Internal Audit and IT's Role In A Down Economy Devin Amato & Heidi Zenger Deloitte Enterprise Risk Services Kansas City ISACA February 12, 2009


Internal Audit and IT's Role In A Down Economy

Devin Amato & Heidi Zenger

Deloitte Enterprise Risk Services

Kansas City ISACA

February 12, 2009


Copyright © 2009 Deloitte Development LLC. All rights reserved.

Topics

Contract Risk & Compliance

Renewed focus on Data Mining

Controls Rationalization

The Next Wave of Green IT


Contract Risk & Compliance


What is Contract Risk & Compliance (CRC)?

Contract Risk & Compliance helps organizations optimize the performance of strategic business relationships by promoting the integrity and reliability of the contracts that underlie their business relationships

• Impacts profits by reclaiming contractual revenue
• Reduces risk by improving processes and controls


The Extended Enterprise Contractual Obligations and Business Processes

• Outsourcing On/Off shore, Licensing IP, Grants, JVs, Alliances

• Exposure to Brand or Reputation risk

• Revenue leakage, unauthorized product distribution, licensing of IP

• Paying for potentially unwarranted variable costs - complicated, cost-plus contracts like Advertising

(Diagram labels: Company, Suppliers, Licensees, Joint Ventures, Distributors, Customers, Agents, Franchisee, Affiliates)


The Extended Enterprise Contractual Obligations and Business Processes

Consultative (internal)

Supply-Side Partners

Joint Ventures / Alliances

Demand Side Partners

Royalty Brand

• Contract Management
• MFN/MFC
• Sales & Marketing
• Outsourcing
• Strategic
• Procurement
• Advertising
• Internet
• Manufacturer (costing)
• MFN/MFC
• Benefits
• Outsourcing (IT, call center)
• Warranty
• Construction
• Leasing
• Telecom
• Revenue Sharing / Cost Sharing (development)
• Profit Sharing
• Distributor (includes inventory price protection)
• Dealer/reseller
• OEM
• Franchise
• Internet
• Warranty
• Replicator
• End User
• IP
• Telecom
• Subscriber
• Policy Adherence
• Quality
• CSR

Health Care

Financial Services

Real Estate

Manufacturing

Financial Services

Real Estate

Consumer Business

Health Care

Financial Services

Real Estate

Consumer Business

Manufacturing


Process overview


Discussion Question

• In your table groups, discuss what types of contracts exist at your company. Who is managing these?

• Discuss Internal Audit’s involvement.


Renewed focus on Data Mining

A Foundation for Managing Risk


Does an economic downturn mean an uptick in fraud?

• Nearly two-thirds (63.3 percent) of executives surveyed expect accounting fraud to increase during the next two years.

• Data from the National White Collar Crime Center shows a spike in arrests for fraud and embezzlement during the two most recent recessions.
  – Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years;
  – Following the Internet bust in 2000, arrests jumped 25% in the following two years. [1]

[1] “Experts Say Fraud Likely to Rise,” Business Week, January 9, 2009


Fraud factors

• Three common factors drive fraudulent activity

• How has the economy impacted these factors in your organization?


A closer look

- Financial pressure
  - Corporate: Short term performance goals, earnings expectations, revenue forecasts, financial ratios tied to debt covenants, aggressive accounting practices and applications
  - Personal: Increase in asset misappropriation schemes including skimming, check tampering, and expense reimbursement
- Opportunity
  - Downsizing, re-prioritization towards revenue that reduces focus on internal controls, reduced SOD, increased workloads and inexperience
- Rationalization
  - If employees suspect that they may be let go, they may rationalize “what do I have to lose”.
  - As corporate revenues decline, management may rationalize fraudulent activity, believing it is serving the best interest of the company, its employees, and its shareholders.


Example risks and data mining procedures


Controls Rationalization


Under Pressure

What’s the problem with general computer controls?

The following factors appear to remain at play at some companies:

• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)

• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary

• Companies are not applying IT control frameworks in a manner that is leveraging IT-related company level controls

• Companies are not capitalizing on automated controls


Discussion Question

• In your table groups, discuss what your company is doing, or has done, to rationalize controls across the enterprise.

• Discuss Internal Audit’s involvement.


Challenges and Opportunities

Point of View

Guiding Principles

• Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.

• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.

• Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations.

• Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.

Solution

Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges

Definition - Control Rationalization

Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.


Working Toward a Lean and Balanced Control Design

Rationalize

Risk-Based Approach

Improve Effectiveness

Reduce Costs

Areas of Focus

Using a risk-based control rationalization approach, companies can enhance the efficiency and effectiveness of their compliance program by refining their testing approaches, improving their design of controls, and emphasizing efforts towards higher-risk areas while reducing costs associated with lower-level risks.

(Illustrative Example)

Current State: Category 1 5%, Category 2 15%, Category 3 80%

Future State Model (Effective & Efficient): Category 1 50%, Category 2 35%, Category 3 15%

Examples:

Category 1: company-level controls (e.g., control environment, period end financial reporting, anti-fraud programs)

Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas

Category 3: controls over routine, transactional processing


Control Rationalization – Phased Approach

Phases:

1. Perform IT Risk Assessment
2. Evaluate GCC Areas and Control Objectives
3. Rationalize Controls
4. Develop Risk-Based Testing Approach

Outcomes:

• Documented financial data flow diagrams
• Documented system risk assessment
• Documented relevant application and platforms (risk rated)
• Documented assessment of GCC risk ratings
• Documented assessment of control objective risk ratings
• Documented IT Company-Level Controls
• Documented IT risk-rating approach
• Revised IT control matrix with risk-ratings and rationale
• Documented risk-based testing strategy
• Cost savings analysis


Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls Overview

General Computer Control Rationalization

(Flow diagram; box labels:)

• Perform IT risk assessment (identify relevant applications, platforms)
• Remove non-relevant IT applications and platforms
• Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives
• Remove non-relevant control objectives
• Evaluate GCCs for effective and efficient testing
• Remove unnecessary controls from testing scope
• Develop risk-based testing approach for GCCs
• Re-designed Testing Approach
• Relevance to financial reporting objectives and risk-rating of associated major classes of transaction
• Lean and Balanced
• In Scope / Out of Scope

*Efficiency Evaluation Criteria

• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test process for granting access before password settings)
• Prioritize controls addressing multiple risks

NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs or an inadequate testing approach for GCCs will preclude management from being able to derive benefits of ‘benchmarking’ testing of automated controls.

| Risk-Rating Category | Sample Size | Evidence | Timing | Testing Owner |
|---|---|---|---|---|
| High | Increased Sample Sizes | No Change | No change | SOX PMO and Internal Audit |
| Medium | Reduced Sample Sizes | No change | No change | No change |
| Low | Reduced Sample Sizes | Management Self-Assessments | Test 1/3 of processes each year (rotation) | Management |


Perform IT Risk Assessment: Develop risk profile (Step 1)

Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput) and qualitative (e.g., system risks) factors.

Dollar throughput of the business process data flowing through the IT systems.

(Chart axes: Financial Impact; Inherent Risk, rated L / M / H)

Example risk factors include:
- Number of users
- Complexity of system configuration/embedded business logic
- Number/complexity of data interfaces
- Frequency of configuration parameter changes
- Extent of system customizations
- Level of centralization of IT function
- Age of system
- Extent of business process control automation


The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.”

Risk Based Approach for GCCs: Risk rate GCC areas (Step 2)

Risk Evaluation Considerations

| General Computer Control Category | Examples of Qualitative Factors | Risk Ranking | Example Procedures |
|---|---|---|---|
| Application System Development & Maintenance | High volume of changes; Application dependencies | H | Test all three levels |
| Information Security | High employee turnover; Complex architecture | H | Test all three levels |
| Information Systems Operations | Mature monitoring processes; Automated tools | M | Test predominantly IT company level and process level controls |
| Systems Software Support | Homogenous environment; Automated tools | L | Test predominantly IT company level controls |

NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.

Illustrative Purposes Only


Risk Based Approach for GCCs: Rationalize controls (Step 3)

After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.

Control Objective #1 – Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management’s intentions.

CL01: The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5)

CL02: An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1)

CL03: A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4)

CL04: The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)

PL01: Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1)

PL02: A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8)

Annotations on the control list:

• The organization’s SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated.
• These two controls are redundant in nature; accordingly, only one control will be evaluated.
• This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process; accordingly, this control will not be evaluated.

For this example, the three controls in bold text will be assessed, which represents a 50% reduction in testing.


Risk Based Approach for GCCs: Develop risk-based testing (Step 4)

Alter the nature, timing and extent of control testing based on the control objective risk-ratings.

| Risk-Rating Category | Sample Size | Evidence | Timing | Testing Owner |
|---|---|---|---|---|
| High | Increased Sample Sizes | No Change | No change | SOX PMO and Internal Audit |
| Medium | Reduced Sample Sizes | No change | No change | No change |
| Low | Reduced Sample Sizes | Management Self-Assessments | Test 1/3 of processes each year (rotation) | Management |

Risk-based testing strategy focuses resources and effort on the most important controls, and may generate opportunities for savings based on reduced overall testing effort.

*Note: Example for illustrative purposes only


Cost savings analysis*

The table below is an illustrative example for measuring the reduced effort that may result from implementing a risk-based testing strategy.

| Risk Category | High Risk | Medium Risk | Low Risk | Risk-Based Approach (overall) | Original Approach | Impact (Savings) |
|---|---|---|---|---|---|---|
| # of Controls Events | 800 | 500 | 400 | 1,700 | 1,700 | |
| Avg Hrs/Control | 10 hrs | 6 hrs | 3 hrs | 7 hrs | 9.5 hrs | |
| Total time spent | 8,000 hrs | 3,000 hrs | 1,200 hrs | 12,200 hrs | 15,300 hrs | (20%) |

*Note: Example for illustrative purposes only and does not imply likely savings or results


The Next Wave of Green IT

IT’s role in the future of enterprise sustainability


Overview

• Research program to explore senior finance and IT executives’ views on how companies around the world are changing their IT practices in an effort to save money, improve performance, and lessen their impact on the physical environment.

• Respondents came from North America (56%), Europe (28%), and Asia (16%)

• All industries were included, encompassing companies of sizes from $200M to $10B+

• Primary benefits fall into three buckets:

– Environmental (less pollution, lower carbon emissions, less toxic waste)

– Operating (lower costs, higher efficiency, lower risk)

– Promotional (brand awareness, public relations, environmental)


Discussion Question

• In your table groups, discuss what your companies are doing from a greening perspective; specifically around IT.

• Discuss Internal Audit’s involvement.


General Statistics

• More than 9 out of 10 companies have made “incremental” or “aggressive” efforts to reduce their impact on the environment

• Many companies have at least basic programs in place for green IT and the funding to support these
  – Nearly 60% of the respondents say their company has at least 5% of its IT budget set aside for greening efforts and 35% say their company has allocated 15% or more to green IT

• Two-thirds of respondents say their company has a formal program in place for measuring, monitoring, and improving its environmental performance


Barriers

• Lack of information and trusted practices for improving IT’s environmental performance (44%)

• Inability to build a sound business case for green IT investments (42%)

• Shortage of capital and well-qualified, green IT talent (41%)


New Metrics, Incentives, and Influences

• 67% of respondents stated their company has a formal program for measuring, monitoring, and improving its environmental performance

• When asked “Has your company conducted a formal evaluation of the environmental impact of its business activities in the last two years?”, respondents said:
  – Yes, an evaluation has been completed (39%)
  – Yes, an evaluation is currently under way (36%)
  – No, we haven’t formally initiated this (25%)

• Most common metrics:
  – Total power consumption
  – Power usage effectiveness/data center infrastructure efficiency
  – Carbon dioxide production


Risk Management and Performance Improvement


Examples of IT Efforts

• Energy efficient hardware
• Shared software resources
• Virtualized server architecture
• Smaller data center footprints – IT infrastructure within data centers
• Printers, copiers, and fax machines
• Mobile devices and wireless computers
• Hardware recycling, disposal and decommissioning


End-User Applications

• End user applications focused on productivity are most likely green IT investment candidates:
  – Videoconferencing
  – Online collaboration technology
  – Enhanced/Alternative cooling technology
  – Energy management software applications for servers and PCs
  – Server virtualization
  – Mobile devices


Company Examples

• Intel took the heat its servers produced and redirected it to warm its cafeteria and restroom water supply.

• Approval forms for the FDA – fast tracked when submitted electronically; save paper, ink, physical storage requirements

• Wells Fargo addresses the power management of its servers which leads to significant cooling efficiency gains and improvement of electrical distribution within the data centers to reduce power consumption


Next Steps

• Determining what efforts your company currently has in place and your executives’ appetites for greening

• Establishing a baseline measurement of current sustainability performance that is satisfactory for both IT and finance

• Aligning the company’s tax strategy with its sustainable strategy and green investments

• Evaluating IT’s part in these efforts; from capabilities of the systems to measure, monitor, and report to what IT can do to increase the effort