
Internal Audit and IT's Role In
A Down Economy
Devin Amato & Heidi Zenger
Deloitte Enterprise Risk Services
Kansas City ISACA
February 12, 2009
Topics
Contract Risk & Compliance
Renewed focus on Data Mining
Controls Rationalization
The Next Wave of Green IT
Copyright © 2009 Deloitte Development LLC. All rights reserved.
Contract Risk & Compliance
What is Contract Risk & Compliance (CRC)?
Contract Risk & Compliance helps organizations
optimize the performance of strategic business
relationships by promoting the integrity and
reliability of the contracts that underlie their
business relationships
• Impacts profits by reclaiming contractual revenue
• Reduces risk by improving processes and
controls
The Extended Enterprise
Contractual Obligations and Business Processes
• Outsourcing (on/off shore), licensing of IP, grants, JVs, alliances
• Exposure to brand or reputation risk
• Revenue leakage, unauthorized product distribution, licensing of IP
• Paying for potentially unwarranted variable costs under complicated, cost-plus contracts such as advertising
(Diagram: the company at the center, surrounded by its counterparties: suppliers, affiliates, joint ventures, franchisees, distributors, agents, licensees and customers)
The Extended Enterprise
Contractual Obligations and Business Processes
(Diagram: contract types grouped by counterparty, with the industries in which each group is most common)
Consultative (internal): Contract Management; MFN/MFC; Sales & Marketing; Outsourcing; Strategic; Procurement
Supply-Side Partners: Advertising; Internet; Manufacturer (costing); MFN/MFC; Benefits; Outsourcing (IT, call center); Warranty; Construction; Leasing; Telecom
Joint Ventures / Alliances: Revenue Sharing / Cost Sharing (development); Profit Sharing
Demand-Side Partners: Distributor (includes inventory price protection); Dealer/reseller; OEM; Franchise; Internet; Warranty; Replicator; End User; IP; Telecom; Subscriber; Royalty
Brand: Policy Adherence; Quality; CSR
Industries referenced on the diagram: Manufacturing, Consumer Business, Health Care, Financial Services, Real Estate
Process overview
(Diagram: CRC process overview; not reproduced in the transcript)
Discussion Question
• In your table groups, discuss what
types of contracts exist at your
company. Who is managing these?
• Discuss Internal Audit’s involvement.
Renewed focus on Data Mining
A Foundation for Managing Risk
Does an economic downturn mean an uptick in fraud?
• Nearly two-thirds (63.3 percent) of executives surveyed expect
accounting fraud to increase during the next two years.
• Data from the National White Collar Crime Center shows a spike in
arrests for fraud and embezzlement during the two most recent
recessions.
– Following the savings and loan crisis and the downturn in 1990, white-collar
fraud arrests jumped 52% over the next two years;
– Following the Internet bust in 2000, arrests jumped 25% in the following two
years. [1]
[1] “Experts Say Fraud Likely to Rise”, Business Week, January 9, 2009
Fraud factors
• Three common factors drive
fraudulent activity
• How has the economy
impacted these factors in your
organization?
A closer look
- Financial pressure
  - Corporate: short-term performance goals, earnings expectations, revenue forecasts, financial ratios tied to debt covenants, aggressive accounting practices and applications
  - Personal: increase in asset misappropriation schemes, including skimming, check tampering, and expense reimbursement fraud
- Opportunity
  - Downsizing and re-prioritization toward revenue reduce the focus on internal controls; segregation of duties is weakened, workloads increase, and the remaining staff are less experienced
- Rationalization
  - If employees suspect that they may be let go, they may rationalize “what do I have to lose?”
  - As corporate revenues decline, management may rationalize fraudulent activity, believing it serves the best interest of the company, its employees, and its shareholders.
Example risks and data mining procedures
Reduced headcount:
• Payments to terminated/deceased employees
• Software licensing audits
• System reviews for segregation of duties
Expenditures:
• Duplicate payments analysis
• Employee expense reimbursement
• Accounts payable invoice three-way match analysis
• Identification of unusual payment activity
Revenue recognition & assurance:
• Credits to sales without corresponding AR/cash entry
• Receivables adjustments allowance
• Over-billing analysis
• Accounts receivable aging analysis and rollforward
Fixed assets:
• Test for unusual additions and retirements
• Depreciation expectation analysis and recalculation
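Three of the procedures above, as an added worked example that is not part of the original deck: payments to terminated employees (plus ids absent from the HR master, i.e. ghost employees), duplicate payment analysis with invoice-number normalization, and a segregation-of-duties review of ERP role assignments. The payroll, AP, HR and role data, the role names, the SoD conflict pairs and the 14-day grace period are all constructed assumptions for the demo.

```python
"""Audit data-mining procedures over constructed sample data (added example,
not from the original deck). Every record, role name and threshold below is a
constructed assumption for the demo."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR master: employee id -> termination date (None = active)
HR_MASTER = {"E100": None, "E101": date(2008, 11, 30), "E102": date(2009, 1, 20)}

# Constructed payroll register: (employee id, pay date, net amount)
PAYROLL = [
    ("E100", date(2009, 1, 31), 3100.00),
    ("E101", date(2008, 11, 28), 2900.00),  # final pay before termination: fine
    ("E101", date(2009, 1, 31), 2900.00),  # paid two months after termination
    ("E102", date(2009, 1, 31), 2450.00),  # terminated mid-period: inside grace
    ("E999", date(2009, 1, 31), 2000.00),  # ghost employee: not in HR master
]

# Constructed AP payments: (payment id, vendor id, invoice no, amount, pay date)
AP_PAYMENTS = [
    ("P1", "V10", "INV-0001", 12000.00, date(2009, 1, 5)),
    ("P2", "V10", "INV-0001", 12000.00, date(2009, 1, 20)),  # same invoice paid twice
    ("P3", "V10", "inv0001", 12000.00, date(2009, 2, 2)),    # same invoice, keyed differently
    ("P4", "V20", "A-77", 5000.00, date(2009, 1, 8)),
    ("P5", "V20", "A-78", 5000.00, date(2009, 1, 9)),        # same vendor/amount next day
    ("P6", "V30", "Z-1", 800.00, date(2009, 1, 8)),
]

# Constructed ERP role assignments and the role pairs one person must not hold
ROLE_ASSIGNMENTS = {
    "alice": {"VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"},
    "bob": {"AP_INVOICE_ENTRY"},
    "carol": {"AP_PAYMENT_RELEASE", "VENDOR_MASTER_MAINTAIN"},
    "dave": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
}
SOD_CONFLICTS = [
    ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"),
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"),
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
]


def payments_to_terminated(payroll, hr_master, grace_days=14):
    """Flag pay issued after termination plus a grace period for final pay,
    and any pay to an id that does not exist in the HR master."""
    hits = []
    for emp, pay_date, amount in payroll:
        if emp not in hr_master:
            hits.append((emp, pay_date, amount, "not in HR master"))
            continue
        term = hr_master[emp]
        if term is not None and pay_date > term + timedelta(days=grace_days):
            hits.append((emp, pay_date, amount, "paid after termination"))
    return hits


def normalize_invoice(inv):
    """Drop punctuation and case so 'INV-0001' and 'inv0001' compare equal."""
    return "".join(ch for ch in inv.upper() if ch.isalnum())


def duplicate_payments(payments, window_days=30):
    """Exact duplicates: same vendor and normalized invoice number.
    Near duplicates: same vendor and amount within window_days under a
    different invoice number, a common way a second payment slips through."""
    by_key = defaultdict(list)
    for pid, vendor, inv, amount, pay_date in payments:
        by_key[(vendor, normalize_invoice(inv))].append(pid)
    exact = sorted(tuple(ids) for ids in by_key.values() if len(ids) > 1)

    near = []
    ordered = sorted(payments, key=lambda p: p[4])
    for i, (pid_a, ven_a, inv_a, amt_a, d_a) in enumerate(ordered):
        for pid_b, ven_b, inv_b, amt_b, d_b in ordered[i + 1:]:
            if (ven_a == ven_b and amt_a == amt_b
                    and normalize_invoice(inv_a) != normalize_invoice(inv_b)
                    and (d_b - d_a).days <= window_days):
                near.append((pid_a, pid_b))
    return exact, near


def sod_violations(assignments, conflicts):
    """Return (user, role_a, role_b) for every conflicting role pair a user holds."""
    out = []
    for user, roles in sorted(assignments.items()):
        for a, b in conflicts:
            if a in roles and b in roles:
                out.append((user, a, b))
    return out


if __name__ == "__main__":
    print("payroll exceptions:", payments_to_terminated(PAYROLL, HR_MASTER))
    print("duplicates (exact, near):", duplicate_payments(AP_PAYMENTS))
    print("SoD conflicts:", sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS))
```

Run as-is it reports E101 (paid after termination) and E999 (ghost), the P1/P2/P3 invoice paid three times plus the P4/P5 near duplicate, and three users holding conflicting role pairs. In practice the same three queries run against the payroll register, the AP payment file and an ERP role export; the normalization step matters because duplicate-payment controls keyed on the raw invoice string miss re-keyed invoices.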
Controls Rationalization
Under Pressure
What’s the problem with general computer controls?
The following factors appear to remain at play at some
companies:
• Companies are not linking the IT risk assessment to a top-down business
risk assessment, resulting in over-scoping of IT assets (i.e., applications,
databases, etc.)
• Companies are treating all general computer controls equally, even
though the inherent risk of IT processes, transactions, controls, and
technologies may vary
• Companies are not applying IT control frameworks in a manner that is
leveraging IT-related company level controls
• Companies are not capitalizing on automated controls
Discussion Question
• In your table groups, discuss what
your company is doing, or has done, to
rationalize controls across the
enterprise.
• Discuss Internal Audit’s involvement.
Challenges and Opportunities
Point of View
Solution: Companies should adopt a risk-based control rationalization approach to address
current and future compliance challenges.
Definition - Control Rationalization
Control rationalization is the continuous process of designing the most effective and
efficient controls to address financial reporting risks.
Guiding Principles
• Management should have an informed understanding of the organization's financial
reporting risks in order to drive control rationalization efforts.
• Management should explicitly apply a top-down, risk-based scoping approach as a
foundational first step toward control rationalization.
• Control rationalization is a multi-year, continuous effort, which should be integrated
into the company’s operations.
• Control rationalization can result in immediate benefits; however, more significant
cost savings can be achieved by adopting a long-term strategic approach to sustained
compliance.
Working Toward a Lean and Balanced Control Design
Using a risk-based control rationalization approach, companies can enhance the efficiency
and effectiveness of their compliance program by refining their testing approaches and
improving their design of controls: emphasizing effort on higher-risk areas while
reducing the cost associated with lower-level risks.
(Chart, illustrative example: share of compliance effort by control category)
Category | Current State | Future State Model (Effective & Efficient)
Category 1 | 5% | 15% (areas of focus)
Category 2 | 15% | 35% (improve effectiveness)
Category 3 | 80% | 50% (reduce costs)
Examples:
Category 1: company-level controls (e.g., control environment, period-end financial reporting, anti-fraud programs)
Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas
Category 3: controls over routine, transactional processing
Control Rationalization – Phased Approach
Phase 1 – Perform IT Risk Assessment. Outcomes:
• Documented financial data flow diagrams
• Documented system risk assessment
• Documented relevant applications and platforms (risk rated)
Phase 2 – Evaluate GCC Areas and Control Objectives. Outcomes:
• Documented assessment of GCC risk ratings
• Documented assessment of control objective risk ratings
Phase 3 – Rationalize Controls. Outcomes:
• Documented IT company-level controls
• Documented IT risk-rating approach
• Revised IT control matrix with risk ratings and rationale
Phase 4 – Develop Risk-Based Testing Approach. Outcomes:
• Documented risk-based testing strategy
• Cost savings analysis
Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls
Overview
General Computer Control Rationalization (lean and balanced)
1. Perform IT risk assessment (identify relevant applications and platforms), based on relevance to financial reporting objectives and the risk-rating of the associated major classes of transaction. Out of scope: non-relevant IT applications and platforms are removed.
2. Evaluate GCC areas and confirm the relevance and risk-rating of GCC control objectives. Out of scope: non-relevant control objectives are removed.
3. Evaluate GCCs for effective and efficient testing. Out of scope: unnecessary controls are removed from the testing scope.
Evaluation Criteria
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test the process for granting access before testing password settings)
• Prioritize controls addressing multiple risks
4. Develop a risk-based testing approach for GCCs (efficiency): a re-designed testing approach that varies sample size, evidence, timing and testing owner by risk-rating category (the table is given under step 4 below).
NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs, or an inadequate testing approach for GCCs, will preclude management from being able to derive the benefits of ‘benchmarking’ testing of automated controls.
Perform IT Risk Assessment
Step 1: Develop risk profile
Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput)
and qualitative (e.g., system risks) factors.
(Chart: each system plotted on Financial Impact, i.e. the dollar throughput of the business
process data flowing through the IT system, against Inherent Risk, with each axis rated H/M/L)
Example risk factors include:
- Number of users
- Complexity of system configuration/embedded business logic
- Number/complexity of data interfaces
- Frequency of configuration parameter changes
- Extent of system customizations
- Level of centralization of IT function
- Age of system
- Extent of business process control automation
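The step above, as an added worked example that is not part of the original deck: each system is scored on the quantitative axis (dollar throughput, bucketed against a planning materiality figure) and on the eight qualitative inherent-risk factors listed, and the overall H/M/L rating is read from a 3x3 matrix; systems with no financial-reporting relevance are dropped, which is the "remove non-relevant applications" step of the scoping overview. The materiality figure, factor weights, thresholds, matrix and the application inventory are constructed assumptions; a real program would calibrate them to the business.

```python
"""Step 1 risk profile per system (added example, not from the original deck).
Thresholds, weights, the matrix and the systems are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class SystemProfile:
    name: str
    supports_financial_reporting: bool  # relevance gate from top-down scoping
    dollar_throughput: float            # annual $ flowing through the system
    users: int
    config_complexity: int              # 1 (simple) .. 5 (heavy embedded logic)
    interfaces: int                     # number of data interfaces
    config_changes_per_year: int
    customization_pct: float            # share of code customized, 0.0 .. 1.0
    centralized_it: bool
    age_years: int
    automation_pct: float               # share of process controls automated


MATERIALITY = 5_000_000.0  # assumed planning materiality used for the $ axis

# Assumed weights per factor (sum to 100); risk-reducing factors are inverted below
WEIGHTS = {"users": 10, "complexity": 20, "interfaces": 15, "change_frequency": 15,
           "customization": 15, "decentralized_it": 5, "age": 5, "manual_controls": 15}


def financial_impact(throughput, materiality=MATERIALITY):
    """Bucket dollar throughput: >= materiality is H, >= 20% of it is M, else L."""
    if throughput >= materiality:
        return "H"
    if throughput >= 0.2 * materiality:
        return "M"
    return "L"


def inherent_risk_score(s):
    """0..100 score: each factor is scaled to 0..1 and multiplied by its weight."""
    factors = {
        "users": min(s.users / 1000, 1.0),
        "complexity": (s.config_complexity - 1) / 4,
        "interfaces": min(s.interfaces / 20, 1.0),
        "change_frequency": min(s.config_changes_per_year / 50, 1.0),
        "customization": s.customization_pct,
        "decentralized_it": 0.0 if s.centralized_it else 1.0,
        "age": min(s.age_years / 15, 1.0),
        "manual_controls": 1.0 - s.automation_pct,
    }
    return sum(factors[k] * WEIGHTS[k] for k in factors)


def inherent_risk(score):
    return "H" if score >= 60 else "M" if score >= 35 else "L"


# (financial impact, inherent risk) -> overall rating; high $ impact dominates
RISK_MATRIX = {
    ("H", "H"): "H", ("H", "M"): "H", ("H", "L"): "M",
    ("M", "H"): "H", ("M", "M"): "M", ("M", "L"): "L",
    ("L", "H"): "M", ("L", "M"): "L", ("L", "L"): "L",
}


def profile_systems(systems):
    """Return {name: rating} for in-scope systems. Systems without financial
    reporting relevance are dropped (the 'remove non-relevant applications' step)."""
    out = {}
    for s in systems:
        if not s.supports_financial_reporting:
            continue
        fi = financial_impact(s.dollar_throughput)
        ir = inherent_risk(inherent_risk_score(s))
        out[s.name] = RISK_MATRIX[(fi, ir)]
    return out


# Constructed application inventory for the demo
SYSTEMS = [
    SystemProfile("ERP-GL", True, 50e6, 1500, 5, 25, 80, 0.6, True, 8, 0.5),
    SystemProfile("Payroll", True, 2e6, 40, 2, 3, 4, 0.1, True, 3, 0.8),
    SystemProfile("Treasury-Spreadsheet", True, 8e6, 5, 4, 0, 10, 1.0, False, 10, 0.0),
    SystemProfile("Fixed-Assets-Legacy", True, 6e6, 10, 1, 1, 1, 0.0, True, 12, 0.9),
    SystemProfile("Marketing-CMS", False, 0.0, 300, 3, 2, 20, 0.3, True, 2, 0.2),
]

if __name__ == "__main__":
    for name, rating in profile_systems(SYSTEMS).items():
        print(f"{name:22s} {rating}")
```

The interesting rows are the two high-throughput systems that do not land in the same bucket: the end-user-maintained treasury spreadsheet (decentralized, fully customized, no automated controls) rates H, while the stable legacy fixed-assets system with the same order of dollar throughput rates only M, which is what drives the later decision to test it at reduced sample sizes.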
Risk Based Approach for GCCs
Step 2: Evaluate GCC Areas and Control Objectives – Risk rate GCC areas
The illustration below depicts a sample company’s IT risk prioritization for general computer
control categories. COSO defines general computer controls as, “Policies and procedures
that help ensure the continued, proper operation of computer information systems… They
include controls over data center operations, system software acquisition and maintenance,
access security, and application system development and maintenance.”
Illustrative Purposes Only
General Computer Control Category | Examples of Qualitative Factors | Risk Ranking | Example Procedures
Application System Development & Maintenance | High volume of changes | H | Test all three levels
Information Security | High employee turnover | H | Test all three levels
Information Systems Operations | Mature monitoring processes; automated tools | M | Test predominantly IT company-level and process-level controls
Systems Software Support | Application dependencies; complex architecture; automated tools; homogeneous environment | L | Test predominantly IT company-level controls
NOTE:
This illustrates a simplistic risk assessment for IT; consideration should be given to additional
qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been
included in the example.
Risk Based Approach for GCCs
Step 3: Rationalize controls
After risk-rating general computer control objectives, specific control activities can be
analyzed to further rationalize the testing approach.
Control Objective #1 – Controls provide reasonable assurance that application changes are
appropriately implemented and function consistent with management’s intentions.
CL01 – The company uses a formalized system development methodology to guide all aspects of
application development. (COBIT PO 11.5) Rationale: the organization’s SDLC has not changed in
the fiscal year; accordingly, this control will not be evaluated.
CL02 – An IT Steering Committee reviews and approves all major changes to the information
systems environment. (COBIT PO 4.1)
CL03 – A project management and quality assurance office tracks and monitors all activity
associated with significant changes to applications and infrastructure. (COBIT PO 11.4)
Rationale for CL02/CL03: these two controls are redundant in nature; accordingly, only one
of them will be evaluated.
CL04 – The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)
PL01 – Information requirements for changes to applications are reviewed and approved by
management. (COBIT AI 1.1) Rationale: this control activity is redundant in nature, since test
results are approved by users at a later point in the SDLC process; accordingly, this control
will not be evaluated.
PL02 – A risk analysis is performed that considers the impact of planned changes on financial
reporting processes. (COBIT AI 1.8)
For this example, three of the six controls (CL04, PL02 and one of CL02/CL03) will be assessed,
which represents a 50% reduction in testing.
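The rationalization step above, as an added worked example that is not the deck's own analysis: given which financial-reporting risks each control addresses, keep the smallest set of controls that still covers every risk, applying the scoping overview's criteria "prioritize controls addressing multiple risks" and "remove secondary or redundant controls" as a greedy set cover. The control ids are the ones on the slide, but the risk ids (R1..R5) and the control-to-risk mapping are constructed assumptions for the demo.

```python
"""Step 3 control rationalization as greedy set cover (added example, not the
deck's analysis). The control-to-risk mapping below is a constructed assumption."""

# Constructed mapping: control id -> financial-reporting risks it addresses
CONTROL_RISKS = {
    "CL01": {"R1"},               # formal SDLC methodology
    "CL02": {"R1", "R2"},         # steering committee approves major changes
    "CL03": {"R1", "R2"},         # PMO/QA office tracks significant changes
    "CL04": {"R3"},               # IT segregation of duties
    "PL01": {"R4"},               # management reviews change requirements
    "PL02": {"R2", "R4", "R5"},   # risk analysis of change impact on reporting
}


def rationalize(control_risks):
    """Each round keeps the control covering the most still-uncovered risks
    (ties: the broader control, then the lower id, so the result is stable).
    Returns (kept, removed); a removed control is redundant because every risk
    it addresses is already covered by a kept control."""
    uncovered = set().union(*control_risks.values())
    kept = []
    while uncovered:
        best = max(sorted(control_risks),
                   key=lambda c: (len(control_risks[c] & uncovered), len(control_risks[c])))
        if not control_risks[best] & uncovered:
            break  # no control addresses what is left: a coverage gap, not redundancy
        kept.append(best)
        uncovered -= control_risks[best]
    removed = sorted(c for c in control_risks if c not in kept)
    return sorted(kept), removed


def coverage_ok(control_risks, kept):
    """True when the kept controls still address every risk in the matrix."""
    all_risks = set().union(*control_risks.values())
    return set().union(*(control_risks[c] for c in kept)) == all_risks


def reduction_pct(control_risks):
    kept, _ = rationalize(control_risks)
    return round(100 * (1 - len(kept) / len(control_risks)))


if __name__ == "__main__":
    kept, removed = rationalize(CONTROL_RISKS)
    print("test:", kept, "drop:", removed, f"({reduction_pct(CONTROL_RISKS)}% fewer controls)")
```

With this mapping the algorithm keeps PL02 first (it addresses three risks), then one of the redundant CL02/CL03 pair, then CL04, and drops CL01, CL03 and PL01: three of six controls, the same 50% reduction the slide reaches by hand. The `coverage_ok` check is the part worth keeping in a real control matrix review: a control should only be dropped as redundant if the risks it addresses remain covered, otherwise the rationalization has opened a gap rather than removed duplication.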
Risk Based Approach for GCCs
Step 4: Develop risk-based testing
Alter the nature, timing and extent of control testing based on the control objective risk-ratings.
Risk-Rating Category | Sample Size | Evidence | Timing | Testing Owner
High | Increased sample sizes | No change | No change | SOX PMO and Internal Audit
Medium | Reduced sample sizes | No change | No change | No change
Low | Reduced sample sizes | Management self-assessments | Test 1/3 of processes each year (rotation) | Management
*Note: Example for illustrative purposes only
A risk-based testing strategy focuses resources and effort on the
most important controls, and may generate opportunities for
savings based on reduced overall testing effort.
Cost savings analysis*
The table below is an illustrative example for measuring the reduced effort that may result
from implementing a risk-based testing strategy.
Risk Category | # of Control Events | Avg Hrs/Control | Total Time Spent
High Risk | 800 | 10 hrs | 8,000 hrs
Medium Risk | 500 | 6 hrs | 3,000 hrs
Low Risk | 400 | 3 hrs | 1,200 hrs
Risk-Based Approach (total) | 1,700 | 7 hrs (12,200 ÷ 1,700, rounded) | 12,200 hrs
Original Approach | 1,700 | 9 hrs (15,300 ÷ 1,700) | 15,300 hrs
Impact (Savings) | | | (20%)
*Note: Example for illustrative purposes only and does not imply likely savings or results
The Next Wave of Green IT
IT’s role in the future of enterprise sustainability
Overview
• Research program to explore senior finance and IT executives’ views on how
companies around the world are changing their IT practices in an effort to
save money, improve performance, and lessen their impact on the physical
environment.
• Respondents came from North America (56%), Europe (28%), and Asia (16%)
• All industries included, encompassing companies of sizes $200M - $10B+
• Primary benefits fall into three buckets:
– Environmental (less pollution, lower carbon emissions, less toxic waste)
– Operating (lower costs, higher efficiency, lower risk)
– Promotional (brand awareness, public relations, environmental)
Discussion Question
• In your table groups, discuss what
your companies are doing from a
greening perspective; specifically
around IT.
• Discuss Internal Audit’s involvement.
General Statistics
• More than 9 out of 10 companies have made “incremental” or
“aggressive” efforts to reduce their impact on the environment
• Many companies have at least basic programs in place for green IT
and the funding to support these
– Nearly 60% of the respondents say their company has at least 5%
of its IT budget set aside for greening efforts and 35% say their
company has allocated 15% or more to green IT
• Two-thirds of respondents say their company has a formal program in
place for measuring, monitoring, and improving its environmental
performance
Barriers
• Lack of information and trusted practices for
improving IT’s environmental performance
(44%)
• Inability to build a sound business case for
green IT investments (42%)
• Shortage of capital and well-qualified, green
IT talent (41%)
New Metrics, Incentives, and Influences
• 67% of respondents stated their company has a formal program for
measuring, monitoring, and improving its environmental performance
• When asked “Has your company conducted a formal evaluation of the
environmental impact of its business activities in the last two years?”,
respondents said:
– Yes, an evaluation has been completed (39%)
– Yes, an evaluation is currently under way (36%)
– No, we haven’t formally initiated this (25%)
• Most common metrics:
– Total power consumption
– Power usage effectiveness/data center infrastructure efficiency
– Carbon dioxide production
Risk Management and Performance Improvement
(Bar chart on a 0%–80% scale; the individual percentages are not recoverable from the transcript. Bars, in slide order:)
• Improving Reporting on Environmental Performance
• Decreasing the Company's Carbon Footprint
• Reducing Exposures to Environmental Liabilities
• Reducing Pollution Caused by Business Activities
• Improving Compliance with Environmental Regulations
• Cultivating a Public Green Perception
• Improving Energy Efficiency and Reducing Costs
Examples of IT Efforts
• Energy efficient hardware
• Shared software resources
• Virtualized server architecture
• Smaller data center footprints – IT infrastructure within data centers
• Printers, copiers, and fax machines
• Mobile devices and wireless computers
• Hardware recycling, disposal and decommissioning
End-User Applications
• End user applications focused on productivity are most
likely green IT investment candidates:
– Videoconferencing
– Online collaboration technology
– Enhanced/Alternative cooling technology
– Energy management software applications for servers
and PCs
– Server virtualization
– Mobile devices
Company Examples
• Intel took the heat its servers produced and redirected it to
warm its cafeteria and restroom water supply.
• Approval forms for the FDA – fast tracked when submitted
electronically; save paper, ink, physical storage
requirements
• Wells Fargo addresses the power management of its
servers which leads to significant cooling efficiency gains
and improvement of electrical distribution within the data
centers to reduce power consumption
Next Steps
• Determining what efforts your company currently has in
place and your executives’ appetite for greening
• Establishing a baseline measurement of current
sustainability performance that is satisfactory for both IT
and finance
• Aligning the company’s tax strategy with its sustainability
strategy and green investments
• Evaluating IT’s part in these efforts, from the capabilities of the
systems to measure, monitor, and report, to what IT can do
to increase the effort
Contact Information:
Devin Amato
[email protected]
816.802.7255
Heidi Zenger
[email protected]
816.802.7435