3 2006 06 cs6 4 gait principles v3a

CS6-4: A Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT Framework v2 for SOX-404) Ed Hill, Managing Director, Protiviti Gene Kim, CTO, Tripwire June 2006

IIA GAIT Core Team Task Force of IIA Technology Committee
Ed Hill, Protiviti
Gene Kim, Tripwire
Steve Mar, Microsoft
Norman Marks, Maxtor
Jay Taylor, General Motors Corp
Heriot Prentice, IIA
Julia Allen, Eileen Forrester, Software Engineering Institute

The Problem
Lack of well-established guidance for scoping IT work relating to SOX-404 leads to inconsistency and subjectivity.
As a result:
Auditors and management are frustrated with IT aspects of SOX-404 compliance because current scoping approaches are creating overly broad scope and excessive testing costs
SEC registrants are hesitant to reduce scope for fear of increasing risk
Significant risks to financial assertions may be unaddressed due to lack of consistency
SEC registrants and CPA firms both experience suboptimal use of scarce resources

Why Is There A Problem?
No clear guidance exists to determine whether IT processes and activities can invalidate financial application processing or financial assertions
COSO provides an accepted construct for defining overall internal control objectives, assertions, risks and controls, but its application to the IT environment is ambiguous
COBIT does not provide a clear mechanism to scope IT processes and controls to the achievement of specific internal control objectives (e.g., COSO objective for internal control over financial reporting)
Something else is needed…

What We Did About It
In early 2005, the IIA Technology Committee created the GAIT task force, which has held four GAIT Summits since July 2005
The GAIT Summits assembled key stakeholders from internal audit, management, external audit and federal regulators

Vision: Create Equivalence to Nine Firm Document on IT Control Exceptions GAIT takes the approach used in the nine firm document. GAIT represents the upfront scoping exercise to appropriately identify the IT controls work relevant to overall internal controls objectives Chart 3: Evaluating Information Technology General Control (ITGC) Deficiencies , “A Framework for Evaluating Control Exceptions and Deficiencies” (December 20, 2004)

Solution: GAIT…
Establishes four principles that
Defines the relevance of IT infrastructure elements to financial reporting integrity
Define the three types of IT processes that can affect them: change management and systems development, operations and security
Defines an end-to-end process view of these three processes
Defines an approach to defining objectives and key controls within those three processes
Provides a methodology and thinking process that continues the top down, risk based approach started in AS2 to scope IT general controls
Provides a common context for management and auditors to support and test management’s assessment that the necessary IT controls exist and are effective
Initial target is internal control objectives for financial reporting, but should extend to operating effectiveness and complying with laws and regulations (as defined by COSO)

GAIT Team’s Vision and Goals
To develop in 2006 a set of widely-used and widely-accepted guiding principles, tools, methodologies and scenarios that can be used by management and auditors to properly scope IT general controls work for financial reporting and SOX-404.
To develop a short- and medium-term roadmap that moves the GAIT Principles from “new guidance” to “great advice” to “generally accepted.”
To develop a long-term roadmap that expands the GAIT Principles from internal control objectives for just financial reporting, to one that encompasses compliance with laws and regulations, operating effectiveness, etc.

GAIT Principle #1
The only IT infrastructure elements (e.g., databases, operating systems, networks) relevant to ITGC assessment are those that support financially-significant applications and data.
(“What are the relevant IT infrastructure elements?”)

GAIT Principle #2
The IT processes primarily relevant to ITGC assessment are those that directly impact the integrity of financially-significant applications and data:
Change management and systems development: the processes around developing, implementing, and maintaining financially significant applications and supporting IT infrastructure
Operations management: the processes around managing the integrity of production data and program execution
Security management: the processes around limiting access to information assets
(“What are the relevant end-to-end IT processes?”)

GAIT Principle #3
Implications to the reliability of financially-significant applications and data, including controls, are based upon the achievement or failure of IT process objectives, not the design and operating effectiveness of the individual controls within those processes.
(“What are the relevant objectives of those IT processes? In other words, we shouldn’t get carried away when reaching a conclusion when testing a control.”)

GAIT Principle #4
The basis for identifying key controls in the three IT processes is based on:
Inherent risk of not achieving the IT process objectives
IT process risk indicators
(“How do we select key controls within those IT processes?”)

GAIT Scoping: Step By Step GAIT Starts Here AS2 begins here

Identify key financial statement captions Identify the general ledger accounts related to the key financial statement accounts (significant account) Identify key transaction processes that affect the general ledger accounts Identify and understand related business processes Identify and understand applications and modules that support financially relevant business processes Analyze the risks within the integrated business process (Identify risks) Identify manual & automated controls & key functionality within the process that mitigate the risks (Identify key controls) Identify IT infrastructure elements which support the application (the rest of the stack) Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps Business Process Business and IT IT Identify and understand infrastructure that supports the business processes Validate IT entity and management level controls

Evaluate overall entity level controls Identify IT entity level elements and the demonstrated maturity of the process Evaluate the risks related to (and within) the IT processes which manage the infrastructure & apps Business and IT IT

Where GAIT Picks Up
AS2 provides the steps to identify key controls within the business processes
Some of those are automated and some are manual, relying on automated functionality (key reports)
Failures in the above are unlikely to be detected by manual controls (otherwise, probably not key)

When GAIT Is Applied Correctly
You have identified all the key controls you are reliant upon
You have identified all the ITGC processes that key controls are reliant upon
You have identified all the key ITGC processes to protect the security of the application and data
You will be testing only those ITGC processes and controls that could result in a financial reporting error

When GAIT Is Applied Correctly
The following risks are identified and controlled:
The ITGC control failing
The failure not being detected
The failure impacting a key automated control or allowing an undetected material change to data used in financial reporting
The automated control failure resulting in a material error

GAIT Scenarios
GAIT also includes a set of real world business scenarios to show how GAIT is applied to scope ITGCs to:
Reduce learning curve for GAIT adopters
Validate the approach and the resulting scoping solutions
Ideally, GAIT will cover a variety of scenarios to include the spectrum of:
Revenue vs general ledger
High vs low reliance on automated controls
High vs low reliance on Change/Operations/Security

GAIT Scenario #1
The following information is provided to help establish the scenario. This information would be uncovered during the business risk assessment process, prior to any application of the GAIT methodology.
Company background: Fortune 100, Manufacturing, $10 billion revenue

Identify and understand the related business processes
This line of business accounts for $5 billion revenue. The Rebate Approval Process (RAP) business process handles all approval for non-standard customer pricing. In other words, all non-standard customer prices are approved through this process. The amount of revenue flowing through this business approval process is approximately $500 million.

Identify and understand the application/IT organization
IT management
The application development group is responsible for normal application support and maintenance
The application operations is run by Global IT Operations, based in Minneapolis, MN
A DBA group supports the operations group and aids in application upgrades
A technical network operations team manages the operating system and networks
Application
Developed in-house, written in J2EE, and has been in operations for over four years
Modifications are made to the application on a quarterly basis
Approximately 1000 users run this application on a regular basis
Approximately $500 million revenue is processed through this application

Identify and understand the application/IT organization
Interfaces
Input interface: data is moved to this application using FTP from a remote server, which transits the corporate network, touching a series of routers, but no firewalls.
Output interface: identical to input interface.
Database
Application runs on Microsoft SQL Server
Databases are patched quarterly
DBAs have access to the production database, and could inject information that bypasses the application
Operating system
Microsoft Windows 2000
Patched quarterly
Network
Application has input that transits the network and could result in loss of data

Identify the risks within the integrated business process
We establish that there is a risk that rebate-relate accounts may be materially misstated due to:
Unauthorized rebates
Incorrectly calculated rebates
Incomplete accounting for rebates due to incorrect accruals, etc.
We establish that not only revenue-related accounts may be misstated, but also rebate-related balance sheet accounts.
We establish that the quantify of rebates in this business is so high that materiality threshold is crossed.
We establish that because the transaction volumes are so high that a report review is not sufficient – a failure here could break the business.

Identify manual, automated controls and key functionality within the process that mitigate the risks
Identify key controls
Identify manual, automated controls and key functionality within the process that mitigate the risks
Automated controls:
Approval of non-standard prices is restricted to authorized managers
Approval of non-standard prices is routed to authorized managers
Manual controls reliant upon key reports:
There is a later reconciliation in another application that compares approved prices to prices on customer billings. The approved prices report is generated from this application (RAP), and is therefore reliant on correction functioning of the RAP application.
Key functionality:
Rebates are completely and accurately calculated
Data is correctly received from (input) ABC application
Data is correctly uploaded to XYZ application

Identify Relevant IT Infrastructure Elements And IT Processes Layer Change Management Operations Security/Logical Access Application ??? ??? ??? Database ??? ??? ??? Operating system ??? ??? ??? Network/infrastructure ??? ??? ???

Validate the IT entity and management control environment
We establish the CIO is getting appropriate reports on the effectiveness of the change, operations and security processes
We establish that the organizational maturity of the management organizations are as follows:
Application management: high maturity, no repeat audit findings, minor incidents of business complaints of outages
Database management: lower maturity, one repeat audit finding, 12 instances of outages due to failures in the change management process
And so forth…

Identify Relevant IT Infrastructure Elements And IT Processes Layer Change Management Operations Security/Logical Access Application Yes Yes Yes Database Yes No Yes Operating system No No Yes Network/infrastructure Yes Yes No

Evaluate the risks related to the IT processes Application layer: Change Management process Critical functionality, automated controls, key report Risks: what could go wrong IT processes and process owners Approval of non-standard prices is restricted to authorized managers Approval of non-standard prices is routed to authorized managers The approved prices report generated by the application Data is correctly received from (input) ABC application Data is correctly uploaded to XYZ application Unauthorized changes Inadequate or inappropriate code promotions Failed changes, unintended consequences from change … and so forth Change control team Bob, Director, Change Management RAP support team Frank Rap, Manager Production Migration team Betty Migration, Manager DBA team

Evaluate the risks related to the IT processes Application layer: Operations process Critical functionality, automated controls, key report Risks: what could go wrong IT processes and process owners Approval of non-standard prices is restricted to authorized managers Approval of non-standard prices is routed to authorized managers The approved prices report generated by the application Data is correctly received from (input) ABC application Data is correctly uploaded to XYZ application Interfaces could fail Incomplete or inaccurate interface process, due to abnormal end Inability to appropriately recover lost data, due to data backup and recovery failures Inability to appropriately recover lost data, due to data backup and recovery failures … and so forth RAP support team Frank Rap, Manager Data center operations team Bob, Manager

Evaluate the risks related to the IT processes Application layer: Security/logical access process Critical functionality, automated controls, key report Risks: what could go wrong IT processes and process owners Approval of non-standard prices is restricted to authorized managers Approval of non-standard prices is routed to authorized managers The approved prices report generated by the application Data is correctly received from (input) ABC application Data is correctly uploaded to XYZ application Add/change/delete data and code not in accordance with management’s intentions Inappropriate changes to data are made by system users (because access privileges are inappropriate – regular and privileged accounts) Inappropriate changes are made to application code Inappropriate or unauthorized transaction/data generation/approvals/deletions … and so forth User provisioning team Bob, Manager RAP application and data owners Support team DBA team Director of Security

The GAIT Program
GAIT Principles and Methodology exposure draft
GAIT Scenarios
GAIT Outreach and Mobilization
GAIT Training
IIA webcast in July

I Am Interested In GAIT! What Do I Do?
Email [email_address]
Subscribe to the GAIT status report and newsletters
Register your interest as a GAIT Early Adopter
Start using GAIT methodology, scenarios!

GAIT Scoping: Step By Step

3 2006 06 cs6 4 gait principles v3a

by realgenekim on Jul 25, 2010

Accessibility

Upload Details

Usage Rights

2 Embeds 78

Statistics

3 2006 06 cs6 4 gait principles v3a — Presentation Transcript

http://www.realgenekim.me	71
http://realgenekim.squarespace.com	7