Transcription
General IT Controls (GITC)Risk and ImpactNovember 2018Risk Advisory
General IT Controls (GITC)Table of ContentsIntroduction 02IT scoping for evaluation of internal controls 04Importance of GITC 06Implications of GITC deficiencies 07Stepping towards a controlled IT environment 08Conclusive remarks 13Impact of GITC failure on the overall ICFR framework 15Contact 1601
General IT Controls (GITC)IntroductionThe importance of information technology (IT) controls has recently caughtthe attention of organisations using advanced IT products and services.This thought paper has been developed for the management of companies that are required to establish frameworkon internal controls and to ensure its effective operation throughout the year. This document draws attention onhow applications should be scoped-in for monitoring internal controls and how control gaps need to be assessed andconcluded.Increasing complexity of the IT setup has resulted in a greater focus around controls in the IT environment.With mandates emanating from various regulations, internal controls have gained more momentum in India during recent years.There is a trend of automation in processes and controls by adoption of advanced IT products and services for enabling greaterefficiency in operations, compliance and reporting activities. This requires an increased focus on effective operation of controlsaround IT assets and services.Internal Financial Controls over Financial Reporting“Internal controls” refers to those activities within a company that are placed by the management to mitigate the risks that couldhinder the company from achieving its objectives. Under the Committee on Sponsoring Organizations (COSO) framework revisedin May 2013, there are three types of objectives which internal controls need to meet, as depicted below:ComplianceOperationsReporting02
General IT Controls (GITC)The way in which controls are designed andimplemented within the company, so as toaddress identified risks. This component is knownas Control Activities.The way in which information within the companyis gathered and shared, both to people within thecompany responsible for operations and financialreporting, and to external users of financialreports. This component is known as Informationand Communication.ComplianceReportingInformation & CommunicationFunctionControl ActivitiesDivisionRisk AssessmentOperating UnitRisk assessment of various processes and factorsthat might hinder the company from achieving itsobjectives. For example, a process that is highlysusceptible to fraud would be considered a highrisk area.Contro EnvironmentEntityThe company’s control environment at the topmanagement level with respect to controls. Thisincludes elements such as “tone at the top,” andthe effectiveness of the board’s audit committeein its high-level oversight of financial reporting.This component is known as the ControlEnvironment.COSO Cube (2013)OperationsIn many cases, a control may address more than one ofthese objectives. Under the COSO framework, there are fiveinterrelated “components” of an effective internal controlsystem; these are derived from the way the company ismanaged on a day-to-day basis:Monitorng ActivitiesPurpose of Internal ControlInternal control is designed, implemented, and monitoredto address identified business risks that threaten theachievement of any of the entity’s objectives that concern The reliability of the entity’s financial reporting; The effectiveness and efficiency of its operations; and Its compliance with applicable laws and regulations.The way in which the effectiveness of thesecontrols are monitored by the companymanagement who take corrective actionswherever necessary.03
General IT Controls (GITC)IT scoping for evaluation ofinternal controlsMultiple application systems, data warehouses, report writers, and layers ofsupporting IT infrastructure (database, operating system, and network) maybe involved in the business process, right from initiation of a transaction to itsrecording in the general ledger. Such transactions ultimately lead to reportingin the financial statements, and therefore, any or all of these systems and ITinfrastructure may be relevant to the audit.Scoping considerations for ITapplications relevant to auditThe management needs to maintain documentationfor understanding the system landscape mapped tokey business processes that are relevant to financialreporting, including: The classes of transactions in the company'soperations that are significant to the financialstatements; The procedures, within both automated andmanual systems, by which those transactions areinitiated, authorised, processed, recorded, andreported; Significant account balances that are materialwith respect to financial reporting; Ways in which the information system capturestransaction, events and conditions that aresignificant to the financial statements; and The period-end financial reporting process.The determination as to which application system,data warehouses, or report writers are relevant tothe audit requires general IT controls to addresstheir integrity and reliability.04
General IT Controls (GITC)DataThe management relies onan application system or datawarehouse to process or maintaindata (e.g. transactions or otherrelevant data) related to significantaccounts or disclosures or reportsused in the operation of relevantcontrol.Automated ControlsThe management relies upon theapplication system to performcertain automated functions thatare relevant to the audit.System-Generated ReportsThe management relies on anapplication, data warehouse query,or report writer to generate areport that is used in the operationof relevant controls.For ExampleAssume that an entity’s SAP application runs on a UNIX server (operating system) and uses an Oracledatabase. User authentication is dependent upon Windows Active Directory (operating system) and theentity is using Cisco network management software. In this example, the UNIX and Windows Active Directoryoperating systems, Oracle database, and Cisco network management software are the technology elementssupporting the SAP application system, and all of these technology elements are relevant to the audit.05
General IT Controls (GITC)Importance of GITCSustaining reliable financial information is dependent upon effective internalcontrol and General IT Controls (GITCs) are a key part of entities’ internalcontrol framework.GITCs are a critical component of business operations and financial information controls. They provide the foundation for relianceon data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, andreliability of financial information relies on proper access controls, change management, and operational controls.The importance and relevance of General IT Controls to key stakeholders—owners, investors, regulators, audit committees,management, and auditors— continues to increase.Effective controlsin operations,compliancewith laws andregulations,and financialreporting arefundamental towell-managedentities. Entitiesrecognise theimportance ofinternal controlto the reliabilityof the businessprocesses thatthey use to runthe entity.06The processes,controls,and financialdata relevantto financialinformation areoften also reliedupon by themanagementto manage thebusiness and keydecision-making.While financialinformation isnot new, thecomplexityof financialreporting,businessmodels, and thetechnology usedto support themcontinues toevolve.Regulatorsexpect enhancedreliabilityof financialinformation, andstakeholdersare looking formore specificinformation andtransparency.Entities andauditors need toaddress theseconcerns tomeet evolvingowner, investor,and regulatorexpectations.Cyber securityis a broadbusiness risk,which extendsto financialinformation.Automationis becomingincreasinglyimportant giventhe relianceon automatedcontrols suchas calculations,access controls,segregation ofduties and input,processing, andoutput controls.These automatedcontrols rely onGITCs to ensurethey functionproperly.
General IT Controls (GITC)Implications of GITC deficienciesDeficiencies in GITCs may hinderthe management’s ability to prepareaccurate financial information. If thesedeficiencies are not identified andaddressed in a timely manner, theymay impact the overall functioningof internal controls, thereby resultingin delayed financial closing process,impact on internal decisions and/orpublic disclosure. This could ultimatelyaffect the reputation and brand of thecompany.Deficiencies in GITCs may increaseaudit effort and cost due to additionalaudit procedures needed to respond tounaddressed IT risks.Certain GITC deficiencies present"a greater risk" of resulting in amisstatement that could be pervasivein nature and could have far-reachingimplications. The proximity of the GITCdeficiency to financial reporting (e.g., adeficiency at the application layer versusthe operating system layer), and the levelof technical skill necessary to exploit thedeficiency, among other factors, couldaffect the severity of a deficiency.As such, when considering the natureand cause of the deficiency, it isimportant to consider whether theGITC deficiency presents a "lesser risk"of misstatement or a "greater risk" ofmisstatement. These considerationsare relevant to determine the nature,timing, and extent of additional auditprocedures.07
General IT Controls (GITC)Stepping towards a controlledIT environmentThe security, integrity, and reliability of financialinformation relies on proper access controls, changemanagement, and operational controls. IT systems arebecoming more integrated with business processes andcontrols over financial information. This is compellingorganisations to increase their focus on IT controls inorder to maintain the reliability of business processeswithin the organisation.The information within IT systems is crucial for meetingmany requirements in an organisation, including:Following topics are elaborated in detail belowUser AccessManagementChangeManagement Financial information relied upon by decision makersthat is maintained within the IT systems; The continuously changing and increasing complexityof financial reporting; The ability of an organisation to meet the demands ofregulators and investors The ability of an organisation to meet the demands ofregulators and investors08Outsourced ServiceProvider
General IT Controls (GITC)User Access ManagementUser access provisioningGranting any new user access is the initial step formaintaining a controlled environment on the IT application.An inappropriate user access could result in posting ofunauthorised financial transactions.Excessive accessAccess to business application needs to be granted based onroles and responsibilities of users. Provision of access thatis not in line with the user’s job responsibilities could lead toposting of unauthorised financials transactions.In both contexts, it is important to revoke the access on time.User access reviewWhile streamlining, user access provisioning is key tocontrolling the access management of an IT application;periodic user access review keeps the access aligned withrespect to business requirements. In the absence of periodicuser access review, excessive access may remain with the user.User access review also detects if there are any anomaliesin access provisioned, de-provisioned or any other privilege/excessive access.For ExampleIf an employee has access to approve purchaseorder, create goods receipt as well as vendor invoiceprocessing, there is a possibility of unauthorisedvendor payment processing which may be in excessto what is to be paid.Generic User ID and Privilege accessGeneric User IDs could lead to accountability issues fortransactions processed using such IDs. Further, if privileged(administrator) access is granted to Generic User IDs then suchaccess can be misused for posting transactions that could havea pervasive impact on the financial statements.For ExampleGeneric User ID is used for background jobprocessing and granted with privilege access.A user who accesses this Generic ID may makeinappropriate changes to the background job whichcan post unauthorized financial entries.User access de-provisioningWhile access provisioning needs to be controlled, it is equallyimportant to control the access revocation process. Whenemployees are separated from the organisation, their User IDscan be misused for processing of financial transactions. Suchtransactions would not only be unauthorised, but also lackaccountability.Furthermore, if an employee gets transferred to anotherdivision/ department and the old access provisioned to himdoesn’t become obsolete, it leaves a chance to be used lateron. Such access also needs to be de-provisioned on thetransfer of employee.Change managementDirect change accessAccess to make direct changes in a stable IT application’sproduction environment may lead to serious data integrityissues. Direct changes are usually not tested previously, so itcould lead to an adverse impact which would be difficult toroll-back.Direct change may override already existing automatedapplication control for a particular financial transactions orcertain set of transactions. In the absence of audit logs, suchdirect changes will remain undetected.Inappropriate access to modify data can affect the ability torely upon the data within the IT systems. Further, review-typecontrol over direct changes would enable one to detect anyinappropriate change to the IT application. However, a numberof transactions would have already been processed by the timean inappropriate change is identified.For ExampleA direct change made to the calculation algorithmof depreciation posting program may lead toinappropriate depreciation posting for thecompany’s asset. Further, if this direct change isperformed near to the period/year end, it may leadto incorrect representation of
The importance of information technology (IT) controls has recently caught the attention of organisations using advanced IT products and services. Increasing complexity of the IT setup has resulted in a greater focus around controls in the IT environment. With mandates emanating from various regulations, internal controls have gained more momentum in India during recent years. There is a
