Ineffective ITGC Impact
TRA – Technology Risk & Assurance
September 28, 2010
Session Objectives
• After completing this Session, you will be able to:
  • Identify “What Matters” as it relates to risk in a financial audit
  • Relate IT to “What Matters” and scope in applications
  • Define control categories for evaluation
  • Describe how to evaluate the impact of ineffective ITGCs
TRA Integrated Audits - Strategy
• Our top-down, risk-based approach can be summarized in the following steps:
  • Understanding agency goals, objectives, and critical success factors.
  • Understanding the agency processes and the related IT requirements, including the potential impact if the agency requirements are not met.
  • Understanding the IT resources and processes that management has implemented to meet the agency requirements.
Applying a top-down, risk-based approach to IT controls
• Map Significant Accounts / MABs / Significant Classes of Transactions (SCOTs)
• Correlation between the risk related to IT general controls (ITGCs) and the underlying application or IT-dependent manual (ITDM) controls
• The nature, timing, and extent of ITGC testing should correlate with the risk within the IT environment.
• We may elect not to test ITGCs if no reliance is being placed on application or ITDM controls
Material Account Balances (MAB)
• An MAB or significant account is an account or group of accounts that could contain errors of audit importance:
  • Accounts or groups of accounts with balances that approach or exceed the amount set for TE are significant.
  • Qualitative factors must be considered.
Significant Classes of Transactions / Processes (SCOT)
• SCOTs are the combination of business processes, accounting activities, or both that are involved in processing major classes of transactions affecting significant accounts or groups of accounts:
  • Business processes: financial statement close, hire-to-retire
  • Traditional accounting activities, such as depreciation or cash disbursements
• SCOTs are classified into one of the following types:
  • Financial Statement Related
  • Routine Data Transactions
  • Non-Routine Data Transactions
  • Estimation Transactions
Financial Statement Assertions
• Financial statement assertions are representations by management that are embodied in financial statement components.
  • Existence / Occurrence
  • Completeness
  • Valuation / Measurement
  • Rights and Obligations
  • Presentation and Disclosure
Audit Risk Equation
• AR = IR x CR x DR
  • AR = Audit Risk
  • IR = Inherent Risk
  • CR = Control Risk
  • DR = Detection Risk
• The purpose of this equation is to calculate detection risk, which then indicates to the auditor how much substantive testing he or she has to do to arrive at the acceptable audit risk. It is important to note that this is the level of detection risk the auditor is willing to "live with", given the acceptable audit risk and his/her assessment of inherent and control risk.
Control Risk Definition
• AR = IR x CR x DR
• Control Risk is the tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent/detect, weaknesses in the systems of control. Control risk in this equation represents the auditor's assessment of the likelihood that a material misstatement relating to an assertion in the financial statements will not be detected and corrected, on a timely basis, by the client's internal control system. As IT professionals, we evaluate and assess control risk for IT controls in support of ITDM and application controls.
CRA / RMM
• AR = IR x CR x DR
• Combined Risk Assessment or Risk of Material Misstatement: When planning a financial statement audit, we make a preliminary assessment of combined risk (IR x CR) for each assertion related to each significant account or group of accounts. The importance of the assessments of inherent and control risk is highlighted by their effects on detection risk (DR). The effects can be depicted in mathematical form by the equation DR = AR / (IR x CR). The auditor mitigates or compensates for the assessed levels of risk by designing and performing procedures to detect material misstatements. The greater the inherent and control risks, the lower the detection risk needs to be, resulting in “more” procedures (“more” includes their nature and timing as well as their extent) that the auditor would need to carry out. At the end of the day, the objective is to limit audit risk to an appropriately low level, thus enabling the auditor to achieve reasonable assurance that the financial statements are free of material misstatement.
Audit Risk Example
• AR = IR x CR x DR
• Example: Low Audit Risk = High Inherent Risk x High Control Risk x Low Detection Risk
  • Low detection risk would indicate low reliance on controls and more substantive testing.
• Example: Low Audit Risk = Low Inherent Risk x Low Control Risk x High Detection Risk
  • High detection risk would indicate higher reliance on controls and less substantive testing.
IT Controls and Audit Risk
• AR = IR x CR x DR
• Our evaluation of IT controls supports the assessment of the control risk component.
  • For example, an evaluation of ineffective IT controls over systems supporting significant classes of transactions will result in a higher control risk assessment. This assessment will require a “lower” detection risk (more substantive testing) in order to adequately lower audit risk and gain reasonable assurance that financial statements are not materially misstated.
  • An evaluation of effective controls over systems supporting significant classes of transactions will result in a lower control risk assessment. This assessment will support a “higher” detection risk and allow less substantive testing in order to gain reasonable assurance that financial statements are not materially misstated.
Scope in Applications
• Identify the IT risk universe in scope by teaming with the financial auditors to determine the applications that initiate, authorize, record, process and report MABs and SCOTs
• Review and/or categorize the controls identified by the financial auditor on which reliance is intended to be placed, to determine relevant systems
• Document relevant applications and related infrastructure in scope for control testing
• Confirm scope with financial auditors and leadership
Understand reliance on direct controls
• Manual controls
  • Controls performed outside of the application (ex: manual sign-off on paper invoices)
• IT-Dependent Manual controls
  • Manual control that relies on information generated from an application (ex: manual review/sign-off of a journal entry listing)
• Application controls
  • Automated control performed by the system every time a transaction type is processed (ex: edit check for a required field that is left blank)
What are the different control categories?
[Diagram: Direct Controls (Prevent / Detect)]
• Manual Controls
• IT-dependent Manual Controls
• Automated Application Controls
[Diagram: Manual Indirect Controls]
• ITGCs - Support the continued functioning of automated aspects of prevent and detect controls
Identify “In Scope” applications
[Diagram: Significant Accounts (MAB) → Processes (SCOTs) → Automated/IT-dependent controls → Application name]
[Diagram: Plan → Document → Test ITGCs → Report]
What are IT General Controls?
• IT General Controls
  • Relate to managing change, logical access, and IT operations applied to individual applications.
  • These controls do not operate at the individual transaction level
• Application controls:
  • Apply to every transaction (calculation, validation, edit check, etc.)
  • Reviewed at a “point in time”
IT general control considerations
• Change Management (CM):
  • Process that provides for the analysis, implementation, and follow-up of all changes requested and made to the existing infrastructure
• Logical Access (LA):
  • Process of safeguarding IT systems and resources against unauthorized use, modification, disclosure, or loss
• IT Operations (OP):
  • Process for determining that IT resources and applications continue to function as intended over time
When are ITGCs important?
• We identify, understand, and evaluate IT general controls (ITGC) related to IT applications that support business processes when the following occurs:
  • When the financial audit team evaluates application and IT-dependent manual (ITDM) controls that support a business process to reduce risk of material misstatement
  • When the financial audit team identifies electronic audit evidence (EAE) that is important to a control, analytical or substantive procedures related to an account or business process
What is the difference between ITGCs and Automated Controls?
• ITGCs are controls that help ensure the continued functioning of application controls, IT-dependent manual controls, and EAE throughout the audit period. There is an assumption that an IT automated control will continue to function as programmed over time if the critical ITGCs are placed in operation.
Evaluation Categories
• Categories for evaluation are in line with the ITGC categories:
  • Change Management
  • Logical Access
  • IT Operations
• Evaluations of each category will be assessed as effective or ineffective.
• Evaluation will also be assessed at an aggregate ITGC level as “Support” or “Not Support”
Why ITGC Evaluation Categories?
• ITGCs are evaluated by category because, depending on the nature of the direct control, some direct controls may not be impacted by an ineffective ITGC category
  • Application control – configurable
  • Application control – inherent (programmed)
• As IT Professionals, we will assist in communicating the impact at the direct control level
ITGC Evaluation
• ITGC evaluation determines if controls are designed and operating effectively.
• Evaluations of each category will be assessed as effective or ineffective.
Ineffective Approach Memo
• For “Application 3”, we document an “Ineffective Approach memo” to depict the revision/modification of audit procedures/strategy due to the inability of the information system to adequately support ITDM and application controls related to the MAB.
ITDM/EAE Control Impact?
• Can IT-Dependent manual controls or electronic audit evidence still be used by the financial auditors if ITGCs for the application supporting that control are ineffective?
• YES
Ineffective impact on ITDM/EAE
• Change Management Impact
  • Financial auditors will need to test clerical accuracy of reports utilized in ITDM controls or EAE for substantive procedures to address weakness in program changes
• Logical Access impact
  • Financial auditors will need to vouch report data to/from source documents to address weakness in logical access.
• These additional procedures will need to occur each time a report is relied upon.
Application Control Impact?
• Can application controls still be relied upon by the financial auditors if ITGCs for the application supporting that control are ineffective?
• YES
Ineffective impact on Application Controls
• Financial auditors will need to test the application control multiple times over the period under review to determine continued operation.
• If the application control is inherent to the system, logical access may not have an impact if change management is effective.
Maximum Risk Approach Impact?
• If financial auditors take a maximum risk approach and do not test controls, do ineffective ITGCs have an impact?
• YES – If electronic audit evidence is used in substantive procedures, reports will still need to be tested for clerical accuracy and vouched for validity of transactions.
CRA/RMM Impact?
• Do ineffective ITGCs automatically increase your combined risk assessment or risk of material misstatement?
• No – Not enough true manual controls are identified and tested to address what could go wrong.
What do we gain by evaluating IT general controls?
• Evaluation of IT controls will be taken into consideration when designing the nature, timing, and extent of our financial audit procedures.
• For effective ITGCs:
  • Increase the percentage of automated controls, which may decrease manual control testing.
  • Clerical accuracy of reports can be established once and at interim.
  • Application controls can be tested by a test of one
  • Leverage the use of benchmarking as applied to automated controls.
• For ineffective ITGCs:
  • Mitigate the risk of undue reliance on ineffective systems that initiate, authorize, record, process, and report significant transactions.
  • Provide value by bringing control deficiencies to those charged with governance as they relate to the financial statements, for corrective action and possible future reliance.
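As an added example (not part of the session deck), the impact rules from the ITDM/EAE, application control, maximum risk and "what do we gain" slides above, encoded as a small Python decision model; the three category names, the aggregate Support / Not Support rule and the procedure wording follow the slides, while the dictionary layout, function names and the narrowing of the inherent-control carve-out to "logical access is the only ineffective category" are assumptions:

```python
from typing import Dict, List

# Constructed model of the deck's rules; category names are the deck's,
# the data structure and function names are assumptions.
CATEGORIES = ("change_management", "logical_access", "it_operations")


def aggregate(evaluation: Dict[str, str]) -> str:
    """Aggregate ITGC conclusion: 'Support' only if every category is effective."""
    assert set(evaluation) == set(CATEGORIES)
    return "Support" if all(v == "effective" for v in evaluation.values()) else "Not Support"


def itdm_or_eae_procedures(evaluation: Dict[str, str]) -> List[str]:
    """Extra financial-audit procedures for an ITDM control or an EAE report.
    The deck names no ITDM/EAE procedure for an IT operations weakness, so none is added."""
    steps: List[str] = []
    if evaluation["change_management"] == "ineffective":
        steps.append("test clerical accuracy of the report each time it is relied upon")
    if evaluation["logical_access"] == "ineffective":
        steps.append("vouch report data to/from source documents each time it is relied upon")
    if aggregate(evaluation) == "Support":
        steps.append("establish clerical accuracy once, at interim")
    return steps


def application_control_procedures(evaluation: Dict[str, str], inherent: bool) -> List[str]:
    """Testing approach for an automated application control.
    inherent=True means the control is programmed rather than configurable."""
    if aggregate(evaluation) == "Support":
        return ["test of one; benchmarking may be leveraged"]
    ineffective = {c for c in CATEGORIES if evaluation[c] == "ineffective"}
    # Deck's carve-out: for an inherent control a logical access weakness may not
    # matter when change management is effective. Modelled (assumption) as the
    # case where logical access is the only ineffective category.
    if inherent and ineffective == {"logical_access"}:
        return ["test of one; logical access weakness does not impact an inherent control"]
    return ["test the control multiple times over the period under review"]


def maximum_risk_procedures(evaluation: Dict[str, str], uses_eae: bool) -> List[str]:
    """Impact when financial auditors do not test controls (maximum risk approach)."""
    if aggregate(evaluation) == "Support" or not uses_eae:
        return []
    return ["test reports for clerical accuracy", "vouch reports for validity of transactions"]
```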
Session Summary
• You should now be able to:
  • Identify “What Matters” as it relates to risk in a financial audit
  • Relate IT to “What Matters” and scope in applications
  • Define control categories for evaluation
  • Describe how to evaluate the impact of ineffective ITGCs