ISACA Greater Kansas City Chapter Control Rationalization: Taking Action September 14, 2006.
Copyright © 2004 Deloitte Development LLC. All rights reserved. 2
Agenda
• Introductions
• Getting to Know You
• Control Rationalization Overview
• General Computer Control (GCC) Challenges
• GCC Control Rationalization Overview
• Control Risk-Rating
• Control Design
• Risk-Based Testing
• Cost Analysis
• Working with your External Auditors
• Leveraging Company Level Controls & Automation
• Roadmap and Wrap-Up
Polling Question: What industry do you work in?
1. Financial Services
2. Manufacturing
3. Technology, Media, and Telecom
4. Entertainment
5. Consumer Business
6. Energy & Utilities
7. Transportation
8. Health Care & Life Sciences
9. Public Sector
10. Other
Responses as charted (options 1 to 10): 55%, 0%, 13%, 0%, 0%, 5%, 2%, 2%, 4%, 20%
Polling Question: What is your position?
1. Internal Audit / IT Audit
2. Finance & Accounting
3. Information Technology
4. Sarbanes-Oxley Group
5. Other
Responses as charted (options 1 to 5): 77%, 2%, 9%, 5%, 7%
Polling Question: Does your organization comply with Sarbanes-Oxley or perform testing of controls?
1. Yes
2. No
3. Don’t Know / No Answer
Responses as charted (options 1 to 3): 82%, 11%, 7%
Polling Question: Do you feel your organization has too many key controls (business process and/or IT) that are tested?
1. Yes
2. No
3. Don’t Know / No Answer
Responses as charted (options 1 to 3): 25%, 57%, 18%
Polling Question: Do you feel that you spend too much of your time focusing on non-critical controls?
1. Yes
2. No
3. Don’t Know / No Answer
Responses as charted (options 1 to 3): 31%, 56%, 13%
Polling Question: Who is driving interest in control rationalization in your organization?
1. Internal Audit / IT Audit
2. Audit Committee / Executive Management
3. External Auditor
4. Sarbanes-Oxley Group
5. Business Units / IT
6. All of the above
7. None of the above
8. I’m just here for the CPE and lunch
Responses as charted (options 1 to 8): 18%, 29%, 2%, 5%, 2%, 30%, 2%, 13%
Copyright © 2006 Deloitte Development LLC. All rights reserved. 9
Control Rationalization - Overview
Modules: Control Rationalization Overview; Control Risk-Rating; Company Level Controls; Risk-Based Testing; Control Automation; Cost Analysis; Roadmap
Outcomes
• Understand Control Rationalization concepts
• How to apply to company
• Examples of applying risk-rating
• How to identify and use CLCs
• Process to apply
• Understand benefits of leveraging automation
• Next steps to apply Control Rationalization to company’s control program
Activities
• Define approach
• Discuss process and impact to company
• Risk-rate control objectives
• Determine impact on risk-rated controls
• Impact on test approach based on risk-rating
• Examples of applying to company controls
• Define CLCs and BMCs (process-focused)
• Identify CLCs that are relevant to company
• Discuss approach
• Define updated approach
• Discuss impact to company
• Discuss short- and long-term impact
• Define cost analysis approach
• Modeling approach to cost savings
• Review modeling of cost savings
• Define roadmap approach
• Discuss next steps
• Wrap up
What is Control Rationalization?
Control Rationalization is a top-down, risk-based approach to implement a lean and balanced control program.
Figure: rationalize routine / transactional controls versus strategic controls.
Recent Regulatory Guidance
PCAOB top-down approach, with the Control Rationalization response to each step:
1. Identify and evaluate design of company-level controls. Response: pinpoint Company Level Controls that effectively mitigate location/account risks.
2. Identify significant accounts and disclosures. Response: consider qualitative risk factors (e.g., susceptibility of loss due to errors or fraud), not just quantitative significance.
3. Identify relevant assertions for each significant account. Response: direct level of effort based on risks related to relevant assertions.
4. Link significant accounts to significant processes and major classes of transactions. Response: risk-rate major classes of transactions to appropriately focus efforts.
5. Identify the points at which errors or fraud could occur in the process. Response: confirm that relevant financial reporting risks (including fraud and GCCs) are identified, and risk-rate control objectives.
6. Identify controls to test that prevent or detect errors or fraud on a timely basis. Response: rationalize controls and develop appropriate test plans.
7. Clearly link individual controls with the significant accounts and assertions to which they relate. Response: verify that the design of ICFR addresses relevant risks.
Company-Level Controls (“CLCs”)
What are Company-Level Controls (CLCs)?
Controls that have a pervasive impact on financial reporting either because they 1) are a component of the organization’s overall governance practices; or 2) address specific control objectives/risks within the organization’s business processes.
Why do we care about CLCs?
– Pervasive impact on transactional processing
– Critical to operational performance
– Often performed by senior management and/or specialized staff (e.g., the Accounting department)
– More efficient to test
• Lower frequency of operation
• Often centralized
Why can’t we rely only on CLCs, and eliminate all the other controls?
– Detective in nature
– Almost always manual
– PCAOB expressly states that testing CLCs alone is not sufficient to support an opinion on ICFR (AS2, paragraph 54)
Polling Question: How would you describe the relationship and correlation of business process and IT controls in your organization?
1. Not integrated / operating in silos
2. Somewhat integrated
3. Highly integrated
4. Don’t Know / No Answer
Responses as charted (options 1 to 4): 16%, 63%, 11%, 11%
Under Pressure: General Computer Control Challenges
• Chief Information Officers, IT Compliance Directors and IT Audit Directors often find that IT-related Sarbanes-Oxley costs exceed expectations
• Unfortunately, despite continued good-faith efforts in Year 2, early evidence from 2005 proxy statements suggests that companies continue to identify weaknesses in controls related to IT
– In effect, many efforts are not working to build a sustainable compliance program regarding general computer controls
• And yet, there’s a continued focus on containing IT costs associated with Sarbanes-Oxley
Companies seeking to manage costs without jeopardizing compliance should evaluate Control Rationalization as the likely first step
Under Pressure: What’s the problem with general computer controls?
The following factors appear to remain at play at some companies:
• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary
• Companies are not applying IT control frameworks in a manner that leverages IT-related company level controls
• Companies are still applying a short-term mindset versus a long-term strategy to address flaws in control design and to drive continuous improvement
• Where cost savings were realized in Year 2, companies are failing to reinvest some of those savings in higher-risk areas
Challenges and Opportunities
Guiding Principles
• Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.
• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.
• Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations.
• Control rationalization can result in immediate benefits; however more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.
Solution
Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges
Definition - Control Rationalization
Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.
Key Principles: Rationalizing General Computer Controls
• Although a direct linkage to a company’s overall risk assessment may in many cases not be possible, risk-rate GCC categories and control objectives in a manner that gives greater consideration to those areas or control objectives that more directly promote the reliability and integrity of financial-related processing, and segregation of duties
• Apply a risk-rating approach to GCC categories and control objectives to promote appropriate deployment of compliance efforts
• Where GCCs are considered reliable, place higher reliance on IT-related company level controls (e.g., setting of consistent policy and procedures for GCC areas, effective monitoring), particularly for lower-risk areas
• Take advantage of opportunities to remove secondary or redundant controls from testing if an effective higher-level control can be identified
• Consider testing GCC processes before performing detailed tests related to IT configurations for lower-risk areas
• Be sure to prioritize controls addressing multiple risks
General Computer Control Rationalization: Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls
1. Perform IT risk assessment (identify relevant applications, platforms). Criterion: relevance to financial reporting objectives and risk-rating of associated major classes of transactions. Out of scope: non-relevant IT applications and platforms.
2. Evaluate GCC areas and confirm relevance and risk-rating of GCC control objectives. Out of scope: non-relevant control objectives.
3. Evaluate GCCs for effective and efficient testing*. Out of scope: unnecessary controls removed from testing scope.
4. Develop risk-based testing approach for GCCs. Result: a re-designed testing approach that is lean and balanced.
*Efficiency evaluation criteria:
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test the process for granting access before password settings)
• Prioritize controls addressing multiple risks
Re-designed testing approach by risk-rating category:
Risk-Rating Category | Testing Owner | Timing | Evidence | Sample Size
Low | Management | Test 1/3 of processes each year (rotation) | Management self-assessments | Reduced sample sizes
Medium | No change | No change | No change | Reduced sample sizes
High | SOX PMO and Internal Audit | No change | No change | Increased sample sizes
Control Risk-Rating
What is a Risk-Rating?
• A risk-rating process evaluates the risk of a material control weakness based on the magnitude and likelihood of misstatement (inherent risk)
• Risk-rating impacts:
– Identification of significant accounts and processes
– Nature, timing and extent of control testing
– Reliance by external auditor on management’s work
• Sample risk-rating classification:
– High
– Medium
– Low
– Remote (typically scoped out of testing)
• Risk-rating is typically applied at the control activity or control objective level, although it can also be applied at the account, process and transaction levels
Rationalize controls and redesign test plans
1. Identify and risk-rate Control Objectives (COs), using the outputs of Phase 1: significant accounts, relevant assertions, major classes of transactions.
2. Rationalize controls and redesign test plans:
• Identify PLCs that fully address multiple COs; consider removing redundant PLCs from testing scope. Note: in some cases two controls, which by themselves only partially meet the control objective, can in combination fully meet the objective.
• Identify PLCs that fully address single COs; consider removing ineffective PLCs from testing scope. Note: in high-risk areas, consider retaining redundant controls.
• Within these PLCs, prioritize automated controls; consider removing redundant manual PLCs based on risk-rating.
• Leverage process-specific CLCs; consider removing related PLCs from testing scope. Note: CLCs often do not have sufficient precision. If so, consider enhancing CLCs.
The output is the set of controls to be tested (PLCs, CLCs, automated, manual); everything else is out of scope.
3. Develop risk-based testing approach. Management’s testing approach (example), by classification of risk:
Classification of risk | High | Medium | Low
Nature | Testing of both PLCs and process-specific CLCs | Increased testing of process-specific CLCs and reduced testing of PLCs | Primary focus on testing CLCs; minimized testing of PLCs
Timing | Test closer to year end with roll-forward testing (as necessary) | Any time with basic roll-forward testing (as necessary); consider benchmarking automated application controls | Any time; minimize roll-forward testing (as necessary); consider benchmarking automated application controls
Extent | Greater number of sample selections | Medium number of sample selections | Lower number of sample selections
Performed by | Competent and objective resources (e.g., internal audit) with focused oversight | Competent and objective resources (e.g., self-assessment) with high-level oversight | Competent and objective resources (e.g., self-assessment) with high-level oversight
Auditor impact | May place limited or no reliance on management’s testing | May rely on a certain amount of management’s testing (if objective & competent) | May place significant reliance on management’s testing (if objective & competent)
Risk Based Approach for GCCs: Risk rate GCC areas
The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.”
General Computer Control Category | Risk Evaluation Considerations (examples of qualitative factors) | Risk Ranking | Example Procedures
Application System Development & Maintenance | High volume of changes; application dependencies | H | Test all three levels
Information Security | High employee turnover; complex architecture | H | Test all three levels
Information Systems Operations | Mature monitoring processes; automated tools | M | Test predominantly IT company level and process level controls
Systems Software Support | Homogeneous environment; automated tools | L | Test predominantly IT company level controls
Illustrative purposes only. NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.
Risk Based Approach for GCCs: Rationalize controls
After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.
Control Objective #1 – Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management’s intentions.
CL01 The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5)
CL02 An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1)
CL03 A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4)
CL04 The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)
PL01 Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1)
PL02 A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8)
Rationalization decisions for this objective:
• The organization’s SDLC has not changed in the fiscal year; accordingly, the SDLC methodology control will not be evaluated.
• Two of the controls are redundant in nature; accordingly, only one of them will be evaluated.
• One control activity is redundant since test results are approved by users at a later point in the SDLC process; accordingly, it will not be evaluated.
For this example, three of the six controls will be assessed, which represents a 50% reduction in testing.
Risk rate control objectives for applicable assertions
The approach
a) Understand the flow of transactions. Identify the points within the process where risks of financial misstatement could occur.
b) List control objectives based on the relevant assertions identified in Phase 1, step 3.
c) Risk rate (using magnitude and likelihood of potential error) the individual control objectives within the major classes of transactions (MCOT). COs related to low-risk-rated MCOTs can be classified as low. COs related to high-risk MCOTs are more likely to be rated high. However, MCOTs with a high risk rating may have individual COs that are risk-rated M or L.
Extending the risk assessment to the control objectives provides the foundation for varying the nature, timing and extent of control testing.
Example control objectives (revenue cycle):
Managing and Processing Orders
CO01 Only valid orders are input and processed.
CO02 Orders are only processed within approved customer credit limits.
CO03 Orders are approved by management as to prices and terms of sale.
CO04 All orders received from customers are input and processed.
CO05 Orders and cancellations of orders are input accurately.
CO06 Order entry data is transferred completely and accurately to the shipping and invoicing activities.
Shipping, Invoicing, and Sales Returns
CO07 Invoices relate to valid shipments.
CO08 All goods shipped are invoiced.
CO09 Invoices are generated using authorized terms and prices.
CO10 All invoices issued are recorded.
CO11 Invoices are accurately calculated and recorded.
CO12 Invoices are recorded in the appropriate period.
CO13 All credit notes relate to a return of goods or other valid adjustments.
CO14 All credit notes issued are recorded.
CO15 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
CO16 Credit notes issued are recorded in the appropriate period.
Processing Cash Receipts
CO17 Cash receipts data is valid and is entered for processing only once.
CO18 All cash receipts data is entered for processing.
CO19 Cash receipts data is entered for processing accurately.
CO20 Cash receipts are recorded in the period in which they are received.
Maintaining Customer Masterfile
Figure: Control Objective Assessment Grid; control objectives (numbered 1 to 24) are plotted by magnitude of potential error (vertical axis, low to high) against likelihood of potential error (horizontal axis, low to high).
Why risk rate Control Objectives (COs)?
• Provides the foundation for the risk-based test plan and control rationalization efforts
• Assists in prioritizing remediation efforts, and makes the concluding process more efficient
• Assists in confirming the risk rating of the major classes of transactions and subsequent work planning efforts
Example Risk-Ranked Heat Map
Risk Num | Sub-Cycle | Risk | Risk Rank (H=High, L=Low, R=Remote) | Rationale
7.5.1.1 | Disbursements | Unauthorized disbursements are made and/or disbursements are not properly recorded. | H | High fraud potential; additionally, as the last step in the Expenditures cycle, there are no additional downstream controls which could mitigate the risk.
7.3.1.1 | Receive goods and services | Goods and services received are not recorded in the system accurately and/or timely, misstating liabilities. | H | Potential cut-off issue for recording cost of sales and expense, and for placing capital expenditures in service in the appropriate period.
7.4.5.1 | Process invoices | Unauthorized individuals have access to make purchases with P-Card. | H | Anyone with access to a P-Card can make a purchase, no prior approval required. Note: there are 2,223 cards issued.
7.1.1.1 | Approve new vendors | Unauthorized or fictitious vendors are listed in the master file and have the ability to be paid. | L | An unauthorized vendor cannot result in a fraudulent payment to that vendor without at least two persons’ involvement (collusion), due to SOD controls in place and monitored.
7.4.4.1 | Process invoices | The FSC processes unapproved P.O. invoices. | R | The risk would require collusion. The PeopleSoft system enforces a 3-way match using purchase order, inventory receiver and invoice; system security separates these responsibilities, and the system will not allow 2-way match or “no match” for PO invoice vouchering.
7.2.1.1 | Order goods and services | Unauthorized PO purchases can be made. | R | Downstream PO authorization controls at invoice vouchering and disbursement prevent significant errors to the applicable account balances (Expense & A/P).
Exercise: Risk-rate the control risks below
Financial Reporting: General Computer Controls
Control: Access to test and production environments is appropriately restricted and segregated
Risk Factor (inherent risk) | Rating | Rationale (example)
Susceptibility of loss or misstatement due to fraud | |
Account and reporting complexities | |
Subjectivity of account affected by process | |
Frequency of transactions processed through the account or process | |
Volatility of transactions (unpredictability, instability) | |
Nature of the process (automated vs. manual) | |
Changes from the prior period in process or supporting technology characteristics | |
Final Rating | |
Polling Question: How many controls (business process and IT) does your organization have in place that are considered for testing?
1. Over 1,000
2. 750 – 999
3. 500 – 749
4. 250 – 499
5. Under 249
6. Don’t Know / No Answer
Responses as charted (options 1 to 6): 12%, 13%, 10%, 21%, 6%, 38%
Polling Question: Do you feel your organization has duplicative, or non-unique, controls?
1. Yes
2. No
3. Don’t Know / No Answer
Responses as charted (options 1 to 3): 63%, 30%, 7%
Standardizing Control Design – Best Practices
• Develop a standard set of risks to evaluate across LOBs
– Align to assertions
• Tailor standard risk set to the LOB
– include specific risks and omit irrelevant risks
– include rationale for additions and omissions
• Develop model control activities to link to each standard risk
– provides a consistent starting point for control documentation
– generic in nature; must be tailored to the LOB
• Document control points in high-level process flows
– identify areas where controls should be strengthened
– improves method for selecting key controls
Risk-Based Testing
Implementing a risk-based test plan
Once management has designed appropriate controls to address financial reporting risks, it has the additional opportunity to reduce costs by designing risk-based test plans. Risk-based test plans vary the nature, extent and timing of testing based on risk.
Management’s testing approach (example), by classification of risk:
Classification of risk | High | Medium | Low
Nature | Testing of both PLCs and process-specific CLCs | Increased testing of process-specific CLCs and reduced testing of PLCs | Primary focus on testing CLCs; minimized testing of PLCs
Evidence | Re-performance; extensive inquiry; expanded scope of testing | Inquiry with documentation; some re-performance | Inquiry with observation
Timing | Test closer to year-end with roll-forward testing (as necessary) | Any time with basic roll-forward testing; consider benchmarking application controls | Any time; minimize roll-forward testing; consider benchmarking application controls
Extent | Greater number of sample selections | Medium number of sample selections | Minimum number of sample selections
Performed by | Competent and objective resources (e.g., internal audit) with focused oversight (deploy best resources to riskier areas) | Competent and objective resources (e.g., self-assessment) with high-level oversight | Competent and objective resources (e.g., self-assessment) with high-level oversight
Auditor impact | May place limited or no reliance on management’s testing | May rely on a certain amount of management’s testing (if objective & competent) | May place significant reliance on management’s testing (if objective & competent)
Cost Analysis
Testing: Cost Analysis*
Based on the changes to testing effort that the risk-ratings drive, an organization can assess the impact on management’s testing resources. A standard framework can be used to measure resource requirements for the risk-based testing program and to compare them with current testing costs.
Risk-Rating Category | High | Medium | Low | Risk-Based Approach (total) | Original Approach | Impact (Savings)
Number of Control Activities | 800 | 500 | 400 | 1,700 | 1,700 |
Avg Hrs/Control | 10 hrs | 6 hrs | 3 hrs | 7 hrs | 9 hrs |
Total time spent | 8,000 hrs | 3,000 hrs | 1,200 hrs | 12,200 hrs | 15,300 hrs | (20%)
*Note: the example above is included solely for illustrative purposes and does not imply in any way that these or any other savings are likely or possible. The framework relates only to management’s testing, not auditor testing.
Working with your External Auditors
Develop rapport with external auditors on concepts that lead to more efficient and effective compliance. Concepts include:
• Role that likelihood of errors and error magnitude should play in scoping decisions for SOX framework testing.
• Scoping of compliance testing should be risk-based.
External Auditor’s Control Rationalization Considerations
• Auditor’s use of management’s work:
– Depends on the nature of the control
– Depends on the objectivity and competence of the person who tested it
• Focus on the risk associated with a particular control or area
• Overriding consideration is obtaining principal evidence
• Self-assessment “trade-off”: the auditor may need to do more testing to gain assurance
Leveraging CLCs & Automation
How Can CLCs Be Applied to CR?
What are Company Level Controls (CLCs)?
The PCAOB describes company-level controls as those that are associated with the control environment, centralized processing, period-end financial reporting, monitoring results of operations, etc. As such, they may reside at the entity level and at the process level.
In the Control Rationalization approach, CLCs that are effective in achieving process-level control objectives are referred to as process-specific CLCs. These process-specific CLCs may be leveraged to further rationalize the control framework.
To be effective in addressing process-level control objectives, process-specific CLCs possess the following characteristics:
• Relevance: addresses process-level risk
• Frequency: operates with enough regularity to enable timely detection of errors or fraud
• Precision: operates at a sufficiently precise level of detail to adequately address the risk of misstatement (e.g., precise enough to detect at least “greater than inconsequential” errors in financial reporting; a detective control designed only to detect a “material misstatement” is not precise enough to reduce the likelihood of material misstatement to remote)
Note: the effectiveness of system-dependent CLCs relies on an underlying set of strong general computer controls (GCCs) and application controls.
Leveraging CLCs
Identify the Process Level Control Activities that are adequately covered by the CLCs. Assuming that the CLCs satisfy the criteria of precision, specificity, frequency, etc., they can be used to reduce the extent of reliance placed on related PLCs. The CLCs that address control objectives with a high degree of precision can be used to reduce or eliminate related PLCs from the scope of management’s internal control assessment.
Company level controls: Perform Business Performance Review
1 EL01 - Actual orders are compared to a predictive model by, for example, seasonality, product line, customer, and region (RE826).
2 EL02 - Sales are compared to forecast and for pricing against orders by, for example, seasonality, product line, customer, and region (RE826).
3 EL03 - Activity, including sell-through and returns, is tracked by customer (by retail outlet) and flagged if outside expected ranges (RE509/612).
4 EL04 - A review of the aging analysis of all customer accounts (and by segmentation) is performed (RE614).
Possible process level controls covered by these CLCs
1 PL03 - Invoices are approved based on comparison to priced order and shipping source documents (RE834).
2 PL05 - Customers enter and/or cancel orders automatically using EDI protocols (RE807).
3 PL12 - Signed delivery notes are received for all shipments made. The sequence of signed delivery notes is accounted for (IM201).
4 PL16 - Order cancellation data is matched to the original order (RE825)(RE801).
5 PL18 - List prices of composed products are automatically calculated based on the list prices of the components of such products (IM256).
6 PL20 - Invoice and credit note data is edited and validated; identified errors are corrected promptly (RE202).
Leveraging CLCs
How Can Automation be Applied to CR?
Companies should consider enabling functionality in existing IT applications and/or implementing new technology to minimize reliance on people-based controls (requires a strong general computer controls foundation).

Impact on control testing: automated controls are
• More reliable
• Can potentially decrease cost of testing:
– Extent: Much less extensive; typically require a smaller number of sample items (because the likelihood of an exception is low)
– Timing: 'Benchmark' certain application controls so that testing frequency can be reduced (e.g. every 3rd year)
– Nature: More efficient to conduct testing
• Lower cost to perform the control (compared to manual)

Areas to consider for adding new technology
• Manage segregation of duties conflicts
• User access provisioning
• Transaction-level controls monitoring
• System change management
• Fraud detection programs

[Figure: Automation of controls. Quadrant chart placing people-based detective, people-based preventive, system-based detective and system-based preventive controls against "Desirable" and "Reliable" axes; system-based controls rank above people-based controls on reliability.]
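The first automation area listed above, segregation of duties, is the one most often turned from a people-based review into a system-based control. The following is an added example, not code from the original deck or from Deloitte: it implements both a system-based detective control (scan an exported user-to-role list for users holding a conflicting pair of roles) and a system-based preventive control (refuse a role grant that would create such a pair). The conflict matrix, role names and user export are all constructed for the example; a real conflict matrix comes from the control owner's policy, and the export must come from the system of record, which is where the "strong general computer controls foundation" caveat bites.

```python
"""Added example: segregation-of-duties (SoD) as a system-based control.

Detective form: find_sod_conflicts() reports every user who already holds a
pair of roles the policy says must be separated.
Preventive form: would_conflict() is called before a grant and returns the
roles that make the requested grant unacceptable.
All data below (roles, users, conflict pairs) is constructed for illustration.
"""
from itertools import combinations

# Constructed SoD conflict matrix: each frozenset is a pair of roles that no
# single person may hold. Sourced from policy in a real deployment.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_order", "approve_credit"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Constructed user -> roles export (hypothetical users and assignments).
USER_ROLES = {
    "alice": {"create_vendor", "approve_payment"},                  # one conflict
    "bob": {"enter_order"},                                         # clean
    "carol": {"enter_order", "approve_credit", "post_journal"},     # one conflict
    "dave": {"post_journal", "approve_journal", "create_vendor"},   # one conflict
}


def find_sod_conflicts(user_roles, conflicts=SOD_CONFLICTS):
    """Detective control: return {user: [(role_a, role_b), ...]} for every
    user whose current roles contain at least one conflicting pair.
    Pairs are emitted in sorted order so the output is stable for review."""
    findings = {}
    for user, roles in user_roles.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(roles), 2)
            if frozenset({a, b}) in conflicts
        ]
        if hits:
            findings[user] = sorted(hits)
    return findings


def would_conflict(existing_roles, new_role, conflicts=SOD_CONFLICTS):
    """Preventive control: roles already held that conflict with new_role.
    An empty list means the grant may proceed; a non-empty list is the
    reason the provisioning workflow should reject it."""
    return sorted(r for r in existing_roles if frozenset({r, new_role}) in conflicts)


if __name__ == "__main__":
    # Periodic detective run over the export.
    for user, pairs in find_sod_conflicts(USER_ROLES).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both '{a}' and '{b}'")
    # Provisioning-time preventive check for a hypothetical request.
    blockers = would_conflict(USER_ROLES["bob"], "approve_credit")
    if blockers:
        print(f"Grant of 'approve_credit' to bob rejected; conflicts with {blockers}")
```

Used as a detective control, the scan runs on a schedule over the full export and its output is the evidence the auditor samples; used as a preventive control, `would_conflict()` sits in the provisioning path and no violation can be created in the first place, which is why the preventive, system-based quadrant of the chart is the one to aim for.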
Roadmap
Example Roadmap
Control Rationalization Workshop → CR Pilot → Top-Down Scoping → Control Rationalization (Line of Business/Cycle 1, then Line of Business/Cycle 2)

CR Pilot
• Pilot effort for a single business area
• Benchmarking of key controls, recommendations to streamline
• Perform management testing to validate operating effectiveness

Top-Down Scoping
• Top-down scoping across divisions, geographies, offices, etc.
• Prioritize major areas for rationalization based on risk and savings opportunities
Topics covered: Control Rationalization Overview; Control Risk-Rating; Company Level Controls; Risk-Based Testing; Cost Analysis; Control Automation Roadmap

Outcomes
• Understand Control Rationalization concepts
• How to apply to Superior
• Process to apply
• Examples of applying risk-rating
• How to identify and use CLCs
• Understand benefits of leveraging automation
• Next steps to apply Control Rationalization to Superior's control program

Activities
• Define updated approach
• Discuss impact to Superior
• Discuss approach
• Risk-rate control objectives
• Define CLCs, BMCs and process-specific CLCs
• Identify CLCs that are relevant to Superior
• Define approach
• Discuss process and impact to Superior
• Determine impact on risk-rated controls
• Impact on test approach based on risk-rating
• Examples of applying to Superior controls
• Modeling approach to cost savings
• Define cost analysis approach
• Review modeling of cost savings
• Discuss short and long term impact
• Define roadmap approach
• Discuss next steps
• Wrap up
Wrap-Up
• What we covered today:
– Control Rationalization concepts
– Applying a risk-based approach
– Risk-based testing
– Leveraging CLCs and automation
– Cost analysis model
– High-level roadmap
• Closing Remarks
Presenters
Rex Johnson, CISA, PMP
Senior Manager, Deloitte & Touche LLP
Audit & Enterprise Risk Services
816.802.7733
Devin Amato, CISA, CIA
Manager, Deloitte & Touche LLP
Audit & Enterprise Risk Services
816.802.7255
About Deloitte
Deloitte, one of the nation's leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. "Deloitte" refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte's Web site at www.deloitte.com/us.

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.