CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT Framework v2 for SOX-404)
Ed Hill, Managing Director, Protiviti
Gene Kim, CTO, Tripwire
June 2006

IIA GAIT Core Team (Task Force of IIA Technology Committee)
- Ed Hill, Protiviti
- Gene Kim, Tripwire
- Steve Mar, Microsoft
- Norman Marks, Maxtor
- Jay Taylor, General Motors Corp
- Heriot Prentice, IIA
- Julia Allen, Eileen Forrester, Software Engineering Institute
The Problem
Lack of well-established guidance for scoping IT work relating to SOX-404 leads to inconsistency and subjectivity. As a result:
- Auditors and management are frustrated with the IT aspects of SOX-404 compliance because current scoping approaches are creating overly broad scope and excessive testing costs
- SEC registrants are hesitant to reduce scope for fear of increasing risk
- Significant risks to financial assertions may be unaddressed due to lack of consistency
- SEC registrants and CPA firms both experience suboptimal use of scarce resources
Why Is There A Problem?
- No clear guidance exists to determine whether IT processes and activities can invalidate financial application processing or financial assertions
- COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
- COBIT does not provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., the COSO objective for internal control over financial reporting)
- Something else is needed…

What We Did About It
- In early 2005, the IIA Technology Committee created the GAIT task force, which has held four GAIT Summits since July 2005
- The GAIT Summits assembled key stakeholders from internal audit, management, external audit and federal regulators

Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions
- GAIT takes the approach used in the nine firm document.
- GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal controls objectives
- Reference: Chart 3, “Evaluating Information Technology General Control (ITGC) Deficiencies”, in “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)
Solution: GAIT…
- Establishes four principles that:
  - Define the relevance of IT infrastructure elements to financial reporting integrity
  - Define the three types of IT processes that can affect them: change management and systems development, operations and security
  - Define an end-to-end process view of these three processes
  - Define an approach to defining objectives and key controls within those three processes
- Provides a methodology and thinking process that continues the top-down, risk-based approach started in AS2 to scope IT general controls
- Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
- Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and compliance with laws and regulations (as defined by COSO)
GAIT Team’s Vision and Goals
- To develop in 2006 a set of widely-used and widely-accepted guiding principles, tools, methodologies and scenarios that can be used by management and auditors to properly scope IT general controls work for financial reporting and SOX-404.
- To develop a short- and medium-term roadmap that moves the GAIT Principles from “new guidance” to “great advice” to “generally accepted.”
- To develop a long-term roadmap that expands the GAIT Principles from internal control objectives for just financial reporting to one that encompasses compliance with laws and regulations, operating effectiveness, etc.
GAIT Principle #1
The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.
(“What are the relevant IT infrastructure elements?”)

GAIT Principle #2
The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:
- Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure
- Operations management: the processes around managing the integrity of production data and program execution
- Security management: the processes around limiting access to information assets
(“What are the relevant end-to-end IT processes?”)

GAIT Principle #3
Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes.
(“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)

GAIT Principle #4
The basis for identifying key controls in the three IT processes is:
- Inherent risk of not achieving the IT process objectives
- IT process risk indicators
(“How do we select key controls within those IT processes?”)
GAIT Scoping: Step By Step
(Diagram labels: “AS2 begins here” at the start of the business-process steps, “GAIT starts here” at the IT steps. Swimlanes: Business Process, Business and IT, IT.)
1. Identify key financial statement captions
2. Identify the general ledger accounts related to the key financial statement accounts (significant accounts)
3. Identify key transaction processes that affect the general ledger accounts
4. Identify and understand related business processes
5. Identify and understand applications and modules that support financially relevant business processes
6. Analyze the risks within the integrated business process (identify risks)
7. Identify manual & automated controls & key functionality within the process that mitigate the risks (identify key controls)
8. Identify IT infrastructure elements which support the application (the rest of the stack)
9. Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
Further steps shown on the slide:
- Identify and understand infrastructure that supports the business processes
- Validate IT entity and management level controls

Entity-level view (swimlanes: Business and IT, IT):
- Evaluate overall entity level controls
- Identify IT entity level elements and the demonstrated maturity of the process
- Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
Where GAIT Picks Up
- AS2 provides the steps to identify key controls within the business processes
- Some of those are automated and some are manual, relying on automated functionality (key reports)
- Failures in the above are unlikely to be detected by manual controls (otherwise, probably not key)

When GAIT Is Applied Correctly
- You have identified all the key controls you are reliant upon
- You have identified all the ITGC processes that key controls are reliant upon
- You have identified all the key ITGC processes to protect the security of the application and data
- You will be testing only those ITGC processes and controls that could result in a financial reporting error

When GAIT Is Applied Correctly
The following risks are identified and controlled:
- The ITGC control failing
- The failure not being detected
- The failure impacting a key automated control or allowing an undetected material change to data used in financial reporting
- The automated control failure resulting in a material error
GAIT Scenarios
GAIT also includes a set of real world business scenarios to show how GAIT is applied to scope ITGCs, in order to:
- Reduce the learning curve for GAIT adopters
- Validate the approach and the resulting scoping solutions
Ideally, GAIT will cover a variety of scenarios to include the spectrum of:
- Revenue vs general ledger
- High vs low reliance on automated controls
- High vs low reliance on Change/Operations/Security
GAIT Scenario #1
The following information is provided to help establish the scenario. This information would be uncovered during the business risk assessment process, prior to any application of the GAIT methodology.
Company background: Fortune 100, Manufacturing, $10 billion revenue

Identify and understand the related business processes
- This line of business accounts for $5 billion revenue.
- The Rebate Approval Process (RAP) business process handles all approval for non-standard customer pricing. In other words, all non-standard customer prices are approved through this process.
- The amount of revenue flowing through this business approval process is approximately $500 million.
Identify and understand the application/IT organization
IT management:
- The application development group is responsible for normal application support and maintenance
- Application operations are run by Global IT Operations, based in Minneapolis, MN
- A DBA group supports the operations group and aids in application upgrades
- A technical network operations team manages the operating system and networks
Application:
- Developed in-house, written in J2EE, and in operation for over four years
- Modifications are made to the application on a quarterly basis
- Approximately 1000 users run this application on a regular basis
- Approximately $500 million revenue is processed through this application

Identify and understand the application/IT organization (continued)
Interfaces:
- Input interface: data is moved to this application using FTP from a remote server; it transits the corporate network, touching a series of routers, but no firewalls.
- Output interface: identical to the input interface.
Database:
- Application runs on Microsoft SQL Server
- Databases are patched quarterly
- DBAs have access to the production database, and could inject information that bypasses the application
Operating system:
- Microsoft Windows 2000
- Patched quarterly
Network:
- Application has input that transits the network and could result in loss of data
Identify the risks within the integrated business process
- We establish that there is a risk that rebate-related accounts may be materially misstated due to:
  - Unauthorized rebates
  - Incorrectly calculated rebates
  - Incomplete accounting for rebates due to incorrect accruals, etc.
- We establish that not only revenue-related accounts may be misstated, but also rebate-related balance sheet accounts.
- We establish that the quantity of rebates in this business is so high that the materiality threshold is crossed.
- We establish that because the transaction volumes are so high, a report review is not sufficient – a failure here could break the business.

Identify manual, automated controls and key functionality within the process that mitigate the risks (identify key controls)
Automated controls:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
Manual controls reliant upon key reports:
- There is a later reconciliation in another application that compares approved prices to prices on customer billings. The approved prices report is generated from this application (RAP), and is therefore reliant on correct functioning of the RAP application.
Key functionality:
- Rebates are completely and accurately calculated
- Data is correctly received from (input) ABC application
- Data is correctly uploaded to XYZ application
Identify Relevant IT Infrastructure Elements And IT Processes (to be determined)

Layer                  | Change Management | Operations | Security/Logical Access
-----------------------|-------------------|------------|------------------------
Application            | ???               | ???        | ???
Database               | ???               | ???        | ???
Operating system       | ???               | ???        | ???
Network/infrastructure | ???               | ???        | ???
Validate the IT entity and management control environment
- We establish that the CIO is getting appropriate reports on the effectiveness of the change, operations and security processes
- We establish that the organizational maturity of the management organizations is as follows:
  - Application management: high maturity, no repeat audit findings, minor incidents of business complaints of outages
  - Database management: lower maturity, one repeat audit finding, 12 instances of outages due to failures in the change management process
  - And so forth…
Identify Relevant IT Infrastructure Elements And IT Processes (result for this scenario)

Layer                  | Change Management | Operations | Security/Logical Access
-----------------------|-------------------|------------|------------------------
Application            | Yes               | Yes        | Yes
Database               | Yes               | No         | Yes
Operating system       | No                | No         | Yes
Network/infrastructure | Yes               | Yes        | No
Evaluate the risks related to the IT processes
Application layer: Change Management process
Critical functionality, automated controls, key report:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) ABC application
- Data is correctly uploaded to XYZ application
Risks (what could go wrong):
- Unauthorized changes
- Inadequate or inappropriate code promotions
- Failed changes, unintended consequences from change
- … and so forth
IT processes and process owners:
- Change control team: Bob, Director, Change Management
- RAP support team: Frank Rap, Manager
- Production Migration team: Betty Migration, Manager
- DBA team

Evaluate the risks related to the IT processes
Application layer: Operations process
Critical functionality, automated controls, key report:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) ABC application
- Data is correctly uploaded to XYZ application
Risks (what could go wrong):
- Interfaces could fail
- Incomplete or inaccurate interface process, due to abnormal end
- Inability to appropriately recover lost data, due to data backup and recovery failures
- … and so forth
IT processes and process owners:
- RAP support team: Frank Rap, Manager
- Data center operations team: Bob, Manager

Evaluate the risks related to the IT processes
Application layer: Security/logical access process
Critical functionality, automated controls, key report:
- Approval of non-standard prices is restricted to authorized managers
- Approval of non-standard prices is routed to authorized managers
- The approved prices report generated by the application
- Data is correctly received from (input) ABC application
- Data is correctly uploaded to XYZ application
Risks (what could go wrong):
- Add/change/delete data and code not in accordance with management’s intentions
- Inappropriate changes to data are made by system users (because access privileges are inappropriate – regular and privileged accounts)
- Inappropriate changes are made to application code
- Inappropriate or unauthorized transaction/data generation/approvals/deletions
- … and so forth
IT processes and process owners:
- User provisioning team: Bob, Manager
- RAP application and data owners
- Support team
- DBA team
- Director of Security
The GAIT Program
- GAIT Principles and Methodology exposure draft
- GAIT Scenarios
- GAIT Outreach and Mobilization
- GAIT Training
- IIA webcast in July

I Am Interested In GAIT! What Do I Do?
- Email [email_address]
- Subscribe to the GAIT status report and newsletters
- Register your interest as a GAIT Early Adopter
- Start using the GAIT methodology and scenarios!
Editor's Notes

1. Add the concept of identifying entity and general control risks. Where do you figure out significant locations?
2. Evaluate overall entity level controls; evaluate IT entity level elements; evaluate the risks related to the IT processes which manage the infrastructure.