COSO-COBIT Common Aspects
Internal Control - COSO
COSO was published in 1992 and its latest version was published in 2013, where it is conceptualized as an Integrated Framework for Enterprise Risk Management (ERM) that helps establish the Risk Management Model and provides guidance to companies for developing and applying the activities.
Objective
• Identify potential events that may affect the organization
• Manage risk; and
• Provide reasonable assurance that helps achieve the Organization's objectives
COSO defines Internal Control as "a process carried out by the Board, Management and Personnel of an entity, designed to provide reasonable assurance regarding the achievement of the organization's objectives".
COSO Mission
COSO Components and Their Dimensions
[Figure: the COSO cube, showing its three dimensions: Objectives, Structure, and Components of internal control]
Objectives:
• Operational objectives: refer to the effectiveness and efficiency of the entity's operations, including its financial and operational performance objectives, and the safeguarding of its assets against possible losses.
Objectives
[Figure: text boxes describing the components of internal control]
• Identify, analyze and manage business risks
• Promote a collective attitude to achieve effective internal control
• Information must be identified, captured and communicated in a timely manner
• Define the activities that mitigate risks and thus achieve the entity's objectives
It is important to note that a single objective may relate to more than one definition or goal.
Operational:
• Promotes efficiency and effectiveness in operations through standardized processes.
• Ensures the safeguarding of assets through control activities.
Information:
• Promotes data integrity in business decision making.
• Assists in the prevention and detection of fraud by creating an auditable evidence trail.
Compliance:
• Helps maintain compliance with laws and regulations through periodic monitoring
Relationship between Components and Principles
Of the five components of Internal Control established by COSO, the seventeen principles that represent the fundamental concepts related to the components must be considered for the establishment of an effective Internal Control System.
Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibilities
4. Demonstrates commitment to competent talent
5. Enforces accountability
Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risks
8. Assesses fraud risk
9. Identifies and analyzes significant changes
Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
COBIT 5
COBIT 5 provides a comprehensive framework that helps enterprises achieve their objectives for the governance and management of enterprise IT.
[Figure: the five principles of COBIT 5]
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
• Helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
• Enables IT to be governed and managed holistically for the entire enterprise, covering the full end-to-end business and the IT functional areas of responsibility.
• Considers internal and external interests.
The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customized goals within the context of the enterprise, the IT-related goals and the enabler goals.
[Figure: the goals cascade. Labels: Stakeholder drivers (environment, technological evolution, …); influence; Enterprise goals; cascade to; cascade to; Enabler goals]
Source: COBIT, an ISACA Framework
COBIT Enablers
[Figure: COBIT 5 enablers. Recoverable labels under Resources: 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies]
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
COSO and COBIT
Control Environment
"1. Demonstrates commitment to integrity and ethical values": The COBIT 5 Culture, Ethics and Behaviour enabler addresses enterprise ethics and individual ethics and behaviors, including risk taking, by following policy and addressing negative outcomes. The COBIT 5 processes EDM01 Ensure governance framework setting and maintenance and APO01 Manage the IT management framework include activities to embed enterprise integrity and ethical value aspects within the governance and management framework. The COBIT 5 process APO07 Manage human resources includes activities to address integrity and ethical value aspects from a human resources perspective.
"2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control": The COBIT 5 principle Separating Governance from Management supports the second COSO principle by differentiating governance and management disciplines and making independence easier to establish and maintain. In addition, all five COBIT 5 governance processes (EDM01 through EDM05) reinforce this separation in their RACI chart guidance.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
"4. Demonstrates commitment to competent talent": The COBIT 5 People, Skills and Competencies enabler addresses the life cycle aspects that are related to people: knowing the current skills base; the skills that need to be retained, developed or acquired to meet enterprise goals; and the skills that can be disposed of when no longer needed. COBIT 5 process APO01 Manage the IT management framework includes activities to establish roles and responsibilities to support achievement of enterprise objectives. COBIT 5 process APO07 Manage human resources includes activities to address the attraction, development and retention of competent people.
"5. Enforces accountability": The COBIT 5 Processes enabler and the RACI charts that support the 37 processes are particularly relevant in the context of individual accountability. The enabler and charts strongly advocate the assignment of responsibilities and accountabilities and provide examples of roles and responsibilities for the individual and group roles for all key GEIT-related processes and activities.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
Risk Assessment
"7. Identifies and analyzes risks": The COBIT 5 Processes enabler guidance specifically addresses risk governance (process EDM03 Ensure risk optimisation) and management (process APO12 Manage risk). These processes include the practices and activities required to govern and manage risk effectively, including the identification, analysis and management of the risk. These processes drive other areas, e.g., information security and business continuity, which are addressed by other specific COBIT 5 processes.
"8. Assesses the possibility of fraud risk": The COBIT 5 framework does not focus on fraud as a specific business risk, although the guidance supports the establishment of a sound governance and management environment, within which practices and supporting activities can be established and performed to support effective fraud prevention activities. The specific inclusion of the COBIT 5 Culture, Ethics and Behaviour enabler helps to ensure that a culture that is fraud-risk-aware is established and that the consequences of engaging in such behavior are clearly communicated where appropriate. COBIT 5 processes EDM01, APO01 and APO07 support culture, ethics and behaviour objectives, including an enterprise's approach to fraud. COBIT process MEA03 Monitor, evaluate and assess compliance with external requirements should also be considered, because fraud prevention (bribery, privacy, etc.) is often part of an enterprise's external compliance requirements.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
"9. Identifies and analyzes significant changes": The COBIT 5 Processes enabler guidance specifically addresses changes in COBIT 5 process BAI06 Manage changes, which is directly linked to the IT-related goal "Managed IT-related business risk." This process, like the COSO principle, recognizes that changes within an enterprise can introduce risk and, therefore, need to be a focus from this perspective.
Further, as changes occur in all areas of control activity (information, applications and general control activities over technology), these changes are addressed by various COBIT 5 processes. COBIT 5 process APO01 Manage the IT management framework addresses the management framework and manages changes to general controls. COBIT 5 process BAI06 Manage changes and, for programs and projects, COBIT 5 process BAI02 Manage requirements definition manage the changes to business processes, applications and infrastructure.
All changes need to be tested and approved by following the COBIT 5 process BAI07 Manage change acceptance and transitioning. Impacts to business processes are handled according to COBIT 5 process BAI05 Manage organisational change enablement.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
Control Activities
"10. Selects and develops control activities": The COBIT 5 Processes enabler guidance for the 37 COBIT 5 processes supports enterprises in their selection and development of control activities and other arrangements (e.g., structural segregation of duties), particularly with the practices and activities to consider for IT-related enterprise processes. This guidance includes how the IT-related enterprise process practices and activities support the IT-related goals of "Managed IT-related business risk," "IT compliance and support for business compliance with external laws and regulations" and "IT compliance with internal policies."
"11. Selects and develops general controls over technology": The COBIT 5 principles and enablers can be applied to the governance and management of any type of enterprise activity as described in the previous paragraph (COSO principle 10). Detailed COBIT 5 guidance relates generically to the governance and management of information and information technology assets. As such, the detailed guidance in COBIT 5 is directly supportive of COSO principle 11, "selects and develops general control activities over technology." Control activities can be process activities within all of the 37 COBIT processes or relate to other enabler types. In particular, COBIT 5 process DSS06 Manage business process controls ensures that control activities that are embedded in business processes (automated controls or application controls) are adequately managed.
"12. Deploys through policies and procedures": The COBIT 5 Principles, Policies and Frameworks enabler is central to effective enterprise IT governance and management. Enterprise policies are central to COBIT 5 support of achievement of enterprise goals, including mitigation of risk through the use of appropriate activities. COBIT 5 process APO01 Manage the IT management framework includes activities that address the implementation of enterprise policies.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
Information and Communication
"13. Uses relevant, quality information to support the functioning of internal control": The COBIT 5 Information enabler model describes 15 Information quality goals, which are categorized into intrinsic, contextual and security/accessibility quality dimensions. Considering each quality goal helps enterprises to ensure that the information used supports enterprise business goals, including control objectives. The guidance for the 37 COBIT 5 processes includes inputs and outputs that are the communication of information across, and to and from, the enterprise. In particular, COBIT 5 process MEA01 Monitor, evaluate and assess performance and conformance addresses performance and conformance data, and COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control addresses control effectiveness reviews.
"14. The organization communicates information internally, including the objectives and responsibilities that are necessary to support the functioning of the internal control system": The COBIT 5 framework provides sound, structured and comprehensive guidance that facilitates effective internal communication of GEIT aspects and issues between the multiple internal stakeholders. This includes the communication of clear objectives that result from the goals cascade, including Processes enabler goals (objectives), which are provided for all 37 COBIT 5 processes.
The need to communicate information with stakeholders as part of enterprise process design and execution, to support the achievement of process and related business goals, is addressed in the RACI charts, with the responsibilities of "consult" and "inform," and the input and output suggestions that support the process guidance for the 37 COBIT 5 processes.
This communication is implemented and managed following COBIT 5 process APO01 Manage the IT management framework. In addition, a comprehensive guide, COBIT 5 Implementation, is available.
Monitoring Activities
"16. The organization selects, develops and performs ongoing and/or separate evaluations to determine whether the components of the internal control system are present and functioning": The COBIT 5 Processes enabler guidance specifically addresses monitoring, evaluation and assessment of internal control adequacy (COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control). This process includes the practices and activities that are required to monitor internal controls; review business process controls effectiveness; perform control self-assessments; identify and report control deficiencies; ensure that assurance providers are independent and qualified; and plan, scope and execute assurance activities.
"17. The organization evaluates and communicates internal control deficiencies in a timely manner to the parties responsible for taking corrective action, including senior management and the board, as appropriate": As noted in the previous paragraph, COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control includes the practices and activities that are required to identify control deficiencies; analyze and identify their underlying root cause; escalate control deficiencies; and report to stakeholders as appropriate. In addition, COBIT 5 process EDM05 Ensure stakeholder transparency includes practices and activities to evaluate, direct and monitor stakeholder reporting and communication requirements, including those that are related to control deficiencies, to senior management and the board, as appropriate.
Source: Relating-the-COSO-Internal-Control-Integrated-Framework-and-COBIT_whp_Eng_0314
Conclusion
COSO and COBIT are two reference frameworks that complement each other, with the aim of giving organizations a solid reference framework to improve the internal control process through adequate enterprise risk management, including the IT component through the establishment of governance and management practices aligned with the objectives and needs of the business.
Thank you!
Fernando López Luna
Lead Partner, Internal Audit and Corporate Governance services
[email protected]
Alberto Durán J.
Lead Partner, IT Risk services
[email protected]
Guadalajara office:
Ave. Patria 2085, Piso Mezzanine
IOS Offices Andares Corporativo Patria
Fraccionamiento Puerta de Hierro
Zapopan, Jal. CP 45116
[email protected]