Nature Coast Florida Government Finance Officers Association | October 16, 2013

Precise. Experienced. Assurance.

Information Technology (IT) & The Updated COSO Framework

Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant
Ocala, FL


Disclaimer

The views expressed by the presenters do not necessarily represent the views, positions, or opinions of the presenter’s respective organizations or any associated organizations cited.

These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client or attorney-client relationship.

COSO Considerations

• Changed from implicitly to explicitly recognizing technology's role in internal control, due to greater use of and dependence (reliance) on technology
  – Use of technology continues to grow
  – Extent of technology used in organizations continues to increase and evolve
• Recognizes that management judgment (decisions) may be based on the use of and dependence on technology
• Outsourcing continues to grow
  – Business processes (payroll, payables, pension and benefit management, investment management)
  – Technology activities supporting the business processes
    • Procure, manage, and maintain previously internally managed technology systems

COSO's Definition of "Technology"

• May be referred to as:
  – Management Information Systems (MIS)
  – Information Technology (IT)
  – Various other terms
• Technology is the use of a combination of automated and manual processes, computer hardware and software, methodologies, and processes.
  – A very generic definition, because technology continually evolves (e.g. cloud computing and social media)

COSO's Definition of "Technology"

• Technology environments vary in size, complexity, and extent of integration.
  – Large, centralized, and integrated systems
  – Small, decentralized, and independent systems
• May involve real-time processing environments that enable immediate access to information, including mobile computer applications that can cut across many systems, organizations, and geographies.


COSO’s Definition of “Technology”

• Technology enables organizations to process high volumes of transactions, transform data into information to support sound decision making, share information efficiently across the entity and with business partners, and secure confidential information from inappropriate use.

• In addition, technology can allow an entity to share operational and performance data with the public.

COSO's Definition of "Technology"

• Technology innovation creates both opportunities and risks.
  – Opportunities:
    • Enable the development of new business markets and models
    • Generate efficiencies through automation
    • Enable entities to do things that were previously hard to imagine
  – Risks:
    • Increased complexity, which makes identifying and managing risks more difficult

Risk | Complexity of IT Security

[Slide diagram: concentric layers of IT security around "Data & Business Processes"]

Like ogres and onions, IT security has layers.

IT security also involves people (employees); therefore, training is critical.

IT Security Protects the Data and Business Processes

[Slide diagram: "Data & Business Processes" at the center of the security layers]

Controls should be in place to protect the data and business processes.
• Data is an organizational asset
• Value of data
  – May not be readily ascertainable
  – Not recorded on the books
  – Varies depending on perspective
    • Your organization
    • Other organizations
    • Employees
    • External individuals
    • Vendors
• Your garbage is another individual's or organization's treasure!!!!

[Slides 10 and 11: image-only slides. Source: AICPA Information Management and Technology Assurance (IMTA) Section. IT Audits and What to Pay Attention To. The CITP Body of Knowledge Series Webcast. 2013]

Risk | IT Complexity

• The nature and extent of IT risks are dependent on the level of "complexity".
  – Generally, as complexity increases, the type and number of potential IT risks increase.
  – The manner in which IT is used in conducting business also has a direct relationship with the potential IT risks.
  – Significant changes made to existing systems, or implementation of a new system, increase the potential IT risks.
  – Shared data between systems increases the potential IT risks.
  – Usage of emerging technologies (cloud computing, mobile - BYOD) increases the potential IT risks.
  – Availability of evidence only in electronic formats increases the potential IT risks.
    • Including reports

Source: AICPA IT Audit Training School

Risks | IT Risk Factors for Internal Control Include

• Reliance on systems or programs that are processing data inaccurately, processing inaccurate data, or both
• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data or inability to access data as required

Source: AICPA IT Audit Training School

Applications | Purchased Systems

• Commercial Off The Shelf (COTS) and/or configurable systems
  – Advantages
    • Generally cheaper for general business use applications
    • On-going support and maintenance
  – Disadvantages
    • Some limitations related to customizations
    • Vendor dependence
• Example: QuickBooks

Source: AICPA IT Audit Training School

Applications | Configurable Packages

• Configurable "mid-tier" system
  – Not as expensive as an ERP system or custom developed application
  – Found in small, mid-size or large organizations
  – Increased capabilities when compared to Commercial Off the Shelf (purchased) systems:
    • Configuration changes
    • Customizations
• Examples: Microsoft Dynamics (Great Plains/Solomon), MAS/90, Navision, Munis, Eden, etc.
• Most prevalent

Source: AICPA IT Audit Training School

Applications | Enterprise Resource Planning (ERP) System

• Integrates all facets of financial processing with operations, marketing, HR
• Requires specialized knowledge to set up (usually with the vendor and outside consultants)
• Generally found in large organizations
• Very expensive to purchase and maintain
• Very complex security
• Examples: SAP, JD Edwards, PeopleSoft, Oracle Financials, Lawson, etc.

Source: AICPA IT Audit Training School

Applications | Custom Developed

• Custom Developed Application: applications that are designed and developed in-house to meet a specific business need for internal use (not resale)
• Advantages
  – Customized to meet a specific business need
  – Independence from vendors
• Disadvantages
  – No outside vendor support; all support by on-staff personnel (higher costs)
  – Often longer deployment times and fewer controls
• Less prevalent, and becoming more so each day

Source: AICPA IT Audit Training School

Applications | Outsourced

• Organization contracts with a third-party service organization for one or all of the following activities:
  – Development of application and underlying technology
  – Hosting of application, data, and underlying technology
  – Maintenance of application and underlying technology
  – All or part of one or more business processes (e.g. payroll) and related internal controls

Source: AICPA IT Audit Training School

Applications | Outsourced

• Advantages
  – Customized and configurable to meet a specific business need
  – Can obtain access to ERP systems at lower costs
    • May not need to purchase any servers
    • May not need to hire new IT personnel, and may be able to reallocate IT personnel or positions
  – Dependence on vendor rather than employees
    • The IT third-party service organization is able to replace employees more easily than the outsourcing organization

Source: AICPA IT Audit Training School

Applications | Outsourced

• Disadvantages
  – Dependence on vendor
    • Requires increased effort to manage vendors and service level agreements (SLAs)
      – Service Organization Control (SOC) Reports: see the AICPA website, www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
    • Poor end user experience due to performance bottlenecks
      – Poor customer experiences could be perceived as organization weaknesses rather than vendor weaknesses
  – More limited control over application, data, and underlying technology
• Examples: Xero

Source: AICPA IT Audit Training School

Control Environment

• Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  – Executive management and the board should have an understanding of relevant systems and technology (or appropriate skills and expertise) needed to evaluate the organization's approach to managing new technology innovations, critical systems, and the opportunities and risks associated with those challenges.
    • IT Governance Committee
    • IT Steering Committees
    • User Groups

Control Environment

• Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  – Technology is leveraged as appropriate to facilitate the definition and limitation of roles and responsibilities within the workflow of business.
  – Management is supported by requisite processes and technology to provide for clear accountability and information flows within and across the overall entity and its subunits.

Control Environment

• Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  – The organization should ensure that it has appropriately skilled personnel with knowledge of the operation of the technology platforms underpinning the business processes.

Control Environment

• Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  – Accountability is driven by tone at the top and supported by the commitment to integrity and ethical values, competence, structure, processes, and technology, which collectively influence the control culture of the organization.

Risk Assessment

• Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• Entity-level risks
  – Technological: developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services
  – Internal factors
    • Technology: a disruption in information systems processing that can adversely affect the entity's operations

Risk Assessment

• Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  – As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
    • Nature of technology and management's ability to manipulate information
  – Opportunities (and thereby fraud risks) may increase as a result of:
    • Turnover in technology staff
    • Ineffective technology systems

Risk Assessment

• Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
  – New technology: when new technology is incorporated into production, service delivery processes, or supporting information systems, internal controls will likely need to be modified.

Control Activities

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Principle 10: Selects and Develops Control Activities

• When determining what actions to put in place to mitigate risk, management considers all aspects of the entity's internal control components and the relevant business processes, information technology, and locations where control activities are needed.
• Restricted access is especially important where technology is integral to an organization's processes or business.
  – Configuring the security in applications to address restricted access can become very complex and requires technical knowledge and a structured approach.
  – Discussed in more detail under the Security Management Processes section of Principle 11.

Principle 10: Selects and Develops Control Activities

• Control activities and technology relate to each other:
  – Technology supports business processes
    • When technology is embedded into the entity's business processes, such as robotic automation in a manufacturing plant, control activities are needed to mitigate the risk that the technology itself will not continue to operate properly to support the achievement of the organization's objectives.
  – Technology is used to automate control activities
    • Many control activities in an entity are partially or wholly automated using technology.

Technology Supports Business Processes: Internal Control Over Financial Reporting (ICFR)

[Slide diagram, reconstructed as a layered outline; each layer rests on the one below it]

Significant accounts in the financial statements: Balance Sheet | Income Statement | Cash Flows | Notes | Other Disclosures
Significant classes of transactions / business processes: Process A | Process B | Process C | Process D | Process E
Significant financial applications: Application A | Application B | Application C
Significant IT infrastructure services: Database | Operating System | Network / Physical

IT General Controls:
• Program Development
• Program Changes
• Program Operations
• Access Controls
• Control Environment

Key Application and IT-Dependent Manual Controls:
• Assertions: Accuracy, Completeness
• Objectives: Authorization, Segregation of Duties

Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

Technology Used to Automate Control Activities: Manual vs. Automated Controls

• Manual control
  – A control performed manually (not through technology)
• Automated controls: control activities mostly or wholly performed through technology (e.g., automated control functions programmed into computer software)
  – Application control
    • A control that occurs automatically, usually through computer systems, based on predefined criteria, circumstances, times, dates, or events.
  – IT-dependent manual control (hybrid control)
    • Manual controls that are dependent on an automated process having taken place.

Application Controls

Type
• Edit checks
• Validations
• Calculations
• Interfaces
• Authorizations

Character
• Embedded
• Configurable

Technology Used to Automate Control Activities: Examples of Application Controls

• Computer generated batch control total comparison
• Edit and validation checks on information entered into input fields
• Master file data look-ups of information entered into input fields
• Numeric range controls for data entered into input fields
• Data matching
• Error checking programs
• Computations
• Forwarding a transaction to the appropriate person for electronic authorization (using logical segregation of duties)

Examples of Application Controls: Purchasing and Accounts Payable Business Process

• Initiate/Authorize (Input)
  – Application will only accept purchase orders entered for vendors on an approved vendor list (i.e. vendors in the vendor master file).
  – Access to add or modify vendors or vendor information in the vendor master file (database), through the purchasing module of the financial application, is restricted to purchasing department personnel.
• Process
  – Application matches the purchase order, receiving report and vendor invoice before payment can be made (three-way match).
  – Application automatically selects items for payment based on the due date of the vendor invoice.
• Record (Output)
  – Application automatically posts the payment to the G/L.

Example of an IT-Dependent Manual Control: Purchasing and Accounts Payable Business Process

• Detection: the computer detects a discrepancy between a PO, receiving report and vendor invoice. (automated control)
• Investigation/Correction: a clerk reviews and follows up until the discrepancy is resolved. (manual control)
• Resubmission: the clerk resubmits the reconciled invoice for payment. (manual process)
• NOTE: Test both the automated and the manual controls.
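The purchasing and accounts payable controls listed on slides 34 through 36 (vendor master look-up, numeric range edit check, three-way match, automatic payment selection, automatic G/L posting, and the exception routed to a clerk) are easier to test once they are written down as code. The following is an added example and is not part of the presentation or of any financial application; the vendor ids, PO numbers, amounts, dates and function names are all constructed for illustration.

```python
"""Added example, not part of the presentation: the purchasing / accounts
payable application controls described on slides 34-36, written as plain
Python. Vendor ids, PO numbers, amounts and dates are constructed sample
data; the function names are this example's own, not any vendor's API.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    amount: Decimal


@dataclass
class ReceivingReport:
    po_number: str
    amount: Decimal


@dataclass
class VendorInvoice:
    po_number: str
    vendor_id: str
    amount: Decimal
    due_date: date


# Vendor master file (constructed). Only purchasing staff may change it;
# the AP input control below only reads it.
VENDOR_MASTER = {"V100": "Acme Office Supply", "V200": "Gulf Coast Fuel"}

# Numeric range control on the PO amount (constructed threshold).
MAX_PO_AMOUNT = Decimal("1000000.00")


def accept_purchase_order(po, vendor_master=VENDOR_MASTER):
    """Input control: master-file look-up plus numeric range edit check.
    Returns (accepted, reason)."""
    if po.vendor_id not in vendor_master:
        return False, "vendor not on approved vendor list"
    if not Decimal("0") < po.amount <= MAX_PO_AMOUNT:
        return False, "amount outside permitted range"
    return True, "accepted"


def three_way_match(po, receipt, invoice):
    """Processing control: PO, receiving report and vendor invoice must agree
    before payment can be made. Returns (matched, discrepancies)."""
    issues = []
    if not (po.po_number == receipt.po_number == invoice.po_number):
        issues.append("PO numbers differ")
    if po.vendor_id != invoice.vendor_id:
        issues.append("invoice vendor differs from PO vendor")
    if receipt.amount != po.amount:
        issues.append("received amount differs from PO")
    if invoice.amount != receipt.amount:
        issues.append("invoiced amount differs from receipt")
    return not issues, issues


def select_for_payment(invoices, run_date):
    """Processing control: pick invoices whose due date has arrived."""
    return sorted((i for i in invoices if i.due_date <= run_date),
                  key=lambda i: i.due_date)


def process_invoice(po, receipt, invoice, ledger, exception_queue):
    """Automated detection (slide 36): a matched invoice posts to the G/L
    automatically; a discrepancy is routed to a clerk's exception queue,
    where the manual investigation and resubmission controls take over."""
    matched, issues = three_way_match(po, receipt, invoice)
    if matched:
        ledger.append({"po": po.po_number, "amount": str(invoice.amount)})
        return "posted"
    exception_queue.append({"po": po.po_number, "issues": issues})
    return "exception"


# Constructed sample documents for one purchase.
SAMPLE_PO = PurchaseOrder("PO-1001", "V100", Decimal("500.00"))
SAMPLE_RECEIPT = ReceivingReport("PO-1001", Decimal("500.00"))
SAMPLE_INVOICE = VendorInvoice("PO-1001", "V100", Decimal("500.00"), date(2013, 10, 1))
OVERBILLED_INVOICE = VendorInvoice("PO-1001", "V100", Decimal("550.00"), date(2013, 10, 1))
UNAPPROVED_PO = PurchaseOrder("PO-1002", "V999", Decimal("120.00"))


def run_demo():
    """Push the sample documents through the controls; returns a summary."""
    ledger, exceptions = [], []
    return {
        "good_po": accept_purchase_order(SAMPLE_PO),
        "unapproved_po": accept_purchase_order(UNAPPROVED_PO),
        "good_invoice": process_invoice(SAMPLE_PO, SAMPLE_RECEIPT, SAMPLE_INVOICE, ledger, exceptions),
        "overbilled_invoice": process_invoice(SAMPLE_PO, SAMPLE_RECEIPT, OVERBILLED_INVOICE, ledger, exceptions),
        "ledger": ledger,
        "exceptions": exceptions,
        "due_today": [i.po_number for i in select_for_payment([SAMPLE_INVOICE], date(2013, 10, 16))],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the split in `process_invoice` is the slide's own: the automated control only detects and routes; the clerk's review and resubmission remain manual steps, so an auditor tests both the matching logic and the handling of the exception queue.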

Automated Control Implications

• Software is designed to be used by many organizations with different requirements.
• Many features, including controls, are optional or designed with adjustable parameters and thresholds.
• End users may have the ability to change system configuration settings.
• Segregation of duties when software is maintained by the vendor.
  – Program change responsibilities may be shared between vendor and client.

Principle 10: Selects and Develops Control Activities

• Most business processes have a mix of manual and automated controls, depending on the availability of technology in the entity.
• Automated controls tend to be more reliable, since they are less susceptible to human judgment and error, and are typically more efficient.
  – Subject to whether technology general controls (Principle 11) are implemented and operating.
  – The design, implementation, and operating effectiveness of automated controls is dependent on, or directly related to, the design, implementation, and operating effectiveness of technology general controls.

Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10)

[Slide diagram, reconstructed as an outline]

Business process controls (Principle 10):
• Manual Controls
  – (Purely) Manual Controls
  – IT-Dependent Manual Controls
• Automated Controls
  – Application Controls
    1. Embedded
    2. Configurable Controls

Technology General Controls (Principle 11) underlie the IT-dependent manual controls and the application controls.

Technology General Controls vs. Application Controls

• IT General Controls
  – Relate to managing change, logical access and other technology general controls, including IT operations; applied to individual applications and do not operate at the individual transaction level
• Application Controls
  – Apply to each and every transaction
  – Reviewed at a "point in time"
• "Application and IT general controls go hand-in-hand."

[Slide 41 repeats the diagram from slide 39: Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10).]

Control Activities

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. (Technology General Controls)

Principle 11: Technology General Controls

• Determines the dependency between the use of technology in business processes (Principle 10) and technology general controls (Principle 11)
  – Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
    • The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology.

[Slide 44 repeats the diagram from slide 39: Relationship of Technology General Controls (Principle 11) to Business Process Controls (Principle 10).]

Technology Supports Business Processes: Internal Control Over Financial Reporting (ICFR)

[Slide diagram, reconstructed as a layered outline; same stack as slide 31, with the technology general controls named]

Significant accounts in the financial statements: Balance Sheet | Income Statement | Cash Flows | Notes | Other Disclosures
Significant classes of transactions / business processes: Process A | Process B | Process C | Process D | Process E
Significant financial applications: Application A | Application B | Application C
Significant IT infrastructure services: Database | Operating System | Network / Physical

Technology General Controls:
• Technology Infrastructure Control Activities
• Security Management Process Control Activities
• Change Control Activities
• Control Environment

Key Application and IT-Dependent Manual Controls:
• Assertions: Accuracy, Completeness
• Objectives: Authorization, Segregation of Duties

Source: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition

Principle 11: Technology General Controls

• Technology general controls over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented.
• Technology general controls also help information systems continue to function properly after they are implemented.
• Technology general controls apply to all technology
  – IT applications on a mainframe computer
  – Client/server
  – Desktop
  – End-user computing
  – Portable computer
  – Mobile device environments
  – Operational technology
    • Plant control systems or
    • Manufacturing robotics

Principle 11: Technology General Controls

• The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and the risk of the underlying business process being supported. Similar to business transaction controls, technology general controls may include both manual and automated control activities.

Principle 11: Technology General Controls: Technology Infrastructure Control Activities

• Establishes relevant technology infrastructure control activities
  – Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Technology infrastructure includes:
  – Communication networks, to link technologies to each other and across the organization
    • Routers, switches, firewalls, etc.
  – Computing resources for applications to operate
    • Servers, desktops, laptops
  – Electrical power supply

Principle 11: Technology General Controls: Technology Infrastructure Control Activities

• Technology infrastructure
  – Can be complex
  – Shared by different business units in an organization
  – Outsourced to a third-party service organization (including location-independent technology services, i.e. cloud computing)
• Technology changes constantly (3-5 years)
• Technology infrastructure controls
  – Batch (mainframe) / real-time (client/server) process scheduling
  – Problem/incident management
  – Backup and recovery
    • Including disaster recovery plans

Page 50

Principle 11: Technology General Controls
Security Management Process Control Activities

• Establishes Relevant Security Management Process Control Activities
– Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.

• Sub-processes and control activities over who and what has access to the organization’s technology, including who has the ability to execute transactions.
– Protects the organization from inappropriate or unauthorized access/use of systems
– Supports segregation of duties

Page 51

Principle 11: Technology General Controls
Security Management Process Control Activities

• Sub-processes and control activities over who and what has access to the organization’s technology, including who has the ability to execute transactions.
– Prevents unauthorized use of or changes to the system, and protects data and program integrity from malicious intent or simple error arising from:
• Internal threats – former or disgruntled employees motivated to work against the organization, who pose a greater risk because of their access to and knowledge of the organization
• External threats – due to the many potential uses of technology, the many points of entry, and the use of telecommunications networks and the Internet

Page 52

Principle 11: Technology General Controls
Security Management Process Control Activities

• Authentication control activities
– Unique user identifications or tokens are authenticated (checked before access is allowed) against a pre-approved list
– Technology general controls are designed to:
• Allow only authorized users on these pre-approved lists
• Restrict authorized users to the applications or functions commensurate with their job responsibilities and supporting an appropriate segregation of duties
• Control activities are in place to update access when employees change job functions or leave the organization
• A periodic review of access rights against the policy is often used to check if access remains appropriate
• Access to different technologies (which may be integrated/connected) is controlled
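As an added example (not from the presentation), the periodic review of access rights against policy described above, run over constructed sample data: an HR roster, a role-to-entitlement policy standing in for the pre-approved list, and an export of live access. It flags separated employees whose accounts remain enabled, accounts with no roster owner, entitlements beyond the user's job function, and segregation-of-duties conflicts; every user, role and entitlement name is made up.

```python
# Added example: periodic access-rights review against policy (Principle 11).
# All data below is constructed for illustration; none of it comes from the slides.

# Job function -> entitlements the policy pre-approves for that function.
ROLE_POLICY = {
    "ap_clerk":   {"ap.enter_invoice", "vendor.view"},
    "ap_manager": {"ap.approve_payment", "vendor.view", "ap.view_invoice"},
    "it_admin":   {"sys.admin"},
}
# Entitlement pairs that one person must never hold together (segregation of duties).
SOD_CONFLICTS = [("ap.enter_invoice", "ap.approve_payment"),
                 ("vendor.create", "ap.approve_payment")]

# Constructed HR roster: user id -> (job function, still employed?)
HR_ROSTER = {
    "jsmith": ("ap_clerk", True),
    "mlee":   ("ap_manager", True),
    "rgold":  ("ap_clerk", False),   # left the organization; account never disabled
    "tpark":  ("it_admin", True),
}
# Constructed export of live access: user id -> entitlements currently granted.
LIVE_ACCESS = {
    "jsmith":  {"ap.enter_invoice", "vendor.view", "ap.approve_payment"},  # excess + SoD
    "mlee":    {"ap.approve_payment", "vendor.view", "ap.view_invoice"},
    "rgold":   {"ap.enter_invoice", "vendor.view"},                        # orphaned
    "tpark":   {"sys.admin"},
    "svc_old": {"vendor.create"},                                          # not on roster
}

def review_access(roster, policy, live, sod_conflicts):
    """Compare live access with the roster and policy; return (user, finding) tuples."""
    findings = []
    for user, granted in sorted(live.items()):
        if user not in roster:
            findings.append((user, "not on HR roster: ownership must be established"))
            continue
        role, active = roster[user]
        if not active:
            findings.append((user, "account still enabled after separation"))
        # Anything granted beyond the role's pre-approved list is excess access.
        for ent in sorted(granted - policy.get(role, set())):
            findings.append((user, f"entitlement '{ent}' not approved for role {role}"))
        for a, b in sod_conflicts:
            if a in granted and b in granted:
                findings.append((user, f"segregation-of-duties conflict: {a} + {b}"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ROLE_POLICY, LIVE_ACCESS, SOD_CONFLICTS):
        print(f"{user:8} {finding}")
```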

Page 53

Principle 11: Technology General Controls
Change Control Activities

• Establishes Relevant Technology Acquisition, Development, and Maintenance Process (Change) Control Activities
– Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives
– Provides structure for system design and implementation, outlining specific phases, documentation requirements, approvals and checkpoints

Page 54

Principle 11: Technology General Controls
Change Control Activities

• Provides appropriate controls over changes to technology
– Authorization of change requests
– Verification that the organization has a legal right to use the technology in the manner in which the technology is being employed
– Review to ensure that the changes are appropriate (a.k.a. testing and quality assurance)
– Approval for the changes
– Testing results of changes
– Implementing protocols to determine whether changes are properly made

• Varies depending on the risks (and complexity) of the technology

Page 55

Information & Communication

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

Page 56

Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls

• An organization’s information system encompasses a combination of people, processes, data, and technology that support business processes managed internally as well as those that are supported through relationships with outsourced service providers and other parties interacting with the entity.

Page 57

Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls

– Information systems developed with integrated, technology-enabled processes provide opportunities to enhance the efficiency, speed, and accessibility of information to users.

– Additionally, such information systems may enhance internal control over security and privacy risks associated with information obtained and generated by the organization. Information systems designed and implemented to restrict access to information only to those who need it and to reduce the number of access points enhance the effectiveness of mitigating risks associated with the security and privacy of information.

Page 58

Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls

– Enterprise resource planning (ERP) systems, association management systems (AMS), corporate intranets, collaboration tools, interactive social media, data warehouses, business intelligence systems, operational systems (e.g., factory automation and energy-usage systems), web-based applications, and other technology solutions present opportunities for management to leverage technology in developing and implementing effective and efficient information systems

Page 59

Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls

• Quality of Information is Dependent On:
– Accessible—The information is easy to obtain by those who need it. Users know what information is available and where in the information system the information is accessible.

– Correct—The underlying data is accurate and complete. Information systems include validation checks that address accuracy and completeness, including necessary exception resolution procedures.

– Current—The data gathered is from current sources and is gathered at the frequency needed.

– Protected—Access to sensitive information is restricted to authorized personnel. Data categorization (e.g., confidential and top secret) supports information protection.

– Retained—Information is available over an extended period of time to support inquiries and inspections by external parties.

Page 60

Principle 13: Relevant, Quality Information Used to Support Functioning of Internal Controls

• Quality of Information is Dependent On:
– Sufficient—There is enough information at the right level of detail relevant to information requirements. Extraneous data is eliminated to avoid inefficiency, misuse, or misinterpretation.

– Timely—The information is available from the information system when needed. Timely information helps with the early identification of events, trends, and issues.

– Valid—Information is obtained from authorized sources, gathered according to prescribed procedures, and represents events that actually occurred.

– Verifiable—Information is supported by evidence from the source. Management establishes information management policies with clear responsibility and accountability for the quality of the information.

Page 61

Resources

• AICPA’s Information Management and Technology Assurance (IMTA) Interest Area: www.aicpa.org
• Located under the Interest Areas tab on AICPA’s home page

• Sponsor of the Certified Information Technology Professional (CITP) credential, which recognizes CPAs for their ability to leverage technology to effectively manage information while ensuring the data’s reliability, security, accessibility and relevance.

• Various Webcasts, Whitepapers, Newsletters, Etc.

Page 62

Resources

• Information Systems Audit and Control Association (ISACA): www.isaca.org

• Sponsor of the Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) Exams

• IT Governance Institute
• Designed COBIT (Control Objectives for Information and related Technology) with ISACA, AICPA, and other interested parties to serve as a framework for IT governance and control that fits with and supports COSO’s Internal Control – Integrated Framework

• COBIT Home Page: www.isaca.org/COBIT/Pages/default.aspx

Page 63

Precise Experienced Assurance

Nature Coast Florida Government Finance Officer’s Association | October 16, 2013

Contact Information

Phil Gesner, CPA.CITP, CISA
Audit Manager and IT Auditor / Consultant
Ocala, FL

E-mail: [email protected]

Mobile: 352.642.4357

Company Website: www.purvisgray.com

LinkedIn: www.linkedin.com/in/philgesner/