Deloitte. Presented by: Chris Patrick, Dana Hunter
Introductions
• Dana Hunter
  • Consultant – ERS
  • Graduated from CU in 2004
  • Degree: B.S. Business Administration, emphasis in Accounting and Information Systems
  • Specializes in Business Cycles and Financial Reporting Controls
• Chris Patrick
  • Senior Consultant – ERS
  • Graduated from CU in 2002
  • Degree: B.S. Business Administration, emphasis on Information Systems
  • 2 years of systems administration and support
  • Specializes in General Computer Controls
Agenda
• Deloitte Overview
• ERS Overview
• Controls Auditing
• General Computer Controls
• Business Cycle Controls
• Questions/Comments
Deloitte.
• One of the Big 4 Accounting Firms
• Located in over 150 countries
• Approximately 120,000 people worldwide
• Over 100 offices in the US
• Approximately 30,000 people in the US
• Serves more than 50% of the world’s largest companies
What is ERS?
Deloitte’s Enterprise Risk Services (ERS) practice is a global leader in helping clients manage risk and uncertainty – from the boardroom to the network. We provide a broad array of services that allow clients around the world to better measure and manage risk and control, and to enhance the reliability of systems and processes throughout the enterprise. With core competencies encompassing capital markets, control assurance, data quality and integrity, internal audit, regulatory consulting, and security services, our ERS professionals offer a wealth of experience across a wide spectrum of industries.
Denver ERS Overview
Helping clients manage risk and uncertainty – from the boardroom to the network.
• People
  • 23 Staff, 11 Managers, 2 Partners/Directors
  • Accounting, IT, Finance, Law backgrounds
• Services
  • Assurance Services
  • SAS 70
  • Internal Audit Consulting and Co-Sourcing
  • Sarbanes-Oxley
Service Lines
• Audit and Enterprise Risk Services (AERS)
  • 40% of 2004 Revenue
  • Audit, internal control, risk identification and management solutions
• Tax Services
  • 26% of 2004 Revenue
  • Tax preparation and planning
• Consulting
  • 30% of 2004 Revenue
  • Technology, internal controls, business processes, business solutions consulting
• Financial Advisory Services
  • 4% of 2004 Revenue
  • Corporate finance, forensic audit, reorganization solutions
SAS 70
• Assurance over the controls environment of outsourced transactions
• In-depth audit of Business Controls
• In-depth audit of General Computer Controls
• Primarily for:
  • Application service providers
  • Bank trust departments
  • Claims processing centers
  • Internet data centers
  • Other data processing service bureaus
Internal Audit
• Internal Audit Co-Sourcing
  • Risk analysis
  • Business cycle controls
    • Design, implementation and effectiveness
  • General computer controls
    • Design, implementation and effectiveness
  • Special projects
• Internal Audit Out-Sourcing
  • Function as internal audit staff at client organizations
Sarbanes-Oxley
• Readiness
  • Internal Audit consulting or co-sourcing
  • Risk analysis
  • Business cycle controls
    • Design, implementation and effectiveness
  • General computer controls
    • Design, implementation and effectiveness
• Attest
  • Assurance Service
  • Typically integrated with the Financial Statement Audit
  • COSO Framework applied to Deloitte Methodology
Sarbanes-Oxley Objectives
The objectives of the Sarbanes-Oxley Act are to:
• Restore public trust and confidence in the public securities market
• Improve corporate governance and promote ethical business practices
• Enhance transparency and completeness of financial statements and disclosures
• Ensure that company executives are aware of material information emanating from a well-controlled environment
• Hold company management accountable for material information that is filed with the SEC and released to investors
• Achieve new levels of corporate excellence
Section 404 Compliance: Management’s Assessment of Internal Controls
• CEO and CFO are required to annually:
  • State their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
  • Conduct and provide an assessment of the effectiveness of the enterprise’s internal controls for financial reporting
• External auditor to:
  • Attest to, and report on, management’s assessment of the company’s internal controls and procedures for financial reporting
  • Express two opinions on internal control over financial reporting, which requires:
    • Evaluating and opining on management’s assessment of the effectiveness of internal control over financial reporting
    • Evaluating and opining on the effectiveness of internal control over financial reporting
  • As well as the current opinion on the annual financial statements
Financial Risk Assessment
• AR = IR × CR × DR
  • AR = Audit Risk
  • IR = Inherent Risk
  • CR = Control Risk
  • DR = Detection Risk
• Business Cycle Controls for financially significant business cycles
• General Computer Controls for financially significant systems
• SAS 99 – Utilizing ACL for Auditing over J/E’s
Why Assess Control Risk?
• Provides value-added recommendations for improvements in internal controls over financial reporting and addresses the risk of financial misstatement
• Evaluates the risk of weak or ineffective internal controls adversely impacting the financial statements
We assess the reliability of the controls (Control Assurance) so that Audit may rely or not rely on controls and perform less or more substantive testing (Substantive Assurance).
Controls Auditing
• Existence
  • Does a control activity exist?
• Design
  • Does the control mitigate the risk it’s intended to mitigate?
• Operating Effectiveness
  • Are people actually performing the control as it’s designed?
General Computer Controls Auditing
• What we look at
  • Security controls
  • Change management controls
  • Operations controls
• Layers we look at
  • Applications
  • Databases
  • Operating Systems
  • Network
General Computer Controls – Common Systems
• Applications
  • Vary widely
    • ERP Systems
    • Off-the-shelf, zero-customization applications
    • Highly configured off-the-shelf applications
    • Home-grown applications
  • PeopleSoft, SAP, Oracle Financials
• Databases
  • SQL Server, Oracle
General Computer Controls – Common Systems (cont.)
• Operating Systems
  • UNIX
  • Windows
  • AS/400
  • Mainframes
• Networks
  • Novell
  • Active Directory
Business Cycle Controls
• What is a Business Cycle?
A business cycle is a sequence of principal business activities performed to process related classes of transactions. Transactions within an entity can typically be classified into one of these 7 business cycles:
• Expenditure
• Revenue
• Payroll & Personnel
• Inventory Management
• Fixed Assets
• Treasury
• Financial Accounting
Business Cycle Controls, Cont.
• Step 1: Obtain management’s process description.
• Step 2: Obtain management’s documentation of the control structure and evaluate the appropriateness of management’s control objectives.
• Step 3: Perform a preliminary assessment of the design of control activities.
• Step 4: Walk through the significant process and identify and understand the types of transactions and related risks.
• Step 5: Perform tests of operating effectiveness on control activities which meet the identified control objectives.
What We Do…
Assess Risk
• Evaluate the macro-level control environment (tone, discipline, structure) governing financial transactions and financial reporting
• Assess at a high level the relative strength of internal controls over each financial process at each reporting site worldwide
• Assess at a high level the general computer controls over financial systems and transactions
Document Controls
• Document the business processes supporting all financial transactions
• Document manual controls over financial transactions and financial reporting
• Document financial systems and related systematic (IT) internal controls over financial transactions
Test Controls
• Test controls for business processes supporting all financial transactions
• Test manual controls over financial transactions and financial reporting
• Test financial systems and related systematic (IT) internal controls over financial transactions
Remediate Control Weaknesses
• Identify control gaps and prioritize based on risk
• Develop a control deficiency remediation plan to address control deficiencies
• Design and implement new controls to address deficiencies
Develop Monitoring Process
• Define the roles and responsibilities of various parties to monitor the control management program
• Develop sustainable testing and documentation procedures to support quarterly and annual evaluations of internal control effectiveness
• Develop a control self-assessment process
Procure to Pay – Purchasing Control Objective
Control Objective: Appropriate segregation of duties exists between the recording, approving and reconciliation functions related to purchasing.
Control Activity: Individuals responsible for the creation of purchase orders are independent of the purchase requisition and master file maintenance functions.
Testing Option: Corroborative Inquiry Supported by System Review. Following discussion with the Purchase Order Entry system administrator, obtain the following access listings: 1) Purchase Order entry; 2) Purchase Order Requisition entry; and 3) Master File maintenance. Reconciliation of the user listings should facilitate assessment of the control activity. For any exceptions, further discussion with the administrator may be necessary.
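The reconciliation described in the testing option is mechanical once the three access listings are in hand: any user who appears in the Purchase Order entry listing and also in either of the other two listings is an exception to discuss with the administrator. The following is an added example of that reconciliation, not code from the presentation or from Deloitte; it assumes each listing has been exported as a plain list of user IDs, and the listings below are constructed sample data.

```python
"""Segregation-of-duties reconciliation over three access listings.

Added example (not from the original presentation). It assumes each
access listing is a plain list of user IDs exported from the Purchase
Order Entry system; the listings below are constructed sample data.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample access listings (user IDs), one per function.
PO_ENTRY = ["asmith", "bjones", "cwong", "dlee", "svc_batch"]
PO_REQUISITION = ["bjones", "emiller", "fgarcia", "svc_batch"]
MASTER_FILE_MAINT = ["dlee", "gpatel", "hnguyen"]


def normalize(listing: Iterable[str]) -> set[str]:
    """Lower-case and strip IDs so 'BJones ' and 'bjones' reconcile as one user."""
    return {u.strip().lower() for u in listing if u and u.strip()}


def sod_conflicts(po_entry, po_requisition, master_file) -> dict[str, list[str]]:
    """Return users who can create POs and also hold a conflicting function.

    The control activity requires PO creators to be independent of both
    requisitioning and master-file maintenance, so any overlap with the
    PO entry listing is an exception. Maps user -> conflicting functions.
    """
    entry = normalize(po_entry)
    conflicts: dict[str, list[str]] = {}
    for name, other in (("PO Requisition entry", normalize(po_requisition)),
                        ("Master File maintenance", normalize(master_file))):
        for user in entry & other:
            conflicts.setdefault(user, []).append(name)
    return {u: sorted(f) for u, f in sorted(conflicts.items())}


def exception_report(conflicts: dict[str, list[str]]) -> list[str]:
    """Format the exceptions as lines for follow-up with the administrator."""
    if not conflicts:
        return ["No segregation-of-duties exceptions identified."]
    return [f"{user}: also has {', '.join(funcs)}" for user, funcs in conflicts.items()]


if __name__ == "__main__":
    for line in exception_report(sod_conflicts(PO_ENTRY, PO_REQUISITION, MASTER_FILE_MAINT)):
        print(line)
```

Service accounts (such as `svc_batch` in the constructed data) show up in this reconciliation just like named users; whether a shared or batch account holding both functions is a real exception is exactly the kind of item the testing option says to take back to the administrator rather than resolve from the listings alone.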
General Computer Controls – Information Security Control Objective
Control Objective: Logical security tools and techniques are implemented and configured to enable restriction of access to programs, data, and other information resources.
Control Activity: The identity of users (both local and remote) is authenticated to the system through passwords or other authentication mechanisms. The use of passwords should incorporate policies on periodic change, confidentiality and password format (e.g. password length, alphanumeric content).
Testing Option: Corroborative Inquiry Supported by System Review. Following discussions with the network, database, financial application and system software administrators, obtain system-generated evidence of password requirements for all systems defined to be in scope for this environment. Confirm that password controls are in place that require minimum password length, password history, password complexity, password expiration and password lockout, and that those parameters are in line with best practices.
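The testing option names five parameters to confirm on every in-scope system: minimum length, history, complexity, expiration and lockout. The following is an added example of that comparison, not code from the presentation or from Deloitte. It assumes the system-generated evidence has already been transcribed into one set of parameter values per system; the threshold values and the three sample systems are constructed for illustration and are not a published benchmark, and a missing parameter is reported as a failure because "not evidenced" cannot be confirmed.

```python
"""Password parameter review against minimum thresholds.

Added example (not from the original presentation). It assumes the
system-generated evidence has been transcribed into a dict of parameter
values per in-scope system. Thresholds and sample systems are constructed
for illustration; an engagement would take the thresholds from the
client's policy or the chosen benchmark.
"""
from __future__ import annotations

# Constructed thresholds: (rule, limit). For the two "at_most" rules a value
# of 0 usually means "never expires" / "never locks out", so 0 fails.
THRESHOLDS = {
    "min_length": ("at_least", 8),
    "history": ("at_least", 6),           # previous passwords remembered
    "complexity": ("equals", True),       # alphanumeric / mixed content enforced
    "max_age_days": ("at_most", 90),      # periodic change
    "lockout_threshold": ("at_most", 5),  # failed attempts before lockout
}

# Constructed evidence for three in-scope systems (values are illustrative).
EVIDENCE = {
    "AD-domain": {"min_length": 10, "history": 24, "complexity": True,
                  "max_age_days": 60, "lockout_threshold": 5},
    "Oracle-FIN": {"min_length": 6, "history": 0, "complexity": False,
                   "max_age_days": 180, "lockout_threshold": 10},
    "SQL-app": {"min_length": 8, "history": 6, "complexity": True,
                "max_age_days": 90},  # lockout parameter not evidenced
}


def check_parameter(name: str, value) -> bool:
    """Return True if one parameter value meets its threshold; None (not evidenced) fails."""
    rule, limit = THRESHOLDS[name]
    if value is None:
        return False
    if rule == "at_least":
        return value >= limit
    if rule == "at_most":
        return value != 0 and value <= limit
    return value == limit


def review_system(params: dict) -> list[str]:
    """Return the sorted names of parameters that fail or are missing for one system."""
    return sorted(n for n in THRESHOLDS if not check_parameter(n, params.get(n)))


def review_all(evidence: dict) -> dict[str, list[str]]:
    """Map each system to its failing parameters; an empty list means all five confirmed."""
    return {system: review_system(params) for system, params in evidence.items()}


if __name__ == "__main__":
    for system, failures in review_all(EVIDENCE).items():
        status = "confirmed" if not failures else "exceptions: " + ", ".join(failures)
        print(f"{system}: {status}")
```

The review is per system rather than per environment on purpose: the testing option scopes the evidence to "all systems defined to be in scope", and a domain policy that passes says nothing about a database or application that keeps its own password settings.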
Deloitte Touche Tohmatsu Partners in Learning