Are You Ready for IT Control Identification & Testing? - PowerPoint PPT Presentation

Description: Are You Ready for IT Control Identification & Testing? The Institute of Internal Auditors, February 10, 2004. Moderator: Xenia Ley Parker, CIA, CISA, CFSA. 56 slides.
Transcript and Presenter's Notes
1
Are You Ready for IT Control Identification & Testing?
  • The Institute of Internal Auditors, February 10, 2004

Moderator: Xenia Ley Parker, CIA, CISA, CFSA, XLP Associates
2
Agenda
  • Introduction & Overview
  • Xenia Ley Parker, XLP Associates
  • General Controls
  • Edward Hill, Protiviti
  • Application Controls
  • John Gimpert, Deloitte
  • Establishing a Framework
  • Reggie Combs, Lockheed Martin
  • Break
  • Q & A

3
References
  • Public Company Accounting Oversight Board - www.pcaobus.org/
  • Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm
  • Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO); Exposure Draft, Enterprise Risk Management Framework - www.coso.org
  • CobiT 3rd Edition©, IT Governance Institute - www.isaca.org
  • IT Control Objectives for Sarbanes-Oxley - www.itgi.org
  • The IIA GAIN Flash Survey: Use of SOX tools - www.gain2.org/sox4jwsum
  • Protiviti: Guide to the Sarbanes-Oxley Act, IT Risks and Controls, Frequently Asked Questions - www.protiviti.com
  • Deloitte: Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 - www.deloitte.com
  • PricewaterhouseCoopers: Understanding the Independent Auditor's Role in Building Trust; The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges - www.pwc.com

4
PCAOB ED Statements: Impact on IT Control Guidance
  • In determining which controls should be tested: generally, such controls include information technology general controls, on which other controls are dependent (page 41)
  • The auditor should obtain an understanding of
    the design of specific controls by applying
    procedures that include tracing transactions
    through the information system relevant to
    financial reporting (page 48)
  • Information technology general controls over
    program development, program changes, computer
    operations, and access to programs and data help
    ensure that specific controls over the processing
    of transactions are operating effectively (page
    51)

5
PCAOB ED Statements: Impact on IT Control Guidance
  • The risk that the controls might not be operating effectively. Factors include the following:
  • The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (p 74)
  • The auditor should trace all types of transactions and events, both recurring and unusual, from origination through the company's information systems until they are reflected in the company's financial reports (page 79)

Source: http://www.pcaobus.org/
6
Introduction of Key Issues
  • Define 404 universe: processes, risks, & controls
  • Identify key controls & assertions related to control considerations
  • Impact of IT controls
  • Application vs. IT controls
  • Establishing a framework

7
PCAOB Release No. 2003-017 issued 7 October 2003
  • Because of the frequency with which management of
    public companies is expected to use COSO as the
    framework for the assessment, the directions in
    the proposed standard are based on the COSO
    framework
  • Other suitable frameworks have been published in
    other countries and likely will be published in
    the future
  • Although different frameworks may not contain
    exactly the same elements as COSO, they should
    have elements that encompass all of COSO's
    general themes

8
Tone at the Top
  • IT Executives need to be well versed on internal
    control theory and practice
  • Does the audit committee have the expertise to
    understand the relevance and degree of
    reliability/importance of IT controls?
  • Is the audit committee aware of any significant
    activities affecting the IT environment as it
    relates to financial reporting?

9
IT Control Objectives for Sarbanes-Oxley: Common Elements of Organizations
10
Sarbanes-Oxley, COSO and COBIT
11
Sarbanes-Oxley IT Diagnostic Questions
  • 1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404?
  • 2. Does IT management understand the financial reporting process and its supporting systems?
  • 3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing?
  • 4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization?
  • 5. Are the IT department's roles and responsibilities related to Section 404 documented & understood by all members of the IT department?

12
Sarbanes-Oxley IT Diagnostic Questions
  • 6. Do IT employees understand their roles, do
    they possess the requisite skills to perform
    their job responsibilities relating to internal
    control, are they supported with appropriate
    skill development?
  • 7. Is the IT department's risk assessment process integrated with the company's overall risk assessment process for financial reporting?
  • 8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis?
  • 9. Does IT have a formal process in place to identify & respond to IT control deficiencies?
  • 10. Is the effectiveness of IT controls monitored & followed up on a regular basis?
  • Source for Slides 8-12: IT Governance Institute, ISACA

13
Are you Ready for IT Control Identification & Testing? General Controls
Edward Hill, CPA, Protiviti
14
Plain English Approach: IT Risks & Controls for SOX 404
  • Define universe, processes, risks & controls
  • Assertion relationships
  • Document key controls & evaluate
  • Testing of key controls: what to do

IT Organization Structure
IT Entity Level Control Evaluations
IT Process Level Control Evaluations
15
16
General IT Process Risks and Controls - A Typical Universe Risk Assessment
General IT Processes
  • Security Administration
  • Application Maintenance - Change Control
  • Ensure Continuity - Data Management & Disaster Recovery
  • Manage Technical Infrastructure & Operations - Problem Management
  • Asset Management

17
Impact of STRONG Controls at the IT General
Controls
General IT Processes
Integrated Application Specific Processes
Application Data Owner Processes
  • Applications perform as designed
  • Programmed controls function as designed
  • Access to transactions and data function as
    designed
  • WHEN SETTING SCOPE
  • Work at application and data owner level can
    focus on proper design of controls
  • General controls provide an indication that such
    controls operate as intended

18
Controls: Security Administration
  • How does this relate to the assertions - what can go wrong?
  • Security, designed & implemented properly, assures transactions are executed by only those individuals with authorization.
  • Security, designed appropriately, ensures (physical and electronic) access to assets is restricted.
  • This impact must be understood at each IT component level:
  • Application transaction and data level
  • Access to the systems and infrastructure such as
    administrator and super user
  • Databases
  • Platforms (operating systems)
  • Networks

19
Security & Segregation of Duties
  • Potential impact on assertions
  • Transactions are executed only by individuals authorized by management to do so
  • Duties that are incompatible from an internal control standpoint are segregated in accordance with management's criteria
  • Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorization and segregation issues)

20

Security Administration
  • Risk and controls documented, evaluated for
    specific process portions
  • Role set up, maintenance and periodic validation
  • User set up, maintenance and deletion
  • Data classification and rules allowing access to
    sensitive data
  • Periodic transaction and data access review,
    validation and follow-up
  • Risks and controls documented, evaluated at the
    technical level
  • Set up of administrative and other sensitive
    accounts for all technology components
  • Add, modify and delete procedures
  • Audit trail rules and set-up
  • Monitoring and review procedures for usage of administrative and sensitive accounts

21
Security Administration
  • Risk and controls documented, evaluated for
    specific process portions
  • Development and maintenance of security roles restricting access to transactions and data to only individuals with a valid business need to execute transactions and access data
  • Development and communication to the IT
    organization the roles and transactions needed to
    be segregated from an internal controls
    standpoint
  • Maintenance and review of applications changes to
    confirm appropriateness of the roles and
    transactions identified as incompatible from an
    internal control standpoint
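The segregation-of-duties and security-administration controls on slides 19-21 (incompatible duties per management's criteria, periodic access validation, monitoring of sensitive-account usage) can be turned into a repeatable review. The following is an added illustration, not code from the presentation or any of the presenting firms; the role-to-transaction map, the incompatible pairs, the user roster, the audit-trail lines and the review date are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation) -------------------------
ROLE_TRANSACTIONS = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_ENTRY"},
    "AP_MANAGER":    {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "SYS_ADMIN":     {"USER_ADMIN", "PROD_MIGRATE"},
}
# Management-defined incompatible duty pairs (constructed example criteria)
INCOMPATIBLE = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}),
    frozenset({"INVOICE_ENTRY", "INVOICE_APPROVE"}),
    frozenset({"PROD_MIGRATE", "JOURNAL_POST"}),
}
# user -> (roles held, date the data owner last certified this access)
USERS = {
    "alice": ({"AP_CLERK"}, date(2004, 1, 15)),
    "bob":   ({"AP_CLERK", "AP_MANAGER"}, date(2004, 1, 20)),
    "carol": ({"GL_ACCOUNTANT", "SYS_ADMIN"}, date(2003, 6, 1)),
    "dave":  ({"AP_MANAGER"}, date(2003, 12, 30)),
}
# Constructed audit-trail lines: timestamp, account, action, change ticket ('-' = none)
AUDIT_TRAIL = """\
2004-02-03T22:10:05 carol PROD_MIGRATE CHG-1042
2004-02-05T09:31:44 carol PROD_MIGRATE -
2004-02-06T14:02:10 alice INVOICE_ENTRY -
""".splitlines()
SENSITIVE = {"PROD_MIGRATE", "USER_ADMIN"}


def effective_transactions(roles):
    """Union of transactions granted through all of a user's roles."""
    return set().union(*(ROLE_TRANSACTIONS.get(r, set()) for r in roles))


def sod_conflicts(users=USERS, incompatible=INCOMPATIBLE):
    """{user: [incompatible pairs the user can execute end to end]}.

    A conflict exists when both halves of a pair are reachable through any
    combination of the user's roles, not only through a single role.
    """
    findings = {}
    for user, (roles, _) in users.items():
        granted = effective_transactions(roles)
        hits = [tuple(sorted(p)) for p in incompatible if p <= granted]
        if hits:
            findings[user] = sorted(hits)
    return findings


def stale_certifications(as_of=date(2004, 2, 10), max_age_days=90, users=USERS):
    """Users whose access was not re-validated within the review period (constructed review date)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(u for u, (_, certified) in users.items() if certified < cutoff)


def unticketed_sensitive_use(lines=AUDIT_TRAIL, sensitive=SENSITIVE):
    """Sensitive actions recorded without a change-ticket reference, for follow-up."""
    out = []
    for line in lines:
        ts, account, action, ticket = line.split()
        if action in sensitive and ticket == "-":
            out.append((ts, account, action))
    return out


if __name__ == "__main__":
    for u, pairs in sod_conflicts().items():
        print(f"SoD conflict: {u} can execute {pairs}")
    print("Stale access certifications:", stale_certifications())
    print("Unticketed sensitive use:", unticketed_sensitive_use())
```

Each finding maps back to a slide-21 control: conflicts to the incompatible-roles definition, stale certifications to periodic validation, and unticketed sensitive use to the monitoring of administrative accounts.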

22

Manage Applications - Change Controls
  • How does this relate to the assertions - what can go wrong?
  • Application change control provides assurance that applications function as intended and that the integrity of processing can be assured
  • Appropriate application changes assure completeness and accuracy of processing
  • Together with security administration, the change process assures that transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions
  • Access to applications and data through the
    change process must be restricted so that
    inadvertent or deliberate changes to the
    following do not occur
  • Production data
  • Other related components such as interface
    routines, background processing and updates, etc.

23
Application & Data Owner Responsibilities For Change Controls
  • How does this relate to the assertions - what can go wrong?
  • Application changes may not be in accordance with the directives of the business owners, causing them not to function as intended or to lack the appropriate controls - impacts:
  • Completeness and accuracy
  • Authorization
  • Access to assets
  • There may be changes to the security administration of roles and responsibilities that affect the controls which ensure appropriate authorization of transactions and access to assets

24

Manage Applications - Change Controls
  • Risk and controls documented, evaluated for
    specific process
  • Initiation of change requests
  • Testing and approval of changes prior to
    migration into the production environment
  • Critical calculations and data validation and
    exception routines
  • Interfaces
  • Job sequencing and interrelationships
  • Application migration procedures
  • Integrity of process and access to applications
    and data by migrators
  • Back out and validation of successful migrations
  • Emergency change procedures and processes

25
Business Owner Change Control Processes
  • Risk and controls documented, evaluated for
    specific process
  • Changes are appropriately initiated and approved
    by the application and data owners
  • All changes are reviewed by the application
    owners from a controls perspective and a sign-off
    that controls have been appropriately considered
    for any change(s)
  • Changes are adequately tested from a controls & functionality perspective. This should be
    performed to ensure critical controls still
    function (error checking and data validation,
    integrity of key management reports, interfaces
    function properly, etc.)
  • There should be review (after the fact) of
    emergency changes such that application owners
    verify validity of change and the appropriateness
    of change on programmed controls.

26
Format for Documentation and Control Related Work
  • Evaluation of IT-related risks and controls
    should be formatted similar to other process and
    control work
  • Process maps
  • Process narratives
  • Risk and control matrices
  • All work should focus on controls that affect the
    financial reporting and disclosure risks and
    controls
  • Must address financial reporting assertions

27
Evaluation of IT Controls
  • After the documentation is complete, evaluate
    each risk to determine whether the controls are
    designed to effectively mitigate the risks
  • The evaluation should include both manual and
    systems-based controls - even in the General
    Controls processes
  • At this point, control gaps, if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls
  • For controls evaluated as effective, the next
    step is to develop a testing plan so that the
    operating effectiveness can be evaluated

28
Approach to IT General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results
  • For IT General Controls testing
  • Key controls can and should be tested similar to other processes with pervasive controls
  • There needs to be a combination of inquiry, inspection, observation and re-performance
  • Process flows and risk and control matrices should be referenced and are a key to selecting the type of test needed
  • Timing of this testing - two competing issues:
  • One external firm indicated that pervasive controls such as IT General controls should be tested near the as-of date
  • Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls testing downstream of these.

29
Documenting General Controls Testing
Update Testing
Define Testing Scopes
Build Testing Plan
Execute Testing
Analyze Test Results
  • For IT General Controls testing
  • Documentation of testing should follow the same approach as for other processes with pervasive controls
  • There need to be documentation standards for inquiry, inspection, observation and re-performance testing - scoping should be based on the overall approach
  • Evidence of tests should be retained for review and approval

30
Are you Ready for IT Control Identification & Testing? Application Controls
  • John Gimpert, CPA, Deloitte

31
Importance of IT in Sarbanes-Oxley
  • For most organizations, IT controls are pervasive
    to the financial reporting process
  • Financial applications and automated systems are
    typically used to initiate, record, process and
    report transactions
  • Applications and ERP systems are supported by the
    general computing environment
  • Effectiveness of the application computing controls is dependent upon the general computing controls
  • Limitations of application controls may need to
    be appropriately mitigated by general computing
    controls
  • Overall, application and general computing
    controls support the integrity and reliability of
    financial reporting

32
A Roadmap for Compliance
Source: IT Governance Institute (ITGI), IT Control Objectives for Sarbanes-Oxley Discussion Document
33
Internal Control Reliability Model
Determine the reliability and maturity of IT
controls.

34
Mapping Accounts to Controls
  • Determine and walk-through key transactions and accounts
  • Identify applications and IT systems related to significant accounts and transactions
  • Identify, document and test controls supporting the above

Diagram: Significant Accounts/Processes (Balance Sheet, Income Statement, G/L, Inventory, Other) map to Classes of Transactions / Business Processes (Process A, Process B, Process C), which in turn map to Financial Applications (Application A, Application B, Application C). Application controls (examples): segregation of duties, data integrity, completeness, timeliness. General Computing Controls: security, retention, operations, configuration.
35
Application Controls Definition
  • Application controls help ensure the
    completeness, accuracy, authorization and
    validity of all transactions during application
    processing
  • Application controls also support interfaces to
    other application systems to help ensure all
    inputs are received in a complete and accurate
    manner and outputs are correct
  • Application controls are typically embedded
    within software programs to prevent or detect
    unauthorized transactions

36
Linking Business Process to Controls
Order Processing
  • Control Objectives
  • Accounts Receivable balances and reserves are complete and accurate.
  • Sales revenues and cost of goods sold are complete and accurate
  • All purchase orders received are input and processed
  • Invoices are generated using authorized terms and prices
  • Only valid changes are made to customer master files.

Diagram: Sales sub-process (order supplier controls, customer controls, customer order entry) running on SAP, Oracle and other applications.
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
General computing controls cover security access, change and configuration management, data retention, testing, processing integrity, etc.
37
Assertions
38
Examples of Control Identification
39
Types of controls
40
Control Evaluation and Testing Process
Flowchart: discovery process for existing controls; controls for those business processes impacting key transactions and accounts (Y/N); evaluation of control effectiveness (Y/N); test control effectiveness; document the test results; prepare for certification.
41
Sample Result of Evaluation Process
42
Lessons Learned
  • Effective IT application controls are critical
    and serve as a first line of defense
  • Some controls exist at both the general computing
    and applications layer - for instance Security
    Controls
  • Application controls can be modernized; many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist)
  • Applications controls can be proactively built
    into applications and can help identify risks
  • Improved applications controls can result in
    improved application effectiveness and help drive
    higher quality applications
  • A well controlled environment is a first step
    toward improved IT Governance

43
Sarbanes-Oxley to Increase Shareholder Value
  • Risk Management
  • Compliance with Sarbanes-Oxley has a direct impact, and IT control improvements can reduce risk for downstream business initiatives
  • Operating Margin
  • Deep understanding of process and technology
    linkages can result in process re-engineering
    initiatives, improving levels of automation
  • Asset Efficiency
  • Operational improvement regarding IT management
    processes
  • Consolidation of systems to reduce complexity can
    result in operational efficiencies
  • Revenue Growth
  • Inventory your critical customer systems and data
    for future sales targeting initiatives

44
Reginald B. Combs, CISA, Lockheed Martin Corporation
Are you Ready for IT Control Identification & Testing? Establishing A Framework
45
Establishing A Framework
  • The COSO/COBIT™ Relationship
  • Considerations When Identifying Controls
  • Entity, General, or Application Control?

46
Establishing A Framework
  • The COSO/COBIT™ Relationship
  • To assess an organization's internal controls, first identify the assessment criteria
  • COSO report defines internal control consistent with current auditing standards and SAS guidance
  • COSO report also identifies five components of effective internal control:
  • Control Environment
  • Risk Assessment
  • Information & Communication
  • Control Activities
  • Monitoring

Section 404: "establish and maintain an adequate internal control structure"
47
Establishing A Framework
  • The COSO/COBIT™ Relationship
  • To assess an organization's IT internal controls, first identify the assessment criteria
  • COBIT framework is generally applicable and accepted as a standard for good IT security and control practices
  • COBIT Business/Fiduciary Requirements derived from COSO categories
  • COBIT classifies control objectives into four groups (domains):
  • Plan & Organize
  • Acquire & Implement
  • Deliver & Support
  • Monitor and Evaluate

COSO and COBIT Provide a Complementary Framework
for IT Control Identification
48
Mapping The COSO/COBIT™ Relationship
49
Considerations When Identifying Controls
  • Focus on Key controls
  • How does the application support the key
    financial processes?
  • Is the application processing data or acting as a
    repository?
  • Who relies on the controls?
  • Consider the types of errors that can occur at
    the application and process level
  • Ask "What Can Go Wrong" questions
  • When evaluating IT controls and related risks,
    consider the relevant financial statement
    assertions for significant accounts

50
Entity, General, or Application Control?
  • Varying Opinions on which controls fall into each
    category
  • Establish definitions early and obtain consensus
  • Communicate throughout the organization

51
Example: Lockheed Martin Corporation
52
SOX 404 Documentation Tools
  • Pentana
  • JeffersonWells
  • EY's tool (developed in-house)
  • SOXA Accelerator
  • Focus - Paisley
  • Axentis ERA - Methodware
  • Lotus Notes
  • Horizon - JP Morgan
  • ICT - Grant Thornton
  • Open-Pages
  • SOX Express
  • SPF
  • Teammate Dynamic Policy

Source: http://www.gain2.org/sox4jwsum.htm
53
Concluding Remarks
  • Lessons learned
  • Understanding the role of IT controls means
    understanding IT better
  • Updating skill sets to identify/classify controls
  • Changing business auditors' mindset
  • What they can do when IT auditors are needed
  • How to relate types of testing
  • How to determine the impact of deficiencies

54
Questions & Answers
  • E-mail your questions by clicking on the link
    provided or directly to info_at_tvworldwide.com

55
Next Webcast
  • March 9, 2004
  • Balancing SOX with Risk Based Audit Planning
  • See you at our next webcast!