Risks and Controls A day in the life of our Advisory Practice November 2015

Copyright © 2015 Deloitte Development LLC. All rights reserved. 1 Agenda  Recent Newsworthy Events  Deloitte’s Risk Advisory Practice  Risks and Controls  Understanding Internal Control  Team Activity  Q&A

Copyright © 2015 Deloitte Development LLC. All rights reserved. 2 Recent Newsworthy Events

Deloitte Risk Advisory Practice

Copyright © 2015 Deloitte Development LLC. All rights reserved. 4 Deloitte's Global Footprint North America 2 countries LACRO (Latin America and Caribbean) 28 countries Europe 47 countries Africa 21 countries Middle East 16 countries Asia Pacific 26 countries Deloitte has a global network of member firms in more than 150 countries Deloitte has more than 210,000 professionals around the world serving clients Global Revenues US $34.2 Billion

Copyright © 2015 Deloitte Development LLC. All rights reserved. Deloitte in Greater Washington: Who We Serve

Copyright © 2015 Deloitte Development LLC. All rights reserved. 6 Types of Risk Services Offered S TRATEGIC Incorrect business decisions or those that impact the business model R EGULATORY C OMPLIANCE Non-compliance with existing/new regulations F INANCIAL Financial conduct of business operations O PERATIONAL Operations or execution of business activities I NFORMATION T ECHNOLOGY Data, information or technology resources supporting business operations R ISK T YPES A DVISORY C ATEGORIES DevelopmentImplementationManagementAssessmentValidationResponse

Risks and Controls

Copyright © 2015 Deloitte Development LLC. All rights reserved. 8 What are Risks and Controls? Ask most people why cars have brakes and they’ll say, “It's so you can slow down”… Risk is the potential for loss or harm — or the diminished opportunity for gain — that can adversely affect the achievement of an organization’s objectives. Risk: Meeting with an Accident Control: Presence of Brakes …But the real reason is so you can go faster, and still be in control.

Copyright © 2015 Deloitte Development LLC. All rights reserved. 9 Risks and their Impact on Organizations Fraud Disasters Penalties and fines Target new markets New product development New pricing models Manage risks to create shareholder value (future growth) Manage risks to protect shareholder value (existing assets) VALUE Risk Intelligence enables organizations to create and preserve value. Businesses thrive by taking risks but falter when risk is managed ineffectively. A Risk Intelligent Enterprise recognizes this dual nature of risk, and devotes sufficient resources both to risk taking for reward and to the protection of existing assets.

Understanding Internal Control

Copyright © 2015 Deloitte Development LLC. All rights reserved. Compliance with applicable laws and regulations Effectiveness and efficiency of operations Reliability of financial reporting Objectives Management Process Reasonable Assurance Internal Controls

Copyright © 2015 Deloitte Development LLC. All rights reserved. The overall attitude, awareness, and actions of the directors and management concerning the importance of internal control in the entity The process used to identify, analyze, and manage the risks faced by the entity The information systems and communication used to capture and exchange information needed to conduct, manage, and control operations Policies and procedures designed to help ensure that management directives are carried out The process of assessing the quality of internal control performance over time Components of Internal Controls

Copyright © 2015 Deloitte Development LLC. All rights reserved. Relationship between Business Process Controls and General IT Controls Business Processes Financial Information Internal Financial Reports Financial Statements Automated Controls General IT Controls (ITGCs) Other Controls Data

Copyright © 2015 Deloitte Development LLC. All rights reserved. Walkthroughs Process flow diagrams Detailed description of the control Building an Understanding of Controls

Copyright © 2015 Deloitte Development LLC. All rights reserved. Walkthroughs We perform inquiry with the client, sometimes called a “walkthrough”, to understand the business process controls and IT controls in place. The client individual will explain the following: Steps involved in performing the control Reports and other information used, including how such information is obtained and used Procedures performed when an exception or misstatement is identified Procedures performed when the individual is absent Procedures performed with respect to unusual transactions Changes to the controls during the period, including changes to personnel who perform the controls

Copyright © 2015 Deloitte Development LLC. All rights reserved. Process Flow Diagrams – Example (Revenue) Revenue Include Order processing Shipping & invoicing Sales returns Exclude None Symbol legend

Copyright © 2015 Deloitte Development LLC. All rights reserved. 17 Facilitates our assessment of the design of the control, and also our assessment of risk associated with the control Important for planning tests of operating effectiveness Inadequate written descriptions of control procedures may result in inconsistent performance of the control because control performers may not fully understand the expectations Detailed Description of the Control

Team Activity

Copyright © 2015 Deloitte Development LLC. All rights reserved. 19 Your facilitator will assign you into groups. Work in your groups to review the IT Risks and General IT Controls, and then determine which controls address each of the risks. Be prepared to share your insights on how the controls address the risks. Team Activity

Copyright © 2015 Deloitte Development LLC. All rights reserved. 20 Team Exercise – IT Risks Risk IdentifierRisk Description 1Unauthorized users have access to the database. 2Duplicate data entries exist within the database. 3Unauthorized or invalid changes are made to data. Note: Multiple controls can address the same risk.

Copyright © 2015 Deloitte Development LLC. All rights reserved. 21 Team Exercise – General IT Controls Control NumberControl Description APasswords are configured to require a minimum length of 8 characters, complexity settings enabled, and must be changed every 90 days. BChanges made to data are logged, monitored, and reviewed by management on a weekly basis. CNew access to the database must be approved by a manager before the access is granted. DWhen a user leaves the company (i.e., “terminated user”), their access to the database must be removed within 48 hours. EBefore a change is made to the database, the change must be documented in a change ticket, which then must be approved by management. FWhen duplicate data entries are inserted into the database, an error message appears.

What Questions Do You Have?

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright © 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limitedwww.deloitte.com/about