advisor - january/february 2012



DESCRIPTION

A newsletter for public companies published by Schneider Downs, a CPA and business advisory firm.


• Expanding the definitions of governance roles in an organization.

• Increased focus on operations and compliance objectives and on non-financial reporting objectives. This version expands the reporting category beyond only external reporting of financial information to include compliance and internal reporting.

• Considering fraud risk relating to material misstatement of reporting, inadequate safeguarding of assets and corruption as part of the risk assessment process.

• Considering different organizational structures and business models, including an attribute concerning activities managed both internally and externally to an organization.

Overall, the updated 2012 version of ICIF should assist management with a framework that is easier to interpret, with considerable emphasis on operational and compliance-

The Technical Resource for the Region’s Largest Organizations

Proposed Changes to the 1992 COSO Internal Control - Integrated Framework

by Nicole P. Saldamarco, CPA, CIA, Senior Manager, Internal Audit and Risk Advisory Services

—Continued on Page 2

Feature Story

Jan/Feb 2012

The Advisor

Mobile Security

by Frank E. Dezort III, CISA, Senior Manager, Internal Audit and Technology Advisory Services

—Continued on Page 2

It has been nearly 20 years since the original COSO Framework was introduced in 1992. By the end of 2012, COSO anticipates publishing the 2012 Internal Control – Integrated Framework (ICIF). The new framework is an update rather than a replacement: the 2012 ICIF enhances the application of the initial 1992 ICIF and provides more structure to assist in the evaluation of a company’s internal control activities. It does not change the underlying definition of internal control or the five components of internal control.

Some of the specific changes included in the 2012 version include:

• Application of a principles-based approach. The framework now explicitly lists 17 principles to apply under the five internal control components, which are supported by attributes.

• Broadening the discussion of the evolution of technology and expanding the discussion of the relationship between automated control activities and general controls over technology.

1133 Penn Avenue | Pittsburgh, PA 15222 | 412-261-3644
41 South High Street, Suite 2100 | Columbus, OH 43215 | 614-621-4060

www.schneiderdowns.com

As technology provides better mobile tools (e.g., cell phones and tablets) that make us more effective and efficient, we must remember that these tools bring additional risks. Along with the array of benefits that new mobile tools provide come exposures and vulnerabilities of the information they hold.

New risks to an organization include:

• Handheld devices’ small size and mobility make them easier to misplace or to have stolen than a laptop or notebook computer. If handheld devices fall into the wrong hands, it can be easy for thieves to gain access to the information they store, or to access the devices remotely.

• Scripting of passwords and account information is highly popular on mobile devices: voicemail passwords, conference numbers and PIN codes, account information and remote-access passwords are saved on the device for convenience, and they are frequently stored in clear text.

• Communications networks, desktop synchronization and corrupted storage media can be used to deliver malware, perhaps disguised as a game or application. Once installed, malware can initiate a wide range of attacks and spread itself onto other devices.

related internal controls. Additionally, there is a renewed emphasis on all five components of internal control, versus merely concentrating on monitoring and control activities.

How do these changes impact you and your organization? What do you need to do? In order to ensure that your organization continues to be in compliance with the COSO framework, review the exposure draft and:

1) Begin to prepare your board and management for the changes by informing them of the changes.

2) Commence the review of the 17 principles listed in the exposure draft to ensure that your existing control environment is consistent with these principles.

3) Assess the impact that the changes may have and your organization’s level of effort to adopt the new framework.


Nicole Saldamarco is a Senior Manager with Schneider Downs' Internal Audit and Risk Advisory Services. Nicole's experience includes fraud and entity risk assessments, Sarbanes-Oxley initial compliance and ongoing testing, control optimization, documentation and understanding of companies' control environments, and providing valuable process improvement recommendations. For more information on this article, or to discuss similar topics, contact Nicole Saldamarco at [email protected].

Frank Dezort is a Senior Manager with Schneider Downs' Internal Audit and Technology Advisory Services. Frank specializes in providing technology risk management, internal audit, Sarbanes-Oxley, internal control and information security consulting, and technology advisory services. For more information on this article, or to discuss similar topics, contact Frank Dezort at [email protected].

Is there a topic you would like us to cover in the next issue? Contact Charles A. Oshurak, Senior Manager, at 412-697-5396 or [email protected] with your suggestions.

Mobile Security, continued from Page 1

• Cell phones and tablets are subject to spam, which can be used for phishing attempts to gain password or account information.

• Server-resident content, such as electronic mail maintained for a user by a network carrier as a convenience, may expose sensitive information through vulnerabilities that exist at the server.

• A lack of passwords, or easily guessed passwords, on mobile devices makes the device more convenient to use but leaves it vulnerable.

Cost-effective and reasonable measures can be used to protect the device and the information it stores and so reduce the risk to an organization. These steps include:

• Avoid keeping sensitive information, such as personal and financial account information, on a handheld device. Sensitive data could also be maintained on password-protected, encrypted removable memory cards that are kept separately from the device until needed.

• If the presence of sensitive data is not avoidable, the data should be kept in a suitable encrypted form until required. Some devices support built-in encryption capabilities.

• Although it is convenient, maintaining PINs, passwords, user IDs and account numbers on a handheld device should also be avoided.

• Any messages or contacts received on a mobile phone from an unknown number or device should be deleted without opening them.

• Any prompt on a mobile phone to install an unknown program, where the installation was not initiated by the user, should be declined.

• Controls over password length and composition and over the number of entry attempts should be required, along with the ability to perform a remote password reset and remote erasure or locking of the device.

• Controls to restrict application downloads, access and use should be required.
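The passcode-composition, attempt-limit, remote-reset and remote-erasure controls in the list above can be expressed as a small state machine. The following Python is an added example written for this page, not code from the newsletter or from Schneider Downs; the thresholds (8 characters, lock after 5 consecutive failures, wipe after 10) and the class and function names are assumptions chosen for illustration. It also shows the converse of the clear-text storage risk described earlier: the device keeps only a salted PBKDF2 verifier of the passcode, never the passcode itself.

```python
import hashlib
import os
import re
import secrets

# Policy values are assumptions for this example; the newsletter sets no numbers.
MIN_LENGTH = 8                 # minimum passcode length
MAX_FAILED_BEFORE_LOCK = 5     # lock the device after this many consecutive failures
MAX_FAILED_BEFORE_WIPE = 10    # erase stored data after this many consecutive failures
PBKDF2_ROUNDS = 100_000        # work factor for the stored passcode verifier


def check_passcode_policy(passcode: str) -> list[str]:
    """Return the policy violations for a proposed passcode (empty means compliant)."""
    problems = []
    if len(passcode) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", passcode):
        problems.append("no letter")
    if not re.search(r"[0-9]", passcode):
        problems.append("no digit")
    if len(set(passcode)) == 1:
        problems.append("single repeated character")
    return problems


class HandheldDevice:
    """Model of a handheld's passcode check and lockout/wipe state machine.

    The passcode is never stored: only a random salt and a PBKDF2 verifier are
    kept, so an image of a stolen device does not yield the passcode in clear text.
    """

    def __init__(self, passcode: str):
        self.failed_attempts = 0
        self.locked = False
        self.wiped = False
        self.data: dict[str, str] = {}
        self._set_passcode(passcode)

    @staticmethod
    def _derive(passcode: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

    def _set_passcode(self, passcode: str) -> None:
        problems = check_passcode_policy(passcode)
        if problems:
            raise ValueError("passcode rejected: " + ", ".join(problems))
        self._salt = os.urandom(16)
        self._verifier = self._derive(passcode, self._salt)

    def store(self, key: str, value: str) -> None:
        """Save a record on the device; refused once the device is locked or wiped."""
        if self.locked or self.wiped:
            raise PermissionError("device is locked or wiped")
        self.data[key] = value

    def unlock(self, attempt: str) -> bool:
        """Local unlock attempt; failures escalate to lock and then to wipe."""
        if self.wiped:
            return False
        if not self.locked and secrets.compare_digest(
            self._derive(attempt, self._salt), self._verifier
        ):
            self.failed_attempts = 0
            return True
        # A locked device rejects even the correct passcode until an administrator
        # resets it, and further guesses keep counting toward the wipe threshold.
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_BEFORE_WIPE:
            self.remote_wipe()
        elif self.failed_attempts >= MAX_FAILED_BEFORE_LOCK:
            self.locked = True
        return False

    def remote_lock(self) -> None:
        """Administrator action for a device reported lost."""
        self.locked = True

    def remote_reset(self, new_passcode: str) -> None:
        """Administrator action: set a new compliant passcode and clear the lockout."""
        if self.wiped:
            raise RuntimeError("device was wiped; it must be re-enrolled")
        self._set_passcode(new_passcode)
        self.failed_attempts = 0
        self.locked = False

    def remote_wipe(self) -> None:
        """Administrator action, or automatic on too many failures: erase everything."""
        self.data.clear()
        self._verifier = b""
        self.wiped = True
        self.locked = True


def demo() -> dict:
    """Walk one device through enrolment, a guessing attack, lockout, reset and wipe."""
    device = HandheldDevice("Summer2012")          # constructed sample passcode
    device.store("client_list", "ACME, Globex")    # constructed sample record
    out = {"weak_rejected": check_passcode_policy("1234")}
    for _ in range(MAX_FAILED_BEFORE_LOCK):
        device.unlock("password")                  # attacker's guesses
    out["locked_after_guessing"] = device.locked
    out["correct_code_while_locked"] = device.unlock("Summer2012")
    device.remote_reset("Winter2013!")
    out["unlocked_after_reset"] = device.unlock("Winter2013!")
    for _ in range(MAX_FAILED_BEFORE_WIPE):
        device.unlock("password")
    out["wiped"] = device.wiped
    out["data_after_wipe"] = dict(device.data)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two behaviours are worth noticing when running it: while the device is locked, the correct passcode is rejected until an administrator performs the remote reset, and the failure counter keeps running through the lock, so a thief cannot avoid the wipe simply by pausing after the first lockout.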

The most effective way to address the risks introduced by new mobile technology is for organizations to plan for and address the security aspects of mobile devices up front. Security is much more difficult to address once deployment and implementation are underway, so risks and vulnerabilities should be considered from the beginning. Organizations should employ appropriate security management practices and controls over mobile devices that include:

• Organization-wide security policy for mobile handheld devices

• Risk assessment and management

• Security awareness and training

• Configuration control and management

• Certification and accreditation