Title: IT Audit Requirements
IT Audit Requirements: Management Controls
Jack Heyman, CPA, CISA, CGFM, CIPP, CAP
Your Internal Controls
Agenda
- Introduction
- Comments
- Regulation / Guidance
- Internal Controls
- COSO
- A-123
- SAS 55
- Yellow Book
- SAS 112
Comments
- "Over 800 pages of statutory text govern the daily decisions of Federal managers."
  - Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (June 22, 2005)
Comments
- "Internal controls are the checks and balances that help managers detect and prevent problems. They can be as simple as computer passwords or having a manager sign off on a time sheet, or as complex as installing software to track spending and detect spikes that signal trouble."
- "Internal controls provide a foundation for accountability and, while they are important in the private sector, sound controls are imperative in government. Public trust depends on nothing less."
  - Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (February 16, 2005)
Comments
- "Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government's own financial reporting problems, have resulted in an increased focus on management's responsibility for internal control."
  - February 2005, Subcommittee on Government Management, Finance, and Accountability
Comments
- "Government should lead by example. We should be as good or better than those we are regulating."
  - David Walker, Comptroller General, to Congress (CFO Magazine, June 2003)
Comments
- "The policy changes in this circular are intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal assessments with other internal control-related activities."
  - Linda Springer, Controller, Office of Management and Budget, December 21, 2004
Regulation / Guidance
- Budget and Accounting Procedures Act of 1950
  - Internal controls have been talked about for almost 60 years.
- Inspector General Act of 1978, as amended
- OMB A-123, Management's Responsibility for Internal Control (1981)
- Federal Managers' Financial Integrity Act of 1982
- OMB A-50, Audit Follow-Up (1982)
- GAO Green Book (1983)
Regulation / Guidance
- CFO Act of 1990
  - Financial statement audits for approximately 225 agencies.
- Government Performance and Results Act of 1993
- Government Management Reform Act of 1994
- OMB A-123, Management's Responsibility for Internal Control, revised (1995)
- Federal Financial Management Improvement Act of 1996
- Clinger-Cohen Act of 1996
- GAO Green Book, revised (1999)
Regulation / Guidance
- Reports Consolidation Act of 2000
- OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements (2000)
- Federal Information Security Management Act of 2002
  - Includes PIA
- Improper Payments Information Act of 2002
- Accountability of Tax Dollars Act of 2002
  - Another 78 agencies must have financial statement audits.
- OMB A-123, Management's Responsibility for Internal Control, revised (2004)
- OMB A-136, Financial Reporting Requirements (2004)
Regulation / Guidance
- NIST 800-18: Security Plans
- NIST 800-30: Risk Assessments
- NIST 800-34: Contingency Planning
- NIST 800-37: Certification and Accreditation
- NIST 800-47: Interconnected Systems
- NIST 800-50: Security Awareness
- NIST 800-53A: Controls (low, moderate, and high)
- NIST 800-60: Control categories
- NIST FIPS 199: Security Categorization
- OMB M-06-16
- Where and why do we have to follow NIST standards?
Internal controls
- OMB A-123 Authority
  - Federal Managers' Financial Integrity Act of 1982, as codified in 31 U.S.C. 3512
  - References A-123 to provide guidance on how to implement.
Internal controls
- Agencies and individual Federal managers must take systematic and proactive measures to:
  - Develop internal control oriented management.
  - Assess the adequacy of internal control in programs and operations.
  - Separately assess and document internal control.
  - Identify needed improvements.
  - Take corrective action.
  - Report annually through management assurance statements.
- Source: A-123 Revised, dated December 21, 2004.
Internal controls
- A-123 makes references to a host of other regulations to follow, such as:
  - FISMA
  - IPIA
  - GPRA
  - CFO Act
Internal controls
- What are internal controls?
  - Compliance with Laws and Regulations.
  - Reliability of Financial Data.
  - Effectiveness and Efficiency of Operations.
- The above is mentioned everywhere (e.g. CFOC A-123 Implementation Guide, many SASs, A-123, Green Book, etc.)
Internal controls
- A-123 Applicability
  - Compliance with A-123 AND Appendix A
    - Agencies listed within the CFO Act of 1990, as amended by the Government Management Reform Act of 1994 (cited in OMB Circular A-136). (ABOUT 225 AGENCIES)
  - Compliance with A-123 (NOT Appendix A)
    - Executive agencies, as well as independent agencies and government corporations within the executive branches of the Federal government.
COSO
- COSO's influence on the industry
  - National Commission on Fraudulent Financial Reporting (Treadway Commission) was formed in 1985 from the following 5 organizations:
    - FEI: Financial Executives International
    - AAA: American Accounting Association
    - AICPA: American Institute of CPAs
    - IIA: Institute of Internal Auditors
    - IMA: Institute of Management Accountants
COSO
- COSO's influence on the industry
  - In 1987, the Treadway Commission issued the Report of the National Commission on Fraudulent Financial Reporting, which emphasized:
    - Importance of control environment
    - Codes of conduct
    - Competent and involved audit committees
    - Active and objective internal audit function
COSO
- COSO's influence on the industry
  - In September 1992, COSO issued the Internal Control - Integrated Framework.
    - Control Environment: tone of the organization
    - Risk Assessment: assessing the risks of the organization
    - Control Activities: policies and procedures
    - Information and Communication: timely communication throughout the organization
    - Monitoring: quality control over a period of time
COSO
- COSO's influence on the industry
  - In September 2004, COSO issued the Enterprise Risk Management - Integrated Framework (ERM).
COSO
SAS 55
- SAS 55, paragraph .02
  - "In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity's use of information technology and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements."
SAS 55
- SAS 55, paragraph .04
  - "Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient."
- Remember: SAS 103 and 112 now come into play.
Standard | General Standards (chapter 3) | Fieldwork Standards (chapter 4) | Reporting Standards (chapter 5)
GAAS (AICPA) | | X | X
SAS (AICPA) | | X | X
GAGAS | X | X (in addition to AICPA) | X (in addition to AICPA)
Note: Yellow Book (GAGAS) engagements are subjected to additional AICPA standards for both fieldwork and reporting aspects.
SAS 112 (paragraph 1)
It is applicable whenever an auditor expresses an opinion on financial statements. Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.
SAS 112 (paragraphs 5-6)
Deficiency Type | Likelihood | Magnitude
Control Deficiency | Remote | Inconsequential
Significant Deficiency | More than remote | More than inconsequential
Material Weakness | More than remote | Material
SAS 112 (paragraph 9)
The auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses. The significance of a control deficiency depends on the potential for a misstatement, not on whether a misstatement actually has occurred. Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant or material weaknesses.
SAS 112 (paragraph 13)
Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.
SAS 112 (paragraph 14)
...the auditor also should evaluate the possible mitigating effects of effective compensating controls... Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.
SAS 112 (paragraph 18)
- Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:
  - Controls over the selection and application of accounting principles
  - Antifraud programs and controls
  - Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.
SAS 112 (paragraph 19)
- Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
  - Ineffective oversight of the entity's financial reporting and internal control by those charged with governance.
  - Restatement of previously issued financial statements to reflect the correction of a material misstatement.
  - Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity's internal control.
  - An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities.
SAS 112 (paragraph 19, continued)
- Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
  - For complex entities in highly regulated industries, an ineffective regulatory compliance function.
  - Identification of fraud of any magnitude on the part of senior management.
  - Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected.
  - An ineffective control environment.
SAS 112 (paragraph 32)
- The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
  - Inadequate design of internal control over a significant account or process
  - Inadequate documentation of internal control
  - Insufficient control consciousness within the organization
  - Absent or inadequate segregation of duties
  - Absent or inadequate controls over safeguarding of assets
  - Inadequate design of IT general and application controls
  - Employees or management who lack qualifications and training
  - Inadequate design of monitoring controls
  - Absence of internal process for reporting deficiencies
SAS 112 (paragraph 32, continued)
- The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
  - Failure in the operation of effectively designed controls (e.g. dual authorization)
  - Failure to perform reconciliations of significant accounts
  - Undue biases on the part of management
  - Management override of controls
What is Risk?
- RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one's objectives.
- To assess risk, the following process is used:
  - Source the Risks
  - Prioritize the Risks
  - Identify the Risks
What is Internal Control?
- Internal Control: Risk Mitigation
- Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
  - Alarm Clock: designed to prevent oversleeping. What are the risks?
  - Speed Limits: designed to prevent aggressive driving. What are the risks?
  - Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?
What is Internal Control in an Organization?
- Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
  - Effectiveness and Efficiency of Operations: relates to an entity's basic business objectives, including performance goals and safeguarding of an entity's resources.
  - Reliability of Financial Reporting: relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e. budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
  - Compliance with Laws and Regulations: relates to complying with those laws and regulations to which the entity is subject.
What are the Benefits of Good Internal Control?
- Identification and elimination of waste, fraud and abuse
- Reduction of improper or erroneous payments
- Enhanced understanding of risk exposure
- Sustained performance, efficiency and effectiveness
- Reduced level of effort for financial management system implementation or audit
- Improved policies and procedures
- Streamlined processes
- Clear definition of process ownership
- Greater accountability
- Enhanced audit readiness and internal control attestation readiness
- Compliance with laws and regulations
Office of Management and Budget (OMB) and Congressional Oversight
- The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch.
- Internal control is an integral part of tools currently being used by OMB and Congress to monitor federal Agencies.
  - Performance and Accountability Report (PAR): contains the Secretary's assurance statement on internal and financial management controls.
  - Program Assessment Rating Tool (PART): developed to assess and improve program performance so that the Federal government can achieve better results.
  - President's Management Agenda (PMA): aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a scorecard.
Internal Control Policy
Legislative / Regulatory Authority | Internal Control Requirements
Federal Managers' Financial Integrity Act of 1982 (FMFIA) | Requires that agency CFOs develop and maintain an integrated system of internal controls and requires GAO to issue internal control standards
Federal Financial Management Improvement Act of 1996 (FFMIA) | Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements
Federal Information Security Management Act of 2002 (FISMA) | Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB
Improper Payments Information Act of 2002 (IPIA) | Provides for estimates and reports of improper payments by Federal agencies
CFO Act of 1990 | Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system
Government Performance and Results Act of 1993 (GPRA) | Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals
Inspector General Act of 1978 | Requires IGs to report on internal controls when conducting a performance audit
OMB Circular A-123 | Requires monitoring and improvement of internal controls associated with programs
OMB Circular A-127 | Outlines requirements for FM system controls
OMB Circular A-130 | Establishes the policy for the management of Federal information resources
OMB Circular A-123
- Issued under authority of FMFIA; entitled "Management Accountability and Control"
- Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
- Requires annual reporting on the effectiveness of management controls
- Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA
Revised OMB Circular A-123
- Circular A-123 was revised in December 2004
- Renamed "Management's Responsibility for Internal Control"
- Changes developed by the Chief Financial Officers Council (CFOC) and the President's Council on Integrity and Efficiency (PCIE)
- Adopts certain concepts from the Sarbanes-Oxley Act of 2002
- Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, Internal Controls over Financial Reporting
- Took effect FY 2006; the initial report was due in the November 2006 Performance and Accountability Report (PAR)
Overview of Revised Circular OMB A-123
- The Revised Circular A-123 includes the following Appendices:
  - Appendix A: Internal Control over Financial Reporting
  - Appendix B: Improving Management of Government Charge Card Programs (Revised Appendix B issued April 2006)
    - Increases frequency of review and scope of spending and transaction limits
    - Limits authorization and blocks card use for high risk merchant category codes
  - Appendix C: Requirements for Effective Measurement and Remediation of Improper Payments (Issued August 2006)
    - Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments and obtaining a statistically valid estimate of the annual amount of improper payments
    - Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them
Revised OMB Circular A-123, Appendix A Requirements
OMB Circular A-123, Appendix A requires Agencies to:
- ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
- ESTABLISH a governance structure
- DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30
  - This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
- TEST the operating effectiveness of internal controls
Revised OMB Circular A-123, Appendix A Requirements (continued)
- INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
- SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying effectiveness of internal control within the Agency
  - The Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15
- CORRECT deficiencies in internal control over financial reporting
  - Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies
Internal Control over Financial Reporting
The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting.
- Internal control over financial reporting is a process designed to provide reasonable assurance regarding reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting.
- Internal control over a complete process involves controls at every step of the process, including:
  - controls over transaction initiation,
  - maintenance of records,
  - recording of transactions, and
  - final reporting
- Internal control over financial reporting also includes:
  - entity level controls,
  - information technology controls, and
  - operational and compliance controls
Management Responsibilities
- Management is responsible for establishing and maintaining internal control and documentation. Management must:
  - consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework's five components)
  - develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
  - maintain up-to-date controls documentation on an on-going basis
  - provide a certification Statement related to the adequacy of controls (signed by the Secretary)
Manual versus Automated Controls
- Controls may be either:
  - Manual: implemented through human action
    - Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
  - Automated: implemented through system action
    - Example: Users must have a valid user id and password to access a system
Detective versus Preventative Controls
- Controls may be either:
  - Detective: provide evidence that an error or exception has occurred
    - Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls
  - Preventative: proactive in that they attempt to deter or prevent undesirable events from occurring
    - Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls
Control Activities Specific for Information Systems
- There are two types of Information System Controls:
  - General Computer Controls (GCCs): pervasive, over-arching controls that affect every transaction. Used to manage and control the organization's information technology infrastructure.
  - Application Controls: controls that cover the processing of data within an application or computer program.
- OMB Circular A-123 states, "general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing."
Control Activities Specific for Information Systems: General Computer Controls
- General Computer Controls should be designed to ensure that:
  - The overall IT environment is well-controlled
  - The IT organization is fit for its purpose, and there is proper management control over information systems
  - Critical processing can be restored in a timely manner in the event of a prolonged outage (data / systems are backed up)
  - New applications and changes to existing applications are properly authorized and only approved modifications are moved to the production environment
  - Physical and logical security controls restrict access to data, systems and sensitive facilities
Control Activities Specific for Information Systems: General Computer Controls (continued)
- Examples of General Computer Controls include:
  - Monitoring of Adherence to Entity-wide Security Program
  - Data Processing Policies and Procedures
  - Continuity of Operations Plan (COOP)
  - Regularly Scheduled and Documented Change Control Board Meetings
  - Properly Completed and Maintained Access Request Forms
- What must be assessed?
  - Security Planning and Management
  - Change Control
  - Segregation of Duties
  - Access Controls
  - Service Continuity
  - System Software
Control Activities Specific for Information Systems: Application Controls (continued)
- Examples of Application Controls include:
  - Automated controls built into the application (computerized edit checks and required passwords)
  - Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)
- What must be assessed?
  - Input Controls (access restrictions, validity checking, source documents)
  - Processing Controls (integrity controls, error messages, job scheduling)
  - Output Controls (report generation and distribution, manual review of reports for obvious errors)
Entity Level Controls
- Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies.
- Responsibility: Entity Level Controls are assessed at both the agency and department level.
- Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore the assessment of entity-level controls is essential to the overall evaluation of controls.
Assessing Risk
- What is meant by Assessing Risk?
  - Assess: to determine the importance, size, or value of
  - Risk: a state of uncertainty where, if specific events or conditions occur, there exists a possibility of an undesirable outcome.
Key Terms
- Confidentiality
- Integrity
- Availability
- Issue
- Exception
- Negligible Exception
- Isolated Incident
- Control Deficiency
- Significant Deficiency
- Material Weakness
FISMA
- The Federal Information Security Management Act (FISMA), established in December 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
A-123 Appendix A
- A-123 Appendix A was added in December 2004 to incorporate Sarbanes-Oxley Section 404 principles into federal financial management.
- The revision deals primarily with internal controls over financial reporting.
- A-123 Appendix A is effective FY 2006.
FISMA and A-123 Appendix A: involvement with assessing risk
- In order to maintain a secure environment for information and information systems under FISMA, a well established set of internal controls should be developed and executed.
- FISMA internal controls incorporate the financial internal controls designed by A-123 Appendix A.
- A necessary element in maintaining a set of internal controls is performing risk assessments.
[Diagram: FISMA Compliance; A-123 Appendix A Assurance Statement; NIST 800-53 Controls; Financial Reporting Controls]
Vulnerability
- Definition: open to attack or damage
- Vulnerability is defined as a weakness or shortfall in a system that reduces the system's ability to protect system assets. The vulnerability can be caused by the absence of a needed security feature, or by some inadequacy in the functioning of an existing security feature.
Threat
- Definition: an indication of something impending
- Threat is defined as an unwanted event or attack against an IS asset (that) exploits a vulnerability and is carried out by a threat agent, such as an insider, intruder, hostile intelligence service, or terrorist.
Significance
- Definition: the quality of being important
- Significance is defined as the magnitude of consequence or quantification of the damage that may be done if a threat is carried out and an unwanted event occurs.
Household Example
- Backyard Pool
  - Objective: Keep Child Alive
  - Threat: Child may drown in backyard pool
  - Vulnerability: Pool gate does not have a lock, child cannot swim, child is exploratory
  - Significance: Loss of a loved one
  - POAM: Teach the child to swim / Add lock
General Overview
- Assessing Risk is more than just an annual process; it is continually evolving as the company changes on a day to day basis.
- How do the scenario and risk rating change under the following conditions?
  - Multiple Children
  - Children are all over the age of 15
  - House is located 50 miles from neighbors
  - No Children within the house
  - 3 Children under the age of 7
- Changes in the environment change the Risk situation.
Limited Resources - POAM
- How do we accomplish the control objective when we have limited resources?
- Resource limitations could include:
  - Cost to complete
  - Time available
  - Number of people required to accomplish the objective
  - Availability of resources
- Requires prioritization to use the resources effectively
Security Objective | Control Deficiency | Significant Deficiency | Material Weakness
Confidentiality | Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent the unauthorized disclosure of sensitive information. | Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity's ability to protect sensitive information, such that there is more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a serious adverse effect. | Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a severe or catastrophic adverse effect.
Integrity | Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements of data (both financial and non-financial data) on a timely basis. | Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity's ability to initiate, authorize, record, process, or report data (both financial and non-financial data) reliably, such that there is more than a remote likelihood that a misstatement of the entity's reports (both financial and non-financial reports) that is more than inconsequential will not be prevented or detected. | Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood that a material misstatement of the entity's reports (both financial and non-financial reports) will not be prevented or detected.
Availability | Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to protect the availability of critical information resources and continuity of operations. | Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity's ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity's operations that could be expected to have a serious adverse effect. | Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity's ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity's operations that could be expected to have a severe or catastrophic adverse effect.
Issue Handling
[Diagram: Issues; Exceptions; Assessing Risk Framework; Level of Deficiency (CD, SD, MW)]
A Day in the Life of a Deficiency
[Flow diagram stages, as labelled on the slide: Framework Evaluation; Identify/Verify; Mitigating Controls; Aggregation; Remediation; Issue Identified; Deficiency Remediated; Deficiency Evaluation; POAM Creation; Assess Likelihood and Magnitude]
Identify and Verify
- (covered in Test Procedure Training)
Identify and Verify
- Once an issue has been identified, the following should be performed:
  - Speak with the control owner.
  - Determine whether the correct understanding was obtained.
  - Determine whether there is any other evidence of the control.
  - If the issue still exists, confirm with management that it is a true exception.
Defining Exceptions
- Exceptions are deviations from the predefined expectations of control activity statements.
- Exceptions can be found when assessing the design of the control activities, or when performing operating effectiveness testing of the control.
- An exception may be detected, or a control may not operate as expected, for a number of reasons:
  - The person who normally performs the control was absent for a period of time.
  - The control may have broken down.
- If the person who normally performs the work was absent or the control broke down for other reasons, the individual performing this control should attempt to identify any additional Redundant Controls that might be in place to help achieve the objective.
Defining Exceptions (cont.)
- Consider whether or not the identified exception is an isolated incident, and therefore a negligible exception.
- Consider whether the exception is within the tolerable deviation rate (frequency of the control must be at least daily).
- Tolerable deviation: the number of exceptions the auditor will permit in the population and still be willing to rely on internal controls.
Redundant Controls
- Redundant Controls (identified and tested) that operate effectively should be considered when evaluating an exception.
- Redundant Controls can be found in different control objectives or NIST controls, and help to eliminate the deficiency.
- The identified Redundant Controls need to be tested, and be operating effectively, in order to be considered in the exception evaluation process.
- Note: Redundant Controls can eliminate a control deficiency.
Identify and Verify (cont'd)
- Other Comments
  - Not all exceptions within testing will result in a deficiency.
  - The key factor is whether the control objective, or NIST control, is met.
  - Evaluation requires professional judgment considering:
    - Quantitative and qualitative factors
    - Implications with regard to other controls
Assessing Risk: Exception Risk
- Evaluate the risk level of each deficiency that is identified.
- Level of Risk depends on:
  - Proximity of the deficiency to the actual data.
  - Likelihood: the chance that the deficiency could cause an undesirable outcome
    - Vulnerability
    - Threat
  - Magnitude: the size or extent of an undesirable outcome that may change or influence the judgment of a reasonable person
    - Significance
- The level of risk does not depend on whether an undesirable outcome has actually occurred, but rather on whether there is a reasonable possibility that the department/agency's controls will fail to prevent or detect an undesirable outcome.
Likelihood: Threat (including Threat Agent)
- Capability
- History
- Gain / Motivation
- Attributable
- Detectability
Likelihood
- Determine if it is reasonably possible that the control, or combination of controls, will fail to prevent or detect an undesirable outcome.
- Determine the likelihood of an undesirable outcome, not the likelihood of a material undesirable outcome.
- Evaluation of likelihood can be made without quantification of the probability of the occurrence of an undesirable outcome.
- Risk factors affecting likelihood:
  - The subjectivity, complexity, or extent of judgment required to determine the amount involved
  - The interaction or relationship of the control with other controls, including whether they are interdependent or redundant
  - The possible future consequences of the deficiency
Magnitude
- Significance
  - Loss of Life
  - Top Secret / Secret
  - Confidential
  - Privacy Data
  - Operations Impact
  - Equipment Loss
  - Data Integrity / Accuracy
CIA and NIST 800-53 Control Families
Columns: C, I, A
Families: AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SI
Compensating Controls
- Definition (compensate): to cause to become less harsh or hostile
- Compensating Controls are controls that operate at a level of precision that would reduce the potential impact of the deficiency to the organization.
Compensating Controls
- Compensating Controls (identified and tested) that operate effectively should be considered when evaluating the level of a deficiency.
- Compensating Controls can be found in different control objectives or NIST controls, and help to decrease the severity of the deficiency.
- The identified Compensating Controls need to be tested, and be operating effectively, in order to be considered in the deficiency evaluation process.
- Note: Although Compensating Controls can reduce the severity of a control deficiency, they do not eliminate the control deficiency.
Example of Redundant vs. Compensating Controls: Material Weakness
Example of Redundant vs. Compensating Controls: Significant Deficiency
Example of Redundant and Compensating Controls: Control Deficiency
Example of Redundant and Compensating Controls: Negligible Exception
Deficiency Evaluation: Issue Evaluation
- Issue Evaluation
  - Step 1: Determine whether further evaluation is necessary
- Deficiency Evaluation
  - Step 2: Determine the Level of Deficiency
Deficiency Evaluation (cont'd)

Magnitude of undesirable outcome (that occurred, or could have occurred) | Likelihood: More Than Remote | Likelihood: Remote
Quantitatively or qualitatively material                                 | Material Weakness            | Significant Deficiency
More than inconsequential, but less than material                        | Significant Deficiency       | Control Deficiency
Inconsequential (i.e., immaterial)                                       | Control Deficiency           | Control Deficiency
Internal Control
- Definitions (A-123, Financial Reporting)

            | Significant Deficiency      | Material Weakness
Likelihood  | More than Remote            | More than Remote
Magnitude   | More than Inconsequential   | Material
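The evaluation matrix and the two rules for other controls (effective Redundant Controls can eliminate a deficiency; effective Compensating Controls only reduce its severity) are easier to apply consistently when written down as a decision procedure. The following Python is an added example, not code from the original slides: the enum names, the OtherControl record, and the modelling choice that an effective compensating control lowers the magnitude by one step are this example's own assumptions; the matrix entries themselves are taken from the slide.

```python
"""Deficiency evaluation worked through in code (added example, not from the slides)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Likelihood(Enum):
    REMOTE = "remote"
    MORE_THAN_REMOTE = "more than remote"


class Magnitude(Enum):
    # Ordered from least to most severe; the integer is used for the one-step reduction.
    INCONSEQUENTIAL = 0             # inconsequential (i.e., immaterial)
    MORE_THAN_INCONSEQUENTIAL = 1   # more than inconsequential, but less than material
    MATERIAL = 2                    # quantitatively or qualitatively material


class Level(Enum):
    NEGLIGIBLE_EXCEPTION = "negligible exception"
    CONTROL_DEFICIENCY = "control deficiency (CD)"
    SIGNIFICANT_DEFICIENCY = "significant deficiency (SD)"
    MATERIAL_WEAKNESS = "material weakness (MW)"


# The evaluation matrix from the slide: (likelihood, magnitude) -> level of deficiency.
MATRIX = {
    (Likelihood.MORE_THAN_REMOTE, Magnitude.MATERIAL): Level.MATERIAL_WEAKNESS,
    (Likelihood.MORE_THAN_REMOTE, Magnitude.MORE_THAN_INCONSEQUENTIAL): Level.SIGNIFICANT_DEFICIENCY,
    (Likelihood.MORE_THAN_REMOTE, Magnitude.INCONSEQUENTIAL): Level.CONTROL_DEFICIENCY,
    (Likelihood.REMOTE, Magnitude.MATERIAL): Level.SIGNIFICANT_DEFICIENCY,
    (Likelihood.REMOTE, Magnitude.MORE_THAN_INCONSEQUENTIAL): Level.CONTROL_DEFICIENCY,
    (Likelihood.REMOTE, Magnitude.INCONSEQUENTIAL): Level.CONTROL_DEFICIENCY,
}


@dataclass(frozen=True)
class OtherControl:
    """A redundant or compensating control found elsewhere (hypothetical record type)."""
    name: str
    kind: str          # "redundant" or "compensating"
    tested: bool       # only controls that were actually tested count ...
    effective: bool    # ... and only if they operate effectively


def usable(control: OtherControl) -> bool:
    """An untested or ineffective control is ignored in the evaluation."""
    return control.tested and control.effective


def evaluate_deficiency(likelihood: Likelihood, magnitude: Magnitude,
                        other_controls: Iterable[OtherControl] = ()) -> Level:
    """Classify one deficiency: redundant controls first, then the matrix with
    any compensating-control reduction applied to the magnitude."""
    usable_controls = [c for c in other_controls if usable(c)]

    # Rule 1: an effective redundant control still meets the control objective,
    # so the exception does not become a deficiency at all.
    if any(c.kind == "redundant" for c in usable_controls):
        return Level.NEGLIGIBLE_EXCEPTION

    # Rule 2 (modelling assumption of this example): an effective compensating
    # control lowers the potential impact by one magnitude step. It never
    # removes the deficiency, so the floor remains a Control Deficiency.
    if any(c.kind == "compensating" for c in usable_controls):
        magnitude = Magnitude(max(magnitude.value - 1, Magnitude.INCONSEQUENTIAL.value))

    return MATRIX[(likelihood, magnitude)]


if __name__ == "__main__":
    # Constructed scenario: a failed access-review control over a material account,
    # with a tested, effective compensating control found in another NIST family.
    compensating = [OtherControl("quarterly privilege recertification", "compensating", True, True)]
    print(evaluate_deficiency(Likelihood.MORE_THAN_REMOTE, Magnitude.MATERIAL))
    print(evaluate_deficiency(Likelihood.MORE_THAN_REMOTE, Magnitude.MATERIAL, compensating))
```

The order of the two rules matters: a redundant control is checked before the matrix because it removes the deficiency outright, whereas a compensating control only shifts the matrix lookup, and a control that was identified but never tested (or tested and found ineffective) changes nothing in either case.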
Costs vs. Benefits
- In some cases it is adequate to accept the risk of an undesirable outcome.
- Factors that should be considered when making this decision include:
  - Cost vs. Benefit analysis
Aggregation of Deficiencies
- Consider all control deficiencies and significant deficiencies in the aggregate by:
  - Significant account balance or disclosure
  - NIST family (i.e., Access Control, Audit and Accountability, or Configuration Management)
- Consider any prior year unremediated findings when performing aggregation.
- Multiple control deficiencies related to a specific account balance or disclosure increase the relative likelihood and potential magnitude of an undesirable outcome compared to when only one individual control deficiency exists.
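Grouping the individually rated findings is the mechanical part of aggregation; deciding whether a group rises to a higher level is the professional-judgment part. The following Python is an added example, not code from the original slides: it collects CD and SD findings, prior-year unremediated ones included, by significant account and by NIST family and surfaces every group with more than one finding. The Finding record and the sample findings are constructed for this example.

```python
"""Aggregating deficiencies by account balance and NIST family (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    ident: str
    level: str                  # "CD" or "SD"; a material weakness is already at the top level
    nist_family: str            # NIST 800-53 family, e.g. "AC", "AU", "CM"
    account: str                # significant account balance or disclosure affected
    prior_year: bool = False    # unremediated finding carried forward from the prior year


def aggregate(findings: Iterable[Finding]) -> Dict[str, Dict[str, List[str]]]:
    """Return the groups (by account, by NIST family) holding more than one
    CD/SD finding, i.e. the groups that need an aggregate evaluation."""
    by_account: Dict[str, List[str]] = defaultdict(list)
    by_family: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.level not in ("CD", "SD"):
            continue                                     # only CDs and SDs are aggregated
        tag = f.ident + ("*" if f.prior_year else "")    # "*" marks prior-year unremediated
        by_account[f.account].append(tag)
        by_family[f.nist_family].append(tag)
    return {
        "by_account": {k: v for k, v in by_account.items() if len(v) > 1},
        "by_family": {k: v for k, v in by_family.items() if len(v) > 1},
    }


# Constructed sample: four current-year findings plus one carried forward.
SAMPLE = [
    Finding("F-01", "CD", "AC", "Accounts Payable"),
    Finding("F-02", "SD", "CM", "Accounts Payable"),
    Finding("F-03", "CD", "AC", "Payroll"),
    Finding("PY-07", "CD", "AU", "Payroll", prior_year=True),
    Finding("F-04", "MW", "CP", "Fund Balance"),
]

if __name__ == "__main__":
    for view, groups in aggregate(SAMPLE).items():
        print(view, dict(groups))
```

On the sample, Accounts Payable and Payroll each collect two findings (Payroll only because the prior-year finding is carried in), and the AC family collects two; those are the groups whose combined likelihood and magnitude the evaluator re-examines, while the single MW is left out because it is already at the highest level.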
Aggregation of Deficiencies (cont'd)
- If you agree with the aggregation of deficiencies noted, a position paper is not necessary.
- After completing your evaluation of the aggregation of the deficiencies, consider writing a position paper in instances where you disagree with the results of aggregation presented by the auditors.