Transcript Building Business Value

Introduction
Comments
Regulation
/ Guidance
Internal Controls
COSO
A-123
SAS 55
Yellow Book
SAS 112
1



“Over 800 pages of statutory text govern the
daily decisions of Federal managers …”
Representative Platts
Chairman, Subcommittee on Government
Management, Finance, and Accountability (June
22, 2005)
2
2




“Internal controls are the checks and balances that help managers detect
and prevent problems. They can be as simple as computer passwords or
having a manager sign off on a time sheet, or as complex as installing
software to track spending and detect spikes that signal trouble.
Internal controls provide a foundation for accountability; and, while they
are important in the private sector, sound controls are imperative in
government. Public trust depends on nothing less.
Representative Platts
Chairman, Subcommittee on Government Management, Finance, and
Accountability (February 16, 2005)
3
3


“Events of recent years have dispelled the myth that internal
control is but a mere academic exercise or is of interest only to
accountants or auditors. High profile fraud and mismanagement
in the private sector, and the Federal government’s own financial
reporting problems, have resulted in an increased focus on
management’s responsibility for internal control.”
February 2005, Subcommittee on Government Management,
Finance, and Accountability
4
4


“Government should lead by example. We
should be as good or better than those we are
regulating.”
David Walker, Comptroller General to
Congress (CFO Magazine, June 2003)
5
5




“The policy changes in this circular are intended to strengthen the
requirements for conducting management’s assessment of internal
control over financial reporting. The circular also emphasizes the
need for agencies to integrate and coordinate internal assessments
with other internal control-related activities”
Linda Springer, Controller
Office of Management and Budget
December 21, 2004
6
6

Budget & Accounting Procedures Act of 1950






Internal controls have been talked about for almost 60
years.
Inspector General Act of 1978, as amended
OMB A-123 Management’s Responsibility for
Internal Control (1981)
Federal Managers Financial Integrity Act of 1982
OMB A-50 Audit Follow Up (1982)
GAO Green Book (1983)
7
7

CFO Act of 1990







Financial statement audits for approximately 225 agencies.
Government Performance and Results Act of 1993
Government Management Reform Act of 1994
OMB A-123 Management’s Responsibility for Internal Control
revised (1995)
Federal Financial Management Improvement Act of 1996
Clinger-Cohen Act of 1996
GAO Green Book revised (1999)
8
8
Reports Consolidation Act of 2000
OMB Bulletin 01-02 Audit Requirements for Federal Financial
Statements (2000)
Federal Information Security Management Act of 2002



Includes PIA



Improper Payments Information Act of 2002
Accountability of Tax Dollars Act of 2002



Another 78 agencies must have financial statement audits.
OMB A-123 Management’s Responsibility for Internal Control
revised (2004)
OMB A-136 Financial Reporting Requirements (2004)
9
9










NIST 800-18 Security Plans
NIST 800-30 Risk Assessments
NIST 800-34 Contingency Planning
NIST 800-37 Certification and Accreditation
NIST 800-47 Interconnected Systems
NIST 800-50 Security Awareness
NIST 800-53a Controls (low, moderate, and high)
NIST 800-60 Control categories
NIST FIPS 199 Security Categorization
OMB M 06-16
Where and why do we have to follow NIST standards?
10
10
OMB A-123 Authority:
Federal Managers’ Financial Integrity Act
of 1982 as codified in 31 U.S.C. 3512
References A-123 to provide guidance on
how to implement.
11
“Agencies and individual Federal managers must take
systematic and proactive measures to:”
1.
Develop internal control oriented management.
2.
Assess the adequacy of internal control in programs
and operations.
3.
Separately assess and document internal control.
4.
Identify needed improvements.
5.
Take corrective action.
6.
Report annually through management assurance
statements.
Source: A-123 Revised dated December 21, 2004.
12
A-123 makes references to a host of other regulations to follow
such as:
•
•
•
•
FISMA
IPIA
GPRA
CFO Act
13
What are internal controls?
1.
Compliance with Laws and Regulations.
2.
Reliability of Financial Data.
3.
Effectiveness and Efficiency of operations.
The above is mentioned everywhere (e.g. CFOC A-123
Implementation guide, many SASs, A-123, Greenbook, etc.)
14
A-123 Applicability:
Compliance with A-123 AND Appendix A
Agencies listed within the CFO Act of 1990, as amended by
the Government Management Reform Act of 1994 (cited
in OMB Circular A-136). (ABOUT 225 AGENCIES)
Compliance with A-123 (NOT Appendix A)
Executive agencies, as well as independent agencies and
government corporations within the executive branches
of the Federal government.
15
COSO’s influence on the industry:






National Commission on Fraudulent Financial Reporting (Treadway
Commission) was formed in 1985 from the following 5 organizations:
FEI – Financial Executives International
AAA – American Accounting Association
AICPA – American Institute of CPAs
IIA – Institute of Internal Auditors
IMA – Institute of Management Accountants
16
16
COSO’s influence on the industry:





In 1987, the Treadway Commission issued the Report of the
National Commission on Fraudulent Financial Reporting, which
emphasized:
Importance of control environment
Codes of conduct
Competent and involved audit committees
Active and objective internal audit function
17
17
COSO’s influence on the industry:

In September 1992, COSO issued the Internal Control Integrated
Framework.

Control Environment – tone of the organization

Risk Assessment – assessing the risks of the organization

Control Activities – policies and procedures

Information and Communication – timely communication throughout the
organization

Monitoring – quality control over a period of time
18
18
COSO’s influence on the industry:

In September 2004, COSO issued the Enterprise
Risk Management – Integrated Framework
(ERM).
19
19
20
20
SAS 55
SAS 55
.02
“In all audits, the auditor should obtain an understanding of internal
control sufficient to plan the audit by performing procedures to
understand the design of controls relevant to an audit of financial
statements and determining whether they have been placed in
operation. In obtaining this understanding, the auditor considers
how an entity’s use of information technology and manual
procedures may affect controls relevant to the audit. The auditor
then assesses control risk for the assertions embodied in the
account balance, transaction class, and disclosure components of
the financial statements.”
21
SAS 55
SAS 55
.04
“Alternatively, the auditor may assess control risk at the maximum
level because he or she believes controls are unlikely to pertain to
an assertion or are unlikely to be effective, or because evaluating
the effectiveness of controls would be inefficient.”
Remember: SAS 103 – 112 now come into play….
22
Yellow Book
General
Standards
(chapter 3)
Fieldwork
Standards
(chapter 4)
Reporting
Standards
(chapter 5)
GAAS
(AICPA)
X
X
SAS
(AICPA)
X
X
X
(in addition to
AICPA)
X
(in addition to
AICPA)
X
GAGAS
Note: Yellow Book (GAGAS) engagements are subjected to additional
AICPA standards for both fieldwork
and reporting aspects.
23
SAS 112
1
“It is applicable whenever an auditor expresses an opinion on financial
statements.”
“Requires the auditor to communicate, in writing, to management and
those charged with governance, significant deficiencies and
material weaknesses identified in an audit.”
24
SAS 112
5-6
Deficiency
Type
Control
Deficiency
Significant
Deficiency
Material
Weakness
Likelihood
Magnitude
Remote
Inconsequential
More than
remote
More than
remote
More than
inconsequential
Material
25
SAS 112
9
“The auditor must evaluate identified control deficiencies and determine
whether these deficiencies, individually or in combination, are
significant deficiencies or material weaknesses.
The significance of a control deficiency depends on the potential for a
misstatement, not on whether a misstatement actually has occurred.
Accordingly, the absence of identified misstatement does not provide
evidence that identified control deficiencies are not significant or
material weaknesses.”
26
SAS 112
13
“Multiple control deficiencies that affect the same financial statement account
balance or disclosure increase the likelihood of misstatement and may,
in combination, constitute a significant deficiency or material weakness,
even though such deficiencies are individually insignificant.”
27
SAS 112
14
“… the auditor also should evaluate the possible mitigating effects of effective
compensating controls …”
“Although compensating controls mitigate the effects of a control deficiency,
they do not eliminate the control deficiency.”
28
SAS 112
18
“Deficiencies in the following areas ordinarily are at least significant
deficiencies in internal control:

Controls over the selection and application of accounting principles;

Antifraud programs and controls;

Controls over the period-end financial reporting process, including
controls over procedures used to enter transaction totals into the
general ledger; initiate, authorize, record, and process journal entries
into the general ledger; and record recurring and nonrecurring
adjustments to the financial statements.”
29
SAS 112
19
Each of the following is an indicator of a control deficiency that should be
regarded as at least a significant deficiency and a strong indicator
of a material weakness in internal control:

Ineffective oversight of the entity’s financial reporting and internal control
by those charged with governance.;

Restatement of previously issued financial statements to reflect the
correction of a material misstatement;

Identification by the auditor of a material misstatement in the financial
statements for the period under audit that was not initially identified by
the entity’s internal control;

An ineffective internal audit function or risk assessment function at an
entity for which such functions are important to the monitoring or risk
assessment component of internal control, such as for very large or
highly complex entities.
30
SAS 112
19
Each of the following is an indicator of a control deficiency that should be
regarded as at least a significant deficiency and a strong indicator
of a material weakness in internal control:

For complex entities in highly regulated industries, an ineffective
regulatory compliance function;

Identification of fraud of any magnitude on the part of senior
management;

Failure by management or those charged with governance to assess the
effect of a significant deficiency previously communicated to them and
either correct it or conclude that it will not be corrected;

An ineffective control environment.
31
SAS 112
32
The following are examples of circumstances that may be control
deficiencies, significant deficiencies, or material weaknesses:

Inadequate design of internal control over a significant account or
process;

Inadequate documentation of internal control;

Insufficient control consciousness within the organization;

Absent or inadequate segregation of duties;

Absent or inadequate controls over safeguarding of assets;

Inadequate design of IT general and application controls;

Employees or management who lack qualifications and training;

Inadequate design of monitoring controls; and

Absence of internal process 32for reporting deficiencies
SAS 112
32
The following are examples of circumstances that may be control
deficiencies, significant deficiencies, or material weaknesses:

Failure in the operation of effectively designed controls (e.g. dual
authorization);

Failure to perform reconciliations of significant accounts;

Undue biases on the part of management;

Management override of controls; and
33
Internal Controls
What is Risk?
35
RISK is the threat that an event, action, or non-action will have an
adverse affect on the ability to achieve one’s objectives.
To assess risk, the following process is used:
Identify the Risks
Source the Risks
Prioritize the Risks
What is Internal Control?
Internal Control = Risk Mitigation
36
Internal control is anything that provides reasonable assurance that a specified unwanted action is
prevented or detected. Examples include:
Alarm Clock: designed to prevent oversleeping.
What are the risks?
Speed Limits: designed to prevent aggressive driving.
What are the risks?
Log-on Password: designed to prevent unauthorized access to
the proprietary information.
What are the risks?
What is Internal Control in an Organization?
37
Internal controls are the policies and procedures that help managers and
employees be effective and efficient while avoiding serious problems such as
overspending, operational failure, fraud, waste, abuse, and violations of law.
They provide reasonable assurance that the following three objectives are met:
Effectiveness & Efficiency of
Operations
Reliability of Financial Reporting
Compliance with Laws &
Regulations
Relates to an entity's basic business objectives, including
performance goals and safeguarding of an entity’s resources.
Relates to the preparation of reliable financial reporting,
including interim and consolidated financial statements, as
well as other significant internal and external reports (i.e.
budget execution reports, monitoring reports, and reports used
to comply with laws and regulations).
Relates to complying with those laws and regulations to which
the entity is subject.
What are the Benefits of Good Internal Control?
38

Identification and elimination of waste, fraud and abuse

Reduction of improper or erroneous payments

Enhanced understanding of risk exposure

Sustained performance, efficiency and effectiveness

Reduced level of effort for financial management system implementation or audit

Improved policies and procedures

Streamlined processes

Clear definition of process ownership

Greater accountability

Enhanced audit readiness and internal control attestation readiness

Compliance with laws & regulations
Office of Management and Budget (OMB) and Congressional
Oversight
39


The role of OMB is to assist the President in the development and
implementation of budget, program, management, and regulatory policies. It is
an independent component of the Executive Branch.
Internal control is an integral part of tools currently being used by OMB and
Congress to monitor federal Agencies.
and Accountability Report (PAR) – contains Secretary's
assurance statement on internal and financial management controls
 Program Assessment Rating Tool (PART) – developed to assess and
improve program performance so that the Federal government can achieve
better results
 President’s Management Agenda (PMA) – aggressive strategy for
improving the management of the Federal government. Contains seven
government-wide and nine Agency-specific goals for improvement. Includes a
“scorecard”
 Performance
Internal Control Policy
Legislative / Regulatory Authorities
Internal Control Requirements
Federal Managers' Financial Integrity
Act (FMFIA) of 1982
Federal Financial Management
Improvement Act of 1996 (FFMIA)
Federal Information Security
Management Act of 2002 (FISMA)
Requires that agency CFOs develop and maintain an integrated system
of internal controls and requires GAO to issue internal control standards
Improper Payments Information Act of
2002 (IPIA)
CFO Act of 1990
Provides for estimates and reports of improper payments by Federal
agencies
Government Performance and Results
Act of 1993 (GPRA)
Inspector General Act of 1978
OMB Circular A-123
OMB Circular A-127
OMB Circular A-130
Requires that Federal financial management (FM) systems have reliable
data and comply with financial management requirements
Requires agencies to ensure the adequacy and effectiveness of
information security controls by conducting annual reviews and
reporting results to OMB
Requires that agency CFOs develop and maintain an integrated and
controlled accounting and FM system
Requires agencies to clarify their missions, set strategic and annual
performance goals, and report on performance toward these goals
Requires IGs to report on internal controls when conducting a
performance audit
Requires monitoring and improvement of internal controls associated
with programs
Outlines requirements for FM system controls
Establishes the policy for the management of Federal information
resources
40
OMB Circular A-123
•
Issued under authority of FMFIA; entitled, “Management Accountability and
Control”
•
Provides guidance to Federal managers on improving the accountability and
effectiveness of Federal programs and operations by establishing, assessing,
correcting, and reporting on management controls
•
Requires annual reporting on the effectiveness of management controls
•
Provides the basis for an Agency head's annual assessment and report on
internal controls required by FMFIA
41
Revised OMB Circular A-123
•
Circular A-123 was revised in December 2004
•
Renamed “Management’s Responsibility for Internal Control”
•
Changes developed by Chief Financial Officers Council (CFOC) and the President’s
Council on Integrity and Efficiency (PCIE)
•
Adopts certain concepts from the Sarbanes-Oxley Act of 2002
•
Strengthens management requirements for assessing controls over financial reporting
with the addition of Appendix A, “Internal Controls over Financial Reporting”
•
Took effect FY 2006 – initial report was due in the November 2006 Performance and
Accountability Report (PAR)
42
Overview of Revised Circular OMB A-123
43
The Revised Circular A-123 includes the following Appendices:

Appendix A – Internal Control over Financial Reporting

Appendix B – Improving Management of Government Charge Card Programs (Issued Revised
Appendix B – April 2006)



Increases frequency of review and scope of spending and transaction limits
Limits authorization and blocking card use for ‘high risk merchant category codes”
Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (Issued
August 2006)


Requires a review of all programs and activities to identify those which may be susceptible to significant
erroneous payments and obtaining a statistically valid estimate of the annual amount of improper
payments
Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the
annual amount of improper payments and the progress made in reducing them
Revised OMB Circular A-123, Appendix A Requirements
44
OMB Circular A-123, Appendix A requires Agencies to:
•
ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
•
ESTABLISH a governance structure
•
DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30
- This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
•
TEST the operating effectiveness of internal controls
Revised OMB Circular A-123, Appendix A Requirements (continued)
45
•
INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting,
management, accounting, and auditing
•
SIGN an annual Statement of Assurance in the Performance Accountability Report (PAR) certifying effectiveness of
internal control within the Agency
- Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in
the Performance and Accountability Report by November 15
•
CORRECT deficiencies in internal control over financial reporting
- Agencies must create and execute corrective action plans to promptly and effectively resolve material
weaknesses and other significant deficiencies
Internal Control over Financial Reporting
46
The specific focus of OMB Circular A-123, Appendix A is internal control over
financial reporting



Internal control over financial reporting is a process designed to provide reasonable assurance regarding
reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting
Internal control over a complete process involves controls at every step of the process including
 controls over transaction initiation,
 maintenance of records,
 recording of transactions, and
 final reporting
Internal control over financial reporting also includes
 entity level controls,
 information technology controls, and
 operational and compliance controls
Management Responsibilities
47
Management is responsible for establishing and maintaining
internal control and documentation. Management must:
 consistently
apply the internal control standards of OMB Circular A-123,
Appendix A (i.e., the COSO Framework’s five components)
 develop and maintain activities for the three objectives of OMB A-123 (i.e., the
COSO/GAO Framework)
 maintain up-to-date controls documentation on an on-going basis
 Provide a certification Statement related to the the adequacy of controls (signed
by Secretary)
Manual versus Automated Controls
48
Controls may be either:
•
Manual – implemented through human action
 Example:
General Ledger entries must be reviewed and authorized by
accountant who signs off on an approved document
•
Automated – implemented through system action
 Example:
system
Users must have a valid user id and password to access a
Detective versus Preventative Controls
49
Controls may be either:
•
Detective – provide evidence that an error or exception has
occurred

•
Example: Reviews, analyses, reconciliations, periodic physical
inventories, audits, and surveillance cameras are all examples of
detective controls
Preventative – are proactive in that they attempt to deter or
prevent undesirable events from occurring

Example: Separation of duties, proper authorization, passwords, and
physical control over custody of assets are all examples of
preventative controls
Control Activities Specific for Information Systems
50
There are two types of Information System Controls:
General Computer Controls (GCCs): Pervasive, over-arching controls that affect
every transaction. Used to manage and control the organization’s information
technology infrastructure.

Application Controls: Controls that cover the processing of data within an application
or computer program.

OMB Circular A-123 states, “general and application controls over information systems
are interrelated; both are needed to ensure complete and accurate information
processing.”
Control Activities Specific for Information Systems:
General Computer Controls
51
General Computer Controls should be designed to ensure that:
•
The overall IT environment is well-controlled
•
The IT organization is fit for its purpose, and there is proper management control
over information systems
•
Critical processing can be restored timely in the event of a prolonged outage (data
/ systems are backed up)
•
New applications and changes to existing applications are properly authorized
and only approved modifications are moved to the production environment
•
Physical and logical security controls restrict access to data, systems and sensitive
facilities
Control Activities Specific for Information Systems:
General Computer Controls (continued)
52
Examples of General Computer Controls include:
•
•
•
•
•
Monitoring of Adherence to Entity-wide Security Program
Data Processing Policies and Procedures
Continuity of Operations Plan (COOP)
Regularly Scheduled and Documented Change Control Board Meetings
Properly Completed and Maintained Access Request Forms
What must be assessed?
•
•
•
•
•
•
Security Planning and Management
Change Control
Segregation of Duties
Access Controls
Service Continuity
System Software
Control Activities Specific for Information Systems:
Application Controls (continued)
53
Examples of Application Controls include:
•
•
Automated controls built into the application (computerized edit checks and required
passwords)
Manual controls surrounding the application (manual reconciliations of interfaced
applications, management sign-offs, and reviews of audit logs)
What must be assessed?
•
•
•
Input Controls (access restrictions, validity checking, source documents)
Processing Controls (integrity controls, error messages, job scheduling)
Output Controls (report generation and distribution, manual review of reports for obvious
errors)
Entity Level Controls



Definition: Entity Level Controls are controls that
management has in place to ensure that the
appropriate controls exist throughout the
organization, including at the individual agencies.
Entity Level Controls
Responsibility: Entity Level Controls are assessed
at both the agency and department level.
Purpose: Entity Level Controls can have a
pervasive effect on the overall control effectiveness
of the organization therefore the assessment of
entity-level controls is essential to the overall
evaluation of controls.
54
Assessing Risk
55

What is meant by Assessing Risk?
 Assessing
Risk
 Assess:

to determine the importance, size, or value of
 Risk:

A state of uncertainty where, if specific events or conditions occur,
there exists a possibility of an undesirable outcome.
Key Terms
56










Confidentiality
Integrity
Availability
Issue
Exception
Negligible Exception
Isolated Incident
Control Deficiency
Significant Deficiency
Material Weakness
FISMA
57

The Federal Information Security Management Act (FISMA)
established in December 2002 requires each federal agency
to develop, document, and implement an agency-wide
program to provide information security for the information
and information systems that support the operations and assets
of the agency, including those provided or managed by
another agency, contractor, or other source.
A-123 Appendix A
58

A-123 Appendix A was added in December 2004
to incorporate Sarbanes-Oxley Section 404
principles into federal financial management.
 Revision
deals primarily with internal controls over
financial reporting.

A-123 Appendix A effective FY 2006.
FISMA and A-123 Appendix A
involvement with assessing risk
59



In order to maintain a secure environment for information
and information systems under FISMA a well established set
of internal controls should be developed and executed.
FISMA internal controls incorporate the financial internal
controls designed by A-123 Appendix A.
A necessary element in maintaining a set of internal controls
is performing risk assessments.
60
FISMA Compliance
NIST
800-53
Controls
Financial
Reporting
Controls
A-123 Appendix A
Assurance Statement
Financial
Reporting
Controls
Vulnerability
61

Definition


open to attack or damage
Vulnerability is defined as “a weakness or shortfall in a
system that reduces the system’s ability to protect system
assets. The vulnerability can be used by the absence of a
needed security feature, by some inadequacy in the
functioning of an existing security feature”.
Threat
62

Definition:


an indication of something impending
Threat is defined as “an unwanted event or attack against an
IS asset…(that) exploits a vulnerability and is carried out by a
threat agent, such as an insider, intruder, hostile intelligence
service, or terrorist.
Significance
63

Definition:


the quality of being important
Significance is defined as “the magnitude of consequence or
quantification of the damage that may be done if a threat is
carried out and an unwanted event occurs.
Household Example
64

Backyard Pool
 Objective:
Keep Child Alive
 Threat: Child may drown in backyard pool
 Vulnerability: Pool gate does not have a lock, child
cannot swim, child is exploratory
 Significance: Loss of a loved one
 POAM: Teach the child to swim / Add lock
General Overview
65


Assessing Risk is more than just an annual process, it is
continually evolving as the company changes on a day to day
basis.
How does the scenario and risk rating change under the
following conditions:






Multiple Children
Children are all over the age of 15
House is located 50 miles from neighbors
No Children within the house
3 Children under the age of 7
Changes in the environment change the Risk situation.
Limited resources - POAM
66

How do we accomplish the control objective
when we have limited resources?
 Resource
limitation could include:
 Cost
to complete
 Time Available
 Number of people required to accomplish the objective
 Availability of resources
 Requires
prioritization to use the resources
effectively
Security Objective
Confidentiality
Integrity
Availability
Control Deficiency
Significant Deficiency
Material Weakness
Exists when the design or
operation of a control does
not allow management or
employees, in the normal
course of performing their
assigned functions, to prevent
the unauthorized disclosure of
sensitive information.
Exists when a control deficiency, or
combination of control deficiencies,
adversely affects the entity’s ability to
protect sensitive information, such
that there is more than a remote
likelihood of the unauthorized
disclosure of sensitive information,
that could be expected to have a
serious adverse effect.
Exists when a deficiency, or
combination of significant
deficiencies, results in more than a
remote likelihood of the
unauthorized disclosure of
sensitive information that could be
expected to have a severe or
catastrophic adverse effect .
Exists when the design or
operation of a control does
not allow management or
employees, in the normal
course of performing their
assigned functions, to prevent
or detect misstatements of
data (both financial and nonfinancial data) on a timely
basis.
Exists when a control deficiency, or
combination of control deficiencies,
adversely affects the entity’s ability to
initiate, authorize, record, process, or
report data (both financial and nonfinancial data) reliably, such that
there is more than a remote
likelihood that a misstatement of the
entity’s reports (both financial and
non-financial reports), that is more
than inconsequential will not be
prevented or detected.
Exists when a deficiency, or
combination of significant
deficiencies, results in more than a
remote likelihood that a material
misstatement of the entity's reports
(both financial and non-financial
reports), will not be prevented or
detected.
Exists when the design or
operation of a control does
not allow management or
employees, in the normal
course of performing their
assigned functions, to protect
the availability of critical
information resources and
continuity of operations.
Exists when a control deficiency, or
combination of control deficiencies,
adversely affects the entity’s ability to
protect critical information resources
and continuity of operations, such
that there is more than a remote
likelihood that a disruption of the
entity's operations that could be
expected to have a serious adverse
effect.
Exists when a control deficiency, or
combination of control deficiencies,
adversely affects the entity’s ability
to protect critical information
resources and continuity of
operations, such that there is more
than a remote likelihood that a
disruption of the entity's operations
that could be expected to have a
severe or catastrophic adverse
effect.
Issue Handling
Gauging the Problem
68
Issues
Exceptions
Assessing
Risk
Framework
Level of
Deficiency
(CD, SD, MW)
A Day in the Life of a Deficiency
Framework Evaluation
69
Identify/
Verify
Mitigating
Controls
Aggregation
Remediation
Issue
Identified
Deficiency
Remediated
Assess
Likelihood and
Magnitude
Deficiency
Evaluation
POA&M
Creation
70
Identify and Verify
(covered in Test Procedure Training)
Identify and Verify
71

Once an issue has been identified, the following
should be performed:

Speak with the control owner.
Determine whether the correct understanding was obtained.
 Determine whether there is any other evidence of the control.


If the issue still exists, confirm with management that it is a
true exception.
72
Defining
Exceptions
Exceptions are deviations from the predefined expectations of control



activity statements.
 Exceptions can be found when assessing the design of the control
activities, or when performing operating effectiveness testing of
the control.
An exception may be detected or a control may not operate as
expected for a number of reasons.
 The person who normally performs the control was absent for a
period of time.
 The control may have broken down.
If the person who normally performs the work was absent or the
control broke down for other reasons, the individual performing this
control should attempt to identify any additional Redundant Controls
that might be in place to help achieve the objective.
Defining Exceptions (cont.)
73


Consider whether or not the identified exception is an isolated
incident, and therefore a negligible exception.
Consider whether the exception is within the tolerable
deviation rate (frequency of the control must be at least daily).
 Tolerable deviation - the number of exceptions the
auditor will permit in the population and still be willing to
rely on internal controls.
74
Redundant Controls
 Redundant Controls (identified and tested) that operate
effectively should be considered when evaluating an
exception.



Redundant Controls can be found in different control objectives or
NIST controls, and help to eliminate the deficiency.
The identified Redundant Controls need to be tested, and be
operating effectively in order to be considered in the exception
evaluation process.
Note: Redundant Controls can eliminate a control
deficiency
Identify and Verify, cont’d
75
Other Comments:
 Not all exceptions within testing will result in a
deficiency.
 Key
factor is whether the control objective, or NIST
control, is met

Evaluation requires professional judgment
considering:
 Quantitative
and qualitative factors
 Implications with regard to other controls
76
Likelihood and Magnitude
Assessing Risk – Exception Risk
77

Evaluate the risk level of each deficiency that is identified.

Level of Risk depends on:


Proximity of the deficiency to the actual data.
Likelihood – the chance that the deficiency could cause an undesirable outcome



Magnitude – the size or extent of an undesirable outcome that may change or influence
the judgment of a reasonable person


Vulnerability
Threat
Significance
The level or risk does not depend on whether an undesirable outcome has
actually occurred, but rather on whether there is a reasonable possibility
that the department/agency’s controls will fail to prevent or detect an
undesirable outcome.
Likelihood
Threat (including Threat Agent)
78





Capability
History
Gain / Motivation
Attributable
Detectability
Likelihood
79

Determine if it is reasonably possible that the failure of the control or
combination of controls will fail to prevent or detect a undesirable
outcome.



Determine the likelihood of an undesirable outcome, not likelihood of a
material undesirable outcome.
Evaluation of likelihood can be made without quantification of the
probability of the occurrence of an undesirable outcome.
Risk factors affecting likelihood:

The subjectivity, complexity, or extent of judgment required to determine
the amount involved;

The interaction or relationship of the control with other controls, including
whether they are interdependent or redundant;

The possible future consequences of the deficiency.
Magnitude
80

Significance
 Loss
of Life
 Top Secret/Secret
 Confidential
 Privacy Data
 Operations Impact
 Equipment Loss
 Data Integrity / Accuracy
Network
Operating
System
IT Control
Environment
Application
Program
Development
Data Files /
Databases
Computer
Operations
Access to
Programs &
Data
Program
Changes
83
Compensating Controls
Compensating Controls
84

Definition:
 to
cause to become less harsh or hostile
 Compensating Controls are controls that operate at a
level of precision that would reduce the potential
impact of the deficiency to the organization.
85
Compensating Controls
 Compensating Controls (identified and tested) that
operate effectively should be considered when evaluating
the level of a deficiency.



Compensating Controls can be found in different control objectives
or NIST controls, and help to decrease the severity of the
deficiency.
The identified Compensating Controls need to be tested, and be
operating effectively in order to be considered in the deficiency
evaluation process.
Note: Although Compensating Controls can reduce the
severity of a control deficiency, they do not eliminate the
control deficiency.
Example of Redundant vs. Compensating Controls
86
Control Objective: Only authorized users can access application data
Control Activity:
Application Access is disabled
within 5 days of a user’s
termination
Example of Redundant vs. Compensating Controls
87
Control Objective: Access Controls
Control Activity:
Application Access is disabled
within 5 days of a user’s
termination
Mitigating
Control:
Security badges are obtained
upon termination, preventing
physical access to the
building
Example of Redundant and Compensating Controls
88
Control Objective: Access Controls
Control Activity:
Application Access is disabled
within 5 days of a user’s
termination
Mitigating
Control:
Network access is disabled
based on notification from HR
of termination.
Mitigating
Control:
Security badges are obtained
upon termination, preventing
physical access to the
building
Example of Redundant and Compensating
89
Control Objective: Access Controls
Control Activity:
Application Access is removed
within 5 days of a user’s
termination
Compensating
Control:
User IDs are deleted upon
weekly notification of
termination from HR
90
Evaluating Deficiencies
Deficiency Evaluation
Issue Evaluation
91
 Issue Evaluation

Step 1:
 Determine whether further evaluation is necessary
 Deficiency Evaluation

Step 2:
 Determine the Level of Deficiency
Deficiency Evaluation, cont’d
Magnitude of undesirable
outcome that occurred, or could
have occurred
Quantitatively or qualitatively
material
Likelihood of an undesirable outcome
More Than Remote
Remote
Material Weakness
Significant Deficiency
Significant Deficiency
Control Deficiency
Control Deficiency
Control Deficiency
More than inconsequential, but
less than material
Inconsequential (i.e., immaterial)
92
Internal Control
Definitions – A-123, Financial Reporting
Significant
Deficiency
Material
Weakness
Likelihood
More than
Remote
More than
Remote
Magnitude
More than
Inconsequential
Material
93
Costs vs. Benefits
94


In some cases it is adequate to accept the risk of an
undesirable outcome.
Factors that should be considered when making this
decision include:
 Cost
vs. Benefit analysis
95
Aggregating
Deficiencies
Aggregation of Deficiencies
96
Internal
Control
InternalControl
Control
Internal
Deficiency
Deficiency
Deficiency
Internal
Control
InternalControl
Control
Internal
Deficiency
Deficiency
Deficiency
Internal
Control
InternalControl
Control
Internal
Deficiency
Deficiency
Deficiency
Internal
Internal
Control
InternalControl
Control
Deficiency
Deficiency
Deficiency
Significant
Significant
Significant
Deficiency
Deficiency
Deficiency
Material
Material
Material
Weakness
Weakness
Weakness
Significant
Significant
Significant
Deficiency
Deficiency
Deficiency
Aggregation of Deficiencies, cont’d
97

Consider all control deficiencies and significant deficiencies in the
aggregate by:




Significant account balance or disclosure
NIST family (i.e., Access Control, Audit and Accountability, or Configuration
Management)
Consider any prior year unremediated findings when performing
aggregation.
Control deficiencies related to a specific account balance or disclosure
increases the relative likelihood and potential magnitude of undesirable
outcome compared to when only one individual control deficiency exists.
Aggregation of Deficiencies,
cont’d
98


If you agree with the aggregation of deficiencies noted, a position paper is
not necessary.
After completing your evaluation of the aggregation of the deficiencies,
consider writing a position paper in instances where you disagree with the
results of aggregation presented by the auditors.