Nature Coast Florida Government Finance Officers Association | October 16, 2013 Information Technology (IT) & The Updated COSO Framework Phil Gesner, CPA.CITP,

1 Nature Coast Florida Government Finance Officers Association | October 16, 2013
Information Technology (IT) & The Updated COSO Framework
Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant
Ocala, FL

2 Disclaimer
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the presenters' respective organizations or any associated organizations cited. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

3 COSO Considerations
– Changed (from implicitly to explicitly recognizing technology's role in internal control) due to greater use of and dependence (reliance) on technology
    – Use of technology continues to grow
    – Extent of technology used in organizations continues to increase and evolve
– Recognizes that management judgment (decisions) may be based on the use of and dependence on technology.
– Outsourcing continues to grow
    – Business processes (payroll, payables, pension and benefit management, investment management)
    – Technology activities supporting the business processes: procure, manage, and maintain previously internally managed technology systems

4 COSO's Definition of Technology
– May be referred to as:
    – Management Information Systems (MIS)
    – Information Technology (IT)
    – Various other terms
– Technology is the use of a combination of automated and manual processes, and computer hardware and software, methodologies, and processes.
    – Very generic definition, as technology continually evolves (i.e. cloud computing and social media)

5 COSO's Definition of Technology
– Technology environments vary in size, complexity, and extent of integration.
    – Large, centralized, and integrated systems
    – Small, decentralized, and independent systems
– May involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, and geographies.

6 COSO's Definition of Technology
Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use. In addition, technology can allow an entity to share operational and performance data with the public.

7 COSO's Definition of Technology
Technology innovation creates both opportunities and risks.
– Opportunities: enable the development of new business markets and models, generate efficiencies through automation, and enable entities to do things that were previously hard to imagine.
– Risks: increased complexity, which makes identifying and managing risks more difficult.

8 Risk | Complexity of IT Security
(Layered diagram with "Data & Business Processes" at the centre)
– Like ogres and onions, IT security has layers.
– IT security also involves people (employees); therefore, training is critical.

9 IT Security Protects the Data and Business Process
(Diagram centred on "Data & Business Processes")
– Controls should be in place to protect the data and business processes.
– Data is an organizational asset.
– Value of data:
    – May not be readily ascertainable
    – Not recorded on the books
    – Varies depending on perspective: your organization, other organizations, employees, external individuals, vendors
– Your garbage is another individual's or organization's treasure!!!!

10 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast

11 Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast

12 Risk | IT Complexity
The nature and extent of IT risks are dependent on the level of complexity.
– Generally, as complexity increases, the type and number of potential IT risks increase.
– The manner in which IT is used in conducting business also has a direct relationship with the potential IT risks.
– Significant changes made to existing systems, or implementation of a new system, increase the potential IT risks.
– Shared data between systems increases the potential IT risks.
– Usage of emerging technologies (cloud computing, mobile - BYOD) increases the potential IT risks.
– Availability of evidence only in electronic formats, including reports, increases the potential IT risks.
Source: AICPA IT Audit Training School

13 Risks | IT Risk Factors for Internal Control Include
– Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both
– Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
– Unauthorized changes to data in master files
– Unauthorized changes to systems or programs
– Failure to make necessary changes to systems or programs
– Inappropriate manual intervention
– Potential loss of data or inability to access data as required
Source: AICPA IT Audit Training School

14 Applications | Purchased Systems
Commercial Off The Shelf (COTS) and/or configurable systems
Advantages
– Generally cheaper for general business use applications
– On-going support and maintenance
Disadvantages
– Some limitations related to customizations
– Vendor dependence
Example: QuickBooks
Source: AICPA IT Audit Training School

15 Applications | Configurable Packages
– Configurable mid-tier system
– Not as expensive as an ERP system or custom developed application
– Found in small, mid or large organizations
– Increased capabilities when compared to Commercial Off the Shelf (purchased) systems:
    – Configuration changes
    – Customizations
Examples: Microsoft Dynamics (Great Plains/Solomon), MAS/90, Navision, Munis, Eden, etc.
Most prevalent
Source: AICPA IT Audit Training School

16 Applications | Enterprise Resource Planning (ERP) System
– Integrates all facets of financial processing with operations, marketing, HR
– Requires specialized knowledge to set up (usually with the vendor and outside consultants)
– Generally found in large organizations
– Very expensive to purchase & maintain
– Very complex security
Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson, etc.
Source: AICPA IT Audit Training School

17 Applications | Custom Developed
Custom Developed Application: those applications that are designed and developed in-house to meet a specific business need for internal use (not resale)
Advantages
– Customized to meet specific business need
– Independence from vendors
Disadvantages
– No outside vendor support; all by on-staff personnel (higher costs)
– Often longer deployment times and fewer controls
Less prevalent, and becoming more so each day
Source: AICPA IT Audit Training School

18 Applications | Outsourced
Organization contracts with a third-party service organization for one or all of the following activities:
– Development of application and underlying technology
– Hosting of application, data, and underlying technology
– Maintenance of application and underlying technology
– All or part of one or multiple business process(es) (i.e. payroll) and related internal controls
Source: AICPA IT Audit Training School

19 Applications | Outsourced
Advantages
– Customized and configurable to meet specific business need
– Can obtain access to ERP systems at lower costs
    – May not need to purchase any servers
    – May not need to hire new IT personnel and may be able to reallocate IT personnel or positions
– Dependence on vendor rather than employees
    – IT third-party service organization is able to replace employees more easily than the outsourcing organization
Source: AICPA IT Audit Training School

20 Applications | Outsourced
Disadvantages
– Dependence on vendor
    – Requires increased effort to manage vendors and service level agreements (SLAs)
    – Service Organization Control (SOC) reports: see AICPA website
– Poor end user experience due to performance bottlenecks
– Poor customer experiences could be perceived as organization weaknesses rather than vendor weaknesses
– More limited control over application, data, and underlying technology
Examples: Xero
Source: AICPA IT Audit Training School

21 Control Environment
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
– Executive management and the board should have an understanding of relevant systems and technology (or appropriate skills and expertise) needed to evaluate the organization's approach to managing new technology innovations, critical systems, and the opportunities and risks associated with those challenges.
    – IT Governance Committee
    – IT Steering Committees
    – User Groups

22 Control Environment
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
– Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of business.
– Management is supported by requisite processes and technology to provide for clear accountability and information flows within and across the overall entity and its subunits.

23 Control Environment
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
– The organization should ensure that it has appropriately skilled personnel with knowledge of the operation of technology platforms underpinning the business processes.

24 Control Environment
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
– Accountability is driven by tone at the top and supported by the commitment to integrity and ethical values, competence, structure, processes, and technology, which collectively influence the control culture of the organization.

25 Risk Assessment
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
– Entity-level risks
    – Technological: developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based service
– Internal factors
    – Technology: a disruption in information systems processing that can adversely affect the entity's operations

26 Risk Assessment
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
– As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
    – Nature of technology and management's ability to manipulate information
– Opportunities (and thereby fraud risks) may increase as a result of:
    – Turnover in technology staff
    – Ineffective technology systems

27 Risk Assessment
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
– New technology: when new technology is incorporated into production, service delivery processes, or supporting information systems, internal controls will likely need to be modified.

28 Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

29 Principle 10: Selects and Develops Control Activities
– When determining what actions to put in place to mitigate risk, management considers all aspects of the entity's internal control components and the relevant business processes, information technology, and locations where control activities are needed.
– Restricted access is especially important where technology is integral to an organization's processes or business. Configuring the security in applications to address restricted access can become very complex and requires technical knowledge and a structured approach.
    – Discussed in more detail under the Security Management Processes section of Principle

30 Principle 10: Selects and Develops Control Activities
– Control activities and technology relate to each other:
    – Technology supports business processes: when technology is embedded into the entity's business processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk that the technology itself will not continue to operate properly to support the achievement of the organization's objectives.
    – Technology used to automate control activities: many control activities in an entity are partially or wholly automated using technology.

31 Technology Supports Business Processes
(Layered diagram of Internal Control Over Financial Reporting (ICFR); labels recovered from the figure:)
– Significant Accounts in the Financial Statements: Balance Sheet, Income Statement, Cash Flows, Notes, Other Disclosures
– Significant Classes of Transactions / Business Processes: Process A, Process B, Process C, Process D, Process E
– Significant Financial Applications: Application A, Application B, Application C
– Significant IT Infrastructure Services: Database, Operating System, Network / Physical
– IT General Controls: Program Development, Program Changes, Program Operations, Access Controls
– Control Environment
– Key Application and IT-Dependent Manual Controls
– Assertions: Accuracy, Completeness; Objectives: Authorization, Segregation of Duties
Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

32 Technology Used to Automate Control Activities
Manual vs. Automated Controls
– Manual control: a control performed manually (not through technology)
– Automated controls: control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software).
    – Application control: a control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events.
    – IT-dependent manual control (hybrid control): manual controls that are dependent on an automated process to take place.

33 Application Controls
– Type: Edit checks, Validations, Calculations, Interfaces, Authorizations
– Character: Embedded, Configurable

34 Technology Used to Automate Control Activities
Examples of Application Controls
– Computer generated batch control total comparison
– Edit and validation checks on information entered into input fields
– Master file data look-ups of information entered into input fields
– Numeric range controls for data entered into input fields
– Data matching
– Error checking programs
– Computations
– Forwarding a transaction to the appropriate person for electronic authorization (using logical segregation of duties)

35 Examples of Application Controls
Purchasing and Accounts Payable Business Process
Initiate/Authorize (Input)
– Application will only accept purchase orders entered for vendors on an approved vendor list (i.e. vendors in the vendor master file).
– Access to add or modify vendor or vendor information through the purchasing module of the financial application into the vendor master file (database) is restricted to purchasing department personnel.
Process
– Application matches the purchase order, receiving report and vendor invoice before payment can be made (three-way match).
– Application automatically selects items for payment based on the due date of the vendor invoice.
Record (Output)
– Application automatically posts the payment to the G/L.

36 Example of an IT-Dependent Manual Control
Purchasing and Accounts Payable Business Process
– Detection: Computer detects a discrepancy between a PO, receiving report & vendor invoice. (automated control)
– Investigation/Correction: Clerk reviews and follows up until discrepancy is resolved. (manual control)
– Resubmission: Clerk resubmits reconciled invoice for payment. (manual process)
– NOTE: Test both automated and manual controls
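Slides 35 and 36 describe the vendor-master input check, the three-way match, due-date payment selection and the clerk's exception follow-up. The Python model below is an added example, not code from the presentation; all vendors, purchase orders, receiving reports and invoices in it are constructed sample data, and the tolerance, field names and control functions are assumptions made for the illustration.

```python
"""Added example (not from the presentation): the purchasing / AP application
controls on slides 35-36 as a small Python model over constructed data."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed vendor master file: a PO is accepted only for these vendor ids.
APPROVED_VENDORS = {"V-100": "Acme Office Supply", "V-200": "Gulf Coast Paving"}


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    qty: int
    unit_price: Decimal

@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    qty_received: int

@dataclass(frozen=True)
class VendorInvoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    qty_billed: int
    unit_price: Decimal
    due_date: date

def accept_purchase_order(po, approved=APPROVED_VENDORS):
    """Input control: reject a PO whose vendor is not in the vendor master file."""
    if po.vendor_id not in approved:
        raise ValueError(f"{po.po_number}: vendor {po.vendor_id} not in vendor master file")
    return po

def rejects_unlisted_vendor(vendor_id="V-999"):
    """True when the input control refuses a PO for a vendor id off the master file."""
    try:
        accept_purchase_order(PurchaseOrder("PO-TEST", vendor_id, 1, Decimal("1.00")))
    except ValueError:
        return True
    return False

def three_way_match(po, receipt, invoice, price_tolerance=Decimal("0.00")):
    """Process control: compare PO, receiving report and invoice.
    Returns the list of discrepancies; an empty list clears the invoice."""
    issues = []
    if receipt.po_number != po.po_number or invoice.po_number != po.po_number:
        issues.append("document PO numbers do not agree")
    if invoice.vendor_id != po.vendor_id:
        issues.append(f"invoice vendor {invoice.vendor_id} differs from PO vendor {po.vendor_id}")
    if invoice.qty_billed != receipt.qty_received:
        issues.append(f"quantity billed {invoice.qty_billed} differs from quantity received {receipt.qty_received}")
    if invoice.qty_billed > po.qty:
        issues.append(f"quantity billed {invoice.qty_billed} exceeds quantity ordered {po.qty}")
    if abs(invoice.unit_price - po.unit_price) > price_tolerance:
        issues.append(f"unit price {invoice.unit_price} differs from PO price {po.unit_price}")
    return issues

def select_for_payment(purchase_orders, receipts, invoices, as_of):
    """Batch run: matched invoices due by `as_of` are cleared for posting;
    every discrepancy goes to the exception queue the AP clerk works manually."""
    po_index = {po.po_number: po for po in purchase_orders}
    receipt_index = {r.po_number: r for r in receipts}
    cleared, exceptions = [], []
    for inv in invoices:
        po, receipt = po_index.get(inv.po_number), receipt_index.get(inv.po_number)
        if po is None or receipt is None:
            exceptions.append((inv.invoice_number, [f"no PO and receiving report on file for {inv.po_number}"]))
            continue
        issues = three_way_match(po, receipt, inv)
        if issues:
            exceptions.append((inv.invoice_number, issues))
        elif inv.due_date <= as_of:
            cleared.append(inv.invoice_number)
    return cleared, exceptions

def run_sample():
    """Constructed batch, run as of the presentation date."""
    pos = [accept_purchase_order(po) for po in (
        PurchaseOrder("PO-1001", "V-100", 10, Decimal("25.00")),
        PurchaseOrder("PO-1002", "V-200", 5, Decimal("100.00")),
        PurchaseOrder("PO-1003", "V-100", 2, Decimal("50.00")),
        PurchaseOrder("PO-1004", "V-100", 1, Decimal("10.00")))]
    receipts = [ReceivingReport("PO-1001", 10), ReceivingReport("PO-1002", 4),
                ReceivingReport("PO-1003", 2), ReceivingReport("PO-1004", 1)]
    invoices = [
        VendorInvoice("INV-A", "PO-1001", "V-100", 10, Decimal("25.00"), date(2013, 10, 10)),
        VendorInvoice("INV-B", "PO-1002", "V-200", 5, Decimal("100.00"), date(2013, 10, 12)),  # only 4 received
        VendorInvoice("INV-C", "PO-1003", "V-100", 2, Decimal("55.00"), date(2013, 10, 14)),   # price differs
        VendorInvoice("INV-D", "PO-9999", "V-100", 1, Decimal("5.00"), date(2013, 10, 14)),    # PO not on file
        VendorInvoice("INV-E", "PO-1004", "V-100", 1, Decimal("10.00"), date(2013, 11, 1)),    # not yet due
    ]
    return select_for_payment(pos, receipts, invoices, as_of=date(2013, 10, 16))

if __name__ == "__main__":
    print(run_sample())
```

`run_sample()` returns the cleared invoice numbers and the exception queue; the exception list is the hand-off point where the automated control ends and the clerk's manual investigation begins, which is why both halves need to be tested.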

37 Automated Control Implications
– Software is designed to be used by many organizations with different requirements.
– Many features, including controls, are optional or designed with adjustable parameters and thresholds.
– End users may have the ability to change system configuration settings.
– Segregation of duties when software is maintained by vendor.
– Program change responsibilities may be shared between vendor and client.

38 Principle 10: Selects and Develops Control Activities
– Most business processes have a mix of manual and automated controls, depending on the availability of technology in the entity.
– Automated controls tend to be more reliable, since they are less susceptible to human judgment and error, and are typically more efficient.
    – Subject to whether technology general controls (Principle 11) are implemented and operating. The design, implementation, and operating effectiveness of automated controls is dependent on or directly related to the design, implementation, and operating effectiveness of technology general controls.

39 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)
(Diagram; labels recovered from the figure:)
– Manual Controls / Automated Controls
– (Purely) Manual Controls / IT-Dependent Manual Controls / Application Controls
– 1. Embedded, 2. Configurable Controls (shown under both IT-Dependent Manual Controls and Application Controls)
– Technology General Controls

40 Technology General Controls vs. Application Controls
IT General Controls
– Relate to managing change, logical access and other technology general controls, including IT operations applied to individual applications, and do not operate at the individual transaction level
Application Controls
– Apply to each and every transaction
– Reviewed at a point in time
Application and IT general controls go hand-in-hand.

41 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)
(Diagram repeated from slide 39)

42 Control Activities
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. (Technology General Controls)

43 Principle 11: Technology General Controls
Determines Dependency between the Use of Technology in Business Processes (Principle 10) and Technology General Controls (Principle 11)
– Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology.

44 Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)
(Diagram repeated from slide 39)

45 Technology Supports Business Processes
(Layered ICFR diagram from slide 31, with the IT General Controls layer replaced by Technology General Controls; labels recovered from the figure:)
– Significant Accounts in the Financial Statements: Balance Sheet, Income Statement, Cash Flows, Notes, Other Disclosures
– Significant Classes of Transactions / Business Processes: Process A, Process B, Process C, Process D, Process E
– Significant Financial Applications: Application A, Application B, Application C
– Significant IT Infrastructure Services: Database, Operating System, Network / Physical
– Technology General Controls: Technology Infrastructure Control Activities, Security Management Process Control Activities, Change Control Activities
– Control Environment
– Key Application and IT-Dependent Manual Controls
– Assertions: Accuracy, Completeness; Objectives: Authorization, Segregation of Duties
Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

46 Principle 11: Technology General Controls
Technology general controls over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented. Technology general controls also help information systems continue to function properly after they are implemented.
Technology general controls apply to all technology:
– IT applications on a mainframe computer
– Client/server
– Desktop
– End-user computing
– Portable computer
– Mobile device environments
– Operational technology (plant control systems or manufacturing robotics)

47 Principle 11: Technology General Controls
– The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and risk of the underlying business process being supported.
– Similar to business transaction controls, technology general controls may include both manual and automated control activities.

48 Principle 11: Technology General Controls | Technology Infrastructure Control Activities
Establishes Relevant Technology Infrastructure Control Activities
– Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Technology infrastructure includes:
– Communication networks to link technologies to each other and across the organization (routers, switches, firewalls, etc.)
– Computing resources for applications to operate (servers, desktops, laptops)
– Electrical power supply

49 Principle 11: Technology General Controls | Technology Infrastructure Control Activities
Technology infrastructure
– Can be complex
– Shared by different business units in an organization
– Outsourced to third-party service organizations (including location-independent technology services: cloud computing)
– Technology changes constantly (3-5 years)
Technology infrastructure controls
– Batch (mainframe) / real-time (client/server) process scheduling
– Problem/incident management
– Backup and recovery, including disaster recovery plans

50 Principle 11: Technology General Controls | Security Management Process Control Activities
Establishes Relevant Security Management Process Control Activities
– Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats.
Sub-processes and control activities over who and what has access to the organization's technology, including who has the ability to execute transactions.
– Protects the organization from inappropriate or unauthorized access/use of system
– Supports segregation of duties

51 Principle 11: Technology General Controls | Security Management Process Control Activities
Sub-processes and control activities over who and what has access to the organization's technology, including who has the ability to execute transactions.
– Prevents unauthorized use of or changes to the system; protects data and program integrity from malicious intent or a simple error from:
    – Internal threats: former or disgruntled employees motivated to work against the organization, with greater access to and knowledge of the organization
    – External threats: due to the many potential uses of technology and points of entry, and the use of telecommunications networks and the Internet

52 Principle 11: Technology General Controls | Security Management Process Control Activities
Authentication control activities
– Unique user identifications or tokens are authenticated (checked before access is allowed) against a pre-approved list
– Technology general controls are designed to:
    – Allow only authorized users on these pre-approved lists
    – Restrict authorized users to the applications or functions commensurate with their job responsibilities and supporting an appropriate segregation of duties
– Control activities are in place to update access when employees change job functions or leave the organization
    – A periodic review of access rights against the policy is often used to check if access remains appropriate
– Access to different technologies (which may be integrated/connected) is controlled
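The periodic access review this slide mentions can be automated against a written policy. The script below is an added example, not from the presentation: it compares a constructed HR roster and a constructed list of granted application functions with an assumed role-to-function policy and assumed segregation-of-duties rules, and reports leavers, orphan accounts, residual access from a prior job function and conflicting function pairs for the access owner to clear.

```python
"""Added example (not from the presentation): a periodic access review of
the kind slide 52 describes, run over constructed roster and access data
for the purchasing / AP application. Policy and rules are assumptions."""
from dataclasses import dataclass

# Constructed policy: the application functions each job function may hold.
ROLE_POLICY = {
    "purchasing_agent": {"po_entry", "vendor_master_maintain"},
    "ap_clerk": {"invoice_entry", "payment_select"},
    "ap_supervisor": {"invoice_entry", "payment_select", "payment_release"},
    "it_admin": {"user_admin"},
}

# Constructed segregation-of-duties rules: function pairs no single user may hold.
SOD_CONFLICTS = [
    ("vendor_master_maintain", "payment_release"),
    ("po_entry", "payment_release"),
    ("user_admin", "payment_release"),
]

@dataclass(frozen=True)
class Employee:
    user_id: str
    job_function: str
    active: bool  # False once HR has recorded a termination

@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str      # "orphan", "terminated", "excess" or "sod"
    detail: str

def review_access(employees, access, policy=ROLE_POLICY, sod=SOD_CONFLICTS):
    """Compare granted access with the policy and return the exceptions the
    access owner must explain or revoke. `access` maps user_id -> set of functions."""
    roster = {e.user_id: e for e in employees}
    findings = []
    for user_id in sorted(access):
        granted = access[user_id]
        emp = roster.get(user_id)
        if emp is None:  # account with no HR record behind it
            findings.append(Finding(user_id, "orphan", "account not on HR roster"))
            continue
        if not emp.active:  # leaver whose access was never removed
            findings.append(Finding(user_id, "terminated", "active account for terminated employee"))
            continue
        allowed = policy.get(emp.job_function, set())
        for fn in sorted(granted - allowed):  # typically residue of a prior job function
            findings.append(Finding(user_id, "excess", f"{fn} not permitted for {emp.job_function}"))
        for a, b in sod:
            if a in granted and b in granted:
                findings.append(Finding(user_id, "sod", f"{a} conflicts with {b}"))
    return findings

def review_sample():
    """Constructed roster and access list for a quarter-end review."""
    employees = [
        Employee("alice", "purchasing_agent", True),
        Employee("bob", "ap_clerk", True),
        Employee("carol", "ap_supervisor", True),     # moved from purchasing last quarter
        Employee("dave", "purchasing_agent", False),  # terminated
    ]
    access = {
        "alice": {"po_entry", "vendor_master_maintain"},
        "bob": {"invoice_entry", "payment_select", "payment_release"},
        "carol": {"invoice_entry", "payment_select", "payment_release", "vendor_master_maintain"},
        "dave": {"po_entry"},
        "svc_legacy": {"user_admin"},  # no HR record
    }
    return review_access(employees, access)

if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.user_id:10} {f.kind:10} {f.detail}")
```

The sample deliberately includes carol's residual vendor-master access from her previous job function, which surfaces both as excess access and as a segregation-of-duties conflict with payment release.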

53 Principle 11: Technology General Controls | Change Control Activities
Establishes Relevant Technology Acquisition, Development, and Maintenance Process (Change) Control Activities
– Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives
– Provides structure for system design and implementation, outlining specific phases, documentation requirements, approvals and checkpoints

54 Principle 11: Technology General Controls | Change Control Activities
Provides appropriate controls over changes to technology
– Authorization of change requests
– Verification that the organization has a legal right to use the technology in the manner in which the technology is being employed
– Review to ensure that the changes are appropriate (a.k.a. testing and quality assurance)
– Approval for the changes
– Testing results of changes
– Implementing protocols to determine whether changes are properly made
Varies depending on the risks (and complexity) of the technology

55 Information & Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

56 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
An organization's information system encompasses a combination of people, processes, data, and technology that support business processes managed internally as well as those that are supported through relationships with outsourced service providers and other parties interacting with the entity.

57 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
– Information systems developed with integrated, technology-enabled processes provide opportunities to enhance the efficiency, speed, and accessibility of information to users.
– Additionally, such information systems may enhance internal control over security and privacy risks associated with information obtained and generated by the organization. Information systems designed and implemented to restrict access to information only to those who need it and to reduce the number of access points enhance the effectiveness of mitigating risks associated with the security and privacy of information.

58 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
– Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets, collaboration tools, interactive social media, data warehouses, business intelligence systems, operational systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology solutions present opportunities for management to leverage technology in developing and implementing effective and efficient information systems.

59 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Quality of Information is Dependent On:
– Accessible: The information is easy to obtain by those who need it. Users know what information is available and where in the information system the information is accessible.
– Correct: The underlying data is accurate and complete. Information systems include validation checks that address accuracy and completeness, including necessary exception resolution procedures.
– Current: The data gathered is from current sources and is gathered at the frequency needed.
– Protected: Access to sensitive information is restricted to authorized personnel. Data categorization (e.g., confidential and top secret) supports information protection.
– Retained: Information is available over an extended period of time to support inquiries and inspections by external parties.

60 Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls
Quality of Information is Dependent On:
– Sufficient: There is enough information at the right level of detail relevant to information requirements. Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation.
– Timely: The information is available from the information system when needed. Timely information helps with the early identification of events, trends, and issues.
– Valid: Information is obtained from authorized sources, gathered according to prescribed procedures, and represents events that actually occurred.
– Verifiable: Information is supported by evidence from the source.
Management establishes information management policies with clear responsibility and accountability for the quality of the information.

61 Resources
AICPA's Information Management and Technology Assurance (IMTA) Interest Area
– Located under the Interest Areas tab on AICPA's home page
– Sponsor of the Certified Information Technology Professional (CITP) credential, which recognizes CPAs for their ability to leverage technology to effectively manage information while ensuring the data's reliability, security, accessibility and relevance.
– Various webcasts, whitepapers, newsletters, etc.

62 Resources
Information Systems Audit and Control Association (ISACA)
– Sponsor of the Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) exams
IT Governance Institute
– Designed COBIT (Control Objectives for Information and related Technology) with ISACA, AICPA, and other interested parties to serve as a framework for IT governance and control to fit with and support COSO's Internal Control – Integrated Framework
– COBIT Home Page:

63 Nature Coast Florida Government Finance Officers Association | October 16, 2013
Contact Information
Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant
Ocala, FL
Mobile:
Company Website:
LinkedIn:

