ZenGRC

Simply Powerful GRC

Blog

What is Cybersecurity Architecture and Why is it Important?

· ·

Cybersecurity threats abound, and the pace of cybersecurity attacks is increasing steadily year after year. At the same time, consumers are also becoming more aware of cybersecurity harms, and demanding better performance from the companies with which they do business. Regulators hear that sentiment from consumers too, and are responding with ever more stringent rules for data privacy.

For these reasons and more, a robust cybersecurity architecture has never been more important. In this article, we’ll explain what a cybersecurity architecture is, why it’s important, and how your organization can get started on the worry-free path toward designing and implementing a successful cybersecurity architecture.

What Is Cybersecurity Architecture?

Cybersecurity architecture, also known as network security architecture, is the practice of designing computer systems to assure the security of your underlying data. Generally speaking, cybersecurity architecture is at the foundation of your organization’s defense against security threats.

Working as one component of an organization’s overall security architecture, cybersecurity architecture is typically designed using a cybersecurity architectural framework – that is, a framework that specifies the structure, standards, policies, and functional behavior of a computer network, including both security measures and network features.

A framework will help your organization identify security risks and then position security controls to address them. It will also show you how your security controls relate to your overall business. Ideally, a cybersecurity architecture framework will allow your organization to maintain confidentiality, integrity, and availability of the data within its business operations.

Your cybersecurity architecture framework should be flexible enough to adapt and provide security coverage for your business despite the constantly evolving cyber threat landscape. It should encompass three main elements, which we will further explore in a moment: procedural and policy-related elements, standards and frameworks, and security and network elements.

Most businesses already have at least some elements of cybersecurity in place, including firewalls, antivirus programs, and intrusion detection systems. A detailed cybersecurity architecture should integrate these elements to maintain and maximize these tools alongside your policies and procedures. That said, firewalls, antivirus programs, and intrusion detection systems only address external threats – which is not enough in the modern threat environment.

For this reason, many organizations are employing a “zero trust” model, which calls on verifying every request irrespective of whether the users are inside or outside the perimeter. By using access control and establishing several checkpoints within a network, organizations are able to limit their exposure to malware infiltration.

Although businesses can and should do more to build network security systems independently, many simply do not possess the necessary technologies to do so. If this sounds like you, you might want to consider hiring a cybersecurity architect: a security professional who will help you to anticipate potential cyber threats and design the structures and systems that will prevent them. For many organizations, hiring a cybersecurity architect is the best way to identify system vulnerabilities and remediate them as quickly as possible.

Now that we have some context, we can take a closer look at some of the components that make up a robust cybersecurity architecture. Then we’ll further explain why a cybersecurity architecture is critical for your business, and how you can get started on the worry-free path toward designing and implementing a successful cybersecurity architecture framework.


What Are the Components of Cybersecurity Architecture?

Even if you decide to hire a security architect to do all of the heavy lifting, the success of that endeavor hinges on your employees’ ability to work according to the processes laid out in your security architecture framework. Enforcing your cybersecurity architecture once it’s been created will require a continuous flow of information throughout your organization.

People, Policies and Procedures

People – your employees, stakeholders, decision-makers, and anyone else who touches your enterprise – are the first (and most often overlooked) component of a cybersecurity architecture. The people, along with processes and tools, should all work together to protect your company’s assets.

Throughout your organization, the people, processes, and tools you use to create and enforce a cybersecurity architecture will all be driven by your organization’s security policy. A security policy is a statement that outlines how each entity within your organization will access other entities, what operations those various entities can carry out, the level of protection that’s required for each system, and the actions that should be taken when these security requirements are not met.

Your security policy, as well as any other policies related to your cybersecurity architecture, needs to be clear and easy to understand. If your employees don’t understand the “why” behind a policy, they’re far less likely to follow the “how” – meaning, the procedure associated with the policy.

A well-rounded cybersecurity architectural framework should recognize the need for clear, concise, and explicit policy documents that make it easy for your employees to formulate the necessary procedures. Additionally, you should require staff training whenever implementing or updating policies and procedures, so that your employees have the opportunity to learn and ask questions.

Your cybersecurity architecture’s policies and procedures need to be directed and enforced throughout your organization. Ideally they should be definable and simulatable using industry-standard architecture and modeling language.

As more and more regulations are starting to require the production of relevant policies and appropriate procedures for compliance, this element of a cybersecurity architecture is becoming increasingly important. This requirement, coupled with the need to educate employees adequately, underlines just how important policies and procedures really are to the success of a cybersecurity architecture.

Standards and Frameworks

In many cases, compliance with industry standards is not only legally required, but also a great way to improve your organization’s overall cyber hygiene. To better understand cybersecurity architecture and its role, you should start by looking at pre-existing standards and the frameworks that support them.

Standards set out what must be achieved by various organizations in different industries. For example, the following information security standards require the protection of personal data or sensitive information:

  • International Organization for Standardization (ISO 27001)
  • The Payment Card Industry Data Security Standard (PCI DSS)
  • The European Union’s General Data Protection Regulation (EU GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)

These are just a few of the many standards that are required for organizations in specific industries and are enforced by law. Which standards your organization needs to meet will depend on your business operations, so it’s important to familiarize yourself with those that are relevant to you. Industry standards and regulations change often, so you’ll need to revisit them frequently to make sure your organization is always compliant.

As far as frameworks are concerned, probably the most important and widely recognized cybersecurity framework in the United States is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This framework covers five broad domains (identify, protect, detect, respond, and react), and includes categories and subcategories for each.

NIST CSF also provides an overview of the separate but interconnected areas that must be addressed when assessing the appropriateness and effectiveness of a given cybersecurity architecture. Ultimately, this allows organizations to measure the relative security and level of compliance being provided by their existing cybersecurity architecture.

If you decide to base your own cybersecurity architecture on an existing framework, choose one that meets the needs of your organization. Even if you decide to start from scratch, visiting these existing frameworks and standards can give you a better starting point for your own cybersecurity architecture.

You should also take into consideration the technology standards for any of the cybersecurity software choices you make. The security solutions you rely on to execute your cybersecurity architecture should ideally align with your organization’s security standards as well as any compliance requirements.

Network and Security

Finally, your cybersecurity architecture will need to include more specific network and security elements to keep your organization’s systems secure.

Make sure you include the following network elements in your cybersecurity architecture:

  • An inventory of network nodes including computers, NICs, repeaters, hubs, bridges, switches, routers, modems, gateways.
  • Your network communication protocols (TCP/IP, DHCP, DNA, FTP, HTTP, HTTPS, and IMAP).
  • Any network connections between nodes using specific protocols.
  • Network topologies among nodes such as point-to-point, circular, chain, and hybrid.

You also need to account for the following security elements in your cybersecurity architecture:

  • Any cybersecurity devices like firewalls, Intrusion Detection/Protection Systems (IDS/IPS), and encryption/decryption devices.
  • Cybersecurity software (anti-virus software, spyware software, and anti-malware software).
  • Secure network communication protocols (TCP/IP, DHCP, DNS, FTP, HTTP, HTTPS, and IMAP).
  • Strong encryption techniques such as end-to-end encryption, zero-knowledge privacy, and blockchain.
  • Multi-factor authentication, and any other identity and access management practices.

Why Is Cybersecurity Architecture Important?

Generally speaking, the purpose of a cybersecurity architecture is to assure that the main network architecture of your organization, including its most sensitive data and critical applications, is fully protected against any present or future threats or security breaches.

A well-implemented and enforced cybersecurity architecture will enhance cybersecurity and help your organization adhere to more stringent data privacy regulations as they arise, and increase your marketability in an ever-increasing cyber-conscious market.

When done correctly, a successful cybersecurity architecture will be most evident in three key areas to your organization: regulatory compliance, your bottom line, and overall information management.

Regulatory Compliance

A cybersecurity architecture is often key in demonstrating compliance to many data protection regulations. Most organizations confront a variety of data regulations, especially those conducting business internationally.

These days, most data protection regulations call for some form of a cybersecurity architecture. While different regulations have different information management requirements, a strong cybersecurity architecture should transcend those differences. Simply having one in place will almost always be seen as a positive to any regulatory body.

Bottom Line

As stated above, consumers are becoming increasingly more aware of cybersecurity issues and how those issues can affect their lives. Use that as an opportunity to market your superior cybersecurity to your consumers. Businesses with more transparency are more likely to win customers’ trust, especially those who have fallen victim to security incidents in the past.

A solid cybersecurity architecture can also act as a form of insurance to a number of potentially disruptive scenarios, which also protects your business’s bottom line. An active approach to cybersecurity is usually much more successful than a defensive or a reactive one, as the cost of recovering from a security incident can often outweigh the initial investment needed to implement a cybersecurity architecture.

Information Management

How your organization deals with its data can mean the difference between success or failure. Integrating a cybersecurity architecture throughout your organization can streamline your data management process, with the added benefit of protecting your systems’ information network.

Ideally, a cybersecurity framework should align the risk management process with your underlying business strategies with little to no interruption to the day-to-day running of your business.

Build a Stronger Cybersecurity Architecture With ZenGRC

If building and enforcing a robust cybersecurity architecture sounds overwhelming, you’re not alone. Creating open communication channels, training employees, designing and implementing policies and procedures, tracking compliance, enforcing network and security elements – these tasks can be complicated and time-consuming, especially if you’re working in spreadsheets.

ZenGRC gives you the power to be more strategic with IT risk management by putting your business activities front and center. Discover a modern way to manage your risk posture with ZenGRC, giving you the ability to understand and act on your IT and cyber risks, all in a single unified platform.

With an intuitive user experience paired with in-application expert guidance, you can assess, manage, and communicate risks and their potential business impact. Using AI, the relationships between assets, controls and risks are automatically created, alerting you to changes in your risk posture and making it simple to grow and manage your risk programs. With dashboards and reports that provide contextual insights, it’s easier to communicate with key stakeholders and make informed business decisions with the ZenGRC platform.

Become more strategic with your IT risk management and talk to an expert today to learn more about how ZenGRC can help your organization confidently manage risks and compliance.

Security Misconfigurations: Definition, Causes, and Avoidance Strategies

· ·

Misconfigured security settings can be disastrous for a company’s cybersecurity. In 2019, for example, a researcher discovered a security misconfiguration in the popular project management tool Atlassian JIRA that allowed him to access a vast amount of confidential data from companies that used JIRA.

Unfortunately, Atlassian’s error is all too common. Configuration errors were responsible for almost one-third of data breaches in 2021 and are expected to cause 99 percent of all firewall breaches through 2023.

Finding and fixing misconfigurations should always be a cybersecurity priority. In this post we’ll cover what a security misconfiguration is, and how organizations can locate, remedy, and mitigate those errors.

What Is a Security Misconfiguration?

A security misconfiguration can occur when security settings are either (1) not implemented, or (2) deployed with errors. These errors create security gaps that expose the application and its data to a cyber attack or possible breach.

These errors can happen at any level of the application stack, including:

  • Web or application servers
  • Databases
  • Network services
  • Custom code
  • Development platforms and frameworks
  • Storage
  • Virtual machines
  • Cloud containers

What Can Security Misconfigurations Lead To?

A majority of configuration errors happen because system administrators fail to change the default configuration (also known as the “out of the box” account settings) of a device or application during installation. This error is problematic because many automated attacks start by testing whether a target’s systems use the default settings. By altering these settings, organizations can reduce the chance of such attacks succeeding.

For example, consider a system administrator keeping the default configuration on a CMS application. Without altering the default settings, the device, application, network, and system are vulnerable to exploits from an attacker who knows those settings (which, rest assured, are available on the dark web). Some threat research organizations estimate that misconfigurations are among the top 10 exploits that can lead to an attack.

A few of the more common causes of security misconfiguration errors and the threats they lead to are as follows.

Unpatched flaws

All software has flaws, but most software vendors soon issue patches to repair those flaws. When you don’t install the patch, attackers who already know the flaws will be able to penetrate your systems.

Unused pages and unnecessary service

Unused web pages and unnecessary features or services also allow attackers to gain unauthorized access to an enterprise application or device. These issues may result in cyberattacks such as command injections, brute force attacks, and credential stuffing exploits if left unchecked.

Inadequate access controls

Threat actors can gain entry into the network infrastructure by using default passwords, abandoned user accounts, or unused access permissions that admins did not update or remove. Overly permissive access rules also allow adversaries to cause chaos, including malware attacks and data compromise.

Unprotected files and directories

Files and directories not protected by strong security controls are vulnerable to cyberattacks. Hackers can identify platforms and applications that use easy-to-guess names and locations to garner valuable system information and orchestrate targeted attacks.

Predictable file names and locations can also expose admin interfaces and allow the adversary to get privileged access, configuration details, or business logic and even add, remove, or modify application functionality.

Poor coding practices and using vulnerable XML files

Many security misconfigurations can occur in Java web.xml files. Custom error pages or SSL may not be configured, or the code may be missing web-based access controls.

Coding errors may allow attackers to access parts of web applications via non-SSL and launch session hijacking attacks. Using URL parameters for session tracking or not setting a session timeout may also result in these attacks. Similarly, cookies without the HttpOnly flag can increase the possibility of cross-site scripting (XSS) attacks.

Disabled antivirus

Sometimes users temporarily turn off the antivirus if the antivirus overrides a particular action, such as running an installer. Once the user completes the installation, if he or she forgets to reactivate the antivirus, that leaves the organization vulnerable to hacks and data breaches.

Inadequate hardware management

Hackers use devices such as routers, switches, and endpoints to access enterprise applications and data by exploiting unsecured ports, overly permissive network traffic rules, and inadequately patched and maintained hardware.

How a Server Misconfiguration Can Create Vulnerabilities

Configuration errors create security vulnerabilities that hackers and cybercriminals can exploit. Server misconfigurations create vulnerabilities by exposing sensitive data, providing unauthorized access, and opening attack pathways. Below are some other common ways in which server misconfigurations can lead to an attack:

Exposes sensitive data

Configuration errors often result in unauthorized access to sensitive information. One reason is that nearly 73 percent of organizations have at least one critical security misconfiguration that could expose sensitive data, systems, or services to threat actors.

Prompts directory traversal attacks

Directory listing in a web application allows threat actors to browse and freely access the file structure and discover its security vulnerabilities. They can exploit these vulnerabilities to modify parts of the application and even reverse-engineer it.

Increases cyberattacks on mobile applications

Configuration mistakes can be a serious problem with mobile applications because the business and presentation layers are not deployed on a proprietary server under the organization’s control. Instead, the code is deployed on a mobile device that an attacker can physically access, modify, or reverse-engineer.

Creates remote attacks

Some critical misconfigurations allow attackers to access servers remotely and disable network and information security controls such as firewalls and VPNs. Unused open administration ports also expose the application to remote attacks.

Provides unauthorized access to the organization

Occasionally, legacy applications will attempt to communicate with non-existent applications. That creates a security gap that allows attackers to connect to the enterprise IT ecosystem, providing the attacker even more unauthorized access to the organization.

How Organizations Can Prevent Security Configuration Vulnerabilities

Security configuration errors are a widespread problem in any network, system, device, or application. Organizations can avoid them or minimize the chance of occurrence by following these best practices.

Pay attention to alerts

Configuration errors usually create warning signals that admins and developers should watch for. These alerts include notifications of multiple login attempts, devices that self-install software, and users’ web searches being redirected to unexpected websites. All these events can suggest compromised devices or applications.

Regularly patch all devices and software

Regular security patches and updates are vital to find and fix configuration errors. Admins can also patch a “golden image” (a virtual machine configured correctly) and deploy it into the entire environment.

Strengthen remote access controls

A layered remote security approach with intrusion detection systems, permission zones, firewalls, and virtual private networks (VPNs) can limit the vulnerabilities created by remote users. In general, all files and directories in both on-premise data centers and cloud environments must have strong access controls on a need-to-have basis.

Provide cybersecurity training and awareness to all users

A lack of cybersecurity knowledge can result in insecure practices and human errors, which increase the risk of breaches. Employees must be trained about the need for strong passwords, the dangers of “shadow IT” (that is, unauthorized hardware or software operating on your network), and the rules for handling sensitive data. A strong security culture is also vital to improve awareness of security threats, suspicious activities, and appropriate threat responses.

Follow secure coding practices

Secure coding practices are essential to prevent misconfiguration issues. Developers must ensure proper input/output data validation in the code, configure custom error pages and SSL, set a session timeout, never bypass authentication and authorization, and avoid using URL parameters for session tracking.

It’s also good practice to run custom static code through a security scanner before integrating it into the production environment.

Some other ways to avoid security misconfiguration errors are:

  • Regularly monitor web application security and vulnerabilities
  • Define and monitor non-default security settings for apps and programs
  • Remove unused applications, programs, and features
  • Change all default accounts, usernames, and passwords
  • Develop an application architecture with secure separation of elements
  • Encrypt data-at-rest and data-in-transit

ZenGRC Helps Protect Your Organization from Vulnerabilities

You can protect your organization from many vulnerabilities by identifying where misconfiguration errors occur. For such visibility, you need a tool like ZenGRC.

ZenGRC reveals information security risks across your business. See where security configuration and other errors are occurring so you can take quick action to minimize and manage vulnerabilities and minimize business exposure.

With ZenGRC, you can simplify threat and risk management, compliance, audits, governance, and even policy management from one centralized application. Manage risk and compliance easily and guide your organization to greater operational confidence. Schedule a demo to discover the full power of ZenGRC.

What is the Importance of Internal Controls in Corporate Governance Mechanisms?

· ·

At the core of business management are the rules, practices and processes that define how your organization is directed, operated and controlled. This system, known as corporate governance, is aimed at creating more ethical business practices by aligning the interest of your organization’s stakeholders. In today’s business environment, the more ethical-and transparent-your organization is about its corporate governance practices, the more financially viable it will be.

One of the most important components of effective corporate governance is enterprise risk management (ERM), or the program your organization puts in place to identify, analyze, prioritize and mitigate risks. Determining the level of risk that comes along with certain business operations is not only important, but it’s also mandatory in the case of regulatory compliance.

In this article, we’ll take a closer look at corporate governance, including some of the mechanisms your organization can implement to reduce any inefficiencies or incidents that might arise. Armed with this knowledge, your organization will be better positioned to start on the worry-free path toward an effective and efficient risk management system.

What are the Mechanisms of Corporate Governance?

Corporate governance is the act of directing, controlling, and evaluating your organization. It includes setting forth your organization’s governance structures and principles by a supervisory board to identify the distribution of rights and responsibilities among different stakeholders, and to cultivate a company culture of integrity.

At its foundation, corporate governance is necessary because it helps manage any potential conflicts of interest between shareholders and company management, or among shareholders. However, unlike the day-to-day operational management of the company by your full-time executives and employees, corporate governance has more to do with what the board members of your company do, including how the board sets the values of your company.

Establishing the values, rights, and responsibilities of your organization is a critical step in decision-making, but you also need to consider how you will enforce that code of conduct after you’ve created it. To do so, your organization should use both external and internal corporate governance control mechanisms designed to protect your assets from incidents, reduce any inefficiencies that might arise, and support your overall business objectives.

External Mechanisms of Corporate Governance

External control mechanisms are those controlled by entities outside your organization such as regulators, governments, trade unions and financial institutions. Most of the time, the objectives of external control mechanisms are to assess adequate debt management and legal compliance and are often imposed on organizations by external stakeholders in the forms of union contracts or regulatory guidelines.

To determine regulatory compliance, many organizations must undergo an independent audit as part of the evaluation of the overall corporate governance structure.

Independent Audits

An important part of regulatory compliance and another important external mechanism is that of the independent audit. During an independent audit, an external auditor is responsible for reviewing the financial statements of your organization and issuing an opinion as to their reliability.

In most cases, an independent audit serves both your internal and external stakeholders by helping investors, employees, shareholders and regulators determine the financial performance of your organization. An external audit can also give you a broad view of your organization’s internal working mechanisms and its future outlook.

In addition to external audits, regulatory bodies may also suggest guidelines for best practices, and organizations can choose whether or not to follow them. Typically, organizations report their compliance status to external stakeholders. One such compliance regulation is the Sarbanes-Oxley Act (SOX), which was enacted in 2002 following the scandals surrounding Enron and MCI (formerly WorldCom).

SOX Compliance

Today, all public companies in the United States are obligated to comply with SOX, which was created to provide greater accuracy and transparency of corporate disclosures in financial statements and to safeguard investors from fraudulent accounting practices through effective risk management.

To demonstrate SOX compliance, your organization will need to submit proof, annually, of all risk controls during an external audit. While the cost of SOX compliance varies from organization to organization, you can expect to spend $500,000 to $1 million on compliance efforts and audits-an investment that’s much lower than the penalties associated with non-compliance.

Because SOX compliance is not optional for public companies in the US, ignoring the SOX compliance process can cause a variety of problems for organizations. Not only do SEC enforcement actions cost time and money, but they also potentially result in fines that run into figures in the millions of dollars.

In addition to avoiding legal fines and penalties, some of the benefits of SOX compliance include more robust internal controls and greater public confidence, and less opportunity for financial fraud or other suspicious activity by employees or stakeholders.

Internal Mechanisms of Corporate Governance

While external mechanisms of corporate governance are undoubtedly important, the foremost sets of controls for your organization are the internal mechanisms you use to monitor the progress and activities of your organization, and take corrective actions when your business goes off track.

Internal control mechanisms aim to serve the internal objectives of your organization and its internal stakeholders. Typically, these objectives include smooth business operations, clearly defined reporting lines and performance measurement systems.

Ideally, your internal corporate governance mechanisms will maintain your organization’s larger internal control fabric-the policies, procedures, and technical safeguards that protect your organization’s assets by preventing errors and inappropriate action.

In a similar fashion to the external audits used by regulatory bodies to determine compliance, your organization can also conduct internal audits to determine the effectiveness of internal controls.

Even if regulatory compliance isn’t required for your organization, assigning an internal auditor to assess whether your control mechanisms are meeting regulatory requirements is a good place to start.

Fortunately, your organization doesn’t have to come up with your system of internal controls entirely on its own. The Internal Control-Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), defines five necessary components for designing a sound internal control structure:

  • Internal control environment
  • Risk assessment
  • Internal control activities
  • Information and communication
  • Monitoring

Within COSO’s framework, each of these five key components of internal control includes principles with supporting points of focus to help with designing, implementing, conducting, monitoring, and assessing internal control processes.

In the next section, we’ll discuss how internal controls can help your organization improve its corporate governance and introduce some of the most effective internal controls for corporate governance.

What is the Role of Internal Control in Corporate Governance?

To refresh, internal controls are the policies, procedures, and technical safeguards that protect your organization’s assets by preventing errors and inappropriate action. They’re the more practical aspect of corporate governance-the ways in which your organization ensures compliance with its own moral code.

When it comes to corporate governance, internal controls can help your organization monitor activities and then take corrective actions to accomplish your organizational goals. Typically, internal control procedures are implemented by your organization’s board of directors, audit committee, management, and any other personnel to provide reasonable assurance that you’re meeting your objectives related to reliable financial reporting, efficient operations, and compliance with laws and regulations.

To ensure your organization adheres to corporate governance guidelines, internal control activities also help produce an audit trail that can be followed during both internal and external audits. Ultimately, both money and information should have a clear path through your organization-with good internal controls, that path can easily be re-traced.

For example, one of the compliance requirements for SOX compliance specified in Section 404 is that of the Management Assessment of Internal Controls. 404(a), which applies to all publicly traded companies, requires management to certify whether internal controls over financial reporting (ICFR) are or are not effective and, if not, why.

A clear audit trail will not only help your organization achieve and maintain SOX compliance, but it will also allow your shareholders to feel more confident about their investments and your customers to feel more confident about the goods or services they’ve purchased. When organizations can show proof of good corporate governance via internal controls, they’re often more successful.

The goals of internal corporate governance controls usually include:

  • Safeguarding assets: internal controls help prevent asset loss due to mistakes or fraud.
  • Minimizing errors: internal controls ensure that financial information is carefully reviewed to reduce errors.
  • Promoting efficiency: internal controls prevent mistakes, which improves efficiency in the long run.
  • Minimizing risk: internal control procedures may include regular risk assessments to find areas where inaccuracies are occurring to improve those areas.

To meet these goals and more, your organization may engage in several internal control activities, which fall into three broad categories: preventative, detective, and corrective. While detective controls seek to understand incidents once they have occurred, corrective controls take corrective action to remedy those vulnerabilities, and preventative controls actually attempt to prevent those risks from occurring in the first place.

Now that we’ve established how internal controls play a role in corporate governance, it’s time to introduce the types of internal controls that can best help your organization with its corporate governance.

What are the Procedures for Internal Control of Corporate Governance?

To be most effective, internal corporate governance controls rely on the responsibilities of your organization’s stakeholders for proper execution. While the board of directors are responsible for setting the values, rights and responsibilities and the corresponding internal controls that will help promote these activities; management is responsible for maintaining the system of internal control and communicating the expectations and duties to staff. In return, staff and operating personnel are responsible for carrying out those internal control activities set forth by management.

Here are some of the most common procedures for internal control used in corporate governance today:

Authorization

Authorization is a process that involves establishing a basis by which various employees have the authority to execute certain types of transactions and serves as a proactive approach for preventing invalid transactions.

This includes approval authority requirements which require specific managers to authorize certain types of transactions, adding a layer of responsibility to your records systems by providing that the transactions have been seen, analyzed, and approved by the appropriate authorities.

Documentation

Documentation includes paper and electronic communication that supports the completion of the transaction lifecycle. It’s anything that provides evidence of a transaction, who has performed each activity pertaining to the transaction, and the authority to perform such activities.

Documents provide a financial record of events and activities, and therefore, they ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel, and other types of transactions. The proper documentation can provide evidence of what has transpired as well as providing information for researching any discrepancies.

Standardized documentation used for financial transactions can help your organization maintain its consistency in record keeping over time, and it can also make it easier to review past records when searching for the source of a discrepancy in your system. Ultimately, a lack of documentation standardization can lead to overlooking or misinterpreting important information.

Reconciliation

Reconciliation is the process of comparing transactions and activities with supporting documentation and involves resolving any discrepancies that have been discovered. Occasional reconciliation ensures that the balances in your system match up with the balances in the systems held by other entities, including banks, suppliers, and credit customers.

A good internal control system should provide a mechanism to verify that transactions and activities are for the correct purposes and amounts, and that they are allowable. Any errors or discrepancies, whether intentional or unintentional, should be detected, investigated and resolved as quickly as possible.

Security

The security of your assets and data includes three different types of safeguards: administrative, physical and technical. Administrative security focuses on the departmental processes that are put in place to protect assets and data. Physical security is the protection of physical data and assets from loss by theft or damage. Technical security is the protection of electronic data loss by theft, damage, or loss in transport.

Ideally, assets and data should be kept secure at all times to prevent unauthorized access, loss, or damage. The security of your assets and data is essential for ongoing operations, accuracy of information, privacy of personal and sensitive information, and in many cases is state or federal law.

Segregation of Duties

Segregation of duties is the means by which no one person has sole control over the lifespan of a transaction. According to the American Institute of Certified Public Accountants (CPA), segregation of duties means “shared responsibilities of a key process that disperse the critical functions of that process to more than one person or department” to reduce the risk of fraud and errors.

Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction. All organizations should separate functional responsibilities to assure that mistakes, intentional or otherwise, cannot be made without being discovered by another person.

Primary incompatible responsibilities that must be separated are:

  • Performing transactions
  • Authorization or acceptance
  • Reconciliations
  • Asset custodianship

The segregation of duties will ultimately depend on the side of your organization and its structure. Duties may be segregated by department or by individuals within a department, and the level of risk associated with a transaction should determine the method for segregating duties.

Improve Your Internal Controls with ZenGRC

Across industries, the only thing that all internal control schemes have in common is the arduous documentation and reporting that come with them. If your organization is using spreadsheets to manage your compliance requirements, it’s time to consider another option.

ZenGRC is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and clearly communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.

A single, real-time view of risk and business context allows you to clearly communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.

ZenGRC will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.

Now, through a more proactive approach, you can give time back to your team with ZenGRC. Talk to an expert today to learn more about how the ZenGRC can help your organization mitigate cybersecurity risk and stay ahead of threats.

5 Step Risk Management Process

· ·

At its core, risk management is about identifying risks and guarding against them. It gives organizations a plan of action to determine which risks are worth taking and which aren’t, to assure better outcomes for their bottom lines.

This post will outline the five steps of risk management, which you can use to protect your company against the uncertainties of doing business.

What Is Risk Management?

Risk Management is a multi-step process that identifies and evaluates any emerging threats or risks, whether internal or external, to a business’ information systems and data. It is essential to maintain a risk management process because it reveals all potential threats within the business, whether they already exist or before they generate a negative impact.

It also generates a series of benefits, such as avoiding data breaches and driving the need for a cybersecurity program. It also includes cost/benefit analysis activities related to security risks, operational risks, business risks, and other metrics.

What Are the Five Steps in a Risk Management Process?

Risk management can be defined as a process that helps you:

  • Project risks, forecast, and evaluate risks to your organization
  • Analyze and determine their effect on your business operations, finances, customers and employees, brand, stakeholders
  • Identify an action plan to have a risk response and eliminate or reduce those effects

Risk mitigation and risk management make it easier to understand where a business should spend its time and resources. You don’t have to cross your fingers and hope your business remains protected from bad luck.

Step 1: Identify Your Risks

First, identify all the risks your organization might encounter in its operating environment. There are many types of risk assessments, but generally, this process is performed routinely. To start a risk assessment, examine the factors in your organization and environment — regulatory, legal, environmental, market risks, and so on — that are potentially dangerous.

Identify as many of these risk factors as possible. Anything that can harm your organization should be on your radar, including natural disasters, technological risks, and single point of failure (SPOF) risks.

Consider creating a risk log or risk register that serves as an ongoing database of each project’s potential risks. This will help you and your team manage current risks. It can also serve as a reference for past projects and guide you on future ones.

Step 2: Analyze All Risks

After risk identification, you perform risk analysis. Some risks can bring your business to a standstill, while some will only be minor inconveniences. To analyze each threat and determine its scope and potential disruption, ask: How likely are these risks to occur? And if they do, what will the consequences be?

You can then establish a link between the risks and different factors within your organization. Specifically, this will help you understand how many business functions the risk affects. The greater the number of functions, the more severe the risk.

Step 3: Evaluate and Prioritize Every Risk

Next, rank and prioritize each risk depending on its severity. This allows the risk management team to see and understand your organization’s total risk exposure. For example, risks that will lead to minor inconvenience should be a lower priority, while risks that can cause catastrophic losses should be at the top.

Additionally, you should figure out your risk profile: your risk appetite and risk tolerance. Some organizations are comfortable running many risks; others want their risk exposure to zero.

Step 4: Treat Your Risks

Develop a risk treatment plan to eliminate or contain each risk as much as possible. Starting with the highest-priority risk, you and your team should work to solve the threat (or at least mitigate it) so the risk no longer threatens your organization. A good starting point is to connect with the respective experts of each field to which the risk belongs.

Your risk mitigation strategy should include the following:

  • Avoid the risk: stop activities that cause the risk.
  • Reduce the risk: take action to reduce the likelihood of an adverse event occurring.
  • Share the risk: take out insurance to cover the risk or contractually agree with other parties to share the potential recovery costs.
  • Accept the risk: acknowledge that if the threat occurs, the organization will have to bear the consequences and be prepared with a contingency plan.

Using your available resources efficiently is crucial here without derailing your daily operations. Luckily, once you start building a risk register of past projects, you can anticipate risks rather than take a reactive approach.

Step 5: Monitor Your Risks

Regularly monitor, track, and review your risk mitigation results to determine whether your initiatives are adequate or if you need to make any changes. Your team will have to start over with a new process if the implemented risk management strategy isn’t practical.

Avoid impulsive reactions and getting into “firefighting mode” to rectify problems. Instead, a clear, calm perspective will make you better equipped to minimize the harm of project threats and capture opportunities.

What Are the Methods and Processes of Risk Management?

The risk management process is a series of steps to identify, analyze, and respond to possible risks that may arise over your organization’s life cycle, assuring your business remains on track and meets its objectives.

To help you manage your risk more effectively, here’s an overview of the different methods of effective risk management:

Risk Management Strategy

  • Develop a risk management plan
  • Implement comprehensive risk management documentation
  • Assign risk management responsibilities
  • Create a risk-aware culture
  • Use risk training and communication

Risk Assessment

  • Understand the importance of an assessment of risk
  • Identify short-, medium-, and long-term new risks
  • Analyze risk likelihood and impact
  • Implement loss control

Risk Response

  • Know the importance of risk appetite: risk capacity and risk exposure
  • Practice the four Ts of hazard response: tolerate, treat, transfer, and terminate
  • Apply risk control techniques: preventative, corrective, directive, and detective

Risk Assurance and Reporting

  • Evaluate the control environment
  • Carry out internal audit function
  • Apply risk assurance techniques, such as audit committees
  • Report on risk management (risk documentation)
  • Understand and reinforce the importance of corporate reputation

Common Risk Management Process Examples

Predicting what might happen is never easy. So you have to take things one day at a time.

However, that doesn’t mean that you cannot accelerate the process. For example, you can get an idea about what actions to take and which tactics to use to mitigate risks by understanding the different types of risks at play.

Compliance Risks

Regulatory compliance is critical for every organization. You must ensure you have the necessary controls to monitor your company’s compliance with its regulatory obligations. Create a risk management plan to watch all your existing processes, procedures, and technologies to stay compliant.

Market Risks

There’s no guarantee that the product or service you purchase will be priced at the same value in the future. However, you can manage this risk by entering into early and long-term contracts with different suppliers to secure your company’s future, regardless of the market conditions. You can also do the same with customers to stabilize the price of your products or services.

What Are Risk Management Standards?

Risk management standards set out a strategic set of processes that begin with the overall aspirations and objectives of an organization. They are intended to identify risks and encourage mitigation through best practices.

The standards are commonly designed and created by several agencies that collaborate to promote mutual objectives and help further assure that organizations conduct high-quality risk management processes.

Risk management standards are guidelines to help guarantee that risk management is carried out in a structured manner. The standards typically include checkpoints and examples to facilitate compliance by companies.

There are various types of Risk Management Standards.

ISO 31000

ISO 31000 was published in 2009 and revised in 2018. It includes a list of enterprise risk management (ERM) fundamentals and a framework to guide organizations in applying risk management mechanisms to their operations. It also defines processes and tools for identifying, assessing, prioritizing, and mitigating risks.

The ISO 31000 risk management standards framework includes:

  • ISO 31000:2009 – Principles and Guidelines on Implementation
  • ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
  • ISO Guide 73:2009 – Risk Management – Vocabulary

A more strategic focus on ERM is included in the newer 2018 standard. It also further emphasizes the significant role of senior management in risk management and embedding risk management throughout the organization.

British Standard (BS) 31100

This code of practice for risk management was issued in 2011 and offered a process for applying the principles outlined in ISO 31000, including identifying, assessing, responding, reporting, and reviewing.

The Risk and Insurance Management Company’s Risk Maturity Model (RMM)

The RMM framework is being updated, although it is readily available in the initial 2006 version. The RMM lists out seven core attributes of a risk management program and assists organizations in assessing each on a scale ranging from nonexistent to leading.

An RMM risk management assessment, designed as an integrative framework of worldwide, cross-industry standards, enables businesses to determine how well their risk management activities match these best practices. Companies receive a maturity score and practical suggestions to help them enhance their programs and reap the numerous advantages of maturity.

Why Is Risk Management So Important for Your Business?

If you still aren’t sold on the importance of having a sound risk management process for your company’s bottom line, consider the consequences of sitting back and waiting to see how it all turns out. They are not good.

Failed or Restricted Growth

Having a risk management process can sustain and help grow your company. Sure, there’s still a chance some risks will come to fruition despite your best efforts. Still, your chances of success will be higher after identifying, evaluating, and treating risks, facilitating more confident decision-making.

Catastrophic Losses

Managing risk also has profound financial implications. You have much to gain by protecting your company — and potentially everything to lose by not.

You could lose market share simply because you failed to predict changes in market conditions. You could lose money if you fail to anticipate the risks of expanding your company. Moreover, failing to prepare to manage difficulties can further cause irreparable damage to your company’s reputation.

Lawsuits

Non-compliance with laws and regulations increases the odds of your company facing litigation from regulators, employees, customers, competitors, or other parties. Those lawsuits will cost your company money, either in legal fees, settlement costs, or both.

Simplify Your Risk Management Process with ZenGRC

Your organization’s risk management process should become part of your organization’s culture. While you can pursue a manual risk management process, a manual process is prone to errors and other bottlenecks that can result in expensive and damaging consequences.

ZenGRC simplifies risk management with comprehensive views of control environments, easy access to the information needed for risk assessment, and continuous compliance monitoring to address critical tasks at any time.

ZenGRC’s tools and templates enable you to evaluate risks and see the far-reaching effects of each risk faster by providing risk heat maps, dashboards, and reports to give you greater visibility across your organization.

Schedule a demo to see how easy it is to know what risks to mitigate, how to mitigate them, track workflows, collect and store documents, and much more!

Guide to COSO Framework and Compliance

· ·

Intro

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework for internal business controls helps organizations ensure that their financial statements are accurate, their assets and stakeholders are protected from fraud, and their operations are running efficiently and effectively. Its guidance encompasses the entire organization, from auditing to IT.

COSO also helps organizations comply with laws and regulations enacted over the years, including the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002 to protect public companies and their stakeholders from accounting errors and fraud, and the Foreign Corrupt Practices Act (FCPA). For compliance with SOX and FCPA, COSO is the definitive tool.

Although COSO is the United States’ most widely used framework for internal controls, compliance can be challenging and expensive. But it’s not as costly or difficult as recovering from fraud, theft, reputational loss, or legal penalties. (COSO compliance is voluntary, but SOX and FCPA compliance are not.)

To simplify your COSO journey, we’ve compiled an exhaustive trove of information for your use. Read this guide, or skip to the sections most relevant to your enterprise. Along the way, you’ll find links to take you more deeply into any topic. Click away and become an expert in all things COSO.

What Is the COSO Framework?

Fraud deterrence was the main impetus behind forming the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its 1992 framework for internal control: Internal Control—Integrated Framework.

Known as the COSO framework, this document provided the first standard definition of “internal control” and a system that organizations could use to assess the effectiveness of their internal controls.

COSO defines “internal control” as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Unpacking this definition reveals five concepts regarding internal controls.

  • Establishing them is a process, not a destination.
  • They help organizations to achieve objectives—operational, reporting, and compliance.
  • People put them into effect.
  • They can provide “reasonable assurance,” but not absolute assurance, to senior management and the board regarding:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations.
  • They can be adapted to the “entity” structure, applied entity-wide, or to one or more subsidiaries, divisions, operating units, or business processes.

The COSO Framework: A Short History

The Committee of Sponsoring Organizations, or COSO, was initially organized in 1985 to sponsor the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

As its name implies, the NCFR was formed to study why and how fraudulent financial reporting at organizations occurs and to recommend ways to reduce it. The NCFR’s 1987 report focused on internal financial controls, highlighting this crucial topic for perhaps the first time. It also pointed out that there was no standard definition of “internal control” and began a project to create one. The COSO internal control framework, published in 1992, was the result.

Twenty years would pass before an update to the COSO framework. Increased business complexity, globalization, and the ascendant role of IT in business operations were among the factors inspiring the update, released in May 2013.

COSO’s Main Elements

COSO’s five key components of internal control (described in more detail in the next section) are:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities

Each component includes principles—17 principles in all—with supporting “points of focus” to help design, implement, conduct, monitor, and assess internal control processes.

COSO has also published other documents to improve internal control management:

  • Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples—to help users apply the framework to external financial reporting objectives
  • Illustrative Tools—to help users assess the effectiveness of a system of internal control based on requirements listed in the updated framework

The organization in 2004 issued a second framework: Enterprise Risk Management—Integrated Framework, updated in 2017.

What Are the Five Components of the COSO Framework?

COSO defines five risk management components, which are what an organization needs to achieve its objectives, each with corresponding principles:

1. Control environment

  • Commitment to integrity and ethical values
  • Independent Board of Directors’ oversight
  • Structures, reporting lines, authorities, and responsibilities
  • Attract, develop, and retain competent people
  • People held accountable for internal control responsibilities

2. Risk assessment

  • Clear objectives specified
  • Risks identified to achievement of objectives
  • Potential for fraud considered
  • Significant changes identified and assessed

3. Control activities

  • Clear objectives specified
  • Risks identified to achievement of objectives
  • Potential for fraud considered
  • Significant changes identified and assessed

4. Information and communication

  • Quality information obtained, generated and used
  • Internal control information internally communicated
  • Internal information externally communicated

5. Monitoring activities

  • Ongoing or separate evaluations are conducted
  • Internal control deficiencies evaluated and communicated

The five components comprise one face of the “COSO cube,” a three-dimensional framework defining internal control from varying perspectives.

  • Operations controls
  • Reporting controls
  • Compliance controls

These are described in greater detail in this post.

The third face represents an organization’s structure: units, divisions, or processes, each of which may or may not be affected by a particular internal control:

  • Business unit activities
  • Division and function controls
  • Business entity-level controls

Benefits of using the COSO framework

The COSO framework offers several key benefits for organizations implementing it:

  • Provides a common language for internal control concepts across the organization, facilitating communication and coordination.
  • It helps design, implement, and evaluate internal controls more effectively. Principles and focus points guide the process.
  • Clarifying organizational structure, reporting lines, authorities, and responsibilities supports accountability.
  • Identifies and analyzes risks to achieving objectives, enabling risk management.
  • Considers fraud potential when assessing risks, aiding prevention.

COSO Framework Limitations

While useful, the COSO framework has some limitations:

  • Principles-based guidance, not prescriptive requirements. Implementation takes effort and judgment.
  • Subjectivity in assessing effectiveness can lead to consistent application.
  • Focus on financial reporting objectives may result in overlooking operational and compliance risks.
  • More technical guidance on control methods for specific activities like IT security is needed.
  • Ongoing monitoring and updating for changes adds to the administrative workload.

Overall, the COSO frameworks are excellent tools and have assisted organizations in establishing a solid and efficient system of internal controls and fraud protection policies and procedures over the years.

Probably one of the biggest limitations in any ERM framework doesn’t lie within the concepts of the framework itself, but in an area that’s often the most difficult to entirely control—the human factor. COSO admits that even with a well-designed internal control system, internal auditors cannot always uncover risks of human error, poor judgment, management overrides, or employees colluding to circumvent internal control.

To avoid the pitfalls inherent in any framework, more organizations are replacing manual processes with automated systems. Not only does this address many of the limitations of COSO frameworks, but also makes it easier to reduce risk to lower levels and mitigate internal control deficiencies.

What Are the 3 Types of Internal Controls for COSO?

When it was published in 1992, the COSO internal control framework established for the first time a standard, common definition of effective “internal control.” This definition refers to three types of risk management “objectives,” which is what a business hopes to achieve:

Operations Objectives

It concerns the effectiveness and efficiency of entity operations, including operational and financial performance goals and safeguarding assets against loss.

Reporting Objectives

They are concerning internal and external reporting, financial and non-financial. These controls may encompass reliability, timeliness, transparency, or other concepts set forth by regulators or the organization’s policies.

Compliance Objectives

It concerns conformance to relevant laws and regulations.

These objectives form one face of the three-sided COSO “cube,” a three-dimensional model illustrating internal control from various perspectives. The other two dimensions depict “components,” what the entity needs to achieve its objectives, and the organizational structure.

Ten years after the publication of the original COSO framework, in 2002, Congress enacted the Sarbanes-Oxley Act (SOX), which requires that U.S. publicly listed companies report on the effectiveness of their ICFR using a suitable framework. Many companies use COSO’s Integrated Control—Integrated Framework to guide SOX compliance. They may utilize the document’s appendix, The Illustrative Tools for Assessing Effectiveness of a System of Internal Control, for templates and scenarios to use when applying the COSO framework.

What are the COSO Coverage Areas?

One of the three sides of the “COSO cube,” a three-dimensional illustration of how the COSO internal control framework may be applied, lists the areas of an entity to which COSO might be used to achieve operational financial and compliance objectives:

ENTITY LEVEL

DIVISION

OPERATING UNIT

FUNCTION

These four coverage area criteria correlate to the top-down structure of a typical organization. They establish that the COSO framework can be used to gauge the effectiveness of controls for an enterprise as a whole or at the division, operating unit, or function level—and that control activities should take place at all these levels.

The higher the level, the more abstract their relation to financial reporting activities. Entity-level controls often have an indirect relationship to financial statements and can be harder to quantify than more direct process-level controls. Entity-level controls also vary according to an organization’s complexity and risk profile and must be evaluated qualitatively instead of qualitatively.

Relationship of ERM and Internal Controls

Adequate internal controls are essential to Enterprise Risk Management (ERM). ERM helps an organization manage risk at every level, from strategy-setting through review and revision, and uses internal controls to achieve four types of risk-management objectives:

  • Strategic
  • Operations
  • Financial reporting
  • Compliance

Recognizing the importance of ERM and internal control to successful enterprise governance and management, COSO has published an ERM framework as well as an internal control framework:

  • COSO Internal Control—Integrated Framework (updated 2013)
  • COSO Enterprise Risk Management—Integrating with Strategy and Performance (updated 2017)

The COSO ERM framework defines enterprise risk management as:

A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

According to COSO, the COSO ERM framework is a strategic guide to meeting business objectives, while the COSO internal control framework is a tactical guide. 

Although they differ in the key components they list, these are complementary and intended to be applied in tandem.

The internal control framework lists five critical components of internal control:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities

The ERM framework lists five core business activities essential to sound risk management:

  • Governance and culture, including the formulating of mission and vision statements, board oversight, and executive management functions
  • Strategy and objective setting, in which executives and, possibly, the board, define organizational risk appetite and create a high-level plan for achieving corporate goals
  • Performance, in which risks are identified, assessed, and prioritized, and responses to risk implemented
  • Review and revision, which involves assessing performance and striving for continual improvement
  • Information, communication, and reporting, including the use of information technology

Components in the internal control framework correspond to those listed in the ERM framework. ERM and internal control go hand-in-hand; internal control is essential to ERM. One supports the other: having solid internal controls enables managers to focus on operations and business objectives, knowing that the organization has a robust risk management program and complies with applicable laws, regulations, and standards.

Internal Control-Integrated Framework (2013)

The new internal control framework fills in some of the 1992 framework gaps.

The addition of 17 principles, describing how to incorporate the five components into an effective internal control model, transformed the COSO framework into a blueprint for developing new internal controls. The new framework also Incorporated internal controls for IT systems.

A huge leap in corporate governance and risk management, the new version still contains limitations.

The 2013 Framework postulates that to be effective, an internal control system must have all five components and 17 principles “present” and “functioning” and “operating together.” What it doesn’t address is the possibility that, due to size, country of operation, or industry of the business, certain principles may not apply. 

In this case, according to the COSO Framework, a business has “major deficiencies” within the internal control system.

The limitations of the COSO framework in this instance is that it doesn’t offer guidance on how to adjust accordingly.

The New COSO ERM Framework (2017)

According to COSO’s FAQ publication regarding the new framework: “it provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy, enhances the alignment between organizational performance and enterprise risk management, and accommodates expectations for governance and oversight.”

Industry leaders and Boards of Directors alike agree the new standards offer dramatic Improvement in the areas of risk tolerance, risk appetite, and risk response. It’s also acknowledged that the 2017 Framework does a much better job of incorporating risk assessment, objective setting, corporate governance, and reporting objectives across all aspects of the organizational structure, rather than handling those items separately in a silo-based approach. 

A noticeable inadequacy to the new risk management framework is a lack of discussion on issues revolving around risks from external parties or external events.

COSO also guides using both frameworks in its 2014 paper, Improving Organizational Performance and Governance: How the COSO Frameworks Can Help.

COSO Guidance for Health Care Providers

The COSO Internal Control-Integrated Framework: An Implementation Guide for the Healthcare Provider Industry, was published in 2013 by the Committee of Sponsoring Organizations (COSO) in collaboration with professional services firm Crowe and CommonSpirit Health.

The guide is meant to help healthcare businesses navigate the enormously complicated world of U.S. healthcare. It addresses subjects such as access control, system integrity, clinical documentation, coding, and billing procedures; all to help healthcare businesses comply with the Affordable Care Act of 2010, and to protect patient data while health records (EHR) have become the norm. COSO’s guidance provides an outline and best practices for meeting those standards.

“Healthcare organizations experience issues with system access, system integrity, clinical documentation, coding, and billing; all of which may result in potential non-compliance with federal and state regulations—and costly mistakes,” the guide’s executive summary states.

To meet those compliance obligations, the guide says, healthcare organizations “must review their control environment to confirm proper controls are in place to ensure effective and efficient operations, proper financial reporting, and compliance; and that their control environment supports the attainment of the organization’s mission and strategy; and COSO provides the direction to do this.”

How to Implement the COSO Framework

Implementing the COSO internal control framework requires assessing its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles against the organization’s current internal control system and adjusting accordingly.

Failing to enforce the COSO framework principles can violate the federal Sarbanes-Oxley Act’s (SOX) requirements. Auditors evaluating an organization’s ICFR will judge against this standard: When even one of the 17 principles doesn’t function properly, a “major deficiency” is deemed to exist—a “material weakness” under SOX Section 404.

The 17 internal control principles can serve as a handy checklist for enterprises to use to evaluate and strengthen their internal control system—but first, there is the groundwork to be laid. Applying COSO’s internal control or enterprise risk management (ERM) framework requires a systematic, step-by-step approach. To help, we’re providing this roadmap that includes implementation challenges and leading practices.

Implementing the COSO Framework in Five Phases

PHASE 1: PLAN AND SCOPE

Appoint an implementation team. Here’s how it works: The board delegates implementation authority to a committee such as an audit and compliance committee. Managers assign oversight to a management function in the organization, such as internal control or ERM. The team may include accounting managers, staff, and people with a thorough knowledge of how work gets done in the organization.

Develop an implementation plan that includes timing, resources needed, and roles and responsibilities of implementation team members. Determine the scope of the framework’s implementation: Which activities will it measure, and over what period?

At this point, the implementation team will also evaluate the five components of the COSO internal control framework to understand how the enterprise’s internal control system is designed and how well it functions.

In this phase, the implementation team should also meet with the external auditors who will be assessing the organization’s COSO compliance. They must learn their roles, avoid redundancies, and communicate the plan to the board and managers.

PHASE 2: ASSESS AND DOCUMENT

In this phase, the implementation team assesses the organization’s control structure. Are its systems centralized or decentralized? How are entity-level controls structured? Is there a formal ERM process with documented risk management activities? If so, the documents should help analyze where the organization meets COSO framework guidelines and where it falls short. If there is no coordinated approach to ERM, COSO implementation may require more time and effort.

Other activities during this phase include:

  • Assess fraud risk. The COSO internal control framework emphasizes the importance of considering the potential for fraud when evaluating the risks to achieving objectives.
  • Document existing processes and controls. Once managers have identified which processes are relevant to the framework’s control activities, the implementation team can study and record each. Doing so allows them to identify which internal controls apply to each process and where gaps exist. This step may involve interviews with key personnel.
  • Perform gap assessments. This entails comparing the COSO internal control framework’s components and principles to practices in the organization. COSO’s publication Illustrative Tools for Assessing Effectiveness of a System of Internal Control can be helpful.

PHASE 3: REMEDIATE

Now that gap assessments are drawn up, it’s time to remediate those gaps.

  • Make a remediation plan. Prioritize the control deficiencies that pose the most severe vulnerabilities and move down the list to the least serious. Include milestones and a schedule for completion.
  • Implement your remediation plan.

PHASE 4: DESIGN, TEST, AND REPORT

  • Classify controls as critical or non-critical
  • Design procedures for testing each critical control. Each test should consider the risk to be mitigated and the control description—both are equally important to determining a control’s effectiveness. Choose a method of testing for each control. Common methods include:
    • Inquiring: Asking control owners to explain how their controls work
    • Observing: Observing the control in action
    • Examining: Studying all the transactions and documentation associated with a control’s functioning
    • Analyzing: Using data analytics tools to gain insights into controls’ design and operations
  • Test controls, reporting to management on progress and obstacles.

PHASE 5: OPTIMIZE INTERNAL CONTROLS’ EFFECTIVENESS

How do identified risks and controls mesh with your enterprise’s goals, plans, and strategies? The COSO internal control framework can help you align or realign goals and controls. When developing or redesigning controls, consider the following:

  • Control activities such as reconciliation, verification, supervisory, and physical controls
  • Whether controls are preventive, detective, i.e., occurring after a process has begun but before it has concluded, or corrective
  • Whether controls are automated, partially automated (automation enabled or assisted by people) or manual

Once controls are in place, monitoring is critical to ensuring they remain effective. Continuous monitoring with software is preferable to manual tracking. Should a control fail, study the incident carefully to determine its cause for the most effective remediation.

COSO Guidance on Cloud Computing Issues

The information in this section first appeared on radicalcompliance.com August 4th, 2021.

COSO released another guidance document last week, this one talking about how to apply COSO’s enterprise risk management framework for issues in cloud computing. Considering that just about every business under the sun is migrating to the cloud, and that the compliance risks within such migration can be considerable, let’s take a look at what COSO had to say.

The guidance was published last week — 44 pages long, free to all, and like most COSO risk management guidance we’ve seen lately, written in clear, non-technical language that any compliance, audit, or risk professional can understand.

This piece also follows the same pattern we’ve seen in prior COSO risk management guidance. It introduces the ERM framework overall (20 principles in all), and then explores how each principle can be tailored for the subject at hand. In this case the subject is cloud computing, but prior pieces of COSO guidance addressed ethics and compliance, cybersecurity, ESG issues, and other topics.

First, why is such guidance important at all? Because cloud computing has come to be a central IT strategy for most businesses today. From an operations perspective, that makes sense; cloud-based services are cheap and easy to install, and the vendors themselves are probably better at whatever business process you’re outsourcing than you are.

That said, the cloud also poses new risks for privacy, security, and compliance; plus risks around operational resilience if you outsource critical functions to a dud vendor that can’t deliver. So corporate boards, CISOs, audit executives, and compliance officers all have great need to understand what “migrating to the cloud” really means. This COSO guidance unpacks lots of those issues.

One good example comes near the beginning of the guidance. One principle in COSO’s enterprise risk management framework, relating to proper governance and oversight, is “establishes operating structures.” That’s what senior leaders in an organization are supposed to do: establish operating structures so the business can achieve its objectives.

So how does that principle apply when the company is trying to embrace cloud computing?

Well, senior management might need to imagine new roles or responsibilities for various executives as the company moves away from on-premises technology and toward the cloud. For example, vendor risk management would become much more important, since the cloud-based vendors you use would pose more risks (both in absolute number of risks, and in each risk’s severity). Would you therefore redefine the CISO’s role to include vendor risk management — or the privacy officer’s role, or the IT manager’s role? Or would you create some entirely new “chief vendor risk officer” sort of role?

There’s no single correct answer to those questions. The point is that the board and senior management should think their way through such questions before making a large migration to the cloud. That’s what “establishing proper operating structures” means in this context.

Another good example comes from two other principles in the COSO risk management framework, “evaluates alternative strategies” and “formulates business objectives.”

A company can embrace any of several cloud models: public, private, even hybrid clouds. Each one carries different benefits and risks. The public cloud, for example, can be quite cheap; but your privacy risks and need for privacy assurance go up considerably. A hybrid system would be more expensive, but still leave you with more direct control over your data, and therefore over your privacy and compliance risks.

Which one is best? That depends. Your business could make a strategic decision to collect less personally identifiable information, meaning your privacy risks would decline and you could use cheap, public cloud systems more freely. Or maybe collecting all that PII is important enough that you want to keep collecting it, even if that means you spend more time and money to manage privacy and compliance risks among your cloud-based vendors.

Again, however, the point is that migrating to the cloud raises these new questions — questions about strategy, governance, performance, and so forth, that senior leaders previously didn’t need to consider. This COSO guidance is a good framing mechanism to understand the questions you should be pondering, to assure that you embrace this technology wisely.

And since it’s so informative, here’s a chart from COSO explaining the roles and responsibilities that exist under various cloud-computing models.

diagram: Responsibility by Cloud Deployment Model and Cloud Service Delivery Model
Source: COSO

What Are The Differences Between COBIT and COSO?

Developed by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, comprising five private-sector organizations, the COSO Internal Control—Integrated Framework focuses primarily on an enterprise’s internal control system and financial reporting processes, with fraud prevention in mind.

COBIT, or Control Objectives for Information and Related Technologies, is supported by ISACA, an international professional organization focused on IT governance. The COBIT framework helps with the quality, control, and reliability of an organization’s information systems and facilitates best practices in risk management as associated with IT processes.

Both frameworks list three objectives and five components needed to achieve those objectives in their respective areas (financial controls and IT controls).

The COSO internal control framework’s objectives:

  • Operations
  • Financial reporting
  • Compliance

Its components:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities

COBIT 5’s main objectives:

  • Benefits realization
  • Risk optimization
  • Resource optimization

Its “five principles”:

  • Meeting stakeholder needs
  • Covering the enterprise end-to-end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating corporate governance from management

In other words, COSO governs internal control, which it defines as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

COBIT 5 enables the governing and management of IT holistically throughout the enterprise. It encompasses the entire end-to-end business and IT functional areas of responsibility and considers the IT-related interests of internal and external stakeholders.

Although their focus differs, the two complementary frameworks can be applied in tandem. Doing so is recommended to maximize risk management and controls throughout the organization.

Both frameworks can effectively achieve compliance with the Sarbanes-Oxley Act (SOX), a federal law intended to prevent accounting errors and fraud in public companies.

For most entities, the COSO framework and SOX compliance go hand-in-hand. Because COSO focuses on financial controls and fraud prevention, it dovetails nicely with SOX, and COSO framework compliance guarantees SOX compliance.

Enacted in 2002, SOX does not spell out compliance requirements for IT; however, many enterprises use COBIT to help ensure that their IT systems and processes comply with the law’s requirements.

The two complement each other in another way: COSO is more theoretical, establishing the guiding principles for organizations to use for building risk tolerance and reducing fraud, while COBIT 5 is more practical, offering concrete suggestions for how to create controls related to IT.

How Do COSO Audits Work?

Because COSO’s Internal Control—Integrated Framework is a framework, not a regulation or requirement, a COSO audit, by definition, doesn’t exist.

However, the COSO framework is beneficial for compliance with SOX, which federal law requires for all publicly traded companies. The U.S. Securities and Exchange Commission watches financial reporting closely and, since SOX’s passage in 2002, demands that those reports be transparent, accurate, and verified by an independent auditor. Noncompliance could cost your organization tens of millions in fines and send your CFO to prison for 20 years.

SOX is highly complex. Each of its 11 sections delivers a different mandate, covering oversight, auditor independence, corporate responsibility, financial statements, annual reports, and more. The regulation is intended to secure public companies, stakeholders, and customers against financial fraud, which is why most organizations audit their SOX compliance using the COSO framework.

COSO was designed to help manage financial risk and improve internal control. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was initially named the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

The Treadway Commission devised the Internal Control—Integrated Framework to help businesses comply with SOX Section 404: Management Assessment of Internal Controls, the regulation’s most complex, demanding, and expensive section. Essentially, COSO helps entities strengthen their internal control system to protect their data, especially financial information, from tampering.

Another result of SOX was the formation of the Public Company Accounting Oversight Board (PCAOB), an independent agency that regulates external audit firms and establishes auditing standards for external auditors—including Auditing Standard No. 5, or AS5, used by auditors to gauge compliance with various SOX sections including.

  • Section 404, rules for assessing internal controls
  • Section 302, establishing management’s responsibility for financial reports
  • Section 401, rules for enhanced financial reporting disclosures
  • Section 409 requires the immediate disclosure of significant changes in economic conditions and operations
  • Section 802, setting penalties for altering documents
  • Section 806 rules regarding whistleblowers

Preparing for your COSO audit

Thorough preparation is key for a successful COSO audit. Here are some tips:

  • Review framework components and principles and compare them to internal controls.
  • Identify gaps where controls fall short of principles. Develop remediation plans.
  • Document key processes and controls, detailing how they address COSO.
  • Collect evidence that controls are functioning.
  • Interview personnel to ensure they understand control responsibilities.
  • Perform trial audits, testing controls, and processes to remediate failures.
  • Coordinate with the external auditor to avoid redundancies.
  • Verify controls over financial reporting are effectively designed and operating.

Using COSO for SOX Compliance

The best way to ensure that your enterprise is audit-ready for SOX is to use COSO to establish a robust internal control framework.

The independent external auditor you will hire to audit your SOX compliance will almost certainly use COSO standards to measure your controls. ZenGRC’s “Preparing for a SOX Audit Using COSO” audit checklist walks you through the questions you must ask to prepare for this audit.

To prepare for the audit, follow these four steps, using COSO’s five components and 17 principles for achieving financial reporting objectives as a guide.

  1. Prepare a framework
  • Control environment
    • Commitment to integrity and ethical values
    • Independent Board of Directors’ oversight
    • Structures, reporting lines, authorities, and responsibilities
    • Attract, develop, and retain competent people
    • People held accountable for internal control
  • Risk assessment
    • Clear objectives specified
    • Risks identified to achievement of objectives
    • Potential for fraud considered
    • Significant changes identified and assessed
  1. Identify your internal controls
  • Control activities
    • Control activities selected and developed
    • Controls developed through policies and procedures
    • General IT controls selected and developed
  • Information and communication
    • Quality information obtained, generated and used
    • Internal control information internally communicated
    • Internal information externally communicated
  1. Test your controls
  • Monitoring activities
    • – Ongoing and separate evaluations conducted
    • – Internal control deficiencies evaluated and communicated
  1. Get help if you need it.

Modern challenges require modern solutions—including software that can automate many of these processes, greatly simplifying the task of SOX compliance using a framework such as COSOs.

How To Automate Your COSO Compliance

Created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO internal control framework may initially seem simple. After all, there are only five components—control environment, risk assessment, control principles, information and communication, and monitoring activities—and 17 principles.

But the framework’s high-level mandates require a long list of action items and processes—not easy to implement manually and downright tricky if you use spreadsheets for your compliance program.

Automation is the answer. Today’s technologies take much guesswork and grunt work out of compliance with regulations, standards, and frameworks. Whether your organization struggles to manage cyber risks and achieve cybersecurity goals, improve performance management, meet business objectives, or comply with mandates, software solutions can simplify these tasks and streamline compliance efforts.

When choosing a solution, look for:

  • Fast, effortless deployment
  • User-friendly design
  • In-a-click internal audits
  • Integrated, multi-framework dashboard
  • Easy evidence collection
  • Automatic framework updates

ZenGRC Has GRC Solutions for COSO Compliance

ZenGRC’s governance, risk, and compliance software-as-a-service, ZenGRC, offers all these features. 

Used by the world’s leading companies, ZenGRC is a cloud-based solution with fast, easy deployment, unified control management, and a centralized dashboard for simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. With ZenGRC, you can comply with COSO and SOX.

Contact a ZenGRC expert today to request your free demo and embark on the worry-free path to regulatory compliance—the Zen way.