IT Controls in Financial Systems - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IT Controls in Financial Systems
  • Office of the Auditor General of Canada
  • John M. Dunning
  • 22 November 2005

2
Agenda
  • Background
  • OAG Controls Assessments
  • Methodology
  • Scope
  • Common Themes
  • Questions

3
OAG Relationships
4
What we audit
  • about 70 federal government departments and
    agencies, 40 Crown corporations, 10 departmental
    corporations and 60 other entities and special
    audits
  • the governments of the three territories and some
    15 territorial agencies
  • United Nations agencies such as UNESCO and ICAO.

5
Everything is Under Control?
  • Private Sector
      • Enron / WorldCom
      • Sarbanes-Oxley
      • Nortel
  • Public Sector
      • Gomery Commission
      • CPAC ratings

6
Why Are Controls Important?

Strong Controls
Weak Controls
7
Controls
  • What is required
      • Strong individual leadership from senior
        officials is necessary to reinforce commitment to
        improving the use of financial information and
        financial information systems.
      • Internal audit function is an important element
        in ensuring effective internal control systems.

8
Challenge
  • Re-establishing public confidence in government
    institutions
  • Establishing effective financial information
    systems and controls throughout government that
    lead to improving stewardship in government
  • Ensuring that strong internal controls are
    implemented

9
  • OAG -- Controls Assessments

10
Controls Assessments Objectives
  • Assess possibility of reliance on controls for
    purposes of auditing the Public Accounts of
    Canada
  • Develop audit methodology for assessing general
    computer and business cycle controls in complex
    IT systems and environments
  • Move towards implementation of business risk
    audit approach

11
Controls Assessments: A 5-Step Approach
  • 1. Obtain an Understanding of the Entity
  • 2. Identify key business risks, key financial
    authorities, and material components
  • 3. Identify key controls governing risks,
    authorities and components
  • 4. Perform walkthroughs and testing of key
    controls
  • 5. Assess the degree of possible control
    reliance and issue management letter

12
1. Obtain an understanding of the entity
  • Gain an understanding of:
      • Entity goals & objectives
      • Entity business lines and risks
      • Overall control environment
      • Computer information systems environment
  • Result -- Knowledge of how the entity operates,
    what it is trying to achieve and how its
    applications are affecting financial statements

13
2. Identify key risks, authorities & components
  • Analyze information obtained in developing an
    understanding of the entity to assess:
      • Those risks that impact the fairness of the
        financial results
      • Areas of the entity that are material to the
        fairness of financial statement presentation
      • The likelihood and consequences of error (high,
        medium or low) for identified risks, authorities
        and financial statement components

14
3. Identify key controls
  • Identify key controls -- must correlate to risks,
    authorities and material components identified in
    Step 2
  • Key controls will be the means used by the entity
    to ensure fairness of financial results and
    accomplishment of objectives
  • Balance of preventive and detective controls
  • A key detective control is reconciliation - this
    ensures the integrity of processing controls

15
4. Perform walkthroughs & testing of key controls
  • Walkthroughs and testing normally are conducted
    via the following categories:
      • General Computer Controls
      • Business Processing Controls
      • Management and Monitoring Controls

16
5. Assess degree of control reliance possible
  • Key question is whether reliance can be placed on
    the controls evaluated throughout the period of
    intended reliance.
  • Answer Yes or No to whether reliance can be
    placed on:
      • controls overall
      • general computer controls
      • business processing controls
      • management & monitoring
  • Consider compensating controls for deficiencies
    - will they suffice?
17
Controls over financial reporting
  • Significant Accounts in the Financial Statements
      • Balance Sheet
      • Income Statement
      • SCFP
      • Notes
      • Other
  • Business Processes / Classes of Transactions
      • Process A
      • Process B
      • Process C
  • Application Controls
      • Accuracy
      • Completeness
      • Validity
      • Authorization
      • Segregation of duties
      • etc...
  • Financial Applications
      • Application A
      • Application B
      • Application C
  • General Computer Controls
      • Security management
      • Systems management
      • Access management
  • IT Infrastructure Services
      • Database
      • Operating System
      • Network

18
Scope of Our Assessments
  • 18 Departments
  • FIS Systems
  • Legacy Systems

19
Controls Assessments -- Common Themes
20
Common themes
  • Electronic security controls
      • User access rights and privileges reflect
        incompatible duties.
      • Super user accounts are not sufficiently
        controlled.
      • Generic user IDs are used, which impairs
        accountability.

21
Common themes
  • Monitoring controls
      • Reconciliation of accounts is not being done on a
        timely basis.
      • Review of clearing and suspense accounts is not
        timely.
      • Policies and procedures for monitoring accounts
        are not always in place -- for example, review of
        unusual or high-risk transactions and review of
        key performance measures such as receivables
        aging.

22
Common themes
  • New financial systems
      • Integration of financial systems has not been
        achieved.
      • Many controls inherent in the new financial
        systems are not being used.

23
Common themes
  • Manual processing controls
      • Segregation of duties is inadequate.
      • Documentation on policies and procedures is not
        being prepared/reviewed.
      • Quality assurance of the account verification
        process is limited.

24
What has happened?
  • Issued management letters after each assessment
  • Started a follow-up process to monitor progress
  • Found:
      • Departments and agencies have slowly made
        progress in responding to key internal financial
        controls weaknesses

25
What has happened?
  • Began annual public reporting on progress made to
    address controls assessment observations in 2004
  • Found:
      • Progress is faster when departments and agencies
        are publicly named

26
Other Developments
  • Reorganization plan focused TBS on strengthening and
    supporting comptrollership and financial management
  • Office of the Comptroller General to monitor
    internal controls weaknesses
  • Development of Chief Financial Officers in some
    departments

27
Closing Remarks
  • Unless departments and agencies have strong
    financial controls and sound financial
    information, they will not be able to restore
    public confidence in their financial practices

28
Conclusion
  • It is all resting on you!

29
  • Questions?