Title: Are You Ready for IT Control Identification & Testing?

Slide 1: Are You Ready for IT Control Identification & Testing?
- The Institute of Internal Auditors, February 10, 2004
Moderator: Xenia Ley Parker, CIA, CISA, CFSA, XLP Associates
Slide 2: Agenda
- Introduction & Overview
  - Xenia Ley Parker, XLP Associates
- General Controls
  - Edward Hill, Protiviti
- Application Controls
  - John Gimpert, Deloitte
- Establishing a Framework
  - Reggie Combs, Lockheed Martin
- Break
- Q & A
Slide 3: References
- Public Company Accounting Oversight Board - www.pcaobus.org/
- Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm
- Internal Control - Integrated Framework, and Exposure Draft: Enterprise Risk Management Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO) - www.coso.org
- CobiT 3rd Edition®, IT Governance Institute - www.isaca.org
- IT Control Objectives for Sarbanes-Oxley - www.itgi.org
- The IIA GAIN Flash Survey: Use of SOX tools - www.gain2.org/sox4jwsum
- Protiviti: Guide to the Sarbanes-Oxley Act, IT Risks and Controls, Frequently Asked Questions - www.protiviti.com
- Deloitte: Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 - www.deloitte.com
- PricewaterhouseCoopers: Understanding the Independent Auditor's Role in Building Trust; The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges - www.pwc.com
Slide 4: PCAOB ED Statements - Impact on IT Control Guidance
- Determining which controls should be tested: generally, such controls include information technology general controls, on which other controls are dependent (page 41)
- The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting (page 48)
- Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively (page 51)
Slide 5: PCAOB ED Statements - Impact on IT Control Guidance
- The risk that the controls might not be operating effectively. Factors include the following:
  - The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (p 74)
- The audit should trace all types of transactions and events, both recurring and unusual, from origination through the company's information systems until they are reflected in the company's financial reports (page 79)
Source: http://www.pcaobus.org/
Slide 6: Introduction of Key Issues
- Define 404 universe, processes, risks, controls
- Identify key controls & assertions related to control considerations
- Impact of IT controls
- Application vs. IT controls
- Establishing a framework
Slide 7: PCAOB Release No. 2003-017, issued 7 October 2003
- Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework
- Other suitable frameworks have been published in other countries and likely will be published in the future
- Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes
Slide 8: Tone at the Top
- IT executives need to be well versed in internal control theory and practice
- Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls?
- Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting?
Slide 9: IT Control Objectives for Sarbanes-Oxley - Common Elements of Organizations
Slide 10: Sarbanes-Oxley, COSO and COBIT
Slide 11: Sarbanes-Oxley IT Diagnostic Questions
1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404?
2. Does IT management understand the financial reporting process and its supporting systems?
3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing?
4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization?
5. Are the IT department's roles and responsibilities related to Section 404 documented & understood by all members of the IT department?
Slide 12: Sarbanes-Oxley IT Diagnostic Questions
6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, and are they supported with appropriate skill development?
7. Is the IT department's risk assessment process integrated with the company's overall risk assessment process for financial reporting?
8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis?
9. Does IT have a formal process in place to identify & respond to IT control deficiencies?
10. Is the effectiveness of IT controls monitored & followed up on a regular basis?
Source for slides 8-12: IT Governance Institute, ISACA
Slide 13: Are You Ready for IT Control Identification & Testing? General Controls
Edward Hill, CPA, Protiviti
Slide 14: Plain English Approach - IT Risks & Controls for SOX 404
- Define universe, processes, risks & controls
- Assertion relationships
- Document key controls & evaluate
- Testing of key controls - what to do
IT Organization Structure
IT Entity Level Control Evaluations
IT Process Level Control Evaluations
Slide 16: General IT Process Risks and Controls - A Typical Universe & Risk Assessment
General IT Processes
- Security Administration
- Application Maintenance
- Change Control
- Ensure Continuity
- Data Management & Disaster Recovery
- Manage Technical Infrastructure & Operations
- Problem Management
- Asset Management
Slide 17: Impact of STRONG Controls at the IT General Controls
General IT Processes
Integrated Application Specific Processes
Application & Data Owner Processes
- Applications perform as designed
- Programmed controls function as designed
- Access to transactions and data functions as designed
- WHEN SETTING SCOPE
  - Work at the application and data owner level can focus on proper design of controls
  - General controls provide an indication that such controls operate as intended
Slide 18: Controls - Security Administration
- How does this relate to the assertions - what can go wrong?
  - Security, designed & implemented properly, assures transactions are executed by only those individuals with authorization.
  - Security, designed appropriately, ensures (physical and electronic) access to assets is restricted.
- This impact must be understood at each IT component level
  - Application transaction and data level
  - Access to the systems and infrastructure, such as administrator and super user
  - Databases
  - Platforms (operating systems)
  - Networks
Slide 19: Security & Segregation of Duties
- Potential impact on assertions
  - Transactions are executed only by individuals authorized by management to do so
  - Duties that are incompatible from an internal control standpoint are segregated in accordance with management's criteria
- Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorization and segregation issues)
Slide 20: Security Administration
- Risks and controls documented and evaluated for specific process portions
  - Role set up, maintenance and periodic validation
  - User set up, maintenance and deletion
  - Data classification and rules allowing access to sensitive data
  - Periodic transaction and data access review, validation and follow-up
- Risks and controls documented and evaluated at the technical level
  - Set up of administrative and other sensitive accounts for all technology components
  - Add, modify and delete procedures
  - Audit trail rules and set-up
  - Monitoring and review procedures for usage of administrative and sensitive accounts
Slide 21: Security Administration
- Risks and controls documented and evaluated for specific process portions
  - Development and maintenance of security roles restricting access to transactions and data to only those individuals with a valid business need to execute transactions and access data
  - Development and communication to the IT organization of the roles and transactions that need to be segregated from an internal controls standpoint
  - Maintenance and review of application changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint
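The segregation-of-duties items on slides 19-21 are usually re-performed by resolving each user's roles to the transactions they can execute and comparing that set against management's list of incompatible pairs. The script below is an added example, not code from the webcast or its presenters; the roles, users and incompatibility rules are constructed sample data, and it also flags roles that are badly designed in themselves and roles assigned to users that no longer exist in the role catalogue.

```python
# Added example: SoD re-performance test over constructed role/user data.
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str, str]  # (transaction A, transaction B, description)

# Security roles -> transactions each role may execute (constructed sample).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"ENTER_INVOICE", "ENTER_PAYMENT"},
    "AP_APPROVER": {"APPROVE_INVOICE"},
    "VENDOR_ADMIN": {"MAINTAIN_VENDOR_MASTER"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
    "GL_SUPER": {"POST_JOURNAL", "APPROVE_JOURNAL"},  # conflict built into the role
}

# Transactions management has defined as incompatible (constructed sample;
# in practice this list comes from the risk and control matrix).
INCOMPATIBLE: List[Pair] = [
    ("ENTER_INVOICE", "APPROVE_INVOICE", "invoice entry vs. invoice approval"),
    ("MAINTAIN_VENDOR_MASTER", "ENTER_PAYMENT", "vendor master vs. payment entry"),
    ("POST_JOURNAL", "APPROVE_JOURNAL", "journal posting vs. journal approval"),
]

# User -> assigned roles (constructed sample extract from the application).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_APPROVER"},        # conflict across two roles
    "carol": {"VENDOR_ADMIN", "AP_CLERK"},     # conflict across two roles
    "dave": {"GL_SUPER"},                      # conflict inside one role
    "erin": {"GL_ACCOUNTANT", "LEGACY_ROLE"},  # role missing from the catalogue
}


def conflicts_in(transactions: Set[str], rules: List[Pair]) -> List[Pair]:
    """Return the incompatible pairs fully contained in one transaction set."""
    return [r for r in rules if r[0] in transactions and r[1] in transactions]


def conflicting_roles(roles: Dict[str, Set[str]], rules: List[Pair]) -> Dict[str, List[Pair]]:
    """Role design test: roles that grant both halves of an incompatible pair."""
    found = {name: conflicts_in(txns, rules) for name, txns in roles.items()}
    return {name: hits for name, hits in found.items() if hits}


def user_access_review(user_roles, roles, rules):
    """User assignment test. Returns (conflicts, undefined_roles): conflicts maps
    user -> incompatible pairs reachable through the union of their roles;
    undefined_roles maps user -> assigned roles absent from the role catalogue."""
    conflicts: Dict[str, List[Pair]] = {}
    undefined: Dict[str, Set[str]] = {}
    for user, assigned in user_roles.items():
        missing = assigned - set(roles)
        if missing:
            undefined[user] = missing
        effective = set().union(*(roles[r] for r in assigned if r in roles))
        hits = conflicts_in(effective, rules)
        if hits:
            conflicts[user] = hits
    return conflicts, undefined


if __name__ == "__main__":
    print("Role design conflicts:", conflicting_roles(ROLES, INCOMPATIBLE))
    user_hits, unknown = user_access_review(USER_ROLES, ROLES, INCOMPATIBLE)
    print("User SoD conflicts:", user_hits)
    print("Roles not in catalogue:", unknown)
```

Each finding is an exception for the periodic access review and follow-up on slide 20; an undefined role is itself evidence that role maintenance has drifted from the catalogue.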
Slide 22: Manage Applications - Change Controls
- How does this relate to the assertions - what can go wrong?
  - Application change control provides assurance that applications function as intended and that the integrity of processing can be assured
  - Appropriate application changes assure completeness and accuracy of processing
  - Together with the security administration processes, it assures transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions
- Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes to the following do not occur:
  - Production data
  - Other related components such as interface routines, background processing and updates, etc.
Slide 23: Application & Data Owner Responsibilities for Change Controls
- How does this relate to the assertions - what can go wrong?
  - Application changes may not be in accordance with the directives of the business owners, causing them not to function as intended or to run without the appropriate controls - impacts:
    - Completeness and accuracy
    - Authorization
    - Access to assets
  - There may be changes to the security administration of roles and responsibilities that affect the controls which ensure appropriate authorization of transactions and access to assets
Slide 24: Manage Applications - Change Controls
- Risks and controls documented and evaluated for the specific process
  - Initiation of change requests
  - Testing and approval of changes prior to migration into the production environment
    - Critical calculations and data validation and exception routines
    - Interfaces
    - Job sequencing and interrelationships
  - Application migration procedures
    - Integrity of process and access to applications and data by migrators
    - Back out and validation of successful migrations
  - Emergency change procedures and processes
Slide 25: Business Owner Change Control Processes
- Risks and controls documented and evaluated for the specific process
  - Changes are appropriately initiated and approved by the application and data owners
  - All changes are reviewed by the application owners from a controls perspective, with a sign-off that controls have been appropriately considered for any change(s)
  - Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.)
  - There should be review (after the fact) of emergency changes such that application owners verify the validity of the change and its effect on programmed controls.
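A practical way to test the change control items on slides 24 and 25 is to reconcile the production migration log against the change request register: every migration should trace to an owner-approved, controls-tested change, be performed by an authorised migrator after the approval date, and, if it was an emergency change, carry the after-the-fact owner review. The script below is an added example, not code from the webcast or its presenters; the register, log lines and migrator list are constructed sample data, and the field layout is an assumption.

```python
# Added example: change-control reconciliation over constructed sample data.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ChangeRequest:
    ticket: str
    owner_approved: Optional[datetime]  # application/data owner approval time
    controls_tested: bool               # controls-functionality test sign-off
    emergency: bool
    post_reviewed: bool                 # after-the-fact owner review (emergency)


# Constructed change request register.
REGISTER: Dict[str, ChangeRequest] = {
    "CR-101": ChangeRequest("CR-101", datetime(2004, 1, 10, 9, 0), True, False, False),
    "CR-102": ChangeRequest("CR-102", None, True, False, False),                   # never approved
    "CR-103": ChangeRequest("CR-103", datetime(2004, 1, 20, 9, 0), False, False, False),  # untested
    "CR-104": ChangeRequest("CR-104", datetime(2004, 1, 25, 9, 0), True, True, False),    # no post-review
    "CR-105": ChangeRequest("CR-105", datetime(2004, 2, 1, 9, 0), True, True, True),
}
AUTHORIZED_MIGRATORS: Set[str] = {"migrator1", "migrator2"}

# Constructed migration log: one production deployment per line,
# timestamp|migrator|object|ticket (ticket may be empty).
MIGRATION_LOG = """\
2004-01-12 14:02|migrator1|AP_INVOICE_POST|CR-101
2004-01-15 10:30|migrator2|GL_INTERFACE|CR-102
2004-01-19 16:45|migrator1|AR_AGING_CALC|CR-103
2004-01-26 02:10|migrator1|PAYROLL_BATCH|CR-104
2004-02-02 11:00|migrator2|TAX_RATE_TABLE|CR-105
2004-02-05 09:15|devuser7|INV_VALUATION|
"""


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log layout into rows; an empty ticket becomes None."""
    rows = []
    for line in text.strip().splitlines():
        when, migrator, obj, ticket = line.split("|")
        rows.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                     "migrator": migrator, "object": obj, "ticket": ticket or None})
    return rows


def reconcile(log_text: str, register: Dict[str, ChangeRequest],
              authorized: Set[str]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (object, ticket, exceptions) for every migration failing a control."""
    findings = []
    for row in parse_log(log_text):
        issues = []
        if row["migrator"] not in authorized:
            issues.append("migration performed by an unauthorised migrator")
        cr = register.get(row["ticket"]) if row["ticket"] else None
        if cr is None:
            issues.append("no change request linked to the migration")
        else:
            if cr.owner_approved is None:
                issues.append("no application/data owner approval")
            elif row["when"] < cr.owner_approved:
                issues.append("migrated into production before owner approval")
            if not cr.controls_tested:
                issues.append("no sign-off that controls functionality was tested")
            if cr.emergency and not cr.post_reviewed:
                issues.append("emergency change lacks after-the-fact owner review")
        if issues:
            findings.append((row["object"], row["ticket"], issues))
    return findings
```

Migrations with no findings are the population that passes the test; each finding is a control exception to be evaluated as a potential deficiency.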
Slide 26: Format for Documentation and Control Related Work
- Evaluation of IT-related risks and controls should be formatted similarly to other process and control work
  - Process maps
  - Process narratives
  - Risk and control matrices
- All work should focus on controls that affect the financial reporting and disclosure risks and controls
- Must address financial reporting assertions
Slide 27: Evaluation of IT Controls
- After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risks
- The evaluation should include both manual and systems-based controls - even in the General Controls processes
- At this point, control gaps, if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls
- For controls evaluated as effective, the next step is to develop a testing plan so that the operating effectiveness can be evaluated
Slide 28: Approach to IT General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results
- For IT General Controls testing:
  - Key controls can and should be tested similarly to other processes with pervasive controls
  - There needs to be a combination of inquiry, inspection, observation and re-performance
  - Process flows and risk and control matrices should be referenced and are a key to selecting the type of test needed
  - Timing of this testing - two competing issues:
    - One external firm indicated that pervasive controls such as IT General Controls should be tested near the "as of" date
    - Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls downstream of these.
Slide 29: Documenting General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results
- For IT General Controls testing:
  - Documentation of testing should be handled similarly to other processes with pervasive controls
  - There need to be documentation standards for inquiry, inspection, observation and re-performance testing; scoping should be based on the overall approach
  - Evidence of tests should be retained for review and approval
Slide 30: Are You Ready for IT Control Identification & Testing? Application Controls
John Gimpert, CPA, Deloitte
Slide 31: Importance of IT in Sarbanes-Oxley
- For most organizations, IT controls are pervasive to the financial reporting process
- Financial applications and automated systems are typically used to initiate, record, process and report transactions
- Applications and ERP systems are supported by the general computing environment
- Effectiveness of the application computing controls is dependent upon the general computing controls
- Limitations of application controls may need to be appropriately mitigated by general computing controls
- Overall, application and general computing controls support the integrity and reliability of financial reporting
Slide 32: A Roadmap for Compliance
Source: IT Governance Institute (ITGI), IT Control Objectives for Sarbanes-Oxley Discussion Document
Slide 33: Internal Control Reliability Model
Determine the reliability and maturity of IT controls.
Slide 34: Mapping Accounts to Controls
- Determine and walk through key transactions and accounts
- Identify applications and IT systems related to significant accounts and transactions
- Identify, document and test controls supporting the above
Diagram layers (top to bottom):
- Significant Accounts/Processes: Balance Sheet, Income Statement, G/L, Inventory, Other
- Classes of Transactions / Business Processes: Process A, Process B, Process C
- Financial Applications: Application A, Application B, Application C
- Application controls (examples): Seg of Duties, Data integrity, Completeness, Timeliness
- General Computing Controls: Security, Retention, Operations, Configuration
Slide 35: Application Controls Definition
- Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing
- Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct
- Application controls are typically embedded within software programs to prevent or detect unauthorized transactions
Slide 36: Linking Business Process to Controls
Order Processing
- Control Objectives
  - Accounts Receivable balances and reserves are complete and accurate.
  - Sales revenues and cost of goods sold are complete and accurate
  - All purchase orders received are input and processed
  - Invoices are generated using authorized terms and prices
  - Only valid changes are made to customer master files.
Diagram: Sales sub-process (order & supplier controls, customer controls, customer order entry) running on SAP, Oracle and other applications
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
General computing controls cover security access, change and configuration mgt, data retention, testing, processing integrity, etc.
Slide 37: Assertions
Slide 38: Examples of Control Identification
Slide 39: Types of Controls
Slide 40: Control Evaluation and Testing Process
Flowchart (Y/N decision branches in the original graphic): Discovery process for existing controls; Controls for those business processes impacting key transactions and accounts; Evaluation of Control Effectiveness; Test Control Effectiveness; Document the Test Results; Prepare for Certification
Slide 41: Sample Result of Evaluation Process
Slide 42: Lessons Learned
- Effective IT application controls are critical and serve as a first line of defense
- Some controls exist at both the general computing and applications layer - for instance, security controls
- Application controls can be modernized; many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist)
- Application controls can be proactively built into applications and can help identify risks
- Improved application controls can result in improved application effectiveness and help drive higher quality applications
- A well controlled environment is a first step toward improved IT Governance
Slide 43: Sarbanes-Oxley to Increase Shareholder Value
- Risk Management
  - Compliance with Sarbanes-Oxley has direct impact, and IT control improvements can reduce risk for downstream business initiatives
- Operating Margin
  - Deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation
- Asset Efficiency
  - Operational improvement regarding IT management processes
  - Consolidation of systems to reduce complexity can result in operational efficiencies
- Revenue Growth
  - Inventory your critical customer systems and data for future sales targeting initiatives
Slide 44: Are You Ready for IT Control Identification & Testing? Establishing a Framework
Reginald B. Combs, CISA, Lockheed Martin Corporation
Slide 45: Establishing a Framework
- The COSO/COBIT™ Relationship
- Considerations When Identifying Controls
- Entity, General, or Application Control?
Slide 46: Establishing a Framework
- The COSO/COBIT™ Relationship
  - To assess an organization's internal controls, first identify the assessment criteria
  - The COSO report defines internal control consistent with current auditing standards and SAS guidance
  - The COSO report also identifies five components of effective internal control:
    - Control Environment
    - Risk Assessment
    - Information & Communication
    - Control Activities
    - Monitoring
Section 404: "establish and maintain an adequate internal control structure"
Slide 47: Establishing a Framework
- The COSO/COBIT™ Relationship
  - To assess an organization's IT internal controls, first identify the assessment criteria
  - The COBIT framework is generally applicable and accepted as a standard for good IT security and control practices
  - COBIT Business/Fiduciary Requirements are derived from COSO categories
  - COBIT classifies control objectives into four groups (domains):
    - Plan & Organize
    - Acquire & Implement
    - Deliver & Support
    - Monitor and Evaluate
COSO and COBIT provide a complementary framework for IT control identification
Slide 48: Mapping the COSO/COBIT™ Relationship
Slide 49: Considerations When Identifying Controls
- Focus on key controls
  - How does the application support the key financial processes?
  - Is the application processing data or acting as a repository?
  - Who relies on the controls?
- Consider the types of errors that can occur at the application and process level
  - Ask "What can go wrong?" questions
- When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts
Slide 50: Entity, General, or Application Control?
- Varying opinions on which controls fall into each category
- Establish definitions early and obtain consensus
- Communicate throughout the organization
Slide 51: Example - Lockheed Martin Corporation
Slide 52: SOX 404 Documentation Tools
- Pentana
- JeffersonWells
- EY's tool (developed in-house)
- SOXA Accelerator
- Focus
- Paisley
- Axentis ERA
- Methodware
- Lotus Notes
- Horizon (JP Morgan)
- ICT (Grant Thornton)
- OpenPages
- SOX Express
- SPF
- Teammate
- Dynamic Policy
Source: http://www.gain2.org/sox4jwsum.htm
Slide 53: Concluding Remarks
- Lessons learned
  - Understanding the role of IT controls means understanding IT better
  - Updating skill sets to identify/classify controls
  - Changing business auditors' mindset
    - What they can do when IT auditors are needed
    - How to relate types of testing
    - How to determine the impact of deficiencies
Slide 54: Questions & Answers
- E-mail your questions by clicking on the link provided or directly to info_at_tvworldwide.com
Slide 55: Next Webcast
- March 9, 2004
- Balancing SOX with Risk Based Audit Planning
- See you at our next webcast!