Are You Ready for IT Control Identification & Testing?
The Institute of Internal Auditors
February 10, 2004
Moderator: Xenia Ley Parker, CIA, CISA, CFSA, XLP Associates

Agenda
Introduction & Overview - Xenia Ley Parker, XLP Associates
General Controls - Edward Hill, Protiviti
Application Controls - John Gimpert, Deloitte
Establishing a Framework - Reggie Combs, Lockheed Martin
Break
Q&A

References
Public Company Accounting Oversight Board - www.pcaobus.org/
SEC Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm
Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO); Exposure Draft, Enterprise Risk Management Framework - www.coso.org
CobiT 3rd Edition, IT Governance Institute - www.isaca.org
IT Control Objectives for Sarbanes-Oxley, IT Governance Institute - www.itgi.org
The IIA GAIN Flash Survey, Use of SOX Tools - www.gain2.org/sox4jwsum
Protiviti, Guide to the Sarbanes-Oxley Act: IT Risks and Controls, Frequently Asked Questions - www.protiviti.com
Deloitte, Taking Control: A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 - www.deloitte.com
PricewaterhouseCoopers, Understanding the Independent Auditor's Role in Building Trust; The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges - www.pwc.com

PCAOB ED Statements: Impact on IT Control Guidance
In determining which controls should be tested, generally such controls include information technology general controls, on which other controls are dependent (page 41)
The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting (page 48)
Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively (page 51)

PCAOB ED Statements: Impact on IT Control Guidance (continued)
The risk that the controls might not be operating effectively. Factors include the following: the degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (page 74)
The auditor should trace all types of transactions and events, both recurring and unusual, from origination through the company's information systems until they are reflected in the company's financial reports (page 79)
Source: http://www.pcaobus.org/

Introduction of Key Issues
Define the 404 universe, processes, risks & controls
Identify key controls: assertions related to control considerations
Impact of IT controls
Application vs. IT controls
Establishing a framework

PCAOB Release No. 2003-017, issued 7 October 2003
Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework
Other suitable frameworks have been published in other countries and likely will be published in the future
Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes

Tone at the Top
IT executives need to be well versed in internal control theory and practice
Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls?
Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting?
IT Control Objectives for Sarbanes-Oxley: Common Elements of Organizations
Company-level (entity) controls set the tone for the organization. Examples include: executive management; systems planning; operating style; enterprise policies; governance; collaboration; information sharing; codes of conduct; fraud prevention programs.
Business processes: Logistics, Manufacturing, Finance, etc.
IT services: operating systems, data, telecom/networks, continuity.
General controls: controls embedded in common services form general controls. Examples include: systems maintenance; disaster recovery; physical and logical security; data management; incident response.
Application controls: controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include: authorizations; approvals; tolerance levels; reconciliations; input edits.

Sarbanes-Oxley, COSO and COBIT
IT controls should consider the overall governance framework to support the quality and integrity of information.
COBIT objectives are grouped in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate.
COSO components: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.
Controls in IT are relevant to both the financial reporting (Section 404) and disclosure (Section 302) requirements of Sarbanes-Oxley.
Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.

Sarbanes-Oxley IT Diagnostic Questions
1. Does the SOX steering committee understand the risks inherent in IT systems and their impact on compliance with Section 404?
2. Does IT management understand the financial reporting process and its supporting systems?
3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing?
4. Are policies governing security, availability and processing integrity established, documented and communicated to all members of the IT organization?
5. Are the IT department's roles and responsibilities related to Section 404 documented and understood by all members of the IT department?
6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, and are they supported with appropriate skill development?
7. Is the IT department's risk assessment process integrated with the company's overall risk assessment process for financial reporting?
8. Does IT document, evaluate and remediate IT controls related to financial reporting on an annual basis?
9. Does IT have a formal process in place to identify and respond to IT control deficiencies?
10. Is the effectiveness of IT controls monitored and followed up on a regular basis?
Source for the preceding slides (common elements through diagnostic questions): IT Governance Institute, ISACA

Are you Ready for IT Control Identification & Testing? General Controls
Edward Hill, CPA, Protiviti
Plain English Approach: IT Risks & Controls for SOX 404
IT Organization & Structure
IT Entity Level Control Evaluations
IT Process Level Control Evaluations: General IT Processes; Application & Data Owner Processes; Integrated Application Specific Processes
At each level: define the universe, processes, risks & controls; establish assertion relationships; document and evaluate key controls; test key controls and decide what to do with the results

Process Level: IT Risks & Controls
IT Process Level Control Evaluations cover General IT Processes, Application and Data Owner Processes, and Integrated Application Specific Processes.
Most important part of this discussion: these processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the internal control objectives over the reliability of financial reporting.

General IT Process Risks and Controls - A Typical Universe & Risk Assessment
General IT Processes:
Security Administration
Application Maintenance - Change Control
Ensure Continuity - Data Management & Disaster Recovery
Manage Technical Infrastructure & Operations - Problem Management
Asset Management
Impact of STRONG IT General Controls
Applications perform as designed
Programmed controls function as designed
Access to transactions and data functions as designed
When setting scope: work at the application and data owner level can focus on proper design of controls; general controls provide an indication that such controls operate as intended

Security Administration
How does this relate to the assertions - what can go wrong?
Security, designed and implemented properly, assures that transactions are executed only by individuals with authorization.
Security, designed appropriately, ensures that (physical and electronic) access to assets is restricted.
This impact must be understood at each IT component level:
Application transaction and data level
Access to the systems and infrastructure, such as administrator and super-user accounts, at the database, platform (operating system) and network layers

Security & Segregation of Duties
Potential impact on assertions:
Transactions are executed only by individuals authorized by management to do so
Duties that are incompatible from an internal control standpoint are segregated in accordance with management's criteria
Updates and changes to applications may affect how security should be managed and which duties need to be segregated (authorization and segregation issues)

Security Administration - Process Level
Risks and controls documented and evaluated for specific process portions:
Role set-up, maintenance and periodic validation
User set-up, maintenance and deletion
Data classification and rules allowing access to sensitive data
Periodic transaction and data access review, validation and follow-up
Risks and controls documented and evaluated at the technical level:
Set-up of administrative and other sensitive accounts for all technology components
Add, modify and delete procedures
Audit trail rules and set-up
Monitoring and review procedures for usage of administrative and sensitive accounts

Security Administration - Roles and Segregation
Risks and controls documented and evaluated for specific process portions:
Development and maintenance of security roles restricting access to transactions and data to only individuals with a valid business need to execute transactions and access data
Development and communication to the IT organization of the roles and transactions that need to be segregated from an internal controls standpoint
Maintenance and review of application changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint

Manage Applications - Change Controls
How does this relate to the assertions - what can go wrong?
Application change control provides assurance that applications function as intended and that the integrity of processing can be assured
Appropriate application changes assure completeness and accuracy of processing
Together with security administration, the change process assures that transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions
Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes do not occur to:
Production data
Other related components such as interface routines, background processing and updates, etc.

Application & Data Owner Responsibilities for Change Controls
How does this relate to the assertions - what can go wrong?
Application changes may not be in accordance with the directives of the business owners, causing them not to function as intended or to lack the appropriate controls. This impacts:
Completeness and accuracy
Authorization
Access to assets
There may be changes to the security administration of roles and responsibilities that affect the controls which ensure appropriate authorization of transactions and access to assets

Manage Applications - Change Controls
Risks and controls documented and evaluated for the specific process:
Initiation of change requests
Testing and approval of changes prior to migration into the production environment
Critical calculations and data validation and exception routines
Interfaces
Job sequencing and interrelationships
Application migration procedures
Integrity of the process and access to applications and data by migrators
Back-out and validation of successful migrations
Emergency change procedures and processes

Business Owner Change Control Processes
Risks and controls documented and evaluated for the specific process:
Changes are appropriately initiated and approved by the application and data owners
All changes are reviewed by the application owners from a controls perspective, with a sign-off that controls have been appropriately considered for any change(s)
Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.)
There should be an after-the-fact review of emergency changes in which application owners verify the validity of the change and its effect on programmed controls.
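The change-control attributes above (owner approval, independent test sign-off, migrator separate from developer, after-the-fact review of emergency changes) can be re-performed by reconciling the production migration log against the change requests on file. The following script is an added example, not part of the presentation or of any vendor tool; the record layout, field names, owner list and every change request and migration in it are constructed for illustration.

```python
"""Re-performance test of application change controls (added example).

Each production migration is matched to its change request and checked for
the control attributes a business owner is responsible for. Records are
constructed sample data; field names are assumptions, not any tool's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ChangeRequest:
    cr_id: str
    developer: str
    approved_by: Optional[str]            # application/data owner sign-off
    tested_by: Optional[str]              # sign-off that controls were re-tested
    emergency: bool = False
    post_review_by: Optional[str] = None  # after-the-fact owner review (emergency only)


@dataclass
class Migration:
    cr_id: str
    migrated_by: str
    migrated_on: date


# Constructed: who counts as an application/data owner
OWNERS: Set[str] = {"owner.ar", "owner.sales"}

# Constructed change requests
CHANGE_REQUESTS: Dict[str, ChangeRequest] = {
    "CR-101": ChangeRequest("CR-101", "dev.ana", "owner.ar", "qa.lee"),
    "CR-102": ChangeRequest("CR-102", "dev.raj", "owner.sales", "qa.lee"),
    "CR-103": ChangeRequest("CR-103", "dev.ana", "owner.ar", "qa.lee", emergency=True),
    "CR-104": ChangeRequest("CR-104", "dev.raj", "dev.ana", "dev.raj"),
    "CR-105": ChangeRequest("CR-105", "dev.raj", "owner.sales", "qa.kim",
                            emergency=True, post_review_by="owner.sales"),
}

# Constructed production migration log
MIGRATIONS: List[Migration] = [
    Migration("CR-101", "ops.sam", date(2004, 1, 12)),   # clean
    Migration("CR-102", "dev.raj", date(2004, 1, 15)),   # developer migrated own change
    Migration("CR-103", "ops.sam", date(2004, 1, 20)),   # emergency, never reviewed
    Migration("CR-104", "ops.sam", date(2004, 1, 22)),   # approved and tested by developers
    Migration("CR-105", "ops.sam", date(2004, 1, 28)),   # emergency, reviewed after the fact
    Migration("CR-999", "ops.sam", date(2004, 1, 30)),   # no change request on file
]


def review_migrations(migrations: List[Migration],
                      change_requests: Dict[str, ChangeRequest],
                      owners: Set[str]) -> Dict[str, List[str]]:
    """Return {cr_id: [exception, ...]} for every migration failing an attribute."""
    exceptions: Dict[str, List[str]] = {}
    for m in migrations:
        cr = change_requests.get(m.cr_id)
        if cr is None:
            # A migration with no change request is an unauthorized change by definition.
            exceptions[m.cr_id] = ["no change request on file for this migration"]
            continue
        issues: List[str] = []
        if cr.approved_by not in owners:
            issues.append("not approved by an application/data owner")
        if cr.tested_by is None or cr.tested_by == cr.developer:
            issues.append("no test sign-off independent of the developer")
        if m.migrated_by == cr.developer:
            issues.append("developer migrated own change into production")
        if cr.emergency and cr.post_review_by not in owners:
            issues.append("emergency change lacks after-the-fact owner review")
        if issues:
            exceptions[m.cr_id] = issues
    return exceptions


if __name__ == "__main__":
    for cr_id, issues in review_migrations(MIGRATIONS, CHANGE_REQUESTS, OWNERS).items():
        print(cr_id, "->", "; ".join(issues))
```

Run against the constructed data, CR-101 and CR-105 pass; the other four migrations each surface the specific attribute that failed, which is the granularity the risk and control matrix needs when the gap is written up.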
Format for Documentation and Control-Related Work
Evaluation of IT-related risks and controls should be formatted similarly to other process and control work:
Process maps
Process narratives
Risk and control matrices
All work should focus on controls that affect the financial reporting and disclosure risks and controls
Must address financial reporting assertions

Evaluation of IT Controls
After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risk
The evaluation should include both manual and systems-based controls - even in the General Controls processes
At this point, control gaps, if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls
For controls evaluated as effective, the next step is to develop a testing plan so that operating effectiveness can be evaluated
Approach to IT General Controls Testing
(Define Testing Scopes - Build Testing Plan - Execute Testing - Analyze Test Results - Update Testing)
Key IT General Controls can and should be tested similarly to other processes with pervasive controls:
There needs to be a combination of inquiry, inspection, observation and re-performance
Process flows and risk and control matrices should be referenced and are key to selecting the type of test needed
Timing of this testing - two competing issues:
One external firm indicated that pervasive controls such as IT General Controls should be tested near the "as of" date
Testing of these needs to be done early in the overall process, because the results of these tests directly impact the nature and extent of testing of controls downstream of these

Documenting General Controls Testing
Documentation of IT General Controls testing should be similar to other processes with pervasive controls:
There need to be documentation standards for inquiry, inspection, observation and re-performance testing; scoping should be based on the overall approach
Evidence of tests should be retained for review and approval

Are you Ready for IT Control Identification & Testing? Application Controls
John Gimpert, CPA, Deloitte

Importance of IT in Sarbanes-Oxley
For most organizations, IT controls are pervasive to the financial reporting process
Financial applications and automated systems are typically used to initiate, record, process and report transactions
Applications and ERP systems are supported by the general computing environment
Effectiveness of the application computing controls is dependent upon the general computing controls
Limitations of application controls may need to be appropriately mitigated by general computing controls
Overall, application and general computing controls support the integrity and reliability of financial reporting

A Roadmap for Compliance
1. Plan Scope - the financial reporting process and its supporting systems
2. Perform Risk Assessment - probability and impact to the business; size/complexity
3. Identify Significant Controls - application controls over initiating, recording, processing and reporting; IT General Controls
4. Document Controls - policy manuals, procedures, narratives, flowcharts, configurations, assessment questionnaires
5. Evaluate Control Design - mitigates control risk to an acceptable level; understood by users
6. Evaluate Operational Effectiveness - internal audit, technical testing, self-assessment, inquiry; all locations and controls (annual)
7. Determine Material Weaknesses - significant weakness; material weakness; remediation
8. Document Results - internal evaluation; coordination with auditors; external evaluation
9. Build Sustainability - internal sign-off (302, 404); independent sign-off (404); business value
Source: IT Governance Institute (ITGI), IT Control Objectives for Sarbanes-Oxley Discussion Document

Internal Control Reliability Model
Determine the reliability and maturity of IT controls.
Stage 1 - Unreliable
Controls, policies and procedures are not in place and documented.
A disclosure creation process does not exist.
Employees are unaware of their control responsibilities.
Operating effectiveness of control activities is not evaluated regularly.
Control deficiencies aren't identified.
Stage 2 - Insufficient
Controls, policies and procedures are not fully documented.
A disclosure creation process is not fully documented.
Employees may not be aware of their responsibility for control activities.
Operating effectiveness of control activities is not evaluated regularly and the process isn't documented.
Control deficiencies may be identified but not remediated timely.
Stage 3 - Reliable
Controls and related policies and procedures are in place and adequately documented.
A disclosure creation process is in place and adequately documented.
Employees are aware of their responsibility for control activities.
Operating effectiveness of control activities is evaluated periodically; the process is documented.
Control deficiencies are identified and remediated timely.
Stage 4 - Optimal
Meets the characteristics of Stage 3.
An enterprise-wide control and risk management program exists such that controls are documented and continuously re-evaluated to reflect major process or organizational changes.
A self-assessment process is used to evaluate control design and effectiveness.
Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness.

Mapping Accounts to Controls
Significant accounts/processes: determine and walk through key transactions and accounts; identify applications and IT systems related to significant accounts and transactions; identify, document and test the controls supporting the above.
Financial statements (Balance Sheet, Income Statement) -> significant accounts (G/L, Inventory, Other) -> classes of transactions / business processes (Process A, Process B, Process C) -> financial applications (Application A, Application B, Application C) -> application controls (examples: segregation of duties, data integrity, completeness, timeliness) -> general computing controls (security, retention, operations, configuration)

Application Controls: Definition
Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing
Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct
Application controls are typically embedded within software programs to prevent or detect unauthorized transactions

Linking Business Process to Controls
Control objectives:
Accounts receivable balances and reserves are complete and accurate.
Sales revenues and cost of goods sold are complete and accurate.
All purchase orders received are input and processed.
Invoices are generated using authorized terms and prices.
Only valid changes are made to customer master files.
Layers: Accounts Receivable (invoice controls) > Order Processing / Sales sub-process (order and supplier controls; customer controls) > Applications such as SAP, Oracle and others (customer order entry) > Databases and information > IT infrastructure (security, system software, networks)
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
General computing controls cover security access, change and configuration management, data retention, testing, processing integrity, etc.

Assertions
Element of transaction | Assertion | Potential error
1. Occurrence - Did the transaction occur? | Existence or occurrence | Validity
2. Ownership - Does the transaction give rise to an asset that represents rights of the entity or a liability that represents obligations of the entity? | Rights and obligations | Validity
3. Completeness - Are transactions missing? | Completeness | Completeness
4. Timing - Are transactions recorded in the correct accounting period? Are transactions recorded too early? Too late? | Existence or occurrence; Cutoff | Existence or occurrence; Cutoff
5. Amount - Is the transaction recorded at the correct amount? Amounts not subject to measurement uncertainty (i.e., accuracy); amounts subject to measurement uncertainty (i.e., valuation) | Valuation or allocation | Recording; Valuation
6. Classification - Is the transaction recorded in the correct general ledger account? | Presentation and disclosure | Recording
7. Presentation and disclosure - Is the transaction ultimately presented appropriately in the financial statements and, where relevant, are related matters appropriately disclosed? | Presentation and disclosure | Presentation

Examples of Control Identification
Objective | Assertion | Automated application controls
All orders received from customers are input and processed | Completeness | Pending order reports are generated daily for review. Incomplete order entries are flagged for completion.
Orders are processed only within the approved customer credit limits | Authorization | Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by the credit manager.
Only valid orders are processed | Existence or occurrence | Access to enter orders is limited to appropriate personnel. A valid customer number is required prior to order entry.
Orders and cancellations of orders are input accurately | Existence or occurrence | Critical data fields (e.g. order number, date, address) are pre-populated prior to order completion. Data entered on returns is matched with original sales information.

Types of Controls
Preventive, Detective, Manual, Information Technology
Preventive controls are designed to avert problems rather than correct them. Examples include passwords to application systems or an approval on all purchase orders over a specified limit.
Detective controls are meant to catch errors after the fact. These may take the form of reviews, reconciliations and analyses.
Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. Many manual controls can now be automated by application software, such as the triggering of exception reports.
IT controls consist of general controls (controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (to ensure completeness, accuracy, authorization and validity of data input and transaction processing).

Control Evaluation and Testing Process
Discovery process for existing controls: controls for those business processes impacting key transactions and accounts
Evaluation of control design: document the control, assess the design, document the assessment; if the design is not effective, remediate
Evaluation of control effectiveness: test control effectiveness, document the test results; if not effective, remediate
Prepare for certification
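The automated application controls in the control identification table above, and the preventive/detective distinction just described, look like this when they are actually embedded in an order-entry program. The following is an added example written for this page, not code from the presentation or from SAP, Oracle or any other application; the customer master, order records, field names and credit limits are constructed, and the "credit_manager" role name is an assumption.

```python
"""Automated application controls in an order-entry routine (added example).

Preventive controls: required fields (completeness), valid customer number
(existence/occurrence), unique order number (accuracy), over-limit orders
pended rather than processed (authorization), credit-manager-only release,
returns matched to an original sale. Detective control: the daily pending
order report. All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REQUIRED_FIELDS = ("order_no", "customer_no", "ship_to", "amount")


@dataclass
class Customer:
    customer_no: str
    credit_limit: float
    open_balance: float = 0.0


@dataclass
class OrderBook:
    customers: Dict[str, Customer]
    sales: Dict[str, float] = field(default_factory=dict)         # processed order_no -> amount
    pending_credit: List[dict] = field(default_factory=list)      # held for credit review
    incomplete: List[dict] = field(default_factory=list)          # held for completion
    rejected: List[Tuple[str, str]] = field(default_factory=list)


def enter_order(book: OrderBook, order: dict) -> str:
    """Apply the input controls to one order and return its disposition."""
    # Completeness: incomplete entries are flagged and held, never silently processed.
    missing = [f for f in REQUIRED_FIELDS if order.get(f) in (None, "")]
    if missing:
        book.incomplete.append({**order, "missing": missing})
        return "incomplete"
    # Existence/occurrence: a valid customer number is required before entry proceeds.
    cust = book.customers.get(order["customer_no"])
    if cust is None:
        book.rejected.append((order["order_no"], "invalid customer number"))
        return "rejected"
    # Accuracy: order numbers must be unique across processed and pended orders.
    if order["order_no"] in book.sales or any(o["order_no"] == order["order_no"]
                                              for o in book.pending_credit):
        book.rejected.append((order["order_no"], "duplicate order number"))
        return "rejected"
    # Authorization: over-limit orders are pended for credit review, not processed.
    if cust.open_balance + order["amount"] > cust.credit_limit:
        book.pending_credit.append(order)
        return "pended"
    book.sales[order["order_no"]] = order["amount"]
    cust.open_balance += order["amount"]
    return "processed"


def release_pended(book: OrderBook, order_no: str, approver_role: str) -> str:
    """Only the credit manager may release an over-limit order (role name assumed)."""
    if approver_role != "credit_manager":
        return "denied"
    for i, o in enumerate(book.pending_credit):
        if o["order_no"] == order_no:
            book.pending_credit.pop(i)
            book.sales[order_no] = o["amount"]
            book.customers[o["customer_no"]].open_balance += o["amount"]
            return "processed"
    return "not found"


def process_return(book: OrderBook, ret: dict) -> str:
    """A return must match an original sale and may not exceed its amount."""
    sale_amount = book.sales.get(ret["order_no"])
    if sale_amount is None:
        return "rejected: no matching sale"
    if ret["amount"] > sale_amount:
        return "rejected: exceeds original sale"
    return "accepted"


def pending_order_report(book: OrderBook) -> Dict[str, List[str]]:
    """Detective control: the daily report of held orders for reviewer follow-up."""
    return {"incomplete": [o.get("order_no") for o in book.incomplete],
            "pending_credit": [o["order_no"] for o in book.pending_credit]}


def run_sample() -> Dict[str, object]:
    """Walk constructed orders through the controls; returns each disposition."""
    book = OrderBook(customers={"C100": Customer("C100", 5000.0),
                                "C200": Customer("C200", 1000.0)})
    r: Dict[str, object] = {}
    r["SO-1"] = enter_order(book, {"order_no": "SO-1", "customer_no": "C100", "ship_to": "Dock 4", "amount": 3000.0})
    r["SO-2"] = enter_order(book, {"order_no": "SO-2", "customer_no": "C200", "ship_to": "Dock 1", "amount": 1500.0})
    r["SO-3"] = enter_order(book, {"order_no": "SO-3", "customer_no": "C100", "ship_to": "", "amount": 10.0})
    r["SO-4"] = enter_order(book, {"order_no": "SO-4", "customer_no": "C999", "ship_to": "Dock 2", "amount": 10.0})
    r["SO-1-dup"] = enter_order(book, {"order_no": "SO-1", "customer_no": "C100", "ship_to": "Dock 4", "amount": 1.0})
    r["release-clerk"] = release_pended(book, "SO-2", "order_clerk")
    r["release-mgr"] = release_pended(book, "SO-2", "credit_manager")
    r["RET-SO-1"] = process_return(book, {"order_no": "SO-1", "amount": 500.0})
    r["RET-SO-9"] = process_return(book, {"order_no": "SO-9", "amount": 500.0})
    r["RET-over"] = process_return(book, {"order_no": "SO-1", "amount": 4000.0})
    r["report"] = pending_order_report(book)
    return r


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, "->", v)
```

The two gaps found in the sample evaluation further down the page (incomplete orders being processed; returns accepted without a matching sale) correspond to the completeness hold in enter_order and the lookup in process_return: if either check is absent or can be bypassed, the control is designed but not operating.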
Sample Result of Evaluation Process
Control activity | Example test of effectiveness | Control gaps
Pending order reports are generated daily for review. | Obtain reports from the individual responsible for review. | None noted.
Incomplete order entries are flagged for completion. | Observe entry of a sample of incomplete orders. | Gap noted: some incomplete orders are processed.
Orders entered that exceed customer credit limits are pended for review prior to processing. | Review application security settings to ensure the control is set up properly. | None noted.
Access to change/override customer credit limits requires approval by the credit manager. | Review application security settings to ensure the control is set up properly. | Gap identified: one person can enter orders and increase customer credit limits.
Access to enter orders is limited to appropriate personnel. | Compare who the system allows to enter orders to the list of management-approved personnel. | Gap identified: access rights are not updated promptly when personnel change roles.
A valid customer number is required prior to order entry. | Observe entry of a sample of orders with wrong customer numbers. | None noted.
Critical data fields (e.g. order number, date, address) are pre-populated prior to order completion. | Query a sample of order numbers to ensure uniqueness. | None noted.
Data entered on returns is matched with original sale information. | Compare a sample of sales returns against sales to ensure they match. | Gap identified: a return can be processed without matching an original sale.

Lessons Learned
Effective IT application controls are critical and serve as a first line of defense
Some controls exist at both the general computing and application layers - for instance, security controls
Application controls can be modernized; many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist)
Application controls can be proactively built into applications and can help identify risks
Improved application controls can result in improved application effectiveness and help drive higher-quality applications
A well-controlled environment is a first step toward improved IT Governance
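Two of the tests in the sample evaluation above (compare who the system allows to enter orders against the management-approved list; confirm that one person cannot both enter orders and raise credit limits) are the same security administration tests described in the General Controls section, and both can be re-performed from a role export. The script below is an added example, not part of the presentation or of any product; the role names, the functions each role grants, management's incompatible-function rules, the user export, the approved-access list and the activity log are all constructed.

```python
"""Security administration tests over a constructed role export (added example).

1. sod_conflicts: users whose combined roles grant both halves of an
   incompatible-function pair (segregation of duties, "can").
2. access_reconciliation: system access compared with the management-approved
   list (terminated users still present; roles beyond what was approved).
3. exercised_conflicts: a detective compensating test over the activity log
   showing where a conflict was actually used on the same customer ("did").
Every name and record below is constructed sample data.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: which application functions each role grants
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ORDER_ENTRY":  {"enter_order", "cancel_order"},
    "CREDIT_ADMIN": {"change_credit_limit"},
    "AP_CLERK":     {"create_vendor"},
    "AP_APPROVER":  {"approve_payment"},
    "SALES_REPORT": {"view_sales_report"},
}

# Constructed: management's incompatible-function pairs
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"enter_order", "change_credit_limit"}),
    frozenset({"create_vendor", "approve_payment"}),
]

# Constructed system export: user -> roles currently granted
SYSTEM_USERS: Dict[str, Set[str]] = {
    "alice": {"ORDER_ENTRY", "CREDIT_ADMIN"},   # approved, but an SoD conflict
    "bob":   {"ORDER_ENTRY"},
    "carol": {"AP_CLERK", "AP_APPROVER"},       # approved, but an SoD conflict
    "dave":  {"ORDER_ENTRY", "SALES_REPORT"},   # changed roles; ORDER_ENTRY never removed
    "erin":  {"ORDER_ENTRY"},                   # left the company; still in the system
}

# Constructed management-approved access list: user -> approved roles
APPROVED: Dict[str, Set[str]] = {
    "alice": {"ORDER_ENTRY", "CREDIT_ADMIN"},
    "bob":   {"ORDER_ENTRY"},
    "carol": {"AP_CLERK", "AP_APPROVER"},
    "dave":  {"SALES_REPORT"},
}

# Constructed activity log: (user, function, customer_no)
ACTIVITY_LOG: List[Tuple[str, str, str]] = [
    ("alice", "change_credit_limit", "C200"),
    ("alice", "enter_order", "C200"),
    ("bob", "enter_order", "C100"),
    ("alice", "enter_order", "C300"),
]


def user_functions(roles: Set[str], role_functions=ROLE_FUNCTIONS) -> Set[str]:
    """Flatten a user's roles into the set of functions they can perform."""
    funcs: Set[str] = set()
    for r in roles:
        funcs |= role_functions.get(r, set())
    return funcs


def sod_conflicts(system_users=SYSTEM_USERS, rules=SOD_RULES) -> List[Tuple[str, Tuple[str, ...]]]:
    """Users holding every function of an incompatible pair, regardless of approval."""
    hits = []
    for user, roles in sorted(system_users.items()):
        funcs = user_functions(roles)
        for rule in rules:
            if rule <= funcs:
                hits.append((user, tuple(sorted(rule))))
    return hits


def access_reconciliation(system_users=SYSTEM_USERS, approved=APPROVED) -> Dict[str, object]:
    """Compare system access with the management-approved list."""
    not_on_list = sorted(u for u in system_users if u not in approved)
    beyond: Dict[str, List[str]] = {}
    for user, roles in sorted(system_users.items()):
        if user in approved:
            extra = sorted(set(roles) - approved[user])
            if extra:
                beyond[user] = extra
    return {"not_on_approved_list": not_on_list, "roles_beyond_approval": beyond}


def exercised_conflicts(log=ACTIVITY_LOG, rules=SOD_RULES) -> List[Tuple[str, str]]:
    """(user, customer) pairs where one user actually performed both halves of a rule."""
    by_user_cust: Dict[Tuple[str, str], Set[str]] = {}
    for user, func, cust in log:
        by_user_cust.setdefault((user, cust), set()).add(func)
    return sorted(key for key, funcs in by_user_cust.items()
                  if any(rule <= funcs for rule in rules))


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    print("Access reconciliation:", access_reconciliation())
    print("Conflicts exercised:", exercised_conflicts())
```

Note that alice and carol reconcile cleanly to the approved list yet still fail the segregation test: an access review confirms that grants match what management signed off, it does not confirm that what management signed off is compatible. The activity-log test is the compensating detective control to apply where the conflict cannot be removed, for example in a small department.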
Sarbanes-Oxley to Increase Shareholder Value
Risk Management: compliance with Sarbanes-Oxley has a direct impact, and IT control improvements can reduce risk for downstream business initiatives
Operating Margin: a deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation
Asset Efficiency: operational improvement regarding IT management processes; consolidation of systems to reduce complexity can result in operational efficiencies
Revenue Growth: inventory your critical customer systems and data for future sales targeting initiatives

Are you Ready for IT Control Identification & Testing? Establishing a Framework
Reginald B. Combs, CISA, Lockheed Martin Corporation

Establishing a Framework
The COSO/COBIT Relationship
Considerations When Identifying Controls
Entity, General, or Application Control?

Establishing a Framework: The COSO/COBIT Relationship
To assess an organization's internal controls, first identify the assessment criteria:
The COSO report defines internal control consistent with current auditing standards and SAS guidance
The COSO report also identifies five components of effective internal control: Control Environment; Risk Assessment; Information & Communication; Control Activities; Monitoring
Section 404: establish and maintain an adequate internal control structure

Establishing a Framework: The COSO/COBIT Relationship (continued)
To assess an organization's IT internal controls, first identify the assessment criteria:
The COBIT framework is generally applicable and accepted as a standard for good IT security and control practices
COBIT business/fiduciary requirements are derived from the COSO categories
COBIT classifies control objectives into four groups (domains): Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate
COSO and COBIT provide a complementary framework for IT control identification

Mapping the COSO/COBIT Relationship
[Matrix of COBIT domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate) against COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring), with an X where a domain supports a component; each domain supports several components]

Considerations When Identifying Controls
Focus on key controls:
How does the application support the key financial processes?
Is the application processing data or acting as a repository?
Who relies on the controls?
Consider the types of errors that can occur at the application and process level
Ask "what can go wrong" questions
When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts

Entity, General, or Application Control?
Varying opinions on which controls fall into each category
Establish definitions early and obtain consensus
Communicate throughout the organization

Entity, General, or Application Controls? Example: Lockheed Martin Corporation
Entity Level Controls: applied at the LM corporate level; define tone at the top; organized by the COSO components (Control Environment, Risk Assessment, Information & Communication, Control Activities, Monitoring)
General Controls: applied at the LM business area or business unit level (Aeronautics, Electronic Systems, Space Systems, Integrated Systems & Solutions, Corporate & Shared Services, Information & Technology Services); based on the COBIT framework (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate)
Application Controls: applied at the application level; controls based on standard application support processes (inputs, processing, outputs, interfaces, configuration management, backup & recovery)

SOX 404 Documentation Tools (IIA GAIN Flash Survey)
Risk Control Tracking - Deloitte: 20%
CAT - KPMG: 11%
Internal Control Workbench - PwC: 10%
MS Office tools + Visio: 7%
SarBox Portal - Protiviti: 7%
Risk Navigator - Paisley: 6%
All others: 39% (Pentana; JeffersonWells; E&Y's tool; developed in-house; SOXA Accelerator; Focus - Paisley; Axentis; ERA - Methodware; Lotus Notes; Horizon - JP Morgan; ICT - Grant Thornton; OpenPages; SOX Express; SPF; TeamMate; Dynamic Policy)
Source: http://www.gain2.org/sox4jwsum.htm

Concluding Remarks - Lessons Learned
Understanding the role of IT controls means understanding IT better
Updating skill sets to identify/classify controls
Changing business auditors' mindset: what they can do; when IT auditors are needed; how to relate types of testing; how to determine the impact of deficiencies

Questions & Answers
E-mail your questions by clicking on the link provided or directly to [email protected]

Next Webcast: March 9, 2004
Balancing SOX with Risk-Based Audit Planning
See you at our next webcast!