Have you ever wondered what an external auditor does in his daily life? I decided to share my knowledge about controls for SOX (Sarbanes-Oxley) evaluation. Before we get into the controls, here are some of the terms used in the secret world of auditing: TOD - Test of Design; TOE - Test of Operative Effectiveness; PCAOB - Public Company Accounting Oversight Board.
Here goes the story. The SEC (Securities and Exchange Commission) set up a board called the PCAOB sometime in 2004 to oversee the auditors of public companies in order to protect the interests of investors. External auditors follow the rules, or auditing standards, set by this board. The auditing standards defined by the PCAOB are published here: http://pcaobus.org/Standards/Auditing/Pages/default.aspx. The general documentation every external auditor on this planet uses is called ITGC (IT General Controls). The ITGC has four sections in which the controls are defined and evaluated. It is the template these auditors use to evaluate the company's processes after mapping them from the ICOFR (Internal Control over Financial Reporting). The four sections are as follows:
I. Access to Programs and Data
II. Program Changes
III. Program Development
IV. Computer Operations
TOD, or test of design, is used to document the control objectives, control numbers and their descriptions. Ever since SAP bought Virsa, the world has changed in terms of auditors having to spend less time with their clients. SAP Solutions for Governance, Risk, and Compliance: GRC Access Control comprises the applications formerly known as Virsa Compliance Calibrator, Virsa Firefighter, Virsa Access Enforcer and Virsa Risk Terminator.

Virsa Compliance Calibrator is a fantastic tool for resolving SOD conflicts and streamlining a steady definition of roles and authorizations. This tool satisfies section I.E of the ITGC, and there is no chance they can mark you down with any kind of deficiency there. Virsa Access Enforcer is another tool, which satisfies the I.C controls. The I.B controls can be satisfied by using another tool called Virsa Firefighter, which handles exceptional access requests. Virsa Role Expert is another web-based tool.

Auditors love to snap your monitors with their tool called (Alt+Prt Sc). So get ready to snap your own monitors and make your printer auditor friendly.

The I.A controls involve the following solutions: maintain a policy document that provides security-related guidance for your SAP system landscape; make sure every user has his own unique ID and no system accounts exist; make sure user access to the SAP system is granted through defined profiles. Auditors use a system-generated report (no Excel sheets involved) to assess the periodic review of user access, which satisfies the I.D controls. So generating reports to satisfy their strict controls can only help you avoid a deficiency in their Test of Operative Effectiveness.
I. Access to Programs and Data

I.A
- The company has established an information security function that is appropriately aligned within the organization.
- The company has adopted a formalized security policy that provides guidance for information security within the organization and includes within its scope all aspects of the IT environment relevant to financial reporting applications and data (e.g. networks, perimeter security, operating system security, application security, acceptable systems use).

I.B
- The organization has established an authentication mechanism for in-scope information systems that provides individual accountability.
  - If passwords are used for authentication, the organization should have established rules for password management and syntax.
- The organization has established a rule-based authorization mechanism that provides access to system and application resources based on job function.

I.C
- An effective mechanism is in place to ensure that access is appropriately modified or revoked when changes in job function occur through transfer or termination.
- Changes to access rights are performed immediately after the user is terminated to minimize the likelihood of system abuse or sabotage.
- Security administration personnel effectively communicate changes to access rights to appropriate management.
- The organization has controls in place to ensure proper management of data access settings (i.e., data file permissions).

I.D
- The organization performs a periodic review of active users and user access rights to identify and remove inappropriate system access.
- Inappropriate system access is removed.
- Access changes due to the review process are appropriately documented and the documentation is retained.
- Access groups and roles are periodically reviewed to identify inappropriate or incompatible access rights that conflict with segregation of duties (as established in Audit Objective E below).

I.E
- Controls are in place to allow for effective translation of business rules into system access rules.
- Example control considerations:
  - The organization may group compatible system access privileges into roles or profiles to facilitate security administration.
  - Controls should ensure that segregation of duties conflicts do not exist for users having access to multiple system profiles or transactions.
In my previous blog, "SAP GRC - Governance, Risk and Compliance and Secrets of an External Auditor", I mentioned a couple of terms without a detailed explanation. Below are some of the key terms and definitions.
COSO: The Committee of Sponsoring Organizations of the Treadway Commission provides detailed internal control criteria and defines the components of internal controls. This framework sets a standard for management to follow with regard to internal controls.
PCAOB: Established by Sarbanes-Oxley, the Public Company Accounting Oversight Board has broad powers to oversee audits and auditors of public companies. Through its oversight of public company auditors, the PCAOB influences how companies should prepare for their audits. In March 2004, the PCAOB issued Auditing Standard #2, which provides the requirements for the audit of internal controls over financial reporting.
Internal Control over Financial Reporting: A process designed by or under the supervision of the company's principal executive and financial officers, or persons performing similar functions, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP (Generally Accepted Accounting Principles).
Test of Design:
Design effectiveness refers to whether the controls, if complied with, would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements. It involves consideration of the financial reporting objectives that the control is meant to achieve and whether it will achieve them.
Test of Operative Effectiveness:
Operating effectiveness refers to whether the control is operating as designed and whether the person performing the control has the necessary authority and qualifications to perform it effectively. During the testing of operating effectiveness, management gathers evidence on how the control was applied, the consistency with which it was applied and by whom it was applied.
SAP GRC Process Controls
SAP GRC Process Controls is an application for end-to-end control management: it manages automated and manual controls, prioritizes remediation activities and gives management a complete overview of the control environment.
To understand the concepts of SAP GRC Process Controls, it is necessary to learn the different controls, or control categories, for SAP. The controls mentioned below are considered the base for testing SAP systems by external auditors.
Preventative Controls:
Preventative controls help to prevent errors or fraud that could result in a misstatement of financial statements from occurring in the first place.
Examples of preventive controls are segregation of duties (which is handled well by the GRC Access Controls application), adequate documentation, and physical control over assets.
By performing a simulation in GRC Compliance Calibrator, we are implementing a preventive control that avoids introducing SOD violations before the risk ever reaches the production environment.
Detective Controls:
Detective controls help detect errors or fraud that have already occurred and could result in a misstatement of financial statements.
Examples of detective controls are periodic review of users and segregation of duties, analyses, variance analyses and reconciliations. SAP GRC provides management reports at 5 different levels, which can also be produced using transaction code SUIM. The 5 levels are SOD at Transaction Code Level reports, SOD at Authorization Object Level reports, Critical Transactions Risk Analysis reports, Critical Role/Profile reports and Mitigation Control reports.
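The two sides of SOD risk analysis described above, the transaction-code-level report over existing users (detective) and the simulation of a proposed role assignment before it reaches production (preventive), as an added example in plain Python. This is not SAP or Virsa code; the rule set, roles and users are constructed sample data, and the transaction codes are illustrative picks, not a rule set recommendation.

```python
"""Toy SOD risk analysis at transaction-code level (added example, not SAP code).
Rule set, roles and user assignments below are constructed sample data."""

# Constructed rule set: a risk fires when a user holds ALL of its transaction codes.
SOD_RULES = {
    "P001": {"level": "High", "tcodes": {"ME21N", "MIGO"},
             "desc": "Create purchase order and post goods receipt"},
    "F002": {"level": "High", "tcodes": {"FK01", "F-53"},
             "desc": "Maintain vendor master and post vendor payment"},
    "S003": {"level": "Medium", "tcodes": {"SU01", "PFCG"},
             "desc": "Maintain users and maintain roles"},
}

# Constructed roles: role name -> transaction codes the role grants.
ROLES = {
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_CLERK": {"F-53", "FB60"},
    "Z_VENDOR_MDM": {"FK01", "FK02"},
    "Z_SEC_ADMIN": {"SU01"},
    "Z_ROLE_ADMIN": {"PFCG"},
}

# Constructed user-to-role assignments (what a SUIM-style extract would list).
USERS = {
    "JDOE": ["Z_PURCHASER", "Z_WAREHOUSE"],
    "ASMITH": ["Z_AP_CLERK"],
    "BJONES": ["Z_SEC_ADMIN"],
}

def effective_tcodes(roles):
    """Union of the transaction codes granted by a list of roles."""
    return set().union(*(ROLES[r] for r in roles))

def analyse(tcodes):
    """Risk ids whose conflicting transaction codes are all present in tcodes."""
    return sorted(rid for rid, rule in SOD_RULES.items() if rule["tcodes"] <= tcodes)

def user_report(users=USERS):
    """Detective control: SOD-at-transaction-code-level report, users with violations only."""
    hits = {u: analyse(effective_tcodes(r)) for u, r in users.items()}
    return {u: risks for u, risks in hits.items() if risks}

def simulate(user, new_role, users=USERS):
    """Preventive control: risks that adding new_role would newly introduce for user,
    checked before the assignment is made in production."""
    before = set(analyse(effective_tcodes(users[user])))
    after = set(analyse(effective_tcodes(users[user] + [new_role])))
    return sorted(after - before)
```

A violation already present for a user is reported by `user_report` but not by `simulate`, which only flags what the proposed change would add.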
Authorizations: Approval of transactions executed in accordance with management’s generally accepted accounting principles and procedures.
Examples of authorizations include a supervisor's approval in SAP GRC Access Enforcer (Compliant User Provisioning), confirming that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
Interface/ Conversion Controls: Interface – Data interfaces transfer specifically defined portions of data between two computer systems and should ensure completeness and integrity of data being transferred.
Conversion: The process of converting data from one system to a new system.
Key Performance Indicators: Financial and non-financial quantitative measurements that are collected by the company, either continuously or periodically, and used by management to evaluate the extent of and progress towards meeting management's defined objectives.
Reconciliation: A control designed to determine that two items, such as two computer systems, are consistent.
Segregation of duties: SAP covers this well enough in SAP GRC Access Controls, which describes SOD as the segregation of the duties and responsibilities of authorizing transactions, recording transactions and maintaining custody of assets, to prevent an individual from being in a position to both perpetrate and conceal an error or irregularity.
Management Review: A person other than the preparer analyzing and performing oversight of the activities performed (this does not apply solely to management doing the review).
System Access: The ability that an individual or group has within a computer information system processing environment, as defined by access rights configured in the system. The access rights in the system agree to access in practice.
System Configuration/Account Mapping: Configuration – ‘switches’ that can be set by turning them on or off to secure data against inappropriate processing, based on the organization’s business rules.
Account mapping – ‘switches’ that can be set related to how a transaction is posted to the GL and then to the financial statements.
Exception/ Edit Report:
Exception – A Report generated which shows violations of company standards.
Edit – A report generated that shows changes made to a master file.
A very important concept used by auditors is the Financial Statement Assertions. Auditors use these as a framework to assess the financial statements and present them in the right manner. Based on the control activity and the business value, an assertion is used to make sure the business process runs fairly.
Below is a brief definition of each of these assertions:
Consider the example below:
The control is about monitoring the changes in the developer keys to detect unauthorized application changes. This control belongs to the Presentation and Disclosure assertion as mentioned in the above table.
Similarly, let's take another example:
This control is monitoring changes to the configuration setting that allows or denies General Ledger postings by document types. This control belongs to the Rights and Obligations and Valuation or Allocation assertion as defined in the above table.
For completeness, consider this example:
As external auditors continue to conduct tests to verify existence, occurrence or completeness, SAP GRC Process Controls can help you take complete control over any misstatement in your financial statements.
Gary Prewett wrote this excellent article on SDN. I'd like to share his article here:
http://scn.sap.com/community/grc/blog/2014/12/03/starting-fiscal-year-2015-on-the-right-grc-foot
The Public Company Accounting Oversight Board, established by Congress as part of the Sarbanes-Oxley Act, has responsibility to oversee audits by public companies. Since 2012, the PCAOB has been particularly active, and in September of 2014 the PCAOB announced that significant changes to auditing standards had been released and take effect for companies with a fiscal year starting December 15th, 2014 or afterwards – less than two weeks from the time of this writing.
In addition to changes and proposed changes to accounting standards, the PCAOB has been actively releasing staff guidance in the form of practice alerts, directing additional validation of source reporting assumptions, ensuring that system-generated reports are complete and accurate, and verifying top-down risk assessments are conducted (one auditor acquaintance of mine recently termed the current PCAOB validation process “brutal”).
So What Does this Mean for Me?
Practically speaking, SAP customers publicly traded in the U.S. have been seeing and will continue to see increased scrutiny from their external auditors. So what does this mean for SAP customers with U.S. Sarbanes-Oxley obligations? And in particular, what does this mean for SAP customers with SAP Access Control/GRC in place to monitor separation of duties and automate security design and role assignment?
For canned Access Control/GRC reports and rule sets, it is relatively easy to verify assumptions around completeness and accuracy. That said, the SAP-delivered rule set is not one size fits all – some high risks for certain industries will be medium risks for others, and vice-versa. For those of you who like to spend this time of year planning strategy for the coming year, I recommend considering the following questions when planning your FY 2015 audit report improvements to stay ahead of trends in SOX reporting requirements:
- Have we conducted a top-down risk assessment with high, medium and low SOD risks in our AC/GRC rule set(s) in scope, and have the results been verified and signed off on by senior management? And are we able to trace rule set changes to findings in this risk assessment?
- Mitigating controls are, by design, limited to being effective for one year. Still, many SAP customers will re-apply them for another year without giving a whole lot of thought to the underlying assumptions. Did your risk assessment ensure that the residual risk, after mitigating controls are in effect, is acceptable? And is there traceability of these management signoffs to your mitigating controls?
- Are my technical controls for my GRC landscape adequately defined and documented? Have we spent adequate time negative-testing GRC roles (for example, can mitigating control owners approve firefighter requests?)
- Have my risk owners been adequately defined by senior management and adequately documented?
- Have my BPOs been adequately defined by senior management?
Final Thoughts
The PCAOB practice and standards changes have had and will continue to have an impact; the full extent of that impact has yet to be determined. That said, early compliance will have significantly less organizational impact than mid-year remediation. It never hurts to plan ahead!
Related Reading
http://www.natlawreview.com/article/public-company-accounting-oversight-board-pcaob-selected-auditing-developments
http://pcaobus.org/Standards/QandA/10-24-2013_SAPA_11.pdf
http://pcaobus.org/Rules/Rulemaking/Docket038/Release_2014_002_Related_Parties.pdf