    However, on the General IT Controls, I would seriously doubt if you can effectively correlate the Key Controls to processing controls (aside from restricted access), since it’s an apples-to-oranges comparison.
    While CoBIT and COSO complement each other, it’s not an even fit (more like square pegs…). At any rate, why would you want to map 1-to-1? Either a General Control (CoBIT Objective) is met, or it is not. I think that you’d be better off spending (investing?) your time remediating the failed General IT Controls than spinning your wheels on something esoteric, that really doesn’t matter anyway.
    Having said that, IF you do work it out, let me know, please.
