Internal Audit and IT's Role In A Down Economy
Devin Amato & Heidi Zenger
Deloitte Enterprise Risk Services
Kansas City ISACA
February 12, 2009
2Copyright © 2009 Deloitte Development LLC. All rights reserved.
Topics
Contract Risk & Compliance
Renewed focus on Data Mining
Controls Rationalization
The Next Wave of Green IT
Contract Risk & Compliance
What is Contract Risk & Compliance (CRC)?
Contract Risk & Compliance helps organizations optimize the performance of strategic business relationships by promoting the integrity and reliability of the contracts that underlie those relationships.
• Impacts profits by reclaiming contractual revenue
• Reduces risk by improving processes and controls
The Extended Enterprise: Contractual Obligations and Business Processes
• Outsourcing on/off shore, licensing IP, grants, JVs, alliances
• Exposure to brand or reputation risk
• Revenue leakage, unauthorized product distribution, licensing of IP
• Paying for potentially unwarranted variable costs: complicated, cost-plus contracts such as advertising
Diagram: the company sits at the center of its extended enterprise, with contractual relationships to suppliers, licensees, joint ventures, distributors, customers, agents, franchisees and affiliates.
The Extended Enterprise: Contractual Obligations and Business Processes (by relationship type)
• Consultative (internal): contract management, MFN/MFC, sales & marketing, outsourcing, strategic, procurement
• Supply-side partners: advertising, Internet, manufacturer (costing), MFN/MFC, benefits, outsourcing (IT, call center), warranty, construction, leasing, telecom
• Joint ventures / alliances: revenue sharing / cost sharing (development), profit sharing
• Demand-side partners: distributor (includes inventory price protection), dealer/reseller, OEM, franchise, Internet, warranty, replicator, end user
• Royalty / brand: IP, telecom, subscriber, policy adherence, quality, CSR
Industries represented across these relationship types: health care, financial services, real estate, manufacturing and consumer business.
Process overview
Discussion Question
• In your table groups, discuss what types of contracts exist at your company. Who is managing these?
• Discuss Internal Audit’s involvement.
Renewed focus on Data Mining
A Foundation for Managing Risk
Does an economic downturn mean an uptick in fraud?
• Nearly two-thirds (63.3 percent) of executives surveyed expect accounting fraud to increase during the next two years.
• Data from the National White Collar Crime Center shows a spike in arrests for fraud and embezzlement during the two most recent recessions:
  – Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years;
  – Following the Internet bust in 2000, arrests jumped 25% in the following two years.1
1 "Experts Say Fraud Likely to Rise," Business Week, January 9, 2009
Fraud factors
• Three common factors drive fraudulent activity
• How has the economy impacted these factors in your organization?
A closer look
• Financial pressure
  – Corporate: short-term performance goals, earnings expectations, revenue forecasts, financial ratios tied to debt covenants, aggressive accounting practices and applications
  – Personal: an increase in asset misappropriation schemes, including skimming, check tampering and expense reimbursement fraud
• Opportunity
  – Downsizing; re-prioritization toward revenue that reduces the focus on internal controls; reduced segregation of duties (SOD); increased workloads and inexperience
• Rationalization
  – If employees suspect they may be let go, they may rationalize: "What do I have to lose?"
  – As corporate revenues decline, management may rationalize fraudulent activity, believing it serves the best interests of the company, its employees and its shareholders.
Example risks and data mining procedures
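As an added example written for this page (it is not code from the deck), here are three data-mining procedures an internal auditor can run over an accounts-payable and expense-reimbursement extract to surface the asset-misappropriation and reduced-SOD risks listed under the fraud factors: duplicate expense claims, documents entered and approved by the same user, and same-day invoices split to stay under an approval limit. The record layout, the 5,000 approval limit and every sample row are constructed for the example.

```python
# Added example for this page (not code from the Deloitte deck): three
# data-mining procedures an internal auditor can run over an accounts-payable
# and expense-reimbursement extract to surface the asset-misappropriation and
# reduced-segregation-of-duties (SOD) risks listed in the fraud factors above.
# The record layout, the approval limit and every sample row are constructed.
from collections import defaultdict, namedtuple

Row = namedtuple("Row", "doc_id kind payee amount doc_date entered_by approved_by")

APPROVAL_LIMIT = 5_000  # assumed limit above which an invoice needs a second approver

# Constructed sample extract (ISO dates so plain string comparison orders them).
SAMPLE_ROWS = [
    Row("P1", "invoice", "Acme Supply",   4_900.00, "2009-01-14", "jsmith",   "mlee"),
    Row("P2", "invoice", "Acme Supply",   4_800.00, "2009-01-14", "jsmith",   "mlee"),
    Row("P3", "invoice", "Acme Supply",   4_950.00, "2009-01-14", "jsmith",   "mlee"),
    Row("P4", "invoice", "Beta Telecom", 12_000.00, "2009-01-20", "rkhan",    "rkhan"),
    Row("E1", "expense", "emp-1042",        312.40, "2009-02-02", "emp-1042", "dwong"),
    Row("E2", "expense", "emp-1042",        312.40, "2009-02-02", "emp-1042", "dwong"),
    Row("E3", "expense", "emp-1077",         88.00, "2009-02-03", "emp-1077", "dwong"),
    Row("P5", "invoice", "Gamma Print",   1_200.00, "2009-02-05", "jsmith",   "mlee"),
]


def duplicate_reimbursements(rows):
    """Expense reimbursement fraud: the same employee claims the same amount on
    the same date more than once. Returns the lists of colliding document IDs."""
    claims = defaultdict(list)
    for r in rows:
        if r.kind == "expense":
            claims[(r.payee, r.amount, r.doc_date)].append(r.doc_id)
    return [ids for ids in claims.values() if len(ids) > 1]


def sod_conflicts(rows):
    """Reduced SOD: one user both entered and approved a document. After
    downsizing this is often the first control that quietly disappears."""
    return [r.doc_id for r in rows if r.entered_by == r.approved_by]


def split_payments(rows, limit=APPROVAL_LIMIT):
    """Structuring: several same-day invoices to one payee, each under the
    single-approver limit, that together exceed it. Returns
    {(payee, date): [doc_ids]} for every group that trips the test."""
    groups = defaultdict(list)
    for r in rows:
        if r.kind == "invoice" and r.amount < limit:
            groups[(r.payee, r.doc_date)].append(r)
    return {
        key: [r.doc_id for r in group]
        for key, group in groups.items()
        if len(group) > 1 and sum(r.amount for r in group) > limit
    }


def run_procedures(rows):
    """Run all three tests and return the findings keyed by procedure name."""
    return {
        "duplicate_reimbursements": duplicate_reimbursements(rows),
        "sod_conflicts": sod_conflicts(rows),
        "split_payments": split_payments(rows),
    }


if __name__ == "__main__":
    for name, findings in run_procedures(SAMPLE_ROWS).items():
        print(f"{name}: {findings}")
```

Run it with the real AP and T&E extract in place of SAMPLE_ROWS. The split-payment test is the one to tune: a limit set too low floods it with legitimate same-day invoices, and an SOD hit should be read alongside the user's role assignments to tell a reduced-SOD symptom from a data-entry workaround.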
Controls Rationalization
Under Pressure: What's the problem with general computer controls?
The following factors appear to remain at play at some companies:
• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls and technologies may vary
• Companies are not applying IT control frameworks in a manner that leverages IT-related company-level controls
• Companies are not capitalizing on automated controls
Discussion Question
• In your table groups, discuss what your company is doing, or has done, to rationalize controls across the enterprise.
• Discuss Internal Audit’s involvement.
Challenges and Opportunities
Definition - Control Rationalization
Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.
Point of View: Guiding Principles
• Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.
• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.
• Control rationalization is a multi-year, continuous effort, which should be integrated into the company's operations.
• Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.
Solution
Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges.
Working Toward a Lean and Balanced Control Design
Areas of focus: rationalize; risk-based approach; improve effectiveness; reduce costs.
Using a risk-based control rationalization approach, companies can enhance the efficiency and effectiveness of their compliance program by refining their testing approaches and improving their design of controls, emphasizing efforts on higher-risk areas while reducing costs associated with lower-level risks.
(Illustrative example: current-state versus future-state mix of controls by category)
Current state: Category 1 5%, Category 2 15%, Category 3 80%
Future state model (effective & efficient): Category 1 50%, Category 2 35%, Category 3 15%
Examples:
Category 1: company-level controls (e.g., control environment, period-end financial reporting, anti-fraud programs)
Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas
Category 3: controls over routine, transactional processing
Control Rationalization – Phased Approach
1. Perform IT Risk Assessment. Outcomes: documented financial data flow diagrams; documented system risk assessment; documented relevant applications and platforms (risk rated)
2. Evaluate GCC Areas and Control Objectives. Outcomes: documented assessment of GCC risk ratings; documented assessment of control objective risk ratings; documented IT company-level controls; documented IT risk-rating approach
3. Rationalize Controls. Outcome: revised IT control matrix with risk-ratings and rationale
4. Develop Risk-Based Testing Approach. Outcomes: documented risk-based testing strategy; cost savings analysis
Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls: Overview
General computer control rationalization, step by step (what each step keeps in scope and what it moves out of scope):
1. Perform IT risk assessment (identify relevant applications, platforms). Out of scope: non-relevant IT applications and platforms.
2. Evaluate GCC areas and confirm the relevance and risk-rating of GCC control objectives, based on their relevance to financial reporting objectives and the risk-rating of the associated major classes of transactions. Out of scope: non-relevant control objectives.
3. Evaluate GCCs for effective and efficient testing.* Out of scope: unnecessary controls, removed from the testing scope.
4. Develop a risk-based testing approach for GCCs. Result: a re-designed, lean and balanced testing approach (the nature, timing and extent of testing by risk-rating category are set out in the step 4 table below).
*Efficiency evaluation criteria
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test the process for granting access before testing password settings)
• Prioritize controls addressing multiple risks
NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs or an inadequate testing approach for GCCs will preclude management from being able to derive the benefits of 'benchmarking' the testing of automated controls.
Perform IT Risk Assessment: Develop risk profile (step 1)
Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput) and qualitative (e.g., system risks) factors.
Chart: each system is plotted by Inherent Risk (L / M / H, from the qualitative factors) against Financial Impact (the dollar throughput of the business process data flowing through the IT systems).
Example risk factors include:
– Number of users
– Complexity of system configuration / embedded business logic
– Number / complexity of data interfaces
– Frequency of configuration parameter changes
– Extent of system customizations
– Level of centralization of the IT function
– Age of system
– Extent of business process control automation
Risk-Based Approach for GCCs: Risk rate GCC areas (step 2)
The illustration below depicts a sample company's IT risk prioritization for general computer control categories. COSO defines general computer controls as, "Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance."
General Computer Control Category | Examples of Qualitative Factors (risk evaluation considerations) | Risk Ranking | Example Procedures
Application System Development & Maintenance | High volume of changes; application dependencies | H | Test all three levels
Information Security | High employee turnover; complex architecture | H | Test all three levels
Information Systems Operations | Mature monitoring processes; automated tools | M | Test predominantly IT company-level and process-level controls
Systems Software Support | Homogenous environment; automated tools | L | Test predominantly IT company-level controls
NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company's environment. Also, only selected GCC areas have been included in the example. Illustrative purposes only.
Risk-Based Approach for GCCs: Rationalize controls (step 3)
After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.
Control Objective #1 – Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management's intentions.
Control | Description | Rationalization decision
CL01 | The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5) | Not evaluated: the organization's SDLC has not changed in the fiscal year.
CL02 | An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1) | CL02 and CL03 are redundant in nature; only one of the two will be evaluated.
CL03 | A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4) | See CL02.
CL04 | The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10) | Evaluated.
PL01 | Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1) | Not evaluated: redundant in nature, since test results are approved by users at a later point in the SDLC process.
PL02 | A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8) | Evaluated.
For this example, the three controls that remain (CL04, PL02 and one of CL02/CL03) will be assessed, which represents a 50% reduction in testing.
Risk-Based Approach for GCCs: Develop risk-based testing (step 4)
Alter the nature, timing and extent of control testing based on the control objective risk-ratings.
Risk-Rating Category | Sample Size | Evidence | Timing | Testing Owner
High | Increased sample sizes | No change | No change | SOX PMO and Internal Audit
Medium | Reduced sample sizes | No change | No change | No change
Low | Reduced sample sizes | Management self-assessments | Test 1/3 of processes each year (rotation) | Management
A risk-based testing strategy focuses resources and effort on the most important controls, and may generate opportunities for savings based on reduced overall testing effort.
*Note: Example for illustrative purposes only
Cost savings analysis*
The table below is an illustrative example for measuring the reduced effort that may result from implementing a risk-based testing strategy.
Risk Category | High Risk | Medium Risk | Low Risk | Risk-Based Approach | Original Approach | Impact (Savings)
# of control events | 800 | 500 | 400 | 1,700 | 1,700 |
Avg hrs/control | 10 hrs | 6 hrs | 3 hrs | 7 hrs | 9.5 hrs |
Total time spent | 8,000 hrs | 3,000 hrs | 1,200 hrs | 12,200 hrs | 15,300 hrs | (20%)
The risk-based column reconciles (8,000 + 3,000 + 1,200 = 12,200 hrs, or 7.2 hrs per control event), but the original-approach column does not: 1,700 control events at 9.5 hrs is 16,150 hrs. The 15,300-hr total and the 20% saving (12,200 / 15,300 = 80%) correspond to 9 hrs per control event.
*Note: Example for illustrative purposes only and does not imply likely savings or results
The Next Wave of Green IT
IT’s role in the future of enterprise sustainability
Overview
• Research program to explore senior finance and IT executives’ views on how companies around the world are changing their IT practices in an effort to save money, improve performance, and lessen their impact on the physical environment.
• Respondents came from North America (56%), Europe (28%) and Asia (16%)
• All industries were included, encompassing companies from $200M to $10B+ in size
• Primary benefits fall into three buckets:
– Environmental (less pollution, lower carbon emissions, less toxic waste)
– Operating (lower costs, higher efficiency, lower risk)
– Promotional (brand awareness, public relations, environmental)
Discussion Question
• In your table groups, discuss what your companies are doing from a greening perspective; specifically around IT.
• Discuss Internal Audit’s involvement.
General Statistics
• More than 9 out of 10 companies have made “incremental” or “aggressive” efforts to reduce their impact on the environment
• Many companies have at least basic programs in place for green IT and the funding to support them
  – Nearly 60% of respondents say their company has at least 5% of its IT budget set aside for greening efforts, and 35% say their company has allocated 15% or more to green IT
• Two-thirds of respondents say their company has a formal program in place for measuring, monitoring, and improving its environmental performance
Barriers
• Lack of information and trusted practices for improving IT’s environmental performance (44%)
• Inability to build a sound business case for green IT investments (42%)
• Shortage of capital and well-qualified, green IT talent (41%)
New Metrics, Incentives, and Influences
• 67% of respondents stated their company has a formal program for measuring, monitoring, and improving its environmental performance
• When asked "Has your company conducted a formal evaluation of the environmental impact of its business activities in the last two years?", respondents said:
  – Yes, an evaluation has been completed (39%)
  – Yes, an evaluation is currently under way (36%)
  – No, we haven't formally initiated this (25%)
• Most common metrics:
  – Total power consumption
  – Power usage effectiveness / data center infrastructure efficiency
  – Carbon dioxide production
Risk Management and Performance Improvement
Examples of IT Efforts
• Energy-efficient hardware
• Shared software resources
• Virtualized server architecture
• Smaller data center footprints (IT infrastructure within data centers)
• Printers, copiers and fax machines
• Mobile devices and wireless computers
• Hardware recycling, disposal and decommissioning
End-User Applications
• End-user applications focused on productivity are the most likely green IT investment candidates:
  – Videoconferencing
  – Online collaboration technology
  – Enhanced/alternative cooling technology
  – Energy management software applications for servers and PCs
  – Server virtualization
  – Mobile devices
Company Examples
• Intel captured the heat its servers produced and redirected it to warm its cafeteria and restroom water supply.
• FDA approval forms are fast-tracked when submitted electronically, saving paper, ink and physical storage.
• Wells Fargo addressed the power management of its servers, which led to significant cooling-efficiency gains, and improved the electrical distribution within its data centers to reduce power consumption.
Next Steps
• Determining what efforts your company currently has in place and your executives' appetite for greening
• Establishing a baseline measurement of current sustainability performance that is satisfactory for both IT and finance
• Aligning the company’s tax strategy with its sustainable strategy and green investments
• Evaluating IT’s part in these efforts; from capabilities of the systems to measure, monitor, and report to what IT can do to increase the effort