380 likes | 580 Views
Internal Audit and IT's Role In A Down Economy. Devin Amato & Heidi Zenger Deloitte Enterprise Risk Services Kansas City ISACA February 12, 2009. Topics. Contract Risk & Compliance. What is Contract Risk & Compliance (CRC)?.
E N D
Internal Audit and IT's Role In A Down Economy Devin Amato & Heidi Zenger Deloitte Enterprise Risk Services Kansas City ISACA February 12, 2009
What is Contract Risk & Compliance (CRC)? Contract Risk & Compliance helps organizations optimize the performance of strategic business relationships by promoting the integrity and reliability of the contracts that underlie their business relationships • Impacts profits by reclaiming contractual revenue • Reduces risk by improving processes and controls
Outsourcing On/Off shore, Licensing IP, Grants, JVs, Alliances Exposure to Brand or Reputation risk Revenue leakage, unauthorized product distribution, licensing of IP Paying for potentially unwarranted variable costs - complicated, cost- plus contracts like Advertising The Extended Enterprise Contractual Obligations and Business Processes Suppliers Affiliates Company Joint Ventures Franchisee Distributors Agents Licensees Customers
Consumer Business Manufacturing Manufacturing Consumer Business Health Care Health Care Health Care Financial Services Financial Services Financial Services Real Estate Real Estate Real Estate The Extended Enterprise Contractual Obligations and Business Processes
Discussion Question • In your table groups, discuss what types of contracts exist at your company. Who is managing these? • Discuss Internal Audit’s involvement.
Renewed focus on Data Mining A Foundation for Managing Risk
Does an economic downturn mean an uptick in fraud? • Nearly two-thirds (63.3 percent) of executives surveyed expect accounting fraud to increase during the next two years. • Data from the National White Collar Crime Center shows a spike in arrests for fraud and embezzlement during the two most recent recessions. • Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years; • Following the Internet bust in 2000, arrests jumped 25% in the following two years.1 1 “Experts Say Fraud Likely to Rise” Business Week, January 9, 2009
Fraud factors • Three common factors drive fraudulent activity • How has the economy impacted these factors in your organization?
A closer look • Financial pressure • Corporate: Short term performance goals, earnings expectations, revenue forecasts, financial ratios ties to debt covenants, aggressive accounting practices and applications • Personal: Increase in asset misappropriation schemes including skimming, check tempering, and expense reimbursement • Opportunity • Downsizing, re-prioritize towards revenue reducing focus on internal controls, reduced SOD, increased workloads and inexperience • Rationalization • If employees suspect that they may be let go, they may rationalize “what do I have to lose”. • As corporate revenues decline, management may rationalize fraudulent activity believing it is serving the best interest of the company, its employees, and its shareholders.
Under PressureWhat’s the problem with general computer controls? The following factors appear to remain at play at some companies: • Companies are not linking the IT risk assessment to a top-down business risk assessment resulting in over scoping of IT assets (i.e., applications, databases, etc.) • Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary • Companies are not applying IT control frameworks in a manner that is leveraging IT-related company level controls • Companies are not capitalizing on automated controls
Discussion Question • In your table groups, discuss what your company is doing, or has done, to rationalize controls across the enterprise. • Discuss Internal Audit’s involvement.
Challenges and OpportunitiesPoint of View Solution Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges Definition - Control Rationalization Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks. • Guiding Principles • Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts. • Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization. • Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations. • Control rationalization can result in immediate benefits; however more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.
Rationalize 1 1 Category Category 5% 5% 2 2 Category Category 15% 15% 3 3 Category Category 80% 80% Working Toward a Lean and Balanced Control Design Using a risk-based control rationalization approach, companies can enhance the efficiency and effectiveness of their compliance program by: refining their testing approaches and improving their design of controls, by emphasizing efforts towards higher-risk areas while reducing costs associated with lower-level risks. Future State Model (Effective & Efficient) Current State Current State Areas of Focus Improve Effectiveness 15% 15% 1 1 2 2 35% 35% Risk-Based Approach Reduce Costs 50% 50% 3 3 (Illustrative Example) Examples: Category 1: company-level controls (e.g., control environment, period end financial reporting, anti-fraud programs) Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas Category 3: controls over routine, transactional processing
Perform IT Risk Assessment Evaluate GCC Areas and Control Objectives Rationalize Controls Develop Risk- Based Testing Approach 1 2 3 4 Control Rationalization – Phased Approach • Documented financial data flow diagrams • Documented system risk assessment • Documented relevant application and platforms (risk rated) • Documented assessment of GCC risk ratings • Documented assessment of control objective risk ratings • Documented IT Company-Level Controls • Documented IT risk-rating approach • Revised IT control matrix with risk-ratings and rationale • Documented risk-based testing strategy • Cost savings analysis Outcomes
4 2 1 3 Apply Top-Down Risk-Based Scoping & Rationalize GCC ControlsOverview General Computer Control Rationalization Lean and Balanced In Scope Out of Scope Perform IT risk assessment (identify relevant applications, platforms) Remove non-relevant IT applications and platforms Relevance to financial reporting objectives and risk-rating of associated major classes of transaction Remove non-relevant control objectives Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives Remove unnecessary controls from testing scope Re-designed Testing Approach Evaluate GCCs for effective and efficient testing Develop risk-based testing approach for GCCs NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs or an inadequate testing approach for GCCs will preclude management from being able to derive benefits of ‘benchmarking’ testing of automated controls • *Efficiency Evaluation Criteria • Remove secondary or redundant controls • Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test process for granting access before password settings) • Prioritize controls addressing multiple risks
1 Perform IT Risk Assessment Develop risk profile Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput) and qualitative (e.g., system risks) factors. Dollar throughput of the business process data flowing through the IT systems. H Financial Impact M L Inherent Risk • Example risk factors include: • Number of users • Complexity of system configuration/embedded business logic • Number/complexity of data interfaces • Frequency of configuration parameter changes • Extent of system customizations • - Level of centralization of IT function • Age of system • Extent of business process control automation
2 Risk Based Approach for GCCsRisk rate GCC areas The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.” Illustrative Purposes Only Risk Evaluation Considerations • General Computer Control • Category • Application System Development & Maintenance • Information Security • Information Systems Operations • Systems Software Support Examples of Qualitative Factors Example Procedures Risk Ranking • High volume of changes • Application dependencies • Test all three levels H • Test all three levels • High employee turnover • Complex architecture H • Mature monitoring processes • Automated tools • Test predominantly IT company level and process level controls M • Homogenous environment • Automated tools • Test predominantly IT company level controls L NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.
3 Risk Based Approach for GCCsRationalize controls After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach. For this example, the three controls in bold text will be assessed, which represents a 50% reduction in testing. The organization’s SDLC has not changed in the fiscal year, accordingly, this control will not be evaluated. These two controls are redundant in nature, accordingly, only one control will be evaluated. This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process, accordingly, this control will not be evaluated.
4 Risk Based Approach for GCCs Develop risk-based testing Alter the nature, timing and extent of control testing based on the control objective risk-ratings. *Note: Example for illustrative purposes only Risk-based testing strategy focuses resources and effort on the most important controls, and may generate opportunities for savings based on reduced overall testing effort
Cost savings analysis* The table below is an illustrative example for measuring the reduced effort that may result from implementing a risk-based testing strategy. *Note: Example for illustrative purposes only and does not imply likely savings or results
The Next Wave of Green ITIT’s role in the future of enterprise sustainability
Overview • Research program to explore senior finance and IT executives’ views on how companies around the world are changing their IT practices in an effort to save money, improve performance, and lessen their impact on the physical environment. • Respondents came from North America (56%), Europe (28%), and Asia (16%) • All industries included encompassing companies of sizes $200M - $10B + • Primary benefits fall into three buckets: • Environmental (less pollution, lower carbon emissions, less toxic waste) • Operating (lower costs, higher efficiency, lower risk) • Promotional (brand awareness, public relations, environmental)
Discussion Question • In your table groups, discuss what your companies are doing from a greening perspective; specifically around IT. • Discuss Internal Audit’s involvement.
General Statistics • More than 9 out of 10 companies have made “incremental” or “aggressive” efforts to reduce their impact on the environment • Many companies have at least basic programs in place for green IT and the funding to support these • Nearly 60% of the respondents say their company has at least 5% of its IT budget set aside for greening efforts and 35% say their company has allocated 15% or more to green IT • Two-thirds of respondents say their company has a formal program in place for measuring, monitoring, and improving its environmental performance
Barriers • Lack of information and trusted practices for improving IT’s environmental performance (44%) • Inability to build a sound business case for green IT investments (42%) • Shortage of capital and well-qualified, green IT talent (41%)
New Metrics, Incentives, and Influences • 67% of respondents stated their company has a formal program for measuring, monitoring, and improving its environmental performance • When asked “Has your company conducted a formal evaluation of the environmental impact of its business activities in the last two years?”, respondents said: • Yes, an evaluation has been completed (39%) • Yes, an evaluation is currently under way (36%) • No, we haven’t formally initiated this (25%) • Most common metrics: • Total power consumption • Power usage effectiveness/data center infrastructure efficiency • Carbon dioxide production
Examples of IT Efforts • Energy efficient hardware • Shared software resources • Virtualized server architecture • Smaller data center footprints – IT infrastructure within data centers • Printers, copiers, and fax machines • Mobile devices and wireless computers • Hardware recycling, disposal and decommissioning
End-User Applications • End user applications focused on productivity are most likely green IT investment candidates: • Videoconferencing • Online collaboration technology • Enhanced/Alternative cooling technology • Energy management software applications for servers and PCs • Server virtualization • Mobile devices
Company Examples • Intel took the heat its servers produced and redirected it to warm its cafeteria and restroom water supply. • Approval forms for the FDA – fast tracked when submitted electronically; save paper, ink, physical storage requirements • Wells Fargo addresses the power management of its servers which leads to significant cooling efficiency gains and improvement of electrical distribution within the data centers to reduce power consumption
Next Steps • Determining what efforts your company current has in place and your executives’ appetites for greening • Establishing a baseline measurement of current sustainability performance that is satisfactory for both IT and finance • Aligning the company’s tax strategy with its sustainable strategy and green investments • Evaluating IT’s part in these efforts; from capabilities of the systems to measure, monitor, and report to what IT can do to increase the effort
Contact Information:Devin Amatodamato@deloitte.com816.802.7255Heidi Zengerhzenger@deloitte.com816.802.7435