IT Audit Requirements - PowerPoint PPT Presentation

About This Presentation

Title: IT Audit Requirements

Description: Title: Building Business Value; Author: EmilyT; Last modified by: Information Systems; Created Date: 10/22/2004 8:29:54 PM; Document presentation format: PowerPoint PPT presentation

Slides: 99
Provided by: Emil1227
Transcript and Presenter's Notes


1
IT Audit Requirements: Management Controls
Jack Heyman, CPA, CISA, CGFM, CIPP, CAP
Your Internal Controls
2
Agenda
  • Introduction
  • Comments
  • Regulation / Guidance
  • Internal Controls
  • COSO
  • A-123
  • SAS 55
  • Yellow Book
  • SAS 112

3
Comments
  • Over 800 pages of statutory text govern the
    daily decisions of Federal managers
  • Representative Platts
  • Chairman, Subcommittee on Government Management,
    Finance, and Accountability (June 22, 2005)

4
Comments
  • Internal controls are the checks and balances
    that help managers detect and prevent problems.
    They can be as simple as computer passwords or
    having a manager sign off on a time sheet, or as
    complex as installing software to track spending
    and detect spikes that signal trouble.
  • Internal controls provide a foundation for
    accountability and, while they are important in
    the private sector, sound controls are imperative
    in government. Public trust depends on nothing
    less.
  • Representative Platts
  • Chairman, Subcommittee on Government Management,
    Finance, and Accountability (February 16, 2005)

5
Comments
  • Events of recent years have dispelled the myth
    that internal control is but a mere academic
    exercise or is of interest only to accountants or
    auditors. High profile fraud and mismanagement
    in the private sector, and the Federal
    government's own financial reporting problems,
    have resulted in an increased focus on
    management's responsibility for internal
    control.
  • February 2005, Subcommittee on Government
    Management, Finance, and Accountability

6
Comments
  • Government should lead by example. We should be
    as good or better than those we are regulating.
  • David Walker, Comptroller General to Congress
    (CFO Magazine, June 2003)

7
Comments
  • The policy changes in this circular are intended
    to strengthen the requirements for conducting
    management's assessment of internal control over
    financial reporting. The circular also
    emphasizes the need for agencies to integrate and
    coordinate internal assessments with other
    internal control-related activities.
  • Linda Springer, Controller
  • Office of Management and Budget
  • December 21, 2004

8
Regulation / Guidance
  • Budget and Accounting Procedures Act of 1950
  • Internal controls have been talked about for
    almost 60 years.
  • Inspector General Act of 1978, as amended
  • OMB A-123 Management's Responsibility for
    Internal Control (1981)
  • Federal Managers' Financial Integrity Act of 1982
  • OMB A-50 Audit Follow Up (1982)
  • GAO Green Book (1983)

9
Regulation / Guidance
  • CFO Act of 1990
  • Financial statement audits for approximately 225
    agencies.
  • Government Performance and Results Act of 1993
  • Government Management Reform Act of 1994
  • OMB A-123 Management's Responsibility for
    Internal Control revised (1995)
  • Federal Financial Management Improvement Act of
    1996
  • Clinger-Cohen Act of 1996
  • GAO Green Book revised (1999)

10
Regulation / Guidance
  • Reports Consolidation Act of 2000
  • OMB Bulletin 01-02 Audit Requirements for Federal
    Financial Statements (2000)
  • Federal Information Security Management Act of
    2002
  • Includes PIA
  • Improper Payments Information Act of 2002
  • Accountability of Tax Dollars Act of 2002
  • Another 78 agencies must have financial statement
    audits.
  • OMB A-123 Management's Responsibility for
    Internal Control revised (2004)
  • OMB A-136 Financial Reporting Requirements (2004)

11
Regulation / Guidance
  • NIST 800-18 Security Plans
  • NIST 800-30 Risk Assessments
  • NIST 800-34 Contingency Planning
  • NIST 800-37 Certification and Accreditation
  • NIST 800-47 Interconnected Systems
  • NIST 800-50 Security Awareness
  • NIST 800-53a Controls (low, moderate, and high)
  • NIST 800-60 Control categories
  • NIST FIPS 199 Security Categorization
  • OMB M-06-16
  • Where and why do we have to follow NIST
    standards?

12
Internal controls
  • OMB A-123 Authority
  • Federal Managers' Financial Integrity Act of 1982
    as codified in 31 U.S.C. 3512
  • References A-123 to provide guidance on how to
    implement.

13
Internal controls
  • Agencies and individual Federal managers must
    take systematic and proactive measures to:
  • Develop internal control oriented management.
  • Assess the adequacy of internal control in
    programs and operations.
  • Separately assess and document internal control.
  • Identify needed improvements.
  • Take corrective action.
  • Report annually through management assurance
    statements.
  • Source: A-123 Revised, dated December 21, 2004.

14
Internal controls
  • A-123 makes references to a host of other
    regulations to follow, such as:
  • FISMA
  • IPIA
  • GPRA
  • CFO Act

15
Internal controls
  • What are internal controls?
  • Compliance with Laws and Regulations.
  • Reliability of Financial Data.
  • Effectiveness and Efficiency of operations.
  • The above is mentioned everywhere (e.g. CFOC
    A-123 Implementation Guide, many SASs, A-123,
    Green Book, etc.)

16
Internal controls
  • A-123 Applicability
  • Compliance with A-123 AND Appendix A:
  • Agencies listed within the CFO Act of 1990, as
    amended by the Government Management Reform Act
    of 1994 (cited in OMB Circular A-136). (ABOUT
    225 AGENCIES)
  • Compliance with A-123 (NOT Appendix A):
  • Executive agencies, as well as independent
    agencies and government corporations within the
    executive branch of the Federal government.

17
COSO
  • COSO's influence on the industry
  • National Commission on Fraudulent Financial
    Reporting (Treadway Commission) was formed in
    1985 from the following 5 organizations:
  • FEI Financial Executives International
  • AAA American Accounting Association
  • AICPA American Institute of CPAs
  • IIA Institute of Internal Auditors
  • IMA Institute of Management Accountants

18
COSO
  • COSO's influence on the industry
  • In 1987, the Treadway Commission issued the
    Report of the National Commission on Fraudulent
    Financial Reporting, which emphasized:
  • Importance of control environment
  • Codes of conduct
  • Competent and involved audit committees
  • Active and objective internal audit function

19
COSO
  • COSO's influence on the industry
  • In September 1992, COSO issued the Internal
    Control - Integrated Framework, with five
    components:
  • Control Environment: tone of the organization
  • Risk Assessment: assessing the risks of the
    organization
  • Control Activities: policies and procedures
  • Information and Communication: timely
    communication throughout the organization
  • Monitoring: quality control over a period of
    time

20
COSO
  • COSO's influence on the industry
  • In September 2004, COSO issued the Enterprise
    Risk Management - Integrated Framework (ERM).

21
COSO

22
SAS 55
  • SAS 55, paragraph .02
  • In all audits, the auditor should obtain an
    understanding of internal control sufficient to
    plan the audit by performing procedures to
    understand the design of controls relevant to an
    audit of financial statements and determining
    whether they have been placed in operation. In
    obtaining this understanding, the auditor
    considers how an entity's use of information
    technology and manual procedures may affect
    controls relevant to the audit. The auditor then
    assesses control risk for the assertions embodied
    in the account balance, transaction class, and
    disclosure components of the financial
    statements.

23
SAS 55
  • SAS 55, paragraph .04
  • Alternatively, the auditor may assess control
    risk at the maximum level because he or she
    believes controls are unlikely to pertain to an
    assertion or are unlikely to be effective, or
    because evaluating the effectiveness of controls
    would be inefficient.
  • Remember: SAS 103 and 112 now come into play.

24
Yellow Book

                General Standards   Fieldwork Standards         Reporting Standards
                (chapter 3)         (chapter 4)                 (chapter 5)
GAAS (AICPA)    -                   X                           X
SAS (AICPA)     -                   X                           X
GAGAS           X                   X (in addition to AICPA)    X (in addition to AICPA)

Note: Yellow Book (GAGAS) engagements are
subjected to additional AICPA standards for both
fieldwork and reporting aspects.
25
SAS 112, paragraph 1
It is applicable whenever an auditor expresses
an opinion on financial statements. Requires
the auditor to communicate, in writing, to
management and those charged with governance,
significant deficiencies and material weaknesses
identified in an audit.
26
SAS 112, paragraphs 5 - 6

Deficiency Type          Likelihood          Magnitude
Control Deficiency       Remote              Inconsequential
Significant Deficiency   More than remote    More than inconsequential
Material Weakness        More than remote    Material
27
SAS 112, paragraph 9
The auditor must evaluate identified control
deficiencies and determine whether these
deficiencies, individually or in combination, are
significant deficiencies or material weaknesses.
The significance of a control deficiency
depends on the potential for a misstatement, not
on whether a misstatement actually has occurred.
Accordingly, the absence of identified
misstatement does not provide evidence that
identified control deficiencies are not
significant or material weaknesses.
28
SAS 112, paragraph 13
Multiple control deficiencies that affect the
same financial statement account balance or
disclosure increase the likelihood of
misstatement and may, in combination, constitute
a significant deficiency or material weakness,
even though such deficiencies are individually
insignificant.
29
SAS 112, paragraph 14
... the auditor also should evaluate the possible
mitigating effects of effective compensating
controls. Although compensating controls
mitigate the effects of a control deficiency,
they do not eliminate the control deficiency.
30
SAS 112, paragraph 18
  • Deficiencies in the following areas ordinarily
    are at least significant deficiencies in internal
    control:
  • Controls over the selection and application of
    accounting principles
  • Antifraud programs and controls
  • Controls over the period-end financial reporting
    process, including controls over procedures used
    to enter transaction totals into the general
    ledger; initiate, authorize, record, and process
    journal entries into the general ledger; and
    record recurring and nonrecurring adjustments to
    the financial statements.

31
SAS 112, paragraph 19
  • Each of the following is an indicator of a
    control deficiency that should be regarded as at
    least a significant deficiency and a strong
    indicator of a material weakness in internal
    control:
  • Ineffective oversight of the entity's financial
    reporting and internal control by those charged
    with governance.
  • Restatement of previously issued financial
    statements to reflect the correction of a
    material misstatement
  • Identification by the auditor of a material
    misstatement in the financial statements for the
    period under audit that was not initially
    identified by the entity's internal control
  • An ineffective internal audit function or risk
    assessment function at an entity for which such
    functions are important to the monitoring or risk
    assessment component of internal control, such as
    for very large or highly complex entities.

32
SAS 112, paragraph 19 (continued)
  • Each of the following is an indicator of a
    control deficiency that should be regarded as at
    least a significant deficiency and a strong
    indicator of a material weakness in internal
    control:
  • For complex entities in highly regulated
    industries, an ineffective regulatory compliance
    function
  • Identification of fraud of any magnitude on the
    part of senior management
  • Failure by management or those charged with
    governance to assess the effect of a significant
    deficiency previously communicated to them and
    either correct it or conclude that it will not be
    corrected
  • An ineffective control environment.

33
SAS 112, paragraph 32
  • The following are examples of circumstances that
    may be control deficiencies, significant
    deficiencies, or material weaknesses:
  • Inadequate design of internal control over a
    significant account or process
  • Inadequate documentation of internal control
  • Insufficient control consciousness within the
    organization
  • Absent or inadequate segregation of duties
  • Absent or inadequate controls over safeguarding
    of assets
  • Inadequate design of IT general and application
    controls
  • Employees or management who lack qualifications
    and training
  • Inadequate design of monitoring controls, and
  • Absence of internal process for reporting
    deficiencies

34
SAS 112, paragraph 32 (continued)
  • The following are examples of circumstances that
    may be control deficiencies, significant
    deficiencies, or material weaknesses:
  • Failure in the operation of effectively designed
    controls (e.g. dual authorization)
  • Failure to perform reconciliations of significant
    accounts
  • Undue biases on the part of management
  • Management override of controls.

35
Internal Controls

36
What is Risk?
  • RISK is the threat that an event, action, or
    non-action will have an adverse effect on the
    ability to achieve one's objectives.
  • To assess risk, the following process is used:
  • Source the Risks
  • Prioritize the Risks
  • Identify the Risks
37
What is Internal Control?
  • Internal Control: Risk Mitigation
  • Internal control is anything that provides
    reasonable assurance that a specified unwanted
    action is prevented or detected. Examples
    include:
  • Alarm Clock: designed to prevent oversleeping.
    What are the risks?
  • Speed Limits: designed to prevent aggressive
    driving. What are the risks?
  • Log-on Password: designed to prevent unauthorized
    access to proprietary information. What are
    the risks?
38
What is Internal Control in an Organization?
  • Internal controls are the policies and procedures
    that help managers and employees be effective and
    efficient while avoiding serious problems such as
    overspending, operational failure, fraud, waste,
    abuse, and violations of law. They provide
    reasonable assurance that the following three
    objectives are met:
  • Effectiveness and Efficiency of Operations:
    relates to an entity's basic business objectives,
    including performance goals and safeguarding of
    an entity's resources.
  • Reliability of Financial Reporting: relates to
    the preparation of reliable financial reporting,
    including interim and consolidated financial
    statements, as well as other significant internal
    and external reports (i.e. budget execution
    reports, monitoring reports, and reports used to
    comply with laws and regulations).
  • Compliance with Laws and Regulations: relates to
    complying with those laws and regulations to
    which the entity is subject.
39
What are the Benefits of Good Internal Control?
  • Identification and elimination of waste, fraud
    and abuse
  • Reduction of improper or erroneous payments
  • Enhanced understanding of risk exposure
  • Sustained performance, efficiency and
    effectiveness
  • Reduced level of effort for financial management
    system implementation or audit
  • Improved policies and procedures
  • Streamlined processes
  • Clear definition of process ownership
  • Greater accountability
  • Enhanced audit readiness and internal control
    attestation readiness
  • Compliance with laws and regulations

40
Office of Management and Budget (OMB) and
Congressional Oversight
  • The role of OMB is to assist the President in the
    development and implementation of budget,
    program, management, and regulatory policies. It
    is an independent component of the Executive
    Branch.
  • Internal control is an integral part of tools
    currently being used by OMB and Congress to
    monitor federal Agencies.
  • Performance and Accountability Report (PAR):
    contains the Secretary's assurance statement on
    internal and financial management controls
  • Program Assessment Rating Tool (PART): developed
    to assess and improve program performance so that
    the Federal government can achieve better results
  • President's Management Agenda (PMA): aggressive
    strategy for improving the management of the
    Federal government. Contains seven
    government-wide and nine Agency-specific goals
    for improvement. Includes a scorecard

41
Internal Control Policy
Legislative / Regulatory Authority: Internal Control Requirement
  • Federal Managers' Financial Integrity Act (FMFIA)
    of 1982: Requires that agency CFOs develop and
    maintain an integrated system of internal
    controls and requires GAO to issue internal
    control standards
  • Federal Financial Management Improvement Act of
    1996 (FFMIA): Requires that Federal financial
    management (FM) systems have reliable data and
    comply with financial management requirements
  • Federal Information Security Management Act of
    2002 (FISMA): Requires agencies to ensure the
    adequacy and effectiveness of information
    security controls by conducting annual reviews
    and reporting results to OMB
  • Improper Payments Information Act of 2002 (IPIA):
    Provides for estimates and reports of improper
    payments by Federal agencies
  • CFO Act of 1990: Requires that agency CFOs
    develop and maintain an integrated and controlled
    accounting and FM system
  • Government Performance and Results Act of 1993
    (GPRA): Requires agencies to clarify their
    missions, set strategic and annual performance
    goals, and report on performance toward these
    goals
  • Inspector General Act of 1978: Requires IGs to
    report on internal controls when conducting a
    performance audit
  • OMB Circular A-123: Requires monitoring and
    improvement of internal controls associated with
    programs
  • OMB Circular A-127: Outlines requirements for FM
    system controls
  • OMB Circular A-130: Establishes the policy for
    the management of Federal information resources
42
OMB Circular A-123
  • Issued under authority of FMFIA; entitled
    "Management Accountability and Control"
  • Provides guidance to Federal managers on
    improving the accountability and effectiveness of
    Federal programs and operations by establishing,
    assessing, correcting, and reporting on
    management controls
  • Requires annual reporting on the effectiveness of
    management controls
  • Provides the basis for an Agency head's annual
    assessment and report on internal controls
    required by FMFIA

43
Revised OMB Circular A-123
  • Circular A-123 was revised in December 2004
  • Renamed "Management's Responsibility for Internal
    Control"
  • Changes developed by the Chief Financial Officers
    Council (CFOC) and the President's Council on
    Integrity and Efficiency (PCIE)
  • Adopts certain concepts from the Sarbanes-Oxley
    Act of 2002
  • Strengthens management requirements for assessing
    controls over financial reporting with the
    addition of Appendix A, Internal Controls over
    Financial Reporting
  • Took effect FY 2006; the initial report was due
    in the November 2006 Performance and
    Accountability Report (PAR)

44
Overview of Revised Circular OMB A-123
  • The Revised Circular A-123 includes the following
    Appendices:
  • Appendix A: Internal Control over Financial
    Reporting
  • Appendix B: Improving Management of Government
    Charge Card Programs (Revised Appendix B issued
    April 2006)
  • Increases frequency of review and scope of
    spending and transaction limits
  • Limits authorization and blocks card use for
    high risk merchant category codes
  • Appendix C: Requirements for Effective
    Measurement and Remediation of Improper Payments
    (Issued August 2006)
  • Requires a review of all programs and activities
    to identify those which may be susceptible to
    significant erroneous payments and obtaining a
    statistically valid estimate of the annual amount
    of improper payments
  • Requires implementation of a plan to reduce
    erroneous payments and the reporting of estimates
    of the annual amount of improper payments and the
    progress made in reducing them

45
Revised OMB Circular A-123, Appendix A
Requirements
OMB Circular A-123, Appendix A requires Agencies
to:
  • ASSESS internal control over financial reporting
    using the Committee of Sponsoring Organizations
    (COSO)/GAO Framework
  • ESTABLISH a governance structure
  • DOCUMENT the design of controls of material
    accounts and assess their effectiveness as of
    June 30
    - This includes entity-level controls and
      process/transaction-level controls, including
      Information Technology (IT)
  • TEST the operating effectiveness of internal
    controls

46
Revised OMB Circular A-123, Appendix A
Requirements (continued)
  • INTEGRATE internal control throughout the entire
    agency and through the entire cycle of planning,
    budgeting, management, accounting, and auditing
  • SIGN an annual Statement of Assurance in the
    Performance and Accountability Report (PAR)
    certifying effectiveness of internal control
    within the Agency
    - The Assurance Statement must assert to the
      effectiveness of the internal controls as of
      June 30 and be issued in the Performance and
      Accountability Report by November 15
  • CORRECT deficiencies in internal control over
    financial reporting
    - Agencies must create and execute corrective
      action plans to promptly and effectively
      resolve material weaknesses and other
      significant deficiencies

47
Internal Control over Financial Reporting
The specific focus of OMB Circular A-123,
Appendix A is internal control over financial
reporting.
  • Internal control over financial reporting is a
    process designed to provide reasonable assurance
    regarding reliability of financial reporting. The
    process starts at the initiation of a transaction
    and ends with reporting
  • Internal control over a complete process involves
    controls at every step of the process, including:
  • controls over transaction initiation,
  • maintenance of records,
  • recording of transactions, and
  • final reporting
  • Internal control over financial reporting also
    includes:
  • entity level controls,
  • information technology controls, and
  • operational and compliance controls

48
Management Responsibilities
  • Management is responsible for establishing and
    maintaining internal control and documentation.
    Management must:
  • consistently apply the internal control standards
    of OMB Circular A-123, Appendix A (i.e., the COSO
    Framework's five components)
  • develop and maintain activities for the three
    objectives of OMB A-123 (i.e., the COSO/GAO
    Framework)
  • maintain up-to-date controls documentation on an
    on-going basis
  • provide a certification Statement related to the
    adequacy of controls (signed by the Secretary)

49
Manual versus Automated Controls
  • Controls may be either:
  • Manual: implemented through human action
  • Example: General Ledger entries must be reviewed
    and authorized by an accountant who signs off on
    an approved document
  • Automated: implemented through system action
  • Example: Users must have a valid user id and
    password to access a system

50
Detective versus Preventative Controls
  • Controls may be either:
  • Detective: provide evidence that an error or
    exception has occurred
  • Example: Reviews, analyses, reconciliations,
    periodic physical inventories, audits, and
    surveillance cameras are all examples of
    detective controls
  • Preventative: proactive in that they attempt
    to deter or prevent undesirable events from
    occurring
  • Example: Separation of duties, proper
    authorization, passwords, and physical control
    over custody of assets are all examples of
    preventative controls

51
Control Activities Specific for Information
Systems
  • There are two types of Information System
    Controls:
  • General Computer Controls (GCCs): pervasive,
    over-arching controls that affect every
    transaction. Used to manage and control the
    organization's information technology
    infrastructure.
  • Application Controls: controls that cover the
    processing of data within an application or
    computer program.
  • OMB Circular A-123 states, "general and
    application controls over information systems are
    interrelated; both are needed to ensure complete
    and accurate information processing."

52
Control Activities Specific for Information
Systems: General Computer Controls
  • General Computer Controls should be designed to
    ensure that:
  • The overall IT environment is well-controlled
  • The IT organization is fit for its purpose, and
    there is proper management control over
    information systems
  • Critical processing can be restored timely in the
    event of a prolonged outage (data / systems are
    backed up)
  • New applications and changes to existing
    applications are properly authorized and only
    approved modifications are moved to the
    production environment
  • Physical and logical security controls restrict
    access to data, systems and sensitive facilities

53
Control Activities Specific for Information
Systems: General Computer Controls (continued)
  • Examples of General Computer Controls include:
  • Monitoring of Adherence to Entity-wide Security
    Program
  • Data Processing Policies and Procedures
  • Continuity of Operations Plan (COOP)
  • Regularly Scheduled and Documented Change
    Control Board Meetings
  • Properly Completed and Maintained Access
    Request Forms
  • What must be assessed?
  • Security Planning and Management
  • Change Control
  • Segregation of Duties
  • Access Controls
  • Service Continuity
  • System Software

54
Control Activities Specific for Information
Systems: Application Controls (continued)
  • Examples of Application Controls include:
  • Automated controls built into the application
    (computerized edit checks and required passwords)
  • Manual controls surrounding the application
    (manual reconciliations of interfaced
    applications, management sign-offs, and reviews
    of audit logs)
  • What must be assessed?
  • Input Controls (access restrictions, validity
    checking, source documents)
  • Processing Controls (integrity controls, error
    messages, job scheduling)
  • Output Controls (report generation and
    distribution, manual review of reports for
    obvious errors)

55
Entity Level Controls
  • Definition: Entity Level Controls are controls
    that management has in place to ensure that the
    appropriate controls exist throughout the
    organization, including at the individual
    agencies.
  • Responsibility: Entity Level Controls are
    assessed at both the agency and department level.
  • Purpose: Entity Level Controls can have a
    pervasive effect on the overall control
    effectiveness of the organization; therefore the
    assessment of entity-level controls is essential
    to the overall evaluation of controls.

56
Assessing Risk
  • What is meant by Assessing Risk?
  • Assess: to determine the importance, size, or
    value of
  • Risk: a state of uncertainty where, if specific
    events or conditions occur, there exists a
    possibility of an undesirable outcome.

57
Key Terms
  • Confidentiality
  • Integrity
  • Availability
  • Issue
  • Exception
  • Negligible Exception
  • Isolated Incident
  • Control Deficiency
  • Significant Deficiency
  • Material Weakness

58
FISMA
  • The Federal Information Security Management Act
    (FISMA) established in December 2002 requires
    each federal agency to develop, document, and
    implement an agency-wide program to provide
    information security for the information and
    information systems that support the operations
    and assets of the agency, including those
    provided or managed by another agency,
    contractor, or other source.

59
A-123 Appendix A
  • A-123 Appendix A was added in December 2004 to
    incorporate Sarbanes-Oxley Section 404 principles
    into federal financial management.
  • Revision deals primarily with internal controls
    over financial reporting.
  • A-123 Appendix A effective FY 2006.

60
FISMA and A-123 Appendix A: involvement with
assessing risk
  • In order to maintain a secure environment for
    information and information systems under FISMA a
    well established set of internal controls should
    be developed and executed.
  • FISMA internal controls incorporate the financial
    internal controls designed by A-123 Appendix A.
  • A necessary element in maintaining a set of
    internal controls is performing risk assessments.

61
FISMA Compliance
  • A-123 Appendix A Assurance Statement
  • NIST 800-53 Controls
  • Financial Reporting Controls
62
Vulnerability
  • Definition: open to attack or damage
  • Vulnerability is defined as a weakness or
    shortfall in a system that reduces the system's
    ability to protect system assets. The
    vulnerability can be caused by the absence of a
    needed security feature, or by some inadequacy in
    the functioning of an existing security feature.

63
Threat
  • Definition: an indication of something impending
  • Threat is defined as an unwanted event or attack
    against an IS asset (that) exploits a
    vulnerability and is carried out by a threat
    agent, such as an insider, intruder, hostile
    intelligence service, or terrorist.

64
Significance
  • Definition: the quality of being important
  • Significance is defined as the magnitude of
    consequence or quantification of the damage that
    may be done if a threat is carried out and an
    unwanted event occurs.

65
Household Example
  • Backyard Pool
  • Objective: Keep Child Alive
  • Threat: Child may drown in backyard pool
  • Vulnerability: Pool gate does not have a lock,
    child cannot swim, child is exploratory
  • Significance: Loss of a loved one
  • POAM: Teach the child to swim / Add lock

66
General Overview
  • Assessing Risk is more than just an annual
    process; it is continually evolving as the
    company changes on a day-to-day basis.
  • How does the scenario and risk rating change
    under the following conditions?
  • Multiple Children
  • Children are all over the age of 15
  • House is located 50 miles from neighbors
  • No Children within the house
  • 3 Children under the age of 7
  • Changes in the environment change the Risk
    situation.

67
Limited resources - POAM
  • How do we accomplish the control objective when
    we have limited resources?
  • Resource limitations could include:
  • Cost to complete
  • Time Available
  • Number of people required to accomplish the
    objective
  • Availability of resources
  • Requires prioritization to use the resources
    effectively

68
Security Objective: Control Deficiency / Significant Deficiency / Material Weakness

Confidentiality
  • Control Deficiency: Exists when the design or
    operation of a control does not allow management
    or employees, in the normal course of performing
    their assigned functions, to prevent the
    unauthorized disclosure of sensitive information.
  • Significant Deficiency: Exists when a control
    deficiency, or combination of control
    deficiencies, adversely affects the entity's
    ability to protect sensitive information, such
    that there is more than a remote likelihood of
    the unauthorized disclosure of sensitive
    information that could be expected to have a
    serious adverse effect.
  • Material Weakness: Exists when a deficiency, or
    combination of significant deficiencies, results
    in more than a remote likelihood of the
    unauthorized disclosure of sensitive information
    that could be expected to have a severe or
    catastrophic adverse effect.

Integrity
  • Control Deficiency: Exists when the design or
    operation of a control does not allow management
    or employees, in the normal course of performing
    their assigned functions, to prevent or detect
    misstatements of data (both financial and
    non-financial data) on a timely basis.
  • Significant Deficiency: Exists when a control
    deficiency, or combination of control
    deficiencies, adversely affects the entity's
    ability to initiate, authorize, record, process,
    or report data (both financial and non-financial
    data) reliably, such that there is more than a
    remote likelihood that a misstatement of the
    entity's reports (both financial and
    non-financial reports) that is more than
    inconsequential will not be prevented or
    detected.
  • Material Weakness: Exists when a deficiency, or
    combination of significant deficiencies, results
    in more than a remote likelihood that a material
    misstatement of the entity's reports (both
    financial and non-financial reports) will not be
    prevented or detected.

Availability
  • Control Deficiency: Exists when the design or
    operation of a control does not allow management
    or employees, in the normal course of performing
    their assigned functions, to protect the
    availability of critical information resources
    and continuity of operations.
  • Significant Deficiency: Exists when a control
    deficiency, or combination of control
    deficiencies, adversely affects the entity's
    ability to protect critical information resources
    and continuity of operations, such that there is
    more than a remote likelihood of a disruption of
    the entity's operations that could be expected to
    have a serious adverse effect.
  • Material Weakness: Exists when a control
    deficiency, or combination of control
    deficiencies, adversely affects the entity's
    ability to protect critical information resources
    and continuity of operations, such that there is
    more than a remote likelihood of a disruption of
    the entity's operations that could be expected to
    have a severe or catastrophic adverse effect.
69
Issue Handling
  • Gauging the Problem

Flowchart stages (diagram not reproduced in the transcript):
  • Issues
  • Exceptions
  • Assessing Risk Framework
  • Level of Deficiency (CD, SD, MW)
70
A Day in the Life of a Deficiency
Flowchart stages (diagram not reproduced in the transcript):
  • Framework Evaluation
  • Identify/Verify
  • Mitigating Controls
  • Aggregation
  • Remediation
  • Issue Identified
  • Deficiency Remediated
  • Deficiency Evaluation
  • POAM Creation
  • Assess Likelihood and Magnitude
71
  • Identify and Verify
  • (covered in Test Procedure Training)

72
Identify and Verify
  • Once an issue has been identified, the following
    should be performed:
  • Speak with the control owner.
  • Determine whether the correct understanding was
    obtained.
  • Determine whether there is any other evidence of
    the control.
  • If the issue still exists, confirm with
    management that it is a true exception.

73
Defining Exceptions
  • Exceptions are deviations from the predefined
    expectations of control activity statements.
  • Exceptions can be found when assessing the design
    of the control activities, or when performing
    operating effectiveness testing of the control.
  • An exception may be detected, or a control may not
    operate as expected, for a number of reasons:
  • The person who normally performs the control was
    absent for a period of time.
  • The control may have broken down.
  • If the person who normally performs the work was
    absent, or the control broke down for other
    reasons, the individual testing this control
    should attempt to identify any additional
    Redundant Controls that might be in place to help
    achieve the objective.

74
Defining Exceptions (cont.)
  • Consider whether or not the identified exception
    is an isolated incident, and therefore a
    negligible exception.
  • Consider whether the exception is within the
    tolerable deviation rate (frequency of the
    control must be at least daily).
  • Tolerable deviation: the number of exceptions
    the auditor will permit in the population and
    still be willing to rely on internal controls.

75
Redundant Controls
  • Redundant Controls (identified and tested) that
    operate effectively should be considered when
    evaluating an exception.
  • Redundant Controls can be found in different
    control objectives or NIST controls, and help to
    eliminate the deficiency.
  • The identified Redundant Controls need to be
    tested, and be operating effectively in order to
    be considered in the exception evaluation
    process.
  • Note: Redundant Controls can eliminate a control
    deficiency.

76
Identify and Verify, cont'd
  • Other comments
  • Not all exceptions found in testing will result in
    a deficiency.
  • The key factor is whether the control objective, or
    NIST control, is met.
  • Evaluation requires professional judgment,
    considering:
  • Quantitative and qualitative factors
  • Implications with regard to other controls

77
  • Likelihood and Magnitude

78
Assessing Risk: Exception Risk
  • Evaluate the risk level of each deficiency that
    is identified.
  • The level of risk depends on:
  • Proximity of the deficiency to the actual data.
  • Likelihood: the chance that the deficiency could
    cause an undesirable outcome
      • Vulnerability
      • Threat
  • Magnitude: the size or extent of an undesirable
    outcome that may change or influence the judgment
    of a reasonable person
      • Significance
  • The level of risk does not depend on whether an
    undesirable outcome has actually occurred, but
    rather on whether there is a reasonable
    possibility that the department/agency's controls
    will fail to prevent or detect an undesirable
    outcome.

79
Likelihood: Threat (including Threat Agent)
  • Capability
  • History
  • Gain / Motivation
  • Attributable
  • Detectability

80
Likelihood
  • Determine whether it is reasonably possible that
    the control, or combination of controls, will
    fail to prevent or detect an undesirable outcome.
  • Determine the likelihood of an undesirable
    outcome, not the likelihood of a material
    undesirable outcome.
  • Likelihood can be evaluated without quantifying
    the probability that an undesirable outcome will
    occur.
  • Risk factors affecting likelihood:
  • The subjectivity, complexity, or extent of
    judgment required to determine the amount
    involved
  • The interaction or relationship of the control
    with other controls, including whether they are
    interdependent or redundant
  • The possible future consequences of the
    deficiency.

81
Magnitude
  • Significance
  • Loss of Life
  • Top Secret/Secret
  • Confidential
  • Privacy Data
  • Operations Impact
  • Equipment Loss
  • Data Integrity / Accuracy

82
83
CIA and NIST 800-53 Control Families
Table (diagram not reproduced in the transcript): each NIST SP 800-53
control family mapped to the security objectives it supports
(C = Confidentiality, I = Integrity, A = Availability). Families
listed on the slide:
  • AC Access Control
  • AU Audit and Accountability
  • CA Certification, Accreditation, and Security Assessments
    (later renamed Security Assessment and Authorization)
  • CM Configuration Management
  • CP Contingency Planning
  • IA Identification and Authentication
  • IR Incident Response
  • MA Maintenance
  • MP Media Protection
  • PE Physical and Environmental Protection
  • PL Planning
  • PS Personnel Security
  • RA Risk Assessment
  • SA System and Services Acquisition
  • SI System and Information Integrity
84
  • Compensating Controls

85
Compensating Controls
  • Definition: to cause to become less harsh or hostile
  • Compensating Controls are controls that operate
    at a level of precision that would reduce the
    potential impact of the deficiency to the
    organization.

86
Compensating Controls
  • Compensating Controls (identified and tested)
    that operate effectively should be considered
    when evaluating the level of a deficiency.
  • Compensating Controls can be found in different
    control objectives or NIST controls, and help to
    decrease the severity of the deficiency.
  • The identified Compensating Controls need to be
    tested, and be operating effectively in order to
    be considered in the deficiency evaluation
    process.
  • Note: Although Compensating Controls can reduce
    the severity of a control deficiency, they do not
    eliminate the control deficiency.

87
Example of Redundant vs. Compensating Controls
Material Weakness
88
Example of Redundant vs. Compensating Controls
Significant Deficiency
89
Example of Redundant and Compensating Controls
Control Deficiency
90
Example of Redundant and Compensating
Negligible Exception
91
  • Evaluating Deficiencies

92
Deficiency Evaluation: Issue Evaluation
  • Issue Evaluation
  • Step 1: Determine whether further evaluation is
    necessary
  • Deficiency Evaluation
  • Step 2: Determine the level of deficiency


93
Deficiency Evaluation, cont'd
Level of deficiency by magnitude of the undesirable outcome that
occurred, or could have occurred (rows), and likelihood of an
undesirable outcome (columns):

                                                      Likelihood:             Likelihood:
Magnitude                                             More than remote        Remote
Quantitatively or qualitatively material              Material Weakness       Significant Deficiency
More than inconsequential, but less than material     Significant Deficiency  Control Deficiency
Inconsequential (i.e., immaterial)                    Control Deficiency      Control Deficiency
94
Internal Control
  • Definitions: A-123, Financial Reporting

                 Significant Deficiency       Material Weakness
Likelihood       More than remote             More than remote
Magnitude        More than inconsequential    Material
95
Costs vs. Benefits
  • In some cases it is adequate to accept the risk
    of an undesirable outcome.
  • Factors that should be considered when making
    this decision include:
  • Cost vs. benefit analysis

96
  • Aggregating
  • Deficiencies

97
Aggregation of Deficiencies
98
Aggregation of Deficiencies, contd
  • Consider all control deficiencies and significant
    deficiencies in the aggregate by:
  • Significant account balance or disclosure
  • NIST family (e.g., Access Control, Audit and
    Accountability, or Configuration Management)
  • Consider any prior-year unremediated findings
    when performing aggregation.
  • Multiple control deficiencies related to the same
    account balance or disclosure increase the
    relative likelihood and potential magnitude of an
    undesirable outcome compared to when only one
    individual control deficiency exists.
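
The evaluation procedure described on the Deficiency Evaluation matrix (likelihood vs. magnitude), the Redundant and Compensating Controls slides, and the aggregation slides above, carried through as a small worked example. This is an added illustration, not code from the presentation or from any agency's assessment tooling. It encodes the matrix exactly as shown on the slide; two rules it needs are not stated on the slides and are assumptions for illustration only: an effective compensating control lowers the level by one step (never below a Control Deficiency), and three or more Control Deficiencies in one NIST family are treated as a Significant Deficiency in aggregate. Control identifiers such as "AC-2" are used only to derive the NIST family; the sample exceptions are constructed.

```python
"""Deficiency evaluation and aggregation (added example, not from the slides).

Rules taken from the presentation:
  * likelihood x magnitude matrix -> CD / SD / MW
  * a tested, effective redundant control eliminates the deficiency
  * a tested, effective compensating control reduces severity but never
    eliminates the deficiency
  * deficiencies are aggregated by NIST SP 800-53 family
Assumptions (not on the slides): one-step reduction for compensating
controls; 3+ CDs in one family aggregate to an SD.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    REMOTE = 0
    MORE_THAN_REMOTE = 1


class Magnitude(IntEnum):
    INCONSEQUENTIAL = 0            # immaterial
    MORE_THAN_INCONSEQUENTIAL = 1  # but less than material
    MATERIAL = 2                   # quantitatively or qualitatively material


class Level(IntEnum):
    NONE = 0  # no deficiency (eliminated by a redundant control)
    CD = 1    # control deficiency
    SD = 2    # significant deficiency
    MW = 3    # material weakness


# The slide's matrix: (magnitude, likelihood) -> level of deficiency.
MATRIX = {
    (Magnitude.MATERIAL, Likelihood.MORE_THAN_REMOTE): Level.MW,
    (Magnitude.MATERIAL, Likelihood.REMOTE): Level.SD,
    (Magnitude.MORE_THAN_INCONSEQUENTIAL, Likelihood.MORE_THAN_REMOTE): Level.SD,
    (Magnitude.MORE_THAN_INCONSEQUENTIAL, Likelihood.REMOTE): Level.CD,
    (Magnitude.INCONSEQUENTIAL, Likelihood.MORE_THAN_REMOTE): Level.CD,
    (Magnitude.INCONSEQUENTIAL, Likelihood.REMOTE): Level.CD,
}


@dataclass
class Control:
    name: str
    tested: bool
    effective: bool

    def can_be_relied_on(self) -> bool:
        # Only controls that were identified, tested and operate effectively
        # count in the evaluation (Redundant / Compensating Controls slides).
        return self.tested and self.effective


@dataclass
class ControlException:
    control_id: str  # hypothetical NIST-style identifier, e.g. "AC-2"
    likelihood: Likelihood
    magnitude: Magnitude
    redundant: list = field(default_factory=list)
    compensating: list = field(default_factory=list)

    @property
    def family(self) -> str:
        return self.control_id.split("-")[0]


def evaluate(exc: ControlException) -> Level:
    """Level of deficiency for one exception after mitigating controls."""
    if any(c.can_be_relied_on() for c in exc.redundant):
        return Level.NONE  # objective still met: no deficiency
    level = MATRIX[(exc.magnitude, exc.likelihood)]
    if any(c.can_be_relied_on() for c in exc.compensating):
        # Assumption: severity drops one step, but a CD always remains.
        level = Level(max(Level.CD, level - 1))
    return level


def aggregate_by_family(exceptions, escalate_at: int = 3) -> dict:
    """Aggregate per NIST family; the highest individual level always stands.
    Assumption: `escalate_at` or more CDs in one family are treated as an SD."""
    per_family = defaultdict(list)
    for exc in exceptions:
        level = evaluate(exc)
        if level != Level.NONE:
            per_family[exc.family].append(level)
    result = {}
    for fam, levels in per_family.items():
        agg = max(levels)
        if agg == Level.CD and len(levels) >= escalate_at:
            agg = Level.SD
        result[fam] = agg
    return result


if __name__ == "__main__":
    ok = Control("nightly reconciliation", tested=True, effective=True)
    sample = [  # constructed sample exceptions
        ControlException("AC-2", Likelihood.REMOTE, Magnitude.INCONSEQUENTIAL),
        ControlException("AC-6", Likelihood.REMOTE, Magnitude.INCONSEQUENTIAL),
        ControlException("AC-7", Likelihood.MORE_THAN_REMOTE, Magnitude.INCONSEQUENTIAL),
        ControlException("AU-2", Likelihood.REMOTE, Magnitude.INCONSEQUENTIAL),
        ControlException("IR-4", Likelihood.REMOTE, Magnitude.MATERIAL, redundant=[ok]),
    ]
    for fam, lvl in sorted(aggregate_by_family(sample).items()):
        print(fam, lvl.name)
```

An untested compensating control is ignored, which is the point of the slides' "identified and tested" caveat; and the redundant IR-4 control removes that exception from aggregation entirely, while three AC control deficiencies escalate the family under the assumed threshold.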

99
Aggregation of Deficiencies, cont'd
  • If you agree with the aggregation of deficiencies
    noted, a position paper is not necessary.
  • After completing your evaluation of the
    aggregation of the deficiencies, consider writing
    a position paper in instances where you disagree
    with the results of aggregation presented by the
    auditors.