1 Are You Ready for IT Control Identification & Testing? The Institute of Internal Auditors February 10, 2004 Moderator: Xenia Ley Parker, CIA, CISA, CFSA.

• Slide 1

1 Are You Ready for IT Control Identification & Testing? The Institute of Internal Auditors February 10, 2004 Moderator: Xenia Ley Parker, CIA, CISA, CFSA XLP Associates Slide 2 2 Agenda Introduction & Overview Xenia Ley Parker, XLP Associates General Controls Edward Hill, Protiviti Application Controls John Gimpert, Deloitte Establishing a Framework Reggie Combs, Lockheed Martin Break Q & A Slide 3 3 References Public Company Oversight Board - www.pcaobus.org/ Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm Internal ControlIntegrated Framework Committee of Sponsoring Organizations of the Treadway Commission (COSO), Exposure Draft Enterprise Risk Management Framework- www.coso.org CobiT 3rd Edition, IT Governance Institute - www.isaca.org IT Control Objectives for Sarbanes-Oxley- www.itgi.org The IIA GAIN Flash Survey Use of SOX tools - www.gain2.org/sox4jwsum Protiviti Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions - www.protiviti.com Deloitte Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 - www.deloitte.com PricewaterhouseCoopers Understanding the Independent Auditors Role in Building Trust; The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges - www.pwc.com Slide 4 4 PCAOB ED Statements: Impact on IT Control Guidance determining which controls should be tested generally, such controls include information technology general controls, on which other controls are dependent (page 41) The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting (page 48) Information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively (page 51) Slide 5 5 PCAOB ED Statements Impact on IT Control Guidance The risk that the controls might not be operating effectively. Factors include the following: The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls) (p 74) The audit should trace all types of transactions and events, both recurring and unusual from origination through the companys information systems until they are reflected in the companys financial reports (page 79) Source: http://www.pcaobus.org/ Slide 6 6 Introduction of Key Issues Define 404 universe, processes, risks, & controls Identify key controls: assertions related to control considerations Impact of IT controls Application vs. IT controls Establishing a framework Slide 7 7 PCAOB Release No. 2003-017 issued 7 October 2003 Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework Other suitable frameworks have been published in other countries and likely will be published in the future Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes Slide 8 8 Tone at the Top IT Executives need to be well versed on internal control theory and practice Does the audit committee have the expertise to understand the relevance and degree of reliability/importance of IT controls? Is the audit committee aware of any significant activities affecting the IT environment as it relates to financial reporting? Slide 9 9 IT Control Objectives for Sarbanes-Oxley: Common Elements of Organizations Slide 10 10 Sarbanes Oxley, COSO and COBIT Slide 11 11 Sarbanes-Oxley IT Diagnostic Questions 1. Does the SOX steering committee understand the risks inherent in IT systems & their impact on compliance with Section 404? 2. Does IT management understand the financial reporting process and its supporting systems? 3. Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing? 4. Are policies governing security, availability and processing integrity established, documented & communicated to all members of the IT organization? 5. Are the IT departments roles and responsibilities related to Section 404 documented & understood by all members of the IT department? Slide 12 12 Sarbanes-Oxley IT Diagnostic Questions 6. Do IT employees understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, & are they supported with appropriate skill development? 7. Is the IT departments risk assessment process integrated with the companys overall risk assessment process for financial reporting? 8. Does IT document, evaluate & remediate IT controls related to financial reporting on an annual basis? 9. Does IT have a formal process in place to identify & respond to IT control deficiencies? 10. Is the effectiveness of IT controls monitored & followed up on a regular basis? Source for Slides 8-12: IT Governance Institute, ISACA Slide 13 13 Are you Ready for IT Control Identification & Testing? General Controls Edward Hill, CPA Protiviti Slide 14 14 Plain English Approach: IT Risks & Controls for SOX 404 Integrated Application Specific Processes Application & Data Owner Processes General IT Processes IT Process Level Control Evaluations IT Organization & Structure IT Entity Level Control Evaluations Define Universe, processes, risks & controls Assertion relationships Document key controls & valuate Testing of key controls & what to do Slide 15 15 Process Level: IT Risks & Controls Integrated Application Specific Processes Application and Data Owner Processes General IT Processes Most important part of this discussion: These processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the IC objectives over the reliability of financial reporting. Slide 16 16 Security Administration Application Maintenance - Change Control Ensure Continuity - Data Management & Disaster Recovery Manage Technical Infrastructure & Operations - Problem Management Asset Management General IT Process Risks and Controls-A Typical Universe & Risk Assessment General IT Processes Slide 17 17 Impact of STRONG Controls at the IT General Controls Integrated Application Specific Processes Application & Data Owner Processes General IT Processes Applications perform as designed Programmed controls function as designed Access to transactions and data function as designed WHEN SETTING SCOPE: Work at application and data owner level can focus on proper design of controls General controls provide an indication that such controls operate as intended Slide 18 18 How does this relate to the assertions - what can go wrong? Security, designed & implemented properly, assures transactions are executed by only those individuals with authorization. Security, designed appropriately, ensures (physical and electronic) access to assets is restricted. This impact must be understood at each IT component level: Application transaction and data level Access to the systems and infrastructure such as administrator and super user: Databases Platforms (operating systems) Networks Controls Security Administration Slide 19 19 Potential impact on assertions: Transactions are executed only by individuals authorized by management to do so Duties that are incompatible from an internal control standpoint are segregated in accordance with managements criteria Updates and changes to applications may impact how security should be managed and the duties which may need to be segregated (authorized and segregation issues) Security & Segregation of Duties Slide 20 20 Risk and controls documented, evaluated for specific process portions: Role set up, maintenance and periodic validation User set up, maintenance and deletion Data classification and rules allowing access to sensitive data Periodic transaction and data access review, validation and follow- up Risks and controls documented, evaluated at the technical level: Set up of administrative and other sensitive accounts for all technology components Add, modify and delete procedures Audit trail rules and set-up Monitoring and review procedures for usage of administrative and sensitive account Security Administration Slide 21 21 Risk and controls documented, evaluated for specific process portions: Development and maintenance of security roles restricting access to transitions and data to only individuals with a valid business need to execute transactions and access data Development and communication to the IT organization the roles and transactions needed to be segregated from an internal controls standpoint Maintenance and review of applications changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint Security Administration Slide 22 22 How does this relate to the assertions- what can go wrong: Application change provides assurances that applications function as intended and integrity of processing can be assured Appropriate application changes assure completeness and accuracy of processing Together with the security administration, processes assures transactions can only be initiated, modified or deleted by individuals authorized by management to execute and view transactions Access to applications and data through the change process must be restricted so that inadvertent or deliberate changes to the following do not occur: Production data Other related components such as interface routines, background processing and updates, etc. Manage Applications-Change Controls Slide 23 23 How does this relate to the assertions- what can go wrong: Application changes may not be in accordance with the directives of the business owners causing them not to function as intended or without the appropriate controls- impacts Completeness and accuracy Authorization Access to assets There may be changes to the security administration of roles and responsibilities that effect the controls which ensure appropriate authorization of transactions and access to assets Application & Data Owner Responsibilities For Change Controls Slide 24 24 Risk and controls documented, evaluated for specific process Initiation of change requests Testing and approval of changes prior to migration into the production environment Critical calculations and data validation and exception routines Interfaces Job sequencing and interrelationships Application migration procedures Integrity of process and access to applications and data by migrators Back out and validation of successful migrations Emergency change procedures and processes Management Applications Change Controls Slide 25 25 Risk and controls documented, evaluated for specific process Changes are appropriately initiated and approved by the application and data owners All changes are reviewed by the application owners from a controls perspective and a sign-off that controls have been appropriately considered for any change(s) Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.) There should be review (after the fact) of emergency changes such that application owners verify validity of change and the appropriateness of change on programmed controls. Business Owner Change Control Processes Slide 26 26 Evaluation of IT-related risks and controls should be formatted similar to other process and control work Process maps Process narratives Risk and control matrices All work should focus on controls that affect the financial reporting and disclosure risks and controls Must address financial reporting assertions Format for Documentation and Control Related Work Slide 27 27 After the documentation is complete, evaluate each risk to determine whether the controls are designed to effectively mitigate the risks The evaluation should include both manual and systems-based controls - even in the General Controls processes At this point, control gaps if any, should be identified and a management action plan to deal with the gaps determined, for both manual and systems-based controls For controls evaluated as effective, the next step is to develop a testing plan so that the operating effectiveness can be evaluated Evaluation of IT Controls Slide 28 28 For IT General Controls testing Test key controls can and should be tested similar to other processes with pervasive controls: There needs to be a combination of inquiry, inspection, observation and re-performance Process flows and risk and control matrices should be referenced and a key to selecting the type of test needed Timing of this testing- two competing issues One external firm indicated that for pervasive controls such as IT General controls these controls should be tested near the as of date Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls downstream of these. Approach to IT General Controls Testing Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Update Testing Slide 29 29 For IT General Controls testing Documentation of testing should be tested similar to other processes with pervasive controls: There needs to be documentation standards for inquiry, inspection, observation and re-performance testing- scoping should be based on overall approach Evidence of tests should be retained for review and approval Documenting General Controls Testing Define Testing Scopes Build Testing Plan Execute Testing Analyze Test Results Update Testing Slide 30 30 Are you Ready for IT Control Identification & Testing? Application Controls John Gimpert, CPA Deloitte Slide 31 31 Importance of IT in Sarbanes Oxley For most organizations, IT controls are pervasive to the financial reporting process Financial applications and automated systems are typically used to initiate, record, process and report transactions Applications and ERP systems are supported by the general computing environment Effectiveness of the application computing controls are dependant upon the general computing controls Limitations of application controls may need to be appropriately mitigated by general computing controls Overall, application and general computing controls support the integrity and reliability of financial reporting Slide 32 32 A Roadmap for Compliance Source: IT Governance Institute (ITGI) IT Control Objectives for Sarbanes Oxley Discussion Document Slide 33 33 Meets characteristics of Stage 3. An enterprise-wide control and risk mgt. program exists such that controls are documented and continuously reevaluated to reflect major process or organizational changes. A self-assessment process is used to evaluate controls design and effectiveness. Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness. Controls and related policies and procedures are in place and adequately documented. A disclosure creation process is in place and adequately documented. Employees are aware of their responsibility for controls activities. Operating effectiveness of control activities is evaluated periodically; the process is documented. Control deficiencies are identified and remediated timely. Controls and policies and procedures are not fully documented. A disclosure creation process is not fully documented. Employees may not be aware of their responsibility for control activities. Operating effectiveness of control activities is not evaluated regularly and the process isnt documented. Control deficiencies may be identified but not remediated timely. Controls, policies and procedures are not in place and documented. A disclosure creation process does not exist. Employees are unaware of their controls responsibility. Operating effectiveness of control activities is not evaluated regularly. Control deficiencies arent identified. Characteristics Stage 4OptimalStage 3ReliableStage 2InsufficientStage 1Unreliable Internal Control Reliability Model Determine the reliability and maturity of IT controls. Slide 34 34 Financial Applications Mapping Accounts to Controls Determine and walk- through key transactions and accounts Identify applications and IT systems related to significant accounts and transactions Identify, document and test controls supporting the above Classes of Transactions / Business Processes Process A Process B Process C Significant Accounts/Processes Balance Sheet Income Statement G/L Inventory Other Application C Application controls (examples) Seg of Duties Data integrity Completeness Timeliness Application B Application A General Computing Controls Security Retention Operations Configuration Slide 35 35 Application Controls: Definition Application controls help ensure the completeness, accuracy, authorization and validity of all transactions during application processing Application controls also support interfaces to other application systems to help ensure all inputs are received in a complete and accurate manner and outputs are correct Application controls are typically embedded within software programs to prevent or detect unauthorized transactions Slide 36 36 Control Objectives Account Receivable balances and reserves are complete and accurate. Sales revenues and cost of goods sold is complete and accurate All purchase orders received are input and processed Invoices are generated using authorized terms and prices Only valid changes are made to customer master files. Linking Business Process to Controls Customer order entry Accounts Receivable Invoice control s SAP, Oracle, Other Applications Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information. General computing controls cover security access, change and configuration mgt, data retention, testing, processing integrity, etc. Order Processing Order & supplier controls Sales Sub-process Customer controls IT Infrastructure Networks System Software Databases and Information Security Slide 37 37 Assertions Slide 38 38 Examples of Control Identification Access to enter orders is limited to appropriate personal. A valid customer number is required prior to order entry. Existence or Occurrences Only valid orders are processed Pending order reports are generated daily for review. Incomplete order entries are flagged for completion. CompletenessAll orders received from customers are input and processed Critical data fields (e.g.; order number, date, address) are pre-populated prior to order completion. Data entered on returns is matched with original sales information. Existence or Occurrences Orders and cancellations of orders are input accurately Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by credit manager. AuthorizationOrders are processed only within the approved customer credit limits Automated Application ControlsAssertionObjective Slide 39 39 Types of controls Preventive Preventative controls are designed to avert problems rather than correct them. Some examples include passwords to application systems or an approval on all purchase orders over a specified limit. Detective Detective controls are meant to catch errors after the fact. These may take the form of reviews, reconciliations, and analyses. Manual Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. Many manual controls can now be automated by application software such as the triggering of exception reports. Information Technology IT controls consist of general controls (include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (to ensure completeness, accuracy, authorization, and validity of data input and transaction processing). Slide 40 40 Control Evaluation and Testing Process Discovery process for existing controls Controls for those business processes impacting key transactions and accounts Evaluation of Control Effectiveness Test Control Effectiveness Document the Test Results Remediate Prepare for Certification Y N N Y Evaluation of Control Design Assess the Control Design Document the Assessment Document Control Remediate Slide 41 41 Sample Result of Evaluation Process None noted. Gap Identified: One person can enter orders and increase customer credit limits. Review application security settings to ensure control is set up properly. Orders entered that exceed customer credit limits are pended for review prior to processing. Access to change/override customer credit limits requires approval by credit manager. Gap identified: access rights are not updated promptly when personnel change roles None noted. Compare who system allows to enter orders to list of management approved personnel. Observe entry of sample orders with wrong customer numbers. Access to enter orders is limited to appropriate personal. A valid customer number is required prior to order entry. None noted. Gap Identified: Return can be processed without matching an original sale. None noted. Gap noted: Some incomplete orders are processed Control Gaps Query sample of order numbers to ensure uniqueness. Compare sample of sales returns against sales to ensure match. Obtain reports from individual responsible for review. Observe entry of sample incomplete orders. Example Test of Effectiveness Critical data fields (e.g.; order number, date, address) are pre- populated prior to order completion. Data entered on returns is matched with original sale information. Pending order reports are generated daily for review. Incomplete order entries are flagged for completion. Control Activity Slide 42 42 Lessons Learned Effective IT application controls are critical and serve as a first line of defense Some controls exist at both the general computing and applications layer - for instance Security Controls Applications controls can be modernized, many previously manual controls can be automated (such as automatic generation of reports when suspect conditions exist) Applications controls can be proactively built into applications and can help identify risks Improved applications controls can result in improved application effectiveness and help drive higher quality applications A well controlled environment is a first step toward improved IT Governance Slide 43 43 Sarbanes Oxley to Increase Shareholder Value Risk Management Compliance with Sarbanes Oxley has direct impact and IT control improvements can reduce risk for downstream business initiatives Operating Margin Deep understanding of process and technology linkages can result in process re-engineering initiatives, improving levels of automation Asset Efficiency Operational improvement regarding IT management processes Consolidation of systems to reduce complexity can result in operational efficiencies Revenue Growth Inventory your critical customer systems and data for future sales targeting initiatives Slide 44 44 Reginald B. Combs, CISA Lockheed Martin Corporation Are you Ready for IT Control Identification & Testing? Establishing A Framework Slide 45 45 Establishing A Framework The COSO/C OBI T TM Relationship Considerations When Identifying Controls Entity, General, or Application Control? Slide 46 46 Establishing A Framework The COSO/C OBI T TM Relationship To assess an organizations internal controls, first identify the assessment criteria: COSO report defines internal control consistent with current auditing standards and SAS guidance COSO report also identifies five components of effective internal control: Control Environment Risk Assessment Information & Communication Control Activities Monitoring 404: establish and maintain an adequate internal control structure Slide 47 47 Establishing A Framework The COSO/C OBI T TM Relationship To assess an organizations IT internal controls, first identify the assessment criteria: C OBI T framework is generally applicable and accepted as a standard for good IT security and control practices C OBI T Business/Fiduciary Requirements derived from COSO categories C OBI T classifies control objectives into four groups (domains): Plan & Organize Acquire & Implement Deliver & Support Monitor and Evaluate COSO and C OBI T Provide a Complementary Framework for IT Control Identification Slide 48 48 Mapping The COSO/COBIT TM Relationship Slide 49 49 Considerations When Identifying Controls Focus on Key controls: How does the application support the key financial processes? Is the application processing data or acting as a repository? Who relies on the controls? Consider the types of errors that can occur at the application and process level Ask What Can Go Wrong questions When evaluating IT controls and related risks, consider the relevant financial statement assertions for significant accounts Slide 50 50 Entity, General, or Application Control? Varying Opinions on which controls fall into each category Establish definitions early and obtain consensus Communicate throughout the organization Slide 51 51 Example: Lockheed Martin Corporation Slide 52 52 Pentana JeffersonWells E&Y's tool Developed in-house SOXA Accelerator Focus - Paisley Axentis ERA - Methodware Lotus Notes Horizon--JP Morgan ICT-Grant Thornton Open-Pages SOX Express SPF Teammate Dynamic Policy SOX 404 Documentation Tools Source: http://www.gain2.org/sox4jwsum.htm Slide 53 53 Concluding Remarks Lessons learned Understanding the role of IT controls means understanding IT better Updating skill sets to identify/classify controls Changing business auditors mindset What they can do; when IT auditors are needed How to relate types of testing How to determine the impact of deficiencies Slide 54 54 Questions & Answers E-mail your questions by clicking on the link provided or directly to [email protected] Slide 55 55 Next Webcast March 9, 2004 Balancing SOX with Risk Based Audit PlanningBalancing SOX with Risk Based Audit Planning See you at our next webcast!