SOX MISC. Raj Mehta – Partner CPA, CITP, CISA, CISSP 713-982-2955 rmehta@deloitte.com Enterprise Risk Services
DISCUSSION ITEMS
• Trends in IT Documentation/Testing
• Definition and Evaluation of Deficiencies
• Rollforward Procedures
• Q&A
IS Security Risk & Controls
Trends in IT Documentation
• In-scope applications, third-party providers, infrastructure, etc. still keep changing!
• Documentation does not focus on the key aspects that matter to the financials
Trends in IT Documentation
• Documentation trends run to two extremes: very high level (reader's reaction: "Who cares?") or far too granular (reader's reaction: "How can you miss that?")
• IMPACT = STILL DOCUMENTING, COSTING MONEY & RESOURCES
Trends in IT Documentation
• SCOPE it right:
• How important are the application control(s) to the transaction life cycle?
Trends in IT Documentation
• Disconnect between "process/manual" controls and application control assessments when each is assessed in its own "silo".
• Disconnect between authentication and authorization: if an application has "weak" authentication controls and authentication fails, authorization fails with it, because access rights are enforced against an identity that was never reliably established.
Evaluation of Deficiency
Definitions:
• A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
• A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
How to determine?
• Evaluate magnitude and likelihood
• Potential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality are presumed to be more than inconsequential.
• Potential misstatements less than 20% of overall annual or interim financial statement materiality may be concluded to be more than inconsequential as a result of the consideration of qualitative factors, as required by AS2.
Themes
• Important to correctly classify the type of control deficiency
  • Application control deficiencies
  • GCC deficiencies
• GCC are evaluated in relation to their effect on application controls
  • GCC deficiencies do not directly result in misstatements
  • Misstatements result from ineffective application controls
Theory – Evaluating Process Level Controls (Applications) (two slides; diagram content not captured in this transcript)
How does this work for IT controls?
• Application/Process Level Controls:
  • Group deficiencies together by major class of transactions (related processes), e.g., for the Expenditure cycle include deficiencies from procurement, invoice processing, cash disbursements, etc.
  • For application-specific issues, consider which aspects of the transaction life cycle are affected and the volume and dollar amount of transactions (e.g., if the authentication control fails for the Payroll system and there are no compensating/mitigating controls, then the entire Payroll Expense balance is the exposure and has to be evaluated against materiality).
• General Computer Controls:
  • Can the failure be isolated to specific application(s), or is it truly pervasive? For example, a UNIX security deficiency may impact only the Payroll system, whereas a user access administration deficiency will likely impact all systems.
Consider factors related to the deficiency:
• Nature and significance of the deficiency
• Proximity of the control to applications and data
• Pervasiveness of the control across applications and processes
• Complexity of the entity's systems environment
• GCC deficiency supporting applications related to accounts susceptible to loss or fraud
• Cause and frequency of known or detected exceptions in the operating effectiveness of the GCC
• An indication of increased risk evidenced by a history of misstatements relating to applications affected by the GCC
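The slides above describe an evaluation procedure without showing it end to end: group deficiencies by major class of transactions, count only exposure that has more-than-remote likelihood and no compensating control, translate each GCC deficiency into the application controls that depend on it (isolated versus pervasive), then apply the 20%-of-materiality presumption and the qualitative factors. The following is an added example written for this page, not Deloitte tooling or anything from the original deck. Its class names, the sample deficiencies and the $1,000,000 materiality are constructed; two rules it needs that the slides do not state are labelled as assumptions in the comments: a dependent application control inherits a failed GCC with more-than-remote likelihood and its full exposure, and a potential misstatement at or above materiality is treated as material.

```python
"""Group control deficiencies by transaction cycle and classify each cycle under the
AS2-era definitions quoted on this page.  Hypothetical helper written for this page;
the rules marked "assumption" are not stated on the slides."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Likelihood(Enum):
    REMOTE = "remote"
    MORE_THAN_REMOTE = "more than remote"


@dataclass(frozen=True)
class AppControl:
    """An application control that depends on a general computer control (GCC)."""
    name: str
    cycle: str        # major class of transactions it belongs to, e.g. "Payroll"
    exposure: float   # balance or transaction volume the control covers


@dataclass(frozen=True)
class AppDeficiency:
    control: str
    cycle: str
    exposure: float
    likelihood: Likelihood
    compensating: bool = False        # an effective compensating/mitigating control exists
    qualitative_flags: tuple = ()     # e.g. ("fraud-susceptible",) from the factors list


@dataclass(frozen=True)
class GccDeficiency:
    control: str            # e.g. "UNIX security", "user access administration"
    affected_apps: tuple    # applications whose controls rely on it (pervasiveness)


def expand_gcc(gcc: GccDeficiency, app_controls: dict) -> list:
    """A GCC deficiency causes no misstatement by itself; it is evaluated through the
    application controls that depend on it.  Assumption: each dependent application
    control is treated as failed with more-than-remote likelihood and full exposure."""
    return [
        AppDeficiency(control=f"{ctl.name} (via GCC: {gcc.control})", cycle=ctl.cycle,
                      exposure=ctl.exposure, likelihood=Likelihood.MORE_THAN_REMOTE)
        for app in gcc.affected_apps
        for ctl in app_controls.get(app, ())
    ]


def classify_cycle(deficiencies, materiality: float) -> tuple:
    """Aggregate one transaction cycle and return (classification, counted exposure).

    Only deficiencies with more-than-remote likelihood and no effective compensating
    control contribute exposure (slides: no mitigating control => full balance exposed).
    Assumption: potential misstatement at or above materiality is treated as material."""
    counted = [d for d in deficiencies
               if d.likelihood is Likelihood.MORE_THAN_REMOTE and not d.compensating]
    exposure = float(sum(d.exposure for d in counted))
    flags = {f for d in counted for f in d.qualitative_flags}
    if not counted:
        return "control deficiency", exposure
    if exposure >= materiality:
        return "material weakness", exposure
    # AS2: >= 20% of materiality is presumed more than inconsequential; below that,
    # qualitative factors can still push the conclusion to "more than inconsequential".
    if exposure >= 0.20 * materiality or flags:
        return "significant deficiency", exposure
    return "control deficiency", exposure


def evaluate(app_deficiencies, gcc_deficiencies, app_controls, materiality) -> dict:
    """Translate GCC findings into application-control deficiencies, group everything by
    major class of transactions, and classify each cycle."""
    all_defs = list(app_deficiencies)
    for gcc in gcc_deficiencies:
        all_defs.extend(expand_gcc(gcc, app_controls))
    by_cycle = defaultdict(list)
    for d in all_defs:
        by_cycle[d.cycle].append(d)
    return {cycle: classify_cycle(ds, materiality) for cycle, ds in by_cycle.items()}


# Constructed sample data (not from the deck): application controls that depend on GCCs.
SAMPLE_APP_CONTROLS = {
    "Payroll": [AppControl("Payroll authentication", "Payroll", 5_000_000)],
    "GL": [AppControl("Journal approval workflow", "Financial Close", 2_000_000)],
}


def sample_evaluation() -> dict:
    """Constructed scenario with materiality of $1,000,000 (20% threshold = $200,000)."""
    mtr = Likelihood.MORE_THAN_REMOTE
    app_deficiencies = [
        AppDeficiency("Invoice approval limits", "Expenditure", 150_000, mtr),
        AppDeficiency("Disbursement dual review", "Expenditure", 100_000, mtr),
        AppDeficiency("Credit memo approval", "Revenue", 50_000, mtr,
                      qualitative_flags=("fraud-susceptible",)),
        AppDeficiency("Asset tag reconciliation", "Fixed Assets", 30_000, mtr),
        AppDeficiency("Count sheet sign-off", "Inventory", 900_000, mtr, compensating=True),
    ]
    # UNIX security on the payroll host is isolated to Payroll, not pervasive.
    gcc_deficiencies = [GccDeficiency("UNIX security (payroll host)", ("Payroll",))]
    return evaluate(app_deficiencies, gcc_deficiencies, SAMPLE_APP_CONTROLS, 1_000_000)


if __name__ == "__main__":
    for cycle, (verdict, exp) in sample_evaluation().items():
        print(f"{cycle:<15} {verdict:<24} exposure ${exp:,.0f}")
```

Run as written, the Expenditure cycle lands at a significant deficiency only because procurement and disbursement findings were aggregated (each alone is under the 20% line), Revenue reaches the same verdict on the qualitative flag alone, the Inventory finding drops to a control deficiency because a compensating control absorbs it, and the isolated UNIX finding becomes a material weakness only through the Payroll authentication control it undermines. Swapping the GCC for a pervasive one (user access administration affecting both Payroll and GL) pulls Financial Close into the result as well, which is the isolated-versus-pervasive distinction the slide makes.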
Likely Candidates for SD or Higher related to IT?
• Information Security
• Change Controls
Roll Forward Procedures
• Management has a responsibility to update/roll forward its interim evaluation for purposes of its assessment and reporting on the effectiveness of internal control to the "as of" date, as required by the SEC's Final Rule, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports: "The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective."
• The SEC Rule also requires: ". . . a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter (or the issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting."
Roll Forward Procedures (cont.)
Evaluation of Design Effectiveness: Identify and evaluate significant changes in the business or the business environment in which the company operates that may impact the continued effectiveness of the design of ICFR. Procedures may include:
• Considering the results of the monitoring processes
• Identifying and responding to new risks as they are identified (continuously updating the risk assessment process)
• Making inquiries of managers and others as to their knowledge of any significant changes or events that may affect the design of internal control
• Updating the self-assessment process, whereby the organization confirms the continued design effectiveness of internal control
Roll Forward Procedures (cont.)
Tests of Operating Effectiveness: Determine whether significant changes in the operating effectiveness of ICFR have occurred. Procedures may include:
• Considering the results of the monitoring processes
• Performing independent tests, whereby the test may be applied directly to the control activity or by:
  • Testing an effective control that specifically monitors the continued operation of the underlying control activity (e.g., review of the bank reconciliation)
  • Testing an effective control upon which the underlying control activity is dependent (e.g., program change controls)
• Updating the self-assessment process, whereby the organization confirms the continued operation of the controls. To ensure integrity, the self-assessment process should be tested periodically by someone independent of the self-assessment process (e.g., internal audit).
Q&A
• Any questions?
• Thank you
A member firm of Deloitte Touche Tohmatsu Deloitte & Touche LLP