Internal Control Deliverables. For. System Development Projects

Transcription

1 DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects

2 Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls... 6 Appendix A Process Flow Chart... 7 Appendix B Vendor Payment Narrative Description... 8 Appendix C Control Objective Cross Reference Appendix D Reference Material Internal Control Deliverables For System Development Project - 2 -

3 INTRODUCTION Internal controls are the processes and procedures used to provide assurance that business functions are carried out in a controlled and effective manner. They are implemented through an organization's structure, workflows, people, and information systems. Internal controls govern, direct, manage and monitor the various activities of an organization in order to ensure that the entity s objectives are achieved. The best time to develop and implement a set of controls is during initial process deployment. When dealing with automated application controls, it can be a costly exercise to implement new controls after an application has been moved into production. Therefore, it is essential that internal control issues are properly addressed at the time of system development and implementation. The intent of this document is to provide a framework for identifying required internal controls that need to be implemented during the systems development and implementation process. Project managers will need to work with both business and IT primes in order to successfully address internal controls. The business has ultimate responsibility for defining what application controls are to be implemented for their processes. This assessment should be based on a review of the entire supported business process, not just the components that are to be automated through the system development initiative. The business will decide on what controls are required and whether they should be implemented through manual or automated processes. The system development team will be responsible for the design and implementation of automated application controls, based on requirements established by the business. The project team also needs to give consideration to environmental and general IT controls. These represent the controls that are embedded in the IT processes and services that support the system being designed (e.g. security, change management, backups, etc.). PROCESS FLOW The first step in identifying required internal controls is to document the end to end business processes that are impacted by the project. A process flow provides a narrative on how information moves through the application (including related processes, interfaces, and reports). A graphical representation of the flow will help to provide context to the narrative description. Depending on the complexity of the system or process being designed, it may be necessary to document multiple process flows. Appendix A provides an example of a graphical process flow and Appendix B provides the corresponding narrative description. Each component of the process flow needs to be categorized into either inputs, data transformations (changes and deletes), or outputs. These identified components represent the points within the process where internal controls may be required. Internal Control Deliverables For System Development Project - 3 -

4 Inputs: Any place where information enters into the system. Each inputs should be labeled A1 through A## in the process flow documentation. Inputs include, but are not limited to: - Interfaces from other processes - User data entry - Dedicated devices (e.g. bar code readers, scanners, etc.) Data Transformations: All processes that cause changes to process data (calculations, updates, and deletes). Transformation processes should be labeled B1 through B## in the process flow documentation. Outputs: Any place where information is extracted from the process. Each output should be labeled C1 through C## in the process flow documentation. Outputs include, but are not limited to: - Online queries - Interfaces to other processes - Reports - Deliverables (e.g. cheques, invoices, products, etc.) CONTROLS OBJECTIVES Each control point identified in the process flow documentation should be assessed against a set of relevant control objectives. By mapping the control points with the relevant control objectives, a clear understanding is obtained as to what internal controls already exist within the process and those that need to be defined and implemented. The process flow documentation should be updated to include any new internal controls that are created. There is a different set of control objectives that needs to be applied based on the type of control point being reviewed. The relevant control objective groups are listed below along with the associated control point category: 1. Segregation of Duties (all control points) 2. Source Data Preparation, and Authorization (input control points) 3. Source Data Collection and Entry (input control points) 4. Processing Integrity and Validity (data transformation control points) 5. Output Review, Reconciliation and Error Handling (output control points) 1. Segregation of Duties Segregation of duties focuses on ensuring that individuals are only able to execute authorized processes that are relevant to their role and responsibilities. It reduces the possibility for a single individual to be able to compromise a critical process. Proper segregation of duties provides a means for detecting potential control failures and can help to prevent conflicts of interest, fraud, abuse and errors. The following activities should be segregated from each other: - Data Entry - Transaction Authorization Internal Control Deliverables For System Development Project - 4 -

5 - Transaction Reconciliation - Systems development, acquisition and maintenance - System Administration - Database Administration 2. Source Data Preparation and Authorization Controls designed to ensure the authenticity, accuracy, and validity of source documents (including interfaces) used as input into the system or process. a. Authorization procedures exist for source documents prior to data entry b. Authorized data remains complete, accurate and valid throughout life of source document c. Erroneous source documents are properly handled d. Confirmation receipts are sent to source document originators e. Control over sensitive information exists for source documents f. Source documents are securely stored and maintained in order to facilitate transaction reconstruction, review and audit, litigation inquiries and regulatory requirements 3. Source Data Collection and Entry Controls designed to ensure that data inputs are accurate, complete and authorized. a. Processes are in place to ensure timely data entry and error correction b. Data entry processes are limited to authorized and uniquely identified individuals c. System data can be traced back to originating source documentation and the individual who inputted the data d. Verification and edit checks exist for inputted data e. All authorized transactions are accurately recorded, once and only once f. Incomplete or incorrect transactions are rejected g. Transactions are assigned unique and sequential identifiers 4. Processing Integrity and Validity Controls designed to maintain the integrity and validity of data throughout the system or process. a. Access to data processing routines are limited to authorized and identifiable individuals b. Logs are maintained of programs executed and transactions processed or rejected c. Data changes can be traced back to the changing process and authorized individual d. Multiple versions or repositories of the same data are kept in sync e. Data processing routines include error prevention/detection checks f. Processes are in place to ensure reporting and timely correction of errors g. Correction and resubmission of errors is approved by the original submitting function h. Resubmitted transactions follow the exact processes as the original transaction i. Data updates only occur through fully tested and approved routines j. Controls are in place to ensure the integrity of interdependent routines k. Deleted information is retained for audit purposes and flagged to prevent inclusion in standard reporting l. Recovery processes exist to automatically maintain the integrity of data during unexpected interruptions. Internal Control Deliverables For System Development Project - 5 -

6 5. Output Review, Reconciliation and Error Handling Controls designed to ensure the accuracy and security of output generated by the system or process. a. Access to output data is restricted physically and logically to authorized individuals b. Ad-hoc reporting capabilities are restricted to authorized individuals c. Query and reporting functions do not provide data update capabilities d. Output requirements and needs are periodically reviewed e. System output contains all, and only, the requested information f. Verification checks exist for outputted data g. Origination and content of output should be independently verifiable h. Process and responsibility for output disposal is clearly defined Appendix C provides a cross reference of control objectives with the control points identified in Appendix A and B. ENVIRONMENTAL AND GENERAL IT CONTROLS As part of the system development and implementation process, consideration needs to be given to the IT processes required to support the new system. Similar to the internal controls within an application, if required environmental and general IT controls are not identified during the development and implementation of the system, then it may become a more costly initiative to implement them once the system is in production. For each of the following environmental control issues an explanation needs to be provided describing the actual processes that will be implemented to minimize risk exposure. a. Physical Security b. Logical Security c. System Management and Administration d. Database Administration e. Backup and Recovery f. Contingency Planning and Disaster Recovery g. Program Change Control h. Application system support and maintenance i. Capacity Management Internal Control Deliverables For System Development Project - 6 -

7 APPENDIX A PROCESS FLOW CHART UniFi Information Technology Accounts Payable Clerk Director Purchasing Internal Control Deliverables For System Development Project - 7 -

8 APPENDIX B VENDOR PAYMENT NARRATIVE DESCRIPTION The purpose of the vendor payment process is to ensure that after a vendor provides goods or services that the invoice relating to the goods or services received are paid in an efficient and effective manner. Input A1: Invoices received from vendors are forwarded to the Director for review. Transformation B1: The Director reviews each invoice for appropriateness. Approved invoices are stamped, signed, and forwarded to the Accounts Payable (AP) clerk for processing. Input A2: Before entering invoice details into the local financial application, the Accounts Payable clerk must first create a batch record that is used for the consolidation of invoice details. Multiple invoices can be entered into a single batch. The local financial application requires that a separate batch be created for credit memos. Invoice batches are created using the function Purchase Batch while credit memo batches are created using the Returns Batch function. Typical process is to use the same name for the invoice and returns batch so that the transactions can be consolidated in downstream processes. Input A3: Approved invoices and credit memos are entered into the local financial application by the AP clerk, using the Receiving Transaction Entry and Returns Transaction Entry functions respectively. Output C1: There is no set limit on the number of invoices that can be entered into a single batch. The AP clerk arbitrarily decides when a batch is ready to be submitted for payment processing. Using the internally developed Transfer tool, the AP clerk generates a batch summary report showing the payment total for each invoice contained in the batch. Transformation B2: The batch report is then provided to the Director along with the corresponding invoices. The Director then ensures that his stamp and signature are on each of the invoices and that the invoice total matches the amount shown on the batch report. The Director then initials each invoice and checks off the amount on the batch report. Transformation B3: Once the batch report has been approved by the Director, the AP clerk then posts the batch within the local financial application. Posting the batch prevents any further changes to be made to the invoice details. Transformation B4: Within the Transfer tool, the AP clerk uses the Transfer Batch function to copy posted invoice details from the local financial application database into an intermediary oracle database. Output C2: A script is run nightly that checks the oracle database for new invoices. The job then creates an interface file containing the new invoice records that need to be transferred to UniFi. The interface file is saved in a secure drop box on the server Shelf. Output C3: The interface file creation process (C2) creates a notification that is sent to Systems Support and Development in the Financial Services Division (FSD). The provides a record count and total dollar amount for the interface file that was posted on Shelf. Internal Control Deliverables For System Development Project - 8 -

9 Input A4: A process is run nightly on Shelf that reads the interface file and loads the data into UniFi. A Load confirmation is sent to a pre-defined distribution list that reports the number of invoices loaded in to UniFi and the total dollar value. Output C4: The AP clerk prints out the UniFi Load Confirmation and consolidates it with the corresponding batch report and vendor invoices. The consolidated package is then filed together to support future reviews. Internal Control Deliverables For System Development Project - 9 -

10 APPENDIX C CONTROL OBJECTIVE CROSS REFERENCE CONTROL OBJECTIVE CROSS REFERENCE Control Exists X Control Missing N/A Control Deemed Not Applicable Inputs Control Points Control Objectives # Description 1 2a 2b 2c 2d 2e 2f 3a 3b 3c 3d 3e 3f 3g A1 Invoice N/A N/A X N/A N/A N/A N/A N/A N/A A2 Create Batch N/A N/A N/A N/A N/A N/A N/A X X X N/A N/A A3 Transaction Entry X N/A N/A X X X A4 UniFi Load Confirmation X X N/A N/A X N/A X X N/A N/A A5 Data Transformations Control Points Control Objectives # Description 1 4a 4b 4c 4d 4e 4f 4g 4h 4i 4j 4k 4l B1 Review Invoice N/A N/A N/A X N/A N/A N/A B2 Review Batch Report N/A N/A X N/A N/A N/A B3 Post Batch X X X N/A N/A X X N/A B4 Transfer Batch X X X X X X X X X B5 Review UniFi Load Confirmation X X X X X X X X X X X X X B6 Outputs Control Points Control Objectives # Description 1 5a 5b 5c 5d 5e 5f 5g 5h C1 Batch Report X N/A N/A X C2 UniFi Interface File N/A X N/A X X X X X C3 Trasfer Notification N/A N/A X X X C4 Hardcopy Filing N/A N/A N/A N/A N/A X C5 Notes: A1-3a: No processes are in place to ensure timely data entry A2-3b: Use of common login id prevents the identification of unique users B5: Process does not exist. It represents a new process to be created to address an identified control weakness. Once the process has been defined, and documented in the process flow, it would then be assessed against relevant control objectives and the above chart updated. C4-5h: Food Services has not defined any data archiving and disposal processes Internal Control Deliverables For System Development Project

11 APPENDIX D REFERENCE MATERIAL Accounting Information Systems, Fourth Edition, James A. Hall Auditing and Other Assurance Services, Canadian Eighth Edition, Committee of Sponsoring Organizations of the Treadway Commission (COSO) Control Objectives for Information and related Technology (COBIT) 4.1, IT Governance Institute Control Objectives for Information and related Technology (COBIT) 4.0, IT Governance Institute Control Objectives for Information and related Technology (COBIT) 3 rd Edition, Audit Guidelines, IT Governance Institute Global Technology Audit Guide (GTAG) Auditing Application Controls Information Technology Guidelines, 3rd Edition, Canadian Institute of Chartered Accountants IT Assurance Guide: Using COBIT, IT Governance Institute Statement on Auditing Standards (SAS) No. 78 Internal Control Deliverables For System Development Project