Agenda
• Introduction Comments
• Regulation / Guidance
• Internal Controls
• COSO
• A-123
• SAS 55
• Yellow Book
• SAS 112

Introduction Comments

“Over 800 pages of statutory text govern the daily decisions of Federal managers …”
Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (June 22, 2005)

“Internal controls are the checks and balances that help managers detect and prevent problems. They can be as simple as computer passwords or having a manager sign off on a time sheet, or as complex as installing software to track spending and detect spikes that signal trouble. Internal controls provide a foundation for accountability; and, while they are important in the private sector, sound controls are imperative in government. Public trust depends on nothing less.”
Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (February 16, 2005)

“Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government’s own financial reporting problems, have resulted in an increased focus on management’s responsibility for internal control.”
February 2005, Subcommittee on Government Management, Finance, and Accountability

“Government should lead by example. We should be as good or better than those we are regulating.”
David Walker, Comptroller General, to Congress (CFO Magazine, June 2003)

“The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal assessments with other internal control-related activities”
Linda Springer, Controller, Office of Management and Budget, December 21, 2004

Regulation / Guidance

Internal controls have been talked about for almost 60 years.
• Budget & Accounting Procedures Act of 1950
• Inspector General Act of 1978, as amended
• OMB A-123, Management’s Responsibility for Internal Control (1981)
• Federal Managers Financial Integrity Act of 1982
• OMB A-50, Audit Follow Up (1982)
• GAO Green Book (1983)

• CFO Act of 1990 (financial statement audits for approximately 225 agencies)
• Government Performance and Results Act of 1993
• Government Management Reform Act of 1994
• OMB A-123, Management’s Responsibility for Internal Control, revised (1995)
• Federal Financial Management Improvement Act of 1996
• Clinger-Cohen Act of 1996
• GAO Green Book revised (1999)

• Reports Consolidation Act of 2000
• OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements (2000)
• Federal Information Security Management Act of 2002 (includes PIA)
• Improper Payments Information Act of 2002
• Accountability of Tax Dollars Act of 2002 (another 78 agencies must have financial statement audits)
• OMB A-123, Management’s Responsibility for Internal Control, revised (2004)
• OMB A-136, Financial Reporting Requirements (2004)

Where and why do we have to follow NIST standards?
• NIST 800-18 Security Plans
• NIST 800-30 Risk Assessments
• NIST 800-34 Contingency Planning
• NIST 800-37 Certification and Accreditation
• NIST 800-47 Interconnected Systems
• NIST 800-50 Security Awareness
• NIST 800-53a Controls (low, moderate, and high)
• NIST 800-60 Control categories
• NIST FIPS 199 Security Categorization
• OMB M 06-16

OMB A-123 Authority
• Federal Managers’ Financial Integrity Act of 1982, as codified in 31 U.S.C. 3512
• References A-123 to provide guidance on how to implement.

“Agencies and individual Federal managers must take systematic and proactive measures to:”
1. Develop internal control oriented management.
2. Assess the adequacy of internal control in programs and operations.
3. Separately assess and document internal control.
4. Identify needed improvements.
5. Take corrective action.
6. Report annually through management assurance statements.
Source: A-123 Revised, dated December 21, 2004.

A-123 makes references to a host of other regulations to follow, such as:
• FISMA
• IPIA
• GPRA
• CFO Act

What are internal controls?
1. Compliance with Laws and Regulations.
2. Reliability of Financial Data.
3. Effectiveness and Efficiency of Operations.
The above is mentioned everywhere (e.g. CFOC A-123 Implementation Guide, many SASs, A-123, Green Book, etc.).

A-123 Applicability
• Compliance with A-123 AND Appendix A: agencies listed within the CFO Act of 1990, as amended by the Government Management Reform Act of 1994 (cited in OMB Circular A-136). (About 225 agencies.)
• Compliance with A-123 (NOT Appendix A): executive agencies, as well as independent agencies and government corporations within the executive branch of the Federal government.

COSO’s influence on the industry
The National Commission on Fraudulent Financial Reporting (Treadway Commission) was formed in 1985 from the following 5 organizations:
• FEI – Financial Executives International
• AAA – American Accounting Association
• AICPA – American Institute of CPAs
• IIA – Institute of Internal Auditors
• IMA – Institute of Management Accountants

In 1987, the Treadway Commission issued the Report of the National Commission on Fraudulent Financial Reporting, which emphasized:
• Importance of control environment
• Codes of conduct
• Competent and involved audit committees
• Active and objective internal audit function

In September 1992, COSO issued the Internal Control – Integrated Framework, with five components:
• Control Environment – tone of the organization
• Risk Assessment – assessing the risks of the organization
• Control Activities – policies and procedures
• Information and Communication – timely communication throughout the organization
• Monitoring – quality control over a period of time

In September 2004, COSO issued the Enterprise Risk Management – Integrated Framework (ERM).

SAS 55
SAS 55 .02: “In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.”

SAS 55 .04: “Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient.”
Remember: SAS 103 – 112 now come into play.

Yellow Book
Columns: General Standards (chapter 3), Fieldwork Standards (chapter 4), Reporting Standards (chapter 5)
• GAAS (AICPA): X, X
• SAS (AICPA): X, X, X
• GAGAS: X (in addition to AICPA), X (in addition to AICPA), X
Note: Yellow Book (GAGAS) engagements are subjected to additional AICPA standards for both fieldwork and reporting aspects.
SAS 112, para. 1
“It is applicable whenever an auditor expresses an opinion on financial statements.”
“Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.”

SAS 112, para. 5-6
Deficiency Type           Likelihood          Magnitude
Control Deficiency        Remote              Inconsequential
Significant Deficiency    More than remote    More than inconsequential
Material Weakness         More than remote    Material

SAS 112, para. 9
“The auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses. The significance of a control deficiency depends on the potential for a misstatement, not on whether a misstatement actually has occurred. Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant or material weaknesses.”

SAS 112, para. 13
“Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.”

SAS 112, para. 14
“… the auditor also should evaluate the possible mitigating effects of effective compensating controls …”
“Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.”

SAS 112, para. 18
“Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:
• Controls over the selection and application of accounting principles;
• Antifraud programs and controls;
• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.”

SAS 112, para. 19
Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance;
• Restatement of previously issued financial statements to reflect the correction of a material misstatement;
• Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control;
• An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities;
• For complex entities in highly regulated industries, an ineffective regulatory compliance function;
• Identification of fraud of any magnitude on the part of senior management;
• Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected;
• An ineffective control environment.

SAS 112, para. 32
The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
• Inadequate design of internal control over a significant account or process;
• Inadequate documentation of internal control;
• Insufficient control consciousness within the organization;
• Absent or inadequate segregation of duties;
• Absent or inadequate controls over safeguarding of assets;
• Inadequate design of IT general and application controls;
• Employees or management who lack qualifications and training;
• Inadequate design of monitoring controls;
• Absence of internal process for reporting deficiencies;
• Failure in the operation of effectively designed controls (e.g. dual authorization);
• Failure to perform reconciliations of significant accounts;
• Undue biases on the part of management;
• Management override of controls; and

Internal Controls

What is Risk?
RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one’s objectives.
To assess risk, the following process is used:
• Identify the Risks
• Source the Risks
• Prioritize the Risks

What is Internal Control?
Internal Control = Risk Mitigation
Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
• Alarm Clock: designed to prevent oversleeping. What are the risks?
• Speed Limits: designed to prevent aggressive driving. What are the risks?
• Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?

What is Internal Control in an Organization?
Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
• Effectiveness & Efficiency of Operations – relates to an entity's basic business objectives, including performance goals and safeguarding of an entity’s resources.
• Reliability of Financial Reporting – relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e. budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
• Compliance with Laws & Regulations – relates to complying with those laws and regulations to which the entity is subject.

What are the Benefits of Good Internal Control?
• Identification and elimination of waste, fraud and abuse
• Reduction of improper or erroneous payments
• Enhanced understanding of risk exposure
• Sustained performance, efficiency and effectiveness
• Reduced level of effort for financial management system implementation or audit
• Improved policies and procedures
• Streamlined processes
• Clear definition of process ownership
• Greater accountability
• Enhanced audit readiness and internal control attestation readiness
• Compliance with laws & regulations

Office of Management and Budget (OMB) and Congressional Oversight
The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch. Internal control is an integral part of the tools currently being used by OMB and Congress to monitor federal Agencies.
• Performance and Accountability Report (PAR) – contains the Secretary's assurance statement on internal and financial management controls
• Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results
• President’s Management Agenda (PMA) – aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a “scorecard”.

Internal Control Policy
Legislative / Regulatory Authorities and the Internal Control Requirements they impose:
• Federal Managers' Financial Integrity Act (FMFIA) of 1982 – Requires that agency CFOs develop and maintain an integrated system of internal controls and requires GAO to issue internal control standards
• Federal Financial Management Improvement Act of 1996 (FFMIA) – Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements
• Federal Information Security Management Act of 2002 (FISMA) – Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB
• Improper Payments Information Act of 2002 (IPIA) – Provides for estimates and reports of improper payments by Federal agencies
• CFO Act of 1990 – Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system
• Government Performance and Results Act of 1993 (GPRA) – Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals
• Inspector General Act of 1978 – Requires IGs to report on internal controls when conducting a performance audit
• OMB Circular A-123 – Requires monitoring and improvement of internal controls associated with programs
• OMB Circular A-127 – Outlines requirements for FM system controls
• OMB Circular A-130 – Establishes the policy for the management of Federal information resources

OMB Circular A-123
• Issued under authority of FMFIA; entitled “Management Accountability and Control”
• Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
• Requires annual reporting on the effectiveness of management controls
• Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA

Revised OMB Circular A-123
• Circular A-123 was revised in December 2004
• Renamed “Management’s Responsibility for Internal Control”
• Changes developed by the Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)
• Adopts certain concepts from the Sarbanes-Oxley Act of 2002
• Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”
• Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)

Overview of Revised Circular OMB A-123
The Revised Circular A-123 includes the following Appendices:
• Appendix A – Internal Control over Financial Reporting
• Appendix B – Improving Management of Government Charge Card Programs (revised Appendix B issued April 2006)
  - Increases frequency of review and scope of spending and transaction limits
  - Limits authorization and blocks card use for “high risk merchant category codes”
• Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)
  - Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments, and obtaining a statistically valid estimate of the annual amount of improper payments
  - Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them

Revised OMB Circular A-123, Appendix A Requirements
OMB Circular A-123, Appendix A requires Agencies to:
• ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
• ESTABLISH a governance structure
• DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30
  - This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
• TEST the operating effectiveness of internal controls
• INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
• SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying the effectiveness of internal control within the Agency
  - The Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15
• CORRECT deficiencies in internal control over financial reporting
  - Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies

Internal Control over Financial Reporting
• The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting
• Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting
• Internal control over a complete process involves controls at every step of the process, including controls over transaction initiation, maintenance of records, recording of transactions, and final reporting
• Internal control over financial reporting also includes entity level controls, information technology controls, and operational and compliance controls

Management Responsibilities
Management is responsible for establishing and maintaining internal control and documentation. Management must:
• consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework’s five components)
• develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
• maintain up-to-date controls documentation on an on-going basis
• provide a certification Statement related to the adequacy of controls (signed by the Secretary)

Manual versus Automated Controls
Controls may be either:
• Manual – implemented through human action. Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
• Automated – implemented through system action. Example: Users must have a valid user id and password to access a system

Detective versus Preventative Controls
Controls may be either:
• Detective – provide evidence that an error or exception has occurred. Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls
• Preventative – proactive, in that they attempt to deter or prevent undesirable events from occurring. Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls

Control Activities Specific for Information Systems
There are two types of Information System Controls:
• General Computer Controls (GCCs):
  Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization’s information technology infrastructure.
• Application Controls: controls that cover the processing of data within an application or computer program.
OMB Circular A-123 states, “general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing.”

Control Activities Specific for Information Systems: General Computer Controls
General Computer Controls should be designed to ensure that:
• The overall IT environment is well-controlled
• The IT organization is fit for its purpose, and there is proper management control over information systems
• Critical processing can be restored timely in the event of a prolonged outage (data / systems are backed up)
• New applications and changes to existing applications are properly authorized and only approved modifications are moved to the production environment
• Physical and logical security controls restrict access to data, systems and sensitive facilities

Examples of General Computer Controls include:
• Monitoring of Adherence to Entity-wide Security Program
• Data Processing Policies and Procedures
• Continuity of Operations Plan (COOP)
• Regularly Scheduled and Documented Change Control Board Meetings
• Properly Completed and Maintained Access Request Forms
What must be assessed?
• Security Planning and Management
• Change Control
• Segregation of Duties
• Access Controls
• Service Continuity
• System Software

Control Activities Specific for Information Systems: Application Controls
Examples of Application Controls include:
• Automated controls built into the application (computerized edit checks and required passwords)
• Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)
What must be assessed?
• Input Controls (access restrictions, validity checking, source documents)
• Processing Controls (integrity controls, error messages, job scheduling)
• Output Controls (report generation and distribution, manual review of reports for obvious errors)

Entity Level Controls
• Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies.
• Responsibility: Entity Level Controls are assessed at both the agency and department level.
• Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore the assessment of entity-level controls is essential to the overall evaluation of controls.

Assessing Risk

What is meant by Assessing Risk?
• Assess: to determine the importance, size, or value of
• Risk: a state of uncertainty where, if specific events or conditions occur, there exists a possibility of an undesirable outcome.

Key Terms
• Confidentiality
• Integrity
• Availability
• Issue
• Exception
• Negligible Exception
• Isolated Incident
• Control Deficiency
• Significant Deficiency
• Material Weakness

FISMA
The Federal Information Security Management Act (FISMA), established in December 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

A-123 Appendix A
• A-123 Appendix A was added in December 2004 to incorporate Sarbanes-Oxley Section 404 principles into federal financial management.
• The revision deals primarily with internal controls over financial reporting.
• A-123 Appendix A was effective FY 2006.

FISMA and A-123 Appendix A involvement with assessing risk
In order to maintain a secure environment for information and information systems under FISMA, a well established set of internal controls should be developed and executed. FISMA internal controls incorporate the financial internal controls designed by A-123 Appendix A. A necessary element in maintaining a set of internal controls is performing risk assessments.
Diagram: FISMA Compliance (NIST 800-53 Controls; Financial Reporting Controls) and A-123 Appendix A Assurance Statement (Financial Reporting Controls)

Vulnerability
Definition: open to attack or damage
Vulnerability is defined as “a weakness or shortfall in a system that reduces the system’s ability to protect system assets. The vulnerability can be caused by the absence of a needed security feature, or by some inadequacy in the functioning of an existing security feature”.

Threat
Definition: an indication of something impending
Threat is defined as “an unwanted event or attack against an IS asset … (that) exploits a vulnerability and is carried out by a threat agent, such as an insider, intruder, hostile intelligence service, or terrorist.”
Significance 63 Definition: the quality of being important Significance is defined as “the magnitude of consequence or quantification of the damage that may be done if a threat is carried out and an unwanted event occurs. Household Example 64 Backyard Pool Objective: Keep Child Alive Threat: Child may drown in backyard pool Vulnerability: Pool gate does not have a lock, child cannot swim, child is exploratory Significance: Loss of a loved one POAM: Teach the child to swim / Add lock General Overview 65 Assessing Risk is more than just an annual process, it is continually evolving as the company changes on a day to day basis. How does the scenario and risk rating change under the following conditions: Multiple Children Children are all over the age of 15 House is located 50 miles from neighbors No Children within the house 3 Children under the age of 7 Changes in the environment change the Risk situation. Limited resources - POAM 66 How do we accomplish the control objective when we have limited resources? Resource limitation could include: Cost to complete Time Available Number of people required to accomplish the objective Availability of resources Requires prioritization to use the resources effectively Security Objective Confidentiality Integrity Availability Control Deficiency Significant Deficiency Material Weakness Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent the unauthorized disclosure of sensitive information. Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect sensitive information, such that there is more than a remote likelihood of the unauthorized disclosure of sensitive information, that could be expected to have a serious adverse effect. 
Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a severe or catastrophic adverse effect . Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements of data (both financial and nonfinancial data) on a timely basis. Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to initiate, authorize, record, process, or report data (both financial and nonfinancial data) reliably, such that there is more than a remote likelihood that a misstatement of the entity’s reports (both financial and non-financial reports), that is more than inconsequential will not be prevented or detected. Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood that a material misstatement of the entity's reports (both financial and non-financial reports), will not be prevented or detected. Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to protect the availability of critical information resources and continuity of operations. Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood that a disruption of the entity's operations that could be expected to have a serious adverse effect. 
Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood that a disruption of the entity's operations that could be expected to have a severe or catastrophic adverse effect. Issue Handling Gauging the Problem 68 Issues Exceptions Assessing Risk Framework Level of Deficiency (CD, SD, MW) A Day in the Life of a Deficiency Framework Evaluation 69 Identify/ Verify Mitigating Controls Aggregation Remediation Issue Identified Deficiency Remediated Assess Likelihood and Magnitude Deficiency Evaluation POA&M Creation 70 Identify and Verify (covered in Test Procedure Training) Identify and Verify 71 Once an issue has been identified, the following should be performed: Speak with the control owner. Determine whether the correct understanding was obtained. Determine whether there is any other evidence of the control. If the issue still exists, confirm with management that it is a true exception. 72 Defining Exceptions Exceptions are deviations from the predefined expectations of control activity statements. Exceptions can be found when assessing the design of the control activities, or when performing operating effectiveness testing of the control. An exception may be detected or a control may not operate as expected for a number of reasons. The person who normally performs the control was absent for a period of time. The control may have broken down. If the person who normally performs the work was absent or the control broke down for other reasons, the individual performing this control should attempt to identify any additional Redundant Controls that might be in place to help achieve the objective. Defining Exceptions (cont.) 73 Consider whether or not the identified exception is an isolated incident, and therefore a negligible exception. 
- Consider whether the exception is within the tolerable deviation rate (the frequency of the control must be at least daily).
- Tolerable deviation: the number of exceptions the auditor will permit in the population and still be willing to rely on internal controls.

Redundant Controls
Redundant Controls (identified and tested) that operate effectively should be considered when evaluating an exception. Redundant Controls can be found in different control objectives or NIST controls, and help to eliminate the deficiency. The identified Redundant Controls need to be tested, and be operating effectively, in order to be considered in the exception evaluation process.
Note: Redundant Controls can eliminate a control deficiency.

Identify and Verify, cont'd
Other comments:
- Not all exceptions within testing will result in a deficiency.
- The key factor is whether the control objective, or NIST control, is met.
- Evaluation requires professional judgment, considering quantitative and qualitative factors and the implications with regard to other controls.

Likelihood and Magnitude

Assessing Risk: Exception Risk
Evaluate the risk level of each deficiency that is identified. The level of risk depends on:
- Proximity of the deficiency to the actual data.
- Likelihood: the chance that the deficiency could cause an undesirable outcome.
- Magnitude: the size or extent of an undesirable outcome that may change or influence the judgment of a reasonable person.
[Diagram labels: Vulnerability, Threat, Significance]
The level of risk does not depend on whether an undesirable outcome has actually occurred, but rather on whether there is a reasonable possibility that the department/agency's controls will fail to prevent or detect an undesirable outcome.

Likelihood
Threat (including Threat Agent) factors:
- Capability
- History
- Gain / Motivation
- Attributable
- Detectability

Likelihood (cont.)
- Determine whether it is reasonably possible that the control, or combination of controls, will fail to prevent or detect an undesirable outcome.
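The exception-handling steps above (identify deviations, credit a tested Redundant Control, then compare the remaining deviation rate against the tolerable deviation rate) can be worked through in code. The following is an added example and is not part of the training deck: it tests the control activity used later in the deck, "application access is disabled within 5 days of a user's termination", against constructed HR and account records, and treats "network access is disabled on HR notification" as the Redundant Control. The sample data, the user IDs and the tolerable rate are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample evidence (not from the training material): HR termination
# dates and the dates the application account and the network account were
# disabled. None means the account was still enabled when the test was run.
TERMINATIONS: Dict[str, date] = {
    "u001": date(2024, 3, 1),
    "u002": date(2024, 3, 4),
    "u003": date(2024, 3, 11),
    "u004": date(2024, 3, 18),
    "u005": date(2024, 3, 25),
}
APP_DISABLED: Dict[str, Optional[date]] = {
    "u001": date(2024, 3, 3),
    "u002": date(2024, 3, 15),  # 11 days after termination: exception
    "u003": date(2024, 3, 14),
    "u004": None,               # never disabled: exception
    "u005": date(2024, 3, 27),
}
# Constructed evidence for the Redundant Control (network access disabled on
# HR notification of termination).
NET_DISABLED: Dict[str, Optional[date]] = {
    "u001": date(2024, 3, 1),
    "u002": date(2024, 3, 5),
    "u003": date(2024, 3, 11),
    "u004": None,
    "u005": date(2024, 3, 25),
}

CONTROL_WINDOW_DAYS = 5  # from the control activity statement


@dataclass
class ExceptionResult:
    exceptions: List[str]            # users failing the primary control
    covered_by_redundant: List[str]  # exceptions where a redundant control met the objective
    deviation_rate: float            # remaining exceptions / population
    within_tolerance: bool
    deficiency_exists: bool


def days_to_disable(terminated: date, disabled: Optional[date]) -> Optional[int]:
    """Days between termination and disablement; None if never disabled."""
    return None if disabled is None else (disabled - terminated).days


def find_exceptions(terminations, disabled, window=CONTROL_WINDOW_DAYS) -> List[str]:
    """Deviations from the control activity: access not disabled within the window."""
    out = []
    for uid, term in terminations.items():
        d = days_to_disable(term, disabled.get(uid))
        if d is None or d > window:
            out.append(uid)
    return out


def evaluate_exceptions(terminations, app_disabled, net_disabled,
                        redundant_tested_effective: bool,
                        tolerable_rate: float,
                        control_at_least_daily: bool) -> ExceptionResult:
    """Decide whether the exceptions found rise to a control deficiency."""
    exceptions = find_exceptions(terminations, app_disabled)

    # A Redundant Control counts only if it was itself tested and found to be
    # operating effectively. It is credited where the network account was
    # disabled inside the same window, so the access objective was still met.
    covered = []
    if redundant_tested_effective:
        for uid in exceptions:
            d = days_to_disable(terminations[uid], net_disabled.get(uid))
            if d is not None and d <= CONTROL_WINDOW_DAYS:
                covered.append(uid)
    remaining = [u for u in exceptions if u not in covered]
    rate = len(remaining) / len(terminations)

    # The tolerable deviation rate applies only to controls that operate at
    # least daily; for any other control every remaining exception counts.
    if control_at_least_daily:
        within = rate <= tolerable_rate
    else:
        within = not remaining
    return ExceptionResult(exceptions, covered, rate, within, not within)
```

With the constructed records, u002 and u004 fail the five-day test; u002 is covered by the network-disable Redundant Control, u004 is not, so the remaining deviation rate is 1 in 5. Whether that is a deficiency then depends on the tolerable rate the assessor set and on whether the control qualifies for a rate-based judgment at all. A result of no deficiency is an input to professional judgment, not a substitute for it.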
- Determine the likelihood of an undesirable outcome, not the likelihood of a material undesirable outcome.
- Evaluation of likelihood can be made without quantifying the probability that an undesirable outcome occurs.
Risk factors affecting likelihood:
- The subjectivity, complexity, or extent of judgment required to determine the amount involved;
- The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
- The possible future consequences of the deficiency.

Magnitude
Significance (diagram labels): Loss of Life; Top Secret/Secret; Confidential; Privacy Data; Operations Impact; Equipment Loss; Data Integrity / Accuracy
[Diagram labels: IT Control Environment, Network, Operating System, Application, Data Files / Databases; Program Development, Program Changes, Computer Operations, Access to Programs & Data]

Compensating Controls
Definition (to compensate): to cause to become less harsh or hostile.
Compensating Controls are controls that operate at a level of precision that would reduce the potential impact of the deficiency to the organization.

Compensating Controls (cont.)
Compensating Controls (identified and tested) that operate effectively should be considered when evaluating the level of a deficiency. Compensating Controls can be found in different control objectives or NIST controls, and help to decrease the severity of the deficiency. The identified Compensating Controls need to be tested, and be operating effectively, in order to be considered in the deficiency evaluation process.
Note: Although Compensating Controls can reduce the severity of a control deficiency, they do not eliminate the control deficiency.

Example of Redundant vs. Compensating Controls
Control Objective: Only authorized users can access application data
Control Activity: Application Access is disabled within 5 days of a user's termination

Example of Redundant vs. Compensating Controls (cont.)
Control Objective: Access Controls
Control Activity: Application Access is disabled within 5 days of a user's termination
Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building

Example of Redundant and Compensating Controls
Control Objective: Access Controls
Control Activity: Application Access is disabled within 5 days of a user's termination
Mitigating Control: Network access is disabled based on notification from HR of termination.
Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building

Example of Redundant and Compensating Controls (cont.)
Control Objective: Access Controls
Control Activity: Application Access is removed within 5 days of a user's termination
Compensating Control: User IDs are deleted upon weekly notification of termination from HR

Evaluating Deficiencies

Deficiency Evaluation
- Issue Evaluation, Step 1: Determine whether further evaluation is necessary.
- Deficiency Evaluation, Step 2: Determine the Level of Deficiency.

Deficiency Evaluation, cont'd
Level of deficiency by magnitude (rows) and likelihood (columns):

Magnitude of undesirable outcome that occurred, or could have occurred   | Likelihood: More Than Remote | Likelihood: Remote
Quantitatively or qualitatively material                                  | Material Weakness            | Significant Deficiency
More than inconsequential, but less than material                         | Significant Deficiency       | Control Deficiency
Inconsequential (i.e., immaterial)                                        | Control Deficiency           | Control Deficiency

Internal Control Definitions - A-123, Financial Reporting

             | Significant Deficiency     | Material Weakness
Likelihood   | More than Remote           | More than Remote
Magnitude    | More than Inconsequential  | Material

Costs vs. Benefits
In some cases it is adequate to accept the risk of an undesirable outcome. Factors that should be considered when making this decision include:
- Cost vs. Benefit analysis

Aggregating Deficiencies

Aggregation of Deficiencies
[Diagram: individual internal control deficiencies aggregate into significant deficiencies, which in turn aggregate into a material weakness]

Aggregation of Deficiencies, cont'd
Consider all control deficiencies and significant deficiencies in the aggregate by:
- Significant account balance or disclosure
- NIST family (e.g., Access Control, Audit and Accountability, or Configuration Management)
Consider any prior year unremediated findings when performing aggregation.
Control deficiencies related to a specific account balance or disclosure increase the relative likelihood and potential magnitude of an undesirable outcome compared to when only one individual control deficiency exists.

Aggregation of Deficiencies, cont'd
If you agree with the aggregation of deficiencies noted, a position paper is not necessary. After completing your evaluation of the aggregation of the deficiencies, consider writing a position paper in instances where you disagree with the results of aggregation presented by the auditors.
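The deficiency evaluation matrix, the effect of a tested Compensating Control, and aggregation by NIST family can be put together in one small evaluation routine. The following is an added example, not part of the training deck: the matrix cells are the ones on the Deficiency Evaluation slide; the rule that a Compensating Control lowers the potential impact by one magnitude step (and so can never reduce the result below a control deficiency) is a modeling assumption, since the deck only says it reduces severity without eliminating the deficiency; and because the deck gives no numeric aggregation threshold, the aggregation step groups deficiencies by family, carries prior-year unremediated findings, and flags the group for professional judgment rather than computing an aggregate level. The deficiency identifiers and families are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

LIKELIHOODS = ("remote", "more than remote")
MAGNITUDES = ("inconsequential", "more than inconsequential", "material")
LEVELS = ("control deficiency", "significant deficiency", "material weakness")

# Likelihood x magnitude matrix from the Deficiency Evaluation slide.
MATRIX = {
    ("more than remote", "material"): "material weakness",
    ("remote", "material"): "significant deficiency",
    ("more than remote", "more than inconsequential"): "significant deficiency",
    ("remote", "more than inconsequential"): "control deficiency",
    ("more than remote", "inconsequential"): "control deficiency",
    ("remote", "inconsequential"): "control deficiency",
}


@dataclass
class Deficiency:
    ident: str            # constructed identifier
    nist_family: str
    likelihood: str
    magnitude: str
    compensating_tested_effective: bool = False  # compensating control identified, tested, effective
    prior_year_unremediated: bool = False


def classify(d: Deficiency) -> str:
    """Level of deficiency after crediting a tested Compensating Control."""
    if d.likelihood not in LIKELIHOODS or d.magnitude not in MAGNITUDES:
        raise ValueError(f"{d.ident}: unknown likelihood or magnitude")
    magnitude = d.magnitude
    if d.compensating_tested_effective and magnitude != "inconsequential":
        # Modeling assumption: a Compensating Control reduces the potential
        # impact by one magnitude step. The matrix floor is still a control
        # deficiency, so the deficiency is reduced, never eliminated.
        magnitude = MAGNITUDES[MAGNITUDES.index(magnitude) - 1]
    return MATRIX[(d.likelihood, magnitude)]


@dataclass
class FamilySummary:
    count: int
    highest_level: str
    prior_year_unremediated: int
    needs_aggregate_judgment: bool


def aggregate_by_family(defs: List[Deficiency]) -> Dict[str, FamilySummary]:
    """Group deficiencies by NIST family so they can be weighed in the aggregate."""
    groups: Dict[str, List[Deficiency]] = {}
    for d in defs:
        groups.setdefault(d.nist_family, []).append(d)
    summary: Dict[str, FamilySummary] = {}
    for family, items in groups.items():
        levels = [classify(d) for d in items]
        highest = max(levels, key=LEVELS.index)
        prior = sum(d.prior_year_unremediated for d in items)
        # More than one deficiency in a family raises the relative likelihood
        # and magnitude, so the group is flagged for professional judgment
        # instead of being assigned a computed aggregate level.
        summary[family] = FamilySummary(len(items), highest, prior, len(items) > 1)
    return summary
```

The aggregation output is meant to feed the position-paper decision: a family with several deficiencies, or with prior-year findings still open, is where the assessor should expect the auditors' aggregate view to differ from the individual levels.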