IT Risk and Internal Control Frameworks University of Washington


1 IT Risk and Internal Control Frameworks University of Washington
March 5th, 2015 Michael Isensee Partner, Advisory

2 Outline
My Background
IT Risk
COBIT
  Introduction to COBIT
  Components
  Principles
COSO
  Introduction to COSO
  COSO framework and Key Principles
Q & A

3 My background and experience
German University “MBA” graduate – 1996, accounting, finance, and information systems
Thesis paper on Controlling IS for Mercedes Benz
Intern at Arthur Andersen & Co.
Joined Arthur Andersen & Co. full time in 1996
Joined KPMG in 2003
Became CISA in 1999, CPA in 2001, CITP in 2006, PMP in 2007, CGEIT in 2009
Diverse career experience in accounting & IT
Clients included Costco Wholesale, Gap, Nordstrom, Ross Stores, Siemens, T-Mobile, Washington Mutual, and Weyerhaeuser

4 IT Risk

5 Assessing risk, including IT Risk
(Figure: risk heat map. Vertical axis, Likelihood of Occurrence: Rare, Unlikely, Moderate, Likely, Almost Certain. Horizontal axis, Magnitude of Impact: Low, Moderate to Low, Moderate, Moderate to High, High. Functional areas plotted on the map: Human Resources, Finance, Sales, Central Transaction Processing, Treasury, Corp. Governance, Logistics, Information Technology, Procurement, Acquisitions, Inventory Control & Management, Outsourcing, Unions.)

6 What is IT Risk? Any risk related to information technology.
IT risk incidents have the potential to produce substantial business consequences that touch a wide range of stakeholders. Examples include:
Critical business processes, such as order processing, disrupted.
Customers unable to contact call centers.
Lost business, reduced profits, and damage to an organization’s reputation are at stake.
IT risk encompasses not only the negative impact on operations, but also the benefit/value of risks associated with missing opportunities to use technology to enhance business objectives.
Goal: Turn business threats into a competitive advantage.

7 Threat update – Security Risk

8 Business Continuity (BC) – Availability Risk
Key BC activities as selected from the BS standard and the respective logical flow are represented below. BC Management covers both IT and other business risk.
BCM lifecycle: Understand the organization; Determining BCM strategy; Developing and implementing BCM response; Embedding in BCM culture; Exercising, maintaining, and reviewing.
Activity flow: Project Initiation; Risk Assessment; Business Impact Analysis; Design Strategy; Strategy Implementation; Develop Plans; Training and Awareness; Exercise/Test; On-going Validation and Maintenance.
Plans: Emergency Response Plan; Crisis Management Plan; Business Continuity Plan; Disaster Recovery Plan.

9 Financial Reporting Key IT Risks
Key issues for the external auditor (where IT risk is concerned) include:
Logical Security
Physical Security
Changes to Software
Backups to recover from Hardware and Software Malfunction
Batch Processing
External auditors will also be increasingly concerned with emerging risks such as:
Cloud Computing
Mobile Platforms

10 Control Objectives for Information and Related Technology

11 Brainstorm examples of controls in your life
Automobiles
Football Game
Air Travel
“Internal Controls” are an everyday part of our lives

12 What is COBIT? Framework created by ISACA for IT management and IT governance that was first released in 1996. Supports governance of IT by defining and aligning business goals with IT goals and IT processes. Mission – to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals. Latest revision (COBIT 5) was recently released in April 2012. COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO).

13 COBIT Key concepts Bridges the gaps amongst business requirements, control needs, and technical issues. Helps management and business process owners understand and manage the risks associated with IT. Focuses on IT processes rather than functions or applications. Not just for the IT Department, applies to the business as a whole.

14 COBIT components
Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
Process descriptions: a reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
Maturity models: assess maturity and capability per process and help to address gaps.

15 COBIT principles
COBIT 5 is based on five key principles for governance and management of enterprise IT. Enterprises of all sizes, whether commercial, not-for-profit or in the public sector, can benefit from using the COBIT 5 principles. COBIT 5 has become the standard for overall control of IT.
COBIT 5 Principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

16 Case Study
You are developing an IT Policy framework for Solo Cup and have decided to use COBIT. In evaluating the layout of the framework, consider the following:
What are some control environment characteristics of the organization?
What are the major IT general computer control areas?
What risk factors should be considered?
What processes are integral to the business?
How and to whom does the organization communicate information?
What components should be in place to help oversee the organization?
Case Study from ISACA: At Solo, the policy framework was defined to cover the following major IT general computer control areas:
Ensure systems security.
Manage the configuration.
Manage data.
Manage operations.
Install and accredit solutions and changes.
Manage problems and incidents.
Manage third parties.
End-user computing.

17 Sample IT Controls Framework for Solo Cup IT Policies

18 COSO Internal Control Framework

19 What is COSO?
The Committee of Sponsoring Organizations of the Treadway Commission. Formed in 1985 as an alliance of five professional organizations to serve as one voice on issues related to fraudulent financial reporting.
Mission – to improve the quality of financial reporting through business ethics, effective internal control and corporate governance.
1987 – Treadway Commission issued the Report of National Commission on Fraudulent Reporting.
1992 – issued the initial Internal Control-Integrated Framework.
2013 – issued the evolutionary Control Framework Update (superseded the old standard in December 2014).

20 COSO Key concepts Principles-based approach
Being “In Control” helps drive business success.
Control and business performance tie directly with the concept of an “Upside” in managing risk – control helps an entity achieve its goals!
Taking risks “Smartly” is a good thing.
To take risks you have to understand, embrace, and manage them.
(Figure: Objective, Risk, Control)

21 COSO Key concepts (continued)
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

22 Case study
You are executives for a large banking firm. In evaluating the control framework for your business, consider the following:
What are some control environment characteristics of the organization?
What risk factors should be considered?
What key controls should be in place?
How and to whom does the organization communicate information?
What components should be in place to help oversee the organization?

23 COSO components and principles
For effective internal control:
Each of the five components and 17 principles must be present and functioning.
Points of focus are characteristics supporting achievement of control objectives.
The five components must operate together in an integrated manner.
Control environment: 1. Demonstrates commitment to integrity and ethical values; 2. Exercises oversight responsibility; 3. Establishes structure, authority, and responsibility; 4. Demonstrates commitment to competence; 5. Enforces accountability.
Risk assessment: 6. Specifies suitable objectives; 7. Identifies and analyzes risk; 8. Assesses fraud risk; 9. Identifies and analyzes significant change.
Control activities: 10. Selects and develops control activities; 11. Selects and develops general controls over technology; 12. Deploys through policies and procedures.
Information and communication: 13. Uses relevant information; 14. Communicates internally; 15. Communicates externally.
Monitoring activities: 16. Conducts ongoing and/or separate evaluations; 17. Evaluates and communicates deficiencies.

24 Control activities – 2013 Framework changes
Control activities are the actions established through policies and procedures to mitigate risks to the achievement of objectives. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
2013 Framework changes:
Updated for the evolution in technology since 1992 (e.g., replacing data center concepts with a more general discussion on the technology infrastructure).
Addresses the linkage between business processes, automated control activities, and GITCs.
Contrasts process-level controls with controls at other levels of the organization.
Updated for GITC applicability (IT infrastructure; security management; and technology acquisition, development, and maintenance) across all technology platforms.
Clarifies that control activities are actions established by policies and procedures rather than being the policies and procedures themselves.

25 Principle #10: Understanding the process and identifying what could go wrong (WCGW)
Understand how transactions are initiated, authorized, processed, and recorded, including:
How data enters the IT system
How data is stored within the IT system, and how it may be accessed
When data is summarized, accumulated, or calculated
What manual processes affect the data
Every time the data moves, there may be a risk (WCGW) related to the CEA of data.

26 Control Activities: Principle #11 and points of focus
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
Points of focus:
Determines dependency between the use of technology in business processes and GITCs – management understands and determines the dependency and linkage between business processes, automated control activities, and GITCs.
Establishes relevant technology infrastructure control activities . . . which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Establishes relevant security management process control activities . . . which are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
Establishes relevant technology acquisition, development, and maintenance process control activities – management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve objectives.

27 Principle #11: Understand dependency and linkage among processes, automated controls, and GITCs
GITCs include access, systems development, program change, and computer operations controls.
(Figure: layered dependency from the Financial statements, through the business processes and data they rely on (Purchasing, A/P, Operating expenses, Vendor master file), down to the technology layers: Applications, Databases, Operating systems.)

28 Example
Employees enter time into the time/expense module.
Timesheets are signed by employees and forwarded to their supervisor.
Supervisor approves timesheets for payment.
Supervisor prints, signs, and disburses checks.
Timesheets are posted from the time/expense module to the GL module.

29 Example (continued)
Employees enter time into the PR time/expense module. Controls: Validation and Edit Checks; System Access.
Timesheets are signed by employees and forwarded to their supervisor.
Supervisor approves timesheets for payment. Controls: Management Review; System Access.
Supervisor prints, signs, and disburses checks. Control Gap – no segregation of duties.
Timesheets are posted from the time/expense module to the AR module. Controls: Interface/Conversion controls; Mapping/Account Configuration.
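The timesheet process of slides 28 and 29, as an added example that is not part of the presentation: a small Python model of the workflow that applies the automated controls the slide labels (validation and edit checks, system access, segregation of duties, mapping/account configuration) and reports the control gap the slide flags. The role names, permissions, account mapping and hours limit are constructed assumptions.

```python
# Added example, not from the presentation: the slide 28/29 timesheet process
# with the control points the slide labels. Roles, permissions and the account
# mapping are constructed assumptions, not a real payroll configuration.
from dataclasses import dataclass

# System access: which role may perform which action (constructed).
ROLE_PERMISSIONS = {
    "employee": {"enter_time"},
    "supervisor": {"approve_timesheet", "disburse_check"},
    "treasury": {"disburse_check"},
    "interface": {"post_to_ledger"},
}
# Duty each action represents (segregation-of-duties terms: authorize, record, custody).
ACTION_DUTY = {
    "enter_time": "record",
    "approve_timesheet": "authorize",
    "disburse_check": "custody",
    "post_to_ledger": "record",
}
# Mapping/account configuration for the posting interface (constructed).
ACCOUNT_MAP = {"regular": "6100-Salaries", "overtime": "6110-Overtime"}
MAX_HOURS_PER_PERIOD = 80  # posting limit for the edit check (assumption)

@dataclass
class Timesheet:
    employee: str
    hours: float
    pay_type: str
    period: str

@dataclass
class Step:
    action: str
    actor: str
    role: str

def validation_checks(ts):
    """Validation and edit checks applied when time is entered."""
    issues = []
    if not ts.period:
        issues.append("edit check: required field 'period' is empty")
    if not 0 < ts.hours <= MAX_HOURS_PER_PERIOD:
        issues.append(f"edit check: {ts.hours} hours is outside the posting limit")
    if ts.pay_type not in ACCOUNT_MAP:
        issues.append(f"account mapping: pay type {ts.pay_type!r} is unmapped")
    return issues

def review_workflow(ts, steps):
    """Walk one timesheet through the process and list every control finding:
    edit checks first, then system access per step, then segregation of duties."""
    findings = validation_checks(ts)
    duties_by_actor = {}
    for s in steps:
        if s.action not in ROLE_PERMISSIONS.get(s.role, set()):
            findings.append(f"system access: {s.actor} ({s.role}) may not {s.action}")
        duties_by_actor.setdefault(s.actor, set()).add(ACTION_DUTY[s.action])
    for actor, duties in duties_by_actor.items():
        # The slide's control gap: the supervisor both approves timesheets
        # (authorize) and prints, signs and disburses checks (custody).
        if {"authorize", "custody"} <= duties:
            findings.append(f"segregation of duties: {actor} both authorizes and has custody")
    return findings

SLIDE_PROCESS = [  # the process as drawn on slide 29, with constructed names
    Step("enter_time", "alice", "employee"),
    Step("approve_timesheet", "bob", "supervisor"),
    Step("disburse_check", "bob", "supervisor"),
    Step("post_to_ledger", "payroll-interface", "interface"),
]
```

Running `review_workflow(Timesheet("alice", 40, "regular", "2015-02"), SLIDE_PROCESS)` returns only the segregation-of-duties finding for the supervisor; moving the disburse step to a treasury actor clears it.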

30 Third-party service providers (TPSPs)
Consider the following regarding the transactions or information processed by the TPSP:
The significance of the transactions processed by the TPSP to the entity’s financial statements
The risk of a material misstatement due to error or fraud associated with the transactions processed by the TPSP
The nature and complexity of services provided by the TPSP – how unique or highly standardized are they?
The extent of delegation of authority to the TPSP
How do the entity’s processes and controls interact with those of the TPSP? Is the TPSP part of the entity’s IT systems?
Consider applicability of the five components and 17 principles.
(Figure: Reporting entity and Third-party service provider, exchanging inputs and outputs.)

31 Thank you! Michael J Isensee
Phone: (206)

32 Appendix

33 Control environment – 2013 Framework changes
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The Board of Directors and senior management establish the Tone at the Top regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.
2013 Framework changes:
Explains that the control environment is the foundation for a sound system of internal control.
Updated for changes in business operations—global operations, VIEs, shared service centers.
Expands and clarifies guidance on:
Governance roles in an organization, recognizing differences in structures, types of entities, etc.
The need to consider internal control across the expanded organization, including outsourced service providers and other external partners
Expectations of competence and accountability with respect to internal control

34 Risk assessment – 2013 Framework changes
Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Thus, risk assessment forms the basis for determining how risks will be managed. Management specifies objectives relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Risk assessment requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.
2013 Framework changes:
Recognizes that many organizations take a risk-based approach to internal control.
Introduces the concept of “risk tolerance” (acceptable risk levels).
Clarifies that risk assessment includes processes for risk identification, risk analysis, and risk response.
Expands the discussion on:
Assessment of the significance of risks
The need to understand significant changes in internal and external factors and the impact of these changes on the system of internal control
Includes specific assessment of fraud risk relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption as part of the risk assessment process.

35 Information and communication
Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.
2013 Framework changes:
Emphasizes the importance of the quality of information, including how the entity manages information from and communicates with third-party service providers and those that operate outside its legal and operational boundaries.
Expands the discussion on:
The impact of regulatory requirements on the reliability and protection of information
The volume and sources of information in light of the increased complexity of business processes, greater interaction with external parties, and technology advances
Reflects the impact of technology and other communication mechanisms on the speed, means, and quality of the flow of information.

36 Monitoring activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies, or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
2013 Framework changes:
Refines the terminology: the two main categories of monitoring activities are now referred to as ongoing evaluations and separate evaluations.
Adds the need for a baseline understanding in establishing and evaluating ongoing and separate evaluations.
Expands the discussion of the use of technology and external service providers.

37 Example control categories
Authorization: Approval of transactions executed and access to assets and records only in accordance with management’s general or specific policies and procedures. Examples: designated approval lists; authorization limits; signatures on purchase orders; check signing limits.
Configuration/account mapping: “Switches” to secure data against inappropriate processing. Examples: posting limits; validations and edit checks; screen layout with required fields.
Exception/edit report: Reports are generated to monitor something and exceptions are followed up to resolution. (Exception – a violation of a set standard; Edit – a change to a master file.) Examples: reports of sales over credit limits; reports of changes to the price master file.

38 Example control categories (continued)
Interface/conversion controls: Controls over moving data between computer systems, such as the process used to migrate data from a legacy system. Examples: the interface between the accounts payable system and the general ledger system captures only unpaid invoices; general ledger balances are moved from old account numbers to the correct new account numbers.
Key performance indicators: Financial and non-financial quantitative measurements that are collected by the entity and used to evaluate progress toward meeting objectives. Examples: gross margin analysis; A/R over 90 days; salary and benefits per full-time equivalent employee.
Management review: A person different from the preparer analyzing and performing oversight of activities performed. Examples: manager review of reconciliations; dual signature on checks; co-workers reviewing each other’s work.

39 Example control categories (continued)
Reconciliation: Check whether two items (account balances, computer systems) are consistent. Examples: cash reconciliation from general ledger to bank; reconciliation of A/R aging to general ledger.
Segregation of duties: Separation of the duties and responsibilities of authorizing transactions, recording transactions and maintaining custody, to prevent individuals. Examples: the person who prepares bank reconciliations is not a signer on bank accounts; persons who bill accounts receivable do not post cash collections.
System access: The ability that individual users or groups of users have within a computer information system, as determined by the access rights configured in the system. Example: password protection linked to level of access.
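The detective controls listed on slides 37 to 39, as an added example that is not part of the presentation: an exception report for sales over credit limit, an edit report over changes to the price master file, and a reconciliation of A/R aging to the general ledger, each run over constructed sample records (customers, SKUs, roles and amounts are made up).

```python
# Added example, not from the presentation: three detective controls from the
# "Example control categories" slides (exception/edit reports, reconciliation)
# run over constructed sample records. Customers, SKUs, roles and amounts are made up.
from collections import defaultdict

CREDIT_LIMITS = {"C100": 5000.0, "C200": 1500.0}  # constructed customer master
SALES = [  # constructed invoices: (invoice, customer, amount), in posting order
    ("INV-1", "C100", 4800.0),
    ("INV-2", "C200", 1200.0),
    ("INV-3", "C200", 700.0),
    ("INV-4", "C100", 100.0),
]
PRICE_CHANGES = [  # constructed master-file audit log: (user, role, sku, old, new)
    ("dana", "pricing", "SKU-1", 10.0, 11.0),
    ("erin", "sales", "SKU-2", 25.0, 5.0),
]
AUTHORIZED_PRICE_ROLES = {"pricing"}  # roles allowed to change the price master file
AR_AGING = {"C100": 4900.0, "C200": 1900.0}  # constructed subledger balances
GL_AR_BALANCE = 6700.0                       # constructed GL control account balance

def sales_over_credit_limit(sales, limits):
    """Exception report: invoices that take a customer's open exposure past its
    credit limit. Exposure accumulates in posting order, so the report names the
    invoice that crossed the limit, not just the customer."""
    exposure = defaultdict(float)
    exceptions = []
    for invoice, customer, amount in sales:
        exposure[customer] += amount
        if exposure[customer] > limits[customer]:
            over_by = round(exposure[customer] - limits[customer], 2)
            exceptions.append({"invoice": invoice, "customer": customer, "over_by": over_by})
    return exceptions

def price_master_edit_report(changes, authorized_roles):
    """Edit report: every change to the price master file, flagged when the
    change was made by a role that is not authorized to edit it."""
    report = []
    for user, role, sku, old, new in changes:
        report.append({"user": user, "sku": sku, "old": old, "new": new,
                       "authorized": role in authorized_roles})
    return report

def reconcile_ar(aging, gl_balance):
    """Reconciliation: A/R aging (subledger) total against the general ledger
    control account; a non-zero difference is a reconciling item to follow up."""
    subledger_total = round(sum(aging.values()), 2)
    difference = round(subledger_total - gl_balance, 2)
    return {"subledger": subledger_total, "gl": gl_balance,
            "difference": difference, "reconciled": difference == 0}

if __name__ == "__main__":
    print(sales_over_credit_limit(SALES, CREDIT_LIMITS))
    print(price_master_edit_report(PRICE_CHANGES, AUTHORIZED_PRICE_ROLES))
    print(reconcile_ar(AR_AGING, GL_AR_BALANCE))
```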

