Welcome to the fifth post of our COSO 2013 blog series. To date, we have discussed how to develop a control environment, execute risk assessments, and design control activities. In this blog, we will cover how to leverage information to make insightful decisions concerning your control environment, and how to communicate your control objectives to both internal and external parties.
Overview of Information and Communication under COSO 2013
While information and communication is a separate component of internal control, it is critical to the success of your entire internal control program, and should be applied to each of the internal control components. COSO defines information as “the data that is combined and summarized based on relevance to information requirements. Additionally, communication is defined as “the continual, iterative process of providing, sharing, and obtaining necessary information.”
The information and communication component of internal control includes three principles:
- “The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of internal control.”
Relevant, and high-quality data is imperative for operating a control environment. Organizations need to put processes in place that ensure management has access to accurate, valid, relevant, and timely data. Without it, organizations cannot make thoughtful decisions concerning internal control.
Read: 4 Seasons of Data Management
Additionally, companies need to have tools in place that allow them to communicate internally. Control objectives should be communicated in a concise and easy to understand fashion. Multiple methods should be in place to ensure that employees are made aware of control objectives. This can include policies and procedures, knowledge documents, trainings, emails, and dashboards.
Lastly, in addition to communicating internally, companies need to have the proper mechanisms in place to communicate with external parties. These communication methods should include anonymous channels for external parties to provide information to a company such as hotlines or surveys.
COSO 2013’s Major Impacts on Information and Communication:
At its core, the primary objectives of the Information and Communication component of internal control are unchanged from the 1992 framework. However, the 2013 framework acknowledges the increased reliance on technology to perform critical business functions. It’s for this reason that the 2013 framework places increased attention on the quality and reliability of electronic information to support each component of internal control. This and/or the increased focus on the following may impact your organizations’ control environment:
- Understating a company’s internal and external data flows
- Ensuring accuracy and integrity of data
- Maintaining open communication methods that allow both internal and external parties to report items concerning internal control objectives
- Leveraging technology to ensure that information is accessible, accurate, timely, and relevant
How can ServiceNow Help with COSO 2013’s Information and Communication?
Any auditor or risk manager will tell you, one of the most difficult aspects of managing a system of internal control is locating, gathering, and centralizing information to support the process. Disparate systems, processes, and procedures throughout the organization can be difficult to manage. It is for this reason, that we at Intreis are so focused on the integration of Service Management and GRC on a single shared platform.
Having data from your high-risk processes on the platform means that risk managers can access and query that information directly, ensuring that no data is modified or corrupted along the way. Embedding controls directly into your processes ensures that the process continues to operate, as designed, for the life of the process.
There is not a single process that doesn’t benefit from direct integration with a GRC platform. GRC ensures that processes adhere to policies, operate consistently, and deliver accurate report information to management. So when looking to introduce automation to a process, consider using the ServiceNow platform’s existing applications, or build your own using CreateNow.
Read: 4 Reasons Why You Should Enable Your ITSM & GRC Objectives on 1 ServiceNow Platform
The ServiceNow platform also offers powerful features that can supercharge your processes and ensure data quality. Here are a few of our favorites:
Surveys & Assessments
Not all information that supports an organization’s decision making is quantitative. Some critical information is qualitative and may exist within specialized groups and individuals. Accessing this information can be challenging and is subject to interpretation as it passes from person to person.
With ServiceNow’s survey engine, questions can be drafted and assigned directly to groups or individuals for completion. With the assessments engine, survey responses can be converted to quantitative metrics that can be used to compare similar records. This is especially useful for the Change Management, Vendor Management, and Risk Management processes, but can be applied to any process where there is a use case for surveys.
Data Certification
Unfortunately, static data points do not always remain accurate over time. Employees come and go, responsibilities change, servers are upgraded, etc. If this data is not dynamically updated in real, there is a risk that it will become stale. ServiceNow’s data certification engine acts as a control to ensure that records are periodically reviewed, and updated when discrepancies are found.
Read: Using Cloud Communications to Assist with Corporate Data Certification
Discovery
The Configuration Management Database is one tool that can easily fall victim to stale data. Data Certification is a great way to ensure accurate configuration information, but still requires manual effort. With ServiceNow Discovery, automated probes can scan network devices and update configuration records in the CMDB. When used alongside Configuration baselines, you can quickly identify changes that were authorized by the change management process, and those that may not have been authorized. This is a great feature when auditing your change process!
Knowledge Management
The ServiceNow Knowledge Base is a great tool that ensures that all important information is readily available to employees, especially those in IT. Knowledge Management helps insure that important information is captured and shared across the organization. For example, known-errors in problem management that have a documented workaround can be communicated to all users as a news or knowledge article. This can help to reduce calls to the service desk, while also assisting business users to access their critical applications. When used with the GRC application, policies, standards, and procedures are stored, managed, and communicated using Knowledge Base features. Automated workflows ensure that these articles are updated following significant organization or technology changes.
That concludes the Information and Communication component of COSO 2013. In our next and final post, we’ll wrap up with Monitoring Activities.
About the authors
“Life is too short to not hit the ground running” - john linamen
