Page 109 - CITP Review

Information and communication also includes information about internal controls as well as accounting or financial reporting information.

The monitoring element involves control activities about controls themselves.

Specifically, monitoring involves regular reviews of controls to assess the ongoing quality of the control over time. This element would include formal, structured processes of ongoing monitoring such as regular management review, supervisory activities, technology designed to monitor controls in an ongoing fashion, and other manual activities. The ongoing aspect could be literally 24/7, or it could be activities taken offline but done at regular intervals. The primary goal is to identify changes in the internal control system¹⁶, for instance, when a control needs to be changed or deleted, or when a new control is needed.

Monitoring would identify internal control deficiencies and communicate them in a timely manner to the appropriate party. An example would be SOX section 404 compliance, where key controls are evaluated every year for most public companies.


COBIT

Control Objectives for Information and related Technology (COBIT) is a framework provided by the IT Governance Institute (ITGI) of ISACA, and is based on decades of its publications, under similar names, that documented best practices in IT audit. The current framework is provided in formats for management and auditors.

COBIT is from the IT process perspective, which includes the following four primary processes (called domains), which are basically sequential and circular:

  Planning and organizing (PO)
  Acquire and implement (AI)
  Deliver and support (DS)
  Monitor and evaluate (M).

Each domain is broken down further into subprocesses, 34 in total (see exhibit 3-6 for a summary of these two levels of COBIT). Each subprocess is then broken down into over 300 activities (life cycle) or tasks (discrete), which are essentially control objectives for that subprocess. The activities (life cycle) or tasks (discrete) can be used for designing audit procedures, evaluating IT controls, and even assessing IT risks.


COBIT has other beneficial aspects, such as information criteria; the fact that it includes business requirements, IT resources, and IT processes; and questions for domains, processes, and activities or tasks. Exhibit 3-6 shows the main aspects of the framework.









¹⁶ See the 4th phase of CDLC, monitoring, which is essentially the same as COSO’s monitoring element — Section 3.1.1.3.4


© 2019 Association of International Certified Professional Accountants. All rights reserved.    3-25