Information Systems Security Risk & Controls.


Raj Mehta – Partner CPA, CITP, CISA, CISSP 713-982-2955 [email protected]

Enterprise Risk Services

DISCUSSION ITEMS

• Trends in IT Documentation/Testing
• Definition and Evaluation of Deficiencies
• Rollforward Procedures
• Q&A

IS Security Risk & Controls ©2003 Deloitte & Touche LLP

Trends in IT Documentation

• In scope applications, third-party providers, infrastructure, etc., still keep changing!

• Documentation does not focus on key aspects related to financials

Trends in IT Documentation

• Documentation trends fall between two extremes:
– Very high level: "Who cares?"
– Too granular: "How can you miss that?"

• IMPACT = STILL DOCUMENTING, COSTING MONEY & RESOURCES

Trends in IT Documentation

• SCOPE it right
– How important are the application control(s) for the transaction life cycle?
– Transaction level life cycle: Initiate → Authorize → Record → Process

Trends in IT Documentation

• Disconnect of “process/manual” controls from application controls assessments based on “silo” approach.

• Disconnect between authentication and authorization – authorization decisions rest on the identity that authentication establishes, so if an application's authentication controls are "weak" and fail, its authorization controls fail with them.
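The point about authentication and authorization is easiest to see in code. The following is an added illustration, not code from the original deck: a constructed payroll-approval function whose role check is correct, first behind an authentication control that simply trusts a client-supplied header, then behind one that derives identity from an HMAC-signed token. The user table, secret, header names and function names are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed user/role table for the example (not from the deck).
ROLES = {"alice": "payroll_admin", "bob": "clerk"}


def authorize(username, action):
    """Authorization control: only payroll_admin may approve a payroll run.

    This check is correct on its own; what it cannot do is verify that
    `username` is really who submitted the request. That is authentication's job.
    """
    if action == "approve_payroll":
        return ROLES.get(username) == "payroll_admin"
    return False


# --- Weak authentication: the application trusts an X-User header ---------
def authenticate_weak(headers):
    """Returns whatever identity the client claims. Any caller can assert any user."""
    return headers.get("X-User")


def approve_payroll_weak(headers):
    user = authenticate_weak(headers)
    return user is not None and authorize(user, "approve_payroll")


# --- Stronger authentication: identity comes from a server-signed token -----
SECRET = b"server-side-secret"  # constructed; in practice loaded from a secret store


def issue_token(username):
    """Server-side token issuance (assumed helper): 'username.hexmac'."""
    tag = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def authenticate_token(headers):
    """Accepts an identity only if the token's MAC verifies under the server secret."""
    token = headers.get("Authorization")
    if not token or "." not in token:
        return None
    username, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return username


def approve_payroll_strong(headers):
    user = authenticate_token(headers)
    return user is not None and authorize(user, "approve_payroll")


if __name__ == "__main__":
    # A clerk forging the admin's name defeats authorization behind the weak control...
    print(approve_payroll_weak({"X-User": "alice"}))          # True, even if bob sent it
    # ...but not behind the signed token, where a forged name fails authentication.
    print(approve_payroll_strong({"Authorization": "alice.0000"}))  # False
    print(approve_payroll_strong({"Authorization": issue_token("alice")}))  # True
```

The `authorize` function is identical in both paths; the only thing that changes is whether the identity it receives can be trusted. That is why a failed authentication control has to be evaluated as if every downstream authorization control on that application had failed too, and why the payroll example later in this deck treats the whole Payroll Expense balance as the exposure.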

Evaluation of Deficiency Definitions:

• A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

• A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.


How to determine?

• Evaluate magnitude and likelihood
• Potential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality are presumed to be more than inconsequential.
• Potential misstatements less than 20% of overall annual or interim financial statement materiality may be concluded to be more than inconsequential as a result of the consideration of qualitative factors, as required by AS2 (PCAOB Auditing Standard No. 2).

Themes

• Important to correctly classify the type of control deficiency
– Application control deficiencies
– GCC (general computer control) deficiencies
• GCC are evaluated in relation to their effect on application controls
– GCC deficiencies do not directly result in misstatements
– Misstatements result from ineffective application controls

Theory – Evaluating Process Level Controls (Applications)


Theory – Evaluating Process Level Controls (Applications) – cont.


Box 1. Are there complementary or redundant GCC that were tested and evaluated that achieve the same GCC objective?

Box 2. Are there application control deficiencies of a design or performance nature that are related to or caused by the GCC deficiency?

Box 3. Are there application control deficiencies related to or caused by the GCC deficiency classified as only a deficiency?

Box 4. Are there application control deficiencies related to or caused by the GCC deficiency classified as a significant deficiency?

Box 5. Does additional evaluation result in a judgment that the GCC deficiency is a significant deficiency? Would a prudent official conclude that the GCC deficiency is a significant deficiency?

How does this work for IT controls?

• Application/Process Level Controls:
– Group deficiencies together by Major Class of Transactions (related processes) – e.g., for the Expenditure cycle include deficiencies from procurement, invoice processing, cash disbursements, etc.
– For application-specific issues, consider which aspects of the transaction life cycle are affected and the volume and dollar amount of transactions (e.g., if the authentication control fails for the Payroll system and there are no compensating/mitigating controls, then the Payroll Expense balance is the total exposure and has to be evaluated for materiality).

• General Computer Controls:
– Can the failure be isolated to specific application(s) or is it truly pervasive? For example, UNIX security may just impact the Payroll system, whereas user access administration will likely impact all systems.

• Consider factors related to the deficiency:
– Nature and significance of deficiency
– Proximity of control to applications and data
– Pervasiveness of control across applications and processes
– Complexity of entity's systems environment
– GCC deficiency supporting applications related to accounts susceptible to loss or fraud
– Cause and frequency of known or detected exceptions in the operating effectiveness of GCC
– An indication of increased risk evidenced by a history of misstatements relating to applications affected by the GCC

Likely Candidates for SD (Significant Deficiency) or Higher related to IT?

• Information Security
• Change Controls

Roll Forward Procedures

• Management has a responsibility to update/roll forward its interim evaluation for purposes of its assessment and reporting on the effectiveness of internal control to the "as of" date as required by the SEC's Final Rule, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports:

"The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective."

• The SEC Rule also requires:

". . . a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter (or the issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting."

Roll Forward Procedures (cont.)

Evaluation of Design Effectiveness: Identify and evaluate significant changes in the business or the business environment in which the company operates that may impact the continued effectiveness of the design of ICFR. Procedures may include:
– Considering the results of the monitoring processes
– Identifying and responding to new risks as they are identified (continuously updating the risk assessment process)
– Making inquiries of managers and others as to their knowledge of any significant changes or events that may affect the design of internal control
– Updating the self-assessment process, whereby the organization confirms the continued design effectiveness of internal control

Roll Forward Procedures (cont.)

Tests of Operating Effectiveness: Determine whether significant changes in the operating effectiveness of ICFR have occurred. Procedures may include:
– Considering the results of the monitoring processes
– Performing independent tests, whereby the test may be applied directly to the control activity or by:
– Testing an effective control that specifically monitors the continued operation of the underlying control activity (e.g., review of the bank reconciliation)
– Testing an effective control upon which the underlying control activity is dependent (e.g., program change controls)
– Updating the self-assessment process, whereby the organization confirms the continued operation of the controls. To ensure integrity, the self-assessment process should be tested periodically by someone independent of the self-assessment process (e.g., internal audit).

Q&A

• Any questions?

• Thank you

Deloitte & Touche LLP – A member firm of Deloitte Touche Tohmatsu