CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT Framework v2 for SOX-404) Ed Hill, Managing Director, Protiviti Gene Kim, CTO, Tripwire June 2006

3 2006 06 cs6 4 gait principles v3a


Page 1

CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT Framework v2 for SOX-404)

Ed Hill, Managing Director, Protiviti
Gene Kim, CTO, Tripwire

June 2006

Page 2

IIA GAIT Core Team: Task Force of IIA Technology Committee

• Ed Hill, Protiviti
• Gene Kim, Tripwire
• Steve Mar, Microsoft
• Norman Marks, Maxtor
• Jay Taylor, General Motors Corp
• Heriot Prentice, IIA
• Julia Allen, Eileen Forrester, Software Engineering Institute

Page 3

The Problem

• Lack of well-established guidance for scoping IT work relating to SOX-404 leads to inconsistency and subjectivity.

• As a result:
– Auditors and management are frustrated with IT aspects of SOX-404 compliance because current scoping approaches are creating overly broad scope and excessive testing costs
– SEC registrants are hesitant to reduce scope for fear of increasing risk
– Significant risks to financial assertions may be unaddressed due to lack of consistency
– SEC registrants and CPA firms both experience suboptimal use of scarce resources

Page 4

Why Is There A Problem?

• No clear guidance exists to determine whether IT processes and activities can invalidate financial application processing or financial assertions
– COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
– COBIT does not provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., COSO objective for internal control over financial reporting)

• Something else is needed…

Page 5

What We Did About It

• In early 2005, the IIA Technology Committee created the GAIT task force, which has held four GAIT Summits since July 2005

• The GAIT Summits assembled key stakeholders from internal audit, management, external audit and federal regulators

Page 6

Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions

GAIT takes the approach used in the nine firm document.

GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal control objectives.

Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies, “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)

Page 7

Solution: GAIT…

• Establishes four principles that
– Define the relevance of IT infrastructure elements to financial reporting integrity
– Define the three types of IT processes that can affect them: change management and systems development, operations and security
– Define an end-to-end process view of these three processes
– Define an approach to defining objectives and key controls within those three processes

• Provides a methodology and thinking process that continues the top-down, risk-based approach started in AS2 to scope IT general controls

• Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
– Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and complying with laws and regulations (as defined by COSO)

Page 8

GAIT Team’s Vision and Goals

• To develop in 2006 a set of widely-used and widely-accepted guiding principles, tools, methodologies and scenarios that can be used by management and auditors to properly scope IT general controls work for financial reporting and SOX-404.

• To develop a short- and medium-term roadmap that moves the GAIT Principles from “new guidance” to “great advice” to “generally accepted.”

• To develop a long-term roadmap that expands the GAIT Principles from internal control objectives for just financial reporting, to one that encompasses compliance with laws and regulations, operating effectiveness, etc.

Page 9

GAIT Principle #1

• The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.

(“What are the relevant IT infrastructure elements?”)

Page 10

GAIT Principle #2

• The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:
– Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure
– Operations management: the processes around managing the integrity of production data and program execution
– Security management: the processes around limiting access to information assets

(“What are the relevant end-to-end IT processes?”)

Page 11

GAIT Principle #3

• Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes.

(“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)

Page 12

GAIT Principle #4

• Key controls in the three IT processes are identified based on:
– Inherent risk of not achieving the IT process objectives
– IT process risk indicators

(“How do we select key controls within those IT processes?”)

Page 13

GAIT Scoping: Step By Step

(Flow diagram. AS2 begins at the business-process steps; GAIT starts at the IT infrastructure steps.)

• Identify key financial statement captions (AS2 begins here)
• Identify the general ledger accounts related to the key financial statement accounts (significant account)
• Identify key transaction processes that affect the general ledger accounts
• Identify and understand related business processes
• Identify and understand applications and modules that support financially relevant business processes
• Analyze the risks within the integrated business process (Identify risks)
• Identify manual & automated controls & key functionality within the process that mitigate the risks (Identify key controls)
• Identify IT infrastructure elements which support the application (the rest of the stack) (GAIT starts here)
• Identify and understand infrastructure that supports the business processes
• Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
• Validate IT entity level controls
• Evaluate overall entity level controls
• Identify IT entity level elements and the demonstrated maturity of the process

Page 14

GAIT Scoping: Step By Step (diagram detail, by swim lane)

Business Process:
• Identify key financial statement captions
• Identify the general ledger accounts related to the key financial statement accounts (significant account)
• Identify key transaction processes that affect the general ledger accounts
• Identify and understand related business processes
• Identify and understand applications and modules that support financially relevant business processes
• Analyze the risks within the integrated business process (Identify risks)
• Identify manual & automated controls & key functionality within the process that mitigate the risks (Identify key controls)

Business and IT:
• Identify IT infrastructure elements which support the application (the rest of the stack)
• Identify and understand infrastructure that supports the business processes

IT:
• Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
• Validate IT entity and management level controls

Page 15

GAIT Scoping: Step By Step (diagram detail, entity-level steps; swim lanes shown: Business and IT, IT)

• Evaluate overall entity level controls
• Identify IT entity level elements and the demonstrated maturity of the process
• Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps

Page 16

Where GAIT Picks Up

• AS2 provides the steps to identify key controls within the business processes

• Some of those are automated and some are manual, relying on automated functionality (key reports)

• Failures in the above are unlikely to be detected by manual controls (otherwise, probably not key)

Page 17

When GAIT Is Applied Correctly

• You have identified all the key controls you are reliant upon
– You have identified all the ITGC processes that key controls are reliant upon

• You have identified all the key ITGC processes to protect the security of the application and data

• You will be testing only those ITGC processes and controls that could result in a financial reporting error

Page 18

When GAIT Is Applied Correctly

• The following risks are identified and controlled:
– The ITGC control failing
– The failure not being detected
– The failure impacting a key automated control or allowing an undetected material change to data used in financial reporting
– The automated control failure resulting in a material error

Page 19

GAIT Scenarios

• GAIT also includes a set of real world business scenarios to show how GAIT is applied to scope ITGCs to:
– Reduce learning curve for GAIT adopters
– Validate the approach and the resulting scoping solutions

• Ideally, GAIT will cover a variety of scenarios to include the spectrum of:
– Revenue vs general ledger
– High vs low reliance on automated controls
– High vs low reliance on Change/Operations/Security

Page 20

GAIT Scenario #1

The following information is provided to help establish the scenario. This information would be uncovered during the business risk assessment process, prior to any application of the GAIT methodology.

Company background: Fortune 100, Manufacturing, $10 billion revenue

Page 21

Identify and understand the related business processes

• This line of business accounts for $5 billion revenue. The Rebate Approval Process (RAP) business process handles all approval for non-standard customer pricing. In other words, all non-standard customer prices are approved through this process. The amount of revenue flowing through this business approval process is approximately $500 million.

Page 22

Identify and understand the application/IT organization

• IT management
– The application development group is responsible for normal application support and maintenance
– Application operations are run by Global IT Operations, based in Minneapolis, MN
– A DBA group supports the operations group and aids in application upgrades
– A technical network operations team manages the operating system and networks

• Application
– Developed in-house, written in J2EE, and in operation for over four years
– Modifications are made to the application on a quarterly basis
– Approximately 1000 users run this application on a regular basis
– Approximately $500 million revenue is processed through this application

Page 23

Identify and understand the application/IT organization

• Interfaces
– Input interface: data is moved to this application using FTP from a remote server, which transits the corporate network, touching a series of routers, but no firewalls.
– Output interface: identical to input interface.

• Database
– Application runs on Microsoft SQL Server
– Databases are patched quarterly
– DBAs have access to the production database, and could inject information that bypasses the application

• Operating system
– Microsoft Windows 2000
– Patched quarterly

• Network
– Application has input that transits the network and could result in loss of data

Page 24

Identify the risks within the integrated business process

• We establish that there is a risk that rebate-related accounts may be materially misstated due to:
– Unauthorized rebates
– Incorrectly calculated rebates
– Incomplete accounting for rebates due to incorrect accruals, etc.

• We establish that not only revenue-related accounts may be misstated, but also rebate-related balance sheet accounts.

• We establish that the quantity of rebates in this business is so high that the materiality threshold is crossed.

• We establish that because the transaction volumes are so high, a report review is not sufficient: a failure here could break the business.

Page 25

Identify manual, automated controls and key functionality within the process that mitigate the risks

• Identify key controls
– Identify manual, automated controls and key functionality within the process that mitigate the risks

• Automated controls:
– Approval of non-standard prices is restricted to authorized managers
– Approval of non-standard prices is routed to authorized managers

• Manual controls reliant upon key reports:
– There is a later reconciliation in another application that compares approved prices to prices on customer billings. The approved prices report is generated from this application (RAP), and is therefore reliant on correct functioning of the RAP application.

• Key functionality:
– Rebates are completely and accurately calculated
– Data is correctly received from (input) ABC application
– Data is correctly uploaded to XYZ application

Page 26

Identify Relevant IT Infrastructure Elements And IT Processes

Layer                  | Change Management | Operations | Security/Logical Access
Application            | ???               | ???        | ???
Database               | ???               | ???        | ???
Operating system       | ???               | ???        | ???
Network/infrastructure | ???               | ???        | ???

Page 27

Validate the IT entity and management control environment

• We establish that the CIO is getting appropriate reports on the effectiveness of the change, operations and security processes

• We establish that the organizational maturity of the management organizations is as follows:
– Application management: high maturity, no repeat audit findings, minor incidents of business complaints of outages
– Database management: lower maturity, one repeat audit finding, 12 instances of outages due to failures in the change management process
– And so forth…

Page 28

Identify Relevant IT Infrastructure Elements And IT Processes

Layer                  | Change Management | Operations | Security/Logical Access
Application            | Yes               | Yes        | Yes
Database               | Yes               | No         | Yes
Operating system       | No                | No         | Yes
Network/infrastructure | Yes               | Yes        | No

Page 29

Evaluate the risks related to the IT processes
Application layer: Change Management process

Critical functionality, automated controls, key report:
• Approval of non-standard prices is restricted to authorized managers
• Approval of non-standard prices is routed to authorized managers
• The approved prices report generated by the application
• Data is correctly received from (input) ABC application
• Data is correctly uploaded to XYZ application

Risks: what could go wrong:
• Unauthorized changes
• Inadequate or inappropriate code promotions
• Failed changes, unintended consequences from change
• …and so forth

IT processes and process owners:
• Change control team: Bob, Director, Change Management
• RAP support team: Frank Rap, Manager
• Production Migration team: Betty Migration, Manager
• DBA team

Page 30

Evaluate the risks related to the IT processes
Application layer: Operations process

Critical functionality, automated controls, key report:
• Approval of non-standard prices is restricted to authorized managers
• Approval of non-standard prices is routed to authorized managers
• The approved prices report generated by the application
• Data is correctly received from (input) ABC application
• Data is correctly uploaded to XYZ application

Risks: what could go wrong:
• Interfaces could fail
• Incomplete or inaccurate interface process, due to abnormal end
• Inability to appropriately recover lost data, due to data backup and recovery failures
• …and so forth

IT processes and process owners:
• RAP support team: Frank Rap, Manager
• Data center operations team: Bob, Manager

Page 31

Evaluate the risks related to the IT processes
Application layer: Security/logical access process

Critical functionality, automated controls, key report:
• Approval of non-standard prices is restricted to authorized managers
• Approval of non-standard prices is routed to authorized managers
• The approved prices report generated by the application
• Data is correctly received from (input) ABC application
• Data is correctly uploaded to XYZ application

Risks: what could go wrong:
• Add/change/delete data and code not in accordance with management’s intentions
• Inappropriate changes to data are made by system users (because access privileges are inappropriate – regular and privileged accounts)
• Inappropriate changes are made to application code
• Inappropriate or unauthorized transaction/data generation/approvals/deletions
• …and so forth

IT processes and process owners:
• User provisioning team: Bob, Manager
• RAP application and data owners
• Support team
• DBA team
• Director of Security

Page 32

The GAIT Program

• GAIT Principles and Methodology exposure draft
• GAIT Scenarios
• GAIT Outreach and Mobilization
• GAIT Training
– IIA webcast in July

Page 33

I Am Interested In GAIT! What Do I Do?

• Email [email protected]
• Subscribe to the GAIT status report and newsletters
• Register your interest as a GAIT Early Adopter
• Start using GAIT methodology, scenarios!

Page 34

GAIT Scoping: Step By Step (the scoping diagram from Page 13, repeated as the closing slide)