Are You Ready for IT Control Identification

1
Are You Ready for IT Control Identification
Testing?

• The Institute of Internal AuditorsFebruary 10,
  2004

Moderator Xenia Ley Parker, CIA, CISA, CFSAXLP
Associates
2
Agenda

• Introduction Overview
• Xenia Ley Parker, XLP Associates
• General Controls
• Edward Hill, Protiviti
• Application Controls
• John Gimpert, Deloitte
• Establishing a Framework
• Reggie Combs, Lockheed Martin
• Break
• Q A

3
References

• Public Company Oversight Board - www.pcaobus.org/
  
• Final Rule Management's Reports on Internal
  Control Over Financial Reporting and
  Certification of Disclosure in Exchange Act
  Periodic Reports - www.sec.gov/rules/final/33-8238
  .htm
• Internal ControlIntegrated Framework Committee
  of Sponsoring Organizations of the Treadway
  Commission (COSO), Exposure Draft Enterprise
  Risk Management Framework- www.coso.org
• CobiT 3rd EditionÓ, IT Governance Institute -
  www.isaca.org
• IT Control Objectives for Sarbanes-Oxley-
  www.itgi.org
• The IIA GAIN Flash Survey Use of SOX tools -
  www.gain2.org/sox4jwsum
• Protiviti Guide to the Sarbanes-Oxley Act IT
  Risks and ControlsFrequently Asked Questions -
  www.protiviti.com
• Deloitte Taking Control, A Guide to Compliance
  with Section 404 of the Sarbanes-Oxley Act of
  2002 - www.deloitte.com
• PricewaterhouseCoopers Understanding the
  Independent Auditors Role in Building Trust
  The Sarbanes-Oxley Act of 2002, Strategies for
  Meeting New Internal Control Reporting
  Challenges - www.pwc.com

4
PCAOB ED Statements Impact on IT Control
Guidance

• determining which controls should be tested
  generally, such controls include information
  technology general controls, on which other
  controls are dependent (page 41)
• The auditor should obtain an understanding of
  the design of specific controls by applying
  procedures that include tracing transactions
  through the information system relevant to
  financial reporting (page 48)
• Information technology general controls over
  program development, program changes, computer
  operations, and access to programs and data help
  ensure that specific controls over the processing
  of transactions are operating effectively (page
  51)

5
PCAOB ED Statements Impact on IT Control
Guidance

• The risk that the controls might not be
  operating effectively. Factors include the
  following
• The degree to which the control relies on the
  effectiveness of other controls (for example, the
  control environment or information technology
  general controls) (p 74)
• The audit should trace all types of transactions
  and events, both recurring and unusual from
  origination through the companys information
  systems until they are reflected in the companys
  financial reports (page 79)

Source http//www.pcaobus.org/
6
Introduction of Key Issues

• Define 404 universe, processes, risks,
  controls
• Identify key controls assertions related to
  control considerations
• Impact of IT controls
• Application vs. IT controls
• Establishing a framework

7
PCAOB Release No. 2003-017 issued 7 October 2003

• Because of the frequency with which management of
  public companies is expected to use COSO as the
  framework for the assessment, the directions in
  the proposed standard are based on the COSO
  framework
• Other suitable frameworks have been published in
  other countries and likely will be published in
  the future
• Although different frameworks may not contain
  exactly the same elements as COSO, they should
  have elements that encompass all of COSO's
  general themes

8
Tone at the Top

• IT Executives need to be well versed on internal
  control theory and practice
• Does the audit committee have the expertise to
  understand the relevance and degree of
  reliability/importance of IT controls?
• Is the audit committee aware of any significant
  activities affecting the IT environment as it
  relates to financial reporting?

9
IT Control Objectives for Sarbanes-Oxley Common
Elements of Organizations
10
Sarbanes Oxley, COSO and COBIT
11
Sarbanes-Oxley IT Diagnostic Questions

• 1. Does the SOX steering committee understand the
  risks inherent in IT systems their impact on
  compliance with Section 404?
• 2. Does IT management understand the financial
  reporting process and its supporting systems?
• 3. Does the CIO have an advanced knowledge of the
  types of IT controls necessary to support
  reliable financial processing?
• 4. Are policies governing security, availability
  and processing integrity established, documented
  communicated to all members of the IT
  organization?
• 5. Are the IT departments roles and
  responsibilities related to Section 404
  documented understood by all members of the IT
  department?

12
Sarbanes-Oxley IT Diagnostic Questions

• 6. Do IT employees understand their roles, do
  they possess the requisite skills to perform
  their job responsibilities relating to internal
  control, are they supported with appropriate
  skill development?
• 7. Is the IT departments risk assessment process
  integrated with the companys overall risk
  assessment process for financial reporting?
• 8. Does IT document, evaluate remediate IT
  controls related to financial reporting on an
  annual basis?
• 9. Does IT have a formal process in place to
  identify respond to IT control deficiencies?
• 10. Is the effectiveness of IT controls monitored
  followed up on a regular basis?
• Source for Slides 8-12 IT Governance Institute,
  ISACA

13
Are you Ready for IT Control Identification
Testing? General Controls Edward Hill,
CPA Protiviti
14
Plain English Approach IT Risks Controls for
SOX 404

• Define Universe, processes, risks controls
• Assertion relationships
• Document key controls valuate
• Testing of key controls what to do

IT Organization Structure
IT Entity Level Control Evaluations
IT Process Level Control Evaluations
15
(No Transcript)
16
General IT Process Risks and Controls-A Typical
Universe Risk Assessment
General IT Processes

• Security Administration
• Application Maintenance - Change Control
• Ensure Continuity - Data Management Disaster
  Recovery
• Manage Technical Infrastructure Operations -
  Problem Management
• Asset Management

17
Impact of STRONG Controls at the IT General
Controls
General IT Processes
Integrated Application Specific Processes
Application Data Owner Processes

• Applications perform as designed
• Programmed controls function as designed
• Access to transactions and data function as
  designed

• WHEN SETTING SCOPE
• Work at application and data owner level can
  focus on proper design of controls
• General controls provide an indication that such
  controls operate as intended

18
Controls Security Administration

• How does this relate to the assertions - what can
  go wrong?
• Security, designed implemented properly,
  assures transactions are executed by only those
  individuals with authorization.
• Security, designed appropriately, ensures
  (physical and electronic) access to assets is
  restricted.
• This impact must be understood at each IT
  component level
• Application transaction and data level
• Access to the systems and infrastructure such as
  administrator and super user
• Databases
• Platforms (operating systems)
• Networks

19
Security Segregation of Duties

• Potential impact on assertions
• Transactions are executed only by individuals
  authorized by management to do so
• Duties that are incompatible from an internal
  control standpoint are segregated in accordance
  with managements criteria
• Updates and changes to applications may impact
  how security should be managed and the duties
  which may need to be segregated (authorized and
  segregation issues)

20

Security Administration

• Risk and controls documented, evaluated for
  specific process portions
• Role set up, maintenance and periodic validation
• User set up, maintenance and deletion
• Data classification and rules allowing access to
  sensitive data
• Periodic transaction and data access review,
  validation and follow-up
• Risks and controls documented, evaluated at the
  technical level
• Set up of administrative and other sensitive
  accounts for all technology components
• Add, modify and delete procedures
• Audit trail rules and set-up
• Monitoring and review procedures for usage of
  administrative and sensitive account

21
Security Administration

• Risk and controls documented, evaluated for
  specific process portions
• Development and maintenance of security roles
  restricting access to transitions and data to
  only individuals with a valid business need to
  execute transactions and access data
• Development and communication to the IT
  organization the roles and transactions needed to
  be segregated from an internal controls
  standpoint
• Maintenance and review of applications changes to
  confirm appropriateness of the roles and
  transactions identified as incompatible from an
  internal control standpoint

22

Manage Applications-Change Controls

• How does this relate to the assertions- what can
  go wrong
• Application change provides assurances that
  applications function as intended and integrity
  of processing can be assured
• Appropriate application changes assure
  completeness and accuracy of processing
• Together with the security administration,
  processes assures transactions can only be
  initiated, modified or deleted by individuals
  authorized by management to execute and view
  transactions
• Access to applications and data through the
  change process must be restricted so that
  inadvertent or deliberate changes to the
  following do not occur
• Production data
• Other related components such as interface
  routines, background processing and updates, etc.

23
Application Data Owner Responsibilities For
Change Controls

• How does this relate to the assertions- what can
  go wrong
• Application changes may not be in accordance with
  the directives of the business owners causing
  them not to function as intended or without the
  appropriate controls- impacts
• Completeness and accuracy
• Authorization
• Access to assets
• There may be changes to the security
  administration of roles and responsibilities that
  effect the controls which ensure appropriate
  authorization of transactions and access to assets

24

Management Applications Change Controls

• Risk and controls documented, evaluated for
  specific process
• Initiation of change requests
• Testing and approval of changes prior to
  migration into the production environment
• Critical calculations and data validation and
  exception routines
• Interfaces
• Job sequencing and interrelationships
• Application migration procedures
• Integrity of process and access to applications
  and data by migrators
• Back out and validation of successful migrations
• Emergency change procedures and processes

25
Business Owner Change Control Processes

• Risk and controls documented, evaluated for
  specific process
• Changes are appropriately initiated and approved
  by the application and data owners
• All changes are reviewed by the application
  owners from a controls perspective and a sign-off
  that controls have been appropriately considered
  for any change(s)
• Changes are adequately tested from a controls
  functionality perspective. This should be
  performed to ensure critical controls still
  function (error checking and data validation,
  integrity of key management reports, interfaces
  function properly, etc.)
• There should be review (after the fact) of
  emergency changes such that application owners
  verify validity of change and the appropriateness
  of change on programmed controls.

26
Format for Documentation and Control Related Work

• Evaluation of IT-related risks and controls
  should be formatted similar to other process and
  control work
• Process maps
• Process narratives
• Risk and control matrices
• All work should focus on controls that affect the
  financial reporting and disclosure risks and
  controls
• Must address financial reporting assertions

27
Evaluation of IT Controls

• After the documentation is complete, evaluate
  each risk to determine whether the controls are
  designed to effectively mitigate the risks
• The evaluation should include both manual and
  systems-based controls - even in the General
  Controls processes
• At this point, control gaps if any, should be
  identified and a management action plan to deal
  with the gaps determined, for both manual and
  systems-based controls
• For controls evaluated as effective, the next
  step is to develop a testing plan so that the
  operating effectiveness can be evaluated

28
Approach to IT General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results

• For IT General Controls testing
• Test key controls can and should be tested
  similar to other processes with pervasive
  controls
• There needs to be a combination of inquiry,
  inspection, observation and re-performance
• Process flows and risk and control matrices
  should be referenced and a key to selecting the
  type of test needed
• Timing of this testing- two competing issues
• One external firm indicated that for pervasive
  controls such as IT General controls these
  controls should be tested near the as of date
• Testing of these needs to be done early in the
  overall process because the results of these
  tests directly impact the nature and extent of
  controls downstream of these.

29
Documenting General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results

• For IT General Controls testing
• Documentation of testing should be tested similar
  to other processes with pervasive controls
• There needs to be documentation standards for
  inquiry, inspection, observation and
  re-performance testing- scoping should be based
  on overall approach
• Evidence of tests should be retained for review
  and approval

30
Are you Ready for IT Control Identification
Testing? Application Controls

• John Gimpert, CPADeloitte

31
Importance of IT in Sarbanes Oxley

• For most organizations, IT controls are pervasive
  to the financial reporting process
• Financial applications and automated systems are
  typically used to initiate, record, process and
  report transactions
• Applications and ERP systems are supported by the
  general computing environment
• Effectiveness of the application computing
  controls are dependant upon the general computing
  controls
• Limitations of application controls may need to
  be appropriately mitigated by general computing
  controls
• Overall, application and general computing
  controls support the integrity and reliability of
  financial reporting

32
A Roadmap for Compliance
Source IT Governance Institute (ITGI) IT
Control Objectives for Sarbanes Oxley Discussion
Document
33
Internal Control Reliability Model
Determine the reliability and maturity of IT
controls.

34
Mapping Accounts to Controls
Significant Accounts/Processes
Balance Sheet
IncomeStatement
G/L
Inventory
Other

• Determine and walk-through key transactions and
  accounts
• Identify applications and IT systems related to
  significant accounts and transactions
• Identify, document and test controls supporting
  the above

Classes of Transactions / Business Processes
Process A
Process B
Process C
Financial Applications
Application C
Application B
Application A
Application controls (examples)
Seg of Duties
Data integrity
Completeness
Timeliness
General Computing Controls
Security
Retention
Operations
Configuration
35
Application Controls Definition

• Application controls help ensure the
  completeness, accuracy, authorization and
  validity of all transactions during application
  processing
• Application controls also support interfaces to
  other application systems to help ensure all
  inputs are received in a complete and accurate
  manner and outputs are correct
• Application controls are typically embedded
  within software programs to prevent or detect
  unauthorized transactions

36
Linking Business Process to Controls
Order Processing

• Control Objectives
• Account Receivable balances and reserves are
  complete and accurate.
• Sales revenues and cost of goods sold is complete
  and accurate
• All purchase orders received are input and
  processed
• Invoices are generated using authorized terms and
  prices
• Only valid changes are made to customer master
  files.

SalesSub-process
Order supplier controls
Customer controls
Customerorder entry
SAP, Oracle, Other Applications
Application controls cover authorized changes,
segregation of duties, validity, completeness and
timeliness of reporting of financial information.
General computing controls cover security access,
change and configuration mgt, data retention,
testing, processing integrity, etc.
37
Assertions
38
Examples of Control Identification
39
Types of controls
40
Control Evaluation and Testing Process
Discovery process for existing controls
Controls for those business processes impacting
key transactions and accounts
Y
N
Evaluation of Control Effectiveness
N
Prepare for Certification
Test Control Effectiveness
Document the Test Results
Y
41
Sample Result of Evaluation Process
42
Lessons Learned

• Effective IT application controls are critical
  and serve as a first line of defense
• Some controls exist at both the general computing
  and applications layer - for instance Security
  Controls
• Applications controls can be modernized, many
  previously manual controls can be automated (such
  as automatic generation of reports when suspect
  conditions exist)
• Applications controls can be proactively built
  into applications and can help identify risks
• Improved applications controls can result in
  improved application effectiveness and help drive
  higher quality applications
• A well controlled environment is a first step
  toward improved IT Governance

43
Sarbanes Oxley to Increase Shareholder Value

• Risk Management
• Compliance with Sarbanes Oxley has direct impact
  and IT control improvements can reduce risk for
  downstream business initiatives
• Operating Margin
• Deep understanding of process and technology
  linkages can result in process re-engineering
  initiatives, improving levels of automation
• Asset Efficiency
• Operational improvement regarding IT management
  processes
• Consolidation of systems to reduce complexity can
  result in operational efficiencies
• Revenue Growth
• Inventory your critical customer systems and data
  for future sales targeting initiatives

44
Reginald B. Combs, CISALockheed Martin
Corporation
Are you Ready for IT Control Identification
Testing? Establishing A Framework
45
Establishing A Framework

• The COSO/COBITTM Relationship
• Considerations When Identifying Controls
• Entity, General, or Application Control?

46
Establishing A Framework

• The COSO/COBITTM Relationship
• To assess an organizations internal controls,
  first identify the assessment criteria
• COSO report defines internal control consistent
  with current auditing standards and SAS guidance
• COSO report also identifies five components of
  effective internal control
• Control Environment
• Risk Assessment
• Information Communication
• Control Activities
• Monitoring

404 establish and maintain an adequate
internal control structure
47
Establishing A Framework

• The COSO/COBITTM Relationship
• To assess an organizations IT internal
  controls, first identify the assessment criteria
• COBIT framework is generally applicable and
  accepted as a standard for good IT security and
  control practices
• COBIT Business/Fiduciary Requirements derived
  from COSO categories
• COBIT classifies control objectives into four
  groups (domains)
• Plan Organize
• Acquire Implement
• Deliver Support
• Monitor and Evaluate

COSO and COBIT Provide a Complementary Framework
for IT Control Identification
48
Mapping The COSO/COBITTM Relationship
49
Considerations When Identifying Controls

• Focus on Key controls
• How does the application support the key
  financial processes?
• Is the application processing data or acting as a
  repository?
• Who relies on the controls?
• Consider the types of errors that can occur at
  the application and process level
• Ask What Can Go Wrong questions
• When evaluating IT controls and related risks,
  consider the relevant financial statement
  assertions for significant accounts

50
Entity, General, or Application Control?

• Varying Opinions on which controls fall into each
  category
• Establish definitions early and obtain consensus
• Communicate throughout the organization

51
Example Lockheed Martin Corporation
52
SOX 404 Documentation Tools

• Pentana
• JeffersonWells
• EY's tool Developed in-house
• SOXA Accelerator
• Focus - Paisley
• Axentis ERA - Methodware Lotus Notes
  Horizon--JP Morgan ICT-Grant Thornton
  Open-Pages
• SOX Express
• SPF
• Teammate Dynamic Policy

Source http//www.gain2.org/sox4jwsum.htm
53
Concluding Remarks

• Lessons learned
• Understanding the role of IT controls means
  understanding IT better
• Updating skill sets to identify/classify controls
• Changing business auditors mindset
• What they can do when IT auditors are needed
• How to relate types of testing
• How to determine the impact of deficiencies

54
Questions Answers

• E-mail your questions by clicking on the link
  provided or directly to info_at_tvworldwide.com

55
Next Webcast

• March 9, 2004
• Balancing SOX with Risk Based Audit Planning
• See you at our next webcast!