Critical System Controls Presented by CohnReznick’s Government Contracting Industry Practice Bhavesh Vadhani, Principal


Jun 25, 2018

Page 1: Critical System Controls - GovCon360

Critical System Controls

Presented by CohnReznick’s Government Contracting Industry Practice

Bhavesh Vadhani, Principal

PLEASE READ

This presentation has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice.

No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

This presentation and its content are the property of CohnReznick LLP and are protected by applicable copyright laws. Any unauthorized use of the information herein will be considered a violation of CohnReznick LLP’s intellectual property rights. Unless stated otherwise herein, no part of this presentation may be copied, distributed, or published, in whole or in part, without the prior written agreement of CohnReznick LLP.

1

AGENDA

2

IT Controls – Basics

Different types of IT controls

IT General Controls

Application Processes and Controls

Application Controls & Deltek Costpoint

Impact of IT Controls

IF LIFE WERE LIKE A COMPUTER

• You could add/remove someone in your life using the control panel.

• You could put your kids in the recycle bin and restore them when you feel like it.

• You could improve your appearance by adjusting the display settings.

• You could click on ‘find’ (Ctrl F) to recover your lost remote control and car keys.

• To get your daily exercise, just click on ‘run’.

• If you mess up your life, you could always press “Ctrl, Alt, Delete” and start all over.

3

OBJECTIVES

• TO UNDERSTAND

  • How IT (information technology) impacts financial reporting and accounting

  • What IT controls are and the different types

  • Dependence of system application controls on general controls - risk and reliance factors

  • Various system application controls within Deltek Costpoint

4

HOW DOES IT HELP BUSINESS?

5

COMMON IT RISKS

6

• Misaligned with business objectives

• Confidentiality compromised

• Systems and data availability

• Data integrity

• Inaccurate reporting

• Privacy loss

• Inappropriate systems reliance

• Revenue loss

• Productivity loss

• Loss of user confidence

• Asset protection

IMPACT ON BUSINESS

7

IT FRAMEWORKS

8

IMPORTANCE OF IT CONTROLS

9

Critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron, WorldCom, etc.

Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment

TYPES OF IT CONTROLS

10

IT CONTROLS

IT General Controls

IT General Controls are controls that span across IT infrastructure within an organization and are essential to ensuring the confidentiality, integrity, availability, reliability, and quality of the systems and the underlying data.

Application Controls

Application Controls are either automated or IT-dependent manual controls that relate to the transactions and standing data appertaining to each computer-based application system.

11

IT GENERAL CONTROLS

• Entity Level

  • IT Policies, Procedures, and Standards

  • IT Organizational Chart; Roles and Responsibilities

• Access to Programs and Data

  • Firewalls, routers, switches, network operating systems, servers and other related devices are used and configured appropriately to prevent unauthorized access.

  • Information Security – NIST 800-53

• Program Development

  • System Development Life Cycle methodology

12

IT GENERAL CONTROLS (CONT.)

• Program Change

  • Change Management and Configuration Management Procedures

• Computer Operations

  • Service Level Agreements

  • Job Schedules

  • Data Backup and Recovery

• Disaster Recovery/Contingency Planning

  • Adequacy of Business Continuity Plan

  • Testing of Disaster Recovery Plan

13

APPLICATION PROCESSES & CONTROLS

• Embedded within software programs to prevent or detect unauthorized transactions

• Examples of application controls include data input validation, agreement of batch totals, encryption of data transmitted, etc.

• Ensure F/S (financial statement) assertions:

  • Completeness

  • Accuracy

  • Authorization

  • Segregation of Duties

14

APPLICATION CONTROLS: CONSIDERATIONS

Processes

• User Procedures

• Programs and Interfaces

• Transactions

• Data files

Environment

• Where is the application?

• Where is the data?

• Where are the transactions entered?

• Where are the exposures?

15

APPLICATION TRANSACTION LIFECYCLE

16

COSTPOINT

17

APPLICATION CONTROLS AND COSTPOINT

• Costpoint has built-in application controls that complement your internal control system

• These controls allow for greater reliance on financial information and will safeguard your financial system

• Application controls include:

  • Passwords

  • User set up

  • User Groups

  • Approval processes

  • Validations

• You can pick and choose the application controls that best fit your needs

18

APPLICATION CONTROL: PASSWORDS

• Passwords are required in Costpoint

• Standard password controls in Costpoint:

  • Passwords must be a minimum of 8 characters

  • Passwords must begin with a letter

• Optional password controls are available:

  • Reuse of passwords can be disallowed

  • Passwords can be set to require a number, a special character or both

  • Minimum password length can be set to greater than 8 characters

19

APPLICATION CONTROL: PASSWORDS

• Other options to consider:

  • What is the life of the password?

  • Disable inactive users after so many days

  • Verify employee status at login

20

APPLICATION CONTROL: PASSWORDS

• In Costpoint, go to Other / System Administration / System Settings ->

• On the main screen is a check box relating to “password re-use”

• Click on the “Corporate” subtask to set up your additional security rules surrounding passwords

21
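The password rules and login-time checks on the three password slides above, worked into a small policy checker. This is an added example written for this page, not Costpoint code and not CohnReznick's; the names (PasswordPolicy, UserRecord, check_password, set_password, login_status), the violation messages, and the constructed dates and passwords in demo() are assumptions. Old passwords are kept only as salted PBKDF2-SHA256 hashes, so the reuse check never needs plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Violation messages returned by check_password (wording chosen for this example)
TOO_SHORT = "shorter than the minimum length"
NOT_LETTER_FIRST = "must begin with a letter"
NO_DIGIT = "must contain a number"
NO_SPECIAL = "must contain a special character"
REUSED = "password was used recently"


@dataclass
class PasswordPolicy:
    min_length: int = 8                  # Costpoint standard minimum; may be raised
    require_digit: bool = False          # optional control
    require_special: bool = False        # optional control
    disallow_reuse: bool = False         # optional control
    max_age_days: Optional[int] = None   # "life of the password"
    inactive_days: Optional[int] = None  # disable a user idle longer than this


@dataclass
class UserRecord:
    user_id: str
    active: bool = True
    password_set_on: Optional[date] = None
    last_login: Optional[date] = None
    # (salt, PBKDF2-SHA256 digest) pairs, oldest first; plaintext is never stored
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def check_password(policy: PasswordPolicy, user: UserRecord, candidate: str) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(TOO_SHORT)
    if not candidate[:1].isalpha():
        problems.append(NOT_LETTER_FIRST)
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append(NO_DIGIT)
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        problems.append(NO_SPECIAL)
    if policy.disallow_reuse:
        for salt, old_digest in user.history:
            # hash the candidate under the old salt and compare in constant time
            if hmac.compare_digest(_digest(candidate, salt), old_digest):
                problems.append(REUSED)
                break
    return problems


def set_password(policy: PasswordPolicy, user: UserRecord, candidate: str, today: date) -> List[str]:
    problems = check_password(policy, user, candidate)
    if problems:
        return problems
    salt = os.urandom(16)                       # fresh salt per password
    user.history.append((salt, _digest(candidate, salt)))
    user.password_set_on = today
    return []


def login_status(policy: PasswordPolicy, user: UserRecord, today: date) -> str:
    """Outcome of a login: 'ok', 'disabled', 'disabled-inactive' or 'password-expired'."""
    if not user.active:
        return "disabled"
    if (policy.inactive_days is not None and user.last_login is not None
            and (today - user.last_login).days > policy.inactive_days):
        user.active = False                     # idle too long: disabled on the spot
        return "disabled-inactive"
    if (policy.max_age_days is not None and user.password_set_on is not None
            and (today - user.password_set_on).days > policy.max_age_days):
        return "password-expired"
    user.last_login = today
    return "ok"


def demo() -> dict:
    # Constructed scenario: tightened policy, one user changing passwords and logging in
    policy = PasswordPolicy(10, True, True, True, max_age_days=90, inactive_days=60)
    user = UserRecord("jdoe")
    out = {"weak": check_password(policy, user, "1short")}
    out["first_set"] = set_password(policy, user, "Winter2018!!", date(2018, 6, 1))
    out["reuse"] = set_password(policy, user, "Winter2018!!", date(2018, 6, 2))
    out["second_set"] = set_password(policy, user, "Summer2018!!", date(2018, 6, 2))
    user.last_login = date(2018, 6, 2)
    out["login_soon"] = login_status(policy, user, date(2018, 6, 10))
    out["login_after_idle"] = login_status(policy, user, date(2018, 9, 1))
    stale = UserRecord("asmith", password_set_on=date(2018, 1, 1), last_login=date(2018, 6, 1))
    out["stale_password"] = login_status(policy, stale, date(2018, 6, 5))
    return out
```

Running demo() shows a password rejected on three rules at once, a reuse attempt caught against the hash history, and the same user logging in normally and then being disabled once the idle limit is exceeded; the second constructed user trips the password-lifetime check instead.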

APPLICATION CONTROL: USERS

• Things to remember / consider when setting up users:

  • Assign to the proper User Group

  • Suppress labor dollar information (salary info)

  • Suppress Social Security Numbers

  • Inactivate terminated employees

• In Costpoint, go to Other / System Administration / System Settings / Maintain Users

22

APPLICATION CONTROL: USER GROUPS

• User Groups define the modules and functions that can be accessed

• Groups are set up based on roles

• Groups allow for growth and turnover

• Benefits of User Groups:

  • Restrict access to the system based on functional roles

  • Enhance your internal controls

  • Allow for greater reliance on your financial system

  • Decrease management override of the system

23

APPLICATION CONTROL: USER GROUPS

• Access to your system is reviewed by your auditors as well

• They will document this type of control and perform walkthroughs during risk assessment

• Having these controls function as designed will allow your auditor to place more reliance on your system and change their auditing procedures as a result

• This is a win / win for everyone

24

APPLICATION CONTROL: USER GROUPS

• Considerations related to User Groups:

  • Access should be based on the functional role of the user

  • Who can link accounts / orgs?

  • Who will have posting rights?

  • Who will have approver rights?

  • What about access to master files?

• Restrict access to control screens and utilities

  • Control screens can have system-wide implications

  • Utilities are great but only if used correctly

25

APPLICATION CONTROL: OVERRIDE RIGHTS (EXCEPTION, NOT A NORM)

• User override rights can have a negative impact on your system

• Override rights can weaken your internal controls

• Override rights should be an exception, not the norm

  • Use in instances of vacation and other leave to grant temporary access to a function or module

• Override rights should be closely monitored and maintained

26
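One way to model user groups and override rights together, as an added example that is not Costpoint code and not CohnReznick's: access is decided by the user's group, and an override is a dated exception that must have an end date, a grantor other than the user and a bounded length, with a review report for the monitoring the slide calls for. The group and function names, user ids, the 30-day cap and the constructed vacation scenario in demo() are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

MAX_OVERRIDE_DAYS = 30  # assumed cap: an override is a short, dated exception, never open-ended


@dataclass
class OverrideRight:
    user_id: str
    function: str
    granted_by: str
    reason: str
    starts: date
    ends: date               # every override carries an end date
    revoked: bool = False

    def is_live(self, today: date) -> bool:
        return not self.revoked and self.starts <= today <= self.ends


@dataclass
class AccessModel:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> functions it may use
    members: Dict[str, str] = field(default_factory=dict)      # user -> group (functional role)
    overrides: List[OverrideRight] = field(default_factory=list)

    def group_functions(self, user_id: str) -> Set[str]:
        return self.groups.get(self.members.get(user_id, ""), set())

    def grant_override(self, user_id, function, granted_by, reason, starts, ends) -> OverrideRight:
        """Temporary access outside the user's group, with the guard rails the slide
        implies: dated, bounded in length, not self-granted, not redundant."""
        if granted_by == user_id:
            raise PermissionError("a user cannot grant an override to themselves")
        if ends < starts or (ends - starts).days > MAX_OVERRIDE_DAYS:
            raise ValueError(f"override must run between 0 and {MAX_OVERRIDE_DAYS} days")
        if function in self.group_functions(user_id):
            raise ValueError("function is already granted by the user's group")
        right = OverrideRight(user_id, function, granted_by, reason, starts, ends)
        self.overrides.append(right)
        return right

    def can_access(self, user_id: str, function: str, today: date) -> bool:
        """Group membership decides; a live override is the only other way in."""
        if function in self.group_functions(user_id):
            return True
        return any(o.user_id == user_id and o.function == function and o.is_live(today)
                   for o in self.overrides)

    def review_overrides(self, today: date) -> List[str]:
        """Findings for the periodic review: lapsed grants still on file, and grants
        made redundant because the user's group changed in the meantime."""
        findings = []
        for o in self.overrides:
            if o.revoked:
                continue
            if o.ends < today:
                findings.append(f"{o.user_id}: override for {o.function} ended {o.ends}, revoke it")
            elif o.function in self.group_functions(o.user_id):
                findings.append(f"{o.user_id}: override for {o.function} is now redundant with group")
        return findings


def demo() -> dict:
    """Constructed scenario: an AP clerk covers the AP supervisor's two-week vacation."""
    model = AccessModel(
        groups={"AP_CLERK": {"voucher_entry"},
                "AP_SUPERVISOR": {"voucher_entry", "voucher_approve", "check_run"},
                "CONTROLLER": {"gl_post", "je_approve"}},
        members={"clerk1": "AP_CLERK", "sup1": "AP_SUPERVISOR", "ctl1": "CONTROLLER"})
    out = {"before": model.can_access("clerk1", "voucher_approve", date(2018, 6, 1))}
    model.grant_override("clerk1", "voucher_approve", "ctl1", "covering sup1 vacation",
                         date(2018, 6, 4), date(2018, 6, 15))
    out["during"] = model.can_access("clerk1", "voucher_approve", date(2018, 6, 8))
    out["after"] = model.can_access("clerk1", "voucher_approve", date(2018, 6, 18))
    out["review"] = model.review_overrides(date(2018, 6, 18))
    for label, grantor, ends in (("self_grant", "clerk1", date(2018, 6, 5)),
                                 ("long_grant", "ctl1", date(2018, 9, 4))):
        try:
            model.grant_override("clerk1", "check_run", grantor, "test", date(2018, 6, 4), ends)
            out[label] = "allowed"
        except (PermissionError, ValueError):
            out[label] = "blocked"
    return out
```

The point of review_overrides() is that an override which silently outlives the leave it was granted for is exactly the "norm" the slide warns against; running the review on a schedule turns the monitoring bullet into a concrete list of grants to revoke.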

APPLICATION CONTROLS: JOURNAL ENTRIES

• There are several features in the General Ledger set up that can be turned on to enhance internal controls relating to Journal Entries

• Costpoint can:

  • Support the segregation of the creation of a JE from the approval/posting of the JE

  • Track changes to a JE

27

APPLICATION CONTROLS: JOURNAL ENTRIES

• Go to Accounting / General Ledger / Control / GL Settings ->

• “Update Entry Info when Editing a JE” -> Checking this option will allow for the user ID and date to be updated when a JE is modified

• Approval Settings subtab -> You specify which JE types require approval and set a transaction limit

28

APPLICATION CONTROLS: JOURNAL ENTRIES

• Define approvers and link users

• Go to Accounting / General Ledger / Control / JE Approver Settings ->

  • Add authorized approvers and link users to approvers

  • Option is available to have re-approval required if a JE is modified after approval but before posting

  • Self-approval is allowed – but not recommended

29
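The journal-entry controls from the three slides above, as an added example (not Costpoint's own code and not CohnReznick's): approval required by JE type above a transaction limit, approvers linked to the users whose entries they may approve, no self-approval, approval cleared when a JE is edited after approval but before posting, and the user id and date recorded on every edit. The field names, the "ADJ" type, the limit and the users in demo() are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ApprovalSettings:
    """The GL Settings / Approval Settings choices from the slides (field names assumed)."""
    types_requiring_approval: Set[str]
    transaction_limit: float           # entries at or below this limit need no approval
    reapprove_on_change: bool = True   # re-approval if modified after approval, before posting
    allow_self_approval: bool = False  # allowed in Costpoint, not recommended; off here
    update_entry_info: bool = True     # "Update Entry Info when Editing a JE"


@dataclass
class JournalEntry:
    je_id: str
    je_type: str
    amount: float
    created_by: str
    created_on: date
    approved_by: Optional[str] = None
    posted_by: Optional[str] = None
    modified_by: Optional[str] = None
    modified_on: Optional[date] = None
    log: List[str] = field(default_factory=list)  # audit trail of every action


class GeneralLedger:
    def __init__(self, settings: ApprovalSettings, approver_links: Dict[str, Set[str]]):
        self.settings = settings
        self.approver_links = approver_links  # preparer -> approvers linked to that user

    def needs_approval(self, je: JournalEntry) -> bool:
        return (je.je_type in self.settings.types_requiring_approval
                and je.amount > self.settings.transaction_limit)

    def edit(self, je: JournalEntry, user: str, today: date, new_amount: float) -> None:
        if je.posted_by:
            raise ValueError("posted entries cannot be edited")
        je.amount = new_amount
        if self.settings.update_entry_info:
            je.modified_by, je.modified_on = user, today
        je.log.append(f"{today} {user} changed amount to {new_amount}")
        if je.approved_by and self.settings.reapprove_on_change:
            je.log.append(f"{today} approval by {je.approved_by} cleared by edit")
            je.approved_by = None

    def approve(self, je: JournalEntry, approver: str, today: date) -> None:
        if je.posted_by:
            raise ValueError("entry is already posted")
        if not self.needs_approval(je):
            raise ValueError("entry does not require approval")
        if approver == je.created_by and not self.settings.allow_self_approval:
            raise PermissionError("self-approval is not allowed")
        if approver not in self.approver_links.get(je.created_by, set()):
            raise PermissionError(f"{approver} is not a linked approver for {je.created_by}")
        je.approved_by = approver
        je.log.append(f"{today} approved by {approver}")

    def post(self, je: JournalEntry, user: str, today: date) -> None:
        if user == je.created_by:
            raise PermissionError("the preparer may not post their own entry")
        if self.needs_approval(je) and je.approved_by is None:
            raise ValueError("approval required before posting")
        je.posted_by = user
        je.log.append(f"{today} posted by {user}")


def demo() -> dict:
    """Constructed walk-through: clerk1 prepares, ctl1 (the linked approver) approves and posts."""
    gl = GeneralLedger(ApprovalSettings(types_requiring_approval={"ADJ"}, transaction_limit=10_000.0),
                       approver_links={"clerk1": {"ctl1"}})
    je = JournalEntry("JE-0001", "ADJ", 15_000.0, "clerk1", date(2018, 6, 1))
    out = {"needs_approval": gl.needs_approval(je)}
    for label, user in (("self_approve", "clerk1"), ("unlinked_approve", "mgr9")):
        try:
            gl.approve(je, user, date(2018, 6, 1))
            out[label] = "allowed"
        except PermissionError:
            out[label] = "blocked"
    gl.approve(je, "ctl1", date(2018, 6, 2))
    gl.edit(je, "clerk1", date(2018, 6, 3), 18_000.0)   # change after approval, before posting
    out["approved_after_edit"] = je.approved_by
    try:
        gl.post(je, "ctl1", date(2018, 6, 3))
        out["post_unapproved"] = "allowed"
    except ValueError:
        out["post_unapproved"] = "blocked"
    gl.approve(je, "ctl1", date(2018, 6, 4))
    gl.post(je, "ctl1", date(2018, 6, 4))
    out["posted_by"] = je.posted_by
    out["modified"] = (je.modified_by, str(je.modified_on))
    out["log"] = je.log
    return out
```

The log on the entry is what "Track changes to a JE" buys an auditor: the edit that raised the amount after approval, the approval it invalidated and the second approval before posting are all visible in order.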

APPLICATION CONTROLS: ACCOUNTS PAYABLE

• Accounts Payable can be one of the biggest threats to your internal control system

• Segregation of duties should exist for all the processes surrounding AP:

  • Vendor set up / approval

  • Voucher processing / approval / posting

  • Check runs

• Costpoint can support this segregation

30

APPLICATION CONTROLS: VENDOR APPROVAL

• Go to Accounting / Accounts Payable / A/P Settings -> Check the box to require Vendor Approval

  • Requiring vendor approval allows you to increase the number of people who are allowed to enter a new vendor, but use of that vendor is prohibited until it is approved

  • You will need a process to notify the approver that a new vendor was entered

31

APPLICATION CONTROLS: VENDOR APPROVER

• Go to Accounting / Accounts Payable / Vendor Approver Settings ->

• This is where you establish who can approve vendors

32

APPLICATION CONTROLS: VOUCHER APPROVAL

• Approval of A/P vouchers is another safeguard against fraud

• Go to Accounting / Accounts Payable / A/P Voucher Settings -> System-wide setting for approval of A/P vouchers

  • Like JEs, you can set a dollar threshold above which approval is required

  • There is also a check box to prevent or allow duplicate invoice numbers from being processed

• Approver Settings ->

  • Set up approvers

  • Link users to approvers

33

ADDITIONAL CONTROLS TO CONSIDER

• Auto sign numbering is available for Journal Entries, A/P Vouchers, Requisitions, Purchase Orders, Employees

  • Using auto sign numbering will allow for the sequential tracking of all transactions and eliminate manual listings

• Use Billing User Groups to restrict who can process which customer bills

34

ADDITIONAL FEATURES

• Maintain integrity of recording transactions by use of Project Account Groups

• Activate the period of performance message to minimize late or early charges to projects

• Set “allow charging” at the lowest level of the project string

• Establish leave floors to avoid misuse of leave

• Eliminate manual calculation for revenue and billings

35

MAINTENANCE & MONITORING

• Some application controls will require maintenance and monitoring

• The big question is usually WHO should be doing the maintenance and monitoring

• The answer lies somewhere between the janitor and the president

• Each organization is different, but the answer is probably close to the accounting manager, Controller and IT

• It needs to be someone who understands the system and understands your internal control system

36

MAINTENANCE & MONITORING

• Common items that require monitoring are:

  • User groups – a functional change to the group

  • Override rights that were used to cover leave

  • A user changes job, so the group they belong to needs to change

  • Approvers and linked users will need to be updated when people leave, new people join the organization or to cover vacation and other leave of current employees

37

BENEFITS OF IT CONTROLS ON BUSINESS

• Increase competitiveness

• Reduce costs

• Make information more widely and securely available

• Enable effective and efficient service to customers

• Improve decision making capabilities

• Ultimately improve execution of all business processes

• Stakeholders HAPPY

38

IN A NUTSHELL

39

TAKEAWAY

“In theory, there’s no difference between theory and practice. In practice, there is!”

- Yogi Berra

40

QUESTIONS / COMMENTS

41

RESOURCES

42

Bhavesh Vadhani, CISA, [email protected], (703) 847-4418

GovCon360 keeps you abreast of the ever-changing regulatory environment that is Government contracting. From reference materials, like searchable pdf copies of the FAR and DCAM, to our past Lunch and Learn seminar slide decks and thought pieces on industry matters, we’ve got it covered. Subscribe to our RSS feed to receive short alerts on recent industry changes. It’s always been our job to help our clients maintain a competitive advantage by staying ahead of the curve. This website is an extension of the services we’ve been providing for over 35 years by putting useful resources and up-to-date information at your fingertips.

www.govcon360.com