Presentation is loading. Please wait.

Presentation is loading. Please wait.

Are You Ready for IT Control Identification & Testing?

Similar presentations


Presentation on theme: "Are You Ready for IT Control Identification & Testing?"— Presentation transcript:

1 Are You Ready for IT Control Identification & Testing?
The Institute of Internal Auditors February 10, 2004 Moderator: Xenia Ley Parker, CIA, CISA, CFSA XLP Associates

2 Agenda Introduction & Overview Xenia Ley Parker, XLP Associates
General Controls Edward Hill, Protiviti Application Controls John Gimpert, Deloitte Establishing a Framework Reggie Combs, Lockheed Martin Break Q & A

3 References Public Company Oversight Board - www.pcaobus.org/
Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - “Internal Control—Integrated Framework” Committee of Sponsoring Organizations of the Treadway Commission (COSO), Exposure Draft “Enterprise Risk Management Framework”- CobiT 3rd EditionÓ, IT Governance Institute - “IT Control Objectives for Sarbanes-Oxley”- The IIA GAIN Flash Survey Use of SOX tools - Protiviti “Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions” - Deloitte “Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002” - PricewaterhouseCoopers “Understanding the Independent Auditor’s Role in Building Trust”; “The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges” -

4 PCAOB ED Statements: Impact on IT Control Guidance
“determining which controls should be tested… generally, such controls include… information technology general controls, on which other controls are dependent” (page 41) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include… tracing transactions through the information system relevant to financial reporting” (page 48) “Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively” (page 51)

5 PCAOB ED Statements Impact on IT Control Guidance
“The risk that the controls might not be operating effectively. Factors … include the following: – The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (p 74) “The audit should trace all types of transactions and events, both recurring and unusual from origination through the company’s information systems until they are reflected in the company’s financial reports…” (page 79) Source:

6 Introduction of Key Issues
Define 404 universe, processes, risks, & controls Identify key controls: assertions related to control considerations Impact of IT controls Application vs. IT controls Establishing a framework

7 PCAOB Release No. 2003-017 issued 7 October 2003
Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework Other suitable frameworks have been published in other countries and likely will be published in the future Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes

8 Tone at the Top IT Executives need to be well versed on internal control theory and practice Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls? Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting?

9 IT Control Objectives for Sarbanes-Oxley: Common Elements of Organizations

10 Sarbanes Oxley, COSO and COBIT®

11 Sarbanes-Oxley IT Diagnostic Questions
1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404? 2. Does IT management understand the financial reporting process and its supporting systems? 3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing? 4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization? 5. Are the IT department’s roles and responsibilities related to Section 404 documented & understood by all members of the IT department?

12 Sarbanes-Oxley IT Diagnostic Questions
6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, & are they supported with appropriate skill development? 7. Is the IT department’s risk assessment process integrated with the company’s overall risk assessment process for financial reporting? 8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis? 9. Does IT have a formal process in place to identify & respond to IT control deficiencies? 10. Is the effectiveness of IT controls monitored & followed up on a regular basis? Source for Slides 8-12: IT Governance Institute, ISACA

13 Are you Ready for IT Control Identification & Testing?
General Controls Edward Hill, CPA Protiviti

14 Integrated Application
“Plain English” Approach: IT Risks & Controls for SOX 404 Define Universe, processes, risks & controls Assertion relationships Document key controls & valuate Testing of key controls & what to do IT Organization & Structure IT Entity Level Control Evaluations IT Process Level Control Evaluations Integrated Application Specific Processes Application & Data Owner Processes General IT Processes

15 Integrated Application
Process Level: IT Risks & Controls Integrated Application Specific Processes Application and Data Owner Processes General IT Processes Most important part of this discussion: These processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the IC objectives over the reliability of financial reporting.

16 General IT Process Risks and Controls-A Typical Universe & Risk Assessment
General IT Processes Security Administration Application Maintenance - Change Control Ensure Continuity - Data Management & Disaster Recovery Manage Technical Infrastructure & Operations - Problem Management Asset Management

17 Integrated Application
Impact of STRONG Controls at the IT General Controls General IT Processes Integrated Application Specific Processes Application & Data Owner Processes Applications perform as designed Programmed controls function as designed Access to transactions and data function as designed WHEN SETTING SCOPE: Work at application and data owner level can focus on proper design of controls General controls provide an indication that such controls operate as intended

18 Controls Security Administration
How does this relate to the assertions - what can go wrong? Security, designed & implemented properly, assures transactions are executed by only those individuals with authorization. Security, designed appropriately, ensures (physical and electronic) access to assets is restricted. This impact must be understood at each IT component level: Application transaction and data level Access to the systems and infrastructure such as administrator and super user: Databases Platforms (operating systems) Networks

19 Security & Segregation of Duties
Potential impact on assertions: Transactions are executed only by individuals authorized by management to do so Duties that are incompatible from an internal control standpoint are segregated in accordance with management’s criteria Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorized and segregation issues)

20 Security Administration
Risk and controls documented, evaluated for specific process portions: Role set up, maintenance and periodic validation User set up, maintenance and deletion Data classification and rules allowing access to sensitive data Periodic transaction and data access review, validation and follow-up Risks and controls documented, evaluated at the technical level: Set up of administrative and other sensitive accounts for all technology components Add, modify and delete procedures Audit trail rules and set-up Monitoring and review procedures for usage of administrative and sensitive account

21 Security Administration
Risk and controls documented, evaluated for specific process portions: Development and maintenance of security roles restricting access to transitions and data to only individuals with a valid business need to execute transactions and access data Development and communication to the IT organization the roles and transactions needed to be segregated from an internal controls standpoint Maintenance and review of applications changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint

22 Manage Applications-Change Controls
How does this relate to the assertions- what can go wrong: Application change provides assurances that applications function as intended and integrity of processing can be assured Appropriate application changes assure completeness and accuracy of processing Together with the security administration, processes assures transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes to the following do not occur: Production data Other related components such as interface routines, background processing and updates, etc.

23 Application & Data Owner Responsibilities For Change Controls
How does this relate to the assertions- what can go wrong: Application changes may not be in accordance with the directives of the business owners causing them not to function as intended or without the appropriate controls- impacts Completeness and accuracy Authorization Access to assets There may be changes to the security administration of roles and responsibilities that effect the controls which ensure appropriate authorization of transactions and access to assets

24 Management Applications – Change Controls
Risk and controls documented, evaluated for specific process Initiation of change requests Testing and approval of changes prior to migration into the production environment Critical calculations and data validation and exception routines Interfaces Job sequencing and interrelationships Application migration procedures Integrity of process and access to applications and data by migrators Back out and validation of successful migrations Emergency change procedures and processes

25 Business Owner Change Control Processes
Risk and controls documented, evaluated for specific process Changes are appropriately initiated and approved by the application and data owners All changes are reviewed by the application owners from a controls perspective and a sign-off that controls have been appropriately considered for any change(s) Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.) There should be review (after the fact) of emergency changes such that application owners verify validity of change and the appropriateness of change on programmed controls.

26 Format for Documentation and Control Related Work
Evaluation of IT-related risks and controls should be formatted similar to other process and control work Process maps Process narratives Risk and control matrices All work should focus on controls that affect the financial reporting and disclosure risks and controls Must address financial reporting assertions

27 Evaluation of IT Controls
After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risks The evaluation should include both manual and systems-based controls - even in the General Controls processes At this point, control gaps if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls For controls evaluated as effective, the next step is to develop a testing plan so that the operating effectiveness can be evaluated

28 Approach to IT General Controls Testing
Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Update Testing For IT General Controls testing – Test key controls can and should be tested similar to other processes with pervasive controls: There needs to be a combination of inquiry, inspection, observation and re-performance Process flows and risk and control matrices should be referenced and a key to selecting the type of test needed Timing of this testing- two competing issues One external firm indicated that for pervasive controls such as IT General controls these controls should be tested near the “as of” date Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls downstream of these.

29 Documenting General Controls Testing
Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Update Testing For IT General Controls testing – Documentation of testing should be tested similar to other processes with pervasive controls: There needs to be documentation standards for inquiry, inspection, observation and re-performance testing- scoping should be based on overall approach Evidence of tests should be retained for review and approval

30 John Gimpert, CPA Deloitte
Are you Ready for IT Control Identification & Testing? Application Controls John Gimpert, CPA Deloitte

31 Importance of IT in Sarbanes Oxley
For most organizations, IT controls are pervasive to the financial reporting process Financial applications and automated systems are typically used to initiate, record, process and report transactions Applications and ERP systems are supported by the general computing environment Effectiveness of the application computing controls are dependant upon the general computing controls Limitations of application controls may need to be appropriately mitigated by general computing controls Overall, application and general computing controls support the integrity and reliability of financial reporting

32 A Roadmap for Compliance
Source: IT Governance Institute (ITGI) “IT Control Objectives for Sarbanes Oxley Discussion Document

33 Internal Control Reliability Model
Determine the reliability and maturity of IT controls. Meets characteristics of Stage 3. An enterprise-wide control and risk mgt. program exists such that controls are documented and continuously reevaluated to reflect major process or organizational changes. A self-assessment process is used to evaluate controls design and effectiveness. Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness. Controls and related policies and procedures are in place and adequately documented. A disclosure creation process is in place and adequately documented. Employees are aware of their responsibility for controls activities. Operating effectiveness of control activities is evaluated periodically; the process is documented. Control deficiencies are identified and remediated timely. Controls and policies and procedures are not fully documented. A disclosure creation process is not fully documented. Employees may not be aware of their responsibility for control activities. Operating effectiveness of control activities is not evaluated regularly and the process isn’t documented. Control deficiencies may be identified but not remediated timely. Controls, policies and procedures are not in place and documented. A disclosure creation process does not exist. Employees are unaware of their controls responsibility. Operating effectiveness of control activities is not evaluated regularly. Control deficiencies aren’t identified. Characteristics Stage 4–Optimal Stage 3–Reliable Stage 2–Insufficient Stage 1–Unreliable

34 Mapping Accounts to Controls
Significant Accounts/Processes Balance Sheet Income Statement G/L Inventory Other Determine and walk-through key transactions and accounts Identify applications and IT systems related to significant accounts and transactions Identify, document and test controls supporting the above Classes of Transactions / Business Processes Process A Process B Process C Financial Applications Application A Application B Application C Application controls (examples) Seg of Duties Data integrity Completeness Timeliness General Computing Controls Security Retention Operations Configuration

35 Application Controls: Definition
Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct Application controls are typically embedded within software programs to prevent or detect unauthorized transactions

36 Linking Business Process to Controls SAP, Oracle, Other Applications
Control Objectives Account Receivable balances and reserves are complete and accurate. Sales revenues and cost of goods sold is complete and accurate All purchase orders received are input and processed Invoices are generated using authorized terms and prices Only valid changes are made to customer master files. Accounts Receivable Invoice controls Order Processing Sales Sub-process Order & supplier controls Customer controls Customer order entry SAP, Oracle, Other Applications Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information. IT Infrastructure Networks System Software Databases and Information Security General computing controls cover security access, change and configuration mgt, data retention, testing, processing integrity, etc.

37 Assertions

38 Examples of Control Identification
Access to enter orders is limited to appropriate personal. A valid customer number is required prior to order entry. Existence or Occurrences Only valid orders are processed Pending order reports are generated daily for review. Incomplete order entries are flagged for completion. Completeness All orders received from customers are input and processed Critical data fields (e.g.; order number, date, address) are pre-populated prior to order completion. Data entered on returns is matched with original sales information. Orders and cancellations of orders are input accurately Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by credit manager. Authorization Orders are processed only within the approved customer credit limits Automated Application Controls Assertion Objective

39 Types of controls Preventive Preventative controls are designed to avert problems rather than correct them. Some examples include passwords to application systems or an approval on all purchase orders over a specified limit. Detective Detective controls are meant to catch errors after the fact. These may take the form of reviews, reconciliations, and analyses. Manual Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. Many manual controls can now be automated by application software such as the triggering of exception reports. Information Technology IT controls consist of general controls (include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (to ensure completeness, accuracy, authorization, and validity of data input and transaction processing).

40 Control Evaluation and Testing Process
Discovery process for existing controls Evaluation of Control Design Assess the Control Design Document the Assessment Document Control Controls for those business processes impacting key transactions and accounts Remediate Y N Evaluation of Control Effectiveness Remediate N Prepare for Certification Document the Test Results Test Control Effectiveness Y

41 Sample Result of Evaluation Process
None noted. Gap Identified: One person can enter orders and increase customer credit limits. Review application security settings to ensure control is set up properly. Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by credit manager. Gap identified: access rights are not updated promptly when personnel change roles Compare who system allows to enter orders to list of management approved personnel. Observe entry of sample orders with wrong customer numbers. Access to enter orders is limited to appropriate personal. A valid customer number is required prior to order entry. Gap Identified: Return can be processed without matching an original sale. Gap noted: Some incomplete orders are processed Control Gaps Query sample of order numbers to ensure uniqueness. Compare sample of sales returns against sales to ensure match. Obtain reports from individual responsible for review. Observe entry of sample incomplete orders. Example Test of Effectiveness Critical data fields (e.g.; order number, date, address) are pre-populated prior to order completion. Data entered on returns is matched with original sale information. Pending order reports are generated daily for review. Incomplete order entries are flagged for completion. Control Activity

42 Lessons Learned Effective IT application controls are critical and serve as a first line of defense Some controls exist at both the general computing and applications layer - for instance Security Controls Applications controls can be modernized, many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist) Applications controls can be proactively built into applications and can help identify risks Improved applications controls can result in improved application effectiveness and help drive higher quality applications A well controlled environment is a first step toward improved IT Governance

43 Sarbanes Oxley to Increase Shareholder Value
Risk Management Compliance with Sarbanes Oxley has direct impact and IT control improvements can reduce risk for downstream business initiatives Operating Margin Deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation Asset Efficiency Operational improvement regarding IT management processes Consolidation of systems to reduce complexity can result in operational efficiencies Revenue Growth Inventory your critical customer systems and data for future sales targeting initiatives

44 Reginald B. Combs, CISA Lockheed Martin Corporation
Are you Ready for IT Control Identification & Testing? Establishing A Framework Reginald B. Combs, CISA Lockheed Martin Corporation

45 Establishing A Framework
The COSO/COBITTM Relationship Considerations When Identifying Controls Entity, General, or Application Control?

46 Establishing A Framework
The COSO/COBITTM Relationship To assess an organization’s internal controls, first identify the assessment criteria: COSO report defines internal control consistent with current auditing standards and SAS guidance COSO report also identifies five components of effective internal control: Control Environment Risk Assessment Information & Communication Control Activities Monitoring 404: “…establish and maintain an adequate internal control structure…”

47 Establishing A Framework
The COSO/COBITTM Relationship To assess an organization’s IT internal controls, first identify the assessment criteria: COBIT framework is generally applicable and accepted as a standard for good IT security and control practices COBIT “Business/Fiduciary Requirements” derived from COSO categories COBIT classifies control objectives into four groups (domains): Plan & Organize Acquire & Implement Deliver & Support Monitor and Evaluate COSO and COBIT Provide a Complementary Framework for IT Control Identification

48 Mapping The COSO/COBITTM Relationship

49 Considerations When Identifying Controls
Focus on “Key” controls: How does the application support the key financial processes? Is the application processing data or acting as a repository? Who relies on the controls? Consider the types of errors that can occur at the application and process level Ask “What Can Go Wrong” questions When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

50 Entity, General, or Application Control?
Varying Opinions on which controls fall into each category Establish definitions early and obtain consensus Communicate throughout the organization

51 Example: Lockheed Martin Corporation

52 SOX 404 Documentation Tools
• Pentana JeffersonWells E&Y's tool • Developed in-house SOXA Accelerator Focus - Paisley Axentis • ERA - Methodware • Lotus Notes • Horizon--JP Morgan • ICT-Grant Thornton • Open-Pages SOX Express SPF Teammate • Dynamic Policy Source:

53 Concluding Remarks Lessons learned
Understanding the role of IT controls means understanding IT better Updating skill sets to identify/classify controls Changing business auditors’ mindset What they can do; when IT auditors are needed How to relate types of testing How to determine the impact of deficiencies

54 Questions & Answers your questions by clicking on the link provided or directly to

55 Next Webcast “Balancing SOX with Risk Based Audit Planning”
March 9, 2004 “Balancing SOX with Risk Based Audit Planning” See you at our next webcast!


Download ppt "Are You Ready for IT Control Identification & Testing?"

Similar presentations


Ads by Google