Information Systems Security Risk & Controls.

SOX MISC
Raj Mehta – Partner
CPA, CITP, CISA, CISSP
713-982-2955
rmehta@deloitte.com
Enterprise Risk Services
DISCUSSION ITEMS
• Trends in IT Documentation/Testing
• Definition and Evaluation of Deficiencies
• Rollforward Procedures
• Q&A
IS Security Risk & Controls
©2003 Deloitte & Touche LLP
Trends in IT Documentation
• In scope applications, third-party providers, infrastructure, etc.,
still keep changing!
• Documentation does not focus on key aspects related to
financials
Trends in IT Documentation
• Documentation Trends
– Very high level: “Who cares?”
– Too granular level: “How can you miss that?”
IMPACT = STILL DOCUMENTING, COSTING MONEY & RESOURCES
Trends in IT Documentation
• SCOPE it right –
• How important are the application control(s) for the
transaction life cycle?
Transaction Level: Initiate → Authorize → Record → Process
Trends in IT Documentation
• Disconnect of “process/manual” controls from application control
assessments based on a “silo” approach.
• Disconnect between authentication and authorization – if an
application has “weak” authentication controls and they fail,
authorization fails with them.
Evaluation of Deficiency
Definitions:
• A significant deficiency is a control deficiency, or combination of
control deficiencies, that adversely affects the company's ability
to initiate, authorize, record, process, or report external
financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote
likelihood that a misstatement of the company's annual or
interim financial statements that is more than inconsequential
will not be prevented or detected.
• A material weakness is a significant deficiency, or combination
of significant deficiencies, that results in more than a remote
likelihood that a material misstatement of the annual or interim
financial statements will not be prevented or detected.
How to determine?
• Evaluate - magnitude and likelihood
• Potential misstatements equal to or greater than 20% of overall
annual or interim financial statement materiality are presumed
to be more than inconsequential.
• Potential misstatements less than 20% of overall annual or
interim financial statement materiality may be concluded to be
more than inconsequential as a result of the consideration of
qualitative factors, as required by AS2.
Themes
• Important to correctly classify the type of control deficiency
– Application control deficiencies
– GCC deficiencies
• GCC are evaluated in relation to their effect on application
controls
– GCC deficiencies do not directly result in misstatements
– Misstatements result from ineffective application controls
Theory – Evaluating Process Level Controls (Applications)
Theory – Evaluating Process Level Controls (Applications) – cont.
Decision flow for a GCC deficiency:
Box 1. Are there complementary or redundant GCC that were tested and
evaluated that achieve the same GCC objective?
– Yes → Deficiency
– No → Box 2
Box 2. Are there application control deficiencies of a design or
performance nature that are related to or caused by the GCC deficiency?
– No → Box 5
– Yes → Box 3
Box 3. Are the application control deficiencies related to or caused by
the GCC deficiency classified as only a deficiency?
– Yes → Box 5
– No → Box 4
Box 4. Are the application control deficiencies related to or caused by
the GCC deficiency classified as a significant deficiency?
– Yes → Would a prudent official conclude that the GCC deficiency is a
significant deficiency?
– No → Material Weakness
Box 5. (Reached from Box 2 “No” OR Box 3 “Yes”) Does additional
evaluation result in a judgment that the GCC deficiency is a significant
deficiency?
– No → Deficiency
– Yes → Would a prudent official conclude that the GCC deficiency is a
significant deficiency?
Would a prudent official conclude that the GCC deficiency is a
significant deficiency?
– Yes → Significant Deficiency
– No → Material Weakness
How does this work for IT Controls?
• Application/Process Level Controls:
– Group deficiencies together by Major Class of Transactions (related
processes) – e.g., for the Expenditure cycle include deficiencies from
procurement, invoice processing, cash disbursements, etc.
– For application-specific issues, consider which aspects of the
transaction life cycle are affected, and the volume and dollar amount
of transactions (e.g., if the authentication control fails for the
Payroll system and there are no compensating/mitigating controls, then
the Payroll Expense balance is the total exposure and has to be
evaluated for materiality).
• General Computer Controls:
– Can the failure be isolated to specific application(s) or is it truly
pervasive? For example, UNIX security may just impact the Payroll
system, whereas user access administration will likely impact all
systems.
• Consider factors related to the deficiency:
– Nature and significance of deficiency
– Proximity of control to applications and data
– Pervasiveness of control across applications and processes
– Complexity of entity’s systems environment
– GCC deficiency supporting applications related to accounts
susceptible to loss or fraud
– Cause and frequency of known or detected exceptions in the
operating effectiveness of GCC
– An indication of increased risk evidenced by a history of
misstatements relating to applications affected by the GCC
Likely Candidates for SD or Higher related to IT?
• Information Security
• Change Controls
Roll Forward Procedures
• Management has a responsibility to update/roll forward its interim
evaluation for purposes of their assessment and reporting on the
effectiveness of internal control to the “as of” date as required by the
SEC’s Final Rule, Management's Reports on Internal Control Over
Financial Reporting and Certification of Disclosure in Exchange Act
Periodic Reports: The management of each company should perform
evaluations of the design and operation of the company's entire
system of internal control over financial reporting over a period of time
that is adequate for it to determine whether, as of the end of the
company's fiscal year, the design and operation of the company's
internal control over financial reporting are effective.
• The SEC Rule also requires: . . . a company's management, with the
participation of the principal executive and financial officers, to
evaluate any change in the company's internal control over financial
reporting that occurred during a fiscal quarter (or the issuer's fourth
fiscal quarter in the case of an annual report) that has materially
affected, or is reasonably likely to materially affect, the company's
internal control over financial reporting.
Roll Forward Procedures (cont.)
Evaluation of Design Effectiveness:
Identify and evaluate significant changes in the business or the
business environment in which the company operates that may
impact the continued effectiveness of the design of ICFR.
Procedures may include:
– Considering the results of the monitoring processes
– Identifying and responding to new risks as they are identified
(continuously updating the risk assessment process)
– Making inquiries of managers and others as to their knowledge of
any significant changes or events that may affect the design of
internal control
– Updating the self-assessment process, whereby the organization
confirms the continued design effectiveness of internal control.
Roll Forward Procedures (cont.)
Tests of Operating Effectiveness:
Determine whether significant changes in the operating
effectiveness of ICFR have occurred. Procedures may include:
– Considering the results of the monitoring processes
– Performing independent tests, whereby the test may be applied
directly to the control activity or by:
  – Testing an effective control that specifically monitors the continued
  operation of the underlying control activity (e.g., review of the bank
  reconciliation)
  – Testing an effective control upon which the underlying control activity
  is dependent (e.g., program change controls)
– Updating the self-assessment process, whereby the organization
confirms the continued operation of the controls. To ensure integrity,
the self-assessment process should be tested periodically by
someone independent of the self-assessment process (e.g., internal
audit).
Q&A
• Any questions?
• Thank you
Deloitte & Touche LLP
A member firm of
Deloitte Touche Tohmatsu