GOVERNMENT'S FRAMEWORK FOR INTERNAL CONTROL IN A CLOUD/ERP WORLD PRESENTED BY: STEVEN A. SOLOMON DEPUTY DIRECTOR, TECHNICAL SERVICES CENTER, GFOA VGFOA STAUNTON, VA OCTOBER 23, 2015

Page 1:

GOVERNMENT'S FRAMEWORK FOR INTERNAL CONTROL IN A CLOUD/ERP WORLD PRESENTED BY:

STEVEN A. SOLOMON DEPUTY DIRECTOR, TECHNICAL SERVICES CENTER, GFOA VGFOA STAUNTON, VA OCTOBER 23, 2015

Page 2:

Traditional presumptions

Internal control is primarily an audit issue

Poor internal control is the fault of management

Focus on mitigating errors and fraud

Page 3:

Critical reassessment

Internal control needs to be defined

Case needs to be made for management involvement

Three responsible parties need to work together:

Management

Governing board

Independent auditor

Page 4:

COSO

Committee of Sponsoring Organizations = COSO

Internal Control—An Integrated Framework (1992)

“COSO Report”

Page 5:

COSO Definition of Internal Control

Internal control is a process, effected by an entity’s Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations

2. Reliability of financial reporting

3. Compliance with applicable laws and regulations

Page 6:

Basic Approach of COSO Report

All entities share certain common objectives

Internal control = means used to achieve objectives

To be successful, internal control must

Involve both the governing board and management

Be comprehensive

Page 7:

Key Concepts

Process: dynamic vs. static

Components interrelated

Personnel: more than policies and procedures

Reasonable assurance: cost-benefit must be considered

Achievement of objectives: internal control logically derived from objectives

Source of consistency

Page 8:

Who Is Responsible?

Management primarily responsible

Direct beneficiary

Uniquely positioned to establish and maintain

Governing board ultimately responsible

Inherent in oversight function

Page 9:

How Much Is Enough?

A framework must be comprehensive:

Control environment

Risk assessment

Control activities

Information and communication

Monitoring activities

Page 10:

What Changed?

Principles-based approach to evaluating the effectiveness of internal control

Principles: fundamental concepts associated with each component of internal control

Points of focus: important characteristics of principles

Guidance on evaluating effectiveness:

Components and principles must be present and functioning

Components must be operating together

Page 11:

Three Basic Objectives

Operations objectives:

Effectiveness

Efficiency

Safeguarding of assets against loss

Reporting objectives:

External: financial and non-financial

Internal: financial and non-financial

Compliance objectives

Page 12:

Control Environment

Set of standards, processes, and structures that provide the basis for carrying out internal control

Controls do not function in a vacuum

Is the environment favorable to internal control?

Profoundly affects other components of internal control

Page 13:

Importance of Control Environment

Pervasive impact on the overall system of internal control

Importance impossible to exaggerate

Good environment - controls likely to function well

Bad environment - controls unlikely to function properly

Page 14:

Responsibility for Control Environment

Board and senior management

Establish tone at the top regarding the importance of internal control

Including expected standards of conduct

Management

Reinforces expectations at various levels of the organization

Page 15:

Definition of Risk

Possibility that an event will occur and adversely affect the achievement of objectives

Page 16:

Risk Assessment

Ongoing process

Current risk exposure

Future changes

Page 17:

Risk Assessment

Dynamic and iterative process for identifying and assessing risks

Consider relative to established risk tolerances

Basis for managing risk

Management specifies objectives for 1) operations, 2) reporting, and 3) compliance

Sufficient clarity to be able to identify and analyze risks

Considers potential negative impact of possible external/ internal changes

Page 18:

Risk Assessment ERP

Risk Assessment should be part of system development process

Auditors should be involved throughout

Page 19:

Definition of Control Activities

Actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out

Page 20:

Adequate Policies and Procedures

Who has the most in your organization?

Which organization is the most dynamic?

Page 21:

Characteristics of Control Activities

All levels, stages, technology

Preventive or detective

Range of manual and automated activities

Authorizations and approvals, verifications, reconciliations, business performance reviews.

Segregation of duties

Alternative control activities if impractical

Page 22:

Practical Considerations

Authorization and approvals

Advance approval

Documentation of that fact

Verifications

Comparisons – analytical review

Consistency with other financial data

Consistency with nonfinancial data

Consistency with expectations

Physical controls

Assignment of responsibility for “walk-away” items

Page 23:

Control Activities

Policies and procedures to address identified risks

Detection

Prevention

Page 24:

Information and Communication

Providing, sharing, and obtaining necessary information

Internally and externally

Upward and downward within the organization

Essential to effectiveness of other components

Page 25:

Monitoring Activities

Were controls implemented?

Do they remain effective?

Management’s response

Page 26:

Principle 11

The organization selects and develops general control activities over technology to support the achievement of objectives.

Points of focus (4)

A. Determines dependency between the use of technology in business processes and technology general controls

B. Establishes relevant technology infrastructure control activities

Page 27:

Principle 11 (cont.)

C. Establishes relevant security management process control activities

Restrict access to authorized users commensurate with job responsibilities

Protect assets from external threats

D. Establishes relevant technology acquisition, development, and maintenance process control activities

Page 28:

Evolution of Technology in Government

As government officials many of us have been around long enough to see the evolution:

We may not have thought through the impacts of technology on controls

While becoming proficient users of technology, we don’t typically understand what it takes to deliver it

The pervasiveness of technology now affects every aspect of our operations

Page 29:

Technology in the 1970’s

Data Processing: mainframes

Punch cards

Green bar reports

Primarily an accumulation and reporting function

Department Involvement: supplying the data for input

Using the reports

Audit: black box approach, audit inputs/outputs

Page 30:

Technology in the New Millennium

IT

Primarily server based

Servers could be downstairs or in the “cloud”

Legacy software phasing out

Huge amount of proprietary data is transmitted over the internet.

Electronic interconnectivity between business partners

Page 31:

Technology in the New Millennium

IT (cont.)

Virus, data security and identity theft become major issues

PCI Compliance

Application Integration

BYOD also becoming a major security issue

Page 32:

IT General Controls

Change management procedures

Document version control

Software development cycle

Access standards

Configuration, installation, and testing

Policies and procedures

Disaster recovery

Physical security

Page 33:

IT General Controls

Technical controls

Authentication controls (password)

Access controls (operating system, application)

Audit controls (monitoring and testing)

Encryption controls

Architecture controls (firewalls, VPN)

Configuration controls

Page 34:

Application Controls


Application controls are simply the automated version of what we used to do manually. Passwords have replaced locked filing cabinets, carefully designed screens have replaced pre-printed forms, and segregation of duties is accomplished through limiting screen access. They affect specific IT system applications or functions, such as billing, payroll processing or the application of cash received from customers, helping to ensure that transactions that have occurred are completely and accurately processed and recorded.
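The deck makes two related points: Principle 11 says access should be restricted to authorized users commensurate with job responsibilities, and this slide says segregation of duties in an ERP is accomplished by limiting screen access. The script below is an added example, not code from the presentation or from GFOA, showing how a control owner can test that a set of role-to-screen assignments actually keeps incompatible functions apart, and how to record a compensating control where the deck's "alternative control activities if impractical" applies (a small office where one person must handle both sides of payroll). Every screen name, role, user and conflict rule is constructed for the example; a real ERP would supply its own.

```python
"""Segregation-of-duties (SoD) test over ERP screen access.

Added example, not from the presentation: checks whether role assignments
keep incompatible business functions apart, and records documented
compensating controls for conflicts that cannot be removed.
All screen, role and user names below are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed map of business function -> ERP screens that perform it.
FUNCTIONS: Dict[str, Set[str]] = {
    "vendor_maintenance": {"AP_VENDOR_ADD", "AP_VENDOR_EDIT"},
    "invoice_entry": {"AP_INVOICE_ENTRY"},
    "payment_approval": {"AP_PAYMENT_APPROVE"},
    "payroll_changes": {"HR_PAY_RATE_EDIT"},
    "payroll_run": {"PR_RUN_PAYROLL"},
    "journal_entry": {"GL_JE_ENTRY"},
    "journal_post": {"GL_JE_POST"},
}

# Constructed conflict matrix: pairs of functions one person should not hold.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor_maintenance", "payment_approval"}),
    frozenset({"invoice_entry", "payment_approval"}),
    frozenset({"payroll_changes", "payroll_run"}),
    frozenset({"journal_entry", "journal_post"}),
}


@dataclass(frozen=True)
class Finding:
    user: str
    functions: Tuple[str, str]      # the conflicting pair, sorted
    via_roles: Tuple[str, ...]      # roles that grant screens in that pair
    mitigated_by: Optional[str]     # documented compensating control, if any


def functions_for(screens: Set[str]) -> Set[str]:
    """Return every function that at least one of the given screens performs."""
    return {fn for fn, fn_screens in FUNCTIONS.items() if fn_screens & screens}


def check_sod(users, roles, compensating=None) -> List[Finding]:
    """users: {user: [role, ...]}; roles: {role: {screen, ...}};
    compensating: {(user, frozenset(pair)): description of the control}."""
    compensating = compensating or {}
    findings = []
    for user, assigned in sorted(users.items()):
        # Effective access is the union of every screen the user's roles grant.
        screens = set().union(*(roles[r] for r in assigned))
        for a, b in combinations(sorted(functions_for(screens)), 2):
            pair = frozenset({a, b})
            if pair not in CONFLICTS:
                continue
            touched = FUNCTIONS[a] | FUNCTIONS[b]
            via = tuple(sorted(r for r in assigned if roles[r] & touched))
            findings.append(Finding(user, (a, b), via, compensating.get((user, pair))))
    return findings


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Conflicts with no documented compensating control: these need a fix."""
    return [f for f in findings if f.mitigated_by is None]


# Constructed sample data.
SAMPLE_ROLES = {
    "AP_CLERK": {"AP_VENDOR_ADD", "AP_VENDOR_EDIT", "AP_INVOICE_ENTRY"},
    "AP_SUPERVISOR": {"AP_PAYMENT_APPROVE"},
    "PAYROLL_CLERK": {"PR_RUN_PAYROLL"},
    "HR_SPECIALIST": {"HR_PAY_RATE_EDIT"},
    "GL_ACCOUNTANT": {"GL_JE_ENTRY"},
    "CONTROLLER": {"GL_JE_POST", "AP_PAYMENT_APPROVE"},
}
SAMPLE_USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_SUPERVISOR"],        # can set up a vendor and approve its payment
    "carol": ["PAYROLL_CLERK", "HR_SPECIALIST"],  # one-person payroll office
    "dave": ["GL_ACCOUNTANT"],
    "erin": ["CONTROLLER"],
}
# Compensating control documented for carol (constructed).
SAMPLE_COMPENSATING = {
    ("carol", frozenset({"payroll_changes", "payroll_run"})):
        "Finance director reviews the pay-rate change report against the payroll register each pay period",
}


def run_sample() -> List[Finding]:
    return check_sod(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_COMPENSATING)


if __name__ == "__main__":
    for f in run_sample():
        status = "mitigated: " + f.mitigated_by if f.mitigated_by else "UNMITIGATED"
        print(f"{f.user}: {f.functions[0]} + {f.functions[1]} via {', '.join(f.via_roles)} -> {status}")
```

Run against the sample data, the check reports two unmitigated conflicts for bob (invoice entry plus payment approval, and vendor maintenance plus payment approval, both arising from the AP_CLERK and AP_SUPERVISOR combination) and one conflict for carol that is covered by the documented review. The test works on effective access, the union of all screens a user's roles grant, rather than on role names, because a conflict that spans two individually harmless roles is exactly the case a role-by-role review misses.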

[Diagram: the General Ledger with its feeder applications (Human Resources, Payroll, Accounts Payable, Property Tax, Utility Billing, Municipal Court) and its outputs (Balance Sheet, Income Statement, Notes, Other Reporting)]

Page 35:

Current Concern

Why are we concerned about the dependency between application processes and technology general controls now?

What has changed?

Why is this a greater risk now?

Why are cyber attacks a greater risk?

How can focusing on the dependency between these two mitigate risk?

Page 36:

Input/Output

Cloud computing

Interfaces

Portable devices

Data storage

Flash drives

Web technology

Use of personal equipment

New media

Transparency

Cyber attacks

Page 37:

IT Risks for Governments

Cyber Attacks: Denial of Service, Account Hijacking, Viruses

Compliance: PCI Requirements, PII, Federal Grant Requirements

Multiple Entry Points: BYOD, Work from Home, Portable Storage Devices

Page 38:

COSO to COBIT

Page 40:

COBIT FRAMEWORK

Page 41:

COBIT Framework

Page 42:

Importance of Establishing Relevant Security Management Processes

Page 43:

Information Security Program

IMPLEMENT | ENFORCE | MAINTAIN | MONITOR

[Diagram of the information security program; its labels are reproduced below]

People: Sr. Management, Security Official, Staff, Citizens, Visitors, Third-parties

Process: Physical Security, Logical Security, User Management, Password Management, Business Continuity, Change Management, Systems Development, Incident Response, Training

Technology: Firewall, User Access Software, Remote Access Software, VPN Technology, Encryption, Biometrics, Virus, Access Cards, IDS/IPS

Policies & Procedures

Prevention | Protection | Recovery | Detection

Threat categories: Interruptions, Interceptions, Modifications, Fabrication

Investigate

Page 44:

Risk-Based Information Security Process

Perform an Information Security Risk Assessment

Designate security program responsibility

Develop an Information Security Program

Implement information security controls

Implement employee awareness and training

Regularly test or monitor effectiveness of controls

Prepare an effective Incident Response Procedure

Manage vendor relationships

Periodically evaluate and adjust the Information Security Program

Page 45:

Principle 12

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Points of focus (6)

A. Establishes policies and procedures to support deployment of management’s directives

Policies = what is expected

Procedures = specific actions

B. Establishes responsibility and accountability for executing policies and procedures

Page 46:

Principle 12 (cont.)

Points of focus (cont.)

C. Performs in a timely manner

D. Takes corrective action

E. Performs using competent personnel

Sufficient authority

Diligence and continuing focus

F. Reassesses policies and procedures

Continued relevance

Refresh as necessary

Page 47:

Cloud Policies and Procedures

Do we need more or fewer policies and procedures if we move to the Cloud?

Page 48:

Outsourcing of Financial Activities

Governments often outsource financial activities that materially impact both operations and financial reporting.

Examples include:

All or parts of the Information Technology function

Third Party Administrators for self insured health or risk

Pension plan administration

Revenue billing and collection

The internal control framework should provide an adequate basis for the financial statement assertions for both internal and outsourced activities.

Page 49:

Outsourcing of Financial Activities

SSAE No. 16, “Reporting on Controls at a Service Organization”, provides auditors guidance for reporting on the controls of these third party service providers.

SSAE No. 16 guidance specifically provides audit evidence to those auditing the financial statements of entities that use a service organization and is known as a SOC 1 report.

Another service organization report created under general attest guidance is SOC 2, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy”.

Page 50:

Thank You, Again! If you have any questions you can reach me at [email protected]. I always enjoy hearing from you.
