External ITGC Audits An Internal Auditor s Opportunity

Similar documents
Auditing Standard 5- Effective and Efficient SOX Compliance

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

COSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

The Information Systems Audit

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Impact of New Internal Control Frameworks

OBSERVATIONS FROM 2010 INSPECTIONS OF DOMESTIC ANNUALLY INSPECTED FIRMS REGARDING DEFICIENCIES IN AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING

Internal Financial Controls

J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

19/10/2012. How do you monitor. (...And why should you?) CAS Annual Meeting - Henry Jupe

Application controls testing in an integrated audit

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

The Value of Vulnerability Management*

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

4 Testing General and Automated Controls

The Importance of IT Controls to Sarbanes-Oxley Compliance

Comparison of ISA 330 with AS-402 Objectives and Requirements Only

COSO Internal Control Integrated Framework (2013)

Inspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through No.15)

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

Fraud and Role of Information Technology. September 2008

Risikobaseret tilgang til revision

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

Automating the Audit July 2010

Sarbanes-Oxley Section 404: Management s Assessment Process

Corporate Governor. New COSO Framework links IT and business process

Internal Audit Testing and Sampling Techniques. Chartered Institute of Internal Auditors May 2014

SESSION 3 AUDIT PLANNING

Information Technology General Controls (ITGCs) 101

IFRS in Asia 2008 Driving the Capital Markets of Tomorrow October 2008, Beijing, China

Antifraud program and controls assessment grid*

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Service Organization Control Reports

Third Party Risk Management 12 April 2012

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.

INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS CONTENTS

Creating an effective Internal Control Framework. Marcus Guenther CA, MBA

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION

Sarbanes-Oxley Section 404 Compliance: A Guiding Framework using igrafx SOX Accelerator

EMBEDDING BCM IN THE ORGANIZATION S CULTURE

G24 - SAS 70 Practices and Developments Todd Bishop

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Sarbanes-Oxley Control Transformation Through Automation

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

Sarbanes-Oxley 404. Sarbanes-Oxley Background. SOX 404 Internal Controls. Goals of Sarbanes-Oxley

How To Audit A Company

California ISO Audit of the Financial Statements for the Year Ending December 31, 2015 December 18, 2015

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

THE AUDITOR S RESPONSES TO ASSESSED RISKS

Report on Inspection of PricewaterhouseCoopers LLP (Headquartered in New York, New York) Public Company Accounting Oversight Board

Connecting the dots: IT to Business

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows InTune (October 2013 Release)

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Communicating Internal Control Related Matters Identified in an Audit

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

How To Audit A Company

Integrated Governance, Risk and Compliance (igrc) Approach

PwC The Path Forward for Data Analysis and Continuous Auditing May 2011

How Software Asset Management Enables Businesses to Meet Sarbanes-Oxley Requirements

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls And Best Practices

Model Risk, A company perspective Peter K. Reilly, FSA Valuation Actuary & Head of Actuarial Strategic Initiatives Aetna, Inc

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo

Massachusetts Bay Transportation Authority


Audit Evidence and Documentation AN AUDIT: SUMMARY CHAPTER PCAOB ONE-UP S THE AICPA MANAGEMENT S ASSERTIONS

Best Practices Report

Audit Quality Thematic Review

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315

INNOVATE. MSP Services Overview SVEN RADEMACHER THROUGH MOTIVATION

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

ERM006 ERM and Business Continuity Management: Together at Last RIMS Annual Conference April 13, 2016

Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation

Practical Guidance for Auditing IT General Controls. September 2, 2009

Guide to Internal Control Over Financial Reporting

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows Server Update Services 3.0 SP2

[RELEASE NOS ; ; FR-77; File No. S ]

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013

How to improve account reconciliation activities*

THE ROLE OF AN SOC 1 REPORT (formerly SAS 70) IN FREIGHT PAYMENT

Risk Management Advisory Services, LLC Capital markets audit and control

Compliance & Internal Audit Collaboration

Department of Homeland Security

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Effectively Assessing IT General Controls

Master Document Audit Program. Version 7.4, dated November 2006 B-1 Planning Considerations. Purpose and Scope

GFI Product Comparison. GFI LanGuard 2011 vs Retina Network Security Scanner

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit

Transcription:

External ITGC Audits An Internal Auditor s Opportunity April 2, 2009 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the comments made at the session. The information and considerations presented herein do not constitute legal or any other type of professional advice.

Today s Agenda Brief Overview of ITGCs Impact on Application Controls and System Generated Data Linkage to the Financial Audit Internal Audit Involvement in the ITGC Audit Life Cycle Additional Opportunities Final Thoughts Page 2

Questions to contemplate Have I contemplated Internal Audit s role in driving efficiencies in the external ITGC audit? Does the external auditor s ITGC budget seem high given the amount of work required? Am I doing everything I can to ensure the external auditors perform an efficient and effective ITGC audit? Have I been consistently interfacing with the external auditors during the planning, fieldwork and wrap up phases of the ITGC audit? Do the external auditors realize the maximum amount of reliance on my work? If not, what needs to happen to achieve maximum reliance? What else can I do to drive an efficient and effective ITGC audit? Page 3

Brief Overview of ITGCs

Entity Level Controls Over IT Relate to the softer COSO components ELCs should reflect how management approaches information technology needs and should serve to promote ongoing effectiveness of ITGCs Examples include: IT Policies Employee training Communication Adequacy of IT Team External Audit will assess the overall tone at the top to decide if the nature or extent of procedures should be modified. When past audits have indicated deficiencies in the control environment or relevant ITGCs and remediation efforts have been insufficient, the audit plan will be developed in consideration of the potential inability to rely on impacted automated controls. ELCs over IT Set the Tone for controls in the organization. Page 5

ITGCs - What s Relevant for Testing Access to programs and data Program changes Both of these domains are almost always relevant, but their complexity and the extent of audit evidence needed can vary greatly by organization. Program development Relevant only where new system implementations will impact ICFR and the risk of material misstatement. Testing generally not required if no impact on current year financial statements and ICFR. Computer operations Relevant only if needed to directly address assertions over significant accounts (more common in high transaction volume industries with complex systems, such as banking) or to address specific risks. External Auditors will generally consider risks in each of these areas, even if little or no testing is performed. Page 6

ITGCs - Access to Programs and Data Areas for consideration: Importance of restricted access to: Segregation of duties objectives Fraud risk Risk of inadvertent errors Company s approach to application security and the security infrastructure Access (user and administrative) at the application, operating system and database levels It is usually not necessary to test perimeter security and anti-hacking controls, such as firewalls and intrusion detection systems, unless material financial reporting risks exist that are not adequately addressed by application-level security alone. The closer you get to financial data, the greater the risk to material misstatement. Page 7

Layers of the Application Architecture and their Relative Risk INF OS APP Increasing Level of Risk DB Infrastructure (INF) Operating System (OS) Application (APP) Database (DB) Page 8

ITGCs - Program Changes Areas for consideration: In house developed versus third party application Ownership of source code Volume / frequency of changes Complexity of changes Ownership of changes to key reports (business versus IT) Where accountability sits in the organization for identifying changes impacting ICFR Degree of finance and IT interaction Forms the basis for relying on the ongoing operating effectiveness of application controls Page 9

ITGCs - Program Development Areas for consideration: Methodology for implementing projects Business involvement and buy-in on requirements and design Contemplation of Internal Controls in design phase Nature and extent of quality assurance (unit, regression, integration testing) Accuracy and completeness of converted data Go-live approvals Not required to be tested unless there are specific data conversions or system implementations that impact the risk of material misstatement Page 10

ITGCs Computer Operations Areas for consideration: Job maintenance and monitoring (specific to financial jobs) Backup and recovery procedures (in an unstable environment) Operating system patch maintenance Anti-virus controls Environmental controls Computer Operations controls, otherwise not included in scope for the financial audit, are sometimes included in scope for the purposes of a statutory audit. Often present operational risk, not ICFR risk, depending on the specific circumstances Page 11

Impact on Application Controls including System Generated Data

ITGC External Scoping ITGC Audits An Internal Auditor s Opportunity Application Control vs. an IT General Control? Application controls - Think in terms of does this directly relate to the input, processing or output of financial transactions - Directly support CAVR (Completeness, Accuracy, Validity and Restricted Access), thereby contributing to comfort over financial statement assertions ITGCs - Activities that ensure the continued effective operation of application controls, automated accounting procedures that depend on computer processes and manual controls that use application-generated information / reports - Some ITGCs may also serve as Application Controls, e.g. password controls - ITGCs are pervasive, and therefore often do not directly support financial statement assertions Page 13

Application controls include Programmed or configured automated controls Reports or data generated from the system and used in manual controls or accounting procedures Automated calculations or data processing routines programmed into the application Restricted access to transaction processing capabilities Restricted access to programs and data ITGCs that directly address relevant financial statement assertions Page 14

Automated Controls - Baselining Approach A baseline test provides evidence that an automated control is functioning as intended at a point in time. ITGCs support a baselining approach: If ITGCs are effective and continue to be tested AND an automated control hasn t changed since the last time it was tested then. We can conclude the automated control continues to be effective. The ability to rely on the proper and consistent operation of application controls usually depends on the effective operation of related ITGCs. Page 15

System Generated Data Often used in the execution of a manual control (ex: application generated reports) The higher the risk associated with the control and the more the control depends on the accuracy and completeness of data, the greater the importance of ITGCs Effective ITGCs provide greater comfort that the programs and data sources are controlled and protected from unauthorized access or changes The ability to rely on the proper and consistent operation of application controls usually depends on the effective operation of related ITGCs. Page 16

Linkage to the Financial Audit

Linkage of ITGCs to Audit Comfort Page 18

Planning and Scoping considerations as it relates to the financial statement audit Overall scoping should be completed prior to planning for an evaluation of ITGCs ITGCs should be evaluated for those systems that have a direct linkage to the inscope financial statement accounts considering relevant risk considerations Special consideration should be given when there are major system implementations Effective control design often includes a mix of automated controls and manual controls which rely on system generated reports Ensure approach is well coordinated between your IT auditors and the remainder of the team Page 19

Impact of ITGC deficiencies on the financial statement audit ITGC deficiencies should be evaluated for their individual and collective impact on the reliability of the dependent automated application controls ITGCs should not be presumed to be ineffective because a few control deficiencies exist If the integrity of an automated control is impacted by an ITGC deficiency, determine whether the ITGC deficiency actually culminated in an application-level control issue Evaluation of ITGC deficiencies requires integrated team judgment (both internal and external). Page 20

Internal Audit Involvement in the ITGC Audit Life Cycle

To ensure efficiencies are maximized, Internal Audit teams should be involved in all three phases of the ITGC audit life cycle. Understanding the key activities for each phase is therefore critical. Key External Auditor Activities Audit Planning Fieldwork Wrap up Risk assessment Map in scope financial statement accounts and processes to applications Understand significant changes in operations, personnel and systems Determine planned reliance on the applications and related application controls Determine planned reliance on management testing Develop the budget Risk rank the controls and select controls to test Develop test plans Documentation request lists Meet with control owner to perform design assessments Evaluate entity level controls over IT Evaluate all other ITGCs Communicate interim issues Communicate final deficiencies As necessary, perform additional procedures for audit comfort Aggregate and evaluate control deficiencies Page 22

Planning Fieldwork Wrap-up Internal Auditor Opportunities during the Planning Phase Read the SOX risk assessment/scoping memo to understand the financial statement risk; this may help you identify additional opportunities Risk rank the applications and controls Document and communicate competence and objectivity to the external auditors early Understand the external auditor s reliance approach and propose creative solutions to expand their reliance on management testing Document test plans early and submit to the external audit team for review Develop a point of view and communicate it! Page 23

Planning Fieldwork Wrap-up Internal Auditor Opportunities during Fieldwork Validate deficiencies early via a combined effort between Internal Audit, External Audit and IT Provide management s workpapers timely and perform a thorough root cause analysis on any deficiencies found Clearly document Internal Audit s test procedures and results in a manner that facilitates efficient reliance by the External Auditors Communicate changes in your testing approach real time Understand the interim deficiencies and perform additional procedures to help the external auditors understand the exposure and any mitigating controls Stay involved! Page 24

Planning Fieldwork Wrap-up Internal Auditor Opportunities during Wrap-up Always come with a point of view on deficiencies Understand differences in what management found versus your external auditors Anticipate and perform additional procedures resulting from ITGC deficiencies to help the external auditors understand the exposure and mitigating controls Aggregate and evaluate deficiencies via a defined framework (preferably one the external auditor uses) Help drive management s deficiency evaluation to achieve greater reliance Page 25

Additional Opportunities

Additional Opportunities for Driving Efficiencies Always think with AS5 (top down, risk based approach) in mind Be aware of upcoming changes in your environment that might impact ITGC scope, develop a point of view and bring to the table Risk rank the applications (in a complex environment with multiple apps) Enhance already existing SOX documentation (ex: ITGC narratives, scoping/planning memos, in-scope applications, SAS70s) Direct assistance (walkthroughs and/or testing) Pre and post implementation reviews Develop a point of view on risk and support it with thorough documentation Page 27

Indicators of changes in the environment that might impact ITGC scope System implementation projects Data corruption / recovery issues Employee right-size activities Outsourcing of functions previously performed internally Page 28

Final Thoughts

Questions? Page 30

Contact information Dana Smith, Senior Manager (214) 754-4583 Dana.Smith@us.pwc.com Geoffrey Woodbury, Manager (214) 754-5480 Geoffrey.S.Woodbury@us.pwc.com Page 31

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2007 LLP. All rights reserved. "" refers to LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of LLP. Page 32

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information