Automated Controls Strategy, Implementation & Practical Examples. By Danny Miller, CGEIT, CISA, ITIL



Similar documents
Information overload: How to make data analytics work for the internal audit function

Moving Forward with IT Governance and COBIT

Corporate Governor. New COSO Framework links IT and business process

ISACA PROFESSIONAL RESOURCES

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Framework: Supporting transformation of government financial

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

Sarbanes-Oxley Control Transformation Through Automation

Enabling Information PREVIEW VERSION

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

CIIA South West Analytics in Internal Audit - Tackling Fraud

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Application controls testing in an integrated audit

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Application Control Effectiveness for SAP. December 2007

Capital Requirements Directive Pillar 3 Disclosure. December 2015

Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd.

Auditing Applications. ISACA Seminar: February 10, 2012

Capital Projects. Providing assurance over effective delivery of projects

An Introduction to Continuous Controls Monitoring

Office of the Auditor General. Audit of Accounts Payable. Tabled at Audit Committee November 26, 2015

Domain 5 Information Security Governance and Risk Management

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

IT Service Management ITIL, COBIT

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Internal Auditing Guidelines

The Information Systems Audit

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Fraud Prevention and Detection in a Manufacturing Environment

Using COSO Small Business Guidance for Assessing Internal Financial Controls

Final Audit Report. Audit of Data Integrity MCCS Feeder System Interfacing with SAP

Following up recommendations/management actions

Risk Management Advisory Services, LLC Capital markets audit and control

Integrated Governance, Risk and Compliance (igrc) Approach

Internal Audit Testing and Sampling Techniques. Chartered Institute of Internal Auditors May 2014

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

Spillemyndigheden s Certification Programme Change Management Programme

Strategic IT audit. Develop an IT Strategic IT Assurance Plan

Access Governance. Delivering value. What you gain. Putting a project back on track for success

Leveraging Your ERP System to Enhance Internal Controls

HEALTH SERVICE EXECUTIVE NATIONAL FINANCIAL REGULATION INTRODUCTION TO NATIONAL FINANCIAL REGULATIONS NFR - 00

Application Testing: Not Just for IT Auditors. Insert Logo Here

Recommendation for IT Governance Using the COBIT 4.1 Framework

Contract risk and assurance

Identity and Access. Management Services. HCL Information Security Practice. Terrorist Sabotage. Identity Theft. Credit Card Fraud

ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems

OVERVIEW OF THE ISSUE

Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background

How to Ensure IT Compliance Without Compromising Innovation. Nik Teshima, IBM Phil Odence, Black Duck

Independent Accountants Report

Care360 Guide for CMS Meaningful Use Audit

Information Technology Auditing for Non-IT Specialist

Module 1 Study Guide

Frequently asked questions: SOC 2 and 3

The Importance of IT Controls to Sarbanes-Oxley Compliance

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

NERC CIP Compliance with Security Professional Services

An Integrated Approach to Performing Pre-implementation Reviews. Securities Industry and Financial Markets Association February 29, 2012

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Why SDLC Controls are important for a project. Jason D. Lannen CISA, CISM August 21, :15 AM

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Sarbanes-Oxley Section 404: Management s Assessment Process

Knowledge Management Series. Internal Audit in ERP Environment

Introduction to Change

Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies

Development and Acquisition D&A

Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012

Top Ten Technology Risks Facing Colleges and Universities

WHITE PAPER. Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements

Managing data security and privacy risk of third-party vendors

FIRST CITIZENS BANCSHARES, INC. FIRST-CITIZENS BANK & TRUST COMPANY CHARTER OF THE JOINT AUDIT COMMITTEE

C21 Introduction to User Access

Domain 1 The Process of Auditing Information Systems

How to improve account reconciliation activities*

Insight and Peer Analysis

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

Your Guide to Going Global with AP Automation. Donna Sawyer Paymode-X Product Manager, Bottomline Technologies

Infor CloudSuite Industrial (SyteLine) for Medical Devices

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

Internal Control Deliverables. For. System Development Projects

FINANCIAL MARKETS AUTHORITY CORPORATE GOVERNANCE IN NEW ZEALAND. Principles and Guidelines A handbook for directors, executives and advisers

1/21/2014. Agenda. Audit Testing. The Basics of Internal Auditing January 23-24, 2014

What Should IS Majors Know About Regulatory Compliance?

Transcription:

Automated Controls Strategy, Implementation & Practical Examples By Danny Miller, CGEIT, CISA, ITIL

Contents 1 Introduction 1 What are automated controls? 2 How do automated controls benefit IT and the business? 3 Strategies for implementing & monitoring automated controls 3 Benchmarking/baselining automated controls 4 Practical examples of automated controls 4 Summary Introduction Automated controls exist in most IT applications, interfaces and appliances. All Enterprise Resource Planning (ERP) systems contain them in one form or another. Automated controls are generally highly configurable to the client s environment to meet its control and automation needs. Some key questions to ask with automated controls include: (1) where do they exist? (2) how do they match up with my business process so that I can use them? (3) are they reasonable or worthwhile to turn on and use? and (4) are they hard to configure and maintain? This white paper seeks to give the reader guidance for answering those questions and discussing strategies around the implementation of automated controls. We will also provide some practical examples on taking advantage of automated controls and give a baseline example. What are automated controls? An automated control is a mechanism or device inside an application, interface or appliance that enforces or controls a rule-set or validation on one or more conditions inside of a process. A very simple example is an order-entry screen inside an application that contains a field that only allows the user to select from a list of approved vendors to complete the order. The control is the mechanism that limits the choices of vendors. Inside the application, certain rule-sets are set in place to limit the list of vendors based on information in a separate file that the application reads when that screen is presented to an enduser. Automated controls can exist in an application at any of the stages of information flow, including input, processing and output. 1

How do automated controls benefit IT and the business? While there are many benefits of automated controls, there are several key benefits that organizations should be aware of for purposes of placing them in the proper context. Regulatory compliance/fraud In the current business climate, fraud-related regulations applicable to many industries are likely to become more intrusive and prescriptive. Controls which can reduce the likelihood and impact of fraud, mismanagement and error through automated means are therefore a welcome tool for management. Examples of automated controls in this area include those that enforce defined segregation of duties and those that ensure that a company delegation of authority policy is followed. Business process monitoring With responsibilities being pushed down inside organizations, management needs ways in which they can control the process flow inside their organizations without adding significant overhead. In a well considered implementation of automated controls, policies which define how the organization works can be automated. The types of controls involved include positive edit, user authority and/or work flow controls. An example is the control over delegation of authority in a financial context. The company s main accounting system may have a routine inside which, based on previously defined limits, allows individuals with the requisite authority to approve certain transactions. Others without that configured authority in the control cannot approve transactions outside their limits. User Position DOA Limit Dmiller Controller $10,000 Mrose CEO $100,000 Compliance/internal audit testing Companies are routinely pressured by shareholders, Board of Directors and Audit Committees not only to keep general audit costs down, but also to continuously look for cost reduction opportunities in their audit compliance efforts involving internal and external testing of their controls. As a result, there has been a corresponding demand by client companies for external audit firms to rely more heavily on the testing conducted by management. External audit firms have universally welcomed the addition of automated controls inside their clients - with the understanding that effective change management practices are in place. With the advent of the one transaction test per year on a given automated control, the internal and external testing cycles can be substantially accelerated, with resulting cost savings. Development controls In order to have an effective automated control implementation, organizations must have a robust system development life cycle (SDLC) with sound change management and strong quality control. To prove an automated control from its foundation, the company must show that the control was implemented correctly and there is a clear and documented history of change management. While there are many benefits of automated controls, there are several key benefits that organizations should be aware of for purposes of placing them in the proper context. Mmellor CFO $50,000 2

Strategies for implementing & monitoring automated controls A strategy for the usage of automated controls is needed inside organizations to ensure that benefit is derived from their use. Some example strategies to use with automated controls include: Obtain agreement with your external auditor on the reliance around automated controls for all your compliance testing. In a heavily regulated industry such as banking, it is also recommended that you work with regulatory agencies that audit the organization to accept the value of automated controls. Recognize that only relevant controls inside applications available for automation should be turned on. A good number of organizations have simply turned on automated controls and found that it has negatively impacted their usage of both the application and the underlying business process. Examine business processes tied to the balance sheet and cross-reference available automated controls within the supporting applications. Following this examination, determine if it makes sense to implement the available automated controls. As mentioned before, a return on investment (ROI) calculation is helpful in making this determination. Consider the overall access and segregation of duties (SoD) strategy when determining whether and how to implement automated controls. The implementation of automated controls almost always will affect access and SoD controls Benchmarking/baselining automated controls For a well-established and accepted strategy around baselining automated controls, listed below are four key elements which form the foundation for the successful baselining of an application: The relevant/key automated controls embedded in the application are appropriately designed The automated key controls operate effectively The relevant supporting IT general controls, especially management of changes to the application, are appropriately designed, and The relevant supporting IT general controls operate effectively 3

Practical examples of automated controls Here are the steps one would take to baseline the controls around the Foreign Exchange process within Hyperion, as an example: (1) Check the updates to the system since the last baseline. If there are changes that impacted the controls that were last baselined, then a new baseline for that control must be done. This means that if the control or the code which actions the control has changed significantly, then the control should be re-baselined. (2) Check that the change management process over the application is robust. Look for evidence of good change management practices, such as good documentation, welldefined test plans and scripts, approvals for changes and approvals for the implementation of changes, i.e., User- Acceptance Testing. (3) For the FX process in Hyperion, for example a) The Supervisor logs into the system as supervisor-level b) Supervisor takes rates from whatever official source, such as TravelEx c) Supervisor enters rates into the system (a control may be here to have some limit checks internally) d) A separate report is printed and signed (or an e-mail originated) by the supervisor s superior noting that they checked that the correct rates were entered and that the entries were authorized. (4) Data test a) Run or trace existing # s through the FX calculator and re-perform calculator to confirm it is working properly. b) If doing a re-performance, look at the mappings to determine if the # s are properly classified. c) Document all steps. Once the baseline over the control has been completed, a single transaction may be used to exercise the control every period it is to be tested for a maximum of 3 years before it will need to be re-baselined. The key to ensuring that the baseline stays valid is the observance of steps (1) and (2) above, with special emphasis around a rigorous change management process and appropriately documenting the original baseline. Summary Automated controls provide many benefits to organizations which have a heavily mechanized infrastructure and which are also burdened with manual business processes. Larger organizations, who have traditionally relied heavily on manual business process controls can greatly benefit from the replacement of those manuals controls with automated controls to enhance their control structure and reduce the cost of compliance. Organizations should undertake and understand the cost/benefit analysis before tackling the actual implementation of automated controls, since there is a real and definable effort in implementing and maintaining those controls. At each step of the process, there should be verification by observation and through various kinds of evidence such as screen-shots that each part of the process and the controls were being appropriately managed. 4

About the author Danny Miller is a Principal and Practice Leader of Grant Thornton s Advisory Services practice in Philadelphia. Danny has over 22 years of experience in the Information Technology and Audit fields. He has been a software developer, IT auditor, database administrator, project manager and Chief Information Officer in a wide-range of industries. Danny holds certifications as a Certified Information Systems Auditor (CISA), a Yellow-Belt in Six-Sigma, a Certification in the Governance of Enterprise IT (CGEIT), and a Green Badge in ITIL. He is also a published author in computer fraud, fraud detection and prevention. Danny is a member of the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA). The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.grantthornton.com. Article content is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed in the article, consult your Grant Thornton client-service partner. Comments or questions about the article may be directed to the author at Daniel.Miller@gt.com. Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information