How to Use HALEY to Map ITGCs and ITACs to COSO Principles
Step 1: Start with a Clear Control Type and Process
Initiate with:
“Map the user provisioning ITGC in Oracle Cloud ERP to applicable COSO principles.”
“Align an ITAC for 3-way match validation in SAP to COSO and AS 2201.”
HALEY will request:
- System or GRC platform context
- Manual vs. automated classification
- Control objective and risks mitigated
Step 2: Use HALEY to Identify the COSO Principles Most Applicable
Prompt:
“Which COSO principles apply to quarterly user access reviews in SafePaaS?”
“Align SAP ITACs for order-to-cash to COSO principles and control objectives.”
HALEY will:
- Map control activities to COSO principles (e.g., Principle 10 for access controls)
- Explain the rationale behind the alignment
- Reference specific risk mitigated and control attributes
Step 3: Request a Matrix or Table Format for Documentation
Use:
“Present a COSO-alignment table for the ITGCs in our RACM for Change Management.”
HALEY will return a table such as:
| Control ID | Control Description | COSO Principle(s) | Justification |
|---|---|---|---|
| ITGC-001 | Invoice posting controls in AP module | Principle 10 | Ensure accurate financial posting and segregation of duties |
| ITGC-003 | Periodic backup verification | Principle 13 | Ensure recoverability of financial data |
Including the system and process context in the prompt ensures that:
- Tool configuration is reflected in control design
- Control is realistic and testable in your environment
- Auditors can map configuration to process
Step 4: Validate Alignment Against COSO Criteria
Ask HALEY:
“Does this control meet COSO Principle 11 requirements for control precision?”
“What documentation supports alignment to Principle 13 (Relevant & Quality Info)?”
HALEY will provide:
- Evidence expectations (e.g., audit logs, exception reports, sign-offs)
- Assessment of whether the control is designed/operating effectively
- Recommendations to improve precision, documentation, or coverage
COSO Principle Alignment Cheat Sheet for IT Controls
| COSO Principle | Common ITGC/ITAC Mappings |
|---|---|
| Principle 1 (Control Environment – Integrity & Ethics) | IT Acceptable Use Policies, Code of Conduct acknowledgment |
| Principle 6 (Risk Assessment) | IT Risk Registers, Application Change Risk Ratings |
| Principle 10 (Control Activities) | Logical Access Reviews, Configurable Security, 3-way Match Controls |
| Principle 13 (Information Quality) | GRC dashboard data validation, system log accuracy |
| Principle 16 (Ongoing Monitoring) | SafePaaS alert reviews, user de-provisioning exceptions |
Example Use Case: Aligning an ITGC to COSO
“Align the ITGC for change request approvals in Oracle to COSO principles.”
HALEY Output:
- Control Description: All changes to Oracle production environments require documented approval and testing evidence before migration.
- COSO Principles:
  - Principle 10: Control Activity – approvals are evidence-based and preventive
  - Principle 11: Segregation of duties embedded in approval chain
- Testing Guidance: Validate sample change tickets for documentation, approver role, and implementation log
Common Pitfalls to Avoid
| Pitfall | Recommended Practice |
|---|---|
| “Map all controls to all 17 principles.” | Map each control to the 1–3 most relevant COSO principles. |
| Skip justification for the mapping | Include why each principle applies to the control's intent. |
| Leave out system context | Always specify ERP/GRC platform used (e.g., SAP, Oracle, SafePaaS). |
Pro Tip: Ask HALEY to Auto-Tag COSO Principles in RACMs
Try:
“Auto-fill COSO Principle column for all RACM entries in our Change Management controls.”
HALEY will:
- Scan control descriptions
- Match applicable COSO principles
- Return a completed matrix with rationale
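The auto-fill step above (scan descriptions, match principles, return a matrix with rationale) and the pitfalls table can be reproduced in a small script that you can run over your own RACM before or after asking HALEY. The following is an added example written for this guide; it is not HALEY's or SafePaaS's code. The keyword triggers are an assumption derived from the cheat sheet above, the sample RACM is constructed, and a real tagger would use a curated control taxonomy rather than string matching.

```python
"""Auto-tag COSO principles on a RACM and check the result against the
"Common Pitfalls" above. Added example; keyword triggers and the sample
RACM are constructed assumptions, not HALEY's logic."""
from dataclasses import dataclass, field

# Keyword triggers per COSO principle, taken from the cheat-sheet rows above.
# Assumption: phrase matching is good enough for a first-pass tagger.
PRINCIPLE_KEYWORDS = {
    "Principle 1": ["acceptable use", "code of conduct", "ethics"],
    "Principle 6": ["risk register", "risk rating", "risk assessment"],
    "Principle 10": ["access review", "provisioning", "3-way match",
                     "three-way match", "approval", "segregation of duties",
                     "configurable security"],
    "Principle 13": ["dashboard", "data validation", "log accuracy",
                     "backup", "system log"],
    "Principle 16": ["alert review", "de-provisioning", "monitoring",
                     "exception"],
}
MAX_PRINCIPLES = 3  # pitfall: never map one control to all 17 principles


@dataclass
class Control:
    control_id: str
    description: str
    system: str = ""          # ERP/GRC platform, e.g. "Oracle Cloud ERP"
    justification: str = ""   # why the mapped principles apply
    principles: list = field(default_factory=list)


def tag_control(description: str) -> list[tuple[str, str]]:
    """Return up to MAX_PRINCIPLES (principle, rationale) pairs, ranked by
    how many trigger phrases the description contains."""
    text = description.lower()
    hits = []
    for principle, keywords in PRINCIPLE_KEYWORDS.items():
        matched = [k for k in keywords if k in text]
        if matched:
            hits.append((principle, matched))
    hits.sort(key=lambda h: (-len(h[1]), h[0]))
    return [(p, "matched " + ", ".join(m)) for p, m in hits[:MAX_PRINCIPLES]]


def validate_control(ctrl: Control) -> list[str]:
    """Flag the pitfalls listed on the page for one RACM entry."""
    findings = []
    if not ctrl.principles:
        findings.append("no COSO principle mapped")
    if len(ctrl.principles) > MAX_PRINCIPLES:
        findings.append(f"mapped to {len(ctrl.principles)} principles; keep to 1-{MAX_PRINCIPLES}")
    if not ctrl.justification.strip():
        findings.append("missing justification for the mapping")
    if not ctrl.system.strip():
        findings.append("missing system/platform context")
    return findings


def autofill(racm: list[Control]) -> list[Control]:
    """Fill the COSO Principle column (and a default rationale) for entries
    that have none, mirroring the 'Auto-fill' prompt above."""
    for ctrl in racm:
        if not ctrl.principles:
            tagged = tag_control(ctrl.description)
            ctrl.principles = [p for p, _ in tagged]
            if not ctrl.justification and tagged:
                ctrl.justification = "; ".join(f"{p}: {why}" for p, why in tagged)
    return racm


def render_matrix(racm: list[Control]) -> str:
    """Render the completed RACM as the same table layout used in Step 3,
    plus a Findings column from validate_control."""
    rows = ["| Control ID | System | Control Description | COSO Principle(s) | Justification | Findings |",
            "|---|---|---|---|---|---|"]
    for c in racm:
        rows.append(f"| {c.control_id} | {c.system or '-'} | {c.description} | "
                    f"{', '.join(c.principles) or '-'} | {c.justification or '-'} | "
                    f"{'; '.join(validate_control(c)) or 'OK'} |")
    return "\n".join(rows)


# Constructed sample RACM (not from the page).
SAMPLE_RACM = [
    Control("ITGC-001", "Quarterly logical access review of Oracle Cloud ERP roles",
            system="Oracle Cloud ERP"),
    Control("ITGC-002", "Daily backup job and restore test for SAP financial data",
            system="SAP", justification="Ensures recoverability of financial data"),
    Control("ITAC-003", "3-way match validation before invoice posting"),  # no system context
    Control("ITGC-004", "Annual code of conduct acknowledgment by IT staff",
            system="SafePaaS"),
]

if __name__ == "__main__":
    print(render_matrix(autofill(SAMPLE_RACM)))
```

Running the script prints the filled matrix; ITAC-003 is flagged for missing system context, which is exactly the pitfall a reviewer would catch before the RACM goes to the auditors. Treat the generated justification as a starting point and replace it with the control's actual intent, as the pitfalls table recommends.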