
ISACA Greater Kansas City Chapter Control Rationalization: Taking Action September 14, 2006



Presentation Transcript


  1. ISACA Greater Kansas City Chapter. Control Rationalization: Taking Action. September 14, 2006

  2. Agenda
     • Introductions
     • Getting to Know You
     • Control Rationalization Overview
     • General Computer Control (GCC) Challenges
     • GCC Control Rationalization Overview
     • Control Risk-Rating
     • Control Design
     • Risk-Based Testing
     • Cost Analysis
     • Working with your External Auditors
     • Leveraging Company Level Controls & Automation
     • Roadmap and Wrap-Up

  3. Polling Question: What industry do you work in?
     • Financial Services
     • Manufacturing
     • Technology, Media, and Telecom
     • Entertainment
     • Consumer Business
     • Energy & Utilities
     • Transportation
     • Health Care & Life Sciences
     • Public Sector
     • Other

  4. Polling Question: What is your position?
     • Internal Audit / IT Audit
     • Finance & Accounting
     • Information Technology
     • Sarbanes-Oxley Group
     • Other

  5. Polling Question: Does your organization comply with Sarbanes-Oxley or perform testing of controls?
     • Yes
     • No
     • Don’t Know / No Answer

  6. Polling Question: Do you feel your organization has too many key controls (business process and/or IT) that are tested?
     • Yes
     • No
     • Don’t Know / No Answer

  7. Polling Question: Do you feel that you spend too much of your time focusing on non-critical controls?
     • Yes
     • No
     • Don’t Know / No Answer

  8. Polling Question: Who is driving interest in control rationalization in your organization?
     • Internal Audit / IT Audit
     • Audit Committee / Executive Management
     • External Auditor
     • Sarbanes-Oxley Group
     • Business Units / IT
     • All of the above
     • None of the above
     • I’m just here for the CPE and lunch

  9. Control Rationalization - Overview
     Sections: Control Rationalization Overview, Control Risk-Rating, Risk-Based Testing, Cost Analysis, Company Level Controls, Control Automation, Roadmap
     Activities:
     • Understand Control Rationalization concepts; how to apply to company
     • Discuss approach; risk-rate control objectives
     • Define updated approach; discuss impact to company
     • Define cost analysis approach; review modeling of cost savings
     • Determine impact on risk-rated controls; define CLCs and BMC’s and process focus; identify CLCs that are relevant to company; discuss short and long term impact
     • Define approach; discuss process and impact to company
     • Define roadmap approach; discuss next steps; wrap up
     Outcomes:
     • Understand Control Rationalization concepts and how to apply them to the company
     • Process to apply; examples of applying risk-rating
     • Impact on test approach based on risk-rating; examples of applying to company controls
     • Modeling approach to cost savings
     • How to identify and use CLCs
     • Understand benefits of leveraging automation
     • Next steps to apply Control Rationalization to company’s control program

  10. Control Rationalization Overview (section divider)

  11. What is Control Rationalization? Control Rationalization is a top-down, risk-based approach to implement a lean and balanced control program. (Diagram: rationalize both the strategic controls and the routine / transactional controls.)

  12. Recent Regulatory Guidance

  13. Company-Level Controls (“CLCs”)
     What are Company-Level Controls (CLCs)? Controls that have a pervasive impact on financial reporting either because they 1) are a component of the organization’s overall governance practices; or 2) address specific control objectives/risks within the organization’s business processes.
     Why do we care about CLCs?
     • Pervasive impact on transactional processing
     • Critical to operational performance
     • Often performed by senior management and/or specialized staff (i.e. the Accounting department)
     • More efficient to test
     • Lower frequency of operation
     • Often centralized
     Why can’t we rely only on CLCs, and eliminate all the other controls?
     • Detective in nature
     • Almost always manual
     • PCAOB expressly prohibits auditors from relying on CLCs (AS2, paragraph 54)

  14. General Computer Control (GCC) Challenges

  15. Polling Question: How would you describe the relationship and correlation of business process and IT controls in your organization?
     • Not integrated / operating in silos
     • Somewhat integrated
     • Highly integrated
     • Don’t Know / No Answer

  16. Under Pressure: General Computer Control Challenges
     • Chief Information Officers, IT Compliance Directors and IT Audit Directors often find that IT-related Sarbanes-Oxley costs exceed expectations
     • Unfortunately, despite continued good faith efforts in Year 2, early evidence from 2005 proxy statements suggests that companies continue to identify weaknesses in controls related to IT
     • In effect, many efforts are not working to build a sustainable compliance program regarding general computer controls
     • And yet, there’s a continued focus on containing IT costs associated with Sarbanes-Oxley
     Companies seeking to manage costs without jeopardizing compliance should evaluate Control Rationalization as the likely first step.

  17. Under Pressure: What’s the problem with general computer controls? The following factors appear to remain at play at some companies:
     • Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
     • Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary
     • Companies are not applying IT control frameworks in a manner that leverages IT-related company level controls
     • Companies are still applying a short-term mindset versus a long-term strategy to address flaws in control design, and to drive continuous improvement
     • Where cost savings were realized in Year 2, companies are failing to reinvest some of those savings in higher risk areas

  18. Challenges and Opportunities
     Solution: Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges.
     Definition - Control Rationalization: Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.
     Guiding Principles:
     • Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.
     • Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.
     • Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations.
     • Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.

  19. Key Principles: Rationalizing General Computer Controls
     • Although a direct linkage to a company’s overall risk assessment in many cases may not be possible, risk-rate GCC categories and control objectives in a manner that gives greater consideration to those areas or control objectives that more directly promote reliability, integrity of financial-related processing, and segregation of duties
     • Apply a risk-rating approach towards GCC categories and control objectives to promote appropriate deployment of compliance efforts
     • Where GCCs are considered reliable, place a higher reliance on IT-related company level controls (e.g., setting of consistent policy procedures for GCC areas, effective monitoring), particularly for lower risk areas
     • Take advantage of opportunities to focus on removing secondary or redundant controls from testing if an effective higher-level control can be identified
     • Consider testing GCC processes before performing detailed tests related to IT configurations for lower risk areas
     • Be sure to prioritize controls addressing multiple risks

  20. GCC Control Rationalization Overview

  21. Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls (General Computer Control Rationalization: Lean and Balanced)
     Step 1. In scope: Perform IT risk assessment (identify relevant applications, platforms). Out of scope: Remove non-relevant IT applications and platforms.
     Step 2. In scope: Relevance to financial reporting objectives and risk-rating of associated major classes of transactions. Out of scope: Remove non-relevant control objectives.
     Step 3. In scope: Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives. Out of scope: Remove unnecessary controls from testing scope.
     Step 4. Evaluate GCCs for effective and efficient testing; develop risk-based testing approach for GCCs. Result: Re-designed Testing Approach.
     *Efficiency Evaluation Criteria:
     • Remove secondary or redundant controls
     • Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test process for granting access before password settings)
     • Prioritize controls addressing multiple risks

  22. Control Risk-Rating (section divider)

  23. What is a Risk-Rating?
     • A risk-rating process evaluates the risk of a material control weakness based on the magnitude and likelihood of misstatement (inherent risk)
     • Risk-rating impacts:
       • Identification of significant accounts and processes
       • Nature, timing and extent of control testing
       • Reliance by external auditor on management’s work
     • Sample risk-rating classification:
       • High
       • Medium
       • Low
       • Remote (typically scoped out of testing)
     • Risk-rating is typically applied to the control activity or control objective levels, although it can also be applied at the account, process and transaction levels

  24. Rationalize controls and redesign test plans
     Step 1. Identify and risk-rate Control Objectives (COs). Input from Phase 1: significant accounts, relevant assertions, major classes of transactions; non-relevant items are out of scope.
     Step 2. Leverage process-specific CLCs: consider removing related PLCs from testing scope. Note: CLCs often do not have sufficient precision. If so, consider enhancing CLCs.
     Step 3. Identify PLCs that fully address multiple COs: consider removing redundant PLCs from testing scope. Note: in some cases two controls, which by themselves only partially meet the control objective, can in combination fully meet the objective. Identify PLCs that fully address single COs: consider removing ineffective PLCs from testing scope. Within these PLCs, prioritize automated controls: consider removing redundant manual PLCs based on risk-rating. Note: in high-risk areas, consider retaining redundant controls.
     Result: set of controls to be tested (PLCs, CLCs, automated, manual); develop risk-based testing approach (re-designed testing approach).

  25. Risk Based Approach for GCCs: Risk-rate GCC areas
     The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.” (Illustrative Purposes Only)
     Risk Evaluation Considerations (General Computer Control Category; Examples of Qualitative Factors; Example Procedures; Risk Ranking):
     • Application System Development & Maintenance: high volume of changes, application dependencies; test all three levels; H
     • Information Security: high employee turnover, complex architecture; test all three levels; H
     • Information Systems Operations: mature monitoring processes, automated tools; test predominantly IT company level and process level controls; M
     • Systems Software Support: homogenous environment, automated tools; test predominantly IT company level controls; L
     NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.

  26. Risk Based Approach for GCCs: Rationalize controls
     After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach. For this example, the three controls in bold text will be assessed, which represents a 50% reduction in testing.
     • The organization’s SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated.
     • These two controls are redundant in nature; accordingly, only one control will be evaluated.
     • This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process; accordingly, this control will not be evaluated.

  27. Control Objective Assessment Grid
     (Grid: Magnitude of Potential Error (Low to High) against Likelihood of Potential Error (Low to High), with control objectives 1 through 24 plotted.)
     Risk rate control objectives for applicable assertions. Extending the risk assessment to the control objectives provides the foundation for varying the nature, timing and extent of control testing.
     Why risk rate Control Objectives (COs)?
     • Provides foundation for risk based test plan and control rationalization efforts
     • Assists in prioritizing remediation efforts, and making the concluding process more efficient
     • Assists in confirming the risk rating of the major classes of transactions and subsequent work planning efforts
     The approach:
     • Understand the flow of transactions. Identify the points within the process where risks of financial misstatement could occur
     • List control objectives based on the relevant assertions identified in Phase 1 step 3
     • Risk rate (using magnitude and likelihood of potential error) the individual control objectives within the major classes of transactions (MCOT). [COs related to low risk rated MCOTs can be classified as low. COs related to high risk MCOTs are more likely to be rated high. However, MCOTs with a high risk rating may have individual COs that are risk rated M or L.]
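The rating and rationalization steps of slides 24 and 27, worked through as an added example (this is not the presenters' or Deloitte's code): control objectives are rated from magnitude and likelihood of potential error, a precise process-specific CLC takes related PLCs out of test scope, PLCs that fully address several objectives are kept with automated ones first, redundant PLCs are dropped, and high-risk objectives keep a PLC even where a CLC covers them. The rating cut-offs, objective ids and control names are constructed assumptions.

```python
"""Added example: slide-27 magnitude/likelihood rating plus slide-24 rationalization.
Rating cut-offs, objectives and controls are constructed for illustration."""
from dataclasses import dataclass

RANK = {"L": 0, "M": 1, "H": 2}


def risk_rate(magnitude, likelihood):
    """Rate one control objective (slide 23 classes). Cut-offs are an assumption."""
    if likelihood == "R":
        return "Remote"            # typically scoped out of testing (slide 23)
    score = RANK[magnitude] + RANK[likelihood]
    return "High" if score >= 3 else "Medium" if score == 2 else "Low"


@dataclass(frozen=True)
class Control:
    name: str
    covers: frozenset            # control objectives the control fully addresses
    automated: bool = False
    is_clc: bool = False         # process-specific company-level control
    precise: bool = True         # CLC precision (slide 24 note)


def rationalize(objectives, controls):
    """objectives: {co_id: (magnitude, likelihood)}.
    Returns (ratings, controls to test, removed controls with reason, uncovered COs)."""
    ratings = {co: risk_rate(m, l) for co, (m, l) in objectives.items()}
    in_scope = {co for co, r in ratings.items() if r != "Remote"}
    to_test, removed, clc_covered = [], {}, set()
    # Step 2: a precise process-specific CLC covers its objectives, so related
    # PLCs can leave the test scope; high-risk objectives keep a PLC as well.
    for c in controls:
        if c.is_clc and c.precise:
            to_test.append(c.name)
            clc_covered |= c.covers & in_scope
        elif c.is_clc:
            removed[c.name] = "CLC lacks precision; consider enhancing it"
    uncovered = {co for co in in_scope
                 if co not in clc_covered or ratings[co] == "High"}
    # Step 3: greedy pick of PLCs that fully address the most in-scope objectives,
    # automated before manual; a PLC adding no new coverage is redundant.
    plcs = sorted((c for c in controls if not c.is_clc),
                  key=lambda c: (-len(c.covers & in_scope), not c.automated, c.name))
    for c in plcs:
        gain = c.covers & uncovered
        if gain:
            to_test.append(c.name)
            uncovered -= gain
        elif c.covers & in_scope:
            removed[c.name] = "redundant; objectives already covered"
        else:
            removed[c.name] = "addresses only out-of-scope objectives"
    return ratings, to_test, removed, uncovered


# Constructed GCC sample: objective id -> (magnitude, likelihood of error).
OBJECTIVES = {
    "CO1": ("H", "H"),   # production access restricted
    "CO2": ("H", "M"),   # program changes authorised and tested
    "CO3": ("M", "M"),   # test and production environments segregated
    "CO4": ("L", "L"),   # scheduler changes approved
    "CO5": ("M", "R"),   # SDLC methodology documented
}
CONTROLS = [
    Control("IT access policy and management review", frozenset({"CO1", "CO3", "CO4"}), is_clc=True),
    Control("IT steering committee review", frozenset({"CO2"}), is_clc=True, precise=False),
    Control("Automated change promotion workflow", frozenset({"CO2", "CO3"}), automated=True),
    Control("Automated role-based test/prod segregation", frozenset({"CO1", "CO3"}), automated=True),
    Control("Manual change ticket approval", frozenset({"CO2"})),
    Control("Quarterly access recertification", frozenset({"CO1"})),
    Control("Scheduler change approval form", frozenset({"CO4"})),
    Control("SDLC document review", frozenset({"CO5"})),
]

if __name__ == "__main__":
    ratings, tested, removed, left = rationalize(OBJECTIVES, CONTROLS)
    print(ratings)
    print("test:", tested)                   # 3 of 8 controls remain in scope
    print("removed:", removed, "uncovered:", left)
```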

  28. Example Risk-Ranked Heat Map

  29. Exercise: Risk-rate the control risks below. Financial Reporting: General Computer Controls. Control: Access to test and production environments is appropriately restricted and segregated.

  30. Control Design

  31. Polling Question: How many controls (business process and IT) does your organization have in place that are considered for testing?
     • Over 1,000
     • 750 – 999
     • 500 – 749
     • 250 – 499
     • Under 249
     • Don’t Know / No Answer

  32. Polling Question: Do you feel your organization has duplicative, or non-unique, controls?
     • Yes
     • No
     • Don’t Know / No Answer

  33. Standardizing Control Design – Best Practices
     • Develop a standard set of risks to evaluate across LOBs
       • Align to assertions
     • Tailor standard risk set to the LOB
       • Include specific risks and omit irrelevant risks
       • Include rationale for additions and omissions
     • Develop model control activities to link to each standard risk
       • Provides a consistent starting point for control documentation
       • Generic in nature; must be tailored to the LOB
     • Document control points in high-level process flows
       • Identify areas where controls should be strengthened
       • Improves method for selecting key controls

  34. Risk-Based Testing (section divider)

  35. Implementing a risk-based test plan Once management has designed appropriate controls to address financial reporting risks, it has the additional opportunity to reduce costs by designing risk-based test plans. Risk-based test plans vary the nature, extent and timing of testing based on risk.

  36. Cost Analysis (section divider)

  37. Testing: Cost Analysis* Based on any potential changes to testing effort based on risk-ratings, an organization can assess the impact on management’s testing resources. A standard framework can be used to measure resource requirements for the risk-based testing program, and provide comparisons to current testing costs. *Note: the example below is included solely for illustrative purposes and does not imply in any way that these or any other savings are likely or possible. The framework relates only to management’s testing, not auditor testing.

  38. Working with your External Auditors

  39. Working with your External Auditors
     • Develop rapport with external auditors on concepts that lead to more efficient and effective compliance. Concepts include:
       • Role that likelihood of errors and error magnitude should play in scoping decisions for SOX framework testing.
       • Scoping of compliance testing should be risk-based.

  40. External Auditor’s CR Considerations
     • Auditor’s use of management’s work
       • Depends on nature of control
       • Depends on objectivity and competence of the person who tested it
     • Focus on risk associated with a particular control or area
     • Overriding consideration is obtaining principal evidence
     • Self assessment “trade-off” – auditor may need to do more testing to gain assurance

  41. Leveraging CLCs & Automation (section divider)

  42. How Can CLCs Be Applied to CR? Certain CLCs, termed process-specific CLCs, may be leveraged to further rationalize the control framework.
     What are Company Level Controls (CLCs)? The PCAOB describes company-level controls as those that are associated with the control environment, centralized processing, period end financial reporting, monitoring results of operations, etc. As such, they may reside at the entity-level and at the process-level. In the Control Rationalization approach, CLCs that are effective in achieving process-level control objectives are referred to as process-specific CLCs.
     To be effective in addressing process-level control objectives, process-specific CLCs possess the following characteristics:
     • Relevance: Addresses process level risk
     • Frequency: Operates with enough regularity to enable timely detection of errors or fraud
     • Precision: Operates at a sufficiently precise level of detail to adequately address risk of misstatement (e.g., precise enough to detect at least “greater than inconsequential” errors in financial reporting. A detective control designed to detect a “material misstatement” is not precise enough to reduce the likelihood of material misstatement to remote)
     Note: Effectiveness of system-dependent CLCs relies on an underlying set of strong general computer controls (GCCs) and application controls.

  43. Leveraging CLCs
     Identify the Process Level Control Activities that are adequately covered by the CLCs. Assuming that the CLCs satisfy the criteria of precision, specificity, frequency, etc., they can be used to reduce the extent of reliance placed on related PLCs. The CLCs that address control objectives with a high degree of precision can be used to reduce or eliminate related PLCs from the scope of management’s internal control assessment.

  44. Automation of controls: How Can Automation be Applied to CR?
     Companies should consider enabling functionality in existing IT applications and/or implementing new technology to minimize reliance on people-based controls (requires a strong general computer controls foundation).
     Impact on control testing:
     • More reliable
     • Can potentially decrease cost of testing:
       • Extent: Much less extensive; typically requires a lesser number of sample items (because likelihood of an exception is low)
       • Timing: ‘Benchmark’ certain application controls so that testing frequency can be reduced (e.g. every 3rd year)
       • Nature: More efficient to conduct testing
     • Lower cost to perform the control (compared to manual)
     Areas to consider for adding new technology:
     • Manage segregation of duties conflicts
     • User access provisioning
     • Transaction-level controls monitoring
     • System change management
     • Fraud detection programs

  45. Roadmap (section divider)

  46. Example Roadmap
     Control Rationalization Workshop, then:
     CR Pilot
     • Pilot effort for a single business area
     • Benchmarking of key controls, recommendations to streamline
     • Perform management testing to validate operating effectiveness
     Top-Down Scoping
     • Top-down scoping across divisions, geographies, offices, etc.
     • Prioritize major areas for rationalization based on risk and savings opportunities
     Control Rationalization
     • Line of Business/Cycle 1
     • Line of Business/Cycle 2

  47. Wrap-Up
     What we covered today:
     • Control Rationalization concepts
     • Applying a risk-based approach
     • Risk-based testing
     • Leveraging CLCs and automation
     • Cost analysis model
     • High-level roadmap
     Closing Remarks

  48. Presenters
     Rex Johnson, CISA, PMP. Senior Manager, Deloitte & Touche LLP, Audit & Enterprise Risk Services. 816.802.7733, rejohnson@deloitte.com
     Devin Amato, CISA, CIA. Manager, Deloitte & Touche LLP, Audit & Enterprise Risk Services. 816.802.7255, damato@deloitte.com

  49. About Deloitte Deloitte, one of the nation's leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. "Deloitte" refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte's Web site at www.deloitte.com/us. Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.
