310 likes | 459 Views
11/17/2006. IT Risk, SOX and the Smaller Insurance Company. Andrew Pinnero. Director of Information Technology Assurance Practice Task Force Member COSO’s New Guidance for Smaller Public Companies. Information Technology Risks SOX History and Challenges.
E N D
11/17/2006 IT Risk, SOX and the Smaller Insurance Company
Andrew Pinnero • Director of Information Technology Assurance Practice • Task Force Member COSO’s New Guidance for Smaller Public Companies
Public Company Financial Fraud and Sarbanes Oxley Act of 2002 (SOX) • Per SEC… publicly traded companies must comply with SOX • Senior management is responsible for accuracy of financials • Financially relevant IT systems are part of corporate compliance • COSO became the standard framework for majority of companies • External Auditors must objectively assess the IT controls supporting in scope systems
Examples of IT Control Frameworks • Control Objectives for IT (COBIT) – IT-related control framework • Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Original framework weaves IT controls into a general business control framework
The SOX Challenge • The External Auditor must: • Assess the accuracy of the reporting company’s financial statements • Meet the requirements of SOX • Maintain a healthy relationship with its client • The Audited Company must: • Weigh its risk appetite vs. its compliance requirements and costs • Use a generally accepted control framework
SOX Had Created its Own Issues… • Average annual post-SOX cost of reporting to SEC doubled from $1.3M to $2.9M • Second-year filers issued formal complaints to the SEC • Auditors/clients took the approach of documenting every control…not key controls
…and Backlash • Audit Fees paid by companies doubled resulting in calls for new “industry regulations” • Some NYSE companies are considering alternative capital resources including going private • A number of large IPO's have opted to go public overseas
Foreign Capital Inflow Has Slowed… • “Of the 24 largest IPO deals in 2005, Wall Street captured one.” * • “Tougher corporate disclosure laws enacted in 2002 [SOX] have influenced the decisions of many non-US companies…to IPO in Europe” - PWC * *NY Post 9/17/06
Guidance Overview • Provides principles and attributes, aligned with COSO’s 1992 internal controls framework • Assists smaller organizations in understanding how to ensure a robust system of internal control reflecting size, structure and degree of complexity • Provides examples of how small businesses have actually implemented the principles and related attributes identified in the document • Not a checklist !
Why Was it Needed? • A response to the discontent over SOX filing requirements • Smaller companies have unique IT control issues • IT management needed to be considered at the beginning of the assessment process, not at the end
Guidance Objectives Three objectives of good internal control: • Accuracy of financial reporting • Compliance with laws and regulations • Effective and efficient operations The COSO control components are designed to assist the organization in achieving objectives
2006 Guidance IT Specific Highlights The 2006 COSO “Smaller Companies” framework is comprised of 20 principles clustered into the five COSO areas: • Control Environment – IT Governance should be considered • Risk Assessment – IT should be involved in early stages • Control Activities – Specific IT principles and controls • Information and Communication - Policy flow • Monitoring – IT monitoring is an integral part of SOX
Smaller Public Insurance Companies Internal Control Challenges • Resources: Obtaining sufficient resources (segregation of duties) • Management Domination: Opportunities for improper management override of processes • Board Expertise: Recruiting individuals with requisite financial reporting and insurance expertise to serve effectively on the board
Smaller Public Insurance Companies Internal Control Challenges (cont.) • Management Competence: Recruiting and retaining personnel with sufficient experience and skill in accounting, financial and actuarial reporting • Running the Business: Taking management attention away from daily routines in order to focus on accounting and financial reporting • Information Technology: Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources
Smaller Insurance Company IT Characteristics • High employee to IT staff ratio • Faster response to internal and external changes • Employees may assume multiple roles and responsibilities and change them often • Segregation of duties may be unfeasible • Actuarial systems usually not managed by IT • Heavy use of end-user applications
Corporate Risk Tolerance and Appetite • Corporate culture weighs heavily on how management reacts to and manages IT risk • IT Management’s risk appetite is often a reflection of “C” level management attitude toward risk • Management's belief that IT can prevent fraud compounds risk identification and measurement issues
Types of IT Risk • General Computer Operations • IT Supported Applications • End User Systems
General Computer Operations Risk Overview • Unauthorized access to computing resources such as network, O/S or physical systems • Data integration errors • Monitoring and incident escalation issues • Physical security violations go undetected • Programmer access to production systems
GCO Example 1 - Access to IT Resources • Risk: Improper use, disclosure, modification or loss of critical data • Controls: • Physical access limited to authorized people • Logical access controlled via information security policy implemented on the network
GCO Example 2 - Change Management • Risk: Incorrect changes made to system, application, infrastructure and/or database • Controls: • Change management policy & procedure • Changes tested & approved prior to release • Separate development, test & production environments
IT Supported Application Risk Overview • Unauthorized access to applications • Segregation of duties • Administrator independence • Monitoring and incident escalation issues
IT Supported Applications Example 1 • Risk: Segregation of duties in a claims processing system • Controls: • Periodic recertification of users on the claims system • Policies • Management authorization/provisioning
IT Supported Applications Example 2 • Risk: Unauthorized access is not detected • Controls: • Monitoring controls are consistently applied to immediately identify unauthorized activity on the system • Audit logs are protected • Audit triggers are properly configured
End User Systems Risk Overview • High risk of inadvertent changes (e.g., queries, formulas) • High risk of insufficient testing of changes • Undocumented “spaghetti code” understood only by its creator • Difficult to secure
End User Systems – Example IT Controls for Actuarial Loss Triangle Spreadsheets • Consistent change management (version control) • Network security • Substantive review of code • Password Protection
Summary • The risk appetite and corporate culture of a company impacts IT risk exposure • IT systems are tools by which fraudulent behavior may be carried out • IT controls are utilized to mitigate IT risks identified by management • IT controls may be owned by IT or by the end-user, therefore risks are dynamic
Questions and Answers apinnero@verisconsulting.com