
Association of Government Accountants


Presentation Transcript


  1. Association of Government Accountants IT Controls and Audit Readiness In the Federal Government February 9, 2011 Harrisburg, PA

  2. Learning Objectives At the conclusion of this session, you will be able to understand:
  • The primary federal guidance applicable to Information Technology Controls, to understand management responsibilities and the needs of financial statement auditors;
  • How to identify and prioritize systems that impact the financial statement audit;
  • How to apply authoritative guidance and understand the types of information technology controls, control objectives, and control techniques;
  • How to document and validate whether information technology controls are designed properly and operating effectively;
  • How to evaluate the impact of testing exceptions; and
  • The role and responsibilities of third party Service Providers.

  3. Agenda • Section 1: Relevance of Systems and IT Controls to the Financial Statement Audit • Section 2: Types of IT Controls • Section 3: IT Controls Validation • Section 4: Other Considerations

  4. Section 1 Relevance of Systems and IT Controls to the Financial Statement Audit

  5. Illustration of an End-to-End Electronic Audit Trail • A Source Journal is the initial system where business transactions are entered (also known as a system of record). • The audit trail for the business transaction from Source Journal to Financial Statement may only exist in an electronic format. • It may not be possible (or efficient) to “audit around” systems.

  6. Example Scenario – Transaction Initiated and Recorded in Source Journal (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting)

  7. Example Scenario – Purchasing Transaction Automatically Initiated (process flow diagram; same swimlanes)

  8. Example Scenario – Disbursement Transaction Initiated (process flow diagram; same swimlanes)

  9. Example Scenario – General Ledger and Consolidation Systems Updated (process flow diagram; same swimlanes)

  10. Impact of Systems on Internal Controls (diagram)
  Financial Statement Line Item / Significant Account / Disclosure → Significant Process / Major Classes of Transactions → Key Controls:
  • Automated Controls – programmed or configured application controls, calculations, or procedures
  • Manual Controls using system-generated reports or data
  • Manual Controls not dependent on information technology
  Automated controls and manual controls using system-generated information have a dependency on the Information Technology Control Environment (application and data, audit-significant applications), which consists of: Controls over Access to Programs and Data, Computer Operations, Program Development, and Program Change Controls.

  11. What are the Reporting Entity’s audit readiness responsibilities relevant to its financial information systems?

  12. Statement to Process Analysis Example – Budgetary Resources (diagram; processes: Purchasing, Procure to Pay, Disbursing)

  13. Key Points to Remember
  • Most Federal business activities are recorded in automated systems, and it may not be possible (or efficient) to “audit around” the systems.
  • If the Reporting Entity is placing reliance on controls performed by systems, or on manual controls that rely on reports / data produced by systems, the IT general controls for these systems must be documented and tested.
  • The Reporting Entities are responsible for identifying, documenting, and testing the relevant IT application and general controls necessary to address internal control over financial reporting and audit readiness considerations.
  • Financial, non-financial, and mixed systems may feed financial statement account balances and/or have a role in internal controls over financial reporting. A structured process should be followed to determine which systems are in scope for audit readiness.

  14. Section 2 Types of IT Controls

  15. What are the differences among operations compliance, budget, and financial controls?

  16. Differences among operational, compliance, budget, and financial controls
  Operational Controls • The objective of operations controls is to provide reasonable assurance that the Reporting Entity achieves the performance desired by management for planning, productivity, quality, economy, efficiency, or effectiveness of the entity’s operations.
  Compliance Controls • The objective of compliance controls is to provide reasonable assurance that the Reporting Entity complies with significant provisions of applicable laws and regulations.
  Budget Controls (Funds Control) • The objective of budget controls is to ensure transactions are executed in accordance with budget authority.
  If an event results in a financial transaction, it impacts ICOFR and audit readiness.

  17. Differences among operational, compliance, budget, and financial controls Financial Reporting Controls • The objective of financial reporting controls is to prevent or detect misstatements in significant financial statement assertions. These include (1) safeguarding controls to protect assets against loss from unauthorized acquisition, use or disposition, and (2) segregation-of-duties controls to prevent one person from controlling multiple aspects of a transaction allowing that person to both cause and conceal misstatements whether errors or fraud.

  18. What are Business Process Application Controls? Those controls incorporated directly into computer applications (or performed manually based on system generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing. Importance of Business Process Application Controls to Audit Readiness: Effective business process application controls help ensure that the Reporting Entity’s financial transactions are complete, accurate, and valid, which are key internal control over financial reporting objectives and critical to asserting audit readiness.

  19. What are Business Process Application Controls? Business Process Application Controls consist of the following four control categories: • Business Process Controls • Interface Controls • Database Management System Controls • Application Level General Controls

  20. Business Process Application Controls - Example (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; control points shown: “User ID and password required” and “Check completion of all required fields”)

  21. Interface Control - Example (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; control point shown: “Total records sent = total records received”)
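The record-count interface control on this slide, worked through as an added illustration (not part of the deck): the sending system writes a trailer record with its record count and amount total, and the receiving system recomputes both before posting. The file layout and values are constructed for the example.

```python
"""Interface control: reconcile received records against the sender's control totals."""
from dataclasses import dataclass
from decimal import Decimal
import csv
import io

# Constructed sample interface file (hypothetical layout):
#   H = header, D = detail (document id, amount), T = trailer (count, amount total)
SAMPLE_FILE = """\
H,PURCHASING,20110209
D,PO-1001,1500.00
D,PO-1002,275.50
D,PO-1003,89.99
T,3,1865.49
"""


@dataclass
class ReconcileResult:
    records_received: int
    records_expected: int
    amount_received: Decimal
    amount_expected: Decimal

    @property
    def ok(self) -> bool:
        # Both the count and the amount total must agree; a dropped and a
        # duplicated record can leave the count intact but not the total.
        return (self.records_received == self.records_expected
                and self.amount_received == self.amount_expected)


def reconcile(text: str) -> ReconcileResult:
    """Recompute record count and amount total from detail records and
    compare them with the sender's trailer record."""
    records = 0
    total = Decimal("0")
    expected_count = expected_total = None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "D":
            records += 1
            total += Decimal(row[2])
        elif row[0] == "T":
            expected_count = int(row[1])
            expected_total = Decimal(row[2])
    if expected_count is None or expected_total is None:
        # No trailer means completeness cannot be evidenced: reject the batch.
        raise ValueError("interface file has no trailer (control) record")
    return ReconcileResult(records, expected_count, total, expected_total)


def drop_record(text: str, document_id: str) -> str:
    """Simulate a record lost in transit so the control can be exercised."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if f",{document_id}," not in line)


if __name__ == "__main__":
    print("intact batch ok:", reconcile(SAMPLE_FILE).ok)
    print("lost record ok:", reconcile(drop_record(SAMPLE_FILE, "PO-1002")).ok)
```

A failed reconciliation is the exception a tester would look for in the receiving system's interface log when validating that this control operates throughout the period.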

  22. Database Management System Control - Example (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; application and data layer shown; control point shown: “Direct access to the production database by developers is not allowed”)

  23. Application Level Controls – Legacy System Environment (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; control points marked at each hand-off; legend: I = Input Control Point, P = Processing Control Point, O = Output Control Point)

  24. Application Level General Control - Example (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; control point shown: “All application configuration changes are approved by the change control board (management)”)

  25. What are entity level Information Technology General Controls (ITGCs)? Entity Level ITGCs are grouped into the following five general control categories: • Security Management • Access Controls • Segregation of Duties • Configuration Management • Contingency Planning. Deficiencies related to access control and configuration management have the greatest potential to result in material weaknesses and render the other IT general and application controls unreliable.

  26. What are entity level Information Technology General Controls (ITGCs)?
  Security Management • Provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls.
  Access Controls • Limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting them against unauthorized modification, loss, and disclosure.
  Segregation of Duties • Includes policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

  27. What are entity level Information Technology General Controls (ITGCs)?
  Configuration Management • Prevents unauthorized changes to information system resources (for example, software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.
  Contingency Planning • Includes plans and procedures in place that ensure, when unexpected events occur, critical operations continue without disruption or are promptly resumed, and critical and sensitive data are protected. Such plans should consider the activities performed at general support facilities, as well as those performed by users of specific applications.

  28. Entity Level General Control - Example (process flow diagram; swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting; control points shown: “All operating system configuration changes are approved by the change control board (management)” and “Physical access to the data center where the applications are hosted is appropriately restricted”)

  29. Key Points to Remember
  • There are differences among operational, compliance, budget, and financial controls.
  • Business process application controls are incorporated directly into computer applications (or performed manually based on system generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.
  • IT General Controls are the policies and procedures that apply to all or a large segment of the entity’s information systems and help ensure their proper operation. ITGCs are applied entity-wide and at the system and application levels.

  30. Section 3 IT Controls Validation

  31. Sources of Internal Control Over Financial Reporting and Audit Readiness Guidance (table)
  Overall Framework & Application Controls
    Audit Guidance: GAO Financial Audit Manual (FAM); GAO Government Auditing Standards (Yellow Book)
    Controls Guidance: OMB A-123 Implementation Guide; COSO Internal Control Framework (COSO); GAO Standards for Internal Control (Green Book)
  IT Controls (currently)
    Audit Guidance: GAO Federal Information System Controls Audit Manual (FISCAM); GAO Assessing Reliability of Computer Processed Data
    Controls Guidance: GAO Federal Information System Controls Audit Manual (FISCAM); GAO Assessing Reliability of Computer Processed Data

  32. Sources of Internal Control Over Financial Reporting and Audit Readiness Guidance • When evaluating IT application and general controls, the GAO FISCAM manual is the primary authoritative source for relevant control objectives and control techniques that should be addressed.

  33. Why is it important for the Reporting Entity to document an understanding of the design of its Information Systems controls? There are two primary reasons for documenting an understanding of IT general and application controls: The first is to simply determine if internal controls have been identified (or exist) for each relevant control objective. The second is to evaluate whether the controls, if implemented and operating effectively, would satisfy the relevant control objectives. This second point is often referred to as assessing the “design effectiveness” of the internal control. It is essential that the controls documentation be prepared in enough detail for the reader to easily understand whether the control objective has been addressed.

  34. Why is it important for the Reporting Entity to document an understanding of the design of its Information Systems controls? (example design-effectiveness worksheet; columns: Control Objective | Control Technique | Control in Place | Satisfactory)

  35. Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? Once the Reporting Entity has determined that the internal controls are appropriately designed, the next step is to determine if the control has been operating effectively throughout the audit / assertion period. This is commonly referred to as “testing of operational effectiveness.” Tests of operational effectiveness must be successfully completed before reliance can be placed on the internal control.

  36. Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? When performing tests on whether IT controls are operating effectively, the Reporting Entity has a number of techniques available, listed here from the lowest level of assurance to the highest:
  • Inquiry of Appropriate Personnel
  • Observation of the Control in Operation
  • Inspection of Documentation
  • Re-performance of the Control
  It is important to note that inquiry and observation by themselves typically do not constitute a valid test of whether IT controls are operating effectively.

  37. Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? The Reporting Entity may perform both sampling (statistical/non-statistical) and nonsampling control tests to evaluate whether IT controls are operating effectively. For an automated control, the number of items tested can be as low as one, assuming that information technology general controls have been tested and found to be effective. A common example of an automated control is an edit check that is activated during data entry.

  38. Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities? Example Sample Sizes: test sample size depends on several factors including:
  • Type of control (manual or automated)
  • Frequency of the control (e.g., how often it is performed)
  • Complexity of the control
  • Management’s Judgment
  In those instances where Management has determined that smaller sample sizes are appropriate (based on their judgment), the rationale for this decision should be thoroughly documented.

  39. Key Points to Remember
  • The GAO FISCAM manual is the primary authoritative source for relevant control objectives and control techniques that should be included in the scope of the IT controls evaluation.
  • It is essential that the controls documentation be prepared in enough detail for the reader to easily understand if the control objective has been addressed.
  • Performing an assessment of design effectiveness is important because it allows management to identify areas for remediation quickly instead of wasting time testing a poorly designed control.
  • Testing the actual operational effectiveness of the internal control over time is absolutely critical, as this provides the basis of reliance for the audit / assertion period.
  • When testing operational effectiveness, appropriate testing techniques and sample sizes should be used.
  • Completion of system certification and accreditation does not completely address ICOFR requirements.

  40. FIAR 301 Section 4 Other Considerations

  41. What is the relevance of evaluating exceptions for the Reporting Entity? In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand the matters and their potential consequences. Internal control deficiencies are defined by the Public Company Accounting Oversight Board (PCAOB) and the AICPA. GAO and OMB typically adopt these same definitions by reference into their own guidance. Questions to ask:
  • How many exceptions were there and how severe?
  • Has the control operated effectively throughout the period?
  • Can we still rely on this control?
  • Are there appropriate compensating controls?
  • Is the control objective satisfied?
  • Are there unmitigated financial reporting risks?

  42. What is the relevance of evaluating exceptions for the Reporting Entity? • A Deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. • A Significant Deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. • Material Weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

  43. What is the role of Third Party Service Providers? Reporting Entities and Service Providers perform roles in different segments of end-to-end processes in the Department. Neither party actively participates in every segment of the entire process. Below is an overview example of a Service Provider functional view of a representative Civilian Pay Process that summarizes the roles of the Reporting Entity and Service Provider. When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.

  44. What are the responsibilities of Reporting Entities and third party Service Providers relevant to Federal financial audits?
  • With respect to financial audits, a Service Provider’s services are part of an entity’s information systems and, therefore, could be significant to the Reporting Entity’s information system. If the user organization’s (Reporting Entity) management and/or user auditor determine that the service organization’s controls are significant to the entity’s internal control, the Reporting Entity should gain an understanding of controls at the Service Provider by obtaining a service auditor’s report.
  • According to OMB Bulletin 07-04, as revised, Audit Requirements for Federal Financial Statements, service organizations must either provide their user organizations with an audit report on whether (1) internal controls were designed properly to achieve specified objectives and placed into operation as of a specified date and (2) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified, or allow user auditors to perform appropriate tests of controls at the service organization.

  45. What are the types of service auditor reports?
  • Type 1 Report - is a report on the design and implementation of controls (placed in operation) at a service organization, but does not include testing whether the controls are operating effectively.
  • Type 2 Report - is a report on the design and implementation of controls (placed in operation) and on their operating effectiveness. In a Type 2 engagement, the service auditor performs the procedures required for a Type 1 engagement and also performs tests of specific controls to evaluate whether they operate effectively in achieving the specified control objectives.
  • Introduction of a New AICPA Standard and Revised GAO Guidance - Statement on Standards for Attestation Engagements (SSAE) No. 16 is replacing Statement on Auditing Standards (SAS) No. 70 effective June 15, 2011.
  The Type 2 report addresses the needs of the financial statement auditor.

  46. Key Points to Remember
  • In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand the matters and their potential consequences.
  • Deficiencies, Significant Deficiencies, and Material Weaknesses have differing levels of impact on the Reporting Entity’s audit readiness and should be reported, prioritized, and remediated accordingly.
  • When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.
  • A Type 1 Service Auditor’s Report does not provide assurance regarding the operational effectiveness of the Service Provider’s internal controls over a period of time. This type of assurance is provided in a Type 2 report.

  47. Comments and Questions? • © 2011 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

  48. Want to contact us? • Bobbi Markley, CDFM, CISA, CISM • PricewaterhouseCoopers LLP • 1800 Tysons Boulevard • McLean VA 22102 • 703.918.3138 • Bradley Keith, CPA, CISA, PMP • PricewaterhouseCoopers LLP • 1800 Tysons Boulevard • McLean VA 22102 • 703.918.3564
