Introduction Comments Regulation / Guidance Internal Controls COSO A-123 SAS 55 Yellow Book SAS 112 1

Page 3:

“Over 800 pages of statutory text govern the daily decisions of Federal managers …”

Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (June 22, 2005)

Page 4:

“Internal controls are the checks and balances that help managers detect and prevent problems. They can be as simple as computer passwords or having a manager sign off on a time sheet, or as complex as installing software to track spending and detect spikes that signal trouble.

Internal controls provide a foundation for accountability; and, while they are important in the private sector, sound controls are imperative in government. Public trust depends on nothing less.”

Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (February 16, 2005)

Page 5:

“Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government’s own financial reporting problems, have resulted in an increased focus on management’s responsibility for internal control.”

February 2005, Subcommittee on Government Management, Finance, and Accountability

Page 6:

“Government should lead by example. We should be as good or better than those we are regulating.”

David Walker, Comptroller General to Congress (CFO Magazine, June 2003)

Page 7:

“The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal assessments with other internal control-related activities”

Linda Springer, Controller, Office of Management and Budget (December 21, 2004)

Page 8:

Internal controls have been talked about for almost 60 years:

• Budget & Accounting Procedures Act of 1950

• Inspector General Act of 1978, as amended

• OMB A-123, Management’s Responsibility for Internal Control (1981)

• Federal Managers Financial Integrity Act of 1982

• OMB A-50, Audit Follow Up (1982)

• GAO Green Book (1983)

Page 9:

• CFO Act of 1990 (financial statement audits for approximately 225 agencies)

• Government Performance and Results Act of 1993

• Government Management Reform Act of 1994

• OMB A-123, Management’s Responsibility for Internal Control, revised (1995)

• Federal Financial Management Improvement Act of 1996

• Clinger-Cohen Act of 1996

• GAO Green Book revised (1999)

Page 10:

• Reports Consolidation Act of 2000

• OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements (2000)

• Federal Information Security Management Act of 2002 (includes PIA)

• Improper Payments Information Act of 2002

• Accountability of Tax Dollars Act of 2002 (another 78 agencies must have financial statement audits)

• OMB A-123, Management’s Responsibility for Internal Control, revised (2004)

• OMB A-136, Financial Reporting Requirements (2004)

Page 11:

• NIST 800-18 Security Plans

• NIST 800-30 Risk Assessments

• NIST 800-34 Contingency Planning

• NIST 800-37 Certification and Accreditation

• NIST 800-47 Interconnected Systems

• NIST 800-50 Security Awareness

• NIST 800-53a Controls (low, moderate, and high)

• NIST 800-60 Control categories

• NIST FIPS 199 Security Categorization

• OMB M 06-16

Where and why do we have to follow NIST standards?

Page 12:

OMB A-123 Authority: Federal Managers’ Financial Integrity Act of 1982, as codified in 31 U.S.C. 3512.

References A-123 to provide guidance on how to implement.

Page 13:

“Agencies and individual Federal managers must take systematic and proactive measures to:”

1. Develop internal control oriented management.

2. Assess the adequacy of internal control in programs and operations.

3. Separately assess and document internal control.

4. Identify needed improvements.

5. Take corrective action.

6. Report annually through management assurance statements.

Source: A-123 Revised, dated December 21, 2004.

Page 14:

A-123 makes references to a host of other regulations to follow such as:

• FISMA

• IPIA

• GPRA

• CFO Act

Page 15:

What are internal controls?

1. Compliance with Laws and Regulations.

2. Reliability of Financial Data.

3. Effectiveness and Efficiency of operations.

These three objectives are cited throughout the guidance (e.g., the CFOC A-123 Implementation Guide, many SASs, A-123, the Green Book, etc.).

Page 16:

A-123 Applicability:

Compliance with A-123 AND Appendix A: Agencies listed within the CFO Act of 1990, as amended by the Government Management Reform Act of 1994 (cited in OMB Circular A-136). (ABOUT 225 AGENCIES)

Compliance with A-123 (NOT Appendix A): Executive agencies, as well as independent agencies and government corporations within the executive branch of the Federal government.

Page 17:

COSO’s influence on the industry:

National Commission on Fraudulent Financial Reporting (Treadway Commission) was formed in 1985 from the following 5 organizations:

• FEI – Financial Executives International

• AAA – American Accounting Association

• AICPA – American Institute of CPAs

• IIA – Institute of Internal Auditors

• IMA – Institute of Management Accountants

Page 18:

COSO’s influence on the industry:

In 1987, the Treadway Commission issued the Report of the National Commission on Fraudulent Financial Reporting, which emphasized:

• Importance of control environment

• Codes of conduct

• Competent and involved audit committees

• Active and objective internal audit function

Page 19:

COSO’s influence on the industry:

In September 1992, COSO issued the Internal Control Integrated Framework.

Control Environment – tone of the organization

Risk Assessment – assessing the risks of the organization

Control Activities – policies and procedures

Information and Communication – timely communication throughout the organization

Monitoring – quality control over a period of time

Page 20:

COSO’s influence on the industry:

In September 2004, COSO issued the Enterprise Risk Management – Integrated Framework (ERM).

Page 22:

SAS 55.02: “In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.”

Page 23:

SAS 55.04: “Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient.”

Remember: SAS 103–112 now come into play.

Page 24:

Yellow Book (GAGAS) versus AICPA standards:

                  General Standards   Fieldwork Standards         Reporting Standards
                  (chapter 3)         (chapter 4)                 (chapter 5)
GAAS (AICPA)                          X                           X
SAS (AICPA)                           X                           X
GAGAS             X                   X (in addition to AICPA)    X (in addition to AICPA)

Note: Yellow Book (GAGAS) engagements are subjected to additional AICPA standards for both fieldwork and reporting aspects.

Page 25:

SAS 112, paragraph 1: “It is applicable whenever an auditor expresses an opinion on financial statements.”

“Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.”

Page 26:

SAS 112 deficiency types (paragraphs 5–6):

Deficiency Type           Likelihood          Magnitude
Control Deficiency        Remote              Inconsequential
Significant Deficiency    More than remote    More than inconsequential
Material Weakness         More than remote    Material

Page 27:

SAS 112, paragraph 9: “The auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses.

The significance of a control deficiency depends on the potential for a misstatement, not on whether a misstatement actually has occurred.

Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant or material weaknesses.”

Page 28:

SAS 112, paragraph 13: “Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.”

Page 29:

SAS 112, paragraph 14: “… the auditor also should evaluate the possible mitigating effects of effective compensating controls …”

“Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.”
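The evaluation rules quoted on pages 26 through 29 (the likelihood/magnitude matrix, potential rather than actual misstatement, combination by account, and compensating controls) as a small decision-support script. This is an added example written for this page, not code from SAS 112 or from any audit tool; the sample findings, the ordinal scales and the one-step mitigation and aggregation rules are constructed assumptions.

```python
"""Evaluate control deficiencies under the SAS 112 rules summarised on this page:
the likelihood/magnitude matrix (paragraphs 5-6), potential rather than actual
misstatement (paragraph 9), aggregation by account (paragraph 13) and
compensating controls (paragraph 14).

Constructed illustration; not code from SAS 112 or from any audit tool. The
ordinal scales and the one-step mitigation and aggregation rules are
simplifying assumptions, and the conclusion remains the auditor's judgement.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    REMOTE = 0
    MORE_THAN_REMOTE = 1


class Magnitude(IntEnum):
    INCONSEQUENTIAL = 0
    MORE_THAN_INCONSEQUENTIAL = 1
    MATERIAL = 2


CONTROL_DEFICIENCY = "control deficiency"
SIGNIFICANT_DEFICIENCY = "significant deficiency"
MATERIAL_WEAKNESS = "material weakness"


@dataclass
class Deficiency:
    description: str
    account: str                      # account balance or disclosure affected
    likelihood: Likelihood
    magnitude: Magnitude
    misstatement_found: bool = False  # kept for the record only; paragraph 9: not evidence either way
    compensating_controls: list = field(default_factory=list)  # (name, effective) pairs, assumed shape


def classify(likelihood, magnitude):
    """Paragraphs 5-6: a remote likelihood or an inconsequential magnitude
    is only a control deficiency; otherwise the magnitude decides."""
    if likelihood == Likelihood.REMOTE or magnitude == Magnitude.INCONSEQUENTIAL:
        return CONTROL_DEFICIENCY
    if magnitude == Magnitude.MATERIAL:
        return MATERIAL_WEAKNESS
    return SIGNIFICANT_DEFICIENCY


def mitigated(d):
    """Paragraph 14, modelled as an assumption: one effective compensating
    control lowers the likelihood by one step. Ineffective controls count for
    nothing, and the deficiency itself is never dropped from the record."""
    likelihood = d.likelihood
    if likelihood > Likelihood.REMOTE and any(eff for _, eff in d.compensating_controls):
        likelihood = Likelihood(likelihood - 1)
    return likelihood, d.magnitude


def evaluate(deficiencies):
    """Classify each finding on its own and in combination per account, and
    list what must be communicated in writing (significant deficiencies and
    material weaknesses). misstatement_found is deliberately never consulted."""
    individual, by_account = {}, defaultdict(list)
    for d in deficiencies:
        lik, mag = mitigated(d)
        individual[d.description] = classify(lik, mag)
        by_account[d.account].append((lik, mag))
    combined = {}
    for account, items in by_account.items():
        lik = max(l for l, _ in items)
        mag = max(m for _, m in items)
        if len(items) >= 2:  # paragraph 13, modelled as an assumption:
            lik = Likelihood.MORE_THAN_REMOTE  # several findings on one account raise likelihood
        combined[account] = classify(lik, mag)
    to_report = sorted({name for name, kind in list(individual.items()) + list(combined.items())
                        if kind != CONTROL_DEFICIENCY})
    return {"individual": individual, "combined": combined, "report": to_report}


# Constructed sample findings for a hypothetical agency; not taken from the page.
SAMPLE = [
    Deficiency("Journal entries posted without second approval", "General ledger",
               Likelihood.MORE_THAN_REMOTE, Magnitude.MATERIAL,
               compensating_controls=[("Monthly CFO review of manual entries", True)]),
    Deficiency("Vendor setup and payment done by the same clerk", "Accounts payable",
               Likelihood.REMOTE, Magnitude.MORE_THAN_INCONSEQUENTIAL),
    Deficiency("Bank reconciliations not reviewed", "Accounts payable",
               Likelihood.REMOTE, Magnitude.MORE_THAN_INCONSEQUENTIAL),
    Deficiency("Shared administrator password on the payroll system", "Payroll",
               Likelihood.MORE_THAN_REMOTE, Magnitude.MORE_THAN_INCONSEQUENTIAL,
               compensating_controls=[("Quarterly access review", False)]),
]

if __name__ == "__main__":
    for section, rows in evaluate(SAMPLE).items():
        print(section, rows)
```

In the sample the two accounts-payable findings are each only a control deficiency, yet together they become a significant deficiency on that account, while the mitigated general-ledger finding stays on the record as a control deficiency.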

Page 30:

SAS 112, paragraph 18: “Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:

• Controls over the selection and application of accounting principles;

• Antifraud programs and controls;

• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.”

Page 31:

SAS 112, paragraph 19: Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:

• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance;

• Restatement of previously issued financial statements to reflect the correction of a material misstatement;

• Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control;

• An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities.

Page 32:

SAS 112, paragraph 19 (continued): Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:

• For complex entities in highly regulated industries, an ineffective regulatory compliance function;

• Identification of fraud of any magnitude on the part of senior management;

• Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected;

• An ineffective control environment.

Page 33:

SAS 112, paragraph 32: The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:

• Inadequate design of internal control over a significant account or process;

• Inadequate documentation of internal control;

• Insufficient control consciousness within the organization;

• Absent or inadequate segregation of duties;

• Absent or inadequate controls over safeguarding of assets;

• Inadequate design of IT general and application controls;

• Employees or management who lack qualifications and training;

• Inadequate design of monitoring controls; and

• Absence of internal process for reporting deficiencies;

Page 34:

SAS 112, paragraph 32 (continued): The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:

• Failure in the operation of effectively designed controls (e.g. dual authorization);

• Failure to perform reconciliations of significant accounts;

• Undue biases on the part of management;

• Management override of controls; and

Page 35:

Internal Controls

Page 36:

What is Risk?

RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one’s objectives.

To assess risk, the following process is used:

1. Identify the Risks

2. Source the Risks

3. Prioritize the Risks

Page 37:

What is Internal Control?

Internal Control = Risk Mitigation

Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:

• Alarm Clock: designed to prevent oversleeping. What are the risks?

• Speed Limits: designed to prevent aggressive driving. What are the risks?

• Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?

Page 38:

What is Internal Control in an Organization?

Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:

• Effectiveness & Efficiency of Operations – Relates to an entity's basic business objectives, including performance goals and safeguarding of an entity’s resources.

• Reliability of Financial Reporting – Relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e. budget execution reports, monitoring reports, and reports used to comply with laws and regulations).

• Compliance with Laws & Regulations – Relates to complying with those laws and regulations to which the entity is subject.

Page 39:

What are the Benefits of Good Internal Control?

• Identification and elimination of waste, fraud and abuse

• Reduction of improper or erroneous payments

• Enhanced understanding of risk exposure

• Sustained performance, efficiency and effectiveness

• Reduced level of effort for financial management system implementation or audit

• Improved policies and procedures

• Streamlined processes

• Clear definition of process ownership

• Greater accountability

• Enhanced audit readiness and internal control attestation readiness

• Compliance with laws & regulations

Page 40:

Office of Management and Budget (OMB) and Congressional Oversight

The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch.

Internal control is an integral part of tools currently being used by OMB and Congress to monitor federal Agencies.

• Performance and Accountability Report (PAR) – contains the Secretary's assurance statement on internal and financial management controls

• Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results

• President’s Management Agenda (PMA) – aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a “scorecard”

Page 41:

Internal Control Policy

Legislative / Regulatory Authorities and their Internal Control Requirements:

• Federal Managers' Financial Integrity Act (FMFIA) of 1982 – Requires that agency CFOs develop and maintain an integrated system of internal controls and requires GAO to issue internal control standards

• Federal Financial Management Improvement Act of 1996 (FFMIA) – Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements

• Federal Information Security Management Act of 2002 (FISMA) – Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB

• Improper Payments Information Act of 2002 (IPIA) – Provides for estimates and reports of improper payments by Federal agencies

• CFO Act of 1990 – Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system

• Government Performance and Results Act of 1993 (GPRA) – Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals

• Inspector General Act of 1978 – Requires IGs to report on internal controls when conducting a performance audit

• OMB Circular A-123 – Requires monitoring and improvement of internal controls associated with programs

• OMB Circular A-127 – Outlines requirements for FM system controls

• OMB Circular A-130 – Establishes the policy for the management of Federal information resources

Page 42:

OMB Circular A-123

• Issued under authority of FMFIA; entitled, “Management Accountability and Control”

• Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls

• Requires annual reporting on the effectiveness of management controls

• Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA

Page 43:

Revised OMB Circular A-123

• Circular A-123 was revised in December 2004

• Renamed “Management’s Responsibility for Internal Control”

• Changes developed by Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)

• Adopts certain concepts from the Sarbanes-Oxley Act of 2002

• Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”

• Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)

Page 44:

Overview of Revised Circular OMB A-123

The Revised Circular A-123 includes the following Appendices:

Appendix A – Internal Control over Financial Reporting

Appendix B – Improving Management of Government Charge Card Programs (revised Appendix B issued April 2006)

• Increases frequency of review and scope of spending and transaction limits

• Limits authorization and blocks card use for “high risk merchant category codes”

Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)

• Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments and obtaining a statistically valid estimate of the annual amount of improper payments

• Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them

Page 45:

Revised OMB Circular A-123, Appendix A Requirements

OMB Circular A-123, Appendix A requires Agencies to:

• ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework

• ESTABLISH a governance structure

• DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30. This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)

• TEST the operating effectiveness of internal controls

Page 46:

Revised OMB Circular A-123, Appendix A Requirements (continued)

• INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing

• SIGN an annual Statement of Assurance in the Performance Accountability Report (PAR) certifying effectiveness of internal control within the Agency

- Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15

• CORRECT deficiencies in internal control over financial reporting. Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies

Page 47:

Internal Control over Financial Reporting

Internal control over financial reporting is a process designed to provide reasonable assurance regarding reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting.

Internal control over a complete process involves controls at every step of the process, including controls over transaction initiation, maintenance of records, recording of transactions, and final reporting.

Internal control over financial reporting also includes entity level controls, information technology controls, and operational and compliance controls

The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting

Page 48:

Management Responsibilities

Management is responsible for establishing and maintaining internal control and documentation. Management must:

• consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework’s five components)

• develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)

• maintain up-to-date controls documentation on an on-going basis

• provide a certification statement related to the adequacy of controls (signed by the Secretary)

Page 49:

Manual versus Automated Controls

Controls may be either:

• Manual – implemented through human action. Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document

• Automated – implemented through system action. Example: Users must have a valid user id and password to access a system

Page 50:

Detective versus Preventative Controls

Controls may be either:

• Detective – provide evidence that an error or exception has occurred. Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls

• Preventative – are proactive in that they attempt to deter or prevent undesirable events from occurring. Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls

Page 51:

Control Activities Specific for Information Systems

There are two types of Information System Controls:

General Computer Controls (GCCs): Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization’s information technology infrastructure.

Application Controls: Controls that cover the processing of data within an application or computer program.

OMB Circular A-123 states, “general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing.”

Page 52:

Control Activities Specific for Information Systems: General Computer Controls

General Computer Controls should be designed to ensure that:

• The overall IT environment is well-controlled

• The IT organization is fit for its purpose, and there is proper management control over information systems

• Critical processing can be restored timely in the event of a prolonged outage (data / systems are backed up)

• New applications and changes to existing applications are properly authorized and only approved modifications are moved to the production environment

• Physical and logical security controls restrict access to data, systems and sensitive facilities

Page 53:

Control Activities Specific for Information Systems: General Computer Controls (continued)

Examples of General Computer Controls include:

• Monitoring of Adherence to Entity-wide Security Program

• Data Processing Policies and Procedures

• Continuity of Operations Plan (COOP)

• Regularly Scheduled and Documented Change Control Board Meetings

• Properly Completed and Maintained Access Request Forms

What must be assessed?

• Security Planning and Management

• Change Control

• Segregation of Duties

• Access Controls

• Service Continuity

• System Software

Page 54:

Control Activities Specific for Information Systems: Application Controls (continued)

Examples of Application Controls include:

• Automated controls built into the application (computerized edit checks and required passwords)

• Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)

What must be assessed?

• Input Controls (access restrictions, validity checking, source documents)

• Processing Controls (integrity controls, error messages, job scheduling)

• Output Controls (report generation and distribution, manual review of reports for obvious errors)

Page 55:

Entity Level Controls

Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies.

Responsibility: Entity Level Controls are assessed at both the agency and department level.

Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore, the assessment of entity-level controls is essential to the overall evaluation of controls.

Assessing Risk

What is meant by Assessing Risk?

Assess: to determine the importance, size, or value of

Risk: A state of uncertainty where, if specific events or conditions occur, there exists a possibility of an undesirable outcome.

Key Terms

• Confidentiality

• Integrity

• Availability

• Issue

• Exception

• Negligible Exception

• Isolated Incident

• Control Deficiency

• Significant Deficiency

• Material Weakness

FISMA

The Federal Information Security Management Act (FISMA), established in December 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

A-123 Appendix A

A-123 Appendix A was added in December 2004 to incorporate Sarbanes-Oxley Section 404 principles into federal financial management. The revision deals primarily with internal controls over financial reporting. A-123 Appendix A became effective in FY 2006.

FISMA and A-123 Appendix A: Involvement with Assessing Risk

In order to maintain a secure environment for information and information systems under FISMA, a well-established set of internal controls should be developed and executed.

FISMA internal controls incorporate the financial internal controls designed by A-123 Appendix A.

A necessary element in maintaining a set of internal controls is performing risk assessments.

FISMA Compliance / A-123 Appendix A Assurance Statement

Diagram labels: FISMA Compliance; NIST 800-53 Controls; A-123 Appendix A Assurance Statement; Financial Reporting Controls.

Vulnerability

Definition: open to attack or damage

Vulnerability is defined as “a weakness or shortfall in a system that reduces the system’s ability to protect system assets. The vulnerability can be caused by the absence of a needed security feature, or by some inadequacy in the functioning of an existing security feature”.

Threat

Definition: an indication of something impending

Threat is defined as “an unwanted event or attack against an IS asset…(that) exploits a vulnerability and is carried out by a threat agent, such as an insider, intruder, hostile intelligence service, or terrorist.”

Significance

Definition: the quality of being important

Significance is defined as “the magnitude of consequence or quantification of the damage that may be done if a threat is carried out and an unwanted event occurs.”

Household Example

Backyard Pool

Objective: Keep Child Alive

Threat: Child may drown in backyard pool

Vulnerability: Pool gate does not have a lock, child cannot swim, child is exploratory

Significance: Loss of a loved one

POAM: Teach the child to swim / Add lock

General Overview

Assessing Risk is more than just an annual process; it is continually evolving as the company changes on a day-to-day basis.

How does the scenario and risk rating change under the following conditions?

• Multiple Children

• Children are all over the age of 15

• House is located 50 miles from neighbors

• No Children within the house

• 3 Children under the age of 7

Changes in the environment change the Risk situation.

Limited Resources - POAM

How do we accomplish the control objective when we have limited resources? Resource limitation could include:

• Cost to complete

• Time Available

• Number of people required to accomplish the objective

• Availability of resources

Requires prioritization to use the resources effectively.

Deficiency levels (Control Deficiency, Significant Deficiency, Material Weakness) by Security Objective:

Confidentiality

Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent the unauthorized disclosure of sensitive information.

Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect sensitive information, such that there is more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a serious adverse effect.

Material Weakness: Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood of the unauthorized disclosure of sensitive information that could be expected to have a severe or catastrophic adverse effect.

Integrity

Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements of data (both financial and non-financial data) on a timely basis.

Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to initiate, authorize, record, process, or report data (both financial and non-financial data) reliably, such that there is more than a remote likelihood that a misstatement of the entity’s reports (both financial and non-financial reports) that is more than inconsequential will not be prevented or detected.

Material Weakness: Exists when a deficiency, or combination of significant deficiencies, results in more than a remote likelihood that a material misstatement of the entity's reports (both financial and non-financial reports) will not be prevented or detected.

Availability

Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to protect the availability of critical information resources and continuity of operations.

Significant Deficiency: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity's operations that could be expected to have a serious adverse effect.

Material Weakness: Exists when a control deficiency, or combination of control deficiencies, adversely affects the entity’s ability to protect critical information resources and continuity of operations, such that there is more than a remote likelihood of a disruption of the entity's operations that could be expected to have a severe or catastrophic adverse effect.

Issue Handling: Gauging the Problem

Issues -> Exceptions -> Assessing Risk Framework -> Level of Deficiency (CD, SD, MW)

A Day in the Life of a Deficiency (Framework Evaluation)

Issue Identified -> Identify/Verify -> Assess Likelihood and Magnitude -> Mitigating Controls -> Deficiency Evaluation -> Aggregation -> POA&M Creation -> Remediation -> Deficiency Remediated

Identify and Verify (covered in Test Procedure Training)

Identify and Verify

Once an issue has been identified, the following should be performed:

• Speak with the control owner.

• Determine whether the correct understanding was obtained.

• Determine whether there is any other evidence of the control.

If the issue still exists, confirm with management that it is a true exception.

Defining Exceptions

Exceptions are deviations from the predefined expectations of control activity statements. Exceptions can be found when assessing the design of the control activities, or when performing operating effectiveness testing of the control.

An exception may be detected or a control may not operate as expected for a number of reasons:

• The person who normally performs the control was absent for a period of time.

• The control may have broken down.

If the person who normally performs the work was absent or the control broke down for other reasons, the individual performing this control should attempt to identify any additional Redundant Controls that might be in place to help achieve the objective.

Defining Exceptions (cont.)

Consider whether or not the identified exception is an isolated incident, and therefore a negligible exception.

Consider whether the exception is within the tolerable deviation rate (frequency of the control must be at least daily).

Tolerable deviation: the number of exceptions the auditor will permit in the population and still be willing to rely on internal controls.

Redundant Controls

Redundant Controls (identified and tested) that operate effectively should be considered when evaluating an exception. Redundant Controls can be found in different control objectives or NIST controls, and help to eliminate the deficiency.

The identified Redundant Controls need to be tested, and be operating effectively, in order to be considered in the exception evaluation process.

Note: Redundant Controls can eliminate a control deficiency.

Identify and Verify, cont’d

Other Comments: Not all exceptions within testing will result in a deficiency. The key factor is whether the control objective, or NIST control, is met.

Evaluation requires professional judgment considering:

• Quantitative and qualitative factors

• Implications with regard to other controls

Likelihood and Magnitude

Assessing Risk – Exception Risk

Evaluate the risk level of each deficiency that is identified.

Level of Risk depends on:

• Proximity of the deficiency to the actual data.

• Likelihood – the chance that the deficiency could cause an undesirable outcome (Vulnerability, Threat)

• Magnitude – the size or extent of an undesirable outcome that may change or influence the judgment of a reasonable person (Significance)

The level of risk does not depend on whether an undesirable outcome has actually occurred, but rather on whether there is a reasonable possibility that the department/agency’s controls will fail to prevent or detect an undesirable outcome.

Likelihood

Threat (including Threat Agent):

• Capability

• History

• Gain / Motivation

• Attributable

• Detectability

Likelihood

• Determine if it is reasonably possible that the control or combination of controls will fail to prevent or detect an undesirable outcome.

• Determine the likelihood of an undesirable outcome, not the likelihood of a material undesirable outcome.

• Evaluation of likelihood can be made without quantification of the probability of the occurrence of an undesirable outcome.

Risk factors affecting likelihood:

• The subjectivity, complexity, or extent of judgment required to determine the amount involved;

• The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;

• The possible future consequences of the deficiency.

Magnitude

Significance:

• Loss of Life

• Top Secret/Secret

• Confidential

• Privacy Data

• Operations Impact

• Equipment Loss

• Data Integrity / Accuracy

Diagram: IT layers (Data Files / Databases, Application, Operating System, Network) and general control areas (Program Development, Program Changes, Access to Programs & Data, Computer Operations) within the IT Control Environment.

Compensating Controls

Compensating Controls

Definition: to cause to become less harsh or hostile

Compensating Controls are controls that operate at a level of precision that would reduce the potential impact of the deficiency to the organization.

Compensating Controls

Compensating Controls (identified and tested) that operate effectively should be considered when evaluating the level of a deficiency. Compensating Controls can be found in different control objectives or NIST controls, and help to decrease the severity of the deficiency.

The identified Compensating Controls need to be tested, and be operating effectively, in order to be considered in the deficiency evaluation process.

Note: Although Compensating Controls can reduce the severity of a control deficiency, they do not eliminate the control deficiency.

Example of Redundant vs. Compensating Controls

Control Activity: Application Access is disabled within 5 days of a user’s termination

Control Objective: Only authorized users can access application data

Example of Redundant vs. Compensating Controls

Control Activity: Application Access is disabled within 5 days of a user’s termination

Control Objective: Access Controls

Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building

Example of Redundant and Compensating Controls

Control Activity: Application Access is disabled within 5 days of a user’s termination

Control Objective: Access Controls

Mitigating Control: Network access is disabled based on notification from HR of termination.

Mitigating Control: Security badges are obtained upon termination, preventing physical access to the building

Example of Redundant and Compensating Controls

Control Activity: Application Access is removed within 5 days of a user’s termination

Control Objective: Access Controls

Compensating Control: User IDs are deleted upon weekly notification of termination from HR
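As an added example (not from the training deck), the following Python shows how the termination-access control in the preceding slides could be tested for operating effectiveness: it flags each terminated user whose application access was not disabled within the 5-day requirement, computes the deviation rate, and then sets aside exceptions where the redundant control (network access disabled on HR notification) was tested and operated effectively, since that control meets the same objective. The user IDs, dates and the 10% tolerable deviation rate are constructed assumptions.

```python
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 5  # control activity: application access is disabled within 5 days of termination

# Constructed sample population for one test period (not data from the deck).
# None means access was never disabled.
TERMINATIONS: Dict[str, date] = {
    "u1001": date(2024, 3, 1),
    "u1002": date(2024, 3, 4),
    "u1003": date(2024, 3, 11),
    "u1004": date(2024, 3, 15),
    "u1005": date(2024, 3, 22),
    "u1006": date(2024, 3, 25),
}
# Primary control: application access disabled.
APP_DISABLED: Dict[str, Optional[date]] = {
    "u1001": date(2024, 3, 3),
    "u1002": date(2024, 3, 6),
    "u1003": date(2024, 3, 20),  # 9 days after termination: exception
    "u1004": None,               # never disabled: exception
    "u1005": date(2024, 3, 25),
    "u1006": date(2024, 3, 30),  # exactly 5 days: within the requirement
}
# Redundant control (assumed tested): network access disabled on HR notification.
NETWORK_DISABLED: Dict[str, Optional[date]] = {
    "u1001": date(2024, 3, 1),
    "u1002": date(2024, 3, 4),
    "u1003": date(2024, 3, 12),  # operated in time, so the objective was still met for u1003
    "u1004": None,               # also missed: the exception stands
    "u1005": date(2024, 3, 22),
    "u1006": date(2024, 3, 26),
}


def days_to_disable(terminated: date, disabled: Optional[date]) -> Optional[int]:
    """Days between termination and disablement; None if access was never disabled."""
    if disabled is None:
        return None
    return (disabled - terminated).days


def find_exceptions(terminations: Dict[str, date],
                    disabled: Dict[str, Optional[date]],
                    sla_days: int = SLA_DAYS) -> List[str]:
    """Users whose access was not disabled within sla_days (never disabled counts)."""
    exceptions = []
    for user, term_date in terminations.items():
        days = days_to_disable(term_date, disabled.get(user))
        if days is None or days > sla_days:
            exceptions.append(user)
    return exceptions


def deviation_rate(exceptions: List[str], population_size: int) -> float:
    """Share of the tested population that deviated from the control activity."""
    return len(exceptions) / population_size if population_size else 0.0


def evaluate_control(terminations: Dict[str, date],
                     app_disabled: Dict[str, Optional[date]],
                     network_disabled: Dict[str, Optional[date]],
                     tolerable_rate: float = 0.10,   # assumed tolerable deviation rate
                     sla_days: int = SLA_DAYS) -> dict:
    """Test the primary control, then offset exceptions covered by the redundant control."""
    primary = find_exceptions(terminations, app_disabled, sla_days)
    redundant_failed = set(find_exceptions(terminations, network_disabled, sla_days))
    # An exception is eliminated only where the tested redundant control operated effectively.
    eliminated = [u for u in primary if u not in redundant_failed]
    remaining = [u for u in primary if u in redundant_failed]
    population = len(terminations)
    net_rate = deviation_rate(remaining, population)
    return {
        "primary_exceptions": primary,
        "eliminated_by_redundant_control": eliminated,
        "remaining_exceptions": remaining,
        "raw_deviation_rate": deviation_rate(primary, population),
        "net_deviation_rate": net_rate,
        "within_tolerable_rate": net_rate <= tolerable_rate,
    }


if __name__ == "__main__":
    for key, value in evaluate_control(TERMINATIONS, APP_DISABLED, NETWORK_DISABLED).items():
        print(f"{key}: {value}")
```

With the constructed data, u1003 is eliminated by the redundant control, u1004 remains an exception in both controls, and the net deviation rate (1 of 6) still exceeds the assumed tolerable rate, so the exception would move on to likelihood and magnitude assessment rather than being dismissed as negligible.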

Evaluating Deficiencies

Deficiency Evaluation / Issue Evaluation

Issue Evaluation Step 1: Determine whether further evaluation is necessary

Deficiency Evaluation Step 2: Determine the Level of Deficiency

Deficiency Evaluation, cont’d

Magnitude of undesirable outcome that occurred, or could have occurred (rows), against likelihood of an undesirable outcome (columns):

                                                    Likelihood: More Than Remote   Likelihood: Remote
Quantitatively or qualitatively material            Material Weakness              Significant Deficiency
More than inconsequential, but less than material   Significant Deficiency         Control Deficiency
Inconsequential (i.e., immaterial)                  Control Deficiency             Control Deficiency

Internal Control Definitions – A-123, Financial Reporting

                 Significant Deficiency        Material Weakness
Likelihood       More than Remote              More than Remote
Magnitude        More than Inconsequential     Material

Costs vs. Benefits

In some cases it is adequate to accept the risk of an undesirable outcome.

Factors that should be considered when making this decision include:

• Cost vs. Benefit analysis

Aggregating Deficiencies

Aggregation of Deficiencies

Diagram: Aggregation of Deficiencies, with layers labelled Internal Control Deficiency, Significant Deficiency and Material Weakness.

Aggregation of Deficiencies, cont’d

Consider all control deficiencies and significant deficiencies in the aggregate by:

• Significant account balance or disclosure

• NIST family (i.e., Access Control, Audit and Accountability, or Configuration Management)

Consider any prior year unremediated findings when performing aggregation.

Multiple control deficiencies related to the same account balance or disclosure increase the relative likelihood and potential magnitude of an undesirable outcome compared to when only one individual control deficiency exists.
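An added example, not from the deck, that puts the Deficiency Evaluation matrix, the compensating-control rule and the aggregation step into Python. The matrix cells are taken from the Deficiency Evaluation slide. Two rules are assumptions made for illustration: each tested, effective compensating control lowers the magnitude one step but never removes the deficiency (a compensating control reduces severity, it does not eliminate the deficiency), and within one NIST family, two or more deficiencies at the family's highest level, prior-year unremediated findings included, escalate the family's aggregate rating one level. The control labels and sample findings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Vocabulary used by the deck.
REMOTE, MORE_THAN_REMOTE = "remote", "more than remote"
INCONSEQUENTIAL = "inconsequential"
MORE_THAN_INCONSEQUENTIAL = "more than inconsequential"
MATERIAL = "material"
CD, SD, MW = "Control Deficiency", "Significant Deficiency", "Material Weakness"

MAGNITUDE_ORDER = [INCONSEQUENTIAL, MORE_THAN_INCONSEQUENTIAL, MATERIAL]
SEVERITY_ORDER = [CD, SD, MW]

# The Deficiency Evaluation matrix from the slide: (likelihood, magnitude) -> level.
MATRIX: Dict[Tuple[str, str], str] = {
    (MORE_THAN_REMOTE, MATERIAL): MW,
    (REMOTE, MATERIAL): SD,
    (MORE_THAN_REMOTE, MORE_THAN_INCONSEQUENTIAL): SD,
    (REMOTE, MORE_THAN_INCONSEQUENTIAL): CD,
    (MORE_THAN_REMOTE, INCONSEQUENTIAL): CD,
    (REMOTE, INCONSEQUENTIAL): CD,
}


@dataclass
class Deficiency:
    control: str                     # constructed label for the failed control activity
    nist_family: str                 # NIST family, e.g. "AC" (Access Control)
    likelihood: str
    magnitude: str
    effective_compensating: int = 0  # compensating controls that were tested and operate effectively


def effective_magnitude(d: Deficiency) -> str:
    """Assumption: each effective compensating control lowers magnitude one step,
    never below 'inconsequential', so the deficiency itself is never eliminated."""
    idx = MAGNITUDE_ORDER.index(d.magnitude) - d.effective_compensating
    return MAGNITUDE_ORDER[max(idx, 0)]


def evaluate(d: Deficiency) -> str:
    """Step 2 of the deck: determine the level of deficiency from the matrix."""
    return MATRIX[(d.likelihood, effective_magnitude(d))]


def aggregate_by_family(deficiencies: Iterable[Deficiency],
                        prior_year_unremediated: Iterable[Deficiency] = ()) -> Dict[str, str]:
    """Aggregate within each NIST family, counting prior-year unremediated findings.
    Assumption: two or more deficiencies at the family's highest level escalate the
    family's aggregate rating one level (several deficiencies in one area raise the
    likelihood and magnitude of an undesirable outcome), capped at Material Weakness."""
    levels_by_family: Dict[str, List[str]] = defaultdict(list)
    for d in list(deficiencies) + list(prior_year_unremediated):
        levels_by_family[d.nist_family].append(evaluate(d))
    aggregate: Dict[str, str] = {}
    for family, levels in levels_by_family.items():
        top = max(levels, key=SEVERITY_ORDER.index)
        idx = SEVERITY_ORDER.index(top)
        if levels.count(top) >= 2:
            idx = min(idx + 1, len(SEVERITY_ORDER) - 1)
        aggregate[family] = SEVERITY_ORDER[idx]
    return aggregate


# Constructed sample findings (not from the deck).
SAMPLE = [
    Deficiency("application access not removed within 5 days", "AC",
               MORE_THAN_REMOTE, MORE_THAN_INCONSEQUENTIAL),
    Deficiency("shared administrator account", "AC",
               MORE_THAN_REMOTE, MORE_THAN_INCONSEQUENTIAL, effective_compensating=1),
    Deficiency("audit logs not reviewed", "AU", MORE_THAN_REMOTE, MATERIAL),
    Deficiency("emergency changes not approved by CCB", "CM", REMOTE, MATERIAL),
]
PRIOR_YEAR = [
    Deficiency("prior-year AC finding, still open", "AC",
               MORE_THAN_REMOTE, MORE_THAN_INCONSEQUENTIAL),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.control}: {evaluate(d)}")
    print(aggregate_by_family(SAMPLE, PRIOR_YEAR))
```

On the constructed sample the individual levels are SD, CD (the compensating control lowered the second finding), MW and SD; aggregating by family rates AC as a Material Weakness only once the unremediated prior-year finding is counted, which is the point of the slide: the same individual findings can aggregate to a different conclusion depending on what else is open in that family.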

Aggregation of Deficiencies, cont’d

After completing your evaluation of the aggregation of the deficiencies, consider writing a position paper in instances where you disagree with the results of aggregation presented by the auditors.

If you agree with the aggregation of deficiencies noted, a position paper is not necessary.