COSO Framework
A company should include IT in all five COSO components:
–Control Environment
–Risk Assessment
–Control Activities
–Information and Communication
–Monitoring
NOTE: COBIT was developed to help achieve this goal.

Control Environment
IT should be included in company-wide ethics policies.
Capital expenditure policies should include specifics regarding IT purchases, including approval requirements.
IT should support the achievement of the organization's financial reporting control objectives.
Appropriate segregation of duties within the IT department itself.

Computer Systems - Segregation of Duties
Recommended IT department segregation of duties: Systems Analyst, Programmer, Computer Operator, Testing Group, AIS Librarian (data, programs), Manager.
What type of control is this? Preventive.
One way for a company to address this risk (for example, a small company that cannot staff every role separately) is to share it: use an external consultant for pieces of application support, or use a web-based (hosted) application.

Risk Assessment
IT factors should be included when assessing the risk that management's objectives for reliable financial reporting will not be met (SOX section 404).
Examples of IT risks:
–Key system/application not available when needed
–Significant information integrity failure (e.g., completeness, validity)
–Implementation of an unauthorized change to a key system/application
–Failure to properly maintain or update a key system/application

Risk Assessment - IT Factors
Factors that could increase the likelihood of a risk occurring:
–Complex system and related application(s)
–High volume of transactions being processed
–History of significant errors
–High customization of applications
–Old/dated system/application
–High extent and complexity of revisions made to the system

Control Activity: Computerized Controls - Friend or Foe?
Benefits: decrease human error, restrict access, decrease duplication of input, provide an audit trail.
Detriments (exposures that automation creates or concentrates): confidentiality, system integrity, completeness, input errors that are repeated systematically once embedded, and an audit trail that can be lost or altered if it is not itself protected.

Internal Controls - Computerized AIS Environment
Some concepts of controls do not change:
–Objective: mitigate risks
–Control Environment: its importance and impact

Internal Controls - Computerized AIS Environment
Concepts of controls that change:
–Characteristics: embedded/automated
–Frequency: continuous vs. periodic
–Errors: systemic vs. random

Categories of IT Internal Controls
1. General Controls - pervasive, relate to the entire system. Examples: physical access restrictions, backup process, policies, disaster recovery, segregation of duties.
2. Application Controls - specific, relate to individual portions of the system or to types of transactions. Examples: passwords, security matrix, edit reports, smart fields, batch totals.

Control Activities
Management should ensure that both IT general and application controls exist and support the objectives of the compliance effort. Some of the key areas related to IT include:
–Designing and implementing controls to mitigate significant identified IT risks
–Monitoring key IT controls for continued effectiveness
–Documenting and testing IT controls related to §404

Information and Communication
IT items to consider:
–Define, implement, and maintain system security levels; periodically review and modify them
–Develop, document, and communicate IT policies and procedures
–Have a process in place to assess compliance with IT policies, procedures, and standards
–Investigate IT compliance deviations and remediate as needed

Monitoring
Companies need to evaluate the actual ability of designed controls to reduce risk to an appropriate and planned level. For example:
–Perform an evaluation of the operating effectiveness of control activities periodically and document it
–Leverage technology to its fullest extent to document processes and control activities, identify gaps, and evaluate the effectiveness of controls
–Continuously evaluate and update controls to reflect major process or organizational changes

Access and Safeguarding
Data protection - passwords, smart fields, firewalls, backup files, security matrix, etc.
Physical protection - restrict access to computer rooms, monitor access to IT computers/programs, restrict access to the internet, etc.
Uninterruptible power sources - separate grid, backup generator, etc.
Disaster recovery - hot sites, cold sites, etc.

Security Matrix (Access Control)
A table listing all authorized users (or user groups) and their corresponding abilities within a system. It should specify the type of access as well:
–Read
–Change
–Delete
A powerful segregation-of-duties (SOD) tool.
Change management is key to keeping the matrix effective: rights must be updated as roles, systems, and staff change.
Type of control? Preventive.

Problem 7.3
Take 10 minutes and complete Problem 7.3 a.
NOTE: Processing rights are coded as 3 (read, modify, create, and delete).

7.3 a.: Access Control Matrix
Codes: 0 = no access, 1 = read and display, 2 = read, display, and update, 3 = read, modify, create, and delete (processing).

User Group            Payroll Program   Inventory Program   Payroll File   Inventory File   Transaction File
Sales                        0                  0                 0               1                 0
Inventory Control            (row values not recovered)
Payroll Clerk                0                  0                 2               0                 0
HR Manager                   0                  0                 3               0                 0
P/R Programmer               (row values not recovered)
Inventory Programmer         (row values not recovered)
CIO                          3                  3                 3               3                 3

Problem 7.3
Complete part b of Problem 7.3.

7.3 b.
1. Inventory control: should not have create and delete rights to the inventory file. This analyst should only have read, display, and update rights to the inventory program.
2. Human resources manager: should only have read access to the payroll file. Also add read access to the transaction file as a management review tool.
NOTE: The CIO is part of a small company without proper IT segregation of duties (full rights to every program and every file). How could this added risk be addressed?
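The access control matrix from Problem 7.3 as working code, an added example that is not part of the slides or of the textbook problem: it keeps the 0-3 permission codes, holds only the rows whose values are legible on the slide (Sales, Payroll Clerk, HR Manager, CIO; the other groups are omitted rather than guessed), enforces the matrix as a preventive default-deny check, applies the part-b corrections, and runs a segregation-of-duties check of the kind the CIO note asks about. The mapping of which data files each program processes and all function names are assumptions made for this example.

```python
"""Access control matrix with the 0-3 codes from Problem 7.3.

Added example, not from the slides or the textbook.  Rows are limited to the
user groups whose values are legible on the slide; the file-to-program map
and the function names are assumptions made for this example.
"""
from enum import IntEnum


class Level(IntEnum):
    NONE = 0    # no access
    READ = 1    # read and display
    UPDATE = 2  # read, display and update
    FULL = 3    # read, modify, create and delete ("processing")


RESOURCES = ("payroll_program", "inventory_program",
             "payroll_file", "inventory_file", "transaction_file")

# Minimum level each action requires.
ACTION_LEVEL = {"read": Level.READ, "update": Level.UPDATE,
                "create": Level.FULL, "delete": Level.FULL}


def row(*codes):
    """Build one matrix row from codes given in RESOURCES column order."""
    return dict(zip(RESOURCES, map(Level, codes)))


# Part (a) matrix as shown on the slide (only the legible rows).
MATRIX = {
    "sales":         row(0, 0, 0, 1, 0),
    "payroll_clerk": row(0, 0, 2, 0, 0),
    "hr_manager":    row(0, 0, 3, 0, 0),
    "cio":           row(3, 3, 3, 3, 3),
}

# Assumed for this example: which data files each program processes.
PROGRAM_FILES = {
    "payroll_program":   {"payroll_file", "transaction_file"},
    "inventory_program": {"inventory_file", "transaction_file"},
}


def is_permitted(matrix, group, resource, action):
    """Preventive control: allow only if the group holds a high enough level.
    Unknown groups or resources fall through to NONE (default deny)."""
    level = matrix.get(group, {}).get(resource, Level.NONE)
    return level >= ACTION_LEVEL[action]


def sod_violations(matrix):
    """Segregation-of-duties check: a group that can change a program and also
    change the data that program processes could alter code and then hide the
    effect in the data.  Returns a set of (group, program, file) triples."""
    hits = set()
    for group, perms in matrix.items():
        for program, files in PROGRAM_FILES.items():
            if perms[program] < Level.UPDATE:
                continue
            for f in files:
                if perms[f] >= Level.UPDATE:
                    hits.add((group, program, f))
    return hits


def apply_part_b(matrix):
    """Part (b) corrections for the HR manager: payroll file cut to read only,
    transaction file opened for read as a management review tool.  Returns a
    corrected copy; the original matrix is left unchanged for comparison."""
    fixed = {group: dict(perms) for group, perms in matrix.items()}
    fixed["hr_manager"]["payroll_file"] = Level.READ
    fixed["hr_manager"]["transaction_file"] = Level.READ
    return fixed


if __name__ == "__main__":
    print("HR manager may delete payroll records:",
          is_permitted(MATRIX, "hr_manager", "payroll_file", "delete"))
    fixed = apply_part_b(MATRIX)
    print("...after part b:",
          is_permitted(fixed, "hr_manager", "payroll_file", "delete"))
    for hit in sorted(sod_violations(fixed)):
        print("SOD violation:", hit)
```

The segregation check is deliberately stricter than the matrix itself: the matrix only answers "may this group do this action", while `sod_violations` looks across columns for the program-plus-data combination that a single person should not hold. In the slide's matrix only the CIO row trips it, which is exactly the small-company risk the note raises; the part-b corrections do not change that, because they only narrow the HR manager.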

Things to Keep in Mind Regarding IT
General computer controls should be:
–based on financial reporting requirements
–signed off by key business process owners
–not left to the sole responsibility of the IT function
IT application controls should also be defined by business-user requirements, and not by the IT function.

IT Controls and SOX
IT controls are embedded in the controls critical to reliable financial reporting. For example:
–Establishment of data classification (e.g., chart of accounts, account groupings, or aging)
–User management (e.g., authentication, authorization, or initiation)
–Monitoring of transaction thresholds and tolerance levels (e.g., smart fields, exception reports)
–Data processing integrity and validation
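The application controls listed on the Categories of IT Internal Controls slide (edit reports, smart fields, batch totals) and the threshold monitoring and processing-integrity items on this slide, as one added example that is not from the slides: a constructed payroll batch is run through field-level edit checks, its batch control totals are reconciled against totals the originating department recorded independently, and valid lines that exceed an assumed hours tolerance are placed on an exception report. The batch, the submitted totals, the employee-ID format and the tolerance are all constructed for illustration.

```python
"""Application controls over a payroll batch: field edit checks, batch control
totals and a threshold exception report.

Added example, not from the slides.  The batch, the independently submitted
totals, the employee-ID format and the hours tolerance are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    hours: float
    rate: float

    @property
    def gross(self):
        return self.hours * self.rate


# Constructed batch as keyed in by the payroll clerk.
BATCH = [
    PayrollLine("E1001", 40.0, 25.00),
    PayrollLine("E1002", 38.5, 22.50),
    PayrollLine("E1003", 95.0, 30.00),  # passes edit checks, exceeds tolerance
    PayrollLine("E10O4", 40.0, 27.00),  # letter O keyed instead of zero
]

# Constructed control totals recorded by the originating department before
# the batch was keyed: a record count, a hash total on a non-financial field
# and a financial total.
SUBMITTED_TOTALS = {"record_count": 4,
                    "hash_total_hours": 213.5,
                    "financial_total": 5796.25}

EMPLOYEE_ID = re.compile(r"^E\d{4}$")  # assumed ID format
MAX_HOURS = 80.0                         # assumed tolerance per pay period


def edit_check(line):
    """Preventive, field-level checks run as each line is entered (the
    "smart fields" of the slides).  Returns the reasons the line is rejected."""
    problems = []
    if not EMPLOYEE_ID.match(line.employee_id):
        problems.append("employee_id format")
    if not 0 < line.hours <= 168:
        problems.append("hours out of range")
    if line.rate <= 0:
        problems.append("rate not positive")
    return problems


def compute_totals(batch):
    """Batch control totals computed from what was actually processed."""
    return {"record_count": len(batch),
            "hash_total_hours": sum(l.hours for l in batch),
            "financial_total": sum(l.gross for l in batch)}


def reconcile(submitted, batch):
    """Detective control: names the totals that disagree, so a dropped,
    duplicated or altered line is caught before the batch posts."""
    computed = compute_totals(batch)
    return sorted(k for k in submitted if submitted[k] != computed.get(k))


def exception_report(batch, max_hours=MAX_HOURS):
    """Threshold monitoring: lines that are valid but outside tolerance and
    therefore need management review rather than silent processing."""
    return [l.employee_id for l in batch
            if not edit_check(l) and l.hours > max_hours]


def process_batch(batch, submitted):
    """Run all three controls; the batch may post only if every result is empty."""
    failures = {l.employee_id: edit_check(l) for l in batch if edit_check(l)}
    return {"edit_failures": failures,
            "total_mismatches": reconcile(submitted, batch),
            "exceptions": exception_report(batch)}


if __name__ == "__main__":
    for name, result in process_batch(BATCH, SUBMITTED_TOTALS).items():
        print(f"{name}: {result}")
    # Lose the last line in transmission: every control total now disagrees.
    print("after losing a record:", reconcile(SUBMITTED_TOTALS, BATCH[:-1]))
```

The three controls catch different failures: the edit check stops the mis-keyed employee ID at entry, the totals reconciliation detects a record that was lost or altered between the department and the system (the hash total on hours catches changes that a record count alone would miss), and the exception report surfaces the 95-hour line that is syntactically valid but outside tolerance, which is what the transaction-threshold monitoring on the slide refers to.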

SOX and IT
Management must identify where technology is critical in supporting the financial statement process, including the key systems and subsystems that need to be included in the scope of the SOX compliance project. A system is in scope if it is involved in the initiation, recording, processing, and/or reporting of financial information. Only IT systems associated with a significant account or related business process need to be considered for compliance purposes. The higher the risk, the greater the need for relevant IT control assurance.

Factors to Consider for SOX Inclusion
Factors that should be considered when determining whether systems need to be reviewed and tested as part of a Sarbanes-Oxley compliance project include:
–Volume of transactions
–Dollar value of transactions
–Complexity of transactions
–Sensitivity of financial data and reports