Are You Ready for IT Control Identification &Testing? The Institute of Internal AuditorsFebruary 10, 2004 Moderator: Xenia Ley Parker, CIA, CISA, CFSAXLP Associates
Agenda • Introduction & Overview Xenia Ley Parker, XLP Associates • General Controls Edward Hill, Protiviti • Application Controls John Gimpert, Deloitte • Establishing a Framework Reggie Combs, Lockheed Martin • Break • Q & A
References • Public Company Oversight Board - www.pcaobus.org/ • Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm • “Internal Control—Integrated Framework” Committee of Sponsoring Organizations of the Treadway Commission (COSO), Exposure Draft “Enterprise Risk Management Framework”- www.coso.org • CobiT 3rd EditionÓ, IT Governance Institute - www.isaca.org • “IT Control Objectives for Sarbanes-Oxley”- www.itgi.org • The IIA GAIN Flash Survey Use of SOX tools - www.gain2.org/sox4jwsum • Protiviti “Guide to the Sarbanes-Oxley Act: IT Risks and ControlsFrequently Asked Questions” - www.protiviti.com • Deloitte “Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002” - www.deloitte.com • PricewaterhouseCoopers “Understanding the Independent Auditor’s Role in Building Trust”; “The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges” - www.pwc.com
PCAOB ED Statements: Impact on IT Control Guidance • “determining which controls should be tested… generally, such controls include… information technology general controls, on which other controls are dependent” (page 41) • “The auditor should obtain an understanding of the design of specific controls by applying procedures that include… tracing transactions through the information system relevant to financial reporting” (page 48) • “Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively” (page 51)
PCAOB ED Statements Impact on IT Control Guidance • “The risk that the controls might not be operating effectively. Factors … include the following: – The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (p 74) • “The audit should trace all types of transactions and events, both recurring and unusual from origination through the company’s information systems until they are reflected in the company’s financial reports…” (page 79) Source: http://www.pcaobus.org/
Introduction of Key Issues • Define 404 universe, processes, risks, & controls • Identify key controls: assertions related to control considerations • Impact of IT controls • Application vs. IT controls • Establishing a framework
PCAOB Release No. 2003-017 issued 7 October 2003 • Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework • Other suitable frameworks have been published in other countries and likely will be published in the future • Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes
Tone at the Top • IT Executives need to be well versed on internal control theory and practice • Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls? • Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting?
Sarbanes-Oxley IT Diagnostic Questions 1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404? 2. Does IT management understand the financial reporting process and its supporting systems? 3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing? 4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization? 5. Are the IT department’s roles and responsibilities related to Section 404 documented & understood by all members of the IT department?
Sarbanes-Oxley IT Diagnostic Questions 6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, & are they supported with appropriate skill development? 7. Is the IT department’s risk assessment process integrated with the company’s overall risk assessment process for financial reporting? 8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis? 9. Does IT have a formal process in place to identify & respond to IT control deficiencies? 10. Is the effectiveness of IT controls monitored & followed up on a regular basis? • Source for Slides 8-12: IT Governance Institute, ISACA
Are you Ready for IT Control Identification & Testing? General Controls Edward Hill, CPA Protiviti
Integrated Application Specific Processes General IT Processes Application & Data Owner Processes “Plain English” Approach: IT Risks & Controls for SOX 404 • Define Universe, processes, risks & controls • Assertion relationships • Document key controls & valuate • Testing of key controls & what to do IT Organization & Structure IT Entity Level Control Evaluations IT Process Level Control Evaluations
Process Level: IT Risks & Controls Integrated Application Specific Processes General IT Processes Application and Data Owner Processes Most important part of this discussion: These processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the IC objectives over the reliability of financial reporting.
General IT Process Risks and Controls-A Typical Universe & Risk Assessment General IT Processes • Security Administration • Application Maintenance - Change Control • Ensure Continuity - Data Management & Disaster Recovery • Manage Technical Infrastructure & Operations - Problem Management • Asset Management
Impact of STRONG Controls at the IT General Controls General IT Processes Integrated Application Specific Processes Application & Data Owner Processes • Applications perform as designed • Programmed controls function as designed • Access to transactions and data function as designed • WHEN SETTING SCOPE: • Work at application and data owner level can focus on proper design of controls • General controls provide an indication that such controls operate as intended
Controls Security Administration • How does this relate to the assertions - what can go wrong? • Security, designed & implemented properly, assures transactions are executed by only those individuals with authorization. • Security, designed appropriately, ensures (physical and electronic) access to assets is restricted. • This impact must be understood at each IT component level: • Application transaction and data level • Access to the systems and infrastructure such as administrator and super user: • Databases • Platforms (operating systems) • Networks
Security & Segregation of Duties Potential impact on assertions: • Transactions are executed only by individuals authorized by management to do so • Duties that are incompatible from an internal control standpoint are segregated in accordance with management’s criteria • Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorized and segregation issues)
Security Administration • Risk and controls documented, evaluated for specific process portions: • Role set up, maintenance and periodic validation • User set up, maintenance and deletion • Data classification and rules allowing access to sensitive data • Periodic transaction and data access review, validation and follow-up • Risks and controls documented, evaluated at the technical level: • Set up of administrative and other sensitive accounts for all technology components • Add, modify and delete procedures • Audit trail rules and set-up • Monitoring and review procedures for usage of administrative and sensitive account
Security Administration Risk and controls documented, evaluated for specific process portions: • Development and maintenance of security roles restricting access to transitions and data to only individuals with a valid business need to execute transactions and access data • Development and communication to the IT organization the roles and transactions needed to be segregated from an internal controls standpoint • Maintenance and review of applications changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint
Manage Applications-Change Controls • How does this relate to the assertions- what can go wrong: • Application change provides assurances that applications function as intended and integrity of processing can be assured • Appropriate application changes assure completeness and accuracy of processing • Together with the security administration, processes assures transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions • Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes to the following do not occur: • Production data • Other related components such as interface routines, background processing and updates, etc.
Application & Data Owner Responsibilities For Change Controls • How does this relate to the assertions- what can go wrong: • Application changes may not be in accordance with the directives of the business owners causing them not to function as intended or without the appropriate controls- impacts • Completeness and accuracy • Authorization • Access to assets • There may be changes to the security administration of roles and responsibilities that effect the controls which ensure appropriate authorization of transactions and access to assets
Management Applications – Change Controls Risk and controls documented, evaluated for specific process • Initiation of change requests • Testing and approval of changes prior to migration into the production environment • Critical calculations and data validation and exception routines • Interfaces • Job sequencing and interrelationships • Application migration procedures • Integrity of process and access to applications and data by migrators • Back out and validation of successful migrations • Emergency change procedures and processes
Business Owner Change Control Processes • Risk and controls documented, evaluated for specific process • Changes are appropriately initiated and approved by the application and data owners • All changes are reviewed by the application owners from a controls perspective and a sign-off that controls have been appropriately considered for any change(s) • Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.) • There should be review (after the fact) of emergency changes such that application owners verify validity of change and the appropriateness of change on programmed controls.
Format for Documentation and Control Related Work • Evaluation of IT-related risks and controls should be formatted similar to other process and control work • Process maps • Process narratives • Risk and control matrices • All work should focus on controls that affect the financial reporting and disclosure risks and controls • Must address financial reporting assertions
Evaluation of IT Controls • After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risks • The evaluation should include both manual and systems-based controls - even in the General Controls processes • At this point, control gaps if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls • For controls evaluated as effective, the next step is to develop a testing plan so that the operating effectiveness can be evaluated
Update Testing Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Approach to IT General Controls Testing For IT General Controls testing – • Test key controls can and should be tested similar to other processes with pervasive controls: • There needs to be a combination of inquiry, inspection, observation and re-performance • Process flows and risk and control matrices should be referenced and a key to selecting the type of test needed • Timing of this testing- two competing issues • One external firm indicated that for pervasive controls such as IT General controls these controls should be tested near the “as of” date • Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls downstream of these.
Update Testing Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Documenting General Controls Testing For IT General Controls testing – • Documentation of testing should be tested similar to other processes with pervasive controls: • There needs to be documentation standards for inquiry, inspection, observation and re-performance testing- scoping should be based on overall approach • Evidence of tests should be retained for review and approval
Are you Ready for IT Control Identification & Testing?Application Controls John Gimpert, CPADeloitte
Importance of IT in Sarbanes Oxley • For most organizations, IT controls are pervasive to the financial reporting process • Financial applications and automated systems are typically used to initiate, record, process and report transactions • Applications and ERP systems are supported by the general computing environment • Effectiveness of the application computing controls are dependant upon the general computing controls • Limitations of application controls may need to be appropriately mitigated by general computing controls • Overall, application and general computing controls support the integrity and reliability of financial reporting
A Roadmap for Compliance Source: IT Governance Institute (ITGI) “IT Control Objectives for Sarbanes Oxley Discussion Document
Stage 1–Unreliable Stage 2–Insufficient Stage 3–Reliable Stage 4–Optimal Characteristics • Controls, policies and procedures are not in place and documented. • A disclosure creation process does not exist. • Employees are unaware of their controls responsibility. • Operating effectiveness of control activities is not evaluated regularly. • Control deficiencies aren’t identified. • Controls and policies and procedures are not fully documented. • A disclosure creation process is not fully documented. • Employees may not be aware of their responsibility for control activities. • Operating effectiveness of control activities is not evaluated regularly and the process isn’t documented. • Control deficiencies may be identified but not remediated timely. • Controls and related policies and procedures are in place and adequately documented. • A disclosure creation process is in place and adequately documented. • Employees are aware of their responsibility for controls activities. • Operating effectiveness of control activities is evaluated periodically; the process is documented. • Control deficiencies are identified and remediated timely. • Meets characteristics of Stage 3. • An enterprise-wide control and risk mgt. program exists such that controls are documented and continuously reevaluated to reflect major process or organizational changes. • A self-assessment process is used to evaluate controls design and effectiveness. • Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness. Internal Control Reliability Model Determine the reliability and maturity of IT controls.
Mapping Accounts to Controls Significant Accounts/Processes Balance Sheet IncomeStatement G/L Inventory Other Classes of Transactions / Business Processes • Determine and walk-through key transactions and accounts • Identify applications and IT systems related to significant accounts and transactions • Identify, document and test controls supporting the above Process A Process B Process C Financial Applications Application A Application B Application C Application controls (examples) Seg of Duties Data integrity Completeness Timeliness General Computing Controls Security Retention Operations Configuration
Application Controls: Definition • Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing • Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct • Application controls are typically embedded within software programs to prevent or detect unauthorized transactions
Accounts Receivable Invoice controls Databases and Information IT Infrastructure Security System Software Networks Linking Business Process to Controls Order Processing • Control Objectives • Account Receivable balances and reserves are complete and accurate. • Sales revenues and cost of goods sold is complete and accurate • All purchase orders received are input and processed • Invoices are generated using authorized terms and prices • Only valid changes are made to customer master files. SalesSub-process Order & supplier controls Customer controls Customerorder entry SAP, Oracle, Other Applications Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information. General computing controls cover security access, change and configuration mgt, data retention, testing, processing integrity, etc.
Objective Assertion Automated Application Controls All orders received from customers are input and processed Completeness • Pending order reports are generated daily for review. • Incomplete order entries are flagged for completion. Orders are processed only within the approved customer credit limits Authorization • Orders entered that exceed customer credit limits are pended for review prior to processing. • Access to change/override customer credit limits requires approval by credit manager. Only valid orders are processed Existence or Occurrences • Access to enter orders is limited to appropriate personal. • A valid customer number is required prior to order entry. Orders and cancellations of orders are input accurately Existence or Occurrences • Critical data fields (e.g.; order number, date, address) are pre-populated prior to order completion. • Data entered on returns is matched with original sales information. Examples of Control Identification
Preventive Preventative controls are designed to avert problems rather than correct them. Some examples include passwords to application systems or an approval on all purchase orders over a specified limit. Detective Detective controls are meant to catch errors after the fact. These may take the form of reviews, reconciliations, and analyses. Manual Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. Many manual controls can now be automated by application software such as the triggering of exception reports. Information Technology IT controls consist of general controls (include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (to ensure completeness, accuracy, authorization, and validity of data input and transaction processing). Types of controls
Evaluation of Control Design Remediate Document Control Assess the Control Design Document the Assessment Remediate Control Evaluation and Testing Process Discovery process for existing controls Controls for those business processes impacting key transactions and accounts Y N Evaluation of Control Effectiveness N Prepare for Certification Document the Test Results Test Control Effectiveness Y
Control Activity Example Test of Effectiveness Control Gaps • Pending order reports are generated daily for review. • Incomplete order entries are flagged for completion. • Obtain reports from individual responsible for review. • Observe entry of sample incomplete orders. • None noted. • Gap noted: Some incomplete orders are processed • Orders entered that exceed customer credit limits are pended for review prior to processing. • Access to change/override customer credit limits requires approval by credit manager. • Review application security settings to ensure control is set up properly. • Review application security settings to ensure control is set up properly. • None noted. • Gap Identified: One person can enter orders and increase customer credit limits. • Access to enter orders is limited to appropriate personal. • A valid customer number is required prior to order entry. • Compare who system allows to enter orders to list of management approved personnel. • Observe entry of sample orders with wrong customer numbers. • Gap identified: access rights are not updated promptly when personnel change roles • None noted. • Critical data fields (e.g.; order number, date, address) are pre-populated prior to order completion. • Data entered on returns is matched with original sale information. • Query sample of order numbers to ensure uniqueness. • Compare sample of sales returns against sales to ensure match. • None noted. • Gap Identified: Return can be processed without matching an original sale. Sample Result of Evaluation Process
Lessons Learned Effective IT application controls are critical and serve as a first line of defense Some controls exist at both the general computing and applications layer - for instance Security Controls Applications controls can be modernized, many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist) Applications controls can be proactively built into applications and can help identify risks Improved applications controls can result in improved application effectiveness and help drive higher quality applications A well controlled environment is a first step toward improved IT Governance
Sarbanes Oxley to Increase Shareholder Value Risk Management • Compliance with Sarbanes Oxley has direct impact and IT control improvements can reduce risk for downstream business initiatives Operating Margin • Deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation Asset Efficiency • Operational improvement regarding IT management processes • Consolidation of systems to reduce complexity can result in operational efficiencies Revenue Growth • Inventory your critical customer systems and data for future sales targeting initiatives
Are you Ready for IT Control Identification & Testing? Establishing A Framework Reginald B. Combs, CISALockheed Martin Corporation
Establishing A Framework • The COSO/COBITTM Relationship • Considerations When Identifying Controls • Entity, General, or Application Control?
Establishing A Framework The COSO/COBITTM Relationship To assess an organization’s internal controls, first identify the assessment criteria: • COSO report defines internal control consistent with current auditing standards and SAS guidance • COSO report also identifies five components of effective internal control: • Control Environment • Risk Assessment • Information & Communication • Control Activities • Monitoring 404: “…establish and maintain an adequate internal control structure…”
Establishing A Framework The COSO/COBITTM Relationship To assess an organization’s IT internal controls, first identify the assessment criteria: • COBIT framework is generally applicable and accepted as a standard for good IT security and control practices • COBIT “Business/Fiduciary Requirements” derived from COSO categories • COBIT classifies control objectives into four groups (domains): • Plan & Organize • Acquire & Implement • Deliver & Support • Monitor and Evaluate COSO and COBIT Provide a Complementary Framework for IT Control Identification
Considerations When Identifying Controls • Focus on “Key” controls: • How does the application support the key financial processes? • Is the application processing data or acting as a repository? • Who relies on the controls? • Consider the types of errors that can occur at the application and process level • Ask “What Can Go Wrong” questions • When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts
Entity, General, or Application Control? • Varying Opinions on which controls fall into each category • Establish definitions early and obtain consensus • Communicate throughout the organization