CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk
(GAIT Framework v2 for SOX-404)
Ed Hill, Managing Director, Protiviti
Gene Kim, CTO, Tripwire
June 2006
IIA GAIT Core Team
Task Force of the IIA Technology Committee
• Ed Hill, Protiviti
• Gene Kim, Tripwire
• Steve Mar, Microsoft
• Norman Marks, Maxtor
• Jay Taylor, General Motors Corp
• Heriot Prentice, IIA
• Julia Allen and Eileen Forrester, Software Engineering Institute
The Problem
• Lack of well-established guidance for scoping IT work relating to SOX-404 leads to inconsistency and subjectivity.
• As a result:
– Auditors and management are frustrated with the IT aspects of SOX-404 compliance because current scoping approaches create overly broad scope and excessive testing costs
– SEC registrants are hesitant to reduce scope for fear of increasing risk
– Significant risks to financial assertions may go unaddressed due to lack of consistency
– SEC registrants and CPA firms both experience suboptimal use of scarce resources
Why Is There A Problem?
• No clear guidance exists to determine whether IT processes and activities can invalidate financial application processing or financial assertions
– COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
– COBIT does not provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., the COSO objective for internal control over financial reporting)
• Something else is needed…
What We Did About It
• In early 2005, the IIA Technology Committee created the GAIT task force, which has held four GAIT Summits since July 2005
• The GAIT Summits assembled key stakeholders from internal audit, management, external audit and federal regulators
Vision: Create Equivalence to the Nine Firm Document on IT Control Exceptions
GAIT takes the approach used in the nine firm document.
GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal control objectives.
Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies, “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)
Solution: GAIT…
• Establishes four principles that
– Define the relevance of IT infrastructure elements to financial reporting integrity
– Define the three types of IT processes that can affect them: change management and systems development, operations, and security
– Define an end-to-end process view of these three processes
– Define an approach to defining objectives and key controls within those three processes
• Provides a methodology and thinking process that continues the top-down, risk-based approach started in AS2 to scope IT general controls
• Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
– The initial target is internal control objectives for financial reporting, but this should extend to operating effectiveness and compliance with laws and regulations (as defined by COSO)
GAIT Team’s Vision and Goals
• To develop in 2006 a set of widely-used and widely-accepted guiding principles, tools, methodologies and scenarios that can be used by management and auditors to properly scope IT general controls work for financial reporting and SOX-404.
• To develop a short- and medium-term roadmap that moves the GAIT Principles from “new guidance” to “great advice” to “generally accepted.”
• To develop a long-term roadmap that expands the GAIT Principles from internal control objectives for just financial reporting, to one that encompasses compliance with laws and regulations, operating effectiveness, etc.
GAIT Principle #1
• The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.
(“What are the relevant IT infrastructure elements?”)
GAIT Principle #2
• The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:
– Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure
– Operations management: the processes around managing the integrity of production data and program execution
– Security management: the processes around limiting access to information assets
(“What are the relevant end-to-end IT processes?”)
GAIT Principle #3
• Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes.
(“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)
GAIT Principle #4
• The basis for identifying key controls in the three IT processes is:
– Inherent risk of not achieving the IT process objectives
– IT process risk indicators
(“How do we select key controls within those IT processes?”)
GAIT Scoping: Step By Step
• Identify key financial statement captions
• Identify the general ledger accounts related to the key financial statement accounts (significant accounts)
• Identify key transaction processes that affect the general ledger accounts
• Identify and understand related business processes
• Identify and understand applications and modules that support financially relevant business processes
• Analyze the risks within the integrated business process (identify risks)
• Identify manual & automated controls & key functionality within the process that mitigate the risks (identify key controls)
• Identify IT infrastructure elements which support the application (the rest of the stack)
• Identify and understand infrastructure that supports the business processes
• Validate IT entity level controls
• Evaluate overall entity level controls
• Identify IT entity level elements and the demonstrated maturity of the process
• Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps
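As an added example (not from the deck or the GAIT task force), a small Python model of the scoping chain above: Principle #1 keeps only the infrastructure elements that support a financially-significant application, and Principle #2 turns each kept element's relevant ITGC processes into the layer × process matrix that Scenario #1 fills in later. The applications, dollar figures, materiality threshold, and the small "Cafeteria" application are constructed assumptions.

```python
from dataclasses import dataclass

# The three ITGC processes of GAIT Principle #2 and the layers of the deck's matrix.
PROCESSES = ("Change Management", "Operations", "Security/Logical Access")
LAYERS = ("Application", "Database", "Operating system", "Network/infrastructure")

@dataclass(frozen=True)
class Element:            # one IT infrastructure element (Principle #1)
    name: str
    layer: str
    relevant: tuple       # ITGC processes judged to directly impact its integrity (an input)

@dataclass(frozen=True)
class App:                # a financial application and the stack it relies on
    name: str
    amount: float         # $ processed per year (constructed figure)
    stack: tuple          # names of the Elements supporting it ("the rest of the stack")

def significant_apps(apps, materiality):
    """Principle #1: an app is financially significant when the amount it
    processes reaches the materiality threshold from the risk assessment."""
    return {a.name for a in apps if a.amount >= materiality}

def relevant_elements(apps, materiality):
    """Only infrastructure supporting a significant app is in scope; an element
    shared with insignificant apps stays in, one used only by them drops out."""
    sig = significant_apps(apps, materiality)
    return {e for a in apps if a.name in sig for e in a.stack}

def itgc_matrix(apps, elements, materiality):
    """Build the deck's layer x process scoping matrix as "Yes"/"No" cells."""
    by_name = {e.name: e for e in elements}
    matrix = {layer: {p: "No" for p in PROCESSES} for layer in LAYERS}
    for name in relevant_elements(apps, materiality):
        el = by_name[name]
        for p in el.relevant:
            matrix[el.layer][p] = "Yes"
    return matrix

# Constructed data mirroring Scenario #1 (RAP, ~$500M) plus a small hypothetical app sharing the OS host.
ELEMENTS = (
    Element("RAP J2EE app", "Application", PROCESSES),
    Element("RAP SQL Server", "Database", ("Change Management", "Security/Logical Access")),
    Element("Windows 2000 host", "Operating system", ("Security/Logical Access",)),
    Element("Corporate network", "Network/infrastructure", ("Change Management", "Operations")),
    Element("Cafeteria DB", "Database", PROCESSES),  # supports only the small app
)
APPS = (
    App("RAP", 500e6, ("RAP J2EE app", "RAP SQL Server", "Windows 2000 host", "Corporate network")),
    App("Cafeteria menu", 2e5, ("Cafeteria DB", "Windows 2000 host")),
)
MATERIALITY = 100e6  # constructed threshold
if __name__ == "__main__":
    for layer, row in itgc_matrix(APPS, ELEMENTS, MATERIALITY).items():
        print(f"{layer:24s}" + "  ".join(f"{p}: {v}" for p, v in row.items()))
```

Note that the Cafeteria database is marked relevant to all three processes yet never reaches the matrix, while the shared Windows host does: scope follows the significant application, not the element's own exposure.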
[Chart: the same scoping steps laid out as a flow in three swim lanes, Business Process, Business and IT, and IT, with markers showing where AS2 begins and where GAIT starts; the IT lane ends with validating IT entity and management level controls.]
Where GAIT Picks Up
• AS2 provides the steps to identify key controls within the business processes
• Some of those are automated and some are manual, relying on automated functionality (key reports)
• Failures in the above are unlikely to be detected by manual controls (otherwise, probably not key)
When GAIT Is Applied Correctly
• You have identified all the key controls you are reliant upon
– You have identified all the ITGC processes that key controls are reliant upon
• You have identified all the key ITGC processes to protect the security of the application and data
• You will be testing only those ITGC processes and controls that could result in a financial reporting error
When GAIT Is Applied Correctly
• The following risks are identified and controlled:
– The ITGC control failing
– The failure not being detected
– The failure impacting a key automated control or allowing an undetected material change to data used in financial reporting
– The automated control failure resulting in a material error
GAIT Scenarios
• GAIT also includes a set of real world business scenarios to show how GAIT is applied to scope ITGCs, in order to:
– Reduce the learning curve for GAIT adopters
– Validate the approach and the resulting scoping solutions
• Ideally, GAIT will cover a variety of scenarios to include the spectrum of:
– Revenue vs general ledger
– High vs low reliance on automated controls
– High vs low reliance on Change/Operations/Security
GAIT Scenario #1
The following information is provided to help establish the scenario. This information would be uncovered during the business risk assessment process, prior to any application of the GAIT methodology.
Company background: Fortune 100, Manufacturing, $10 billion revenue
Identify and understand the related business processes
• This line of business accounts for $5 billion revenue. The Rebate Approval Process (RAP) business process handles all approval for non-standard customer pricing. In other words, all non-standard customer prices are approved through this process. The amount of revenue flowing through this business approval process is approximately $500 million.
Identify and understand the application/IT organization
• IT management
– The application development group is responsible for normal application support and maintenance
– Application operations is run by Global IT Operations, based in Minneapolis, MN
– A DBA group supports the operations group and aids in application upgrades
– A technical network operations team manages the operating system and networks
• Application
– Developed in-house, written in J2EE, and in operation for over four years
– Modifications are made to the application on a quarterly basis
– Approximately 1000 users run this application on a regular basis
– Approximately $500 million revenue is processed through this application
Identify and understand the application/IT organization
• Interfaces
– Input interface: data is moved to this application using FTP from a remote server, which transits the corporate network, touching a series of routers, but no firewalls.
– Output interface: identical to the input interface.
• Database
– Application runs on Microsoft SQL Server
– Databases are patched quarterly
– DBAs have access to the production database, and could inject information that bypasses the application
• Operating system
– Microsoft Windows 2000
– Patched quarterly
• Network
– Application has input that transits the network and could result in loss of data
Identify the risks within the integrated business process
• We establish that there is a risk that rebate-related accounts may be materially misstated due to:
– Unauthorized rebates
– Incorrectly calculated rebates
– Incomplete accounting for rebates due to incorrect accruals, etc.
• We establish that not only revenue-related accounts may be misstated, but also rebate-related balance sheet accounts.
• We establish that the quantity of rebates in this business is so high that the materiality threshold is crossed.
• We establish that because the transaction volumes are so high, a report review is not sufficient – a failure here could break the business.
Identify manual, automated controls and key functionality within the process that mitigate the risks
• Identify key controls
– Identify manual, automated controls and key functionality within the process that mitigate the risks
• Automated controls:
– Approval of non-standard prices is restricted to authorized managers
– Approval of non-standard prices is routed to authorized managers
• Manual controls reliant upon key reports:
– There is a later reconciliation in another application that compares approved prices to prices on customer billings. The approved prices report is generated from this application (RAP), and is therefore reliant on correct functioning of the RAP application.
• Key functionality:
– Rebates are completely and accurately calculated
– Data is correctly received from (input) ABC application
– Data is correctly uploaded to XYZ application
Identify Relevant IT Infrastructure Elements And IT Processes
Layer                   Change Management   Operations   Security/Logical Access
Application             ???                 ???          ???
Database                ???                 ???          ???
Operating system        ???                 ???          ???
Network/infrastructure  ???                 ???          ???
Validate the IT entity and management control environment
• We establish that the CIO is getting appropriate reports on the effectiveness of the change, operations and security processes
• We establish that the organizational maturity of the management organizations is as follows:
– Application management: high maturity, no repeat audit findings, minor incidents of business complaints of outages
– Database management: lower maturity, one repeat audit finding, 12 instances of outages due to failures in the change management process
– And so forth…
Identify Relevant IT Infrastructure Elements And IT Processes
Layer                   Change Management   Operations   Security/Logical Access
Application             Yes                 Yes          Yes
Database                Yes                 No           Yes
Operating system        No                  No           Yes
Network/infrastructure  Yes                 Yes          No
Evaluate the risks related to the IT processes
Application layer: Change Management process
Critical functionality, automated controls, key reports:
– Approval of non-standard prices is restricted to authorized managers
– Approval of non-standard prices is routed to authorized managers
– The approved prices report generated by the application
– Data is correctly received from (input) ABC application
– Data is correctly uploaded to XYZ application
Risks (what could go wrong):
– Unauthorized changes
– Inadequate or inappropriate code promotions
– Failed changes, unintended consequences from change
– …and so forth
IT processes and process owners:
– Change control team: Bob, Director, Change Management
– RAP support team: Frank Rap, Manager
– Production Migration team: Betty Migration, Manager
– DBA team
Evaluate the risks related to the IT processes
Application layer: Operations process
Critical functionality, automated controls, key reports:
– Approval of non-standard prices is restricted to authorized managers
– Approval of non-standard prices is routed to authorized managers
– The approved prices report generated by the application
– Data is correctly received from (input) ABC application
– Data is correctly uploaded to XYZ application
Risks (what could go wrong):
– Interfaces could fail
– Incomplete or inaccurate interface process, due to abnormal end
– Inability to appropriately recover lost data, due to data backup and recovery failures
– …and so forth
IT processes and process owners:
– RAP support team: Frank Rap, Manager
– Data center operations team: Bob, Manager
Evaluate the risks related to the IT processes
Application layer: Security/logical access process
Critical functionality, automated controls, key reports:
– Approval of non-standard prices is restricted to authorized managers
– Approval of non-standard prices is routed to authorized managers
– The approved prices report generated by the application
– Data is correctly received from (input) ABC application
– Data is correctly uploaded to XYZ application
Risks (what could go wrong):
– Add/change/delete data and code not in accordance with management’s intentions
– Inappropriate changes to data are made by system users (because access privileges are inappropriate – regular and privileged accounts)
– Inappropriate changes are made to application code
– Inappropriate or unauthorized transaction/data generation/approvals/deletions
– …and so forth
IT processes and process owners:
– User provisioning team: Bob, Manager
– RAP application and data owners
– Support team
– DBA team
– Director of Security
The GAIT Program
• GAIT Principles and Methodology exposure draft
• GAIT Scenarios
• GAIT Outreach and Mobilization
• GAIT Training
– IIA webcast in July
I Am Interested In GAIT! What Do I Do?
• Email [email protected]
• Subscribe to the GAIT status report and newsletters
• Register your interest as a GAIT Early Adopter
• Start using the GAIT methodology and scenarios!