Presentation on theme: "Are You Ready for IT Control Identification & Testing?"— Presentation transcript:
1 Are You Ready for IT Control Identification & Testing?
The Institute of Internal Auditors, February 10, 2004
Moderator: Xenia Ley Parker, CIA, CISA, CFSA, XLP Associates
2 Agenda
Introduction & Overview: Xenia Ley Parker, XLP Associates
General Controls: Edward Hill, Protiviti
Application Controls: John Gimpert, Deloitte
Establishing a Framework: Reggie Combs, Lockheed Martin
Break
Q & A
3 References
Public Company Accounting Oversight Board: www.pcaobus.org/
SEC Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
"Internal Control—Integrated Framework", Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO Exposure Draft, "Enterprise Risk Management Framework"
COBIT 3rd Edition, IT Governance Institute
"IT Control Objectives for Sarbanes-Oxley", IT Governance Institute
The IIA GAIN Flash Survey: Use of SOX tools
Protiviti, "Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions"
Deloitte, "Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002"
PricewaterhouseCoopers, "Understanding the Independent Auditor's Role in Building Trust"; "The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges"
4 PCAOB Exposure Draft (ED) Statements: Impact on IT Control Guidance
"determining which controls should be tested… generally, such controls include… information technology general controls, on which other controls are dependent" (page 41)
"The auditor should obtain an understanding of the design of specific controls by applying procedures that include… tracing transactions through the information system relevant to financial reporting" (page 48)
"Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively" (page 51)
5 PCAOB Exposure Draft (ED) Statements: Impact on IT Control Guidance
"The risk that the controls might not be operating effectively. Factors … include the following: – The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls)" (page 74)
"The audit should trace all types of transactions and events, both recurring and unusual from origination through the company's information systems until they are reflected in the company's financial reports…" (page 79)
6 Introduction of Key Issues
Define the 404 universe, processes, risks & controls
Identify key controls: assertions related to control considerations
Impact of IT controls
Application vs. IT controls
Establishing a framework
7 PCAOB Release No. 2003-017, issued 7 October 2003
Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework
Other suitable frameworks have been published in other countries and likely will be published in the future
Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes
8 Tone at the Top
IT executives need to be well versed in internal control theory and practice
Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls?
Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting?
9 IT Control Objectives for Sarbanes-Oxley: Common Elements of Organizations
11 Sarbanes-Oxley IT Diagnostic Questions
1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404?
2. Does IT management understand the financial reporting process and its supporting systems?
3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing?
4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization?
5. Are the IT department's roles and responsibilities related to Section 404 documented & understood by all members of the IT department?
12 Sarbanes-Oxley IT Diagnostic Questions
6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, & are they supported with appropriate skill development?
7. Is the IT department's risk assessment process integrated with the company's overall risk assessment process for financial reporting?
8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis?
9. Does IT have a formal process in place to identify & respond to IT control deficiencies?
10. Is the effectiveness of IT controls monitored & followed up on a regular basis?
Source for Slides 8-12: IT Governance Institute, ISACA
13 Are you Ready for IT Control Identification & Testing?
General Controls: Edward Hill, CPA, Protiviti
14 Integrated Application "Plain English" Approach: IT Risks & Controls for SOX 404
Define universe, processes, risks & controls
Assertion relationships
Document key controls & evaluate
Testing of key controls & what to do
(Diagram: IT Organization & Structure; IT Entity Level Control Evaluations; IT Process Level Control Evaluations covering Integrated Application Specific Processes, Application & Data Owner Processes, and General IT Processes)
15 Integrated Application Process Level: IT Risks & Controls
(Diagram: Integrated Application Specific Processes; Application and Data Owner Processes; General IT Processes)
Most important part of this discussion: these processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the internal control objectives over the reliability of financial reporting.
16 General IT Process Risks and Controls: A Typical Universe & Risk Assessment
General IT Processes:
Security Administration
Application Maintenance: Change Control
Ensure Continuity: Data Management & Disaster Recovery
Manage Technical Infrastructure & Operations: Problem Management
Asset Management
17 Integrated Application: Impact of STRONG Controls at the IT General Controls Level
(Diagram: General IT Processes support Application & Data Owner Processes, which support Integrated Application Specific Processes)
Applications perform as designed
Programmed controls function as designed
Access to transactions and data functions as designed
WHEN SETTING SCOPE:
Work at the application and data owner level can focus on proper design of controls
General controls provide an indication that such controls operate as intended
18 Controls: Security Administration
How does this relate to the assertions? What can go wrong?
Security, designed & implemented properly, assures transactions are executed only by those individuals with authorization.
Security, designed appropriately, ensures (physical and electronic) access to assets is restricted.
This impact must be understood at each IT component level:
Application transaction and data level
Access to the systems and infrastructure, such as administrator and super user accounts, on:
Databases
Platforms (operating systems)
Networks
19 Security & Segregation of Duties
Potential impact on assertions:
Transactions are executed only by individuals authorized by management to do so
Duties that are incompatible from an internal control standpoint are segregated in accordance with management's criteria
Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorization and segregation issues)
20 Security Administration
Risks and controls documented and evaluated for specific process portions:
Role set-up, maintenance and periodic validation
User set-up, maintenance and deletion
Data classification and rules allowing access to sensitive data
Periodic transaction and data access review, validation and follow-up
Risks and controls documented and evaluated at the technical level:
Set-up of administrative and other sensitive accounts for all technology components
Add, modify and delete procedures
Audit trail rules and set-up
Monitoring and review procedures for usage of administrative and sensitive accounts
21 Security Administration
Risks and controls documented and evaluated for specific process portions:
Development and maintenance of security roles restricting access to transactions and data to only those individuals with a valid business need to execute the transactions and access the data
Development and communication to the IT organization of the roles and transactions that need to be segregated from an internal controls standpoint
Maintenance and review of application changes to confirm the appropriateness of the roles and transactions identified as incompatible from an internal control standpoint
22 Manage Applications: Change Controls
How does this relate to the assertions? What can go wrong?
Application change control provides assurance that applications function as intended and that the integrity of processing is maintained
Appropriate application changes assure completeness and accuracy of processing
Together with security administration, the change process assures transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions
Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes to the following do not occur:
Production data
Other related components such as interface routines, background processing and updates, etc.
23 Application & Data Owner Responsibilities for Change Controls
How does this relate to the assertions? What can go wrong?
Application changes may not be in accordance with the directives of the business owners, causing them not to function as intended or to function without the appropriate controls. This impacts:
Completeness and accuracy
Authorization
Access to assets
There may be changes to the security administration of roles and responsibilities that affect the controls which ensure appropriate authorization of transactions and access to assets
24 Manage Applications – Change Controls
Risks and controls documented and evaluated for the specific process:
Initiation of change requests
Testing and approval of changes prior to migration into the production environment
Critical calculations and data validation and exception routines
Interfaces
Job sequencing and interrelationships
Application migration procedures
Integrity of process and access to applications and data by migrators
Back-out and validation of successful migrations
Emergency change procedures and processes
25 Business Owner Change Control Processes
Risks and controls documented and evaluated for the specific process:
Changes are appropriately initiated and approved by the application and data owners
All changes are reviewed by the application owners from a controls perspective, with a sign-off that controls have been appropriately considered for any change(s)
Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.)
There should be review (after the fact) of emergency changes such that application owners verify the validity of the change and its appropriateness with respect to programmed controls.
26 Format for Documentation and Control-Related Work
Evaluation of IT-related risks and controls should be formatted similarly to other process and control work:
Process maps
Process narratives
Risk and control matrices
All work should focus on controls that affect the financial reporting and disclosure risks and controls
Must address financial reporting assertions
27 Evaluation of IT Controls
After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risk
The evaluation should include both manual and systems-based controls, even in the General Controls processes
At this point, control gaps, if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls
For controls evaluated as effective, the next step is to develop a testing plan so that operating effectiveness can be evaluated
28 Approach to IT General Controls Testing
(Diagram: Define Testing Scopes, Build Testing Plan, Execute Testing, Analyze Test Results, Update Testing)
For IT General Controls testing, key controls can and should be tested similarly to other processes with pervasive controls:
There needs to be a combination of inquiry, inspection, observation and re-performance
Process flows and risk and control matrices should be referenced and are key to selecting the type of test needed
Timing of this testing: two competing issues
One external firm indicated that pervasive controls such as IT general controls should be tested near the "as of" date
Testing of these controls needs to be done early in the overall process because the results directly affect the nature and extent of testing of the controls that depend on them
29 Documenting General Controls Testing
(Diagram: Define Testing Scopes, Build Testing Plan, Execute Testing, Analyze Test Results, Update Testing)
For IT General Controls testing, documentation of testing should be handled similarly to other processes with pervasive controls:
There need to be documentation standards for inquiry, inspection, observation and re-performance testing; scoping should be based on the overall approach
Evidence of tests should be retained for review and approval
30 Are you Ready for IT Control Identification & Testing?
Application Controls: John Gimpert, CPA, Deloitte
31 Importance of IT in Sarbanes-Oxley
For most organizations, IT controls are pervasive to the financial reporting process
Financial applications and automated systems are typically used to initiate, record, process and report transactions
Applications and ERP systems are supported by the general computing environment
The effectiveness of application computing controls is dependent upon the general computing controls
Limitations of application controls may need to be appropriately mitigated by general computing controls
Overall, application and general computing controls support the integrity and reliability of financial reporting
32 A Roadmap for Compliance
Source: IT Governance Institute (ITGI), "IT Control Objectives for Sarbanes-Oxley" Discussion Document
33 Internal Control Reliability Model
Determine the reliability and maturity of IT controls.
Stage 4 – Optimal: meets the characteristics of Stage 3, plus:
An enterprise-wide control and risk management program exists such that controls are documented and continuously reevaluated to reflect major process or organizational changes.
A self-assessment process is used to evaluate controls design and effectiveness.
Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness.
Stage 3 – Reliable:
Controls and related policies and procedures are in place and adequately documented.
A disclosure creation process is in place and adequately documented.
Employees are aware of their responsibility for control activities.
Operating effectiveness of control activities is evaluated periodically; the process is documented.
Control deficiencies are identified and remediated timely.
Stage 2 – Insufficient:
Controls and policies and procedures are not fully documented.
A disclosure creation process is not fully documented.
Employees may not be aware of their responsibility for control activities.
Operating effectiveness of control activities is not evaluated regularly and the process isn't documented.
Control deficiencies may be identified but not remediated timely.
Stage 1 – Unreliable:
Controls, policies and procedures are not in place and documented.
A disclosure creation process does not exist.
Employees are unaware of their controls responsibility.
Operating effectiveness of control activities is not evaluated regularly.
Control deficiencies aren't identified.
34 Mapping Accounts to Controls
Determine and walk through key transactions and accounts
Identify applications and IT systems related to significant accounts and transactions
Identify, document and test controls supporting the above
(Diagram: Significant Accounts/Processes (Balance Sheet, Income Statement, G/L, Inventory, Other) map to Classes of Transactions / Business Processes (Process A, B, C), which map to Financial Applications (Application A, B, C). Application controls, for example: segregation of duties, data integrity, completeness, timeliness. General Computing Controls: security, retention, operations, configuration.)
35 Application Controls: Definition
Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing
Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct
Application controls are typically embedded within software programs to prevent or detect unauthorized transactions
36 Linking Business Process to Controls
Control objectives (examples):
Accounts receivable balances and reserves are complete and accurate.
Sales revenues and cost of goods sold are complete and accurate.
All purchase orders received are input and processed.
Invoices are generated using authorized terms and prices.
Only valid changes are made to customer master files.
(Diagram: Sales sub-process running from customer order entry through order processing to accounts receivable, with customer controls, order & supplier controls and invoice controls implemented in SAP, Oracle or other applications; beneath them the IT infrastructure: networks, system software, databases and information, security)
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
General computing controls cover security access, change and configuration management, data retention, testing, processing integrity, etc.
38 Examples of Control Identification
Objective: Only valid orders are processed
Assertion: Existence or Occurrence
Automated application controls: Access to enter orders is limited to appropriate personnel. A valid customer number is required prior to order entry.
Objective: All orders received from customers are input and processed
Assertion: Completeness
Automated application controls: Pending order reports are generated daily for review. Incomplete order entries are flagged for completion.
Objective: Orders and cancellations of orders are input accurately
Automated application controls: Critical data fields (e.g. order number, date, address) are pre-populated prior to order completion. Data entered on returns is matched with original sales information.
Objective: Orders are processed only within the approved customer credit limits
Assertion: Authorization
Automated application controls: Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by the credit manager.
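The controls on this slide are statements of what the order-entry application should do; what follows is an added example, written for this page and not taken from the presentation or any vendor's product, of how they look as programmed controls. It implements an order-entry function that requires a valid customer number (existence), flags incomplete entries (completeness), pends orders whose open exposure would exceed the credit limit and restricts credit-limit overrides to a credit manager (authorization), and a return-entry function that matches each return to its original sale on customer and amount (accuracy). Customer numbers, credit limits, sales history, roles and user names are constructed sample data.

```python
"""Automated application controls for order entry (added illustration).

Implements the controls listed on the slide as code in an order-entry
module: valid customer number required before entry, incomplete entries
flagged for completion, orders over the credit limit pended for review,
credit-limit overrides requiring credit manager approval, and returns
matched to the original sale. All master data here is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal

# Constructed master data: customer number -> credit limit.
CREDIT_LIMITS = {"C1001": Decimal("5000.00"), "C1002": Decimal("1500.00")}
# Constructed sales history: sale id -> (customer number, amount sold).
SALES = {"S-900": ("C1001", Decimal("1200.00")), "S-901": ("C1002", Decimal("300.00"))}
# Constructed list of users holding the credit manager role.
CREDIT_MANAGERS = {"bob"}
# Critical fields that must be present before an order can complete.
REQUIRED_FIELDS = ("order_number", "customer_number", "order_date", "ship_to", "amount")


@dataclass
class Outcome:
    status: str                  # ACCEPTED, PENDED, INCOMPLETE or REJECTED
    reasons: list[str] = field(default_factory=list)


def enter_order(order: dict, exposure: dict[str, Decimal]) -> Outcome:
    """Apply the input controls; `exposure` tracks open order value per customer."""
    missing = [f for f in REQUIRED_FIELDS if order.get(f) in (None, "")]
    if missing:
        # Completeness: the order is held and flagged, not processed with blanks.
        return Outcome("INCOMPLETE", [f"missing {f}" for f in missing])
    limit = CREDIT_LIMITS.get(order["customer_number"])
    if limit is None:
        # Existence: no order can be entered against an unknown customer.
        return Outcome("REJECTED", ["invalid customer number"])
    amount = Decimal(order["amount"])
    if amount <= 0:
        return Outcome("REJECTED", ["amount must be positive"])
    new_exposure = exposure.get(order["customer_number"], Decimal("0")) + amount
    if new_exposure > limit:
        # Authorization: pended for credit review rather than silently accepted.
        return Outcome("PENDED", [f"exposure {new_exposure} exceeds credit limit {limit}"])
    exposure[order["customer_number"]] = new_exposure
    return Outcome("ACCEPTED")


def enter_return(ret: dict) -> Outcome:
    """A return must match an original sale on customer and not exceed its amount."""
    sale = SALES.get(ret.get("original_sale"))
    if sale is None:
        return Outcome("REJECTED", ["no matching original sale"])
    customer, sold_amount = sale
    reasons = []
    if ret.get("customer_number") != customer:
        reasons.append("customer does not match original sale")
    if Decimal(ret.get("amount", "0")) > sold_amount:
        reasons.append("return amount exceeds original sale")
    return Outcome("REJECTED", reasons) if reasons else Outcome("ACCEPTED")


def override_credit_limit(customer: str, new_limit: str, approver: str) -> Outcome:
    """Credit-limit changes take effect only with a credit manager's approval."""
    if approver not in CREDIT_MANAGERS:
        return Outcome("REJECTED", [f"{approver} is not a credit manager"])
    if customer not in CREDIT_LIMITS:
        return Outcome("REJECTED", ["invalid customer number"])
    CREDIT_LIMITS[customer] = Decimal(new_limit)
    return Outcome("ACCEPTED")


if __name__ == "__main__":
    open_exposure: dict[str, Decimal] = {}
    print(enter_order({"order_number": "SO-1", "customer_number": "C1001", "order_date": "2004-02-10",
                       "ship_to": "Dock 4", "amount": "4000.00"}, open_exposure))
    print(enter_order({"order_number": "SO-2", "customer_number": "C1001", "order_date": "2004-02-10",
                       "ship_to": "Dock 4", "amount": "1500.00"}, open_exposure))
    print(enter_return({"original_sale": "S-999", "customer_number": "C1001", "amount": "10.00"}))
```

Two design points matter for the assertions. The credit-limit check is made against cumulative open exposure, not the single order, so an order that is individually under the limit still pends once earlier unshipped orders are counted. And the return check tests both customer and amount against the original sale, which is what closes the gap the next slide records (a return processed without a matching sale).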
39 Types of Controls
Preventive: Preventive controls are designed to avert problems rather than correct them. Some examples include passwords to application systems or an approval on all purchase orders over a specified limit.
Detective: Detective controls are meant to catch errors after the fact. These may take the form of reviews, reconciliations, and analyses.
Manual: Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. Many manual controls can now be automated by application software, such as the triggering of exception reports.
Information Technology: IT controls consist of general controls (including controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (to ensure completeness, accuracy, authorization, and validity of data input and transaction processing).
40 Control Evaluation and Testing Process
Discovery process for existing controls: controls for those business processes impacting key transactions and accounts
Document the control
Evaluation of control design: assess the control design and document the assessment; if the design is not adequate, remediate
Evaluation of control effectiveness: test control effectiveness and document the test results; if the control is not operating effectively, remediate
Prepare for certification
41 Sample Result of Evaluation Process
Control activity: Access to enter orders is limited to appropriate personnel.
Example test of effectiveness: Compare who the system allows to enter orders to the list of management-approved personnel.
Control gap: Gap identified: access rights are not updated promptly when personnel change roles.
Control activity: A valid customer number is required prior to order entry.
Example test of effectiveness: Observe entry of sample orders with wrong customer numbers.
Control activity: Pending order reports are generated daily for review.
Example test of effectiveness: Obtain reports from the individual responsible for review.
Control activity: Incomplete order entries are flagged for completion.
Example test of effectiveness: Observe entry of sample incomplete orders.
Control gap: Gap noted: some incomplete orders are processed.
Control activity: Critical data fields (e.g. order number, date, address) are pre-populated prior to order completion.
Example test of effectiveness: Query a sample of order numbers to ensure uniqueness.
Control activity: Data entered on returns is matched with original sale information.
Example test of effectiveness: Compare a sample of sales returns against sales to ensure they match.
Control gap: Gap identified: a return can be processed without matching an original sale.
Control activity: Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by the credit manager.
Example test of effectiveness: Review application security settings to ensure the control is set up properly.
Control gap: Gap identified: one person can enter orders and increase customer credit limits.
Control gaps for the remaining control activities: none noted.
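Several of the tests on this slide, and the periodic access review and segregation-of-duties analysis called for under Security Administration on slides 19 to 21, are queries over security extracts rather than inspections, and are best run as code so that the full population is covered and the result is retained as evidence. The following is an added example written for this page, not code from the presentation or from any presenter's firm. Over constructed role-to-transaction and user-to-role extracts it compares who the system allows to enter orders with a management-approved list (surfacing the role-change gap), finds users whose combined roles grant both order entry and credit-limit changes (the segregation gap), and checks a sample of order numbers for uniqueness. Role names, transaction codes, user names and order numbers are assumptions made for the illustration.

```python
"""Tests of operating effectiveness for security administration (added illustration).

Runs three of the slide's tests as queries over constructed extracts:
compare who the system allows to enter orders with the management-approved
list, find users holding transactions management defined as incompatible,
and check a sample of order numbers for uniqueness. Roles, users,
transaction codes and order numbers are constructed sample data.
"""
from __future__ import annotations

from collections import Counter

# Constructed extract of the application's role-to-transaction mapping.
ROLE_TRANSACTIONS = {
    "sales_clerk":      {"ENTER_ORDER", "VIEW_CUSTOMER"},
    "credit_manager":   {"CHANGE_CREDIT_LIMIT", "VIEW_CUSTOMER"},
    "sales_supervisor": {"ENTER_ORDER", "CHANGE_CREDIT_LIMIT", "VIEW_CUSTOMER"},
    "warehouse":        {"SHIP_ORDER"},
}
# Constructed user-to-role assignments as currently configured in the system.
USER_ROLES = {
    "alice": {"sales_clerk"},
    "bob":   {"credit_manager"},
    "carol": {"sales_supervisor"},
    "dave":  {"sales_clerk", "warehouse"},   # moved to the warehouse; old role never removed
    "erin":  {"warehouse"},
}
# Management's approved list of order-entry personnel (constructed).
APPROVED_ORDER_ENTRY = {"alice", "carol"}
# Transaction pairs management has defined as incompatible (constructed from the slide's gap).
INCOMPATIBLE_PAIRS = [("ENTER_ORDER", "CHANGE_CREDIT_LIMIT")]
# Constructed sample of order numbers pulled from the order table.
ORDER_NUMBER_SAMPLE = ["SO-1001", "SO-1002", "SO-1003", "SO-1002", "SO-1004"]


def effective_transactions(user: str, user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS) -> set[str]:
    """Union of the transactions granted through every role the user holds."""
    tx: set[str] = set()
    for role in user_roles.get(user, set()):
        tx |= role_tx.get(role, set())
    return tx


def access_review(transaction: str, approved: set[str], user_roles=USER_ROLES) -> dict[str, set[str]]:
    """Compare system access to a transaction against the management-approved list."""
    has_access = {u for u in user_roles if transaction in effective_transactions(u, user_roles)}
    return {
        "not_approved_but_has_access": has_access - approved,   # access not removed on role change
        "approved_but_no_access": approved - has_access,        # provisioning gap
    }


def sod_conflicts(user_roles=USER_ROLES, pairs=INCOMPATIBLE_PAIRS) -> list[tuple[str, str, str]]:
    """Users whose combined roles grant both halves of an incompatible pair."""
    conflicts = []
    for user in sorted(user_roles):
        tx = effective_transactions(user, user_roles)
        for a, b in pairs:
            if a in tx and b in tx:
                conflicts.append((user, a, b))
    return conflicts


def duplicate_order_numbers(sample=ORDER_NUMBER_SAMPLE) -> set[str]:
    """Order numbers that appear more than once in the sample."""
    return {n for n, count in Counter(sample).items() if count > 1}


if __name__ == "__main__":
    print(access_review("ENTER_ORDER", APPROVED_ORDER_ENTRY))
    print(sod_conflicts())
    print(duplicate_order_numbers())
```

The segregation check works on effective transactions, the union across all of a user's roles, because the conflict on the slide need not live in one role: a user holding two individually clean roles can still end up able both to enter orders and to raise credit limits. Running the same functions against the extract at the "as of" date, rather than at the start of the engagement, addresses the timing issue raised on slide 28.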
42 Lessons Learned
Effective IT application controls are critical and serve as a first line of defense
Some controls exist at both the general computing and application layers, for instance security controls
Application controls can be modernized; many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist)
Application controls can be proactively built into applications and can help identify risks
Improved application controls can result in improved application effectiveness and help drive higher quality applications
A well controlled environment is a first step toward improved IT governance
43 Sarbanes-Oxley to Increase Shareholder Value
Risk Management: Compliance with Sarbanes-Oxley has a direct impact, and IT control improvements can reduce risk for downstream business initiatives
Operating Margin: Deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation
Asset Efficiency: Operational improvement regarding IT management processes; consolidation of systems to reduce complexity can result in operational efficiencies
Revenue Growth: Inventory your critical customer systems and data for future sales targeting initiatives
44 Are you Ready for IT Control Identification & Testing?
Establishing a Framework: Reginald B. Combs, CISA, Lockheed Martin Corporation
45 Establishing a Framework
The COSO/COBIT Relationship
Considerations When Identifying Controls
Entity, General, or Application Control?
46 Establishing a Framework: The COSO/COBIT Relationship
To assess an organization's internal controls, first identify the assessment criteria:
The COSO report defines internal control consistent with current auditing standards and SAS guidance
The COSO report also identifies five components of effective internal control:
Control Environment
Risk Assessment
Information & Communication
Control Activities
Monitoring
Section 404: "…establish and maintain an adequate internal control structure…"
47 Establishing a Framework: The COSO/COBIT Relationship
To assess an organization's IT internal controls, first identify the assessment criteria:
The COBIT framework is generally applicable and accepted as a standard for good IT security and control practices
COBIT "Business/Fiduciary Requirements" are derived from the COSO categories
COBIT classifies control objectives into four groups (domains):
Plan & Organize
Acquire & Implement
Deliver & Support
Monitor and Evaluate
COSO and COBIT provide a complementary framework for IT control identification
49 Considerations When Identifying Controls
Focus on "key" controls:
How does the application support the key financial processes?
Is the application processing data or acting as a repository?
Who relies on the controls?
Consider the types of errors that can occur at the application and process level
Ask "What Can Go Wrong" questions
When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts
50 Entity, General, or Application Control?
Varying opinions on which controls fall into each category
Establish definitions early and obtain consensus
Communicate throughout the organization
53 Concluding Remarks: Lessons Learned
Understanding the role of IT controls means understanding IT better
Updating skill sets to identify/classify controls
Changing business auditors' mindset:
What they can do; when IT auditors are needed
How to relate types of testing
How to determine the impact of deficiencies
54 Questions & Answers
55 Next Webcast: "Balancing SOX with Risk Based Audit Planning", March 9, 2004
See you at our next webcast!