
External ITGC Audits – An Internal Auditor’s …


External ITGC Audits – An Internal Auditor's Opportunity

These slides are incomplete without the benefit of the comments made at the session. The information and considerations presented herein do not constitute legal or any other type of professional

2, 2009
Presented to: The Dallas Chapter of the Institute of Internal Auditors

Page 2 PricewaterhouseCoopers External ITGC Audits – An Internal Auditor's Opportunity

Today's Agenda
- Brief Overview of ITGCs
- Impact on Application Controls and System Generated Data
- Linkage to the Financial Audit
- Internal Audit Involvement in the ITGC Audit Life Cycle
- Additional Opportunities
- Final Thoughts

Questions to contemplate
- Have I contemplated Internal Audit's role in driving efficiencies in the external ITGC audit?
- Does the external auditor's ITGC budget seem high given the amount of work required?

- Am I doing everything I can to ensure the external auditors perform an efficient and effective ITGC audit?
- Have I been consistently interfacing with the external auditors during the planning, fieldwork and wrap up phases of the ITGC audit?
- Do the external auditors realize the maximum amount of reliance on my work? If not, what needs to happen to achieve maximum reliance?
- What else can I do to drive an efficient and effective ITGC audit?

Brief Overview of ITGCs

Entity Level Controls Over IT
- Relate to the softer COSO components
- ELCs should reflect how management approaches information technology needs and should serve to promote ongoing effectiveness of ITGCs
- Examples include:
  - IT Policies
  - Employee training
  - Communication
  - Adequacy of IT Team
- External audit will assess the overall tone at the top to decide if the nature or extent of procedures should be modified.

- When past audits have indicated deficiencies in the control environment or relevant ITGCs and remediation efforts have been insufficient, the audit plan will be developed in consideration of the potential inability to rely on impacted automated over IT Set the Tone for controls in the

ITGCs - What's Relevant for Testing
- Access to programs and data
- Program changes
- Program development
- Computer operations

Both of these domains are almost always relevant, but their complexity and the extent of audit evidence needed can vary greatly by only if needed to directly address assertions over significant accounts (more common in high transaction volume industries with complex systems, such as banking) or to address specific only where new system implementations will impact ICFR and the risk of material generally not required if no impact on current year financial statements and Auditors will generally consider risks in each of these areas, even if little or no testing is

ITGCs - Access to Programs and Data
Areas for consideration:
- Importance of restricted access to.

- Segregation of duties objectives
- Fraud risk
- Risk of inadvertent errors
- Company's approach to application security and the security infrastructure
- Access (user and administrative) at the application, operating system and database levels
- It is usually not necessary to test perimeter security and anti-hacking controls, such as firewalls and intrusion detection systems, unless material financial reporting risks exist that are not adequately addressed by application-level security

closer you get to financial data, the greater the risk to material

Layers of the Application Architecture and their Relative Risk
[Diagram labels: Infrastructure (INF), Operating system (OS), Application (APP), Database (DB); Increasing Level of Risk]

ITGCs - Program Changes
Areas for consideration:
- In house developed versus third party application
- Ownership of source code
- Volume / frequency of changes
- Complexity of changes
- Ownership of changes to key reports (business versus IT)
- Where accountability sits in the organization for identifying changes impacting ICFR
- Degree of finance and IT interaction

Forms the basis for relying on the ongoing operating effectiveness of application controls

ITGCs - Program Development
Areas for consideration.

- Methodology for implementing projects
- Business involvement and buy-in on requirements and design
- Contemplation of internal controls in design phase
- Nature and extent of quality assurance (unit, regression, integration testing)
- Accuracy and completeness of converted data
- Go-live approvals

Not required to be tested unless there are specific data conversions or system implementations that impact the risk of material misstatement

ITGCs - Computer Operations
Areas for consideration:
- Job maintenance and monitoring (specific to financial jobs)
- Backup and recovery procedures (in an unstable environment)
- Operating system patch maintenance
- Anti-virus controls
- Environmental controls
- Computer Operations controls, otherwise not included in scope for the financial audit, are sometimes included in scope for the purposes of a statutory present operational risk, not ICFR risk, depending on the specific circumstances

Impact on Application Controls including System Generated Data

Application Control vs.

An IT General Control?

ITGC Scoping

ITGCs
- Activities that ensure the continued effective operation of application controls, automated accounting procedures that depend on computer processes and manual controls that use application-generated information / reports
- Some ITGCs may also serve as Application Controls, password controls
- ITGCs are pervasive, and therefore often do not directly support financial statement assertions

Application controls
- Think in terms of "does this directly relate to the input, processing or output of financial transactions"
- Directly support CAVR (Completeness, Accuracy, Validity and Restricted Access), thereby contributing to comfort over financial statement assertions

Application controls
- Programmed or configured automated controls
- Reports or data generated from the system and used in manual controls or accounting procedures
- Automated calculations or data processing routines programmed into the application
- Restricted access to transaction processing capabilities
- Restricted access to programs and data
- ITGCs that directly address relevant financial statement assertions

Automated Controls - Baselining Approach

The ability to rely on the proper and consistent operation of application controls usually depends on the effective operation of related ITGCs.

- A baseline test provides evidence that an automated control is functioning as intended at a point in time.
- ITGCs support a baselining approach:
  - If ITGCs are effective and continue to be tested AND an automated control hasn't changed since the last time it was tested
  - We can conclude the automated control continues to be

System Generated Data

The ability to rely on the proper and consistent operation of application controls usually depends on the effective operation of related ITGCs.
- Often used in the execution of a manual control (ex: application generated reports)
- The higher the risk associated with the control and the more the control depends on the accuracy and completeness of data, the greater the importance of ITGCs
- Effective ITGCs provide greater comfort that the programs and data sources are controlled and protected from unauthorized access or changes

Linkage to the Financial Audit

Linkage of ITGCs to Audit Comfort

Planning and scoping considerations as it relates to the financial statement audit
- Overall scoping should be completed prior to planning for an evaluation of ITGCs
- ITGCs should be evaluated for those systems that have a direct linkage to the in-scope financial statement accounts considering relevant risk considerations
- Special consideration should be given when there are major system implementations
- Effective control design often includes a mix of automated controls and manual controls which rely

on system generated reports
- Ensure approach is well coordinated between your IT auditors and the remainder of the team

Impact of ITGC deficiencies on the financial statement audit
- ITGC deficiencies should be evaluated for their individual and collective impact on the reliability of the dependent automated application controls
- ITGCs should not be presumed to be ineffective because a few control deficiencies exist
- If the integrity of an automated control is impacted by an ITGC deficiency, determine whether the ITGC deficiency actually culminated in an application-level control issue

Evaluation of ITGC deficiencies requires integrated team judgment (both internal and external).

Internal Audit Involvement in the ITGC Audit Life Cycle

Key External Auditor Activities
- Risk assessment
- Map in scope financial statement accounts and processes to applications
- Understand significant changes in operations, personnel and systems
- Determine planned reliance on the applications and related application controls
- Determine planned reliance on management testing
- Develop the budget

Audit Planning / Fieldwork / Wrap up
- Risk rank the controls and select controls to test
- Develop test plans
- Documentation request lists
- Meet with control owner to perform design assessments
- Evaluate entity level controls over IT
- Evaluate all other ITGCs
- Communicate interim issues
- Communicate final deficiencies
- As necessary.

- Perform additional procedures for audit comfort
- Aggregate and evaluate control deficiencies

To ensure efficiencies are maximized, Internal Audit teams should be involved in all three phases of the ITGC audit life cycle. Understanding the key activities for each phase is therefore

Internal Auditor Opportunities during the Planning
- Read the SOX risk assessment/scoping memo to understand the financial statement risk; this may help you identify additional opportunities
- Risk rank the applications and controls
- Document and communicate competence and objectivity to the external auditors early
- Understand the external auditor's reliance approach and propose creative solutions to expand their reliance on management testing
- Document test plans early and submit to the external audit team for review

Fieldwork / Planning / Wrap-up

Develop a point of view and communicate it!

Internal Auditor Opportunities during
- Validate deficiencies early via a combined effort between Internal Audit, External Audit and IT
- Provide management's workpapers timely and perform a thorough root cause analysis on any deficiencies found
- Clearly document Internal Audit's test procedures and results in a manner that facilitates efficient reliance by the external auditors
- Communicate changes in your testing approach real time
- Understand the interim deficiencies and perform additional procedures to help the external auditors understand the exposure and any mitigating controls

Fieldwork / Planning / Wrap-up

Stay involved!

Internal Auditor Opportunities during
- Always come with a point of view on deficiencies
- Understand differences in what management found versus your external auditors
- Anticipate and perform additional procedures resulting from ITGC deficiencies to help the external auditors understand the exposure and mitigating controls
- Aggregate and evaluate deficiencies via a defined framework (preferably one the external auditor uses)

Fieldwork / Planning / Wrap-up

Help drive management's deficiency evaluation to achieve greater reliance

Additional Opportunities

Additional Opportunities for Driving a point of view on risk and support it with thorough documentation
- Always think with AS5 (top down, risk based approach)

