Post on 26-Dec-2015
Agenda: Introduction; Comments; Regulation / Guidance; Internal Controls; COSO; A-123; SAS 55; Yellow Book; SAS 112
“Over 800 pages of statutory text govern the daily decisions of Federal managers …”
Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (June 22, 2005)
“Internal controls are the checks and balances that help managers detect and prevent problems. They can be as simple as computer passwords or having a manager sign off on a time sheet, or as complex as installing software to track spending and detect spikes that signal trouble.
Internal controls provide a foundation for accountability; and, while they are important in the private sector, sound controls are imperative in government. Public trust depends on nothing less.”
Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (February 16, 2005)
“Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government’s own financial reporting problems, have resulted in an increased focus on management’s responsibility for internal control.”
February 2005, Subcommittee on Government Management, Finance, and Accountability
“Government should lead by example. We should be as good or better than those we are regulating.”
David Walker, Comptroller General to Congress (CFO Magazine, June 2003)
“The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal assessments with other internal control-related activities.”
Linda Springer, Controller, Office of Management and Budget (December 21, 2004)
Internal controls have been talked about for almost 60 years.
• Budget & Accounting Procedures Act of 1950
• Inspector General Act of 1978, as amended
• OMB A-123 Management’s Responsibility for Internal Control (1981)
• Federal Managers Financial Integrity Act of 1982
• OMB A-50 Audit Follow Up (1982)
• GAO Green Book (1983)
• CFO Act of 1990 – financial statement audits for approximately 225 agencies
• Government Performance and Results Act of 1993
• Government Management Reform Act of 1994
• OMB A-123 Management’s Responsibility for Internal Control revised (1995)
• Federal Financial Management Improvement Act of 1996
• Clinger-Cohen Act of 1996
• GAO Green Book revised (1999)
• Reports Consolidation Act of 2000
• OMB Bulletin 01-02 Audit Requirements for Federal Financial Statements (2000)
• Federal Information Security Management Act of 2002 – includes PIA
• Improper Payments Information Act of 2002
• Accountability of Tax Dollars Act of 2002 – another 78 agencies must have financial statement audits
• OMB A-123 Management’s Responsibility for Internal Control revised (2004)
• OMB A-136 Financial Reporting Requirements (2004)
Where and why do we have to follow NIST standards?
• NIST 800-18 Security Plans
• NIST 800-30 Risk Assessments
• NIST 800-34 Contingency Planning
• NIST 800-37 Certification and Accreditation
• NIST 800-47 Interconnected Systems
• NIST 800-50 Security Awareness
• NIST 800-53a Controls (low, moderate, and high)
• NIST 800-60 Control categories
• NIST FIPS 199 Security Categorization
• OMB M 06-16
OMB A-123 Authority: Federal Managers’ Financial Integrity Act of 1982, as codified in 31 U.S.C. 3512, which references A-123 to provide guidance on how to implement it.
“Agencies and individual Federal managers must take systematic and proactive measures to:”
1. Develop internal control oriented management.
2. Assess the adequacy of internal control in programs and operations.
3. Separately assess and document internal control.
4. Identify needed improvements.
5. Take corrective action.
6. Report annually through management assurance statements.
Source: A-123 Revised dated December 21, 2004.
A-123 makes references to a host of other regulations to follow such as:
• FISMA
• IPIA
• GPRA
• CFO Act
What are internal controls?
1. Compliance with Laws and Regulations.
2. Reliability of Financial Data.
3. Effectiveness and Efficiency of operations.
The above is mentioned everywhere (e.g. CFOC A-123 Implementation Guide, many SASs, A-123, Green Book, etc.)
A-123 Applicability:
• Compliance with A-123 AND Appendix A: agencies listed within the CFO Act of 1990, as amended by the Government Management Reform Act of 1994 (cited in OMB Circular A-136). (About 225 agencies)
• Compliance with A-123 (NOT Appendix A): executive agencies, as well as independent agencies and government corporations within the executive branches of the Federal government.
COSO’s influence on the industry:
National Commission on Fraudulent Financial Reporting (Treadway Commission) was formed in 1985 from the following 5 organizations:
• FEI – Financial Executives International
• AAA – American Accounting Association
• AICPA – American Institute of CPAs
• IIA – Institute of Internal Auditors
• IMA – Institute of Management Accountants
COSO’s influence on the industry:
In 1987, the Treadway Commission issued the Report of the National Commission on Fraudulent Financial Reporting, which emphasized:
• Importance of control environment
• Codes of conduct
• Competent and involved audit committees
• Active and objective internal audit function
COSO’s influence on the industry:
In September 1992, COSO issued the Internal Control Integrated Framework.
Control Environment – tone of the organization
Risk Assessment – assessing the risks of the organization
Control Activities – policies and procedures
Information and Communication – timely communication throughout the organization
Monitoring – quality control over a period of time
COSO’s influence on the industry:
In September 2004, COSO issued the Enterprise Risk Management – Integrated Framework (ERM).
SAS 55
SAS 55.02: “In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.”
SAS 55
SAS 55.04: “Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient.”
Remember: SAS 103 – 112 now come into play.
Yellow Book: standards comparison

                      General Standards   Fieldwork Standards    Reporting Standards
                      (chapter 3)         (chapter 4)            (chapter 5)
GAAS (AICPA)          X                   X
SAS (AICPA)           X                   X
GAGAS (Yellow Book)   X                   X (in addition         X (in addition
                                          to AICPA)              to AICPA)

Note: Yellow Book (GAGAS) engagements are subjected to additional AICPA standards for both fieldwork and reporting aspects.
SAS 112
SAS 112 ¶1: “It is applicable whenever an auditor expresses an opinion on financial statements.”
“Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.”
SAS 112 ¶5 – 6: deficiency classification

Deficiency Type          Likelihood          Magnitude
Control Deficiency       Remote              Inconsequential
Significant Deficiency   More than remote    More than inconsequential
Material Weakness        More than remote    Material
SAS 112
SAS 112 ¶9: “The auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses.
The significance of a control deficiency depends on the potential for a misstatement, not on whether a misstatement actually has occurred.
Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant or material weaknesses.”
SAS 112
SAS 112 ¶13: “Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.”
SAS 112
SAS 112 ¶14: “… the auditor also should evaluate the possible mitigating effects of effective compensating controls …”
“Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.”
SAS 112
SAS 112 ¶18: “Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:
• Controls over the selection and application of accounting principles;
• Antifraud programs and controls;
• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.”
SAS 112
SAS 112 ¶19: Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance;
• Restatement of previously issued financial statements to reflect the correction of a material misstatement;
• Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control;
• An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities.
SAS 112
SAS 112 ¶19 (continued): Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
• For complex entities in highly regulated industries, an ineffective regulatory compliance function;
• Identification of fraud of any magnitude on the part of senior management;
• Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected;
• An ineffective control environment.
SAS 112
SAS 112 ¶32: The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
• Inadequate design of internal control over a significant account or process;
• Inadequate documentation of internal control;
• Insufficient control consciousness within the organization;
• Absent or inadequate segregation of duties;
• Absent or inadequate controls over safeguarding of assets;
• Inadequate design of IT general and application controls;
• Employees or management who lack qualifications and training;
• Inadequate design of monitoring controls; and
• Absence of internal process for reporting deficiencies.
SAS 112
SAS 112 ¶32 (continued): The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
• Failure in the operation of effectively designed controls (e.g. dual authorization);
• Failure to perform reconciliations of significant accounts;
• Undue biases on the part of management;
• Management override of controls.
Internal Controls
What is Risk?
RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one’s objectives.
To assess risk, the following process is used:
1. Identify the Risks
2. Source the Risks
3. Prioritize the Risks
What is Internal Control?
Internal Control = Risk Mitigation
Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
• Alarm Clock: designed to prevent oversleeping. What are the risks?
• Speed Limits: designed to prevent aggressive driving. What are the risks?
• Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?
What is Internal Control in an Organization?
Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
• Effectiveness & Efficiency of Operations – relates to an entity’s basic business objectives, including performance goals and safeguarding of an entity’s resources.
• Reliability of Financial Reporting – relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e. budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
• Compliance with Laws & Regulations – relates to complying with those laws and regulations to which the entity is subject.
What are the Benefits of Good Internal Control?
• Identification and elimination of waste, fraud and abuse
• Reduction of improper or erroneous payments
• Enhanced understanding of risk exposure
• Sustained performance, efficiency and effectiveness
• Reduced level of effort for financial management system implementation or audit
• Improved policies and procedures
• Streamlined processes
• Clear definition of process ownership
• Greater accountability
• Enhanced audit readiness and internal control attestation readiness
• Compliance with laws & regulations
Office of Management and Budget (OMB) and Congressional Oversight
The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch.
Internal control is an integral part of tools currently being used by OMB and Congress to monitor federal Agencies:
• Performance and Accountability Report (PAR) – contains the Secretary’s assurance statement on internal and financial management controls
• Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results
• President’s Management Agenda (PMA) – aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a “scorecard”
Internal Control Policy
Legislative / Regulatory Authorities and their Internal Control Requirements:
• Federal Managers’ Financial Integrity Act (FMFIA) of 1982 – requires that agency CFOs develop and maintain an integrated system of internal controls and requires GAO to issue internal control standards
• Federal Financial Management Improvement Act of 1996 (FFMIA) – requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements
• Federal Information Security Management Act of 2002 (FISMA) – requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB
• Improper Payments Information Act of 2002 (IPIA) – provides for estimates and reports of improper payments by Federal agencies
• CFO Act of 1990 – requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system
• Government Performance and Results Act of 1993 (GPRA) – requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals
• Inspector General Act of 1978 – requires IGs to report on internal controls when conducting a performance audit
• OMB Circular A-123 – requires monitoring and improvement of internal controls associated with programs
• OMB Circular A-127 – outlines requirements for FM system controls
• OMB Circular A-130 – establishes the policy for the management of Federal information resources
OMB Circular A-123
• Issued under authority of FMFIA; entitled, “Management Accountability and Control”
• Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
• Requires annual reporting on the effectiveness of management controls
• Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA
Revised OMB Circular A-123
• Circular A-123 was revised in December 2004
• Renamed “Management’s Responsibility for Internal Control”
• Changes developed by Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)
• Adopts certain concepts from the Sarbanes-Oxley Act of 2002
• Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”
• Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)
Overview of Revised Circular OMB A-123
The Revised Circular A-123 includes the following Appendices:
• Appendix A – Internal Control over Financial Reporting
• Appendix B – Improving Management of Government Charge Card Programs (revised Appendix B issued April 2006)
  - Increases frequency of review and scope of spending and transaction limits
  - Limits authorization and blocks card use for “high risk merchant category codes”
• Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)
  - Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments and obtaining a statistically valid estimate of the annual amount of improper payments
  - Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them
Revised OMB Circular A-123, Appendix A Requirements
OMB Circular A-123, Appendix A requires Agencies to:
• ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
• ESTABLISH a governance structure
• DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30
  - This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
• TEST the operating effectiveness of internal controls
Revised OMB Circular A-123, Appendix A Requirements (continued)
• INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
• SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying effectiveness of internal control within the Agency
  - Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15
• CORRECT deficiencies in internal control over financial reporting
  - Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies
Internal Control over Financial Reporting
• Internal control over financial reporting is a process designed to provide reasonable assurance regarding reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting.
• Internal control over a complete process involves controls at every step of the process, including controls over transaction initiation, maintenance of records, recording of transactions, and final reporting.
• Internal control over financial reporting also includes entity level controls, information technology controls, and operational and compliance controls.
• The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting.
Management Responsibilities
Management is responsible for establishing and maintaining internal control and documentation. Management must:
• consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework’s five components)
• develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
• maintain up-to-date controls documentation on an on-going basis
• provide a certification Statement related to the adequacy of controls (signed by the Secretary)
Manual versus Automated Controls
Controls may be either:
• Manual – implemented through human action. Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
• Automated – implemented through system action. Example: Users must have a valid user id and password to access a system
Detective versus Preventative Controls
Controls may be either:
• Detective – provide evidence that an error or exception has occurred. Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls
• Preventative – are proactive in that they attempt to deter or prevent undesirable events from occurring. Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls
Control Activities Specific for Information Systems
There are two types of Information System Controls:
General Computer Controls (GCCs): Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization’s information technology infrastructure.
Application Controls: Controls that cover the processing of data within an application or computer program.
OMB Circular A-123 states, “general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing.”
Control Activities Specific for Information Systems: General Computer Controls
General Computer Controls should be designed to ensure that:
• The overall IT environment is well-controlled
• The IT organization is fit for its purpose, and there is proper management control over information systems
• Critical processing can be restored timely in the event of a prolonged outage (data / systems are backed up)
• New applications and changes to existing applications are properly authorized and only approved modifications are moved to the production environment
• Physical and logical security controls restrict access to data, systems and sensitive facilities
Control Activities Specific for Information Systems: General Computer Controls (continued)
Examples of General Computer Controls include:
• Monitoring of Adherence to Entity-wide Security Program
• Data Processing Policies and Procedures
• Continuity of Operations Plan (COOP)
• Regularly Scheduled and Documented Change Control Board Meetings
• Properly Completed and Maintained Access Request Forms
What must be assessed?
• Security Planning and Management
• Change Control
• Segregation of Duties
• Access Controls
• Service Continuity
• System Software
Control Activities Specific for Information Systems: Application Controls
Examples of Application Controls include:
• Automated controls built into the application (computerized edit checks and required passwords)
• Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)
What must be assessed?
• Input Controls (access restrictions, validity checking, source documents)
• Processing Controls (integrity controls, error messages, job scheduling)
• Output Controls (report generation and distribution, manual review of reports for obvious errors)
Entity Level Controls
Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies.
Responsibility: Entity Level Controls are assessed at both the agency and department level.
Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore the assessment of entity-level controls is essential to the overall evaluation of controls.
Assessing Risk
What is meant by Assessing Risk?
Assess: to determine the importance, size, or value of
Risk: a state of uncertainty where, if specific events or conditions occur, there exists a possibility of an undesirable outcome.
Key Terms
• Confidentiality
• Integrity
• Availability
• Issue
• Exception
• Negligible Exception
• Isolated Incident
• Control Deficiency
• Significant Deficiency
• Material Weakness
FISMA
The Federal Information Security Management Act (FISMA), established in December 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
A-123 Appendix A
A-123 Appendix A was added in December 2004 to incorporate Sarbanes-Oxley Section 404 principles into federal financial management. The revision deals primarily with internal controls over financial reporting. A-123 Appendix A became effective FY 2006.
FISMA and A-123 Appendix A: involvement with assessing risk
• In order to maintain a secure environment for information and information systems under FISMA, a well established set of internal controls should be developed and executed.
• FISMA internal controls incorporate the financial internal controls designed by A-123 Appendix A.
• A necessary element in maintaining a set of internal controls is performing risk assessments.
[Diagram: FISMA Compliance rests on NIST 800-53 Controls; the A-123 Appendix A Assurance Statement rests on Financial Reporting Controls, which are shown under both.]
Vulnerability Definition: open to attack or damage
Vulnerability is defined as “a weakness or shortfall in a system that reduces the system’s ability to protect system assets. The vulnerability can be caused by the absence of a needed security feature, by some inadequacy in the functioning of an existing security feature”.
Threat Definition: an indication of something impending
Threat is defined as “an unwanted event or attack against an IS asset … (that) exploits a vulnerability and is carried out by a threat agent, such as an insider, intruder, hostile intelligence service, or terrorist.”
Significance Definition: the quality of being important
Significance is defined as “the magnitude of consequence or quantification of the damage that may be done if a threat is carried out and an unwanted event occurs.”
Household Example: Backyard Pool
• Objective: Keep child alive
• Threat: Child may drown in backyard pool
• Vulnerability: Pool gate does not have a lock, child cannot swim, child is exploratory
• Significance: Loss of a loved one
• POAM: Teach the child to swim / add lock
General Overview
Assessing Risk is more than just an annual process; it is continually evolving as the company changes on a day to day basis.
How does the scenario and risk rating change under the following conditions?
• Multiple children
• Children are all over the age of 15
• House is located 50 miles from neighbors
• No children within the house
• 3 children under the age of 7
Changes in the environment change the Risk situation.
Limited resources – POAM
How do we accomplish the control objective when we have limited resources? Resource limitation could include:
• Cost to complete
• Time available
• Number of people required to accomplish the objective
• Availability of resources
Requires prioritization to use the resources effectively.
Security Objective by level of deficiency (Control Deficiency / Significant Deficiency / Material Weakness):

Confidentiality
• Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent the unauthorized disclosure of sensitive information.
• Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect sensitive information, such that there is more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a serious adverse effect.
• Material Weakness: Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a severe or catastrophic adverse effect.

Integrity
• Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements of data (both financial and non-financial data) on a timely basis.
• Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to initiate, authorize, record, process, or report data (both financial and non-financial data) reliably, such that there is more than a remote likelihood that a misstatement of the entity’s reports (both financial and non-financial reports) that is more than inconsequential will not be prevented or detected.
• Material Weakness: Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood that a material misstatement of the entity’s reports (both financial and non-financial reports) will not be prevented or detected.

Availability
• Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to protect the availability of critical information resources and continuity of operations.
• Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity’s operations that could be expected to have a serious adverse effect.
• Material Weakness: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity’s operations that could be expected to have a severe or catastrophic adverse effect.
Issue Handling: Gauging the Problem
[Diagram: Issues → Exceptions → Assessing Risk Framework → Level of Deficiency (CD, SD, MW).]

A Day in the Life of a Deficiency
[Diagram: Issue Identified → Identify/Verify → Assess Likelihood and Magnitude → Mitigating Controls → Deficiency Evaluation → Aggregation → POA&M Creation → Remediation → Deficiency Remediated. The evaluation steps in the middle are grouped as “Framework Evaluation”.]
Identify and Verify (covered in Test Procedure Training)
Identify and Verify Once an issue has been identified, the
following should be performed:
Speak with the control owner. Determine whether the correct understanding was
obtained. Determine whether there is any other evidence of the
control.
If the issue still exists, confirm with management that it is a true exception.
Defining Exceptions: Exceptions are deviations from the predefined expectations of the control activity statements. Exceptions can be found when assessing the design of the control activities, or when performing operating effectiveness testing of the control.
An exception may be detected, or a control may not operate as expected, for a number of reasons: the person who normally performs the control was absent for a period of time, or the control may have broken down.
If the person who normally performs the work was absent, or the control broke down for other reasons, the individual evaluating this control should attempt to identify any additional Redundant Controls that might be in place to help achieve the objective.
Defining Exceptions (cont.): Consider whether or not the identified exception is an isolated incident, and therefore a negligible exception.
Consider whether the exception is within the tolerable deviation rate (the deviation-rate approach applies only to controls that operate at least daily).
Tolerable deviation: the number of exceptions the auditor will permit in the population and still be willing to rely on the internal controls.
Redundant Controls: Redundant Controls (identified and tested) that operate effectively should be considered when evaluating an exception. Redundant Controls can be found in different control objectives or NIST controls, and help to eliminate the deficiency.
The identified Redundant Controls need to be tested, and be operating effectively, in order to be considered in the exception evaluation process.
Note: Redundant Controls can eliminate a control deficiency.
Identify and Verify, cont’d. Other Comments: Not all exceptions within testing will result in a deficiency. The key factor is whether the control objective, or NIST control, is met.
Evaluation requires professional judgment, considering: quantitative and qualitative factors; implications with regard to other controls.
Likelihood and Magnitude
Assessing Risk – Exception Risk: Evaluate the risk level of each deficiency that is identified.
The level of risk depends on:
Proximity of the deficiency to the actual data.
Likelihood – the chance that the deficiency could cause an undesirable outcome (driven by the vulnerability and the threat).
Magnitude – the size or extent of an undesirable outcome that may change or influence the judgment of a reasonable person (its significance).
The level of risk does not depend on whether an undesirable outcome has actually occurred, but rather on whether there is a reasonable possibility that the department/agency’s controls will fail to prevent or detect an undesirable outcome.
Likelihood: Threat (including the Threat Agent). Factors to weigh: capability; history; gain / motivation; whether the action is attributable; detectability.
Likelihood: Determine whether it is reasonably possible that the control, or combination of controls, will fail to prevent or detect an undesirable outcome. Determine the likelihood of an undesirable outcome, not the likelihood of a material undesirable outcome. An evaluation of likelihood can be made without quantifying the probability of the occurrence of an undesirable outcome.
Risk factors affecting likelihood: the subjectivity, complexity, or extent of judgment required to determine the amount involved; the interaction or relationship of the control with other controls, including whether they are interdependent or redundant; the possible future consequences of the deficiency.
Magnitude
Significance factors: loss of life; Top Secret/Secret; Confidential; privacy data; operations impact; equipment loss; data integrity / accuracy.
[Figure: where a deficiency sits, from closest to the data outward: Data Files / Databases; Application; Operating System; Network. IT general control areas: Program Development; Program Changes; Access to Programs & Data; Computer Operations; IT Control Environment.]
Compensating Controls
Definition: to cause to become less harsh or hostile. Compensating Controls are controls that operate at a level of precision that would reduce the potential impact of the deficiency to the organization.
Compensating Controls (identified and tested) that operate effectively should be considered when evaluating the level of a deficiency. Compensating Controls can be found in different control objectives or NIST controls, and help to decrease the severity of the deficiency.
The identified Compensating Controls need to be tested, and be operating effectively, in order to be considered in the deficiency evaluation process.
Note: Although Compensating Controls can reduce the severity of a control deficiency, they do not eliminate the control deficiency.
Example of Redundant vs. Compensating Controls
Control Activity: Application access is disabled within 5 days of a user’s termination.
Control Objective: Only authorized users can access application data.
Example of Redundant vs. Compensating Controls (cont.)
Control Activity: Application access is disabled within 5 days of a user’s termination.
Control Objective: Access Controls
Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building. (Collecting the badge limits physical access only; it does not by itself keep a terminated user away from application data, so it can compensate for a failure of the control activity but cannot eliminate the deficiency.)
Example of Redundant and Compensating Controls
Control Activity: Application access is disabled within 5 days of a user’s termination.
Control Objective: Access Controls
Mitigating Control: Network access is disabled based on notification from HR of termination. (Where the application is reachable only through a network account, this achieves the same objective and is redundant; if tested and operating effectively, it eliminates the deficiency.)
Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building. (Compensating: reduces severity only.)
Example of Redundant and Compensating Controls (cont.)
Control Activity: Application access is removed within 5 days of a user’s termination.
Control Objective: Access Controls
Compensating Control: User IDs are deleted upon weekly notification of termination from HR. (A weekly cycle can run past the 5-day requirement, so this shortens the exposure window without meeting the control activity as stated.)
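The termination example above is the kind of control that can be tested mechanically. The following script is an added illustration, not material from the deck: it takes a constructed population of HR terminations and the dates the application, network and badge controls actually fired, flags every termination where application access was not disabled within 5 days, and then applies the deck’s distinction to each exception: an exception covered by a tested control that meets the same objective in time (network disablement, assumed here to be the only route to the application) is treated as redundant and drops out; one covered only by badge collection is compensated but remains a deficiency. The user names, dates and the `MAX_DAYS` window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_DAYS = 5  # the control activity: access disabled within 5 days of termination


@dataclass(frozen=True)
class Termination:
    user: str
    term_date: date


# Constructed sample population (not from the original deck): four terminations
# in the test period and the date each access-removal action actually happened.
# None means the action never happened.
TERMINATIONS: List[Termination] = [
    Termination("alice", date(2024, 3, 1)),
    Termination("bob", date(2024, 3, 4)),
    Termination("carol", date(2024, 3, 11)),
    Termination("dave", date(2024, 3, 18)),
]
# Control under test: application account disabled (e.g. from the app's own audit log).
APP_DISABLED: Dict[str, Optional[date]] = {
    "alice": date(2024, 3, 3), "bob": date(2024, 3, 15), "carol": None, "dave": date(2024, 3, 20),
}
# Candidate redundant control: network account disabled on HR notification.
# Assumed here to be the only path to the application, so it meets the same objective.
NET_DISABLED: Dict[str, Optional[date]] = {
    "alice": date(2024, 3, 1), "bob": date(2024, 3, 4), "carol": None, "dave": date(2024, 3, 18),
}
# Candidate compensating control: badge collected at termination (physical access only).
BADGE_COLLECTED: Dict[str, bool] = {"alice": True, "bob": True, "carol": True, "dave": True}


def days_to_disable(term: Termination, disabled: Dict[str, Optional[date]]) -> Optional[int]:
    """Days between termination and the disable action, or None if it never ran."""
    when = disabled.get(term.user)
    return None if when is None else (when - term.term_date).days


def find_exceptions(terminations, disabled, max_days=MAX_DAYS) -> Dict[str, Optional[int]]:
    """Every termination where the control did not operate as stated:
    the disable action is missing (None) or happened later than max_days."""
    result = {}
    for t in terminations:
        days = days_to_disable(t, disabled)
        if days is None or days > max_days:
            result[t.user] = days
    return result


def classify_exception(term, net_disabled, badge_collected, max_days=MAX_DAYS) -> str:
    """What the other tested controls do for one exception:
    'redundant'    - a control achieving the same objective operated inside the
                     window, so the exception is not a deficiency
    'compensating' - only the physical-access control operated: the deficiency
                     stands, but its severity is reduced
    'none'         - nothing else caught it"""
    net_days = days_to_disable(term, net_disabled)
    if net_days is not None and net_days <= max_days:
        return "redundant"
    if badge_collected.get(term.user, False):
        return "compensating"
    return "none"


def evaluate_control(terminations, app_disabled, net_disabled, badge_collected, max_days=MAX_DAYS):
    """Exception evaluation for the sample period: exceptions, deviation rate,
    how each exception is covered, and who is left as a residual deficiency."""
    exceptions = find_exceptions(terminations, app_disabled, max_days)
    by_user = {t.user: t for t in terminations}
    outcome = {u: classify_exception(by_user[u], net_disabled, badge_collected, max_days)
               for u in exceptions}
    residual = sorted(u for u, c in outcome.items() if c != "redundant")
    return {
        "population": len(terminations),
        "exceptions": exceptions,
        "deviation_rate": len(exceptions) / len(terminations),
        "outcome": outcome,
        "residual_deficiency_users": residual,
    }


if __name__ == "__main__":
    for key, value in evaluate_control(TERMINATIONS, APP_DISABLED, NET_DISABLED, BADGE_COLLECTED).items():
        print(f"{key}: {value}")
```

In the sample, bob’s application account was disabled 11 days after termination but his network account went the same day, so the redundant control removes that exception; carol’s accounts were never disabled at all and only her badge was collected, so she remains as the residual deficiency. The deviation rate is reported for completeness; as the deck notes, a tolerable-deviation comparison is only meaningful for controls operating at least daily.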
Evaluating Deficiencies
Deficiency Evaluation / Issue Evaluation
Issue Evaluation Step 1: Determine whether further evaluation is necessary.
Deficiency Evaluation Step 2: Determine the level of deficiency.
Deficiency Evaluation, cont’d: the level of deficiency follows from the magnitude of the undesirable outcome that occurred, or could have occurred, and the likelihood of that outcome.
Magnitude \ Likelihood: More Than Remote | Remote
Quantitatively or qualitatively material: Material Weakness | Significant Deficiency
More than inconsequential, but less than material: Significant Deficiency | Control Deficiency
Inconsequential (i.e., immaterial): Control Deficiency | Control Deficiency
Internal Control Definitions – A-123, Financial Reporting
Significant Deficiency: likelihood more than remote; magnitude more than inconsequential.
Material Weakness: likelihood more than remote; magnitude material.
Costs vs. Benefits
In some cases it is adequate to accept the risk of an undesirable outcome. Factors that should be considered when making this decision include a cost vs. benefit analysis.
Aggregating Deficiencies
[Figure: Aggregation of Deficiencies. A pyramid in which many Internal Control Deficiencies at the base combine into fewer Significant Deficiencies, which in turn combine into Material Weaknesses at the top.]
Aggregation of Deficiencies, cont’d: Consider all control deficiencies and significant deficiencies in the aggregate by: significant account balance or disclosure; NIST family (e.g., Access Control, Audit and Accountability, or Configuration Management).
Consider any prior-year unremediated findings when performing aggregation.
Several control deficiencies related to the same account balance or disclosure increase the relative likelihood and potential magnitude of an undesirable outcome, compared to when only one individual control deficiency exists.
Aggregation of Deficiencies, cont’d: After completing your evaluation of the aggregation of the deficiencies, consider writing a position paper in instances where you disagree with the results of aggregation presented by the auditors. If you agree with the aggregation of deficiencies noted, a position paper is not necessary.
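To make the evaluation and aggregation steps reproducible, here is an added example (not part of the deck) that encodes the likelihood-by-magnitude matrix from the Deficiency Evaluation slide and then aggregates constructed findings by NIST family, prior-year findings included. Two things to note. First, the matrix as drawn on the slide rates a remote likelihood of a material outcome as a Significant Deficiency, which is stricter than the definitions table that requires a more-than-remote likelihood for an SD; the code follows the matrix. Second, the deck only says that several deficiencies in one bucket raise the relative likelihood and magnitude, so the combination rule used here (take the family’s highest likelihood and magnitude, and step the magnitude up one level when the family holds two or more deficiencies) is an assumption for illustration, as are the control identifiers and ratings in the sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Ordered from least to most severe; the matrix and the aggregation compare on this order.
LIKELIHOOD = ("remote", "more_than_remote")
MAGNITUDE = ("inconsequential", "more_than_inconsequential", "material")


@dataclass(frozen=True)
class Deficiency:
    control: str              # NIST control identifier (sample values, constructed)
    family: str               # NIST family used as the aggregation bucket
    likelihood: str
    magnitude: str
    prior_year: bool = False  # unremediated finding carried forward into this year's population


def deficiency_level(likelihood: str, magnitude: str) -> str:
    """The deck's likelihood x magnitude matrix: CD, SD or MW.
    Follows the slide, so remote + material rates SD rather than CD."""
    if likelihood not in LIKELIHOOD or magnitude not in MAGNITUDE:
        raise ValueError(f"unknown rating: {likelihood!r}, {magnitude!r}")
    if magnitude == "inconsequential":
        return "CD"
    if magnitude == "material":
        return "MW" if likelihood == "more_than_remote" else "SD"
    # more than inconsequential, but less than material
    return "SD" if likelihood == "more_than_remote" else "CD"


def aggregate_by_family(deficiencies: List[Deficiency]) -> Dict[str, dict]:
    """Rate each deficiency on its own, then rate each NIST family as a combination.
    Assumed combination rule (the deck gives no formula): the family takes the
    highest likelihood and highest magnitude among its members, and the magnitude
    steps up one level when the family holds two or more deficiencies."""
    groups: Dict[str, List[Deficiency]] = defaultdict(list)
    for d in deficiencies:
        groups[d.family].append(d)
    report = {}
    for family, members in sorted(groups.items()):
        individual = {d.control: deficiency_level(d.likelihood, d.magnitude) for d in members}
        lik = max(LIKELIHOOD.index(d.likelihood) for d in members)
        mag = max(MAGNITUDE.index(d.magnitude) for d in members)
        if len(members) >= 2:
            mag = min(mag + 1, len(MAGNITUDE) - 1)
        report[family] = {
            "individual": individual,
            "aggregate": deficiency_level(LIKELIHOOD[lik], MAGNITUDE[mag]),
            "count": len(members),
            "prior_year": sorted(d.control for d in members if d.prior_year),
        }
    return report


# Constructed sample findings (not from the deck).
FINDINGS = [
    Deficiency("AC-2", "AC", "remote", "more_than_inconsequential"),
    Deficiency("AC-6", "AC", "more_than_remote", "more_than_inconsequential"),
    Deficiency("AC-17", "AC", "remote", "inconsequential", prior_year=True),
    Deficiency("CM-6", "CM", "remote", "inconsequential"),
    Deficiency("AU-6", "AU", "more_than_remote", "material"),
]

if __name__ == "__main__":
    for family, result in aggregate_by_family(FINDINGS).items():
        print(family, result)
```

In the sample, no single Access Control finding is worse than an SD, but three of them together (one carried over from the prior year) aggregate to a Material Weakness under the assumed rule, which is exactly the situation the position-paper guidance above is meant to handle.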