COBIT 5 Applied to the Argentine Digital Accounting System

By Graciela Braga, CGEIT, CPA

COBIT Focus | 5 January 2015

In Argentina, the Code of Commerce establishes common obligations for businesses: All businesses are obliged to keep accounts and a description of their transactions. Satisfying the current regulatory requirements created a need to identify an IT management and governance framework such as COBIT 5.


Businesses must keep a Diario, a book in which all transactions are kept on a daily basis in the order in which they are executed. According to Law 19550 on Commercial Companies, businesses may substitute this book with a digital accounting system if the control authority or Public Commercial Registry authorizes it. For this authorization, companies must present a technical demonstration that the records made through the proposed digital accounting system cannot be altered.


Why COBIT 5?

Frameworks, business theories and best practices assist company administrators and representatives in complying with legislation and demonstrating their responsibilities as "good business people."


Law 19550 structures companies based on two bodies: first, administration or social management to manage activity to achieve the corporate purpose, and second, governance to determine, vote on and approve management.


The COBIT 5 framework establishes a clear distinction between governance and management. These two disciplines cover different types of activities. They require different organizational structures and serve different purposes. The principles contained in COBIT 5 affirm its applicability, not only for digital accounting systems, but also in the spirit of company organization under Law 19550.


Governance ensures that the needs, conditions and options of stakeholders are assessed to ensure that balanced and agreed-upon corporate goals are met. Management is established through prioritization and decision making. Performance and compliance are measured with regard to management and agreed-upon goals.


Management plans, builds, runs and monitors activities aligned with the management established by the governance body in order to reach the corporate goals.


Application of the COBIT 5 Principles

COBIT 5 is based on the assumption that companies exist to create value for their stakeholders, so the governance objective of any company (commercial or otherwise) is the creation of value. To apply the first of COBIT 5’s principles, Meeting Stakeholder Needs, to the digital accounting system, it is necessary to define the stakeholders and their needs:

  • Stakeholders:
    • External: Society in general, customers, providers, control authority and external auditors
    • Internal: Administration and governance body, managers of business processes, accounting system managers, IT managers, compliance managers, and internal auditors
  • Stakeholder needs: This article focuses on two of the stakeholder needs proposed in the COBIT 5 framework:
    • Compliance and IT support for the business to comply with external laws and regulations—The set of national laws and those issued by the comptroller's office must be adhered to.
    • Security of information, processing infrastructure and applications—The comptroller's office requires that records made in the accounting system be highly nonalterable (unchangeable). The integrity of the information and of the digital information system, as an information criterion or security requirement, will be based on internal accounting administration controls and other operating or scheduled controls applicable to data entry, processing and output.

COBIT 5 integrates IT management and governance into corporate governance, covering all functions and processes within the enterprise. It does not focus only on the "function of information technology"; rather, it treats information and related technologies as assets that must be treated like any other assets by everyone in the company.


Principle 2, Covering the Enterprise End-to-end, is reflected in the definition of the accounting system, understood as the set of interrelated elements used to record transactions and financial/economic events for the entire entity. For example, when a critical information asset is purchased, it will be received, recorded and controlled by the business roles, while it will be used and managed by different IT roles. Both sets of roles will subsequently determine whether this asset has contributed to achieving the business and IT objectives.


COBIT 5 is aligned at a high level with other relevant standards and frameworks and, therefore, can be the main framework for IT governance and management in an enterprise. This is reflected in principle 3, Applying a Single, Integrated Framework.


This high-level alignment allows the different frameworks to be mapped to one another and, thus, the best of each of them to be used to comply with the current national laws and standards, based on internationally recognized frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Internal Control—Integrated Framework, ISO/IEC 27002 and those related to personal data protection.


Principle 4 is Enabling a Holistic Approach. COBIT 5 defines seven enabler categories to support implementation of a global IT governance and management system for the company, all of which are necessary to ensure correct implementation of the digital accounting system, and the precision and integrity of financial statements:

  1. Principles, policies and frameworks required to carry out and record all company transactions and to manage the digital accounting system
  2. Necessary processes to manage IT activities related to the digital accounting system
  3. Organizational structures that define the responsibilities of each of the business and IT roles involved in the recording actions themselves and those related to the digital accounting system
  4. Culture, ethics and behavior of individuals and the company, which provide the necessary basis for the company to comply with external regulations and laws, internal policies and procedures, best practices to protect IT assets in general, and information assets in particular
  5. Useful accounting information to make decisions for all stakeholders and demonstrate regulatory compliance to third parties, including in legal situations
  6. Services, infrastructure and applications that provide the company with information processing services and technologies related to the digital accounting system
  7. People, skills and competencies both in business and IT required in order to carry out activities and for decision making and corrective actions

COBIT 5 defines a map of how each of these IT-related goals is supported by COBIT 5 processes.


With regard to the goal of compliance and IT support for the business to comply with external laws and regulations, COBIT 5 considers that it is necessary to implement:


Primary references:

  1. BAI10 Manage configuration
  2. DSS05 Manage security services
  3. MEA02 Monitor, evaluate and assess the system of internal control
  4. MEA03 Monitor, evaluate and assess compliance with external requirements

Secondary references:

  1. BAI02 Manage requirements definition
  2. BAI09 Manage assets
  3. DSS01 Manage operations
  4. DSS03 Manage problems
  5. DSS04 Manage continuity
  6. DSS06 Manage business process controls
  7. MEA01 Monitor, evaluate and assess performance and conformance

With regard to the security of information, processing infrastructure and applications goal, COBIT 5 considers that it is necessary to implement:


Primary references:

  1. BAI06 Manage changes
  2. DSS05 Manage security services

Secondary references:

  1. BAI02 Manage requirements definition
  2. BAI08 Manage knowledge
  3. BAI09 Manage assets
  4. BAI10 Manage configuration
  5. DSS01 Manage operations
  6. DSS02 Manage service requests and incidents
  7. DSS04 Manage continuity
  8. DSS06 Manage business process controls
  9. MEA01 Monitor, evaluate and assess performance and conformance
  10. MEA02 Monitor, evaluate and assess the system of internal control
  11. MEA03 Monitor, evaluate and assess compliance with external requirements

As can be seen, several processes are repeated. Given that these are closely related to achieving goals and outcomes, one process can be the input for another.


Separate Governance From Management

The COBIT 5 framework establishes a clear distinction between governance and management (principle 5, Separating Governance From Management). These two disciplines cover different types of activities. They require different organizational structures and serve different purposes.


The principles contained in COBIT 5 affirm its applicability, not only for the digital accounting system, but also in the spirit of organizations under Argentine law.


Graciela Braga, CGEIT, CPA

Is vice president of the Commission for the Study of Record Systems of the Buenos Aires Institute of CPAs in the city of Buenos Aires, Argentina. She is also a researcher at the Instituto Autónomo de Derecho Contable (Autonomous Accountancy Law Institute), Argentina. Previously, she worked on audits and internal control reviews for public and private entities using international frameworks such as COBIT®, COSO and the ISO 27000 series. She has participated in the preparation and review of ISACA products and research related to COBIT, privacy and big data.


References

  • Argentine Congress, Code of Commerce, Argentina
  • Argentine Congress, Law 19550 Commercial Companies, 1972 (reformed text), Argentina
  • Superintendence of Corporations, Resolution IGJ No. 07/2005, Argentina
  • Buenos Aires Institute of CPAs, Commission for the Study of Record Systems, Buenos Aires, Argentina, www.consejo.org.ar/areas/contabilidad/contabilidad.html
  • Favier Dubois (h.), E.; L. Spagnolo; Herramientas Legales para el Contador Público y Estudios Profesionales (Legal Tools for the Certified Public Accountants [CPAs] and Accounting & Law Firms), 1st Edition, Argentina, 2013
  • Braga, Graciela; “Aplicación de un marco de negocio de gestión y gobierno de tecnología de información de la empresa a los sistemas de registros informáticos” (“Application of an IT management and governance business framework to digital record systems”), 7th National Workshop of Accounting Law, IADECO, Argentina, June 2014