Association of Government Accountants
IT Controls and Audit Readiness in the Federal Government
February 9, 2011, Harrisburg, PA
Learning Objectives
At the conclusion of this session, you will be able to understand:
- The primary federal guidance applicable to Information Technology Controls, in order to understand management responsibilities and the needs of financial statement auditors;
- How to identify and prioritize systems that impact the financial statement audit;
- How to apply authoritative guidance and understand the types of information technology controls, control objectives, and control techniques;
- How to document and validate whether information technology controls are designed properly and operating effectively;
- How to evaluate the impact of testing exceptions; and
- The role and responsibilities of third party Service Providers.
Agenda
Section 1: Relevance of Systems and IT Controls to the Financial Statement Audit
Section 2: Types of IT Controls
Section 3: IT Controls Validation
Section 4: Other Considerations
Section 1: Relevance of Systems and IT Controls to the Financial Statement Audit
Illustration of an End-to-End Electronic Audit Trail
A Source Journal is the initial system where business transactions are entered (also known as a system of record). The audit trail for a business transaction from Source Journal to Financial Statement may only exist in an electronic format. It may not be possible (or efficient) to “audit around” systems.
Example Scenario: Transaction Initiated and Recorded in Source Journal
[Graphic: end-to-end flow of the example transaction across the Requester, Accounting, Operations, Logistics, Acquisition, and Finance functions; the same graphic is referred to on the following slides]
To better illustrate this concept, we have prepared a graphic which we will refer to at various points throughout this course. This example will illustrate the end-to-end flow of information generated by the requisition of material to support operations. Our example begins when a requester enters a requisition electronically to obtain a new truck, which is needed to transport supplies and ammunition to the troops under their command. The approved requisition is then processed electronically by a supply and logistics system, which provides the electronic authorization to remove an item from inventory (in the supply system and the general ledger).
Example Scenario: Purchasing Transaction Automatically Initiated
[Graphic: end-to-end flow, as on the previous slide]
If inventory levels in the supply and logistics system fall below certain predetermined levels, the system may automatically initiate a purchase requisition / order in a purchasing system, if it is configured to do so and funds are available. The purchasing system may in turn provide information to the general ledger to record an obligation.
Example Scenario: Disbursement Transaction Initiated
[Graphic: end-to-end flow, as on the previous slides]
Once ordered materials (or services) have been received and approved, a vendor invoice has been received, and a three-way match with the purchase order has been performed, a vendor payment is processed through the disbursing system to liquidate the obligation. Funds validation should also be performed (ideally by the system) during the disbursing phase, since it is required by the Grassley Act. As a result, the general ledger will be updated to reflect a reduction in the accounts payable balance and a corresponding reduction in cash. Key supporting documents (KSDs) for each step in this process, including control activities, will likely exist both inside and outside the information systems.
Example Scenario: General Ledger and Consolidation Systems Updated
[Graphic: end-to-end flow, as on the previous slides]
At the end of accounting periods, information from the general ledgers is passed to a system that consolidates financial information from all DoD reporting entities, and that information is used to prepare the Department’s financial statements (i.e., DDRS). The key point / take-away from our example scenario is that more than just the general ledger produces accounting data, so more than just the general ledger is relevant to ICOFR, financial improvement, and audit readiness. As we will see later, the number of systems introduces additional complexities and risks.
It is also important to note that while information in each of these systems is used for financial reporting, it is also used to support ongoing business operations. If information in the supply and logistics systems is incorrect, the combatant commander may not have visibility into resource availability or the status of requested items. If the information is not completely and accurately transferred to the purchasing systems, needed materials and equipment may not be ordered in a timely manner and/or there may be impaired visibility into the availability of funds (if purchase contracts are not entered in a timely manner). If invalid or inaccurate information is entered into disbursing systems (manually or via an interface), duplicate or erroneous payments could be made to vendors and deplete resources available to the Department (not to mention possible Anti-Deficiency Act violations).
Now that we have an understanding of the importance of automated systems to the Department’s operational and accounting processes, we would like to discuss the significance of internal controls within and around these systems to the Department’s audit readiness efforts and associated internal controls over financial reporting.
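The disbursement step of the scenario relies on two system-performed controls: the three-way match (purchase order, receiving report, invoice) and funds validation before the payment is released. The following is an added illustration of both, written for this page; it is not code from the slides or from any DoD system. The record layouts, the zero price tolerance, the duplicate-invoice check and the sample documents in sample_scenario() are all assumptions constructed for the example. Amounts are whole cents so that no floating-point rounding enters the comparison.

```python
# Added illustration of a three-way match plus funds validation in a
# disbursing step. Not code from the slides; layouts and rules are assumed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price_cents: int
    fund_code: str          # fund the obligation was recorded against


@dataclass(frozen=True)
class Receipt:
    po_number: str
    quantity_received: int
    accepted: bool          # receiving official accepted the goods or services


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity: int
    unit_price_cents: int


@dataclass
class DisbursingLedger:
    """Minimal stand-in for the disbursing system's state (assumed layout)."""
    available_funds_cents: dict              # fund_code -> unobligated balance
    paid_invoices: set = field(default_factory=set)


PRICE_TOLERANCE_CENTS = 0   # assumption: no invoice/PO unit price variance is accepted


def three_way_match(po, receipt, invoice):
    """Compare PO, receiving report and invoice; return a list of exceptions."""
    problems = []
    if receipt.po_number != po.po_number or invoice.po_number != po.po_number:
        problems.append("documents reference different purchase orders")
    if invoice.vendor != po.vendor:
        problems.append("invoice vendor differs from PO vendor")
    if not receipt.accepted:
        problems.append("goods or services not accepted by the receiving official")
    if invoice.quantity > receipt.quantity_received:
        problems.append("invoice quantity exceeds quantity received")
    if abs(invoice.unit_price_cents - po.unit_price_cents) > PRICE_TOLERANCE_CENTS:
        problems.append("invoice unit price differs from PO unit price")
    return problems


def validate_funds(po, invoice, ledger):
    """Funds validation: the payment must fit within the fund's available balance."""
    amount = invoice.quantity * invoice.unit_price_cents
    balance = ledger.available_funds_cents.get(po.fund_code, 0)
    if amount > balance:
        return [f"payment of {amount} cents exceeds available funds of {balance} cents in {po.fund_code}"]
    return []


def process_payment(po, receipt, invoice, ledger):
    """Release the payment only when every control passes; returns (paid, exceptions)."""
    if invoice.invoice_number in ledger.paid_invoices:
        return False, ["duplicate invoice: already paid"]
    exceptions = three_way_match(po, receipt, invoice) + validate_funds(po, invoice, ledger)
    if exceptions:
        return False, exceptions
    amount = invoice.quantity * invoice.unit_price_cents
    ledger.available_funds_cents[po.fund_code] -= amount     # cash and payable both reduced
    ledger.paid_invoices.add(invoice.invoice_number)
    return True, []


def sample_scenario():
    """Constructed documents for the truck requisition example (not real data)."""
    po = PurchaseOrder("PO-0001", "Example Trucks Inc", 1, 8_500_000, "FUND-A")
    receipt = Receipt("PO-0001", 1, True)
    invoice = Invoice("INV-0007", "PO-0001", "Example Trucks Inc", 1, 8_500_000)
    ledger = DisbursingLedger({"FUND-A": 10_000_000})
    return po, receipt, invoice, ledger


if __name__ == "__main__":
    po, receipt, invoice, ledger = sample_scenario()
    print(process_payment(po, receipt, invoice, ledger))
```

Every exception is returned rather than only the first, because an auditor evaluating a failed match wants the full list of reasons; the ledger is only updated when the list is empty, which is what makes the control preventive rather than detective.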
Impact of Systems on Internal Controls
[Diagram, reconstructed as text]
Financial Statement Line Item / Significant Account / Disclosure
  -> Significant Process / Major Classes of Transactions
    -> Key Controls:
       - Automated Controls: programmed or configured application controls, calculations, or procedures
       - Manual Controls using system-generated reports or data
       - Manual Controls not dependent on information technology
The automated controls and the manual controls that use system-generated reports or data depend on System Generated Information, which in turn depends on the Information Technology Control Environment: controls over Access to Programs and Data, Computer Operations, Program Development, and Program Change, applied to the audit-significant applications and their application data.
What are the Reporting Entity’s audit readiness responsibilities relevant to its financial information systems?
Statement to Process Analysis Example – Budgetary Resources
[Diagram: Budgetary Resources traced to the Procure to Pay process and its Purchasing and Disbursing activities]
Key Points to Remember
- Most Federal business activities are recorded in automated systems, and it may not be possible (or efficient) to “audit around” the systems.
- If the Reporting Entity is placing reliance on controls performed by systems, or manual controls rely on reports / data produced by systems, the IT general controls for these systems must be documented and tested.
- The Reporting Entities are responsible for identifying, documenting, and testing the relevant IT application and general controls necessary to address internal control over financial reporting and audit readiness considerations.
- Financial, non-financial, and mixed systems may feed financial statement account balances and/or have a role in internal controls over financial reporting.
- A structured process should be followed to determine which systems are in scope for audit readiness.
Section 2: Types of IT Controls
What are the differences among operational, compliance, budget, and financial controls?
Differences among operational, compliance, budget, and financial controls
Operational Controls: The objective of operational controls is to provide reasonable assurance that the Reporting Entity achieves the performance desired by management for planning, productivity, quality, economy, efficiency, or effectiveness of the entity’s operations.
Compliance Controls: The objective of compliance controls is to provide reasonable assurance that the Reporting Entity complies with significant provisions of applicable laws and regulations.
Budget Controls (Funds Control): The objective of budget controls is to ensure transactions are executed in accordance with budget authority.
If an event results in a financial transaction, it impacts ICOFR and audit readiness.
Differences among operational, compliance, budget, and financial controls
Financial Reporting Controls: The objective of financial reporting controls is to prevent or detect misstatements in significant financial statement assertions. These include (1) safeguarding controls to protect assets against loss from unauthorized acquisition, use, or disposition, and (2) segregation-of-duties controls to prevent one person from controlling multiple aspects of a transaction, which would allow that person to both cause and conceal misstatements, whether errors or fraud.
What are Business Process Application Controls?
Those controls incorporated directly into computer applications (or performed manually based on system-generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.
Importance of Business Process Application Controls to Audit Readiness
Effective business process application controls help ensure that the Reporting Entity’s financial transactions are complete, accurate, and valid, which are key internal control over financial reporting objectives and critical to asserting audit readiness. The overall objectives of business process application controls are to provide reasonable assurance about the completeness, accuracy, validity, and confidentiality of transactions and data during application processing. The Reporting Entity should design each specific business process control technique to achieve one or more control objectives. It is important to remember that the effectiveness of business process controls depends on whether all of these overall objectives are achieved.
As noted earlier in our truck requisition scenario, an example control is user access restrictions in applications that only allow authorized personnel to enter transactions. This control would address the validity objective. If the relevant software applications also include automated edit checks to ensure all required screen fields are filled in and to check the data entered against allowed values, the completeness and accuracy objectives would be addressed. Additional examples will be provided on the following slides. Typically, more than one control is required to satisfy financial reporting control objectives for the entire business process.
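The paragraph above maps three input controls to three objectives: an authorization check (validity), required-field checks (completeness) and allowed-value checks (accuracy). The block below is an added example of those edit checks for the requisition screen in the truck scenario; it is not code from the slides or from any real requisition system. The field names, the authorized-requester table, the allowed item codes and units of issue, and the sample records are assumptions constructed for the illustration.

```python
# Added illustration of input edit checks on a requisition entry screen.
# Not code from the slides; field names and reference tables are assumed.

# Fields every requisition must carry before it can be posted (constructed list)
REQUIRED_FIELDS = ("requester_id", "item_code", "quantity", "unit_of_issue", "justification")

# Reference data the accuracy checks validate against (constructed values)
ALLOWED_ITEM_CODES = {"TRK-2500", "TRK-5000", "AMMO-556"}
ALLOWED_UNITS_OF_ISSUE = {"EA", "BX", "CS"}

# Users permitted to create requisitions (constructed; stands in for the
# application's role assignments)
AUTHORIZED_REQUESTERS = {"u1001", "u1002"}


def check_validity(user_id, session_authenticated):
    """Validity objective: only an authenticated, authorized user may enter the transaction."""
    findings = []
    if not session_authenticated:
        findings.append(("validity", "user is not authenticated"))
    if user_id not in AUTHORIZED_REQUESTERS:
        findings.append(("validity", f"user {user_id} is not authorized to create requisitions"))
    return findings


def check_completeness(record):
    """Completeness objective: every required screen field must be filled in."""
    return [("completeness", f"required field '{name}' is blank")
            for name in REQUIRED_FIELDS
            if not str(record.get(name, "")).strip()]


def check_accuracy(record):
    """Accuracy objective: entered values must match the allowed values."""
    findings = []
    item = record.get("item_code")
    if item and item not in ALLOWED_ITEM_CODES:
        findings.append(("accuracy", f"item_code {item!r} is not in the catalog"))
    unit = record.get("unit_of_issue")
    if unit and unit not in ALLOWED_UNITS_OF_ISSUE:
        findings.append(("accuracy", f"unit_of_issue {unit!r} is not an allowed value"))
    quantity = record.get("quantity")
    if quantity not in (None, "") and not (isinstance(quantity, int) and quantity > 0):
        findings.append(("accuracy", "quantity must be a positive whole number"))
    return findings


def validate_requisition(user_id, session_authenticated, record):
    """Run every edit check; an empty list means the requisition may be posted."""
    return (check_validity(user_id, session_authenticated)
            + check_completeness(record)
            + check_accuracy(record))


def sample_requisition():
    """Constructed record for the truck example (not real data)."""
    return {
        "requester_id": "u1001",
        "item_code": "TRK-2500",
        "quantity": 1,
        "unit_of_issue": "EA",
        "justification": "replacement for vehicle beyond economical repair",
    }


if __name__ == "__main__":
    print(validate_requisition("u1001", True, sample_requisition()))
```

Each finding is tagged with the objective it relates to, so that when the checks are documented as controls the mapping from control technique to control objective (validity, completeness, accuracy) is visible in the output, which is the relationship the text says the documentation must make clear.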
What are Business Process Application Controls?
Business Process Application Controls consist of the following four control categories:
- Business Process Controls
- Interface Controls
- Database Management System Controls
- Application Level General Controls
Business Process Application Controls - Example
- User id and password required
- Check completion of all required fields
[Graphic: end-to-end flow, with both controls placed at the Requester step]
Interface Control - Example
- Total records sent = total records received
[Graphic: end-to-end flow, with the control placed on the interface between systems]
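The interface control on this slide is a batch control total: the sending system records how many records it sent and the receiving system confirms the same number arrived. The block below is an added example that goes a little beyond the slide's record count by also carrying a hash total of the amounts and a digest of the record keys, so that a batch with the right count but altered or swapped records is still caught; it is not code from the slides or from any DoD interface. The record layout, the control-record fields and the sample batch are assumptions constructed for the example.

```python
# Added illustration of interface control totals (count, hash total, key digest).
# Not code from the slides; the layout and control-record fields are assumed.
import hashlib

# Constructed batch as the sending system would emit it (amounts in cents)
SAMPLE_BATCH = [
    {"txn_id": "GL-0001", "amount_cents": 10_000},
    {"txn_id": "GL-0002", "amount_cents": 25_000},
    {"txn_id": "GL-0003", "amount_cents": 7_500},
]


def build_control_record(records):
    """Sender side: summarise a batch so the receiver can verify what arrived."""
    keys = sorted(record["txn_id"] for record in records)
    key_digest = hashlib.sha256("|".join(keys).encode("utf-8")).hexdigest()
    return {
        "record_count": len(records),
        "hash_total_cents": sum(record["amount_cents"] for record in records),
        "key_digest": key_digest,
    }


def reconcile(received, control):
    """Receiver side: recompute the totals and describe every difference found."""
    recomputed = build_control_record(received)
    findings = []
    if recomputed["record_count"] != control["record_count"]:
        findings.append(f"record count mismatch: sent {control['record_count']}, "
                        f"received {recomputed['record_count']}")
    if recomputed["hash_total_cents"] != control["hash_total_cents"]:
        findings.append(f"hash total mismatch: sent {control['hash_total_cents']} cents, "
                        f"received {recomputed['hash_total_cents']} cents")
    ids = [record["txn_id"] for record in received]
    duplicates = sorted({txn for txn in ids if ids.count(txn) > 1})
    if duplicates:
        findings.append(f"duplicate records received: {duplicates}")
    if recomputed["key_digest"] != control["key_digest"]:
        findings.append("record key digest mismatch: the set of records differs from what was sent")
    return findings


if __name__ == "__main__":
    control = build_control_record(SAMPLE_BATCH)
    print(reconcile(SAMPLE_BATCH, control))          # expect no findings
    print(reconcile(SAMPLE_BATCH[:2], control))      # a dropped record is reported
```

A count alone satisfies the slide's control, but the two extra totals show why practitioners usually layer them: a dropped record changes the count, an altered amount changes only the hash total, and a record replaced by a duplicate changes neither the count nor, necessarily, the key digest ordering, so each total catches a failure mode the others miss.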
Database Management System Control - Example
- Direct access to the production database by developers is not allowed
[Graphic: end-to-end flow, with the control placed at the Application Data layer]
Application Level Controls – Legacy System Environment
[Graphic: end-to-end flow marked with control points: I = Input Control Point, P = Processing Control Point, O = Output Control Point]
Application Level General Control - Example
- All application configuration changes are approved by the change control board (management)
[Graphic: end-to-end flow, as on the previous slides]
What are entity level Information Technology General Controls (ITGCs)?
Entity level ITGCs are grouped into the following five general control categories, each of which will be explored in greater detail in the rest of this section:
- Security Management
- Access Controls
- Segregation of Duties
- Configuration Management
- Contingency Planning
Deficiencies related to access control and configuration management have the greatest potential to result in material weaknesses and to render the other IT general and application controls unreliable. For example, if a developer has the access privileges needed to directly change system configuration settings, management cannot rely on system-performed controls or on data in reports produced by the system.
As discussed in the FIAR 102 training course, there are three basic classifications of control deficiencies, each with an increasingly adverse impact on the reliability of internal controls:
- Deficiency
- Significant Deficiency
- Material Weakness
We will discuss each of these classifications in more detail on the following slides.
What are entity level Information Technology General Controls (ITGCs)?
Security Management: Provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls.
Access Controls: Limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting them against unauthorized modification, loss, and disclosure.
Segregation of Duties: Includes policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
Security Management can be summarized as the procedures and controls that limit system and data access to only authorized personnel. Examples include, but are not limited to:
- Establishing an information assurance function and assigning information security roles and responsibilities.
- Publishing, implementing, and monitoring adherence to security policies, procedures, and standard system configuration requirements. In the case of DoD, DISA publishes Security Technical Implementation Guides (STIGs) for multiple computer operating systems. DISA also runs automated scripts against computing devices to monitor compliance with the STIGs.
Access Controls can be summarized as the policies, procedures, and activities in place for granting / restricting access to computing resources and facilities. An example that may be familiar to those of you who have access to computer networks is the requirement to complete an access request form (the 2875) and obtain approval from appropriate levels of management.
Very closely related to Access Controls is Segregation of Duties. This control can be summarized as the policies, procedures, and activities in place to prevent the assignment of incompatible access privileges.
For example, providing software developers with unmonitored update access to development, test, and production environments, would allow them to circumvent software change control procedures. Most organizations also try to avoid giving developers or system administrators user accounts for production business applications. In the DoD, responsibility for maintaining system software belongs to the hosting organization (ex., DISA), responsibility for maintaining application software belongs to the system owner (ex., DFAS), and business / financial transactions would be entered by users at the Components.
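The two paragraphs above name the incompatible combinations that a segregation-of-duties review looks for: a developer who can move code into production (bypassing change control), a developer with direct access to the production database (the DBMS control example earlier), and a developer or system administrator who also holds a production business application account. The block below is an added example of a detective check that applies those rules to an access-rights listing; it is not code from the slides or from any DoD access review tool. The listing format, the privilege names and the sample rows are assumptions constructed for the illustration.

```python
# Added illustration of a segregation-of-duties check over an access listing.
# Not code from the slides; the listing format and rule names are assumed.
from collections import defaultdict

# Each rule: (finding description, set of privileges that must not coexist for one user).
# Privileges are written as "environment:privilege" (constructed naming convention).
INCOMPATIBLE_SETS = [
    ("developer can move own changes into production (bypasses change control)",
     {"dev:code_update", "prod:code_update"}),
    ("developer has direct access to the production database",
     {"dev:code_update", "prod:db_direct"}),
    ("developer holds a production business application account",
     {"dev:code_update", "prod:app_user"}),
    ("system administrator holds a production business application account",
     {"prod:sys_admin", "prod:app_user"}),
]

# Constructed access listing: (user, environment, privilege) rows as an
# access review might export them from the identity system.
SAMPLE_ACCESS_LISTING = [
    ("dev_alice", "dev", "code_update"),
    ("dev_alice", "prod", "code_update"),     # incompatible with the row above
    ("admin_bob", "prod", "sys_admin"),
    ("admin_bob", "prod", "app_user"),        # administrator also a business user
    ("clerk_carol", "prod", "app_user"),      # ordinary business user, no conflict
    ("dev_dan", "dev", "code_update"),
    ("dev_dan", "test", "code_update"),       # dev + test only, no production rights
]


def privileges_by_user(access_listing):
    """Collapse the listing into one set of 'environment:privilege' strings per user."""
    grants = defaultdict(set)
    for user, environment, privilege in access_listing:
        grants[user].add(f"{environment}:{privilege}")
    return grants


def find_sod_conflicts(access_listing):
    """Return sorted (user, description) pairs for every rule a user's privileges violate."""
    conflicts = []
    for user, privileges in privileges_by_user(access_listing).items():
        for description, incompatible in INCOMPATIBLE_SETS:
            if incompatible <= privileges:          # user holds every privilege in the set
                conflicts.append((user, description))
    return sorted(conflicts)


if __name__ == "__main__":
    for user, description in find_sod_conflicts(SAMPLE_ACCESS_LISTING):
        print(f"{user}: {description}")
```

Running the check over a periodic export of the access listing turns the segregation-of-duties policy into a detective control with evidence (the dated output) that can be inspected or re-performed during testing, which is the level of assurance Section 3 asks for.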
What are entity level Information Technology General Controls (ITGCs)?
Configuration Management: Prevents unauthorized changes to information system resources (for example, software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.
Contingency Planning: Includes plans and procedures in place that ensure, when unexpected events occur, critical operations continue without disruption or are promptly resumed, and critical and sensitive data are protected. Such plans should consider the activities performed at general support facilities, as well as those performed by users of specific applications.
Entity Level General Control - Examples
- All operating system configuration changes are approved by the change control board (management)
- Physical access to the data center where the applications are hosted is appropriately restricted
[Graphic: end-to-end flow, as on the previous slides]
Key Points to Remember
- There are differences among operational, compliance, budget, and financial controls.
- Business process application controls are incorporated directly into computer applications (or performed manually based on system-generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.
- IT General Controls are the policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. ITGCs are applied entity-wide and at the system and application levels.
Section 3: IT Controls Validation
Sources of Internal Control Over Financial Reporting and Audit Readiness Guidance
[Diagram, reconstructed as text]
Overall Framework & Application Controls
- Audit Guidance: GAO Financial Audit Manual (FAM); GAO Government Auditing Standards (Yellow Book)
- Controls Guidance: OMB A-123 Implementation Guide; COSO Internal Control Framework (COSO); GAO Standards for Internal Control (Green Book)
IT Controls (currently)
- Audit Guidance and Controls Guidance: GAO Federal Information System Controls Audit Manual (FISCAM); GAO Assessing Reliability of Computer Processed Data
Sources of Internal Control Over Financial Reporting and Audit Readiness Guidance When evaluating IT application and general controls, the GAO FISCAM manual is the primary authoritative source for relevant control objectives and control techniques that should be addressed.
Why is it important for the Reporting Entity to document an understanding of the design of its Information Systems controls? There are two primary reasons for documenting an understanding of IT general and application controls: The first is to simply determine if internal controls have been identified (or exist) for each relevant control objective. The second is to evaluate whether the controls, if implemented and operating effectively, would satisfy the relevant control objectives. This second point is often referred to as assessing the “design effectiveness” of the internal control. It is essential that the controls documentation be prepared in enough detail for the reader to easily understand whether the control objective has been addressed.
Why is it important for the Reporting Entity to document an understanding of the design of its Information Systems controls?
[Diagram: Control in Place -> Satisfactory Control Technique -> Control Objective]
Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? Once the Reporting Entity has determined that the internal controls are appropriately designed, the next step is to determine if the control has been operating effectively throughout the audit / assertion period. This is commonly referred to as “testing of operational effectiveness.” Tests of operational effectiveness must be successfully completed before reliance can be placed on the internal control.
Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities?
When performing tests of whether IT controls are operating effectively, the Reporting Entity has a number of techniques available, listed here from the lowest to the highest level of assurance:
- Inquiry of Appropriate Personnel (lowest level of assurance)
- Observation of the Control in Operation
- Inspection of Documentation
- Re-performance of the Control (highest level of assurance)
It is important to note that inquiry and observation by themselves typically do not constitute a valid test of whether IT controls are operating effectively.
Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? The Reporting Entity may perform both sampling (statistical/non-statistical) and nonsampling control tests to evaluate whether IT controls are operating effectively. For an automated control, the number of items tested can be as low as one, assuming that information technology general controls have been tested and found to be effective. A common example of an automated control is an edit check that is activated during data entry.
Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities?
Example Sample Sizes
Test sample size depends on several factors including:
- Type of control (manual or automated)
- Frequency of the control (e.g., how often it is performed)
- Complexity of the control
- Management’s judgment

Frequency (Population)    Sample Size
Annually (1)              1
Quarterly (4)             2
Monthly (12)              3
Weekly (52)               10
Daily (250)               30
Recurring (>250)          45

In those instances where Management has determined that smaller sample sizes are appropriate (based on their judgment), the rationale for this decision should be thoroughly documented.
Key Points to Remember
- The GAO FISCAM manual is the primary authoritative source for relevant control objectives and control techniques that should be included in the scope of the IT controls evaluation.
- It is essential that the controls documentation be prepared in enough detail for the reader to easily understand if the control objective has been addressed.
- Performing an assessment of design effectiveness is important because it allows management to identify areas for remediation quickly instead of wasting time testing a poorly designed control.
- Testing the actual operational effectiveness of the internal control over time is absolutely critical, as this provides the basis of reliance for the audit / assertion period.
- When testing operational effectiveness, appropriate testing techniques and sample sizes should be used.
- Completion of system certification and accreditation does not completely address ICOFR requirements.
FIAR 301
Section 4: Other Considerations
What is the relevance of evaluating exceptions for the Reporting Entity?
In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand each matter and its potential consequences. Internal control deficiencies are defined by the Public Company Accounting Oversight Board (PCAOB) and the AICPA. GAO and OMB typically adopt these same definitions by reference into their own guidance.
Questions to consider:
- How many exceptions were there, and how severe were they?
- Has the control operated effectively throughout the period?
- Can we still rely on this control?
- Are there appropriate compensating controls?
- Is the control objective satisfied?
- Are there unmitigated financial reporting risks?
What is the relevance of evaluating exceptions for the Reporting Entity?
Deficiency: A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
Significant Deficiency: A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
Material Weakness: A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
What is the role of Third Party Service Providers?
Reporting Entities and Service Providers perform roles in different segments of end-to-end processes in the Department. Neither party actively participates in every segment of the entire process. Below is an overview example, from a Service Provider functional view, of a representative Civilian Pay Process that summarizes the roles of the Reporting Entity and the Service Provider.
[Graphic: representative Civilian Pay Process showing which segments are performed by the Reporting Entity and which by the Service Provider]
When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.
What are the responsibilities of Reporting Entities and third party Service Providers relevant to Federal financial audits?
With respect to financial audits, a Service Provider’s services are part of an entity’s information systems and therefore could be significant to the Reporting Entity’s information system. If the user organization’s (Reporting Entity’s) management and/or user auditor determine that the service organization’s controls are significant to the entity’s internal control, the Reporting Entity should gain an understanding of controls at the Service Provider by obtaining a service auditor’s report.
According to OMB Bulletin 07-04, as revised, Audit Requirements for Federal Financial Statements, service organizations must either provide their user organizations with an audit report on whether (1) internal controls were designed properly to achieve specified objectives and placed into operation as of a specified date and (2) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified, or allow user auditors to perform appropriate tests of controls at the service organization.
What are the types of service auditor reports?
Type 1 Report: a report on the design and implementation of controls (placed in operation) at a service organization, but does not include testing whether the controls are operating effectively.
Type 2 Report: a report on the design and implementation of controls (placed in operation) and on their operating effectiveness. In a Type 2 engagement, the service auditor performs the procedures required for a Type 1 engagement and also performs tests of specific controls to evaluate whether they operate effectively in achieving the specified control objectives.
Introduction of a New AICPA Standard and Revised GAO Guidance: Statement on Standards for Attestation Engagements (SSAE) No. 16 is replacing Statement on Auditing Standards (SAS) No. 70 effective June 15, 2011.
The Type 2 report addresses the needs of the financial statement auditor.
Key Points to Remember
- In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand each matter and its potential consequences.
- Deficiencies, Significant Deficiencies, and Material Weaknesses have differing levels of impact on the Reporting Entity’s audit readiness and should be reported, prioritized, and remediated accordingly.
- When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.
- A Type 1 Service Auditor’s Report does not provide assurance regarding the operational effectiveness of the Service Provider’s internal controls over a period of time. This type of assurance is provided in a Type 2 report.
Comments and Questions?
© 2011 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
Want to contact us?
Bobbi Markley, CDFM, CISA, CISM, PricewaterhouseCoopers LLP, 1800 Tysons Boulevard, McLean VA 22102, 703.918.3138
Bradley Keith, CPA, CISA, PMP, 703.918.3564