Control Identification and Implementation

One of our teams just completed a Control Identification and Implementation project for a great client partner that is implementing a new ERP system. Our team analyzed business processes to understand process steps and identified controls in business and IT processes including manual controls and automated system controls. In cases where gaps in controls were identified, we worked with our client to design and implement new controls.  We documented the processes in process flow diagrams and documented the risks, controls and internal audit test procedures in the client’s Risk and Control Matrix. As a result of this project, we helped our client improve the design and operating effectiveness of their controls and provided internal and external stakeholders with a better understanding of the control environment.

 

Evaluating IT General Controls for an ERP System Integration

Implementing an Enterprise Resource Planning (ERP) system is a complex endeavor with far-reaching implications for a company’s operations. Throughout implementation and beyond, the company needs to verify that robust controls are in place to maintain financial and operational integrity, safeguard data, and ensure compliance.

When implementing a new ERP system, a comprehensive review of controls should be completed. This review should cover three primary areas: business process controls, application controls and Information Technology (IT) general controls. The evaluation of business process controls should identify process changes resulting from the implementation that may require new or modified controls, and should reassess existing controls to determine whether they are still relevant to the updated process. Application controls built into the new ERP system should be evaluated because automated controls may offer stronger safeguards than the manual controls they replace while also making the process more efficient. IT general controls should be evaluated to verify that the implementation itself follows established change management controls and that controls such as data security and system access are applied to the new system during implementation and beyond.

This article will focus on the evaluation of IT general controls.  Business process controls and application controls will be addressed in future articles. 

When looking specifically at IT general controls, the following topics should be considered as part of the ERP implementation. Not every implementation will require all of the following actions to be taken; however, each of these areas should be evaluated prior to implementation to determine which are applicable to the environment.

Access Controls:

  • User Roles and Permissions: Define user roles and assign appropriate permissions to restrict access to sensitive data and functionality within the ERP system
  • Segregation of Duties: Verify that no single user has too much control or access over critical processes
    • Business users should have proper segregation of duties to prevent fraud and errors (e.g. authorization and approval; custody of assets; recording transactions; reconciliation and control activities)
    • IT users should have proper segregation of duties to prevent unauthorized or inappropriate changes as well as inappropriate access to the system
  • System Authentication: Provide each user with unique credentials in order to securely authenticate to the system

Change Management:

  • Change Approval Workflow: Require approvals and documentation for any changes made to system configurations or data
  • Data Conversion Testing: Conduct testing to verify that data transfers from legacy systems are complete and accurate
  • User Acceptance Testing: Verify that all system functionality and data is performing as expected during user acceptance
  • System Interface Testing: Conduct testing to verify that data transmissions interfacing with other systems are complete, accurate and valid

Data Security:

  • Data Encryption: Use encryption to protect data in transit and at rest to prevent unauthorized access
  • Data Backup and Recovery: Implement regular data backups, test that they can actually be restored, and maintain a disaster recovery plan so that data remains available in case of system failures
  • User Access Review: Review and approval of user access prior to go live to ensure roles are appropriate based on business needs and to ensure proper segregation of duties
  • Final Approval: Approval to move to production is granted by key business and IT stakeholders

Logging and Monitoring:

  • Activity Logging: Management should evaluate the system's logging capabilities and determine which logs should be enabled prior to go live and which will be used after implementation is complete. Select and prioritize the user activities to be logged based on a risk assessment and on regulatory requirements; the resulting audit trail supports monitoring and investigation
  • Change Logs: Maintain detailed logs of changes to the ERP system for auditing and tracking purposes
  • Review and Analysis: Regularly review audit logs to detect unusual or unauthorized activities

Data Validation and Accuracy:

  • Data Validation Rules: Implement data validation rules to confirm that data entered into the system is accurate and meets predefined criteria

Compliance:

  • Regulatory Compliance: Verify that the ERP system and related processes comply with industry regulations and legal requirements
  • Internal Policy Compliance: Verify that the ERP system aligns with the organization’s internal policies and procedures

Testing of the above controls may be achieved through multiple different methods.  Process walkthroughs may be utilized to understand the control environment and the design effectiveness of controls.  Inspection of a selection of transactions may be used to evidence control execution and operating effectiveness.  A review of implementation documentation or interviews of key personnel involved in the implementation may provide deeper understanding of the implementation project and steps taken to ensure accuracy. 

A thorough evaluation of IT general controls, tailored to the unique needs of the organization, is key to unlocking the ERP system’s full potential upon implementation. Designing IT controls while implementing an ERP system is not just a prudent measure; it is a critical aspect of ensuring the success and sustainability of the entire process. By carefully defining and implementing controls, organizations can mitigate risks, streamline operations, and maintain data integrity.

 

External Auditor Focus on User Access Reviews

Do you ever feel like just when you think you know what your external Sarbanes-Oxley (SOX) auditor is looking for, they change things? It has been happening since the inception of SOX. Just when management is getting comfortable with performing and documenting their controls, it seems like there is another obstacle to overcome.

A recent change we are seeing from some external auditors is an increased focus on user access reviews. External auditors are looking for documentation around system roles and permissions, training conducted for reviewers and documented analyses or risk assessments justifying why each role and associated permission is included or excluded from a review. In addition, some external auditors are performing interviews of a sample of reviewers to verify that reviewers fully understand the expectations of their review as well as their understanding of each role and associated permissions for the system access they review. There is also increased scrutiny on the completeness and accuracy of the user listing generated for the review. External auditors are documenting new deficiencies around user access reviews that have not been seen in the past, when nothing has changed in management’s process from previous years.
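The completeness and accuracy of the user listing is the point most easily tested by management before the auditor does. The following is an added example (not code from the original post) that reconciles the listing distributed to reviewers against a direct pull from the application's user table and against the HR roster: accounts that are active but absent from the listing (completeness), rows in the listing that no longer exist or whose roles differ from the system (accuracy), and active accounts with no HR record or belonging to terminated staff. The three data sets are constructed for illustration.

```python
"""Completeness and accuracy checks on a user access review listing.

Added example, not from the original post. The three data sets below are
constructed: a direct pull from the ERP user table (treated as authoritative
for what access actually exists), the listing that was distributed to
reviewers, and the HR roster. Reviewers can only approve what is in front
of them, so the review is only as reliable as the listing.
"""

# Direct extraction from the application's user table (authoritative).
SYSTEM_EXPORT = {
    "alice":   {"status": "active", "roles": {"AP_INVOICE_ENTRY"}},
    "bob":     {"status": "active", "roles": {"AP_PAYMENT_RELEASE"}},
    "carol":   {"status": "active", "roles": {"GL_POST", "GL_RECONCILE"}},
    "dave":    {"status": "locked", "roles": {"DEV_CUSTOMIZE"}},
    "svc_etl": {"status": "active", "roles": {"GL_POST"}},
}

# Listing handed to reviewers (e.g. a spreadsheet built from the export).
REVIEW_LISTING = {
    "alice": {"roles": {"AP_INVOICE_ENTRY"}},
    "bob":   {"roles": {"AP_PAYMENT_RELEASE"}},
    "carol": {"roles": {"GL_POST"}},        # GL_RECONCILE dropped in transcription
    "erin":  {"roles": {"GL_RECONCILE"}},   # account no longer exists in the system
}

# HR roster: employee -> employment status. Service accounts have no record.
HR_ROSTER = {
    "alice": "active",
    "bob":   "active",
    "carol": "active",
    "dave":  "terminated",
}


def reconcile(system_export, review_listing, hr_roster):
    """Return the exceptions the review owner must resolve before sign-off.

    Locked/disabled accounts are excluded from the completeness test because
    they grant no access, but any account belonging to a terminated employee
    is still reported because it should have been removed, not just locked.
    """
    active = {u for u, rec in system_export.items() if rec["status"] == "active"}
    listed = set(review_listing)
    in_both = listed & set(system_export)

    return {
        # completeness: access that exists but that no reviewer will see
        "missing_from_listing": sorted(active - listed),
        # accuracy: rows the reviewer will approve that no longer exist
        "not_in_system": sorted(listed - set(system_export)),
        # accuracy: reviewer is shown different roles than the user holds
        "role_mismatch": sorted(
            u for u in in_both
            if review_listing[u]["roles"] != system_export[u]["roles"]
        ),
        # active accounts with no HR owner (service/generic accounts need one)
        "no_hr_record": sorted(active - set(hr_roster)),
        # accounts (any status) belonging to people HR says have left
        "terminated_not_removed": sorted(
            u for u in system_export if hr_roster.get(u) == "terminated"
        ),
    }


def listing_is_reliable(exceptions):
    """True only when the listing itself is complete and accurate; the HR
    exceptions are review findings rather than defects in the listing."""
    return not (exceptions["missing_from_listing"]
                or exceptions["not_in_system"]
                or exceptions["role_mismatch"])


if __name__ == "__main__":
    exceptions = reconcile(SYSTEM_EXPORT, REVIEW_LISTING, HR_ROSTER)
    for check, users in exceptions.items():
        print(f"{check}: {users or 'none'}")
    print("listing reliable:", listing_is_reliable(exceptions))
```

Keeping the export query, the row counts and this reconciliation output with the review package is exactly the kind of evidence that answers the auditor's completeness and accuracy questions before they are asked.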

The trigger for the increased focus on user access reviews by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis and once the inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings.  Each firm’s inspection has different results and, therefore, each firm can have different areas of focus each year.

We can expect further changes from external auditors in the future. Initially these changes can seem burdensome but with collaboration between management, internal audit, and external audit, companies can prepare for the changes and have successful audits.

#ITGCtesting #Useraccessreviews #UAR

 

SOX Scope: IT Tools

In the ever-evolving landscape of information technology and Sarbanes-Oxley Act (SOX) compliance, IT tools are increasingly getting more attention and being included in the scope of SOX audits by external auditors. It is now critical for management and internal audit to understand the IT tools being used and how they are being used, in order to evaluate the impact on SOX scoping.  Once a tool is in scope for SOX, the next step is to determine the appropriate level of SOX testing based on the level of risk.

Traditionally, the scope for SOX IT General Control (ITGC) testing has been defined through risk assessment procedures that consider whether a system captures data that could impact financial reporting.  Recently, external audit risk assessment procedures are being expanded to evaluate tools used to support ITGCs.  Management and internal auditors should take inventory of the tools used in their IT environment and meet with the IT stakeholders to understand each tool’s purpose and how the company is using the tool. 

Once the tools are identified and understood, the auditor needs to assess the role of each tool and determine whether it has an impact on the accuracy, completeness or integrity of financial data. Any tool that plays a critical role in these aspects should be included in the SOX ITGC scope. Tools to consider for scoping include those used to manage user access to financial systems, manage changes to IT systems, monitor system and user activity, and generate audit trails.

Specific tools and how they are used vary from one organization to the next based on their unique processes and technologies. If a ticketing system is used only to track support requests, it may not be in scope; however, if the ticketing system has an automated workflow to approve requests for access or program changes, it may be considered in scope.

For in-scope tools, management and internal audit should evaluate the level of risk associated with the tool.  Based on the level of risk, management and internal audit may choose to apply all ITGCs to the tool or limited controls based on how the tool is being used and what controls would be sufficient to mitigate the risk to financial reporting. 

The trigger for the increased focus on IT tools by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis and once the inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings.  Each firm’s inspection has different results and, therefore, each firm can have different areas of focus each year.

Collaboration between management, internal audit and external audit can help in defining the appropriate scope and approach to testing and lead to successful audits.

#tools #ITGC #SOXscope #riskassessment #ITGCtesting

 

Streamlining Control Operations: Control Rationalizations

Control rationalization can help companies align controls with risk, improve governance and deploy resources more efficiently.

Control rationalization helps identify and mitigate risks more efficiently. One of the results of a thorough assessment is that companies can identify control gaps and weaknesses that may expose them to financial misstatements, fraud, compliance breaches, and cybersecurity threats.  Changes to business operations, systems or processes occur and require controls to be adjusted in order to address associated risks.

Enhancing Efficiency and Effectiveness: Control rationalization involves evaluating existing controls to identify redundancies and inefficiencies. By eliminating unnecessary controls, companies can streamline activities associated with performing and documenting the controls and streamline control effectiveness assessments.

Tips for Successful Control Rationalization:

  1. Identify the objectives for maintaining your control environment (e.g. improving the accuracy and reliability of financial reporting, complying with regulatory requirements, preventing fraud, etc.).
  2. Assess existing processes and controls. Meet with stakeholders (control owners, process owners, etc.) to understand current business processes and to identify the control procedures being performed, both automated and manual. Also identify changes to the environment, systems and processes.
  3. Evaluate processes to identify relevant risks and the controls in place to mitigate those risks.
  4. Analyze the risks and controls to:
    • Determine whether there are risks which are no longer relevant and should be removed;
    • Identify which controls most effectively mitigate the associated risks (consider both manual and automated controls);
    • Determine whether there are controls that can be removed from the risk and control matrix;
    • Consider a tiered control strategy of primary and secondary controls, where primary controls are relied upon for initial compliance support and secondary controls are used for audit support only when the primary controls are not operating effectively. Both primary and secondary control procedures would still be performed; however, the documentation requirements for secondary controls may be different from those for primary controls;
    • Where risks are identified with no associated controls, work with process owners to design and implement appropriate controls.
  5. Collaborate and communicate with stakeholders to finalize the risk and control matrix and to encourage effective adoption of any changes to the control environment.
  6. Update supporting control documentation (e.g. process flow diagrams, process narratives, etc.) to add new controls, remove controls no longer needed, change controls from primary to secondary, etc.
  7. Perform ongoing monitoring of processes, controls and risks so that the risk and control matrix keeps pace with the changing environment and its risks.

Control rationalization helps companies to mitigate risks, strengthen governance and compliance, and enhance efficiency. By streamlining controls and eliminating redundancies, organizations can improve operational agility and allocate resources strategically.

#Audit #InternalControls #RiskMitigation #SOX #SOXCompliance

 

Navigating the Challenges of Periodic User Access Reviews

In today’s digital age, where data breaches and cyber threats are on the rise, maintaining robust security practices is of utmost importance for organizations. Periodic user access reviews serve as a critical component of ensuring the integrity and confidentiality of sensitive information. However, executing these reviews comes with its fair share of challenges. Here are four of the top challenges that companies face when conducting periodic user access reviews.

  1. Scale and Complexity: As companies grow and their digital landscapes expand, managing user access rights becomes increasingly complex. Organizations often operate multiple systems, applications, and platforms, each with its own set of access controls. The sheer scale and complexity of user access reviews make it challenging to identify all access points accurately.
  2. Manual Processes and Inefficiency: Many organizations still rely on manual processes to conduct user access reviews, involving spreadsheets, email chains, and manual cross-referencing. These methods are time-consuming, error-prone, and inefficient. Manual processes make it difficult to track and monitor changes in user access over time. The administrative burden placed on IT teams can be overwhelming, diverting their focus from more strategic initiatives. Inefficiencies in the review process can lead to delays, increased costs, and potential security gaps.
  3. Compliance and Audit Requirements: Organizations must comply with industry-specific regulations and standards that necessitate regular user access reviews. Meeting these compliance requirements can be a complex task, particularly when faced with tight deadlines and limited resources. Companies must stay abreast of evolving regulations and ensure their access review processes align with the latest compliance frameworks. Failure to meet these requirements can lead to legal consequences, reputational damage, and financial loss.
  4. Technology Limitations and Legacy Systems: Legacy systems and outdated technologies pose additional challenges to conducting user access reviews. Older systems may lack robust access control mechanisms or integration capabilities, making it difficult to obtain accurate and comprehensive user access data. Integrating these systems with modern identity and access management (IAM) solutions can be a complex endeavor. Striking a balance between maintaining legacy systems and adopting modern IAM solutions is crucial for organizations looking to streamline their periodic user access reviews.

Periodic user access reviews are crucial for ensuring the security and compliance of organizational systems and data. Leveraging skilled advisors can help you overcome these challenges through process improvements and technology.