Information Technology (IT) & The Updated COSO Framework
Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant, Ocala, FL
Nature Coast Florida Government Finance Officers Association | October 16, 2013

Disclaimer
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the presenters' respective organizations or any associated organizations cited. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

COSO Considerations
• The updated Framework changed from implicitly to explicitly recognizing technology's role in internal control, because of organizations' greater use of and dependence (reliance) on technology
  – Use of technology continues to grow
  – The extent of technology used in organizations continues to increase and evolve
• Recognizes that management judgment (decisions) may be based on the use of and dependence on technology
• Outsourcing continues to grow
  – Business processes (payroll, payables, pension and benefit management, investment management)
  – Technology activities supporting the business processes
    • Procuring, managing, and maintaining technology systems that were previously managed internally

COSO's Definition of "Technology"
• May be referred to as:
  – Management Information Systems (MIS)
  – Information Technology (IT)
  – Various other terms
• Technology is the use of a combination of automated and manual processes, computer hardware and software, methodologies, and processes
  – A deliberately generic definition, because technology continually evolves (e.g., cloud computing and social media)

COSO's Definition of "Technology" (continued)
• Technology environments vary in size, complexity, and extent of integration
  – Large, centralized, and integrated systems
  – Small, decentralized, and independent systems
• May involve real-time processing environments that enable immediate access to information, including mobile applications that can cut across many systems, organizations, and geographies

COSO's Definition of "Technology" (continued)
• Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use
• In addition, technology can allow an entity to share operational and performance data with the public

COSO's Definition of "Technology" (continued)
• Technology innovation creates both opportunities and risks
  – Opportunities:
    • Enables the development of new business markets and models
    • Generates efficiencies through automation
    • Enables entities to do things that were previously hard to imagine
  – Risks:
    • Increased complexity, which makes identifying and managing risks more difficult

Risk | Complexity of IT Security
• Like ogres and onions, IT security has layers, wrapped around the data and business processes at the core
• IT security also involves people (employees); therefore, training is critical

IT Security Protects the Data and Business Processes
• Controls should be in place to protect the data and business processes
• Data is an organizational asset
• Value of data
  – May not be readily ascertainable
  – Not recorded on the books
  – Varies depending on perspective:
    • Your organization
    • Other organizations
    • Employees
    • External individuals
    • Vendors
  – Your garbage is another individual's or organization's treasure!

[Slides 9 and 10: figures. Source: AICPA Information Management and Technology Assurance (IMTA) Section, "IT Audits and What to Pay Attention To," The CITP Body of Knowledge Series webcast, 2013]

Risk | IT Complexity
• The nature and extent of IT risks depend on the level of "complexity"
  – Generally, as complexity increases, the type and number of potential IT risks increase
  – The manner in which IT is used in conducting business also has a direct relationship with the potential IT risks
  – Significant changes to existing systems, or implementation of a new system, increase the potential IT risks
  – Data shared between systems increases the potential IT risks
  – Use of emerging technologies (cloud computing, mobile/BYOD) increases the potential IT risks
  – Availability of evidence only in electronic formats, including reports, increases the potential IT risks
Source: AICPA IT Audit Training School

Risks | IT Risk Factors for Internal Control Include
• Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both
• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data or inability to access data as required
Source: AICPA IT Audit Training School

Applications | Purchased Systems
• Commercial Off The Shelf (COTS) and/or configurable systems
• Advantages
  – Generally cheaper for general business use applications
  – Ongoing support and maintenance
• Disadvantages
  – Some limitations related to customizations
  – Vendor dependence
• Example: QuickBooks
Source: AICPA IT Audit Training School

Applications | Configurable Packages
• Configurable "mid-tier" system
• Not as expensive as an ERP system or a custom-developed application
• Found in small, mid-sized, or large organizations
• Increased capabilities when compared to Commercial Off The Shelf (purchased) systems:
  – Configuration changes
  – Customizations
• Examples: Microsoft Dynamics (Great Plains/Solomon), MAS 90, Navision, Munis, Eden, etc.
• The most prevalent type of application
Source: AICPA IT Audit Training School

Applications | Enterprise Resource Planning (ERP) System
• Integrates all facets of financial processing with operations, marketing, and HR
• Requires specialized knowledge to set up (usually with the vendor and outside consultants)
• Generally found in large organizations
• Very expensive to purchase and maintain
• Very complex security
• Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson, etc.
Source: AICPA IT Audit Training School

Applications | Custom Developed
• Custom-developed application: an application designed and developed in-house to meet a specific business need for internal use (not resale)
• Advantages
  – Customized to meet a specific business need
  – Independence from vendors
• Disadvantages
  – No outside vendor support; all support by on-staff personnel (higher costs)
  – Often longer deployment times and fewer controls
• Less prevalent, and becoming more so each day
Source: AICPA IT Audit Training School

Applications | Outsourced
• The organization contracts with a third-party service organization for one or all of the following activities:
  – Development of the application and underlying technology
  – Hosting of the application, data, and underlying technology
  – Maintenance of the application and underlying technology
  – All or part of one or more business processes (e.g., payroll) and the related internal controls
Source: AICPA IT Audit Training School

Applications | Outsourced (continued)
• Advantages
  – Customized and configurable to meet a specific business need
  – Can obtain access to ERP systems at lower cost
    • May not need to purchase any servers
    • May not need to hire new IT personnel, and may be able to reallocate IT personnel or positions
  – Dependence on the vendor rather than on employees
    • The IT third-party service organization is able to replace employees more easily than the outsourcing organization
Source: AICPA IT Audit Training School

Applications | Outsourced (continued)
• Disadvantages
  – Dependence on the vendor
    • Requires increased effort to manage vendors and service level agreements (SLAs)
    • Service Organization Control (SOC) reports; see the AICPA website: www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
  – Poor end-user experience due to performance bottlenecks
    • Poor customer experiences could be perceived as organization weaknesses rather than vendor weaknesses
  – More limited control over the application, data, and underlying technology
• Example: Xero
Source: AICPA IT Audit Training School

Control Environment
• Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  – Executive management and the board should have an understanding of relevant systems and technology (or the appropriate skills and expertise) needed to evaluate the organization's approach to managing new technology innovations and critical systems, and the opportunities and risks associated with those challenges
    • IT governance committee
    • IT steering committees
    • User groups

Control Environment
• Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  – Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of the business
  – Management is supported by the requisite processes and technology to provide clear accountability and information flows within and across the overall entity and its subunits

Control Environment
• Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  – The organization should ensure that it has appropriately skilled personnel with knowledge of the operation of the technology platforms underpinning the business processes

Control Environment
• Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  – Accountability is driven by tone at the top and supported by the commitment to integrity and ethical values, competence, structure, processes, and technology, which collectively influence the control culture of the organization

Risk Assessment
• Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• Entity-level risks
  – External factors
    • Technological: developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services
  – Internal factors
    • Technology: a disruption in information systems processing that can adversely affect the entity's operations

Risk Assessment
• Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  – As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
    • The nature of the technology and management's ability to manipulate information
  – Opportunities (and thereby fraud risks) may increase as a result of:
    • Turnover in technology staff
    • Ineffective technology systems

Risk Assessment
• Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
  – New technology: when new technology is incorporated into production, service delivery processes, or supporting information systems, internal controls will likely need to be modified

Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Principle 10: Selects and Develops Control Activities
  – When determining what actions to put in place to mitigate risk, management considers all aspects of the entity's internal control components and the relevant business processes, information technology, and locations where control activities are needed
  – Restricted access is especially important where technology is integral to an organization's processes or business
    • Configuring the security in applications to address restricted access can become very complex and requires technical knowledge and a structured approach
    • Discussed in more detail under the Security Management Process section of Principle 11
Principle 10: Selects and Develops Control Activities
  – Control activities and technology relate to each other in two ways:
    • Technology supports business processes: when technology is embedded into the entity's business processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk that the technology itself will not continue to operate properly to support the achievement of the organization's objectives
    • Technology is used to automate control activities: many control activities in an entity are partially or wholly automated using technology

Technology Supports Business Processes
[Figure: Internal Control Over Financial Reporting (ICFR) stack. Significant accounts in the financial statements (balance sheet, income statement, cash flows, notes, other disclosures) are supported by key application and IT-dependent manual controls over significant classes of transactions / business processes (Process A through Process E), which run on significant financial applications (Application A through Application C), which in turn depend on significant IT infrastructure services (database, operating system, network / physical). Assertions and objectives: accuracy, completeness, authorization. IT general controls spanning the lower layers: program development, program changes, program operations, access controls, control environment, segregation of duties. Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition]

Technology Used to Automate Control Activities: Manual vs. Automated Controls
• Manual control: a control performed manually (not through technology)
• Automated controls: control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software)
  – Application control: a control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events
  – IT-dependent manual control (hybrid control): a manual control that depends on an automated process having taken place

Application Controls
• Type
  – Edit checks
  – Validations
  – Calculations
  – Interfaces
  – Authorizations
• Character
  – Embedded
  – Configurable

Technology Used to Automate Control Activities: Examples of Application Controls
  – Computer-generated batch control total comparison
  – Edit and validation checks on information entered into input fields
  – Master file data look-ups of information entered into input fields
  – Numeric range controls for data entered into input fields
  – Data matching
  – Error-checking programs
  – Computations
  – Forwarding a transaction to the appropriate person for electronic authorization (using logical segregation of duties)

Examples of Application Controls: Purchasing and Accounts Payable Business Process
• Initiate/Authorize (Input)
  – The application will only accept purchase orders entered for vendors on an approved vendor list (i.e., vendors in the vendor master file)
  – Access to add or modify vendors or vendor information in the vendor master file (database) through the purchasing module of the financial application is restricted to purchasing department personnel
• Process
  – The application matches the purchase order, receiving report, and vendor invoice before payment can be made (three-way match)
  – The application automatically selects items for payment based on the due date of the vendor invoice
• Record (Output)
  – The application automatically posts the payment to the G/L

Example of an IT-Dependent Manual Control: Purchasing and Accounts Payable Business Process
  – Detection: the computer detects a discrepancy between a PO, receiving report, and vendor invoice (automated control)
  – Investigation/Correction: a clerk reviews and follows up until the discrepancy is resolved (manual control)
  – Resubmission: the clerk resubmits the reconciled invoice for payment (manual process)
  – NOTE: Test both the automated and the manual controls

Automated Control Implications
• Software is designed to be used by many organizations with different requirements
• Many features, including controls, are optional or designed with adjustable parameters and thresholds
• End users may have the ability to change system configuration settings
• Segregation of duties must be considered when software is maintained by the vendor
• Program change responsibilities may be shared between vendor and client

Principle 10: Selects and Develops Control Activities
  – Most business processes have a mix of manual and automated controls, depending on the availability of technology in the entity
  – Automated controls tend to be more reliable, since they are less susceptible to human judgment and error, and are typically more efficient
    • Subject to whether technology general controls (Principle 11) are implemented and operating
    • The design, implementation, and operating effectiveness of automated controls depend on, and are directly related to, the design, implementation, and operating effectiveness of technology general controls

Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)
[Figure: Business process controls divide into automated controls and manual controls. Manual controls divide into (purely) manual controls and IT-dependent manual controls. Automated controls are application controls, either (1) embedded or (2) configurable. Technology general controls form the base layer on which the application controls rely.]

Technology General Controls vs. Application Controls
• IT general controls
  – Relate to managing change, logical access, and other technology general controls, including IT operations; they apply to individual applications and do not operate at the individual transaction level
• Application controls
  – Apply to each and every transaction
  – Reviewed at a "point in time"
• "Application and IT general controls go hand-in-hand."

Control Activities
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. (Technology General Controls)

Principle 11: Technology General Controls
• Determines the dependency between the use of technology in business processes (Principle 10) and technology general controls (Principle 11)
  – Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls
• The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology

Technology Supports Business Processes
[Figure: the ICFR stack from the earlier slide, now with the technology general control categories called out alongside the application and infrastructure layers: technology infrastructure control activities, security management process control activities, change control activities, and control environment. Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition]

Principle 11: Technology General Controls
• Technology general controls over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented
• Technology general controls also help information systems continue to function properly after they are implemented
• Technology general controls apply to all technology:
  – IT applications on a mainframe computer
  – Client/server, desktop, end-user computing, portable computer, and mobile device environments
  – Operational technology
    • Plant control systems
    • Manufacturing robotics

Principle 11: Technology General Controls
• The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and the risk of the underlying business process being supported
• Similar to business transaction controls, technology general controls may include both manual and automated control activities
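The purchasing and accounts payable application controls from the earlier slides (approved vendor list, three-way match, automatic payment selection, batch control total), followed by the IT-dependent manual control that picks up the discrepancies the automated match detects. This is an added example in Python, not code from the presentation or from any financial application; the vendor master, purchase orders, receiving reports, invoices and the 2 percent price tolerance are constructed for illustration, and the tolerance stands in for the kind of adjustable parameter that the "Automated Control Implications" slide warns end users may be able to change.

```python
"""Purchasing / accounts-payable application controls (added example, constructed data).

Input control  : accept a PO only for a vendor in the vendor master file.
Process control: three-way match of PO, receiving report and vendor invoice,
                 with a configurable price tolerance; invoices that fail are
                 held for a clerk (the IT-dependent manual control).
Output control : batch control total that must agree before posting to the G/L.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    po_id: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor_id: str
    qty_billed: int
    unit_price: Decimal


# Constructed vendor master file (hypothetical vendors).
VENDOR_MASTER = {"V100": "Acme Office Supply", "V200": "Gulf Coast Paving"}

# Configurable parameter: relative price variance tolerated before an invoice is held.
# This is the kind of threshold an end user may be able to change, so its value and
# who can change it are both audit evidence.
PRICE_TOLERANCE = Decimal("0.02")


def accept_purchase_order(po, vendor_master=VENDOR_MASTER):
    """Input control: a PO is accepted only if its vendor is on the approved list."""
    return po.vendor_id in vendor_master


def three_way_match(po, receipt, invoice, tolerance=PRICE_TOLERANCE):
    """Process control. Returns the list of discrepancies; an empty list is a match.
    Every failing condition is reported so the clerk sees the whole picture."""
    issues = []
    if receipt is None or receipt.po_id != po.po_id:
        issues.append("no receiving report for PO")
    elif invoice.qty_billed > receipt.qty_received:
        issues.append(f"billed {invoice.qty_billed} but received {receipt.qty_received}")
    if invoice.vendor_id != po.vendor_id:
        issues.append("invoice vendor differs from PO vendor")
    if invoice.qty_billed > po.qty:
        issues.append(f"billed {invoice.qty_billed} exceeds ordered {po.qty}")
    # Relative tolerance rather than exact equality, so rounding does not hold every invoice.
    if po.unit_price == 0 or abs(invoice.unit_price - po.unit_price) / po.unit_price > tolerance:
        issues.append(f"unit price {invoice.unit_price} outside tolerance of PO price {po.unit_price}")
    return issues


def select_for_payment(pos, receipts, invoices):
    """Runs the match over a batch. Returns (approved_invoices, held), where held is a
    list of (invoice, issues) routed to a clerk for investigation and resubmission."""
    po_by_id = {p.po_id: p for p in pos}
    receipt_by_po = {r.po_id: r for r in receipts}
    approved, held = [], []
    for inv in invoices:
        po = po_by_id.get(inv.po_id)
        if po is None:
            held.append((inv, ["invoice references unknown PO"]))
            continue
        issues = three_way_match(po, receipt_by_po.get(inv.po_id), inv)
        if issues:
            held.append((inv, issues))
        else:
            approved.append(inv)
    return approved, held


def batch_control_total(invoices):
    """Output control: total of the approved batch; the G/L posting must agree with it."""
    return sum((inv.qty_billed * inv.unit_price for inv in invoices), Decimal("0"))


def post_batch(approved, expected_total):
    """Post only when the computed total equals the independently entered control total."""
    return batch_control_total(approved) == expected_total


# Constructed sample batch.
SAMPLE_POS = [PurchaseOrder("PO-1", "V100", 10, Decimal("12.00")),
              PurchaseOrder("PO-2", "V200", 5, Decimal("400.00"))]
SAMPLE_RECEIPTS = [ReceivingReport("PO-1", 10), ReceivingReport("PO-2", 4)]
SAMPLE_INVOICES = [
    Invoice("INV-A", "PO-1", "V100", 10, Decimal("12.10")),  # 0.8% over PO price: matches
    Invoice("INV-B", "PO-2", "V200", 5, Decimal("400.00")),  # billed 5, received 4: held
    Invoice("INV-C", "PO-9", "V300", 1, Decimal("50.00")),   # no such PO: held
]

if __name__ == "__main__":
    approved, held = select_for_payment(SAMPLE_POS, SAMPLE_RECEIPTS, SAMPLE_INVOICES)
    print("approved:", [i.invoice_id for i in approved])
    for inv, issues in held:
        print("held for clerk:", inv.invoice_id, issues)
    print("batch control total:", batch_control_total(approved))
```

The held list is the hand-off point between the automated and the manual control: testing the automated control means showing that INV-B and INV-C are held for the documented reasons, while testing the manual control means examining the clerk's follow-up and resubmission evidence, which no amount of code can stand in for.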
Principle 11: Technology General Controls
Technology Infrastructure Control Activities
• Establishes relevant technology infrastructure control activities
  – Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing
• Technology infrastructure includes:
  – Communication networks, to link technologies to each other and across the organization
    • Routers, switches, firewalls, etc.
  – Computing resources for applications to operate
    • Servers, desktops, laptops
  – Electrical power supply

Principle 11: Technology General Controls
Technology Infrastructure Control Activities (continued)
• Technology infrastructure
  – Can be complex
  – Is shared by different business units in an organization
  – May be outsourced to a third-party service organization (including location-independent technology services, i.e., cloud computing)
• Technology changes constantly (3 to 5 years)
• Technology infrastructure controls include:
  – Batch (mainframe) / real-time (client/server) process scheduling
  – Problem/incident management
  – Backup and recovery
    • Including disaster recovery plans

Principle 11: Technology General Controls
Security Management Process Control Activities
• Establishes relevant security management process control activities
  – Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats
• Sub-processes and control activities over who and what has access to the organization's technology, including who has the ability to execute transactions
  – Protect the organization from inappropriate or unauthorized access to and use of systems
  – Support segregation of duties

Principle 11: Technology General Controls
Security Management Process Control Activities (continued)
• Sub-processes and control activities over who and what has access to the organization's technology, including who has the ability to execute transactions
  – Prevent unauthorized use of or changes to systems, protecting data and program integrity from malicious intent or simple error arising from:
    • Internal threats: former or disgruntled employees motivated to work against the organization, who are dangerous because of their greater access to and knowledge of the organization
    • External threats: present because of the many potential uses of technology and points of entry, and the use of telecommunications networks and the Internet

Principle 11: Technology General Controls
Security Management Process Control Activities (continued)
• Authentication control activities
  – Unique user identifications or tokens are authenticated (checked before access is allowed) against a pre-approved list
  – Technology general controls are designed to:
    • Allow only authorized users on these pre-approved lists
    • Restrict authorized users to the applications or functions commensurate with their job responsibilities, supporting an appropriate segregation of duties
  – Control activities are in place to update access when employees change job functions or leave the organization
  – A periodic review of access rights against the policy is often used to check that access remains appropriate
  – Access to different technologies (which may be integrated/connected) is controlled

Principle 11: Technology General Controls
Change Control Activities
• Establishes relevant technology acquisition, development, and maintenance process (change) control activities
  – Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives
  – Provides structure for system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints

Principle 11: Technology General Controls
Change Control Activities (continued)
• Provides appropriate controls over changes to technology
  – Authorization of change requests
  – Verification that the organization has a legal right to use the technology in the manner in which it is being employed
  – Review to ensure that the changes are appropriate (i.e., testing and quality assurance)
  – Approval of the changes
  – Testing of the results of changes
  – Implementation protocols to determine whether changes are properly made
• Varies depending on the risks (and complexity) of the technology

Information & Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

Principle 13: Relevant, Quality Information Used to Support the Functioning of Internal Control
• An organization's information system encompasses a combination of people, processes, data, and technology that support business processes managed internally as well as those supported through relationships with outsourced service providers and other parties interacting with the entity

Principle 13: Relevant, Quality Information Used to Support the Functioning of Internal Control (continued)
  – Information systems developed with integrated, technology-enabled processes provide opportunities to enhance the efficiency, speed, and accessibility of information to users
  – Additionally, such information systems may enhance internal control over the security and privacy risks associated with information obtained and generated by the organization. Information systems designed and implemented to restrict access to information only to those who need it, and to reduce the number of access points, make the mitigation of risks to the security and privacy of information more effective
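The security management process controls on the Principle 11 slides above (unique user IDs checked against a pre-approved list, access commensurate with job responsibilities and supporting segregation of duties, removal of access when employees change jobs or leave, and a periodic review of access rights against policy), implemented as the kind of periodic access review script an auditor or security administrator would run over an entitlement export. This is an added example in Python rather than anything from the presentation or from a particular financial application; the HR roster, role policy, segregation-of-duties conflict pairs, function codes and the entitlement export are all constructed and hypothetical.

```python
"""Periodic user access review against policy (added example, constructed data).

Compares an entitlement export from the financial application with the HR
roster and the role policy, and reports the exceptions a reviewer must act on:
accounts not tied to a person on the roster, access still held by terminated
employees, functions beyond what the user's job role allows, and
segregation-of-duties conflicts inside one user's access.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "user_id kind detail")

# Constructed HR roster: user id -> (job role, employment status).
HR_ROSTER = {
    "jsmith":  ("purchasing", "active"),
    "mlee":    ("ap_clerk", "active"),
    "rgomez":  ("ap_supervisor", "active"),
    "tnguyen": ("purchasing", "terminated"),
}

# Policy: the application functions each job role is entitled to (hypothetical codes).
ROLE_POLICY = {
    "purchasing":    {"PO_CREATE", "VENDOR_MAINTAIN"},
    "ap_clerk":      {"INVOICE_ENTER", "PAYMENT_SELECT"},
    "ap_supervisor": {"PAYMENT_APPROVE", "PO_APPROVE"},
}

# Segregation-of-duties rules: no single user may hold both functions of a pair.
SOD_CONFLICTS = [
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_APPROVE"}),  # create a vendor and pay it
    frozenset({"PO_CREATE", "PO_APPROVE"}),             # order and approve own order
    frozenset({"INVOICE_ENTER", "PAYMENT_APPROVE"}),    # enter an invoice and release payment
]

# Constructed entitlement export: user id -> functions currently granted.
ENTITLEMENTS = {
    "jsmith":  {"PO_CREATE", "VENDOR_MAINTAIN"},
    "mlee":    {"INVOICE_ENTER", "PAYMENT_SELECT", "PAYMENT_APPROVE"},  # excess + SoD conflict
    "rgomez":  {"PAYMENT_APPROVE", "PO_APPROVE"},
    "tnguyen": {"PO_CREATE"},        # terminated employee whose access was never removed
    "apbatch": {"PAYMENT_SELECT"},   # generic account with no owner on the roster
}


def review_access(entitlements, roster, policy, sod_conflicts):
    """Returns the list of Findings, ordered by user id; an empty list means clean."""
    findings = []
    for user, funcs in sorted(entitlements.items()):
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, "unknown_account",
                                    "not on HR roster: shared, generic or orphaned ID"))
            continue
        role, status = record
        if status != "active":
            # Leaver still holding access: remove it first, no point checking role fit.
            findings.append(Finding(user, "terminated_user",
                                    f"status={status}, still holds {sorted(funcs)}"))
            continue
        excess = funcs - policy.get(role, set())
        if excess:
            findings.append(Finding(user, "excess_access",
                                    f"role {role} is not entitled to {sorted(excess)}"))
        for pair in sod_conflicts:
            if pair <= funcs:  # both functions of the pair are held by this one user
                findings.append(Finding(user, "sod_conflict", " + ".join(sorted(pair))))
    return findings


def summarize(findings):
    """Counts findings per kind, for the review sign-off."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ENTITLEMENTS, HR_ROSTER, ROLE_POLICY, SOD_CONFLICTS)
    for f in results:
        print(f"{f.user_id:8} {f.kind:16} {f.detail}")
    print(summarize(results))
```

Two design points matter for the review to be evidence rather than a listing. The roster and the policy come from sources outside the application (HR and the approved role definitions), so the script compares what the system grants against what the organization intended, not the system against itself. And the SoD check runs on the combined functions a user actually holds, which is what catches the ap_clerk who was given PAYMENT_APPROVE "temporarily" and never lost it.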
Principle 13: Relevant, Quality Information Used to Support the Functioning of Internal Control (continued)
  – Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets, collaboration tools, interactive social media, data warehouses, business intelligence systems, operational systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology solutions present opportunities for management to leverage technology in developing and implementing effective and efficient information systems

Principle 13: Relevant, Quality Information Used to Support the Functioning of Internal Control (continued)
• Quality of information depends on whether it is:
  – Accessible: the information is easy to obtain by those who need it. Users know what information is available and where in the information system it can be accessed
  – Correct: the underlying data is accurate and complete. Information systems include validation checks that address accuracy and completeness, including the necessary exception resolution procedures
  – Current: the data is gathered from current sources and at the frequency needed
  – Protected: access to sensitive information is restricted to authorized personnel. Data categorization (e.g., confidential and top secret) supports information protection
  – Retained: information is available over an extended period of time to support inquiries and inspections by external parties

Principle 13: Relevant, Quality Information Used to Support the Functioning of Internal Control (continued)
• Quality of information depends on whether it is:
  – Sufficient: there is enough information at the right level of detail relevant to the information requirements. Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation
  – Timely: the information is available from the information system when needed. Timely information helps with the early identification of events, trends, and issues
  – Valid: information is obtained from authorized sources, gathered according to prescribed procedures, and represents events that actually occurred
  – Verifiable: information is supported by evidence from the source
• Management establishes information management policies with clear responsibility and accountability for the quality of the information

Resources
• AICPA's Information Management and Technology Assurance (IMTA) Interest Area: www.aicpa.org
  – Located under the Interest Areas tab on the AICPA home page
  – Sponsor of the Certified Information Technology Professional (CITP) credential, which recognizes CPAs for their ability to leverage technology to effectively manage information while ensuring the data's reliability, security, accessibility, and relevance
  – Various webcasts, whitepapers, newsletters, etc.

Resources
• Information Systems Audit and Control Association (ISACA): www.isaca.org
  – Sponsor of the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) exams
  – IT Governance Institute
    • Designed COBIT (Control Objectives for Information and related Technology) with ISACA, the AICPA, and other interested parties to serve as a framework for IT governance and control that fits with and supports COSO's Internal Control – Integrated Framework
    • COBIT home page: www.isaca.org/COBIT/Pages/default.aspx

Contact Information
Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant, Ocala, FL
E-mail: pgesner@purvisgray.com
Mobile: 352.642.4357
Company website: www.purvisgray.com
LinkedIn: www.linkedin.com/in/philgesner/