Association of Government Accountants
IT Controls and Audit Readiness in the Federal Government
February 9, 2011, Harrisburg, PA

Learning Objectives
At the conclusion of this session, you will be able to understand:
• The primary federal guidance applicable to information technology controls, in order to understand management responsibilities and the needs of financial statement auditors;
• How to identify and prioritize systems that impact the financial statement audit;
• How to apply authoritative guidance and understand the types of information technology controls, control objectives, and control techniques;
• How to document and validate whether information technology controls are designed properly and operating effectively;
• How to evaluate the impact of testing exceptions; and
• The role and responsibilities of third party Service Providers.

Agenda
Section 1: Relevance of Systems and IT Controls to the Financial Statement Audit
Section 2: Types of IT Controls
Section 3: IT Controls Validation
Section 4: Other Considerations

Section 1: Relevance of Systems and IT Controls to the Financial Statement Audit

Illustration of an End-to-End Electronic Audit Trail
• A Source Journal is the initial system where business transactions are entered (also known as a system of record).
• The audit trail for the business transaction from Source Journal to Financial Statement may only exist in an electronic format.
• It may not be possible (or efficient) to “audit around” systems.
Example Scenario (swimlanes: Requester, Operations, Logistics, Acquisition, Finance, Accounting)
1. Transaction initiated and recorded in Source Journal
2. Purchasing transaction automatically initiated
3. Disbursement transaction initiated
4. General ledger and consolidation systems updated

Impact of Systems on Internal Controls
Financial statement line item / significant account / disclosure
  → Significant process / major classes of transactions
    → Key controls:
      • Automated controls: programmed or configured application controls, calculations, or procedures
      • Manual controls using system-generated reports or data
      • Manual controls not dependent on information technology
Automated controls and system-dependent manual controls both depend on system-generated information, which in turn depends on the IT general controls over the audit-significant applications (application and data): controls over access to programs and data, program change controls, program development, and computer operations, all within the information technology control environment.

What are the Reporting Entity’s audit readiness responsibilities relevant to its financial information systems?
Phase: Evaluation & Discovery
Key Tasks:
1.1 Statement to Process Analysis
1.2 Prioritization
1.3 Assess & Test Controls
1.4 Evaluate Supporting Documentation
1.5 Define Audit Ready Environment

Detailed activities for 1.3 Assess & Test Controls (to be included in Assertion Documentation; these work products are also utilized for ICOFR requirements):

1.3.1 Identify Key Control Objectives
• For each assessable unit, reporting entities identify all relevant financial statement assertion risks and corresponding Key Control Objectives (KCOs) and document them in Financial Improvement Plans (FIPs).
Resulting work product: updated FIPs

1.3.2 Prepare process and systems documentation
• Prepare process and systems documentation to include narratives, flowcharts, risk assessments and control worksheets documenting processes, risks (linked to financial statement assertions), control activities (manual and automated), IT general computer controls for significant systems, system certification/accreditations, system and end user locations, system documentation location, and descriptions of hardware/software/interfaces.
Resulting work product: process and system documentation (narratives, flowcharts, risk assessments, control worksheets, system certification/accreditations, system and end user locations, system documentation location, and descriptions of hardware/software/interfaces)

1.3.3 Prepare controls assessment
• Prepare a controls assessment document for each assessable unit, summarizing control activities and noted deficiencies for missing control activities or control activities that are not designed effectively.
Resulting work product: controls assessments

1.3.4 Execute tests of controls
• For control activities appropriately designed and in place, develop and execute a test plan to assess the operating effectiveness of control activities.
Resulting work product: test plans

1.3.5 Summarize test results
• Update control assessments with the results of tests of controls, indicating the number tested, the number of controls operating effectively and any exceptions or deviations noted during testing.
Resulting work product: updated control assessments

1.3.6 Identify deficiencies
• Identify any control activities with operation or documentation deficiencies that require corrective action to be addressed in step 1.5.1.
Resulting work product: updated control assessments

Statement to Process Analysis Example – Budgetary Resources
Statement of Budgetary Resources → Process: Procure to Pay → Sub-processes: Purchasing, Disbursing

Key Points to Remember
• Most Federal business activities are recorded in automated systems and it may not be possible (or efficient) to “audit around” the systems.
• If the Reporting Entity is placing reliance on controls performed by systems, or manual controls rely on reports / data produced by systems, the IT general controls for these systems must be documented and tested. The Reporting Entities are responsible for identifying, documenting, and testing relevant IT application and general controls necessary to address internal control over financial reporting and audit readiness considerations.
• Financial, non-financial, and mixed systems may feed financial statement account balances and/or have a role in internal controls over financial reporting. A structured process should be followed to determine which systems are in scope for audit readiness.

Section 2: Types of IT Controls

What are the differences among operational, compliance, budget, and financial controls?

Operational Controls
• The objective of operational controls is to provide reasonable assurance that the Reporting Entity achieves the performance desired by management for planning, productivity, quality, economy, efficiency, or effectiveness of the entity’s operations.

Compliance Controls
• The objective of compliance controls is to provide reasonable assurance that the Reporting Entity complies with significant provisions of applicable laws and regulations.
Budget Controls (Funds Control)
• The objective of budget controls is to ensure transactions are executed in accordance with budget authority.
If an event results in a financial transaction, it impacts ICOFR and audit readiness.

Financial Reporting Controls
• The objective of financial reporting controls is to prevent or detect misstatements in significant financial statement assertions. These include (1) safeguarding controls to protect assets against loss from unauthorized acquisition, use or disposition, and (2) segregation-of-duties controls to prevent one person from controlling multiple aspects of a transaction, which would allow that person to both cause and conceal misstatements, whether errors or fraud.

What are Business Process Application Controls?
Those controls incorporated directly into computer applications (or performed manually based on system-generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.

Importance of Business Process Application Controls to Audit Readiness
Effective business process application controls help ensure that the Reporting Entity’s financial transactions are complete, accurate, and valid, which are key internal control over financial reporting objectives and critical to asserting audit readiness.
Business Process Application Controls consist of the following four control categories:
• Business Process Controls
• Interface Controls
• Database Management System Controls
• Application Level General Controls

Business Process Control – Example
• User id and password required (Requester)
• Check completion of all required fields (Requester)

Interface Control – Example
• Total records sent = total records received

Database Management System Control – Example
• Direct access to the production database by developers is not allowed

Application Level Controls – Legacy System Environment
[Diagram: input, processing and output control points placed across the Requester, Operations, Logistics, Acquisition, Finance and Accounting swimlanes. Legend: I = Input Control Point, P = Processing Control Point, O = Output Control Point.]

Application Level General Control – Example
• All application configuration changes are approved by the change control board (management)

What are entity level Information Technology General Controls (ITGCs)?
Entity Level ITGCs are grouped into the following five general control categories:
• Security Management
• Access Controls
• Segregation of Duties
• Configuration Management
• Contingency Planning
Deficiencies related to access control and configuration management have the greatest potential to result in material weaknesses and to render the other IT general and application controls unreliable.
Security Management − Provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls.
Access Controls − Limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting them against unauthorized modification, loss, and disclosure.
Segregation of Duties − Includes policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
Configuration Management − Prevents unauthorized changes to information system resources (for example, software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.
Contingency Planning − Includes plans and procedures in place that ensure that, when unexpected events occur, critical operations continue without disruption or are promptly resumed, and critical and sensitive data are protected. Such plans should consider the activities performed at general support facilities, as well as those performed by users of specific applications.

Entity Level General Control – Example
• All operating system configuration changes are approved by the change control board (management)
• Physical access to the data center where the applications are hosted is appropriately restricted

Key Points to Remember
• There are differences among operational, compliance, budget, and financial controls.
• Business process application controls are incorporated directly into computer applications (or performed manually based on system-generated information) to help ensure the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.
• IT General Controls are the policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. ITGCs are applied entity-wide and at the system and application levels.

Section 3: IT Controls Validation

Sources of Internal Control Over Financial Reporting and Audit Readiness Guidance
Overall framework
• Audit guidance: GAO Financial Audit Manual (FAM); GAO Government Auditing Standards (Yellow Book)
• Controls guidance: OMB A-123 Implementation Guide; COSO Internal Control Framework (COSO); GAO Standards for Internal Control (Green Book)
Application and IT controls
• Audit guidance: GAO Federal Information System Controls Audit Manual (FISCAM); GAO Assessing the Reliability of Computer-Processed Data
• Controls guidance: GAO Federal Information System Controls Audit Manual (FISCAM); GAO Assessing the Reliability of Computer-Processed Data
When evaluating IT application and general controls, the GAO FISCAM manual is the primary authoritative source for the relevant control objectives and control techniques that should be addressed.

Why is it important for the Reporting Entity to document an understanding of the design of its Information Systems controls?
There are two primary reasons for documenting an understanding of IT general and application controls:
• The first is simply to determine if internal controls have been identified (or exist) for each relevant control objective.
• The second is to evaluate whether the controls, if implemented and operating effectively, would satisfy the relevant control objectives. This second point is often referred to as assessing the “design effectiveness” of the internal control.
It is essential that the controls documentation be prepared in enough detail for the reader to easily understand whether the control objective has been addressed.
Design documentation template (matrix columns): Control Objective | Control Technique | Control in Place | Satisfactory

Why is it important for the Reporting Entity to effectively design and conduct tests of IT control activities?
Once the Reporting Entity has determined that the internal controls are appropriately designed, the next step is to determine if the control has been operating effectively throughout the audit / assertion period. This is commonly referred to as “testing of operational effectiveness.” Tests of operational effectiveness must be successfully completed before reliance can be placed on the internal control.

When performing tests of whether IT controls are operating effectively, the Reporting Entity has a number of techniques available, listed here from the lowest to the highest level of assurance:
• Inquiry of appropriate personnel (lowest level of assurance)
• Observation of the control in operation
• Inspection of documentation
• Re-performance of the control (highest level of assurance)
It is important to note that inquiry and observation by themselves typically do not constitute a valid test of whether IT controls are operating effectively.

The Reporting Entity may perform both sampling (statistical/nonstatistical) and nonsampling control tests to evaluate whether IT controls are operating effectively. For an automated control, the number of items tested can be as low as one, assuming that information technology general controls have been tested and found to be effective. A common example of an automated control is an edit check that is activated during data entry.
Example Sample Sizes
Test sample size depends on several factors including:
• Type of control (manual or automated)
• Frequency of the control (e.g., how often it is performed)
• Complexity of the control
• Management’s judgment

Frequency (population)   Sample size
Annually (1)             1
Quarterly (4)            2
Monthly (12)             3
Weekly (52)              10
Daily (250)              30
Recurring (>250)         45

In those instances where Management has determined that smaller sample sizes are appropriate (based on their judgment), the rationale for this decision should be thoroughly documented.

Key Points to Remember
• The GAO FISCAM manual is the primary authoritative source for the relevant control objectives and control techniques that should be included in the scope of the IT controls evaluation.
• It is essential that the controls documentation be prepared in enough detail for the reader to easily understand if the control objective has been addressed.
• Performing an assessment of design effectiveness is important because it allows management to identify areas for remediation quickly instead of wasting time testing a poorly designed control.
• Testing the actual operational effectiveness of the internal control over time is absolutely critical, as this provides the basis of reliance for the audit / assertion period.
• When testing operational effectiveness, appropriate testing techniques and sample sizes should be used.
• Completion of system certification and accreditation does not completely address ICOFR requirements.

Section 4: Other Considerations

What is the relevance of evaluating exceptions for the Reporting Entity?
In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand the matter and its potential consequences. Internal control deficiencies are defined by the Public Company Accounting Oversight Board (PCAOB) and the AICPA. GAO and OMB typically adopt these same definitions by reference into their own guidance. Questions to consider include:
• How many exceptions were there and how severe were they?
• Has the control operated effectively throughout the period?
• Can we still rely on this control?
• Are there appropriate compensating controls?
• Is the control objective satisfied?
• Are there unmitigated financial reporting risks?

A Deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
A Significant Deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
A Material Weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

What is the role of Third Party Service Providers?
Reporting Entities and Service Providers perform roles in different segments of end-to-end processes in the Department. Neither party actively participates in every segment of the entire process. The deck illustrates this with an overview example of a Service Provider functional view of a representative Civilian Pay Process, summarizing the roles of the Reporting Entity and the Service Provider. When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.

What are the responsibilities of Reporting Entities and third party Service Providers relevant to Federal financial audits?
• With respect to financial audits, a Service Provider’s services are part of an entity’s information systems and therefore could be significant to the Reporting Entity’s information system.
• If the user organization’s (Reporting Entity’s) management and/or user auditor determine that the service organization’s controls are significant to the entity’s internal control, the Reporting Entity should gain an understanding of controls at the Service Provider by obtaining a service auditor’s report.
• According to OMB Bulletin 07-04, as revised, Audit Requirements for Federal Financial Statements, service organizations must either provide their user organizations with an audit report on whether (1) internal controls were designed properly to achieve specified objectives and placed into operation as of a specified date and (2) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified, or allow user auditors to perform appropriate tests of controls at the service organization.

What are the types of service auditor reports?
• Type 1 Report – a report on the design and implementation of controls (placed in operation) at a service organization, which does not include testing whether the controls are operating effectively.
• Type 2 Report – a report on the design and implementation of controls (placed in operation) and on their operating effectiveness. In a Type 2 engagement, the service auditor performs the procedures required for a Type 1 engagement and also performs tests of specific controls to evaluate whether they operate effectively in achieving the specified control objectives.
• Introduction of a new AICPA standard and revised GAO guidance: Statement on Standards for Attestation Engagements (SSAE) No. 16 is replacing Statement on Auditing Standards (SAS) No. 70 effective June 15, 2011.

Key Points to Remember
• In evaluating test results and exceptions, the Reporting Entity should perform an evaluation to understand the matter and its potential consequences.
• Deficiencies, Significant Deficiencies, and Material Weaknesses have differing levels of impact on the Reporting Entity’s audit readiness and should be reported, prioritized, and remediated accordingly.
• When the Reporting Entity asserts audit readiness, it is for the entire process, including those activities and controls performed by the Service Provider.
• A Type 1 Service Auditor’s Report does not provide assurance regarding the operational effectiveness of the Service Provider’s internal controls over a period of time. This type of assurance is provided in a Type 2 report.

Comments and Questions?

© 2011 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

Want to contact us?
Bobbi Markley, CDFM, CISA, CISM, PricewaterhouseCoopers LLP, 1800 Tysons Boulevard, McLean VA 22102, 703.918.3138
Bradley Keith, CPA, CISA, PMP, PricewaterhouseCoopers LLP, 1800 Tysons Boulevard, McLean VA 22102, 703.918.3564