General IT Controls (GITC) - Deloitte


General IT Controls (GITC)
Risk and Impact
November 2018
Risk Advisory

Table of Contents
Introduction
IT scoping for evaluation of internal controls
Importance of GITC
Implications of GITC deficiencies
Stepping towards a controlled IT environment
Conclusive remarks
Impact of GITC failure on the overall ICFR framework
Contact

Introduction

The importance of information technology (IT) controls has recently caught the attention of organisations using advanced IT products and services. This thought paper has been developed for the management of companies that are required to establish a framework of internal controls and to ensure its effective operation throughout the year. It draws attention to how applications should be scoped in for monitoring internal controls and how control gaps need to be assessed and concluded upon.

The increasing complexity of IT setups has resulted in a greater focus on controls in the IT environment. With mandates emanating from various regulations, internal controls have gained momentum in India in recent years. There is a trend towards automating processes and controls through the adoption of advanced IT products and services, for greater efficiency in operations, compliance and reporting activities. This requires an increased focus on the effective operation of controls around IT assets and services.

Internal Financial Controls over Financial Reporting

"Internal controls" refers to those activities within a company that are put in place by management to mitigate the risks that could hinder the company from achieving its objectives. Under the Committee of Sponsoring Organizations (COSO) framework, as revised in May 2013, there are three categories of objectives which internal controls need to meet: Operations, Reporting and Compliance.

In many cases, a control may address more than one of these objectives. Under the COSO framework, there are five interrelated "components" of an effective internal control system; these are derived from the way the company is managed on a day-to-day basis:

Control Environment: the company's control environment at the top management level with respect to controls. This includes elements such as "tone at the top" and the effectiveness of the board's audit committee in its high-level oversight of financial reporting.

Risk Assessment: risk assessment of the various processes and factors that might hinder the company from achieving its objectives. For example, a process that is highly susceptible to fraud would be considered a high-risk area.

Control Activities: the way in which controls are designed and implemented within the company so as to address identified risks.

Information and Communication: the way in which information within the company is gathered and shared, both with people within the company responsible for operations and financial reporting and with external users of financial reports.

Monitoring Activities: the way in which the effectiveness of these controls is monitored by company management, who take corrective action wherever necessary.

[Figure: COSO Cube (2013). Objectives: Operations, Reporting, Compliance. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Organisational levels: Entity, Division, Operating Unit, Function.]

Purpose of Internal Control

Internal control is designed, implemented and monitored to address identified business risks that threaten the achievement of any of the entity's objectives concerning:
- the reliability of the entity's financial reporting;
- the effectiveness and efficiency of its operations; and
- its compliance with applicable laws and regulations.

IT scoping for evaluation of internal controls

Multiple application systems, data warehouses, report writers and layers of supporting IT infrastructure (database, operating system and network) may be involved in a business process, from the initiation of a transaction to its recording in the general ledger. Such transactions ultimately lead to reporting in the financial statements, and therefore any or all of these systems and IT infrastructure may be relevant to the audit.

Scoping considerations for IT applications relevant to audit

Management needs to maintain documentation for understanding the system landscape mapped to the key business processes that are relevant to financial reporting, including:
- the classes of transactions in the company's operations that are significant to the financial statements;
- the procedures, within both automated and manual systems, by which those transactions are initiated, authorised, processed, recorded and reported;
- significant account balances that are material with respect to financial reporting;
- the ways in which the information system captures transactions, events and conditions that are significant to the financial statements; and
- the period-end financial reporting process.

Once an application system, data warehouse or report writer has been determined to be relevant to the audit, general IT controls are required to address its integrity and reliability.

An application, data warehouse or report writer is relevant to the audit when management relies on it in one of the following ways:

Data: management relies on an application system or data warehouse to process or maintain data (e.g. transactions or other relevant data) related to significant accounts or disclosures, or to reports used in the operation of a relevant control.

Automated Controls: management relies upon the application system to perform certain automated functions that are relevant to the audit.

System-Generated Reports: management relies on an application, data warehouse query or report writer to generate a report that is used in the operation of a relevant control.

For Example
Assume that an entity's SAP application runs on a UNIX server (operating system) and uses an Oracle database. User authentication depends on Windows Active Directory, and the entity uses Cisco network management software. In this example, the UNIX and Windows operating systems, Active Directory, the Oracle database and the Cisco network management software are the technology elements supporting the SAP application system, and all of these technology elements are relevant to the audit.

Importance of GITC

Sustaining reliable financial information depends on effective internal control, and General IT Controls (GITCs) are a key part of an entity's internal control framework.

GITCs are a critical component of business operations and financial information controls. They provide the foundation for reliance on data, reports, automated controls and other system functionality underlying business processes. The security, integrity and reliability of financial information rely on proper access controls, change management and operational controls.

The importance and relevance of General IT Controls to key stakeholders (owners, investors, regulators, audit committees, management and auditors) continues to increase.

- Effective controls in operations, compliance with laws and regulations, and financial reporting are fundamental to well-managed entities. Entities recognise the importance of internal control to the reliability of the business processes that they use to run the entity.
- The processes, controls and financial data relevant to financial information are often also relied upon by management to manage the business and for key decision-making.
- While financial information is not new, the complexity of financial reporting, business models and the technology used to support them continues to evolve.
- Regulators expect enhanced reliability of financial information, and stakeholders are looking for more specific information and transparency. Entities and auditors need to address these concerns to meet evolving owner, investor and regulator expectations.
- Cyber security is a broad business risk, which extends to financial information.
- Automation is becoming increasingly important given the reliance on automated controls such as calculations, access controls, segregation of duties, and input, processing and output controls. These automated controls rely on GITCs to ensure they function properly.

Implications of GITC deficiencies

Deficiencies in GITCs may hinder management's ability to prepare accurate financial information. If these deficiencies are not identified and addressed in a timely manner, they may impact the overall functioning of internal controls, resulting in a delayed financial closing process and affecting internal decisions and/or public disclosures. This could ultimately affect the reputation and brand of the company.

Deficiencies in GITCs may also increase audit effort and cost, due to the additional audit procedures needed to respond to unaddressed IT risks.

Certain GITC deficiencies present a "greater risk" of resulting in a misstatement that could be pervasive in nature and have far-reaching implications. The proximity of the GITC deficiency to financial reporting (e.g. a deficiency at the application layer versus the operating system layer) and the level of technical skill necessary to exploit the deficiency, among other factors, affect the severity of a deficiency.

As such, when considering the nature and cause of a deficiency, it is important to consider whether it presents a "lesser risk" or a "greater risk" of misstatement. These considerations are relevant to determining the nature, timing and extent of additional audit procedures.

Stepping towards a controlled IT environment

The security, integrity and reliability of financial information rely on proper access controls, change management and operational controls. IT systems are becoming more integrated with business processes and with controls over financial information. This is compelling organisations to increase their focus on IT controls in order to maintain the reliability of business processes within the organisation.

The information within IT systems is crucial for meeting many requirements in an organisation, including:
- financial information relied upon by decision makers that is maintained within the IT systems;
- the continuously changing and increasing complexity of financial reporting; and
- the ability of an organisation to meet the demands of regulators and investors.

The following topics are elaborated in detail below: User Access Management, Change Management and Outsourced Service Provider.

User Access Management

User access provisioning
Granting access to a new user is the initial step in maintaining a controlled environment on an IT application. Inappropriately provisioned user access could result in the posting of unauthorised financial transactions.

Excessive access
Access to a business application needs to be granted based on the roles and responsibilities of users. Provision of access that is not in line with a user's job responsibilities could lead to the posting of unauthorised financial transactions. In both contexts, it is important to revoke the access on time.

User access review
While streamlined user access provisioning is key to controlling the access management of an IT application, periodic user access review keeps the access aligned with business requirements. In the absence of periodic user access review, excessive access may remain with a user. User access review also detects anomalies in access provisioned or de-provisioned, and any other privileged or excessive access.

For Example
If an employee has access to approve purchase orders, create goods receipts and process vendor invoices, there is a possibility of unauthorised vendor payments being processed in excess of what is actually payable.

Generic User IDs and privileged access
Generic User IDs lead to accountability issues for transactions processed using such IDs. Further, if privileged (administrator) access is granted to a Generic User ID, that access can be misused for posting transactions that could have a pervasive impact on the financial statements.

For Example
A Generic User ID is used for background job processing and is granted privileged access. A user who accesses this Generic ID may make inappropriate changes to the background job, which can then post unauthorised financial entries.

User access de-provisioning
While access provisioning needs to be controlled, it is equally important to control the access revocation process. When employees are separated from the organisation, their User IDs can be misused for processing financial transactions. Such transactions would not only be unauthorised but would also lack accountability.

Furthermore, if an employee is transferred to another division or department and the access previously provisioned to them is not made obsolete, it leaves open the chance that it is used later on. Such access also needs to be de-provisioned on the transfer of the employee.

Change management

Direct change access
Access to make direct changes in a stable IT application's production environment may lead to serious data integrity issues. Direct changes are usually not tested beforehand, so they could have an adverse impact which would be difficult to roll back.

A direct change may override an existing automated application control for a particular financial transaction or set of transactions. In the absence of audit logs, such direct changes will remain undetected.

Inappropriate access to modify data can affect the ability to rely upon the data within the IT systems. A review-type control over direct changes would enable one to detect an inappropriate change to the IT application; however, a number of transactions would already have been processed by the time an inappropriate change is identified.

For Example
A direct change made to the calculation algorithm of the depreciation posting program may lead to inappropriate depreciation postings for the company's assets. Further, if this direct change is performed close to the period or year end, it may lead to incorrect representation of asset values.

Change evaluation
A change can be initiated either due to a new requirement or when an enhancement is required to already implemented functionality of an IT application. In either case, the change is to be developed, tested and then implemented in the production environment.

An emergency change is implemented to perform an immediate fix and usually does not involve rigorous testing prior to implementation in production. If a change is implemented without testing, its impact cannot be determined.

For Example
If a change is implemented in production to include a new pricing element in the sales order, then without testing it cannot be ascertained whether this pricing element will have any impact on other types of sales order, such as domestic sales or import sales.

Change authorisation
If an unauthorised change is implemented in the production environment, it may cause severe data integrity issues, including but not limited to the following:
- An unauthorised change may be incomplete, leading to instability of the underlying transactions processed.
- An unauthorised change may have been bundled together with other changes, compared to the original change request, leading to the processing of incorrect business data.
- An unauthorised change might not be intended for implementation at all, and may lead to fraud in the worst case.

Change authorisation timing is an important aspect from a control perspective. Usually, a change is authorised at two levels: once prior to development and finally just before migration/implementation of the change in the production environment. Change authorisation prior to development ensures that the intended change is aligned to business requirements. Change authorisation before migration/implementation in production ensures that the developed change has been tested by the end user and found to be aligned to what was requested.

Direct changes in production
Direct changes in an IT application's production environment override the established change management process. This could result in inappropriate and untested application changes that can potentially affect the system's stability and the sanity of financial data.

A direct change made to the production environment cannot be assessed for its impact if a corresponding quality/testing environment for the application is not available. Further, if the quality/testing environment is available but not synchronised with the production environment, the testing of the direct change performed in the quality environment might not serve its purpose.

For Example
A company code is created directly in the production environment, and later on pricing elements are to be configured in the sales order applicable to that company code. In such a case, the pricing element change cannot be tested in the quality environment, as the relevant company code is not available in the quality/test environment.

Segregation of duties in change management
Segregation of duties plays an important role in the entire change management process. If a developer has also been provisioned with change migration/implementation access in the production environment, it may lead to unauthorised and/or inappropriate changes being implemented in the production environment.

For Example
A developer develops the change, tests it and migrates it to the production environment single-handedly, leading to the possibility of an incorrect change being implemented in production even though the production environment is separate from the development and quality/test environments. As a developer, the user may not be aware of the business requirements that need to be evaluated for the change to be appropriate.
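The checks described in the User Access Management section above (excessive access across approving purchase orders, creating goods receipts and processing vendor invoices; leavers whose User IDs remain active; transferred employees who keep roles from their old function; Generic User IDs holding privileged access) and in the Segregation of duties in change management section (a developer who can also migrate changes to production) can all be expressed as rules over a user-role export joined with an HR feed. The following Python is an added example written for this page; it is not Deloitte's code nor any product's API. The role names, the rule combinations, the user records, the HR termination and department feed and the review date are all constructed for illustration.

```python
"""Added example: scripted user access review over a constructed user-role export.
Role names, SoD rules, users and HR data below are hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    roles: frozenset
    account_type: str   # "named" or "generic" (shared / background-job ID)
    status: str         # "active" or "locked"


# Hypothetical segregation-of-duties rules: a user holding every role in a
# tuple has a conflict of that kind.
SOD_RULES = {
    "procure_to_pay": ("PO_APPROVE", "GOODS_RECEIPT", "VENDOR_INVOICE"),
    "change_management": ("DEVELOPER", "PROD_TRANSPORT"),
}
# Hypothetical roles that can change code, configuration or background jobs
# in production; they must never sit on a generic ID.
PRIVILEGED_ROLES = frozenset({"SYSTEM_ADMIN", "PROD_TRANSPORT"})
# Which business function is allowed to hold each business role (hypothetical).
ROLE_OWNER = {"PO_APPROVE": "procurement", "GOODS_RECEIPT": "warehouse",
              "VENDOR_INVOICE": "finance"}


def sod_conflicts(users, rules=SOD_RULES):
    """(user_id, rule name) for every user holding a complete conflicting combination."""
    return [(u.user_id, name) for u in users
            for name, combo in rules.items() if set(combo) <= u.roles]


def orphaned_accounts(users, terminated, review_date):
    """Leavers whose ID is still active: (user_id, days since leaving date)."""
    return [(u.user_id, (review_date - terminated[u.user_id]).days)
            for u in users
            if u.user_id in terminated and u.status == "active"
            and terminated[u.user_id] <= review_date]


def stale_transfer_access(users, department_of, role_owner=ROLE_OWNER):
    """Business roles owned by a function other than the user's current department."""
    findings = []
    for u in users:
        dept = department_of.get(u.user_id)
        if dept is None:
            continue
        for role in sorted(u.roles):
            owner = role_owner.get(role)
            if owner is not None and owner != dept:
                findings.append((u.user_id, role, dept))
    return findings


def privileged_generic_ids(users, privileged=PRIVILEGED_ROLES):
    """Generic / shared IDs that also hold a privileged role."""
    return [u.user_id for u in users
            if u.account_type == "generic" and u.roles & privileged]


def run_review(users, terminated, department_of, review_date):
    """All four checks in one pass; each value is a list of findings."""
    return {
        "sod": sod_conflicts(users),
        "orphaned": orphaned_accounts(users, terminated, review_date),
        "transfer": stale_transfer_access(users, department_of),
        "generic_privileged": privileged_generic_ids(users),
    }


# Constructed sample export (not real data).
USERS = [
    UserRecord("alice", frozenset({"PO_APPROVE", "GOODS_RECEIPT", "VENDOR_INVOICE"}), "named", "active"),
    UserRecord("bob", frozenset({"PO_APPROVE"}), "named", "active"),      # moved to sales, kept procurement role
    UserRecord("carol", frozenset({"DEVELOPER", "PROD_TRANSPORT"}), "named", "active"),
    UserRecord("dave", frozenset({"VENDOR_INVOICE"}), "named", "active"),  # left, never de-provisioned
    UserRecord("erin", frozenset({"GOODS_RECEIPT"}), "named", "locked"),   # left, correctly locked
    UserRecord("BATCH01", frozenset({"SYSTEM_ADMIN"}), "generic", "active"),
    UserRecord("BATCH02", frozenset({"REPORT_VIEW"}), "generic", "active"),
]
# Constructed HR feed: leaving dates and current departments.
TERMINATED = {"dave": date(2018, 9, 30), "erin": date(2018, 8, 15)}
DEPARTMENT = {"alice": "finance", "bob": "sales", "carol": "it", "dave": "finance"}
REVIEW_DATE = date(2018, 11, 30)

if __name__ == "__main__":
    for area, findings in run_review(USERS, TERMINATED, DEPARTMENT, REVIEW_DATE).items():
        print(f"{area}: {findings}")
```

Each finding list maps to one of the deficiencies discussed in the text: the procure-to-pay conflict is the purchase order / goods receipt / vendor invoice example, the change-management conflict is the developer with production migration access, the orphaned entry is the leaver whose ID can still post transactions, and the transfer entries are roles that should have been de-provisioned when the employee changed function. In practice the user list and HR feed would be exported from the application and the HR system rather than embedded, and the review would be evidenced and signed off as the periodic user access review control.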

Outsourced Service Provider for infrastructure services

Today's global economy means virtually all entities use external service providers. Service providers must be able to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

Many service organisations perform controls for multiple customers and provide an independent service auditor report that includes the results of tests of controls. The intent of the 'Service Auditor Report' (SAR) is to provide guidance and uniformity in the way service providers disclose their control activities and processes to their customers and to the entity's auditors.

An entity needs to evaluate service auditor reports on the following aspects, among others:

Not evaluating exceptions related to relevant controls in the SAR
An organisation needs to evaluate the SAR from the perspective of the exceptions/deficiencies identified by the service auditors. For example, if the physical access controls to the outsourced data centre are reported as deficient in the SAR, there is a possibility of inappropriate access to the entity's financial data.

Not properly evaluating the appropriateness of the SAR
An organisation needs to assess whether the period of coverage of the report is adequate to cover the underlying risk. If the service auditor report is issued for only 6 months, it provides no evidence about the operation of the underlying IT controls for the remaining period of the financial year, and those controls might be ineffective during that period.

Conclusive remarks

GITC deficiencies may seem to be isolated gaps when assessed individually against the mitigating controls and procedures. However, it is essential to assess the gaps in a domain collectively, as logically similar gaps can increase the overall vulnerability. An evaluation with this approach can help management and auditors to identify failures across multiple levels that could ultimately result in fraud or financial misstatement.

In order to illustrate this approach, consider the following gaps that are commonly identified in IT controls:

Logical access

Deficiency identified                          | Deficiency type         | Unaddressed risk and risk in aggregation
-----------------------------------------------|-------------------------|------------------------------------------------------
Appropriate approvals were not available for   | Operating Effectiveness | Testing of user creation/modification has been carr
8 out of 25 samples tested.                    |                         |

