introduction to automated controls jay swaminathan
play

Introduction to Automated Controls Jay Swaminathan San Francisco - PowerPoint PPT Presentation

Dec 05, 2023 •123 likes •395 views

Introduction to Automated Controls Jay Swaminathan San Francisco Chapter Agenda Defining Automated Controls The Value of Automated Controls Common Testing Approaches ITGC considerations The Concept of Benchmarking

  1. Introduction to Automated Controls Jay Swaminathan San Francisco Chapter

  2. Agenda • Defining Automated Controls • The Value of Automated Controls • Common Testing Approaches • ITGC considerations • The Concept of ‘Benchmarking’ • Capabilities of GRC tools • Increasing reliance on automated controls • Questions / Comments San Francisco Chapter

  3. Examples Example 1 Example 2 Example 3 Example 4 System Three way System Custom logic calculates match enforced to enforce Depreciation journal sales order based on approval limits by sales setting based on person limits Type Inherent Configurable Configurable Customized Nature Calculation Validation Authorization Authorization Key Change Program Program and Program Program Manage changes Configuration changes changes considerations changes Key Logical None Access to Access to None Access configuration configuration considerations Walkthrough Positive Negative Positive Positive San Francisco Chapter

  4. Categories of Controls Manual Controls Manual Type Of Control IT-Dependent Manual Controls IT General Controls Automated Application Controls Prevent Detect Support The Continued Functioning Of Automated Aspects Of Prevent And Misstatement In The Financial Statements Detect Controls Objective Of Control San Francisco Chapter

  5. Control Layout San Francisco Chapter

  6. Type of Controls • Inherent processing and controls – Built into the application – Examples: DR = CR, Depreciation calculation, etc. • Programmed controls (custom coded) – Custom functionality – Based on specific business requirement • Configurable controls – Customized and can be disabled or set up to operate in different ways – Examples: three-way matching, auto-accounting San Francisco Chapter

  7. Nature of Application Controls • Validations • Calculations • Authorizations San Francisco Chapter

  8. Examples Example 1 Example 2 Example 3 Example 4 System Three way System Custom logic calculates match enforced to enforce Depreciation journal sales order based on approval limits by sales setting based on person limits Type Inherent Configurable Configurable Customized Nature Calculation Validation Authorization Authorization Key Change Program Program and Program Program Manage changes Configuration changes changes considerations changes Key Logical None Access to Access to None Access configuration configuration considerations Walkthrough Positive Negative Positive Positive San Francisco Chapter

  9. Application Controls Benefits • Implement once (cost depending on type of control) • Lower cost in operation of control – Less dependence on humans – Fewer errors – Less paper • Control assessment usually more efficient – Test of One – Benchmarking San Francisco Chapter

  10. Random Application Control points • Control nomenclature – SOAP Subject, Object, Action and Purpose • Control where system defaults information are not strong • Logical Access controls as Application controls • Restricted Access & SOD Controls • Ignorance is not a control San Francisco Chapter

  11. Testing Approach • Test of Design (Test of one) – Inquiry and observation procedures. – Review of configurations for configurable control – Examination of one or more transactions to confirm the design. • Test of Effectiveness – Rely on underlying IT General Controls Questions / Discussion: • When is a ‘negative test’ appropriate? • How to confirm whether setup is same across the whole organization • What additional considerations for configurable controls • Do we review code for customizable controls? San Francisco Chapter

  12. Testing Examples • Inspect configuration – Inspect 2/3/4-way match configuration – Inspect tolerance levels configured • Re-performance via a walkthrough of each significant flow of transactions – Demonstrate the operating effectiveness of the control via positive and negative confirmation • Inspect the authorizations and re-perform controls to confirm the design – Inspect privileges assigned to all users • Determine how overrides are possible throughout testing and how they are monitored San Francisco Chapter

  13. ITGC Considerations • IT General Controls must be effective • ITGC must cover automated controls (e.g., configuration changes) • Configuration not made at entity/instance level (customer, supplier, item, etc.) San Francisco Chapter

  14. ITGC Considerations continued… • SOD between access to configuration vs. transaction • Emphasis could shift between change management and logical access – Authorizations, configurations – Logical Access – Calculation, customization, Inherent – Change Management San Francisco Chapter

  15. ITGC Concerns Change Management • Ability to make code changes is not limited to programmers • Standard change management process not followed for configuration settings Logical Access • End users have ability to change configuration settings (Users Vs. Super Users Vs. System administrator) • Override of the control by super users or system/database administrators • Improper Segregation of Duties (Create document Vs. release holds) San Francisco Chapter

  16. Testing – Ineffective ITGC • Sample based Application control testing • WCGW never went wrong – E.g. configuration not changed although change management around configurations not effective. • Professional judgment on inherent controls San Francisco Chapter

  17. Examples Example 1 Example 2 Example 3 Example 4 System Three way System Custom logic calculates match enforced to enforce Depreciation journal sales order based on approval limits by sales setting based on person limits Type Inherent Configurable Configurable Customized Nature Calculation Validation Authorization Authorization Key Change Program Program and Program Program Manage changes Configuration changes changes considerations changes Key Logical None Access to Access to None Access configuration configuration considerations Walkthrough Positive Negative Positive Positive San Francisco Chapter

  18. Benchmarking • Benchmarking is the ability to roll forward prior conclusions on control effectiveness based on the ability to demonstrate a static and controlled environment. • Historically very difficult to achieve due to complexities within the ERP environment and the dynamic (regularly changing) nature. • GRC Software packages now making true benchmarking feasible. Question / Discussion: Does benchmarking become irrelevant if continuous monitoring (via GRC tools, etc.) can be achieved? San Francisco Chapter

  19. Benchmark Testing Approach • Monitoring • Rotational Testing San Francisco Chapter

  20. GRC Capabilities • Monitor SOD real time • Efficiently Implement SOD prevent controls • Monitor configuration changes real time • Document risks, audit, findings, etc San Francisco Chapter

  21. Case Study Expanding Reliance on Automated Controls San Francisco Chapter

  22. Objective • Identification of unmitigated risks or redundant controls • Identify additional automated controls • Increase the efficiency of testing the controls San Francisco Chapter

  23. Rationale • Once implemented, application controls are significantly cheaper to operate. • Application controls are more consistent and secure than manual controls. • Application controls are very often the only controls within an automated process. • It could be more efficient to rely on application controls rather than doing substantive testing. San Francisco Chapter

  24. Process 1. Meetings with Process Owners to understand the process 2. Working session to determine control set and testing approach 3. Draft implementation plan 4. Confirm changes and discuss the plan to implement San Francisco Chapter

  25. Result • Identified controls that were already implemented and contributed to the mitigation of risk • Implemented new application controls that reduced the need for manual controls • Used benchmarking for some application controls to increase the efficiency of the controls assessment Control mix prior to review – 90% manual, 10% automated Control mix after review – 50% manual, 50% automated San Francisco Chapter

  26. Questions? San Francisco Chapter

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated and Modern Trading Markets Subcommittee FIA Best Practices for Exchange Risk Controls

Automated and Modern Trading Markets Subcommittee FIA Best Practices for Exchange Risk Controls

Automated and Modern Trading Markets Subcommittee FIA Best Practices for Exchange Risk Controls October 3, 2019 FIA Best Practices for Exchange Risk Controls Electronic trading has become an integral tool for an increasingly large percentage of

136 views • 10 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles

Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles

Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles Governance, Risk and Compliance Suite with Real-time Policy Enforcement October 26, 2007 Disclaimer The following is intended to outline our general product

408 views • 17 slides
Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1, page 1 What is it to Reason? Informally, reasoning is: to seek or attain knowledge or truth or the process of drawing conclusions with

876 views • 18 slides
IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or countermeasures to avoid, detect, counteract, or minimize security risk Types of Controls Preventive Controls (E.g. Password lockout after 5 failed

483 views • 31 slides
Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager

Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager

Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager Brad Ames, Internal Audit Director Hewlett-Packard Company San Francisco Chapter San Francisco Chapter Premise for Continuous Monitoring

879 views • 70 slides
Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT Controls Objectives of IT Controls are Interrelated Prevent & Detect Fraud Automate Ensure controls Prevent integrity & accidental

308 views • 16 slides
Chapter 7 System & Controls Chapter 7. System and controls Introduction 1. How do ICS

Chapter 7 System & Controls Chapter 7. System and controls Introduction 1. How do ICS

Chapter 7 System & Controls Chapter 7. System and controls Introduction 1. How do ICS operates 2. Ascertaining the systems 3. Documenting client systems 4. Testing the system 5. The revenue cycle 6. The purchase cycle 7. The

358 views • 32 slides
ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls? Behavior Modification versus lighting controls Implementation and outcomes Typical Controls Keyed Switches Dual switching

973 views • 15 slides
Automated Planning Introduction and Overview 1 Literature Malik Ghallab, Dana Nau, and

Automated Planning Introduction and Overview 1 Literature Malik Ghallab, Dana Nau, and

Automated Planning Introduction and Overview Automated Planning Introduction and Overview 1 Literature Malik Ghallab, Dana Nau, and Paolo Traverso. Automated PlanningTheory and Practice , chapter 1. Elsevier/Morgan Kaufmann, 2004.

476 views • 32 slides
Introduction to Automated Reasoning and Satisfiability Marijn J.H. Heule

Introduction to Automated Reasoning and Satisfiability Marijn J.H. Heule

Introduction to Automated Reasoning and Satisfiability Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 3, 2019 1/40 Automated Reasoning Has Many Applications security planning and

1.04k views • 56 slides
13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem

13 Automated Reasoning 13.0 Introduction to Weak 13.3 PROLOG and Methods in Theorem Automated Reasoning Proving 13.4 Further Issues in 13.1 The General Problem Automated Reasoning Solver and Difference 13.5 Epilogue and Tables

775 views • 51 slides
Mr.Coffee Espresso Machine Jefferson Delgado Allan Li Thanh Tran Antonio Whitehead

Mr.Coffee Espresso Machine Jefferson Delgado Allan Li Thanh Tran Antonio Whitehead

Mr.Coffee Espresso Machine Jefferson Delgado Allan Li Thanh Tran Antonio Whitehead Introduction Model: ECMP50 Brand: Mr. Coffee Type: Espresso Machine Features: Automated pump Automated temperature controls Switches Diagram

217 views • 17 slides
Introduction to Automated Task Planning Jonas Kvarnstrm Automated Planning and Diagnosis

Introduction to Automated Task Planning Jonas Kvarnstrm Automated Planning and Diagnosis

Introduction to Automated Task Planning Jonas Kvarnstrm Automated Planning and Diagnosis Group Artificial Intelligence and Integrated Computer Systems (AIICS) / IDA jonkv@ida jonkv@ida What is Planning? Shakey 3 4 Classical example:

763 views • 30 slides
Controls on aboveground net primary productivity & the partitioning of canopy and wood

Controls on aboveground net primary productivity & the partitioning of canopy and wood

Controls on aboveground net primary productivity & the partitioning of canopy and wood production in tropical rainforests Florian Hofhansl, & Wolfgang Wanek ATBC 2013 San Jos, Costa Rica Climatic Controls Introduction Global

414 views • 17 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
Circular A 133 Audits for Non Profit Clients: Protecting Grant Eligibility Successful Audit

Circular A 133 Audits for Non Profit Clients: Protecting Grant Eligibility Successful Audit

Presenting a live 110 minute teleconference with interactive Q&A Circular A 133 Audits for Non Profit Clients: Protecting Grant Eligibility Successful Audit Tactics Based on Latest Guidance and Standards WEDNES DAY, FEBRUARY 2,

775 views • 61 slides
Unified Computing System (UCS) Its not a collection of servers. Its a fully self-integrating

Unified Computing System (UCS) Its not a collection of servers. Its a fully self-integrating

Unified Computing System (UCS) Its not a collection of servers. Its a fully self-integrating system Luis Florian Ingeniero Implementador lflorian@martinexsa.com Agenda What is UCS? 1. Architecture Overview 2. Stateless Computing &

384 views • 12 slides
VDI, Notes From the Field Chris McDuffie Manager, Application Delivery Agenda VDI Should

VDI, Notes From the Field Chris McDuffie Manager, Application Delivery Agenda VDI Should

VDI, Notes From the Field Chris McDuffie Manager, Application Delivery Agenda VDI Should Solve a Business Problem Know What You Have Know What You Have Know Where You Are Going Dont Be an Overlord How to Get

473 views • 19 slides
PeeringDB Arnold Nipper arnold@peeringdb.com 2017-02-28 Apricot 2017, Ho Chi Minh City, Viet

PeeringDB Arnold Nipper arnold@peeringdb.com 2017-02-28 Apricot 2017, Ho Chi Minh City, Viet

PeeringDB Arnold Nipper arnold@peeringdb.com 2017-02-28 Apricot 2017, Ho Chi Minh City, Viet Nam 1 Agenda PeeringDB 2.0 Membership and Governance Committees Sponsorship Information and Resources 2017-02-28 Apricot 2017,

478 views • 36 slides
1 Your team, here today Ted Singeris Katherine Saarlaid Kathleen Stankowitsch VP, Client

1 Your team, here today Ted Singeris Katherine Saarlaid Kathleen Stankowitsch VP, Client

1 Your team, here today Ted Singeris Katherine Saarlaid Kathleen Stankowitsch VP, Client Relationships & Client Relationship Executive Business Development Implementation Project Manager Michael Carter Allan Porter Carol Edwards

610 views • 44 slides
GOLD FORUM Process 2019/20 Information presentation WELCOME GOLD FORUM Process 2019/20 2 GOLD

GOLD FORUM Process 2019/20 Information presentation WELCOME GOLD FORUM Process 2019/20 2 GOLD

GOLD FORUM Process 2019/20 Information presentation WELCOME GOLD FORUM Process 2019/20 2 GOLD PROCESS Organisation Team 2019/20 Kate Frazer Tanja Lux Susann Koalick Mag. Claudia Kurat GOLD Process GOLD Process Assistant GOLD Process Lead

525 views • 39 slides
Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders

Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders

: Asset Integrity Management The House of Integrity Integrating Process Safety Steven Saunders TUV Rheinland/Risktec This Presentation What is asset integrity? Why should we invest in asset integrity? A modern interpretation of

1.34k views • 27 slides
Annual Results Presentation For the 12 month period ending 31 May 2019 and Plans for the

Annual Results Presentation For the 12 month period ending 31 May 2019 and Plans for the

Annual Results Presentation For the 12 month period ending 31 May 2019 and Plans for the Recharged Cell C Agenda The Cell C story to date Turnaround strategy Performance over the last three months post the annual reporting

696 views • 17 slides

More recommend