Control Identification and Implementation

One of our teams just completed a Control Identification and Implementation project for a great client partner that is implementing a new ERP system. Our team analyzed business processes to understand process steps and identified controls in business and IT processes including manual controls and automated system controls. In cases where gaps in controls were identified, we worked with our client to design and implement new controls.  We documented the processes in process flow diagrams and documented the risks, controls and internal audit test procedures in the client’s Risk and Control Matrix. As a result of this project, we helped our client improve the design and operating effectiveness of their controls and provided internal and external stakeholders with a better understanding of the control environment.

 

Evaluating IT General Controls for an ERP System Integration

Implementing an Enterprise Resource Planning (ERP) system is a complex endeavor with far-reaching implications for a company’s operations. Throughout implementation and beyond, the company needs to verify that robust controls are in place to maintain financial and operational integrity, safeguard data, and ensure compliance.

When implementing a new ERP system, a comprehensive review of controls should be completed. This review should cover three primary areas: business process controls, application controls and Information Technology (IT) general controls. The evaluation of business process controls should identify process changes resulting from the implementation that may require additional controls or control modifications, and should assess whether current controls are still relevant to the updated process. Application controls built into the new ERP system should be evaluated, as automated controls may offer greater safeguards for the organization while also increasing efficiency within the process. IT general controls should be evaluated to verify that the implementation follows established change management controls and that additional controls, such as data security and system access, are applied to the new system during implementation and beyond.

This article will focus on the evaluation of IT general controls.  Business process controls and application controls will be addressed in future articles. 

When looking specifically at IT general controls, the following topics should be considered as part of the ERP implementation. Not every implementation will require all of the following actions to be taken; however, each of these areas should be evaluated prior to implementation to determine which are applicable to the environment.

Access Controls:

  • User Roles and Permissions: Define user roles and assign appropriate permissions to restrict access to sensitive data and functionality within the ERP system
  • Segregation of Duties: Verify that no single user holds a combination of access that lets them initiate, approve and record a critical process on their own; conflicts can be built into a single role's design as well as arise from combining several roles
    • Business users should have proper segregation of duties to prevent fraud and errors (e.g. authorization and approval; custody of assets; recording transactions; reconciliation and control activities)
    • IT users should have proper segregation of duties to prevent unauthorized or inappropriate changes as well as inappropriate access to the system
  • System Authentication: Provide each user with unique credentials for authenticating to the system; shared or generic accounts undermine the audit trail because actions can no longer be attributed to an individual
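The segregation-of-duties check in the list above is the kind of test internal audit runs over a role-assignment export from the ERP. The following Python is an added example, not code from the original article or from any ERP vendor: the conflict ruleset, role catalogue and user assignments are constructed for illustration, and a real run would substitute the organization's own SoD matrix and the system's actual role-to-user export. It also shows the point that a conflict can sit inside one role (AP_MANAGER below) rather than only across roles.

```python
"""Segregation-of-duties conflict check over ERP role assignments.

Added example, not from the original article. All rules, roles and
users below are constructed for illustration.
"""

# Constructed SoD ruleset: pairs of capabilities one person should not
# hold together, and the risk the combination creates.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "invoice_post"}):
        "create a vendor and post its invoices",
    frozenset({"invoice_post", "payment_release"}):
        "post and release payment for the same invoice",
    frozenset({"journal_entry_create", "journal_entry_approve"}):
        "approve own journal entries",
    frozenset({"user_admin", "payment_release"}):
        "grant oneself payment access",
}

# Constructed role catalogue: the capabilities each ERP role confers.
ROLE_CAPABILITIES = {
    "AP_CLERK": {"invoice_post"},
    "AP_MANAGER": {"invoice_post", "payment_release"},   # conflict inside one role
    "VENDOR_MAINT": {"vendor_master_maintain"},
    "GL_ACCOUNTANT": {"journal_entry_create"},
    "GL_CONTROLLER": {"journal_entry_approve"},
    "BASIS_ADMIN": {"user_admin"},
}

# Constructed user-to-role export, as an administrator would hand it to audit.
ASSIGNMENTS = {
    "jdoe": ["AP_CLERK", "VENDOR_MAINT"],          # conflict across two roles
    "msmith": ["AP_MANAGER"],                      # conflict from a single role
    "kchen": ["GL_ACCOUNTANT"],                    # clean
    "rpatel": ["GL_ACCOUNTANT", "GL_CONTROLLER"],  # create + approve journals
}


def user_capabilities(roles):
    """Union of the capabilities granted by every role a user holds."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def find_sod_conflicts(assignments):
    """Return {user: [(capability_a, capability_b, risk), ...]} for every user
    whose combined roles grant both sides of a conflicting pair."""
    findings = {}
    for user, roles in assignments.items():
        caps = user_capabilities(roles)
        hits = []
        for pair, risk in SOD_CONFLICTS.items():
            if pair <= caps:                # user holds both capabilities
                a, b = sorted(pair)
                hits.append((a, b, risk))
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ASSIGNMENTS).items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> could {risk}")
```

Each finding needs either a role change or a documented mitigating control (for example, an independent review of payments released by the conflicted user) before the reviewer signs off; the script only locates the conflicts.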

Change Management:

  • Change Approval Workflow: Require approvals and documentation for any changes made to system configurations or data
  • Data Conversion Testing: Conduct testing to verify that data transfers from legacy systems are complete and accurate
  • User Acceptance Testing: Verify that all system functionality and data is performing as expected during user acceptance
  • System Interface Testing: Conduct testing to verify that data transmissions interfacing with other systems are complete, accurate and valid

Data Security:

  • Data Encryption: Use encryption to protect data in transit and at rest to prevent unauthorized access
  • Data Backup and Recovery: Implement regular data backups and a disaster recovery plan, and test restores, so that data remains available in case of system failure
  • User Access Review: Review and approve user access prior to go-live to ensure roles are appropriate based on business needs and that segregation of duties is maintained
  • Final Approval: Approval to move to production is granted by key business and IT stakeholders

Logging and Monitoring:

  • Activity Logging: Management should evaluate logging capabilities and determine which logs should be turned on prior to go-live and which should be used after implementation is complete. Risk assessment and regulatory requirements should drive which user activities are logged within the ERP system. This creates an audit trail for monitoring and investigation
  • Change Logs: Maintain detailed logs of changes to the ERP system for auditing and tracking purposes
  • Review and Analysis: Regularly review audit logs to detect unusual or unauthorized activities
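One concrete way to "regularly review" change logs is to reconcile every logged change against the change-approval workflow listed under Change Management: a change with no ticket, with a rejected ticket, made before its ticket was approved, or made by someone outside the authorized change role is an exception. The Python below is an added example, not code from the original article or from any ERP product; the log format, ticket register and authorized-user list are constructed for illustration, and a real test would read the log the system itself produces (not a list supplied by the change team) and the ticketing system's approval records.

```python
"""Reconcile an ERP change log against approved change tickets.

Added example, not from the original article. Log lines, tickets and
the authorized-user list are constructed for illustration.
"""
import csv
import io
from datetime import datetime

# Constructed change log as exported from the ERP (one row per change).
CHANGE_LOG = """\
change_id,timestamp,user,object,ticket
T1001,2024-03-04T10:12:00,dev_alice,ZFI_POSTING_CHECK,CHG-501
T1002,2024-03-05T09:30:00,dev_bob,ZAP_PAYMENT_RUN,CHG-502
T1003,2024-03-05T16:45:00,dev_bob,ZAP_PAYMENT_RUN,
T1004,2024-03-06T11:00:00,admin_carol,SPRO_TOLERANCE_LIMITS,CHG-503
T1005,2024-03-07T08:05:00,dev_alice,ZFI_POSTING_CHECK,CHG-504
"""

# Constructed ticket register: ticket -> (approval timestamp, final status).
APPROVED_TICKETS = {
    "CHG-501": ("2024-03-03T15:00:00", "approved"),
    "CHG-502": ("2024-03-04T12:00:00", "approved"),
    "CHG-503": ("2024-03-06T09:00:00", "approved"),
    "CHG-504": ("2024-03-08T10:00:00", "approved"),  # approved after the change
    "CHG-505": ("2024-03-05T09:00:00", "rejected"),
}

# Constructed list of accounts holding the role that may move changes.
AUTHORIZED_CHANGE_USERS = {"dev_alice", "dev_bob"}


def parse_ts(text):
    return datetime.fromisoformat(text)


def reconcile_changes(log_text, tickets, authorized_users):
    """Return {change_id: [issue, ...]} for every logged change that is not
    covered by a ticket approved before the change by an authorized user."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        issues = []
        made_at = parse_ts(row["timestamp"])
        if row["user"] not in authorized_users:
            issues.append(f"executed by {row['user']}, who is not in the authorized change role")
        ticket = row["ticket"].strip()
        if not ticket:
            issues.append("no change ticket referenced")
        elif ticket not in tickets:
            issues.append(f"ticket {ticket} not found in change system")
        else:
            approved_at, status = tickets[ticket]
            if status != "approved":
                issues.append(f"ticket {ticket} status is {status}")
            elif parse_ts(approved_at) > made_at:
                issues.append(f"change made before ticket {ticket} was approved")
        if issues:
            findings[row["change_id"]] = issues
    return findings


if __name__ == "__main__":
    for change_id, issues in reconcile_changes(
            CHANGE_LOG, APPROVED_TICKETS, AUTHORIZED_CHANGE_USERS).items():
        print(change_id, "->", "; ".join(issues))
```

The approval-before-change test matters because a ticket approved retroactively documents the change but does not evidence that the approval control operated; auditors treat it as an exception.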

Data Validation and Accuracy:

  • Data Validation Rules: Implement data validation rules to confirm that data entered into the system is accurate and meets predefined criteria

Compliance:

  • Regulatory Compliance: Verify that the ERP system and related processes comply with industry regulations and legal requirements
  • Internal Policy Compliance: Verify that the ERP system aligns with the organization’s internal policies and procedures

Testing of the above controls may be achieved through multiple different methods. Process walkthroughs may be utilized to understand the control environment and the design effectiveness of controls. Inspection of a selection of transactions may be used to evidence control execution and operating effectiveness. A review of implementation documentation or interviews of key personnel involved in the implementation may provide deeper understanding of the implementation project and steps taken to ensure accuracy.

A thorough evaluation of IT general controls, tailored to the unique needs of the organization, is key to unlocking the ERP system’s full potential upon implementation. Designing IT controls while implementing an ERP system is not just a prudent measure; it is a critical aspect of ensuring the success and sustainability of the entire process. By carefully defining and implementing controls, organizations can mitigate risks, streamline operations, and maintain data integrity.

 

External Auditor Focus on User Access Reviews

Do you ever feel like just when you think you know what your external Sarbanes-Oxley (SOX) auditor is looking for, they change things? It has been happening since the inception of SOX. Just when management is getting comfortable with performing and documenting their controls, it seems like there is another obstacle to overcome.

A recent change we are seeing from some external auditors is an increased focus on user access reviews. External auditors are looking for documentation around system roles and permissions, training conducted for reviewers and documented analyses or risk assessments justifying why each role and associated permission is included or excluded from a review. In addition, some external auditors are performing interviews of a sample of reviewers to verify that reviewers fully understand the expectations of their review as well as their understanding of each role and associated permissions for the system access they review. There is also increased scrutiny on the completeness and accuracy of the user listing generated for the review. External auditors are documenting new deficiencies around user access reviews that have not been seen in the past, when nothing has changed in management’s process from previous years.

The trigger for the increased focus on user access reviews by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on a regular basis (annually for firms that audit more than 100 issuers, and at least once every three years for other firms), and once an inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm's inspection has different results and, therefore, each firm can have different areas of focus each year.

We can expect further changes from external auditors in the future. Initially these changes can seem burdensome but with collaboration between management, internal audit, and external audit, companies can prepare for the changes and have successful audits.

#ITGCtesting #Useraccessreviews #UAR

 

SOX Scope: IT Tools

In the ever-evolving landscape of information technology and Sarbanes-Oxley Act (SOX) compliance, IT tools are receiving more attention and being included in the scope of SOX audits by external auditors. It is now critical for management and internal audit to understand which IT tools are in use and how they are used, in order to evaluate the impact on SOX scoping. Once a tool is in scope for SOX, the next step is to determine the appropriate level of SOX testing based on the level of risk.

Traditionally, the scope for SOX IT General Control (ITGC) testing has been defined through risk assessment procedures that consider whether a system captures data that could impact financial reporting. Recently, external audit risk assessment procedures are being expanded to evaluate tools used to support ITGCs. Management and internal auditors should take inventory of the tools used in their IT environment and meet with the IT stakeholders to understand each tool's purpose and how the company is using the tool.

Once the tools are identified and understood, the auditor needs to assess the role of each tool and determine whether it has an impact on the accuracy, completeness or integrity of financial data. Any tool that plays a critical role in these aspects should be included in the SOX ITGC scope. Tools to consider for scoping include those used to manage user access to financial systems, to manage changes to IT systems, to monitor system and user activity, and to generate audit trails.

Specific tools and how they are used may vary from one organization to the next based on their unique processes and technologies in use. If a ticketing system is used only to track requests for support, it may not be in scope; however, if the ticketing system has an automated workflow to approve requests for access or program changes, it may be considered in scope, because the approval evidence the ITGC relies on is produced by that workflow.

For in-scope tools, management and internal audit should evaluate the level of risk associated with the tool.  Based on the level of risk, management and internal audit may choose to apply all ITGCs to the tool or limited controls based on how the tool is being used and what controls would be sufficient to mitigate the risk to financial reporting. 

The trigger for the increased focus on IT tools by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on a regular basis (annually for firms that audit more than 100 issuers, and at least once every three years for other firms), and once an inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm's inspection has different results and, therefore, each firm can have different areas of focus each year.

Collaboration between management, internal audit and external audit can help in defining the appropriate scope and approach to testing and lead to successful audits.

#tools #ITGC #SOXscope #riskassessment #ITGCtesting

 

New Expectations for Application Control Testing

Risks and controls. When we hear this phrase, we often think of the organization’s financial controls or maybe even the IT general controls; however, there’s another set of controls that are equally important: application controls.

Application controls are automated controls that are performed by a specific application or system. For example, an application control could perform a validity check or a completeness check to verify that data entered meets predetermined criteria. Often application controls are tested by doing a walkthrough: observing the performance of the control by entering data, for each type of transaction and processing alternative, into the system to verify how the control functions. In the past, this testing approach has been sufficient for external auditors to gain comfort that the application controls are operating as expected.

Review comments coming from the PCAOB to external auditors are creating the expectation that additional information for configurable and non-configurable application controls be gathered. External auditors are now looking for evidence directly from the application and its developers indicating that the specific item is not configurable within the system. For example, if the application in question is SAP, information directly from an SAP manual would need to be referenced to show that the specific item or criteria cannot be changed. Similarly, for configurable controls, external auditors are beginning to request additional evidence showing the current configuration and who can change the configuration within the system, and when it was last changed.

The combined walkthrough and testing approach is still appropriate; however, these additional procedures to support whether a control is configurable or non-configurable are also needed in order for some external auditors to gain comfort with application controls.

 

Navigating the Challenges of Periodic User Access Reviews

In today’s digital age, where data breaches and cyber threats are on the rise, maintaining robust security practices is of utmost importance for organizations. Periodic user access reviews serve as a critical component of ensuring the integrity and confidentiality of sensitive information. However, executing these reviews comes with its fair share of challenges. Here are four of the top challenges that companies face when conducting periodic user access reviews.

  1. Scale and Complexity: As companies grow and their digital landscapes expand, managing user access rights becomes increasingly complex. Organizations often operate multiple systems, applications, and platforms, each with its own set of access controls. The sheer scale and complexity of user access reviews make it challenging to identify all access points accurately.
  2. Manual Processes and Inefficiency: Many organizations still rely on manual processes to conduct user access reviews, involving spreadsheets, email chains, and manual cross-referencing. These methods are time-consuming, error-prone, and inefficient. Manual processes make it difficult to track and monitor changes in user access over time. The administrative burden placed on IT teams can be overwhelming, diverting their focus from more strategic initiatives. Inefficiencies in the review process can lead to delays, increased costs, and potential security gaps.
  3. Compliance and Audit Requirements: Organizations must comply with industry-specific regulations and standards that necessitate regular user access reviews. Meeting these compliance requirements can be a complex task, particularly when faced with tight deadlines and limited resources. Companies must stay abreast of evolving regulations and ensure their access review processes align with the latest compliance frameworks. Failure to meet these requirements can lead to legal consequences, reputational damage, and financial loss.
  4. Technology Limitations and Legacy Systems: Legacy systems and outdated technologies pose additional challenges to conducting user access reviews. Older systems may lack robust access control mechanisms or integration capabilities, making it difficult to obtain accurate and comprehensive user access data. Integrating these systems with modern identity and access management (IAM) solutions can be a complex endeavor. Striking a balance between maintaining legacy systems and adopting modern IAM solutions is crucial for organizations looking to streamline their periodic user access reviews.
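The spreadsheet-and-email approach described in challenge 2, and the completeness and accuracy of the user listing that the earlier post on external auditor focus flags as an area of scrutiny, can both be addressed by reconciling the system's user export against the HR roster and a register of service-account owners before reviewers ever see the listing. The Python below is an added example, not code from the original post or from any IAM product; the export columns, HR roster and owner register are constructed for illustration, and the account count used for the completeness check is assumed to be read directly from the system by the reviewer (for example, by running a count query) rather than taken from the export itself.

```python
"""Reconcile an ERP user listing for a periodic user access review.

Added example, not from the original post. Export, HR roster and
service-account owners are constructed; column names are assumptions.
"""
import csv
import io
from datetime import date

# Constructed system user export (what the administrator hands the reviewer).
SYSTEM_USER_EXPORT = """\
user_id,employee_id,roles,last_login,status
jdoe,E1001,AP_CLERK;VENDOR_MAINT,2024-02-28,active
msmith,E1002,AP_MANAGER,2024-03-01,active
tleft,E1003,GL_ACCOUNTANT,2023-11-15,active
svc_interface,,INTERFACE_RFC,2024-03-02,active
svc_legacy,,BATCH_ADMIN,2023-06-01,active
kchen,E1005,GL_ACCOUNTANT,2024-03-01,active
"""

# Constructed HR roster keyed by employee ID: (employment status, department).
HR_ROSTER = {
    "E1001": ("active", "Accounts Payable"),
    "E1002": ("active", "Accounts Payable"),
    "E1003": ("terminated", "General Ledger"),
    "E1005": ("active", "General Ledger"),
}

# Constructed register of non-human accounts and their documented owners.
SERVICE_ACCOUNT_OWNERS = {"svc_interface": "integration team"}

# Constructed review date used for the dormancy check.
REVIEW_DATE = date(2024, 3, 5)


def reconcile_user_listing(export_text, hr_roster, service_owners,
                           review_date, system_count=None, dormant_days=90):
    """Check the listing for completeness and flag accounts needing attention.

    Returns {"completeness_ok": bool, "row_count": int,
             "exceptions": {user_id: [issue, ...]}}.
    system_count is the account total read directly from the system; a
    mismatch means the export cannot be relied on as the review population.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    exceptions = {}
    for row in rows:
        issues = []
        user, emp = row["user_id"], row["employee_id"].strip()
        last_login = date.fromisoformat(row["last_login"])
        if emp:
            hr = hr_roster.get(emp)
            if hr is None:
                issues.append(f"employee {emp} not found in HR roster")
            elif hr[0] != "active" and row["status"] == "active":
                issues.append(f"account active but HR status is {hr[0]}")
        elif user not in service_owners:
            issues.append("no employee ID and no documented service-account owner")
        if (review_date - last_login).days > dormant_days:
            issues.append(f"no login in the last {dormant_days} days")
        if issues:
            exceptions[user] = issues
    return {
        "completeness_ok": system_count is None or system_count == len(rows),
        "row_count": len(rows),
        "exceptions": exceptions,
    }


def run_sample(system_count=6):
    """Run the reconciliation over the constructed data above."""
    return reconcile_user_listing(SYSTEM_USER_EXPORT, HR_ROSTER,
                                  SERVICE_ACCOUNT_OWNERS, REVIEW_DATE,
                                  system_count=system_count)


if __name__ == "__main__":
    result = run_sample()
    print("listing complete:", result["completeness_ok"], "rows:", result["row_count"])
    for user, issues in result["exceptions"].items():
        print(user, "->", "; ".join(issues))
```

The exceptions list is the input to the reviewer, not the review itself: the reviewer still has to confirm that each remaining active account's roles fit the person's job, but they start from a population whose completeness has been evidenced and with the terminated, orphaned and dormant accounts already identified.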

Periodic user access reviews are crucial for ensuring the security and compliance of organizational systems and data. Leveraging skilled advisors can help you overcome these challenges through process improvements and technology.

 

Preparing for a System Implementation Audit

Whether it’s a global ERP system or a small payroll system, any system implementation is likely to interest internal audit and possibly your external auditors as well. You may be wondering which aspects of an implementation your stakeholders will be most interested in when the time comes. The following paragraphs identify some of the most common areas that are reviewed during an implementation audit.

Testing.

Testing is often the area where auditors spend a majority of their time during an implementation review. User acceptance testing, validation testing, and interface testing are the main types of testing that auditors will want to review. Consider whether the testing performed was documented in a way to allow an auditor to follow the testing process and understand whether the test was successful or not. When it comes to testing, maintaining adequate documentation is often the key.

End-User Access. 

End-user access is another area to consider when performing an implementation. Your auditors will want to gain comfort that only users who require access for their job function have been set up within the system, and that those users' access raises no segregation of duties concerns. A documented pre-implementation user access review is instrumental in providing your auditors with the comfort they will be looking for regarding end-user access to the new system.

Governance and Ongoing Maintenance. 

As you already know, the work doesn’t end when the system goes live, and your auditors know this too. It’s important to show that consideration has been given to the ongoing processes and procedures that will be in place around such things as granting and removing access to the system and handling program changes or upgrades. Ideally, these processes or procedures are formally documented by the time the system is fully implemented.

Documentation. 

You’ve probably heard the phrase, “if it’s not documented, it’s not done.” Often, organizations have very strong system implementation processes and procedures in place; however, the areas where gaps occur are in the documentation and support to evidence the process. Appropriate documentation needs to be maintained to evidence each aspect of the system implementation, so that the support can be provided to auditors, or anyone that is interested in understanding your system implementation process and outcome.