Federal IT Controls and Audit Readiness - AGA

Association of Government Accountants
IT Controls and Audit Readiness in the Federal Government
February 9, 2011
Harrisburg, PA
Learning Objectives
At the conclusion of this session, you will be able to understand:
The primary federal guidance applicable to Information Technology
Controls to understand management responsibilities and the needs of
financial statement auditors;
How to identify and prioritize systems that impact the financial statement
audit;
How to apply authoritative guidance and understand the types of
information technology controls, control objectives, and control
techniques;
How to document and validate whether information technology controls
are designed properly and operating effectively;
How to evaluate the impact of testing exceptions; and
The role and responsibilities of third party Service Providers.
Agenda
Section 1: Relevance of Systems and IT Controls to the Financial
Statement Audit
Section 2: Types of IT Controls
Section 3: IT Controls Validation
Section 4: Other Considerations
Section 1
Relevance of Systems and IT Controls
to the Financial Statement Audit
Illustration of an End-to-End Electronic Audit Trail
* A Source Journal is the initial system where business transactions are
entered (also known as a system of record).
* The audit trail for the business transaction from Source Journal to
Financial Statement may only exist in an electronic format.
* It may not be possible (or efficient) to “audit around” systems.
Example Scenario
(Diagram of the transaction flow across Requester, Operations, Logistics,
Acquisition, Finance and Accounting; four successive stages of one
transaction are shown:)
• Transaction Initiated and Recorded in Source Journal
• Purchasing Transaction Automatically Initiated
• Disbursement Transaction Initiated
• General Ledger and Consolidation Systems Updated
Impact of Systems on Internal Controls
(Diagram; the layers from top to bottom are:)
Financial Statement Line Item / Significant Account / Disclosure
Significant Process / Major Classes of Transactions
Key Controls, of three kinds:
• Automated Controls: programmed or configured application controls,
calculations, or procedures (system dependency)
• Manual Controls using system-generated reports or data (system-generated
information dependency)
• Manual Controls not dependent on information technology
Audit Significant Applications (application and data), supported by the
IT general controls:
• Controls over Access to Programs and Data
• Program Change Controls
• Program Development
• Computer Operations
Information Technology Control Environment (underlying all of the above)
Phase: Evaluation & Discovery
What are the Reporting Entity’s audit readiness responsibilities
relevant to its financial information systems?
Key Tasks: 1.1 Statement to Process Analysis; 1.2 Prioritization;
1.3 Assess & Test Controls; 1.4 Evaluate Supporting Documentation;
1.5 Define Audit Ready Environment
Detailed Activities for 1.3 Assess & Test Controls (the slide marks the
resulting work products that are to be included in Assertion Documentation;
these work products are also utilized for ICOFR requirements):
1.3.1 Identify Key Control Objectives
• For each assessable unit, reporting entities identify all relevant financial
statement assertion risks and corresponding Key Control Objectives (KCOs)
and document in Financial Improvement Plans (FIPs)
Resulting work product: Updated FIPs
1.3.2 Prepare process and systems documentation
• Prepare process and systems documentation to include narratives, flowcharts,
risk assessments and control worksheets documenting processes, risks
(linked to financial statement assertions), control activities (manual and
automated), IT general computer controls for significant systems, system
certification/accreditations, system and end user locations, system
documentation location, and descriptions of hardware/software/interfaces
Resulting work product: Process and system documentation (narratives,
flowcharts, risk assessments, control worksheets, system
certification/accreditations, system and end user locations, system
documentation location, and descriptions of hardware/software/interfaces)
1.3.3 Prepare controls assessment
• Prepare controls assessment document for each assessable unit,
summarizing control activities and noted deficiencies for missing control
activities or control activities that are not designed effectively
Resulting work product: Controls assessments
1.3.4 Execute tests of controls
• For control activities appropriately designed and in place, develop and execute
a test plan to assess the operating effectiveness of control activities
Resulting work product: Test plans
1.3.5 Summarize test results
• Update control assessments with the results of tests of controls, indicating the
number tested, the number of controls operating effectively and any
exceptions or deviations noted during testing
Resulting work product: Updated control assessments
1.3.6 Identify deficiencies
• Identify any control activities with operation or documentation deficiencies that
require corrective action to be addressed in step 1.5.1
Resulting work product: Updated control assessments
Statement to Process Analysis Example – Budgetary Resources
(Diagram linking the Budgetary Resources statement to the Procure to Pay
process and its Purchasing and Disbursing sub-processes.)
Key Points to Remember
• Most Federal business activities are recorded in automated systems and it
may not be possible (or efficient) to “audit around” the systems.
• If the Reporting Entity is placing reliance on controls performed by systems
or manual controls rely on reports / data produced by systems, the IT general
controls for these systems must be documented and tested.
• The Reporting Entities are responsible for identifying, documenting, and
testing relevant IT application and general controls necessary to address
internal control over financial reporting and audit readiness considerations.
• Financial, non-financial, and mixed systems may feed financial statement
account balances and/or have a role in internal controls over financial
reporting. A structured process should be followed to determine which
systems are in scope for audit readiness.
Section 2
Types of IT Controls
What are the differences among operational, compliance, budget,
and financial controls?
Differences among operational, compliance, budget, and
financial controls
Operational Controls
• The objectives of operations controls are to provide reasonable
assurance that the Reporting Entity achieves the performance desired by
management for planning, productivity, quality, economy, efficiency, or
effectiveness of the entity’s operations.
Compliance Controls
• The objective of compliance controls is to provide reasonable
assurance that the Reporting Entity complies with significant provisions of
applicable laws and regulations.
Budget Controls (Funds Control)
• The objective of budget controls is to ensure transactions are executed in
accordance with budget authority.
If an event results in a financial transaction, it impacts ICOFR and audit readiness
Differences among operational, compliance, budget, and
financial controls
Financial Reporting Controls
• The objective of financial reporting controls is to prevent or detect misstatements
in significant financial statement assertions. These include (1) safeguarding
controls to protect assets against loss from unauthorized acquisition, use or
disposition, and (2) segregation-of-duties controls to prevent one person from
controlling multiple aspects of a transaction allowing that person to both cause
and conceal misstatements whether errors or fraud.
What are Business Process Application Controls?
Those controls incorporated directly into computer applications (or performed
manually based on system generated information) to help ensure the
completeness, accuracy, validity, confidentiality, and availability of transactions
and data during application processing.
Importance of Business Process Application Controls to Audit
Readiness
Effective business process application controls help ensure that the Reporting
Entity’s financial transactions are complete, accurate, and valid which are key
internal control over financial reporting objectives and critical to asserting audit
readiness.
What are Business Process Application Controls?
Business Process Application Controls consist of the following
four control categories:
• Business Process Controls
• Interface Controls
• Database Management System Controls
• Application Level General Controls
Business Process Application Controls - Example
(Diagram of the same transaction flow; the controls called out at the
Requester step are: user id and password required; check completion of
all required fields.)
Interface Control - Example
(Diagram of the same transaction flow; the control called out at the
hand-off between systems is: total records sent = total records received.)
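The record-count control on the slide is the simplest form of an interface reconciliation. The following Python is an added example written for this page, not code from the deck or from any system it describes. It shows why a count alone is weak evidence: the constructed batch has one record dropped, one loaded twice and one amount changed in transit, so the count still matches and only the hash total on amounts and the content digest of the batch expose the exceptions. The record layout (doc_id, amount, vendor) and both batches are constructed for illustration.

```python
"""Interface control: reconcile the batch a source journal sent against the
batch the downstream accounting system received.

Added example for this page, not code from the deck or from any system it
describes. The record layout (doc_id, amount, vendor) and both batches are
constructed for illustration.
"""
from collections import Counter
from decimal import Decimal
import hashlib

# Constructed: what the purchasing system logged as sent ...
SENT = [
    {"doc_id": "PO-1001", "amount": "1250.00", "vendor": "V-17"},
    {"doc_id": "PO-1002", "amount": "89.99", "vendor": "V-03"},
    {"doc_id": "PO-1003", "amount": "4400.00", "vendor": "V-17"},
    {"doc_id": "PO-1004", "amount": "310.50", "vendor": "V-22"},
]
# ... and what the accounting system actually loaded: PO-1003 was dropped,
# PO-1002 was loaded twice, and PO-1004's amount changed in transit. The
# record count still matches, which is why a count alone is a weak control.
RECEIVED = [
    {"doc_id": "PO-1001", "amount": "1250.00", "vendor": "V-17"},
    {"doc_id": "PO-1002", "amount": "89.99", "vendor": "V-03"},
    {"doc_id": "PO-1002", "amount": "89.99", "vendor": "V-03"},
    {"doc_id": "PO-1004", "amount": "301.50", "vendor": "V-22"},
]


def control_totals(batch):
    """Return (record count, hash total of amounts, content digest).

    The digest is computed over the sorted record lines, so a batch that
    arrives in a different order still reconciles; Decimal avoids the
    float rounding that would make amount totals unreliable evidence.
    """
    count = len(batch)
    amount_total = sum(Decimal(r["amount"]) for r in batch)
    digest = hashlib.sha256()
    for line in sorted(f'{r["doc_id"]}|{r["amount"]}|{r["vendor"]}' for r in batch):
        digest.update(line.encode() + b"\n")
    return count, amount_total, digest.hexdigest()


def reconcile(sent, received):
    """Compare the two batches' control totals, then name each exception.

    Returns a dict of the three total comparisons plus record-level lists
    (missing, duplicated, unexpected, altered). 'ok' is True only when the
    content digests match and no record-level exception exists.
    """
    s_count, s_amount, s_hash = control_totals(sent)
    r_count, r_amount, r_hash = control_totals(received)

    sent_ids = Counter(r["doc_id"] for r in sent)
    recv_ids = Counter(r["doc_id"] for r in received)
    # Counter subtraction keeps only positive differences, so these are
    # "fewer copies received than sent" and "more copies received than sent".
    missing = sorted((sent_ids - recv_ids).elements())
    extra = recv_ids - sent_ids
    duplicated = sorted(k for k in extra if k in sent_ids)
    unexpected = sorted(k for k in extra if k not in sent_ids)

    # Records present on both sides but with different content.
    by_id_sent = {r["doc_id"]: r for r in sent}
    by_id_recv = {r["doc_id"]: r for r in received}
    altered = sorted(k for k in by_id_sent.keys() & by_id_recv.keys()
                     if by_id_sent[k] != by_id_recv[k])

    result = {
        "count_match": s_count == r_count,
        "amount_match": s_amount == r_amount,
        "hash_match": s_hash == r_hash,
        "missing": missing,
        "duplicated": duplicated,
        "unexpected": unexpected,
        "altered": altered,
    }
    result["ok"] = result["hash_match"] and not (missing or duplicated
                                                 or unexpected or altered)
    return result


if __name__ == "__main__":
    outcome = reconcile(SENT, RECEIVED)
    for key, value in outcome.items():
        print(f"{key:>13}: {value}")
```

As a test of operating effectiveness, the evidence retained for each batch would be the two sets of control totals and the exception lists, not just a "counts agreed" tick; the three comparisons are deliberately kept separate so the reviewer can see which control would have caught the exception.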
Database Management System Control - Example
(Diagram of the same transaction flow with the application and its data;
the control called out is: direct access to the production database by
developers is not allowed.)
Application Level Controls – Legacy System Environment
(Diagram of the legacy systems across Requester, Operations, Logistics,
Acquisition, Finance and Accounting, each annotated with its control points.
Legend: I = Input Control Point; P = Processing Control Point;
O = Output Control Point.)
Application Level General Control - Example
(Diagram of the same transaction flow; the control called out is: all
application configuration changes are approved by the change control
board (management).)
What are entity level Information Technology General Controls
(ITGCs)?
Entity Level ITGCs are grouped into the following five general
control categories:
• Security Management
• Access Controls
• Segregation of Duties
• Configuration Management
• Contingency Planning
Deficiencies related to access control and configuration management
have the greatest potential to result in material weaknesses and
render the other IT general and application controls unreliable.
What are entity level Information Technology General Controls
(ITGCs)?
Security Management
− Provides a framework and continuing cycle of activity for
managing risk, developing security policies, assigning
responsibilities, and monitoring the adequacy of the entity’s
computer-related controls.
Access Controls
− Limit or detect access to computer resources (data, programs,
equipment, and facilities); thereby, protecting them against
unauthorized modifications, loss, and disclosure.
Segregation of Duties
− Includes policies, procedures, and an organizational structure
to manage who can control key aspects of computer-related
operations.
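The segregation-of-duties description under financial reporting controls in Section 2 and the ITGC Segregation of Duties category above describe the same test: no single person may hold roles that let them both cause and conceal a misstatement, or both write code and move it into production. The following Python is an added example written for this page, not code or tooling from the deck. The role names, the conflict pairs, the user extract and the nested group are constructed, and the compensating-control entry for one user is a hypothetical risk-acceptance record an entity would take from its own files. The group expansion is the part worth noting: a conflict that is invisible per assignment appears once group membership is flattened.

```python
"""Segregation-of-duties test over a role-assignment extract.

Added example for this page, not code or tooling from the deck. The role
names, the conflict pairs, the user extract and the nested group are
constructed; an entity would take them from its own access-control matrix
and system exports.
"""

# Constructed conflict matrix: pairs of roles one person must never hold at
# once. The first three are business-process conflicts (one person could both
# cause and conceal a misstatement); the last two are IT-operations conflicts.
CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}):
        "create a vendor and approve payments to it",
    frozenset({"po_create", "receipt_record"}):
        "order goods and record their receipt",
    frozenset({"journal_post", "journal_approve"}):
        "post and approve the same journal entry",
    frozenset({"developer", "prod_deploy"}):
        "write code and move it into production",
    frozenset({"dba_prod", "app_user"}):
        "hold DBA rights over the application's own data",
}

# Constructed extract: (user, role-or-group) pairs as a system would export
# them. A group is expanded to its member roles below, because nested group
# membership is a common way an SoD conflict hides from a per-assignment review.
ASSIGNMENTS = [
    ("alice", "po_create"), ("alice", "receipt_record"),
    ("bob", "vendor_create"), ("bob", "ap_clerk"),
    ("carol", "journal_post"), ("carol", "journal_approve"),
    ("dave", "developer"), ("dave", "prod_deploy"),
    ("erin", "payment_approve"),
]
GROUPS = {"ap_clerk": {"payment_approve"}}  # constructed group -> roles

# Constructed, hypothetical risk-acceptance record: a conflict management has
# accepted because a documented compensating control exists. It is reported
# separately, never silently dropped.
COMPENSATING = {"dave": "change control board approves each production deployment"}


def effective_roles(assignments, groups):
    """Flatten (user, role-or-group) pairs into {user: set of effective roles},
    expanding groups recursively and tolerating cycles."""
    roles = {}
    for user, role in assignments:
        held = roles.setdefault(user, set())
        stack = [role]
        while stack:
            r = stack.pop()
            if r in held:
                continue
            held.add(r)
            stack.extend(groups.get(r, ()))
    return roles


def sod_violations(roles, conflicts):
    """Return {user: [description, ...]} for every user whose effective roles
    contain a forbidden pair; users with no violation are absent."""
    found = {}
    for user, held in sorted(roles.items()):
        for pair, why in conflicts.items():
            if pair <= held:  # both roles of the pair are held
                found.setdefault(user, []).append(why)
    return found


def evaluate(assignments, groups, conflicts, compensating=None):
    """Run the SoD test and split the findings into open exceptions and
    conflicts covered by a documented compensating control."""
    compensating = compensating or {}
    violations = sod_violations(effective_roles(assignments, groups), conflicts)
    return {
        "users_tested": len({u for u, _ in assignments}),
        "open": {u: v for u, v in violations.items() if u not in compensating},
        "mitigated": {u: (v, compensating[u]) for u, v in violations.items()
                      if u in compensating},
    }


if __name__ == "__main__":
    outcome = evaluate(ASSIGNMENTS, GROUPS, CONFLICTS, COMPENSATING)
    print(f"users tested: {outcome['users_tested']}")
    for user, whys in outcome["open"].items():
        print(f"OPEN      {user}: can " + "; ".join(whys))
    for user, (whys, control) in outcome["mitigated"].items():
        print(f"MITIGATED {user}: can " + "; ".join(whys) + f" ({control})")
```

Run against the extract, bob is reported even though neither of his direct assignments is a conflict on its own, and dave is listed as mitigated rather than omitted, which is the form of evidence the "are there appropriate compensating controls?" question in Section 4 expects.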
What are entity level Information Technology General Controls
(ITGCs)?
Configuration Management
− Prevents unauthorized changes to information system resources
(for example, software programs and hardware configurations)
and provides reasonable assurance that systems are configured
and operating securely and as intended.
Contingency Planning
− Includes plans and procedures in place that ensure when
unexpected events occur, critical operations continue without
disruption or are promptly resumed, and critical and sensitive
data are protected. Such plans should consider the activities
performed at general support facilities, as well as those
performed by users of specific applications.
Entity Level General Control - Example
(Diagram of the same transaction flow; the controls called out are: all
operating system configuration changes are approved by the change control
board (management); physical access to the data center where the
applications are hosted is appropriately restricted.)
Key Points to Remember
There are differences among operational, compliance, budget, and
financial controls.
Business process application controls are incorporated directly into
computer applications (or performed manually based on system
generated information) to help ensure the completeness, accuracy,
validity, confidentiality, and availability of transactions and data during
application processing.
IT General Controls are the policies and procedures that apply to all or
a large segment of entity’s information systems and help ensure their
proper operation. ITGCs are applied entity-wide and at the system and
application levels.
Section 3
IT Controls Validation
Sources of Internal Control Over Financial Reporting and Audit
Readiness Guidance
Audit Guidance
• GAO Financial Audit Manual (FAM)
• GAO Government Auditing Standards (Yellow Book)
• GAO Federal Information System Controls Audit Manual (FISCAM)
• GAO Assessing Reliability of Computer Processed Data
Controls Guidance
• OMB A-123 Implementation Guide
• COSO Internal Control Framework (COSO)
• GAO Standards for Internal Control (Green Book)
• GAO Federal Information System Controls Audit Manual (FISCAM)
• GAO Assessing Reliability of Computer Processed Data
(The slide labels FISCAM and Assessing Reliability of Computer Processed
Data, which appear under both headings, as covering the overall framework
and application controls.)
Sources of Internal Control Over Financial Reporting and Audit
Readiness Guidance
When evaluating IT application and general controls, the GAO FISCAM
manual is the primary authoritative source for relevant control objectives
and control techniques that should be addressed.
Why is it important for the Reporting Entity to document an
understanding of the design of its Information Systems controls?
There are two primary reasons for documenting an understanding of
IT general and application controls:
The first is to simply determine if internal controls have been
identified (or exist) for each relevant control objective.
The second is to evaluate whether the controls, if implemented and
operating effectively, would satisfy the relevant control objectives.
This second point is often referred to as assessing the “design
effectiveness” of the internal control.
It is essential that the controls documentation be prepared in enough
detail for the reader to easily understand whether the control objective
has been addressed.
Why is it important for the Reporting Entity to document an
understanding of the design of its Information Systems controls?
(The slide shows the columns of the controls documentation matrix:
Control Objective, Control Technique, Control in Place, Satisfactory.)
Why is it important for the Reporting Entity to effectively design
and conduct tests of IT control activities?
Once the Reporting Entity has determined that the internal controls are
appropriately designed, the next step is to determine if the control has been
operating effectively throughout the audit / assertion period.
This is commonly referred to as “testing of operational effectiveness.”
Tests of operational effectiveness must be successfully completed
before reliance can be placed on the internal control.
Why is it important for the Reporting Entity to effectively design
and conduct tests of IT control activities?
When performing tests on whether IT controls are operating effectively,
the Reporting Entity has a number of techniques available. Listed from the
lowest to the highest level of assurance, they are:
• Inquiry of Appropriate Personnel (lowest level of assurance)
• Observation of the Control in Operation
• Inspection of Documentation
• Re-performance of the Control (highest level of assurance)
It is important to note that inquiry and observation by themselves typically do not
constitute a valid test of whether IT controls are operating effectively.
Why is it important for the Reporting Entity to effectively design
and conduct tests of IT control activities?
The Reporting Entity may perform both sampling (statistical/nonstatistical)
and nonsampling control tests to evaluate whether IT controls are operating
effectively.
For an automated control, the number of items tested can be as low
as one, assuming that information technology general controls
have been tested and found to be effective. A common example
of an automated control is an edit check that is activated during
data entry.
Why is it important for the Reporting Entity to effectively design and
conduct tests of IT control activities?
Test sample size depends on several factors including:
• Type of control (manual or automated)
• Frequency of the control (e.g., how often is it performed)
• Complexity of the control
• Management’s Judgment
Example Sample Sizes
Frequency (Population)    Sample Size
Annually (1)              1
Quarterly (4)             2
Monthly (12)              3
Weekly (52)               10
Daily (250)               30
Recurring (>250)          45
In those instances where Management has determined that smaller sample sizes are
appropriate (based on their judgment), the rationale for this decision should be thoroughly
documented.
Key Points to Remember
• The GAO FISCAM manual is the primary authoritative source for relevant control
objectives and control techniques that should be included in the scope of the IT controls
evaluation.
• It is essential that the controls documentation be prepared in enough detail for the
reader to easily understand if the control objective has been addressed.
• Performing an assessment of design effectiveness is important because it allows
management to identify areas for remediation quickly instead of wasting time testing a
poorly designed control.
• Testing the actual operational effectiveness of the internal control over time is
absolutely critical, as this provides the basis of reliance for the audit / assertion period.
• When testing operational effectiveness appropriate testing techniques and sample
sizes should be used.
• Completion of system certification and accreditation does not completely address
ICOFR requirements.
Section 4
Other Considerations
What is the relevance of evaluating exceptions for the Reporting
Entity?
In evaluating test results and exceptions, the Reporting Entity should
perform an evaluation to understand the matter and their potential
consequences.
Internal control deficiencies are defined by the Public Company
Accounting Oversight Board (PCAOB) and the AICPA. GAO and OMB
typically adopt these same definitions by reference into their own
guidance.
How many exceptions were there and how severe?
Has the control operated effectively throughout the period?
Can we still rely on this control?
Are there appropriate compensating controls?
Is the control objective satisfied?
Are there unmitigated financial reporting risks?
What is the relevance of evaluating exceptions for the Reporting
Entity?
A Deficiency in internal control exists when the design or operation of a
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent, or detect and correct
misstatements on a timely basis.
A Significant Deficiency is a deficiency, or a combination of deficiencies, in
internal control that is less severe than a material weakness, yet important
enough to merit attention by those charged with governance.
Material Weakness is a deficiency, or combination of deficiencies, in internal
control, such that there is a reasonable possibility that a material misstatement
of the entity’s financial statements will not be prevented, or detected and
corrected on a timely basis.
What is the role of Third Party Service Providers?
Reporting Entities and Service Providers perform roles in different segments of
end-to-end processes in the Department. Neither party actively participates in every
segment of the entire process.
The slide shows an overview example of a Service Provider functional view of a
representative Civilian Pay Process that summarizes the roles of the Reporting Entity
and the Service Provider.
When the Reporting Entity asserts audit readiness, it is for the entire process including those
activities and controls performed by the Service Provider.
What are the responsibilities of Reporting Entities and third party
Service Providers relevant to Federal financial audits?
• With respect to financial audits, a Service Provider’s services are part of an
entity’s information systems and therefore could be significant to the Reporting
Entity’s information system. If the user organization’s (Reporting Entity’s)
management and/or user auditor determine that the service organization’s
controls are significant to the entity’s internal control, the Reporting Entity should
gain an understanding of controls at the Service Provider by obtaining a service
auditor’s report.
• According to OMB Bulletin 07-04, as revised, Audit Requirements for Federal
Financial Statements, service organizations must either provide their user
organizations with an audit report on whether (1) internal controls were
designed properly to achieve specified objectives and placed into operation as
of a specified date and (2) the controls that were tested were operating
effectively to provide reasonable assurance that the related control objectives
were met during the period specified, or allow user auditors to perform
appropriate tests of controls at the service organization.
What are the types of service auditor reports?
• Type 1 Report - is a report on the design and implementation of controls
(placed in operation) at a service organization, but does not include testing
whether the controls are operating effectively.
• Type 2 Report - is a report on the design and implementation of controls
(placed in operation) and on their operating effectiveness. In a Type 2
engagement, the service auditor performs the procedures required for a Type
1 engagement and also performs tests of specific controls to evaluate whether
they operate effectively in achieving the specified control objectives.
Introduction of a New AICPA Standard and Revised GAO Guidance
• Statement on Standards for Attestation Engagements (SSAE) No. 16 is
replacing Statement on Auditing Standards (SAS) No. 70 effective June 15,
2011.
Key Points to Remember
• In evaluating test results and exceptions, the Reporting Entity should
perform an evaluation to understand the matter and their potential
consequences.
• Deficiencies, Significant Deficiencies, and Material Weaknesses have
differing levels of impact on the Reporting Entity’s audit readiness and
should be reported, prioritized, and remediated accordingly.
• When the Reporting Entity asserts audit readiness, it is for the entire
process including those activities and controls performed by the Service
Provider.
• A Type 1 Service Auditor’s Report does not provide assurance
regarding the operating effectiveness of the Service Provider’s internal
controls over a period of time. This type of assurance is provided in a
Type 2 report.
Comments and Questions?
© 2011 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network
of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent
legal entity.
Want to contact us?
Bobbi Markley, CDFM, CISA, CISM
PricewaterhouseCoopers LLP
1800 Tysons Boulevard
McLean VA 22102
703.918.3138
Bradley Keith, CPA, CISA, PMP
PricewaterhouseCoopers LLP
1800 Tysons Boulevard
McLean VA 22102
703.918.3564