Information Technology (IT) & The Updated COSO Framework

Presentation on theme: "Information Technology (IT) & The Updated COSO Framework"— Presentation transcript:

1 Information Technology (IT) & The Updated COSO Framework
COSO’s New Internal Control Framework and IT Considerations, 4/2/2017
Phil Gesner, CPA.CITP, CISA, Audit Manager and IT Auditor / Consultant, Ocala, FL
Florida Association of School Board Officials (FASBO)

2 Disclaimer
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the presenter’s respective organizations or any associated organizations cited. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

3 COSO Considerations
COSO changed from implicitly to explicitly recognizing technology’s role in internal control, due to greater use of and dependence (reliance) on technology:
- Use of technology continues to grow
  - Extent of technology used in organizations continues to increase and evolve
  - Recognizes that management judgment (decisions) may be based on the use of and dependence on technology
- Outsourcing continues to grow
  - Business processes (payroll, payables, pension and benefit management, investment management)
  - Technology activities supporting the business processes
  - Procuring, managing, and maintaining previously internally managed technology systems

4 COSO’s Definition of “Technology”
May be referred to as:
- Management Information Systems (MIS)
- Information Technology (IT)
- Various other terms
Technology is the use of a combination of automated and manual processes, and computer hardware and software, methodologies, and processes.
This is a very generic definition, as technology continually evolves (e.g. cloud computing and social media).

5 COSO’s Definition of “Technology”
Technology environments vary in size, complexity, and extent of integration:
- Large, centralized, and integrated systems
- Small, decentralized, and independent systems
- May involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, and geographies

6 COSO’s Definition of “Technology”
Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity to share operational and performance data with the public.

7 COSO’s Definition of “Technology”
Technology innovation creates both opportunities and risks.
Opportunities:
- Enable the development of new business markets and models
- Generate efficiencies through automation
- Enable entities to do things that were previously hard to imagine
Risks:
- Increased complexity, which makes identifying and managing risks more difficult

8 Risk | Complexity of IT Security
Data & Business Processes
- Like ogres and onions, IT security has layers
- IT security also involves people (employees); therefore, training is critical

9 IT Security Protects the Data and Business Process
Data & Business Processes
Controls should be in place to protect the data and business processes.
- Data is an organizational asset
- Value of data:
  - May not be readily ascertainable
  - Not recorded on the books
  - Varies depending on perspective: your organization, other organizations, employees, external individuals, vendors
- Your garbage is another individual’s or organization’s treasure!

10 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast, 2013.

11 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast, 2013.

12 Risk | IT Complexity
The nature and extent of IT risks depend on the level of “complexity”. Generally, as complexity increases, the type and number of potential IT risks increase. The manner in which IT is used in conducting business also has a direct relationship with the potential IT risks:
- Significant changes made to existing systems, or implementation of new systems, increase the potential IT risks
- Shared data between systems increases the potential IT risks
- Usage of emerging technologies (cloud computing, mobile, BYOD) increases the potential IT risks
- Availability of evidence (including reports) only in electronic formats increases the potential IT risks
SAS No. 108 requires the auditor to understand how the entity uses IT to capture, store, and process information. Additionally, the auditor is required to evaluate whether an IT specialist should be a member of the audit team. SAS No. 108 lists factors to consider. In general, the more complex the entity’s systems and IT environment, the more likely that an IT professional should be an integral part of the audit team.
Source: AICPA IT Audit Training School

13 Risks | IT Risk Factors for Internal Control Include
- Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
- Unauthorized changes to data in master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
- Potential loss of data or inability to access data as required
Source: AICPA IT Audit Training School

14 Applications | Purchased Systems
Commercial Off The Shelf (COTS) and/or configurable systems
Advantages:
- Generally cheaper for general business use applications
- On-going support and maintenance
Disadvantages:
- Some limitations related to customizations
- Vendor dependence
Example: QuickBooks
Source: AICPA IT Audit Training School

15 Applications | Configurable Packages
Configurable “mid-tier” system
- Not as expensive as an ERP system or a custom developed application
- Found in small, mid-size or large organizations
- Increased capabilities when compared to Commercial Off The Shelf (purchased) systems: configuration changes, customizations
- Examples: Microsoft Dynamics (Great Plains/Solomon), MAS/90, Navision, Munis, Eden, etc.
- Most prevalent
Source: AICPA IT Audit Training School. Slide template: EP 09 IT General Controls FG Final_R.ppt (Engagement Planning and Supervision); all materials copyright ©2007 by BDO Seidman, LLP. All Rights Reserved

16 Applications | Enterprise Resource Planning (ERP) System
- Integrates all facets of financial processing with operations, marketing, HR
- Requires specialized knowledge to set up (usually with the vendor and outside consultants)
- Generally found in large organizations
- Very expensive to purchase & maintain
- Very complex security
- Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson, etc.
Source: AICPA IT Audit Training School

17 Applications | Custom Developed
Custom Developed Application: applications that are designed and developed in-house to meet a specific business need for internal use (not resale)
Advantages:
- Customized to meet specific business need
- Independence from vendors
Disadvantages:
- No outside vendor support; everything is done by on-staff personnel (higher costs)
- Often longer deployment times and fewer controls
Less prevalent, and becoming more so each day
Source: AICPA IT Audit Training School

18 Applications | Outsourced
Organization contracts with a third-party service organization for one or all of the following activities:
- Development of application and underlying technology
- Hosting of application, data, and underlying technology
- Maintenance of application and underlying technology
- All or part of one or multiple business process(es) (e.g. payroll) and related internal controls
Source: AICPA IT Audit Training School

19 Applications | Outsourced
Advantages:
- Customized and configurable to meet specific business need
- Can obtain access to ERP systems at lower costs
- May not need to purchase any servers
- May not need to hire new IT personnel, and may be able to reallocate IT personnel or positions
- Dependence on vendor rather than employees: the IT third-party service organization is able to replace employees more easily than the outsourcing organization
Source: AICPA IT Audit Training School

20 Applications | Outsourced
Disadvantages:
- Dependence on vendor
- Requires increased effort to manage vendors and service level agreements (SLAs)
  - Service Organization Control (SOC) Reports: see the AICPA website
- Poor end user experience due to performance bottlenecks
  - Poor customer experiences could be perceived as organization weaknesses rather than vendor weaknesses
- More limited control over application, data, and underlying technology
Example: Xero
Source: AICPA IT Audit Training School

21 Control Environment
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Executive management and the board should have an understanding of relevant systems and technology (or appropriate skills and expertise) needed to evaluate the organization’s approach to managing new technology innovations, critical systems, and the opportunities and risks associated with those challenges.
- IT Governance Committee
- IT Steering Committees
- User Groups
- Lack of steering committee or other oversight group
- Improper organizational structure

22 Control Environment
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of business.
- Management is supported by requisite processes and technology to provide for clear accountability and information flows within and across the overall entity and its subunits.

23 Control Environment
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization should ensure that it has appropriately skilled personnel with knowledge of the operation of the technology platforms underpinning the business processes.

24 Control Environment
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
- Accountability is driven by tone at the top and supported by the commitment to integrity and ethical values, competence, structure, processes, and technology, which collectively influence the control culture of the organization.

25 Risk Assessment
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Entity-level risks:
- Technological: developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services
Internal factors:
- Technology: a disruption in information systems processing that can adversely affect the entity’s operations

26 Risk Assessment
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
- Nature of technology and management’s ability to manipulate information
- Opportunities (and thereby fraud risks) may increase as a result of:
  - Turnover in technology staff
  - Ineffective technology systems

27 Risk Assessment
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
- New technology: when new technology is incorporated into production, service delivery processes, or supporting information systems, internal controls will likely need to be modified.

28 Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

29 Principle 10: Selects and Develops Control Activities
When determining what actions to put in place to mitigate risk, management considers all aspects of the entity’s internal control components and the relevant business processes, information technology, and locations where control activities are needed.
Restricted access is especially important where technology is integral to an organization’s processes or business. Configuring the security in applications to address restricted access can become very complex and requires technical knowledge and a structured approach. This is discussed in more detail under the Security Management Processes section of Principle 11.

30 Principle 10: Selects and Develops Control Activities
Control activities and technology relate to each other in two ways:
- Technology supports business processes: when technology is embedded into the entity’s business processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk that the technology itself will not continue to operate properly to support the achievement of the organization’s objectives.
- Technology used to automate control activities: many control activities in an entity are partially or wholly automated using technology.

31 Technology Supports Business Processes
Internal Control Over Financial Reporting (ICFR) diagram (flattened from the slide):
- Significant Accounts in the Financial Statements: Balance Sheet, Income Statement, Cash Flows, Notes, Other Disclosures
- Key Application and IT-Dependent Manual Controls
  - Assertions: Accuracy, Completeness
  - Objectives: Authorization, Segregation of Duties
- Significant Classes of Transactions / Business Processes: Process A, Process B, Process C, Process D, Process E
- Significant Financial Applications: Application A, Application B, Application C
- Significant IT Infrastructure Services: Database, Operating System, Network / Physical
- IT General Controls: Program Development, Program Changes, Program Operations, Access Controls
- Control Environment
Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

32 Technology Used to Automate Control Activities
Manual vs. Automated Controls
- Manual control: a control performed manually (not through technology).
- Automated controls: control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software).
- Application control: a control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events.
- IT-dependent manual control (hybrid control): manual controls that are dependent on an automated process to take place.

33 Application Controls
Types: edit checks, validations, calculations, interfaces, authorizations. Character: embedded or configurable.
- Embedded control: the application is programmed to perform the control because of either custom coding or packaged delivery of that functionality. These controls rely on IT General Controls related to changing the functionality of the application.
- Configurable control: the application has the capability to perform the control. The functionality of the control depends on its setup (i.e. it may have been configured differently). These controls rely on IT General Controls related to changing the functionality of the application, as well as IT General Controls related to levels of access.
- Edit checks: controls that limit the risk of inappropriate input, processing, or output of data due to field format or inappropriate data entry or changes, by comparing to established specifications of valid codes and code combinations, or by checking that required data is present in required fields.
  - Predefined data listings: drop-down menus, check-boxes, radio buttons
  - Logic tests: range limits, value/alphanumeric tests, format tests
- Validations: controls to limit the risk of inappropriate input, processing, or output of data through the confirmation of a test.
  - Tolerances: e.g. customer usage is not greater than 2x prior usage
  - Duplicate checks
  - Matching: PO => Invoice => Receiving Report
- Calculations: controls to ensure that a computation is occurring accurately. Example: the utility billing application calculates the customer’s bill based on the customer’s usage and the customer’s classification.
- Interfaces: controls to limit the risk of inappropriate input, processing, or output of data being exchanged from one system to another. Example: the general ledger and billing applications confirm through a record count that all records were uploaded from the billing application to the general ledger, or confirm that totals from a header record from the billing application reconcile to the detail that was posted in the general ledger.
- Authorizations: controls to limit the risk of inappropriate input, processing, or output of key financial data due to unauthorized access to key financial functions or data.
  - Segregation of duties, authorization checks, limits, hierarchies
  - Examples: roles are defined within the application so that only the purchasing manager has the ability to add vendors to the vendor master; roles are defined within the application so that only Human Resources has access to the employee master file.
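The edit checks, validations, calculation and interface control described on this slide can be demonstrated on a small utility-billing batch. The following is an added example written for this transcript, not code from the presentation or from any billing product; the account format, customer classes, rate table, 2x tolerance threshold and the sample records are all constructed for illustration.

```python
"""Application-control checks of the kinds listed on the slide (edit checks,
validations, a calculation and an interface control total) applied to a small
batch of utility-billing records.  All data, rates and thresholds are
constructed for this example."""
import re

# --- Edit checks (field-level rules applied before a record is accepted) ---
CUSTOMER_CLASSES = {"RES", "COM", "IND"}          # predefined data listing (drop-down)
ACCOUNT_RE = re.compile(r"^\d{6}-\d{2}$")         # format test, e.g. 123456-01 (assumed)
USAGE_RANGE = (0, 1_000_000)                      # range limit in kWh (assumed)
RATES = {"RES": 0.12, "COM": 0.10, "IND": 0.08}   # $/kWh by classification (assumed)


def edit_check(rec: dict) -> list[str]:
    """Return the edit-check failures for one record (empty list = passes)."""
    errors = []
    for name in ("account", "class", "usage", "period"):   # required fields present
        if rec.get(name) in ("", None):
            errors.append(f"missing {name}")
    if "account" in rec and not ACCOUNT_RE.match(str(rec["account"])):
        errors.append("account format")
    if "class" in rec and rec["class"] not in CUSTOMER_CLASSES:
        errors.append("class not in list")
    usage = rec.get("usage")
    if usage is not None and not (isinstance(usage, (int, float))
                                  and USAGE_RANGE[0] <= usage <= USAGE_RANGE[1]):
        errors.append("usage out of range")
    return errors


# --- Validations (confirmation of a test across records or periods) ---
def within_tolerance(usage: float, prior_usage: float) -> bool:
    """Tolerance from the slide: usage must not exceed 2x the prior period."""
    return usage <= 2 * prior_usage


def calculate_bill(usage: float, customer_class: str) -> float:
    """Calculation control: the bill depends on usage and classification."""
    return round(usage * RATES[customer_class], 2)


def process_batch(records: list[dict]) -> tuple[list[dict], list[tuple]]:
    """Run edit checks, the duplicate and tolerance validations, then calculate
    the bill for every record that passes.  Returns (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for rec in records:
        errors = edit_check(rec)
        key = (rec.get("account"), rec.get("period"))
        if key in seen:                                    # duplicate check
            errors.append("duplicate record")
        seen.add(key)
        if not errors and not within_tolerance(rec["usage"], rec["prior_usage"]):
            errors.append("usage exceeds 2x prior")
        if errors:
            rejected.append((key, errors))
        else:
            accepted.append({**rec, "amount": calculate_bill(rec["usage"], rec["class"])})
    return accepted, rejected


# --- Interface control: the G/L side reconciles what billing says it sent ---
def interface_reconciles(header: dict, posted_detail: list[dict]) -> tuple[bool, str]:
    """Compare the billing header's record count and control total against the
    detail actually posted to the general ledger."""
    count_ok = header["record_count"] == len(posted_detail)
    total_ok = round(sum(d["amount"] for d in posted_detail), 2) == round(header["total_amount"], 2)
    if count_ok and total_ok:
        return True, "record count and control total agree"
    return False, f"count {'ok' if count_ok else 'MISMATCH'}, total {'ok' if total_ok else 'MISMATCH'}"


# Constructed sample batch: one clean record and four that the controls should catch.
SAMPLE_RECORDS = [
    {"account": "100001-01", "class": "RES", "usage": 850, "prior_usage": 800, "period": "2017-03"},
    {"account": "100002-01", "class": "COM", "usage": 9000, "prior_usage": 4000, "period": "2017-03"},  # > 2x prior
    {"account": "1000O3-01", "class": "RES", "usage": 500, "prior_usage": 450, "period": "2017-03"},    # letter O in account
    {"account": "100004-01", "class": "XYZ", "usage": -5, "prior_usage": 100, "period": "2017-03"},     # bad class, negative usage
    {"account": "100001-01", "class": "RES", "usage": 850, "prior_usage": 800, "period": "2017-03"},    # duplicate of the first
]

if __name__ == "__main__":
    accepted, rejected = process_batch(SAMPLE_RECORDS)
    for key, errors in rejected:
        print("rejected", key, errors)
    header = {"record_count": len(accepted), "total_amount": sum(r["amount"] for r in accepted)}
    print("interface:", interface_reconciles(header, accepted))
```

Each rejected record carries the name of the control that caught it, which is the evidence an auditor would look for when testing the control; the interface check is deliberately run on the receiving (G/L) side so that a record dropped or altered in transit shows up as a count or total mismatch rather than silently posting.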

34 Technology Used to Automate Control Activities
Examples of Application Controls
- Computer generated batch control total comparison
- Edit and validation checks on information entered into input fields
- Master file data look-ups of information entered into input fields
- Numeric range controls for data entered into input fields
- Data matching
- Error checking programs
- Computations
- Forwarding a transaction to the appropriate person for electronic authorization (using logical segregation of duties)

35 Examples of Application Controls | Purchasing and Accounts Payable Business Process
Initiate/Authorize (Input):
- Application will only accept purchase orders entered for vendors on an approved vendor list (i.e. vendors in the vendor master file).
- Access to add or modify vendor or vendor information through the purchasing module of the financial application into the vendor master file (database) is restricted to purchasing department personnel.
Process:
- Application matches the purchase order, receiving report and vendor invoice before payment can be made (three-way match).
- Application automatically selects items for payment based on the due date of the vendor invoice.
Record (Output):
- Application automatically posts the payment to the G/L.

36 Example of an IT-Dependent Manual Control | Purchasing and Accounts Payable Business Process
- Detection: computer detects a discrepancy between a PO, receiving report & vendor invoice. (automated control)
- Investigation/Correction: clerk reviews and follows up until the discrepancy is resolved. (manual control)
- Resubmission: clerk resubmits the reconciled invoice for payment. (manual process)
NOTE: Test both automated and manual controls
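The purchasing / accounts payable controls on the two preceding slides (approved vendor list, purchasing-only access to the vendor master, three-way match, due-date payment selection, automatic G/L posting) and the IT-dependent manual control (detection, clerk follow-up, resubmission) fit together in one small model. This is an added example written for this transcript, not code from the presentation or from any financial application; the role model, permissions, document numbers, dates and G/L account are constructed.

```python
"""Purchasing / AP application controls plus the exception queue that hands a
three-way-match discrepancy to a clerk.  Roles, documents and accounts are
constructed for this example."""
from dataclasses import dataclass, field
from datetime import date

# Assumed role model: the application allows each role only the listed actions.
ROLE_PERMISSIONS = {
    "purchasing_manager": {"add_vendor", "enter_po"},
    "receiving": {"post_receipt"},
    "ap_clerk": {"enter_invoice", "resubmit_invoice"},
}


class AuthorizationError(PermissionError):
    pass


def require(role: str, action: str) -> None:
    """Authorization control: refuse the action unless the role is allowed it."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise AuthorizationError(f"role '{role}' may not '{action}'")


@dataclass
class APSystem:
    vendor_master: set = field(default_factory=set)
    purchase_orders: dict = field(default_factory=dict)  # po -> (vendor, qty, unit_price)
    receipts: dict = field(default_factory=dict)         # po -> quantity received so far
    invoices: dict = field(default_factory=dict)         # invoice_no -> record
    exceptions: list = field(default_factory=list)       # (invoice_no, problems) for clerk review
    gl_postings: list = field(default_factory=list)      # automatic output to the G/L

    def add_vendor(self, role, vendor):
        require(role, "add_vendor")            # only purchasing may change the vendor master
        self.vendor_master.add(vendor)

    def enter_po(self, role, po, vendor, qty, unit_price):
        require(role, "enter_po")
        if vendor not in self.vendor_master:   # input control: approved vendor list
            raise ValueError(f"{vendor} is not on the approved vendor list")
        self.purchase_orders[po] = (vendor, qty, unit_price)

    def post_receipt(self, role, po, qty):
        require(role, "post_receipt")
        self.receipts[po] = self.receipts.get(po, 0) + qty

    def enter_invoice(self, role, inv_no, po, vendor, qty, unit_price, due: date):
        require(role, "enter_invoice")
        self.invoices[inv_no] = {"po": po, "vendor": vendor, "qty": qty,
                                 "unit_price": unit_price, "due": due, "status": "open"}
        self._three_way_match(inv_no)

    def _three_way_match(self, inv_no):
        """Automated detection: invoice vs. purchase order vs. receiving report."""
        inv = self.invoices[inv_no]
        po_vendor, po_qty, po_price = self.purchase_orders[inv["po"]]
        received = self.receipts.get(inv["po"], 0)
        problems = []
        if inv["vendor"] != po_vendor:
            problems.append("vendor differs from PO")
        if inv["qty"] != po_qty:
            problems.append("quantity differs from PO")
        if inv["qty"] > received:
            problems.append("quantity exceeds receiving report")
        if inv["unit_price"] != po_price:
            problems.append("unit price differs from PO")
        if problems:                           # hand off to the clerk (manual control)
            inv["status"] = "exception"
            self.exceptions.append((inv_no, problems))
        else:
            inv["status"] = "approved"

    def resubmit_invoice(self, role, inv_no):
        """Manual step: once the clerk has resolved the discrepancy the invoice
        is resubmitted and the automated match runs again."""
        require(role, "resubmit_invoice")
        self._three_way_match(inv_no)

    def select_for_payment(self, as_of: date) -> list[str]:
        """Pay approved invoices due on or before as_of and post them to the G/L."""
        paid = []
        for inv_no, inv in self.invoices.items():
            if inv["status"] == "approved" and inv["due"] <= as_of:
                inv["status"] = "paid"
                self.gl_postings.append({"invoice": inv_no, "amount": inv["qty"] * inv["unit_price"],
                                         "account": "2000 Accounts Payable"})
                paid.append(inv_no)
        return paid


def run_demo() -> APSystem:
    """Constructed scenario: one invoice short-shipped, resolved, then paid."""
    s = APSystem()
    s.add_vendor("purchasing_manager", "ACME Supply")
    s.enter_po("purchasing_manager", "PO-1001", "ACME Supply", 10, 25.0)
    s.enter_po("purchasing_manager", "PO-1002", "ACME Supply", 4, 10.0)
    s.post_receipt("receiving", "PO-1001", 8)      # only 8 of 10 received so far
    s.post_receipt("receiving", "PO-1002", 4)
    s.enter_invoice("ap_clerk", "INV-77", "PO-1001", "ACME Supply", 10, 25.0, date(2017, 4, 15))
    s.enter_invoice("ap_clerk", "INV-78", "PO-1002", "ACME Supply", 4, 10.0, date(2017, 5, 15))
    s.post_receipt("receiving", "PO-1001", 2)      # clerk follows up; the rest arrives
    s.resubmit_invoice("ap_clerk", "INV-77")
    s.select_for_payment(date(2017, 4, 30))        # INV-77 is due; INV-78 is not yet
    return s
```

The slide's note to test both the automated and the manual control maps directly onto this model: the automated part is evidenced by the `exceptions` list (the match fired and the invoice was held), the manual part by the follow-up receipt and the resubmission that cleared it, and the payment selection shows that nothing reaches the G/L unless the match has passed and the due date has arrived.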

37 Automated Control Implications
- Software is designed to be used by many organizations with different requirements.
- Many features, including controls, are optional or designed with adjustable parameters and thresholds.
- End users may have the ability to change system configuration settings.
- Segregation of duties when software is maintained by the vendor.
- Program change responsibilities may be shared between vendor and client.

38 Principle 10: Selects and Develops Control Activities
Most business processes have a mix of manual and automated controls, depending on the availability of technology in the entity.
Automated controls tend to be more reliable, since they are less susceptible to human judgment and error, and are typically more efficient. This is subject to whether technology general controls (Principle 11) are implemented and operating.
The design, implementation, and operating effectiveness of automated controls is dependent on or directly related to the design, implementation, and operating effectiveness of technology general controls.

39 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)
Diagram (flattened from the slide):
- Manual Controls
  - (Purely) Manual Controls
  - IT-Dependent Manual Controls
- Automated Controls
  - Application Controls: 1. Embedded, 2. Configurable Controls
- Technology General Controls

40 Technology General Controls vs. Application Controls
IT General Controls:
- Relate to managing change, logical access and other technology general controls, including IT operations
- Applied to individual applications and do not operate at the individual transaction level
Application Controls:
- Apply to each and every transaction
- Reviewed at a “point in time”
“Application and IT general controls go hand-in-hand.”

41 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10) (repeat of the slide 39 diagram)

42 Control Activities
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. (Technology General Controls)

43 Principle 11: Technology General Controls
Determines the dependency between the use of technology in business processes (Principle 10) and technology general controls (Principle 11):
- Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
- The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology.

44 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10) (repeat of the slide 39 diagram)

45 Technology Supports Business Processes
Internal Control Over Financial Reporting (ICFR) diagram (flattened from the slide; the same layout as slide 31, with the technology general controls broken out):
- Significant Accounts in the Financial Statements: Balance Sheet, Income Statement, Cash Flows, Notes, Other Disclosures
- Key Application and IT-Dependent Manual Controls
  - Assertions: Accuracy, Completeness
  - Objectives: Authorization, Segregation of Duties
- Significant Classes of Transactions / Business Processes: Process A, Process B, Process C, Process D, Process E
- Significant Financial Applications: Application A, Application B, Application C
- Significant IT Infrastructure Services: Database, Operating System, Network / Physical
- Technology General Controls: Technology Infrastructure Control Activities, Security Management Process Control Activities, Change Control Activities
- Control Environment
Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

46 Principle 11: Technology General Controls
- Technology general controls over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented.
- Technology general controls also help information systems continue to function properly after they are implemented.
- Technology general controls apply to all technology:
  - IT applications on a mainframe computer
  - Client/server, desktop, end-user computing, portable computer, and mobile device environments
  - Operational technology: plant control systems or manufacturing robotics

47 Principle 11: Technology General Controls
The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and the risk of the underlying business process being supported.
Similar to business transaction controls, technology general controls may include both manual and automated control activities.

48 Principle 11: Technology General Controls | Technology Infrastructure Control Activities
Establishes relevant technology infrastructure control activities: management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Technology infrastructure includes:
- Communication networks, to link technologies to each other and across the organization: routers, switches, firewalls, etc.
- Computing resources for applications to operate: servers, desktops, laptops
- Electrical power supply

49 Principle 11: Technology General Controls
Technology Infrastructure Control Activities
Technology infrastructure:
  Can be complex
  Is shared by different business units in an organization
  Is outsourced to third-party service organizations (including location-independent technology services such as cloud computing)
  Changes constantly (3-5 years)
Technology infrastructure controls:
  Batch (mainframe) / real-time (client/server) process scheduling
  Problem/incident management
  Backup and recovery, including disaster recovery plans
Control weaknesses:
  Incomplete or untested backup procedures
    Inadequate rotation of media
    Inadequate off-site backups
    Inadequate periodic testing of backup media
  Lack of formal (or any) disaster recovery plans
    Who/what/where information
    Untested

50 Principle 11: Technology General Controls
Security Management Process Control Activities
Establishes Relevant Security Management Process Control Activities
Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
Sub-processes and control activities over who and what has access to the organization’s technology, including who has the ability to execute transactions:
  Protect the organization from inappropriate or unauthorized access to or use of systems
  Support segregation of duties

51 Principle 11: Technology General Controls
Security Management Process Control Activities
Sub-processes and control activities over who and what has access to the organization’s technology, including who has the ability to execute transactions:
  Prevent unauthorized use of or changes to systems
  Protect data and program integrity from malicious intent or a simple error, whether from:
    Internal threats – former or disgruntled employees motivated to work against the organization, who have greater access to and knowledge of the organization
    External threats – due to the many potential uses of technology and points of entry, and the use of telecommunications networks and the Internet

52 Principle 11: Technology General Controls
Security Management Process Control Activities
Authentication control activities: unique user identifications or tokens are authenticated (checked before access is allowed) against a pre-approved list.
Technology general controls are designed to:
  Allow only authorized users on these pre-approved lists
  Restrict authorized users to the applications or functions commensurate with their job responsibilities, supporting an appropriate segregation of duties
Control activities are in place to update access when employees change job functions or leave the organization.
A periodic review of access rights against the policy is often used to check whether access remains appropriate.
Access to the different technologies (which may be integrated or connected) is controlled.
Control weaknesses:
  Lack of physical security to facilities
  Unlimited vendor access to network/software
  Complex passwords not required
  New hire and/or terminated employee procedures are weak, or existing procedures are not followed
  No “Group Policy” set up on the network for automatic timeout of workstations based on inactivity
  Business users with administrator access or excessive access, which compromises segregation of duties from an access control perspective

53 Principle 11: Technology General Controls
Change Control Activities
Establishes Relevant Technology Acquisition, Development, and Maintenance Process (Change) Control Activities
Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
Provides structure for system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints.
Control weaknesses:
  In-house developed software with no formal change control standards
  Developer access to the production/live environment: no segregation of duties between the person who programs the change and the person who actually implements the change in production after authorization and testing

54 Principle 11: Technology General Controls
Change Control Activities
Provides appropriate controls over changes to technology:
  Authorization of change requests
  Verification that the organization has a legal right to use the technology in the manner in which it is being employed
  Review to ensure that the changes are appropriate (i.e., testing and quality assurance)
  Approval for the changes
  Testing results of changes
  Implementing protocols to determine whether changes are properly made
Varies depending on the risks (and complexity) of the technology.
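A periodic access-rights review of the kind described on slides 52 through 54, written here as an added example (not from the presentation or from COSO): it compares a constructed system access listing against a constructed HR roster and a hypothetical role matrix, and flags terminated or unknown accounts, rights beyond the user's role, business users holding administrator access, and developers who can also deploy to production (the segregation-of-duties weakness named under change control).

```python
# Added example (not from the presentation): a periodic access-rights review.
# All data below is constructed; the role matrix and right names are hypothetical.
# Hypothetical role matrix: the access rights each job role is authorized to hold.
ROLE_MATRIX = {
    "payroll_clerk": {"payroll_entry", "payroll_view"},
    "developer": {"source_repo", "test_env"},
    "sysadmin": {"admin", "prod_deploy"},
}
BUSINESS_ROLES = {"payroll_clerk"}             # roles that should never hold "admin"
SOD_CONFLICT = {"source_repo", "prod_deploy"}  # programs a change AND moves it to production

# Constructed HR roster: user id -> (job role, still employed?)
HR_ROSTER = {
    "alice": ("payroll_clerk", True),
    "bob": ("developer", True),
    "carol": ("sysadmin", True),
    "dave": ("payroll_clerk", False),   # terminated; account should be disabled
}

# Constructed system access listing: user id -> rights actually granted
ACCESS_LISTING = {
    "alice": {"payroll_entry", "payroll_view", "admin"},
    "bob": {"source_repo", "test_env", "prod_deploy"},
    "carol": {"admin", "prod_deploy"},
    "dave": {"payroll_entry"},
    "vendor1": {"admin"},               # no HR record: vendor or generic account
}


def review_access(roster, listing, matrix=ROLE_MATRIX):
    """Return (user, finding) pairs for every account that fails the review."""
    findings = []
    for user, rights in sorted(listing.items()):
        if user not in roster:
            findings.append((user, "no HR record (vendor or generic account)"))
            continue
        role, active = roster[user]
        if not active:
            findings.append((user, "account still enabled after termination"))
            continue
        excess = rights - matrix.get(role, set())   # rights the role does not authorize
        if excess:
            findings.append((user, f"rights beyond role {role}: {sorted(excess)}"))
        if role in BUSINESS_ROLES and "admin" in rights:
            findings.append((user, "business user holds administrator access"))
        if SOD_CONFLICT <= rights:
            findings.append((user, "can both develop and deploy to production (SoD conflict)"))
    return findings
```

Run `review_access(HR_ROSTER, ACCESS_LISTING)` to list the findings; carol, whose rights match the sysadmin role, is the only account that passes.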

55 Information & Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

56 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
An organization’s information system encompasses a combination of people, processes, data, and technology that support business processes managed internally as well as those that are supported through relationships with outsourced service providers and other parties interacting with the entity.

57 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Information systems developed with integrated, technology-enabled processes provide opportunities to enhance the efficiency, speed, and accessibility of information to users.
Additionally, such information systems may enhance internal control over security and privacy risks associated with information obtained and generated by the organization.
Information systems designed and implemented to restrict access to information only to those who need it, and to reduce the number of access points, enhance the effectiveness of mitigating risks associated with the security and privacy of information.

58 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets, collaboration tools, interactive social media, data warehouses, business intelligence systems, operational systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology solutions present opportunities for management to leverage technology in developing and implementing effective and efficient information systems.

59 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Quality of information is dependent on:
  Accessible—The information is easy to obtain by those who need it. Users know what information is available and where in the information system the information is accessible.
  Correct—The underlying data is accurate and complete. Information systems include validation checks that address accuracy and completeness, including necessary exception resolution procedures.
  Current—The data gathered is from current sources and is gathered at the frequency needed.
  Protected—Access to sensitive information is restricted to authorized personnel. Data categorization (e.g., confidential and top secret) supports information protection.
  Retained—Information is available over an extended period of time to support inquiries and inspections by external parties.

60 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Quality of information is dependent on:
  Sufficient—There is enough information at the right level of detail relevant to information requirements. Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation.
  Timely—The information is available from the information system when needed. Timely information helps with the early identification of events, trends, and issues.
  Valid—Information is obtained from authorized sources, gathered according to prescribed procedures, and represents events that actually occurred.
  Verifiable—Information is supported by evidence from the source.
Management establishes information management policies with clear responsibility and accountability for the quality of the information.

61 Resources
AICPA’s Information Management and Technology Assurance (IMTA) Interest Area:
  Located under the Interest Areas tab on AICPA’s home page
  Sponsor of the Certified Information Technology Professional (CITP) credential, which recognizes CPAs for their ability to leverage technology to effectively manage information while ensuring the data’s reliability, security, accessibility, and relevance
  Various webcasts, whitepapers, newsletters, etc.

62 Resources
Information Systems Audit and Control Association (ISACA):
  Sponsor of the Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) exams
IT Governance Institute:
  Designed COBIT (Control Objectives for Information and related Technology) with ISACA, AICPA, and other interested parties to serve as a framework for IT governance and control that fits with and supports COSO’s Internal Control – Integrated Framework
  COBIT Home Page:

63 Contact Information
Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant
Ocala, FL
Mobile:
Company Website:
LinkedIn:

