
Internal Audit and IT's Role In A Down Economy


Presentation Transcript


  1. Internal Audit and IT's Role In A Down Economy Devin Amato & Heidi Zenger Deloitte Enterprise Risk Services Kansas City ISACA February 12, 2009

  2. Topics

  3. Contract Risk & Compliance

  4. What is Contract Risk & Compliance (CRC)? Contract Risk & Compliance helps organizations optimize the performance of strategic business relationships by promoting the integrity and reliability of the contracts that underlie their business relationships • Impacts profits by reclaiming contractual revenue • Reduces risk by improving processes and controls

  5. The Extended Enterprise: Contractual Obligations and Business Processes. Relationship types: outsourcing (on/off shore), licensing of IP, grants, JVs, alliances. Counterparties around the company: suppliers, affiliates, joint ventures, franchisees, distributors, agents, licensees, customers. Exposures: • Brand or reputation risk • Revenue leakage, unauthorized product distribution, licensing of IP • Paying for potentially unwarranted variable costs in complicated, cost-plus contracts such as advertising

  6. The Extended Enterprise: Contractual Obligations and Business Processes (diagram of industry examples: Consumer Business, Manufacturing, Health Care, Financial Services, Real Estate)

  7. Process overview

  8. Discussion Question • In your table groups, discuss what types of contracts exist at your company. Who is managing these? • Discuss Internal Audit’s involvement.

  9. Renewed focus on Data Mining A Foundation for Managing Risk

  10. Does an economic downturn mean an uptick in fraud? • Nearly two-thirds (63.3 percent) of executives surveyed expect accounting fraud to increase during the next two years. • Data from the National White Collar Crime Center shows a spike in arrests for fraud and embezzlement during the two most recent recessions. • Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years. • Following the Internet bust in 2000, arrests jumped 25% in the following two years. [1]
  [1] “Experts Say Fraud Likely to Rise”, Business Week, January 9, 2009

  11. Fraud factors • Three common factors drive fraudulent activity • How has the economy impacted these factors in your organization?

  12. A closer look • Financial pressure • Corporate: short-term performance goals, earnings expectations, revenue forecasts, financial ratios tied to debt covenants, aggressive accounting practices and applications • Personal: increase in asset misappropriation schemes including skimming, check tampering, and expense reimbursement • Opportunity • Downsizing, re-prioritization toward revenue that reduces focus on internal controls, reduced SOD, increased workloads and inexperience • Rationalization • If employees suspect that they may be let go, they may rationalize “what do I have to lose?” • As corporate revenues decline, management may rationalize fraudulent activity believing it is serving the best interest of the company, its employees, and its shareholders.

  13. Example risks and data mining procedures

  14. Controls Rationalization

  15. Under Pressure: What’s the problem with general computer controls? The following factors appear to remain at play at some companies: • Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.) • Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary • Companies are not applying IT control frameworks in a manner that leverages IT-related company-level controls • Companies are not capitalizing on automated controls

  16. Discussion Question • In your table groups, discuss what your company is doing, or has done, to rationalize controls across the enterprise. • Discuss Internal Audit’s involvement.

  17. Challenges and Opportunities: Point of View. Solution: companies should adopt a risk-based control rationalization approach to address current and future compliance challenges. Definition of control rationalization: the continuous process of designing the most effective and efficient controls to address financial reporting risks. • Guiding Principles • Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts. • Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization. • Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations. • Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.

  18. Rationalize: Working Toward a Lean and Balanced Control Design. Using a risk-based control rationalization approach, companies can enhance the efficiency and effectiveness of their compliance program by refining their testing approaches and improving their design of controls, emphasizing efforts toward higher-risk areas while reducing costs associated with lower-level risks. (Illustrative example chart, share of control effort by category) Current state: Category 1 5%, Category 2 15%, Category 3 80%. Future state model (effective & efficient), risk-based approach: Category 1 15%, Category 2 35%, Category 3 50%. Areas of focus: improve effectiveness in Categories 1 and 2; reduce costs in Category 3. Examples: Category 1: company-level controls (e.g., control environment, period-end financial reporting, anti-fraud programs). Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas. Category 3: controls over routine, transactional processing.

  19. Control Rationalization – Phased Approach. Phases: 1 Perform IT Risk Assessment; 2 Evaluate GCC Areas and Control Objectives; 3 Rationalize Controls; 4 Develop Risk-Based Testing Approach. Outcomes: • Documented financial data flow diagrams • Documented system risk assessment • Documented relevant applications and platforms (risk rated) • Documented assessment of GCC risk ratings • Documented assessment of control objective risk ratings • Documented IT company-level controls • Documented IT risk-rating approach • Revised IT control matrix with risk ratings and rationale • Documented risk-based testing strategy • Cost savings analysis

  20. Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls: Overview. General computer control rationalization, lean and balanced. In scope → out of scope: • Perform IT risk assessment (identify relevant applications, platforms) → remove non-relevant IT applications and platforms • Relevance to financial reporting objectives and risk-rating of associated major classes of transaction → remove non-relevant control objectives • Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives → remove unnecessary controls from testing scope • Evaluate GCCs for effective and efficient testing; develop risk-based testing approach for GCCs → re-designed testing approach. NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs or an inadequate testing approach for GCCs will preclude management from being able to derive benefits of ‘benchmarking’ testing of automated controls. • *Efficiency Evaluation Criteria • Remove secondary or redundant controls • Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test the process for granting access before password settings) • Prioritize controls addressing multiple risks

  21. 1 Perform IT Risk Assessment: Develop risk profile. Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput) and qualitative (e.g., system risks) factors. The profile is plotted on a matrix with Financial Impact (dollar throughput of the business process data flowing through the IT systems) on one axis and Inherent Risk on the other, each rated H, M or L. • Example risk factors include: • Number of users • Complexity of system configuration/embedded business logic • Number/complexity of data interfaces • Frequency of configuration parameter changes • Extent of system customizations • Level of centralization of IT function • Age of system • Extent of business process control automation

  22. 2 Risk Based Approach for GCCs: Risk rate GCC areas. The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.” Risk evaluation considerations (illustrative purposes only), by general computer control category, with examples of qualitative factors, example procedures and risk ranking:
  • Application System Development & Maintenance – High volume of changes; application dependencies – Test all three levels – H
  • Information Security – High employee turnover; complex architecture – Test all three levels – H
  • Information Systems Operations – Mature monitoring processes; automated tools – Test predominantly IT company level and process level controls – M
  • Systems Software Support – Homogenous environment; automated tools – Test predominantly IT company level controls – L
  NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.
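The two slides above describe a scoring exercise without showing the arithmetic. The following Python script is an added example, not the presenters' or Deloitte's method: it builds the slide 21 risk profile (financial impact from dollar throughput, inherent risk from the listed qualitative factors, both on an H/M/L matrix) and maps the resulting rating to the example procedures quoted on slide 22. The throughput bands, the 1-to-3 factor scoring with equal weights, the additive matrix combination and the sample system inventory are all constructed assumptions.

```python
"""Added example: per-system IT risk profile and testing-approach mapping.
Thresholds, factor scoring and the H/M/L matrix are constructed assumptions,
not the presenters' method."""
from dataclasses import dataclass

# Qualitative inherent-risk factors listed on slide 21.  Each is scored by the
# assessor as 1 (low), 2 (medium) or 3 (high).  ASSUMPTION: equal weights.
RISK_FACTORS = (
    "number_of_users",
    "configuration_complexity",
    "data_interfaces",
    "config_change_frequency",
    "customization",
    "it_decentralization",
    "system_age",
    "low_control_automation",   # less automation means more manual-control risk
)

# ASSUMPTION: dollar-throughput bands for the Financial Impact axis (constructed).
HIGH_IMPACT_USD = 50_000_000
MEDIUM_IMPACT_USD = 5_000_000

# Example procedures per risk ranking, quoted from slide 22.
TESTING_APPROACH = {
    "H": "Test all three levels",
    "M": "Test predominantly IT company level and process level controls",
    "L": "Test predominantly IT company level controls",
}

_LEVEL = {"H": 3, "M": 2, "L": 1}


@dataclass
class SystemRisk:
    name: str
    dollar_throughput: float   # annual dollars flowing through the system
    factor_scores: dict        # factor name -> 1, 2 or 3


def financial_impact(dollar_throughput: float) -> str:
    """Quantitative axis: H/M/L from the throughput bands above."""
    if dollar_throughput >= HIGH_IMPACT_USD:
        return "H"
    if dollar_throughput >= MEDIUM_IMPACT_USD:
        return "M"
    return "L"


def inherent_risk(factor_scores: dict) -> str:
    """Qualitative axis: average of the 1-3 factor scores (ASSUMPTION: bands)."""
    unknown = set(factor_scores) - set(RISK_FACTORS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    if not factor_scores:
        raise ValueError("at least one factor score is required")
    for score in factor_scores.values():
        if score not in (1, 2, 3):
            raise ValueError(f"factor scores must be 1, 2 or 3, got {score!r}")
    avg = sum(factor_scores.values()) / len(factor_scores)
    if avg >= 2.5:
        return "H"
    if avg >= 1.75:
        return "M"
    return "L"


def overall_rating(impact: str, inherent: str) -> str:
    """Combine the two matrix axes (ASSUMPTION: additive bands, 6..5=H, 4..3=M, 2=L)."""
    total = _LEVEL[impact] + _LEVEL[inherent]
    if total >= 5:
        return "H"
    if total >= 3:
        return "M"
    return "L"


def profile(system: SystemRisk) -> dict:
    """Full risk profile for one in-scope system, with the matching test approach."""
    impact = financial_impact(system.dollar_throughput)
    inherent = inherent_risk(system.factor_scores)
    rating = overall_rating(impact, inherent)
    return {"system": system.name, "financial_impact": impact,
            "inherent_risk": inherent, "rating": rating,
            "testing": TESTING_APPROACH[rating]}


def rank_systems(systems) -> list:
    """Profiles sorted highest rating first, so testing effort follows risk."""
    return sorted((profile(s) for s in systems),
                  key=lambda p: -_LEVEL[p["rating"]])


# Constructed sample inventory (not from the deck).
SAMPLE_SYSTEMS = [
    SystemRisk("General ledger", 120_000_000,
               {"number_of_users": 3, "configuration_complexity": 3,
                "data_interfaces": 3, "customization": 2}),
    SystemRisk("Fixed-asset register", 20_000_000,
               {"number_of_users": 1, "configuration_complexity": 1,
                "data_interfaces": 1, "system_age": 2}),
    SystemRisk("Expense reimbursement", 3_000_000,
               {"number_of_users": 3, "customization": 2,
                "low_control_automation": 2, "it_decentralization": 1}),
    SystemRisk("Intranet timesheets", 400_000,
               {"number_of_users": 2, "configuration_complexity": 1,
                "data_interfaces": 1}),
]

if __name__ == "__main__":
    for p in rank_systems(SAMPLE_SYSTEMS):
        print(f"{p['system']:<22} impact={p['financial_impact']} "
              f"inherent={p['inherent_risk']} rating={p['rating']} -> {p['testing']}")
```

Run as a script it prints the four sample systems in rating order (the general ledger comes out H, the two mid-value systems M, the timesheet tool L). The point of separating `financial_impact`, `inherent_risk` and `overall_rating` is that each band is an auditable assumption the team can revisit, which is what slide 22's note about adding company-specific qualitative factors asks for.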

  23. 3 Risk Based Approach for GCCs: Rationalize controls. After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach. For this example, the three controls in bold text will be assessed, representing a 50% reduction in testing. The organization’s SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated. These two controls are redundant in nature; accordingly, only one control will be evaluated. This control activity is redundant in nature since test results are approved by users at a later point in the SDLC process; accordingly, this control will not be evaluated.

  24. 4 Risk Based Approach for GCCs: Develop risk-based testing. Alter the nature, timing and extent of control testing based on the control objective risk ratings. *Note: Example for illustrative purposes only. A risk-based testing strategy focuses resources and effort on the most important controls, and may generate opportunities for savings based on reduced overall testing effort.

  25. Cost savings analysis* The table below is an illustrative example for measuring the reduced effort that may result from implementing a risk-based testing strategy. *Note: Example for illustrative purposes only and does not imply likely savings or results

  26. The Next Wave of Green IT: IT’s role in the future of enterprise sustainability

  27. Overview • Research program to explore senior finance and IT executives’ views on how companies around the world are changing their IT practices in an effort to save money, improve performance, and lessen their impact on the physical environment. • Respondents came from North America (56%), Europe (28%), and Asia (16%) • All industries included, encompassing companies of sizes $200M to $10B+ • Primary benefits fall into three buckets: • Environmental (less pollution, lower carbon emissions, less toxic waste) • Operating (lower costs, higher efficiency, lower risk) • Promotional (brand awareness, public relations, environmental)

  28. Discussion Question • In your table groups, discuss what your companies are doing from a greening perspective; specifically around IT. • Discuss Internal Audit’s involvement.

  29. General Statistics • More than 9 out of 10 companies have made “incremental” or “aggressive” efforts to reduce their impact on the environment • Many companies have at least basic programs in place for green IT and the funding to support these • Nearly 60% of the respondents say their company has at least 5% of its IT budget set aside for greening efforts and 35% say their company has allocated 15% or more to green IT • Two-thirds of respondents say their company has a formal program in place for measuring, monitoring, and improving its environmental performance

  30. Barriers • Lack of information and trusted practices for improving IT’s environmental performance (44%) • Inability to build a sound business case for green IT investments (42%) • Shortage of capital and well-qualified, green IT talent (41%)

  31. New Metrics, Incentives, and Influences • 67% of respondents stated their company has a formal program for measuring, monitoring, and improving its environmental performance • When asked “Has your company conducted a formal evaluation of the environmental impact of its business activities in the last two years?”, respondents said: • Yes, an evaluation has been completed (39%) • Yes, an evaluation is currently under way (36%) • No, we haven’t formally initiated this (25%) • Most common metrics: • Total power consumption • Power usage effectiveness/data center infrastructure efficiency • Carbon dioxide production

  32. Risk Management and Performance Improvement

  33. Examples of IT Efforts • Energy efficient hardware • Shared software resources • Virtualized server architecture • Smaller data center footprints – IT infrastructure within data centers • Printers, copiers, and fax machines • Mobile devices and wireless computers • Hardware recycling, disposal and decommissioning

  34. End-User Applications • End user applications focused on productivity are most likely green IT investment candidates: • Videoconferencing • Online collaboration technology • Enhanced/Alternative cooling technology • Energy management software applications for servers and PCs • Server virtualization • Mobile devices

  35. Company Examples • Intel took the heat its servers produced and redirected it to warm its cafeteria and restroom water supply. • Approval forms for the FDA – fast tracked when submitted electronically; save paper, ink, physical storage requirements • Wells Fargo addresses the power management of its servers which leads to significant cooling efficiency gains and improvement of electrical distribution within the data centers to reduce power consumption

  36. Next Steps • Determining what efforts your company currently has in place and your executives’ appetites for greening • Establishing a baseline measurement of current sustainability performance that is satisfactory for both IT and finance • Aligning the company’s tax strategy with its sustainability strategy and green investments • Evaluating IT’s part in these efforts, from the capabilities of the systems to measure, monitor, and report to what IT can do to increase the effort

  37. Contact Information: Devin Amato, damato@deloitte.com, 816.802.7255; Heidi Zenger, hzenger@deloitte.com, 816.802.7435
