ISACA Greater Kansas City Chapter Control Rationalization: Taking Action September 14, 2006


ISACA Greater Kansas City Chapter

Control Rationalization: Taking Action

September 14, 2006

Copyright © 2004 Deloitte Development LLC. All rights reserved. 2

Agenda

• Introductions

• Getting to Know You

• Control Rationalization Overview

• General Computer Control (GCC) Challenges

• GCC Control Rationalization Overview

• Control Risk-Rating

• Control Design

• Risk-Based Testing

• Cost Analysis

• Working with your External Auditors

• Leveraging Company Level Controls & Automation

• Roadmap and Wrap-Up

Polling Question: What industry do you work in?

1. Financial Services
2. Manufacturing
3. Technology, Media, and Telecom
4. Entertainment
5. Consumer Business
6. Energy & Utilities
7. Transportation
8. Health Care & Life Sciences
9. Public Sector
10. Other

[Bar chart of poll results; percentages as extracted: 55%, 0%, 13%, 0%, 0%, 5%, 2%, 2%, 4%, 20%]

Polling Question: What is your position?

1. Internal Audit / IT Audit
2. Finance & Accounting
3. Information Technology
4. Sarbanes-Oxley Group
5. Other

[Bar chart of poll results; percentages as extracted: 77%, 2%, 9%, 5%, 7%]

Polling Question: Does your organization comply with Sarbanes-Oxley or perform testing of controls?

1. Yes
2. No
3. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 82%, 11%, 7%]

Polling Question: Do you feel your organization has too many key controls (business process and/or IT) that are tested?

1. Yes
2. No
3. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 25%, 57%, 18%]

Polling Question: Do you feel that you spend too much of your time focusing on non-critical controls?

1. Yes
2. No
3. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 31%, 56%, 13%]

Polling Question: Who is driving interest in control rationalization in your organization?

1. Internal Audit / IT Audit
2. Audit Committee / Executive Management
3. External Auditor
4. Sarbanes-Oxley Group
5. Business Units / IT
6. All of the above
7. None of the above
8. I’m just here for the CPE and lunch

[Bar chart of poll results; percentages as extracted: 18%, 29%, 2%, 5%, 2%, 30%, 2%, 13%]

Control Rationalization - Overview

Outcomes:
• Understand Control Rationalization concepts
• How to apply to company
• Process to apply
• Examples of applying risk-rating
• How to identify and use CLCs
• Understand benefits of leveraging automation
• Next steps to apply Control Rationalization to company’s control program

Activities:
• Define approach
• Discuss process and impact to company
• Risk-rate control objectives
• Discuss approach
• Define CLCs and BMCs and process focused
• Identify CLCs that are relevant to company
• Define updated approach
• Impact on test approach based on risk-rating
• Examples of applying to company controls
• Determine impact on risk-rated controls
• Discuss impact to company
• Define cost analysis approach
• Modeling approach to cost savings
• Review modeling of cost savings
• Define roadmap approach
• Discuss short and long term impact
• Discuss next steps
• Wrap up

Sections covered: Control Rationalization Overview, Control Risk-Rating, Company Level Controls, Risk-Based Testing, Control Automation, Cost Analysis, Roadmap

Control Rationalization Overview

What is Control Rationalization?

Control Rationalization is a top-down, risk-based approach to implement a lean and balanced control program.

[Diagram, before and after "Rationalize": Routine / Transactional Controls and Strategic Controls become Transactional Controls and Strategic Controls]

Recent Regulatory Guidance

PCAOB Top-Down Approach, with the Control Rationalization response to each step:

1. Identify and evaluate design of company-level controls
   Response: Pinpoint Company Level Controls that effectively mitigate location/account risks
2. Identify significant accounts and disclosures
   Response: Consider qualitative risk factors (e.g., susceptibility of loss due to errors or fraud), not just quantitative significance
3. Identify relevant assertions for each significant account
   Response: Direct level of effort based on risks related to relevant assertions
4. Link significant accounts to significant processes and major classes of transactions
   Response: Risk-rate major classes of transactions to appropriately focus efforts
5. Identify the points at which errors or fraud could occur in the process
   Response: Confirm that relevant financial reporting risks (including fraud and GCCs) are identified, and risk-rate control objectives
6. Identify controls to test that prevent or detect errors or fraud on a timely basis
   Response: Rationalize controls and develop appropriate test plans
7. Clearly link individual controls with the significant accounts and assertions to which they relate
   Response: Verify that design of ICFR addresses relevant risks

Company-Level Controls (“CLCs”)

What are Company-Level Controls (CLCs)?

Controls that have a pervasive impact on financial reporting either because they 1) are a component of the organization’s overall governance practices; or 2) address specific control objectives/risks within the organization’s business processes.

Why do we care about CLCs?
– Pervasive impact on transactional processing
– Critical to operational performance
– Often performed by senior management and/or specialized staff (i.e. the Accounting department)
– More efficient to test
  • Lower frequency of operation
  • Often centralized

Why can’t we rely only on CLCs, and eliminate all the other controls?
– Detective in nature
– Almost always manual
– PCAOB expressly prohibits auditors from relying on CLCs (AS2, paragraph 54)

General Computer Control (GCC) Challenges

Polling Question: How would you describe the relationship and correlation of business process and IT controls in your organization?

1. Not integrated / operating in silos
2. Somewhat integrated
3. Highly integrated
4. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 16%, 63%, 11%, 11%]

Under Pressure: General Computer Control Challenges

• Chief Information Officers, IT Compliance Directors and IT Audit Directors often find that IT-related Sarbanes-Oxley costs exceed expectations

• Unfortunately, despite continued good faith efforts in Year 2, early evidence from 2005 proxy statements suggests that companies continue to identify weaknesses in controls related to IT

– In effect, many efforts are not working to build a sustainable compliance program regarding general computer controls

• And yet, there’s a continued focus on containing IT costs associated with Sarbanes-Oxley

Companies seeking to manage costs without jeopardizing compliance should evaluate Control Rationalization as the likely first step


Under Pressure: What’s the problem with general computer controls?

The following factors appear to remain at play at some companies:

• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary
• Companies are not applying IT control frameworks in a manner that is leveraging IT-related company level controls
• Companies are still applying a short-term mindset versus a long-term strategy to address flaws in control design, and to drive continuous improvement
• Where cost savings were realized in Year 2, companies are failing to reinvest some of those savings in higher risk areas


Challenges and Opportunities

Guiding Principles

• Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.

• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.

• Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations.

• Control rationalization can result in immediate benefits; however more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.

Solution

Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges

Definition - Control Rationalization

Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.

Key Principles: Rationalizing General Computer Controls

• Although a direct linkage to the company’s overall risk assessment may not be possible in many cases, risk-rate GCC categories and control objectives so that greater consideration is given to those areas or control objectives that more directly promote the reliability and integrity of financial-related processing, and segregation of duties
• Apply a risk-rating approach towards GCC categories and control objectives to promote appropriate deployment of compliance efforts
• Where GCCs are considered reliable, place a higher reliance on IT-related company level controls (e.g., setting of consistent policy procedures for GCC areas, effective monitoring), particularly for lower risk areas
• Take advantage of opportunities to focus on removing secondary or redundant controls from testing if an effective higher-level control can be identified
• Consider testing GCC processes before performing detailed tests related to IT configurations for lower risk areas
• Be sure to prioritize controls addressing multiple risks

GCC Control Rationalization Overview

Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls

General Computer Control Rationalization (in scope / out of scope at each step):

1. Perform IT risk assessment (identify relevant applications, platforms)
   Out of scope: non-relevant IT applications and platforms
2. Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives (relevance to financial reporting objectives and risk-rating of associated major classes of transaction)
   Out of scope: non-relevant control objectives
3. Evaluate GCCs for effective and efficient testing*
   Out of scope: unnecessary controls, removed from testing scope
4. Develop risk-based testing approach for GCCs
   Result: re-designed testing approach, lean and balanced

*Efficiency Evaluation Criteria
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test process for granting access before password settings)
• Prioritize controls addressing multiple risks

Step 4 in detail, the risk-based testing approach by risk-rating category:

Risk-Rating Category | Testing Owner | Timing | Evidence | Sample Size
Low | Management | Test 1/3 of processes each year (rotation) | Management Self-Assessments | Reduced Sample Sizes
Medium | No change | No change | No change | Reduced Sample Sizes
High | SOX PMO and Internal Audit | No change | No change | Increased Sample Sizes

Control Risk-Rating

What is a Risk-Rating?

• A risk-rating process evaluates the risk of a material control weakness based on the magnitude and likelihood of misstatement (inherent risk)
• Risk-rating impacts:
  – Identification of significant accounts and processes
  – Nature, timing and extent of control testing
  – Reliance by external auditor on management’s work
• Sample risk-rating classification:
  – High
  – Medium
  – Low
  – Remote (typically scoped out of testing)
• Risk-rating is typically applied to the control activity or control objective levels, although it can also be applied at the account, process and transaction levels

Rationalize controls and redesign test plans

Input from Phase 1: Significant accounts, relevant assertions, major classes of transactions

1. Identify and risk-rate Control Objectives (COs)

2. Rationalize the controls that address each CO:
   • Leverage process-specific CLCs; consider removing related PLCs from testing scope
     Note: CLCs often do not have sufficient precision. If so, consider enhancing CLCs
   • Identify PLCs that fully address multiple COs; consider removing redundant PLCs from testing scope
     Note: In high-risk areas, consider retaining redundant controls
   • Identify PLCs that fully address single COs; consider removing ineffective PLCs from testing scope
     Note: However, in some cases two controls, which by themselves only partially meet the control objective, can in combination fully meet the objective
   • Within these PLCs, prioritize automated controls; consider removing redundant manual PLCs based on risk-rating
   Result: the set of controls to be tested (PLCs, CLCs, automated, manual); everything removed is out of scope

3. Develop risk-based testing approach (re-designed testing approach)

Management’s Testing Approach (Example)

Classification of risks: High
  Nature: Testing of both PLCs and process-specific CLCs
  Timing: Test closer to year end with roll-forward testing (as necessary)
  Extent: Greater number of sample selections
  Performed by: Competent and objective resources (e.g. internal audit) with focused oversight
  Auditor impact: May place limited or no reliance on management’s testing

Classification of risks: Medium
  Nature: Increased testing of process-specific CLCs and reduced testing of PLCs
  Timing: Any time with basic roll-forward testing (as necessary); consider benchmarking automated application controls
  Extent: Medium number of sample selections
  Performed by: Competent and objective resources (e.g. self assessment) with high-level oversight
  Auditor impact: May rely on certain amount of management’s testing (objective & competent)

Classification of risks: Low
  Nature: Primary focus on testing CLCs; minimized testing of PLCs
  Timing: Any time; minimize roll-forward testing (as necessary); consider benchmarking automated application controls
  Extent: Lower number of sample selections
  Performed by: Competent and objective resources (e.g. self assessment) with high-level oversight
  Auditor impact: May place significant reliance on management’s testing (if objective & competent)

Risk Based Approach for GCCs: Risk rate GCC areas

The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.”

Risk Evaluation Considerations (Illustrative Purposes Only)

General Computer Control Category | Examples of Qualitative Factors | Risk Ranking | Example Procedures
Application System Development & Maintenance | High volume of changes; Application dependencies | H | Test all three levels
Information Security | High employee turnover; Complex architecture | H | Test all three levels
Information Systems Operations | Mature monitoring processes; Automated tools | M | Test predominantly IT company level and process level controls
Systems Software Support | Homogenous environment; Automated tools | L | Test predominantly IT company level controls

NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.

Risk Based Approach for GCCs: Rationalize controls

After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.

Control Objective #1 – Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management’s intentions.

CL01 The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5)
  Rationale: The organization’s SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated.
CL02 An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1)
CL03 A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4)
  Rationale (CL02 and CL03): These two controls are redundant in nature; accordingly, only one control will be evaluated.
CL04 The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)
PL01 Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1)
  Rationale: This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process; accordingly, this control will not be evaluated.
PL02 A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8)

For this example, the three remaining controls (shown in bold on the original slide) will be assessed, which represents a 50% reduction in testing.

Risk rate control objectives for applicable assertions

Extending the risk assessment to the control objectives provides the foundation for varying the nature, timing and extent of control testing.

The approach
a) Understand the flow of transactions. Identify the points within the process where risks of financial misstatement could occur
b) List control objectives based on the relevant assertions identified in Phase 1 step 3
c) Risk rate (using magnitude and likelihood of potential error) the individual control objectives within the major classes of transactions (MCOT). [COs related to low risk rated MCOTs can be classified as low. COs related to high risk MCOTs are more likely to be rated high. However, MCOTs with a high risk rating may have individual COs that are risk rated M or L.]

Why risk rate Control Objectives (COs)?
• Provides foundation for risk based test plan and control rationalization efforts
• Assists in prioritizing remediation efforts, and making concluding process more efficient
• Assists in confirming the risk rating of the major classes of transactions and subsequent work planning efforts

Control objectives by sub-process:

Managing and Processing Orders
CO01 Only valid orders are input and processed.
CO02 Orders are only processed within approved customer credit limits.
CO03 Orders are approved by management as to prices and terms of sale.
CO04 All orders received from customers are input and processed.
CO05 Orders and cancellations of orders are input accurately.
CO06 Order entry data is transferred completely and accurately to the shipping and invoicing activities.

Shipping, Invoicing, and Sales Returns
CO07 Invoices relate to valid shipments.
CO08 All goods shipped are invoiced.
CO09 Invoices are generated using authorized terms and prices.
CO10 All invoices issued are recorded.
CO11 Invoices are accurately calculated and recorded.
CO12 Invoices are recorded in the appropriate period.
CO13 All credit notes relate to a return of goods or other valid adjustments.
CO14 All credit notes issued are recorded.
CO15 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
CO16 Credit notes issued are recorded in the appropriate period.

Processing Cash Receipts
CO17 Cash receipts data is valid and is entered for processing only once.
CO18 All cash receipts data is entered for processing.
CO19 Cash receipts data is entered for processing accurately.
CO20 Cash receipts are recorded in the period in which they are received.

Maintaining Customer Masterfile

[Control Objective Assessment Grid: COs 1 through 24 plotted by Likelihood of Potential Error (Low to High, horizontal axis) against Magnitude of Potential Error (Low to High, vertical axis)]

Example Risk-Ranked Heat Map

Risk Rank: H=High, L=Low, R=Remote

7.5.1.1 Disbursements
  Risk: Unauthorized disbursements are made and/or disbursements are not properly recorded.
  Risk Rank: H
  Rationale: High fraud potential; additionally, as the last step in the Expenditures cycle, there are no additional downstream controls which could mitigate the risk.

7.3.1.1 Receive goods and services
  Risk: Goods and services received are not recorded in the system accurately and/or timely, misstating liabilities.
  Risk Rank: H
  Rationale: Potential cut-off issue for recording cost of sales and expense, and for placing capital expenditures in service in the appropriate period.

7.4.5.1 Process invoices
  Risk: Unauthorized individuals have access to make purchases with P-Card.
  Risk Rank: H
  Rationale: Anyone with access to a p-card can make a purchase, no prior approval required. Note: there are 2223 cards issued.

7.1.1.1 Approve new vendors
  Risk: Unauthorized or fictitious vendors are listed in the master file and have the ability to be paid.
  Risk Rank: L
  Rationale: Unauthorized vendor cannot result in a fraudulent payment to that vendor without at least 2 persons' involvement (collusion) due to SOD controls in place and monitored.

7.4.4.1 Process invoices
  Risk: The FSC processes unapproved P.O. invoices.
  Risk Rank: R
  Rationale: The risk would require collusion. The PeopleSoft system enforces a 3-way match using purchase order, inventory receiver and invoice; system security separates these responsibilities, and the system will not allow 2-way match or "no match" for PO invoice vouchering.

7.2.1.1 Order goods and services
  Risk: Unauthorized PO purchases can be made.
  Risk Rank: R
  Rationale: Downstream PO authorization controls at invoice vouchering and disbursement prevent significant errors to the applicable account balances (Expense & A/P)

Exercise: Risk-rate the control risks below

Financial Reporting: General Computer Controls

Control: Access to test and production environments are appropriately restricted and segregated

For each risk factor (inherent risk), assign a rating and a rationale (example):
• Susceptibility of loss or misstatement due to fraud
• Account and reporting complexities
• Subjectivity of account affected by process
• Frequency of transactions processed through the account or process
• Volatility of transactions (unpredictability, instability)
• Nature of the process (automated vs. manual)
• Changes from the prior period in process or supporting technology characteristics
• Final Rating

Control Design

Polling Question: How many controls (business process and IT) does your organization have in place that are considered for testing?

1. Over 1,000
2. 750 – 999
3. 500 – 749
4. 250 – 499
5. Under 249
6. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 12%, 13%, 10%, 21%, 6%, 38%]

Polling Question: Do you feel your organization has duplicative, or non-unique, controls?

1. Yes
2. No
3. Don’t Know / No Answer

[Bar chart of poll results; percentages as extracted: 63%, 30%, 7%]


Standardizing Control Design – Best Practices

• Develop a standard set of risks to evaluate across LOBs

– Align to assertions

• Tailor standard risk set to the LOB

– include specific risks and omit irrelevant risks

– include rationale for additions and omissions

• Develop model control activities to link to each standard risk

– provides a consistent starting point for control documentation

– generic in nature; must be tailored to the LOB

• Document control points in high-level process flows

– identify areas where controls should be strengthened

– improves method for selecting key controls

Risk-Based Testing

Once management has designed appropriate controls to address financial reporting risks, it has the additional opportunity to reduce costs by designing risk-based test plans. Risk-based test plans vary the nature, extent and timing of testing based on risk.

Implementing a risk-based test plan

Management’s testing approach (example), by classification of risks:

High
  Nature: Testing of both PLCs and process-specific CLCs
  Evidence: Re-performance; extensive inquiry; expanded scope of testing
  Timing: Test closer to year-end with roll-forward testing (as necessary)
  Extent: Greater number of sample selections
  Performed by: Competent and objective resources (e.g., internal audit) with focused oversight (deploy best resources to riskier areas)
  Auditor impact: May place limited or no reliance on management’s testing

Medium
  Nature: Increased testing of process-specific CLCs and reduced testing of PLCs
  Evidence: Inquiry with documentation; some re-performance
  Timing: Any time with basic roll-forward testing; consider benchmarking application controls
  Extent: Medium number of sample selections
  Performed by: Competent and objective resources (e.g., self-assessment) with high-level oversight
  Auditor impact: May rely on certain amount of management’s testing (if objective & competent)

Low
  Nature: Primary focus on testing CLCs; minimized testing of PLCs
  Evidence: Inquiry with observation
  Timing: Any time; minimize roll-forward testing; consider benchmarking application controls
  Extent: Minimum number of sample selections
  Performed by: Competent and objective resources (e.g., self-assessment) with high-level oversight
  Auditor impact: May place significant reliance on management’s testing (if objective & competent)

Cost Analysis


Testing: Cost Analysis*

Based on the potential changes to testing effort implied by the risk-ratings, an organization can assess the impact on management’s testing resources.

A standard framework can be used to measure resource requirements for the risk-based testing program, and provide comparisons to current testing costs.

*Note: the example below is included solely for illustrative purposes and does not imply in any way that these or any other savings are likely or possible. The framework relates only to management’s testing, not auditor testing.

Risk-Rating Category | High | Medium | Low | Risk-Based Approach (total) | Original Approach | Impact (Savings)
Number of Control Activities | 800 | 500 | 400 | 1,700 | 1,700 |
Avg Hrs/Control | 10 hrs | 6 hrs | 3 hrs | 7 hrs | 9.5 hrs |
Total time spent | 8,000 hrs | 3,000 hrs | 1,200 hrs | 12,200 hrs | 15,300 hrs | (20%)
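The risk-rating grid described under “What is a Risk-Rating?” and the cost model above, worked through in Python as an added example (not code from the original deck). The 1..5 magnitude and likelihood scores and the product thresholds that map them to High/Medium/Low/Remote are assumptions, since the slides show only the grid; the test-plan attributes, control counts and hours per category are the slides’ own figures, and the 15,300-hour original total is taken as an input.

```python
"""Risk-rate control objectives and size a risk-based test plan.

Added example, not code from the Deloitte deck. The 1..5 scores and the
product thresholds in risk_rank() are assumptions; the per-category
test-plan attributes and the cost-model figures come from the slides.
"""
from dataclasses import dataclass


@dataclass
class ControlObjective:
    risk_num: str      # e.g. "7.5.1.1"
    sub_cycle: str
    magnitude: int     # magnitude of potential error, 1 (low) .. 5 (high)
    likelihood: int    # likelihood of potential error, 1 (low) .. 5 (high)


# Test-plan attributes per risk-rating category, as tabulated on the slide.
# "No change" keeps the original (pre-rationalization) approach for that cell.
TEST_PLAN = {
    "High": {"owner": "SOX PMO and Internal Audit", "timing": "No change",
             "evidence": "No change", "sample_size": "Increased sample sizes"},
    "Medium": {"owner": "No change", "timing": "No change",
               "evidence": "No change", "sample_size": "Reduced sample sizes"},
    "Low": {"owner": "Management",
            "timing": "Test 1/3 of processes each year (rotation)",
            "evidence": "Management self-assessments",
            "sample_size": "Reduced sample sizes"},
}

# Average testing hours per control by category (slide's cost-analysis example).
AVG_HOURS = {"High": 10, "Medium": 6, "Low": 3}


def risk_rank(magnitude: int, likelihood: int) -> str:
    """Place a control objective on the magnitude x likelihood grid.

    Assumed thresholds on the product of the two 1..5 scores (the deck shows
    the grid, not a formula). "Remote" is the category scoped out of testing.
    """
    for name, value in (("magnitude", magnitude), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    score = magnitude * likelihood
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    if score >= 4:
        return "Low"
    return "Remote"


def rationalize(objectives):
    """Split objectives into in-scope rows (with test-plan attributes) and scoped-out ids."""
    in_scope, scoped_out = [], []
    for co in objectives:
        rank = risk_rank(co.magnitude, co.likelihood)
        if rank == "Remote":
            scoped_out.append(co.risk_num)
        else:
            in_scope.append({"risk_num": co.risk_num, "sub_cycle": co.sub_cycle,
                             "rank": rank, **TEST_PLAN[rank]})
    return in_scope, scoped_out


def cost_analysis(counts, original_hours):
    """Hours under the risk-based approach versus the original flat approach.

    counts: number of control activities per category (High/Medium/Low).
    original_hours: total hours of the original approach, taken as an input.
    """
    hours = {cat: counts.get(cat, 0) * AVG_HOURS[cat] for cat in AVG_HOURS}
    risk_based = sum(hours.values())
    return {"hours_by_category": hours,
            "risk_based_hours": risk_based,
            "original_hours": original_hours,
            "savings_pct": round(100 * (1 - risk_based / original_hours))}


# Constructed sample modelled on the slide's heat map; the scores are
# illustrative and chosen so the ranks match the slide's H/H/H/L/R/R.
SAMPLE = [
    ControlObjective("7.5.1.1", "Disbursements", 5, 4),             # fraud, no downstream control
    ControlObjective("7.3.1.1", "Receive goods and services", 4, 4),
    ControlObjective("7.4.5.1", "Process invoices (P-Card)", 3, 5), # no prior approval
    ControlObjective("7.1.1.1", "Approve new vendors", 4, 1),       # SOD: collusion required
    ControlObjective("7.4.4.1", "Process invoices (PO)", 2, 1),     # system-enforced 3-way match
    ControlObjective("7.2.1.1", "Order goods and services", 3, 1),  # downstream PO controls
]

if __name__ == "__main__":
    scoped, dropped = rationalize(SAMPLE)
    for row in scoped:
        print(f'{row["risk_num"]:8} {row["rank"]:6} {row["owner"]} / {row["sample_size"]}')
    print("scoped out (Remote):", dropped)
    print(cost_analysis({"High": 800, "Medium": 500, "Low": 400}, 15_300))
```

The slide’s 9.5 hrs/control average does not reproduce its 15,300-hour original total (1,700 × 9.5 = 16,150; 15,300 corresponds to 9 hrs/control), which is why the example takes the total rather than the average as input.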

Working with your External Auditors


Working with your External Auditors

Develop rapport with external auditors on concepts that lead to more efficient and effective compliance. Concepts include:

• Role that likelihood of errors and error magnitude should play in scoping decisions for SOX framework testing.

• Scoping of compliance testing should be risk-based.

External Auditor’s CR Considerations

• Auditor’s use of management’s work
  – Depends on nature of control
  – Depends on objectivity and competence of the person who tested it

• Focus on risk associated with a particular control or area

• Overriding consideration is obtaining principal evidence

• Self assessment “trade-off” – auditor may need to do more testing to gain assurance

Leveraging CLCs & Automation

How Can CLCs Be Applied to CR?

What are Company Level Controls (CLCs)?

The PCAOB describes company-level controls as those that are associated with the control environment, centralized processing, period end financial reporting, monitoring results of operations, etc. As such, they may reside at the entity-level and at the process-level.

In the Control Rationalization approach, CLCs that are effective in achieving process-level control objectives are referred to as process-specific CLCs. Certain CLCs, termed process-specific CLCs, may be leveraged to further rationalize the control framework.

To be effective in addressing process-level control objectives, process-specific CLCs possess the following characteristics:

• Relevance: Addresses process level risk
• Frequency: Operates with enough regularity to enable timely detection of errors or fraud
• Precision: Operates at a sufficiently precise level of detail to adequately address risk of misstatement (e.g., precise enough to detect at least “greater than inconsequential” errors in financial reporting. A detective control designed to detect a “material misstatement” is not precise enough to reduce likelihood of material misstatement to remote)

Note: Effectiveness of system-dependent CLCs relies on an underlying set of strong general computer controls (GCCs) and application controls

Leveraging CLCs

Identify the Process Level Control Activities that are adequately covered by the CLCs. Assuming that the CLCs satisfy the criteria of precision, specificity, frequency, etc., they can be used to reduce the extent of reliance placed on related PLCs. The CLCs that address control objectives with a high degree of precision can be used to reduce or eliminate related PLCs from the scope of management’s internal control assessment.

Possible process level controls covered by CLCs

1. PL03 - Invoices are approved based on comparison to priced order and shipping source documents (RE834).

2. PL05 - Customers enter and/or cancel orders automatically using EDI protocols (RE807).

3. PL12 - Signed delivery notes are received for all shipments made. The sequence of signed delivery notes is accounted for (IM201).

4. PL16 - Order cancellation data is matched to the original order (RE825)(RE801).

5. PL18 - List prices of composed products are automatically calculated based on the list prices of the components of such products (IM256).

6. PL20 - Invoice and credit note data is edited and validated; identified errors are corrected promptly (RE202).

Company level controls: Perform Business Performance Review

1. EL01 - Actual orders are compared to a predictive model by, for example, seasonality, product line, customer, and region (RE826).

2. EL02 - Sales are compared to forecast and for pricing against orders by, for example, seasonality, product line, customer, and region (RE826).

3. EL03 - Activity, including sell-through and returns, is tracked by customer (by retail outlet) and flagged if outside expected ranges (RE509/612).

4. EL04 - A review of the aging analysis of all customer accounts (and by segmentation) is performed (RE614).


How Can Automation be Applied to CR?

Companies should consider enabling functionality in existing IT applications and/or implementing new technology to minimize reliance on people-based controls (this requires a strong general computer controls foundation).

Impact on control testing

• More reliable

• Can potentially decrease the cost of testing:

– Extent: Much less extensive; typically requires a smaller number of sample items (because the likelihood of an exception is low)

– Timing: ‘Benchmark’ certain application controls so that testing frequency can be reduced (e.g., every 3rd year)

– Nature: More efficient to conduct testing

• Lower cost to perform the control (compared to manual)

Areas to consider for adding new technology

• Manage segregation of duties conflicts

• User access provisioning

• Transaction-level controls monitoring

• System change management

• Fraud detection programs

[Figure: “Automation of controls” matrix of People-Based vs. System-Based and Detective vs. Preventive controls, with axes labelled “Desirable” and “Reliable”]

Control Automation Roadmap

[Section navigation: Control Rationalization Overview, Control Risk-Rating, Company Level Controls, Risk-Based Testing, Cost Analysis, Control Automation Roadmap]


Example Roadmap

[Diagram: phased roadmap consisting of a Control Rationalization Workshop, a CR Pilot, Top-Down Scoping, and Control Rationalization for Line of Business/Cycle 1 and Line of Business/Cycle 2]

• Pilot effort for a single business area

• Benchmarking of key controls, recommendations to streamline

• Perform management testing to validate operating effectiveness

• Top-down scoping across divisions, geographies, offices, etc.

• Prioritize major areas for rationalization based on risk and savings opportunities


Wrap-Up: Workshop Summary

[Table: workshop modules (Control Rationalization Overview, Control Risk-Rating, Company Level Controls, Risk-Based Testing, Cost Analysis, Control Automation Roadmap) by Outcomes and Activities]

Outcomes

• Understand Control Rationalization concepts

• How to apply to Superior

• Examples of applying risk-rating

• How to identify and use CLCs

• Process to apply

• Understand benefits of leveraging automation

• Next steps to apply Control Rationalization to Superior’s control program

Activities

• Define updated approach

• Discuss impact to Superior

• Define approach

• Risk-rate control objectives

• Discuss process and impact to Superior

• Define CLCs and BMCs and process focused

• Identify CLCs that are relevant to Superior

• Discuss approach

• Determine impact on risk-rated controls

• Impact on test approach based on risk-rating

• Examples of applying to Superior controls

• Modeling approach to cost savings

• Define cost analysis approach

• Review modeling of cost savings

• Discuss short and long term impact

• Define roadmap approach

• Discuss next steps

• Wrap up

Wrap-Up

• What we covered today:

– Control Rationalization concepts

– Applying a risk-based approach

– Risk-based testing

– Leveraging CLCs and automation

– Cost analysis model

– High-level roadmap

• Closing Remarks


Presenters

Rex Johnson, CISA, PMP

Senior Manager, Deloitte & Touche LLP

Audit & Enterprise Risk Services

816.802.7733


Devin Amato, CISA, CIA

Manager, Deloitte & Touche LLP

Audit & Enterprise Risk Services

816.802.7255



About Deloitte

Deloitte, one of the nation's leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. "Deloitte" refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte's Web site at www.deloitte.com/us.

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.