Transcript Texas Instruments IT P2P

The GAIT Methodology
A Guide to Assessing the Scope of
IT General Controls
A Top-Down, Risk-Based Approach to the
Scoping of Key ITGC
GAIT
Topics Covered:




Problems with IT SOX Compliance
Overview / Advantages of GAIT
The Four Principles
The Methodologies – Five Phases
 Bonus discussion
 Implementation
 Examples
The Problem
 Challenge defining an effective and efficient scope for
the annual assessments of ICFR
 Internal control assessments and testing by
management and external auditors was not focused on
risk of material errors (e.g., not following a risk-based
approach)
 Lack of established guidance (i.e., inconsistency and
subjectivity, reliance on checklists, etc.)
 CobiT and ITGI provide more scope than SOX expects,
causing companies to do too much
 Significant cost overruns
Why was GAIT formed?
 Difficulty defining the key IT general controls required to
address risks of material errors to financial reports
 Based on these problems, the IIA noticed the need to
help companies identify key IT general controls where a
failure indirectly result in a material error to the financial
statements
4
Who helped with GAIT?
Core team of 7 people wrote and edited the
documents
•
•
•
•
•
•
•
Christine Bellino, Jefferson Wells
Ed Hill, Protiviti
Fawn Weaver, Intel
Gene Kim, Tripwire
Heriot Prentice, The IIA
Norman Marks, Business Objects
Steve Mar, Microsoft – Team Leader
Advisory Board
• CPA Firms – Big Four, Mid-sized Firms
• SEC Registrants
• Regulators
5
Who is a part of GAIT?
The Institute of Internal Auditors
• IIA Support Staff
• Advanced Technology Committee
Others
• American Institute of Certified Public Accountants
(AICPA)
• International Federation of Accountants (IFAC)
What is GAIT?
 GAIT provides a set principle and methodology that
facilitates the cost-effective scoping of IT general control
assessments
 GAIT is a reasoned thinking process that continues the
top-down and risk-based approach to assess risk in
ITGCs
 GAIT focuses on identifying risk in IT processes that
could affect critical functionality needed to prevent/detect
material errors
 Control objectives are identified in GAIT, but not specific
key controls
How does GAIT work?
 The GAIT document has two main parts:
 Four Core Principles
Define the relationship between business risk, IT
general controls risk, and the IT general controls that
can mitigate these threats as they pertain to financial
reporting objectives
 Five Phase Methodology
Helps organizations to examine each financially
significant application and determine whether failures in
the IT general control processes at each layer of the IT
infrastructure represent a likely threat to the consistent
operation of the application's critical functionality –
HOW TO APPLY THE PRINCIPLES
Advantages of Applying GAIT
 Two Primary Advantages
 Improves cost effectiveness of IT General Controls
auditing by including within audit scope only the
elements or layers of infrastructure and IT general
control processes that are relevant to financial control
risks.
 Aids in the documentation of scoping decisions.
Overall GAIT Scoping
RISK of material misstatement/fraud
to financial statements & disclosures
Significant accounts
Business processes
Business controls
Applications
General Controls
Scope SOX according to RISK of material misstatement/fraud.
IT Risk Assessment and Scoping
STEP 1:
validate
understanding
Significant accounts
Business processes
Business controls
Applications
IT Process Controls:
STEP 2: perform
risk assessment
at each layer
Change Mgt, Operations, Security
» Application
» Database
» Operating System
» Network
STEP 3: Conclude: is it REASONABLY LIKELY a failure in this IT Process area
could impact application controls & result in a material misstatement?
Reasonableness
Risk is not eliminated;
is it reduced to a
REASONABLE level.
Risk of not using GAIT
Ignoring a top-down and risk based approach starting
at the financial statements and significant account
level, increases the likelihood that:


Controls may be assessed and tested that are not critical,
resulting in unnecessary cost and diversion of resources
Controls that are key may not be tested, or may be tested
late in the process, presenting a risk to the assessment or
audit
GAIT’s Four Principles
1.
The identification of risks and related controls in IT
business processes should be a continuation of the topdown and risk-based approach used to identify significant
accounts, risks to those accounts, and key controls in the
business processes.
2.
The IT general control process risks that need to be
identified are those that affect critical IT functionality in
financially significant applications and related data.
GAIT’s Four Principles
3.
The IT general control process risks that need to be
identified exist in processes and at various IT layers:
application program code, databases, operating systems,
and network.
4.
Risks in IT general control processes are mitigated by the
achievement of IT control objectives, not individual
controls.
Financially Significant – Definition
 Application: contains functionality relied upon to assure
the integrity of the financial reporting process.
– Should that functionality not function consistently and
correctly, there is at least a reasonable likelihood of a
material misstatement that would not be prevented or
detected.
 Data: data that, if affected by an unauthorized change
that bypasses normal application controls (i.e., as a
result of an ITGC failure), is at least reasonably likely to
result in a material misstatement that would not be
prevented or detected.
The GAIT Methodology
. . . guides you by asking
three questions:
1.
2.
3.
What IT functionality in the financially significant
applications is critical to the proper operation of the
business process key controls that prevent/detect
material misstatement?
For each IT process at each layer in the stack, is there
a reasonable likelihood that a process failure would
cause the critical functionality to fail — indirectly
representing a risk of material misstatement?
If such IT business process risks exist, what are the
relevant IT control objectives?
Phases of GAIT Methodology
AS5
Identify controls over financial reporting to provide
reasonable assurance as to their reliability
Phase 1
Identify and validate critical IT functionality
Phase 2
Identify significant applications where ITGCs need to be tested
Phase 3
Identify ITGC process risks and related control objectives
Phase 4
Identify ITGC to test that meet control objectives
Phase 5
Perform a reasonable person review
AS5
Top Down Approach
 Effective internal control over financial reporting
provides reasonable assurance regarding the reliability
of financial reporting and the preparation of financial
statements.
 The auditor should use a top-down approach to the
audit of internal control over financial reporting to select
the controls to test. A top-down approach begins at the
financial statement level and with the auditor's
understanding of the overall risks to internal control over
financial reporting.
AS5 (cont’d)
Role of IT
 The auditor should assess the extent of information
technology ("IT") involvement in the period-end financial
reporting process;
 The identification of risks and controls within IT should
not be a separate evaluation but, rather, an integral
part of the auditor's top down risk assessment, including
identification of significant accounts and disclosures and
their relevant assertions, as well as the controls to test.
Methodology – Phase 1
Identify and validate critical IT functionality
1.
2.
3.
4.
Review key controls, reports, and other functionality in
the company’s business processes and determine which
are manual and which are automated.
Develop a list of critical IT functionality.
Confirm key automated controls.
Determine whether there is additional critical IT
functionality not identified as a key control.
Real Life Examples
1. Depreciation expense is automatically computed from
fixed asset system.
2. Hours transferred or keyed into ADP are reconciled to
hours in E-time by a weekly hours report.
3. ADP reports are balanced against the hourly Kronos
reports and the non-exempt employee manual
spreadsheet.
4. Total dollars received daily are transmitted to Corporate
Treasury from Data Control. These totals are added to
the Daily Cash Control Statement for reconciliation by
Corporate Treasury.
5. Billing Services receives an email weekly with a report
on Duplicate Meters…
6. The Work Management System used by the production
groups assigns work order numbers to specific jobs
and types of activities.
Real Life Examples (cont’d)
7. The Treasury Department records interest expense
using the STX system.
8. Based on the actuary reports and payroll data, a memo
is prepared and sent prior to January closing by the
Lead Accountant to the Controller, Director of
Accounting …
9. At the end of each month-end close, capital stock
amounts are verified by Corporate Accounting with
reports prepared by Investor Relations/ Treasury.
10. A pocket database is created that stores the last 15
days of read data and is maintained internally by IT. In
the event of connectivity problems with MeterNet, these
reads can be utilized to complete billing activities.
11. Meter read data is auto validated by the Validator-2000
application (meter reads are compared to meter pulse
data) …
Some Systems Hiding Places
“Additional critical IT functionality not identified as a key
control”
Some places to look:
 Stock options
 Taxes
 Hedging activities (fuel, currency, inventory)
 Depreciation
 Reserves (warranty, pension, etc.)
 Bonds/loans
__________________________
GAIT Bonus – Key Spreadsheets
Many organizations wrestle with properly
identifying (scoping) and testing key
spreadsheets
 Overwhelmed by the number of spreadsheets
 Some define key based on complexity, not
necessarily significance
 (Don’t forget Access databases, etc.)
 GAIT approach offers a good approach to begin:
What financial controls indicate
spreadsheets?
Key Spreadsheets - Examples
1. Comparison of prepaid amounts to forecast and budget
is performed monthly by the Staff Accountants.
2. Each month, Accounting will run a miscellaneous query
and review the adjustments charged to the Dollar
Scholar general ledger account.
3. Billing Services also populates an Excel spreadsheet in
the Accounting E: drive with the reissued check number
and amount.
4. An accountant in the Corporate Accounting Department
maintains an Excel worksheet for fixed rate long-term
debt, and an Excel worksheet for interest expense
related to variable rate long-term debt.
5. Equity compensation worksheets and totals are
reconciled to the Long Term Incentive Plan (LTIP) file
from the Corporate Secretary’s office quarterly.
Methodology – Phase 2
Identify significant applications where ITGCs
need to be tested
1.
2.
Sort the critical IT functionality by application.
Identify the financially significant applications that
are in scope for ITGC.
Methodology – Phase 2
Continue only with
financially significant applications
(AND the applications used by IT to administer
the ITGC)
Methodology – Phase 3
Identify ITGC process risks and related
control objectives
Risk of IT Process Failures
1. What is the likelihood of an IT process failure
occurring and what is the potential impact?
2. What is the likelihood of the IT process failing in
such a way that it would cause the critical IT
functionality to fail?
3. Is it at least reasonably likely that the critical
functionality would fail without prompt detection
and result in a material error in the financial
statements?
Methodology – Phase 4
Identify ITGC to test that meet control
objectives
1. Consider the pervasiveness of ITGC . . .

Are there risks that may affect multiple applications and their
critical IT functionality?
2. Select Key IT general controls to test.



Consider the entire stack
Consider the nature of the stack
Are their common stacks
3. Link each key IT general control to the control
objectives identified through GAIT.
Processes within the Stack
IT Process Controls:
Process
Change
Mgt
Operations
Security
Etc…
Application
Database
O/S
Network
Sample GAIT Matrix
Methodology – Phase 5
Perform a reasonable person review
1. Confirm that the risks and key controls represent a
reasonable view of risk to financial reporting.
2. Ensure that the selection of risks is reasonable, given
the organization’s risk tolerance in their 404 scope.
33
Risk Factors
Factors that affect the risk associated with a
control include:
• The degree to which the control relies on the
effectiveness of other controls (e.g., the control
environment or information technology general controls);
• Whether the control relies on performance by an
individual or is automated (i.e., an automated control
would generally be expected to be lower risk if relevant
information technology general controls are effective);
Case Study 1
Energy Trading Company
•
•
•
•
Key IT general controls reduced from 48 to 20
Able to consolidate many of the controls
Added 2 applications due to reliance of financial controls
Identified other risk areas related to a key application
Case Study 2
Financial Institution
• Eliminated 3 systems from scope – no controls
dependent upon the systems
• Able to eliminate all Network related controls except for
access
• Some controls were added back at management’s
request due to the immaturity of the processes
• At another financial institution was able to eliminate a
whole class of servers and corresponding infrastructure
Case Study 3
Utility Company
• Reduced key IT general controls from 49 to 18
• Reduction had significant potential for reducing
administrative overhead
• Paved the way for self assessment program
• Able to provide good rationale for in-scope applications
Implementation GAIT
 Prior to implementing GAIT, companies should
perform a top-down, risk-based assessment of
their business processes and identify the key
controls in those processes.
 GAIT will utilize the information gathered from this
assessment and define what functionality within
the IT applications is critical and to see what IT
applications provide this functionality.
Maximizing GAIT’s Implementation
Tips and Techniques
 Start with a top-down, risk-based assessment of each
risk and key control in the business process being
evaluated
 Build a team of internal controls experts with both
business and IT knowledge to complete or review
GAIT results
 Engage external auditor
 Perform GAIT assessment early in the process
 Focus on getting scope right, not just on reductions
 Document results carefully and be sure to explain
what is and is not in scope
More Information . . .
 GAIT Resources
www.theiia.org
 Questions? Ask Dr. GAIT
[email protected]
Questions?
• Feel free to contact me with questions:
Bill McSpadden, CISA
Protiviti
913-685-6200 or 913-661-7403
[email protected]