IT Risk, SOX and the Smaller Insurance Company
11/17/2006
Andrew Pinnero
• Director of Information Technology Assurance Practice
• Task Force Member, COSO’s New Guidance for Smaller Public Companies
Public Company Financial Fraud and the Sarbanes-Oxley Act of 2002 (SOX)
• Per the SEC, publicly traded companies must comply with SOX
• Senior management is responsible for the accuracy of financials
• Financially relevant IT systems are part of corporate compliance
• COSO became the standard framework for the majority of companies
• External auditors must objectively assess the IT controls supporting in-scope systems
Examples of IT Control Frameworks
• Control Objectives for IT (COBIT) – IT-related control framework
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) – Original framework weaves IT controls into a general business control framework
The SOX Challenge
• The External Auditor must:
  • Assess the accuracy of the reporting company’s financial statements
  • Meet the requirements of SOX
  • Maintain a healthy relationship with its client
• The Audited Company must:
  • Weigh its risk appetite vs. its compliance requirements and costs
  • Use a generally accepted control framework
SOX Had Created its Own Issues…
• Average annual post-SOX cost of reporting to the SEC doubled, from $1.3M to $2.9M
• Second-year filers issued formal complaints to the SEC
• Auditors and clients took the approach of documenting every control, not just key controls
…and Backlash
• Audit fees paid by companies doubled, resulting in calls for new “industry regulations”
• Some NYSE companies are considering alternative capital resources, including going private
• A number of large IPOs have opted to go public overseas
Foreign Capital Inflow Has Slowed…
• “Of the 24 largest IPO deals in 2005, Wall Street captured one.” *
• “Tougher corporate disclosure laws enacted in 2002 [SOX] have influenced the decisions of many non-US companies…to IPO in Europe” – PWC *
* NY Post, 9/17/06
Guidance Overview
• Provides principles and attributes aligned with COSO’s 1992 internal control framework
• Assists smaller organizations in understanding how to ensure a robust system of internal control that reflects their size, structure and degree of complexity
• Provides examples of how small businesses have actually implemented the principles and related attributes identified in the document
• Not a checklist!
Why Was It Needed?
• A response to the discontent over SOX filing requirements
• Smaller companies have unique IT control issues
• IT management needed to be considered at the beginning of the assessment process, not at the end
Guidance Objectives
Three objectives of good internal control:
• Accuracy of financial reporting
• Compliance with laws and regulations
• Effective and efficient operations
The COSO control components are designed to assist the organization in achieving these objectives.
2006 Guidance IT-Specific Highlights
The 2006 COSO “Smaller Companies” framework is comprised of 20 principles clustered into the five COSO areas:
• Control Environment – IT governance should be considered
• Risk Assessment – IT should be involved in the early stages
• Control Activities – Specific IT principles and controls
• Information and Communication – Policy flow
• Monitoring – IT monitoring is an integral part of SOX
Smaller Public Insurance Companies: Internal Control Challenges
• Resources: Obtaining sufficient resources (segregation of duties)
• Management Domination: Opportunities for improper management override of processes
• Board Expertise: Recruiting individuals with the requisite financial reporting and insurance expertise to serve effectively on the board
Smaller Public Insurance Companies: Internal Control Challenges (cont.)
• Management Competence: Recruiting and retaining personnel with sufficient experience and skill in accounting, financial and actuarial reporting
• Running the Business: Taking management attention away from daily routines in order to focus on accounting and financial reporting
• Information Technology: Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources
Smaller Insurance Company IT Characteristics
• High employee-to-IT-staff ratio
• Faster response to internal and external changes
• Employees may assume multiple roles and responsibilities and change them often
• Segregation of duties may be unfeasible
• Actuarial systems are usually not managed by IT
• Heavy use of end-user applications
Corporate Risk Tolerance and Appetite
• Corporate culture weighs heavily on how management reacts to and manages IT risk
• IT management’s risk appetite is often a reflection of “C”-level management’s attitude toward risk
• Management’s belief that IT can prevent fraud compounds risk identification and measurement issues
Types of IT Risk
• General Computer Operations
• IT Supported Applications
• End User Systems
General Computer Operations Risk Overview
• Unauthorized access to computing resources such as the network, O/S or physical systems
• Data integration errors
• Monitoring and incident escalation issues
• Physical security violations go undetected
• Programmer access to production systems
GCO Example 1 - Access to IT Resources
• Risk: Improper use, disclosure, modification or loss of critical data
• Controls:
  • Physical access limited to authorized people
  • Logical access controlled via an information security policy implemented on the network
GCO Example 2 - Change Management
• Risk: Incorrect changes made to system, application, infrastructure and/or database
• Controls:
  • Change management policy and procedure
  • Changes tested and approved prior to release
  • Separate development, test and production environments
IT Supported Application Risk Overview
• Unauthorized access to applications
• Segregation of duties
• Administrator independence
• Monitoring and incident escalation issues
IT Supported Applications Example 1
• Risk: Segregation of duties in a claims processing system
• Controls:
  • Periodic recertification of users on the claims system
  • Policies
  • Management authorization/provisioning
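The periodic recertification and segregation-of-duties controls listed for the claims system, as an added example that is not part of the presentation: a review script run over a constructed user-entitlement extract, flagging accounts whose role combination lets one person enter, approve and pay a claim, and accounts with no recent manager attestation. The role names, conflict rules, user ids and dates are all assumed.

```python
"""Segregation-of-duties and recertification review for a claims system.

Added example, not from the presentation: the role names, conflict rules,
accounts and dates in the extract below are all constructed.
"""
from datetime import date

# Constructed rule set: role pairs one account must never hold together,
# since together they let a single person enter, approve and pay a claim.
CONFLICTING_ROLES = {
    frozenset({"CLAIM_ENTRY", "CLAIM_APPROVE"}),
    frozenset({"CLAIM_APPROVE", "PAYMENT_RELEASE"}),
    frozenset({"CLAIM_ENTRY", "PAYMENT_RELEASE"}),
}

# Review date (the presentation date) and a constructed entitlement extract:
# user id, roles held, and the date a manager last recertified the access.
AS_OF = date(2006, 11, 17)
ENTITLEMENTS = [
    {"user": "jdoe",   "roles": {"CLAIM_ENTRY"},                      "recertified": date(2006, 9, 1)},
    {"user": "asmith", "roles": {"CLAIM_ENTRY", "CLAIM_APPROVE"},     "recertified": date(2006, 10, 15)},
    {"user": "rlee",   "roles": {"CLAIM_APPROVE", "PAYMENT_RELEASE"}, "recertified": date(2005, 12, 1)},
    {"user": "mchen",  "roles": {"PAYMENT_RELEASE"},                  "recertified": None},
]


def sod_conflicts(roles):
    """Return the conflicting role pairs present in one account's role set."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles)


def recert_stale(recertified, as_of, max_days=180):
    """True when no manager attestation exists within the last max_days."""
    return recertified is None or (as_of - recertified).days > max_days


def review(entitlements, as_of, max_days=180):
    """One finding per account that fails the SoD check or the recertification check."""
    findings = []
    for e in entitlements:
        conflicts = sod_conflicts(e["roles"])
        stale = recert_stale(e["recertified"], as_of, max_days)
        if conflicts or stale:
            findings.append({"user": e["user"], "sod_conflicts": conflicts, "recert_stale": stale})
    return findings


if __name__ == "__main__":
    for finding in review(ENTITLEMENTS, AS_OF):
        print(finding)
```

Each finding is something management must either remediate (remove a role) or explicitly re-authorize, which is the evidence an auditor will ask for on this control.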
IT Supported Applications Example 2
• Risk: Unauthorized access is not detected
• Controls:
  • Monitoring controls are consistently applied to immediately identify unauthorized activity on the system
  • Audit logs are protected
  • Audit triggers are properly configured
End User Systems Risk Overview
• High risk of inadvertent changes (e.g., queries, formulas)
• High risk of insufficient testing of changes
• Undocumented “spaghetti code” understood only by its creator
• Difficult to secure
End User Systems – Example IT Controls for Actuarial Loss Triangle Spreadsheets
• Consistent change management (version control)
• Network security
• Substantive review of code
• Password protection
Summary
• The risk appetite and corporate culture of a company impact its IT risk exposure
• IT systems are tools by which fraudulent behavior may be carried out
• IT controls are utilized to mitigate the IT risks identified by management
• IT controls may be owned by IT or by the end user; therefore, risks are dynamic
Questions and Answers
apinnero@verisconsulting.com