Is your ERP ready for COSO 2013?


Securing the ERP Webcast series
February 26, 2015

Agenda
- COSO 2013 overview
  - What is changing and what is not?
  - Internal control definition
  - Components and principles
  - Transition timing and effort
- Security and automated control considerations
  - Selected COSO 2013 principles with IT control implications
- Securing the ERP approach to COSO 2013 transition
  - Securing the ERP approach
  - Securing the ERP maturity model
  - Maturity model example: Record to report
- Securing the ERP Webcast series overview

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

Questions
Please send any questions during the presentation.

Presenters - Timothy Murphy, Director

Timothy Murphy, Director, KPMG LLP
Two Financial Center, 60 South St., Boston, MA
tlmurphy@kpmg.com

Function and specialization
Tim is a member of the IT GRC practice specializing in IT risk and compliance, with a particular focus on ERP security and controls and Oracle Advanced Controls (OAC).

Education, licenses & certifications
- BS, Bentley University
- Oracle Certified Professional, Oracle General Ledger and Oracle Advanced Controls
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)

Professional and industry experience
Tim is a Director in KPMG's IT Governance Risk and Compliance (GRC) practice with over 15 years of experience leading engagements with a focus on information systems risk and control. He has led multiple engagements focusing on the design and implementation of IT internal controls and security, as well as implementations of Governance Risk and Compliance packages including the Oracle Advanced Controls (OAC) suite. Tim has extensive experience in the diversified industrials, life sciences, and several other industries, with a particular focus on ERP security and controls. Additionally, he has played a significant role in developing and delivering training for KPMG professionals in assessing controls within an ERP environment as well as in assessing controls in support of SOX 404 attestation engagements. Tim has also managed numerous Sarbanes-Oxley 404 IT documentation and testing engagements, both in an advisory and an audit capacity, for clients spanning multiple industries. He also serves as lead engagement director overseeing IT audit and compliance activities for a multinational diversified industrials client.

Presenters - Chris McGee, Director

Christopher McGee, Director, KPMG LLP
191 West Nationwide Blvd., Columbus, OH
cmcgee@kpmg.com

Function and specialization
Chris is a member of the IT Advisory Oracle GRC practice focusing on IT Governance Risk and Controls and IT Risk Management.

Education, licenses & certifications
- B.S. Electrical and Computer Engineering, The Ohio State University
- Masters in Business Administration, The Ohio State University
- ITIL Foundation Certified
- Certified Information System Auditor (CISA)
- US Patent US 2005/ A1 for a microfluidic chemical reactor

Professional and industry experience
Chris is a Director with KPMG's Columbus Advisory practice. He has seventeen years of experience in engineering, consulting and industry. This combination of backgrounds allows him to bring a different perspective to business process reengineering and to the identification and design of business process controls to minimize organizational risk. Chris focuses on process-related risk and how technology solutions can help manage or mitigate those risks in a cost-effective manner. He has worked on various IT and process controls projects focused on driving down the cost of controls while minimizing the risk profile. Prior to joining KPMG he worked on the deployment of master data governance solutions for large-scale ERP projects. Chris has also managed numerous Sarbanes-Oxley 404 IT documentation and testing engagements, both in an advisory and an audit capacity, for clients spanning multiple industries. Chris also acts as the Director of Internal Audit for five Fortune 500 companies and is the lead External Audit IT Director for an additional five.

COSO 2013 overview

Introduction to COSO 2013
- Updated Internal Control Integrated Framework (2013 Framework) issued on May 14, 2013
- Companion documents:
  - Internal Control Integrated Framework: Executive Summary
  - Illustrative Tools for Assessing Effectiveness of a System of Internal Control
  - Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
- COSO 1992 Framework was superseded as of December 15,

COSO 2013 Framework: Summary of changes

What is not changing...
- Core definition of internal control
- Three categories of objectives and five components of internal control
- Each of the five components of internal control is required for effective internal control
- Important role of judgment in designing, implementing, and conducting internal control and in assessing its effectiveness

What is changing...
- Updated for changes in business and operating environments
- Emphasis on governance
- Expanded operations and reporting objectives suitable for other purposes
- Implicit fundamental concepts underlying the five components are codified as 17 principles
- Updated for increased relevance of and dependence on IT
- Addresses fraud risk assessment and response

SEC definition of internal control over financial reporting
Regulation 13a-15(f) defines internal control over financial reporting as:

"A process... to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles..."

Includes policies and procedures that:
1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer
2. Ensure receipts and expenditures of the issuer are made only in accordance with authorizations of management and directors
3. Provide reasonable assurance regarding prevention or timely detection of the unauthorized acquisition, use, or disposition of the issuer's assets that could have a material effect on the financial statements

COSO components and principles
For effective internal control:
- Each of the five components and 17 principles must be present and functioning
- Points of focus provide example characteristics of the principles
- The five components must operate together in an integrated manner

Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Transition: Time line and effort
- COSO determined the 2013 Framework will supersede the 1992 Framework effective December 15,
- SEC monitoring of the transition phase
- Assess the implications of the 2013 Framework as soon as feasible
  - This is more than a mapping exercise
  - Impact of adopting the updated framework will vary by entity
- Organizations should disclose whether the 1992 or 2013 version of the Framework is used during the transition period
- Plan sufficient time for testing and remediation of deficiencies
- Opportunity to take a fresh look
  - Consider the efficiency and effectiveness of business processes, risk assessments, and controls responsive to the risks

Security and automated control considerations of COSO 2013

Selected COSO 2013 principles with IT security and control implications
Multiple COSO 2013 principles have IT security and control implications:
- Principle #3 (Control Environment): Establishes structure, authority, and responsibility
- Principle #8 (Risk Assessment): Assesses fraud risk
- Principle #10 (Control Activities): Selects and develops control activities
- Principle #11 (Control Activities): Selects and develops general controls over technology
- Principle #13 (Information & Communication): Uses relevant information

IT control and security implications of COSO 2013 principles

Principle #3
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Selected points of focus:
- Establishes reporting lines
  - Authorization limits for transactions consistent with the organization's Delegation of Authority policies
  - Audit trail documenting the approvers of each transaction
- Defines, assigns, and limits authorities and responsibilities
  - Access to sensitive functions consistent with individuals' job functions
  - Access rights are configured to enforce proper segregation of duties

IT control and security implications of COSO 2013 principles (continued)

Principle #8
The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Selected points of focus:
- Considers various types of fraud
- Assesses opportunities
  - Segregation of duties (SOD) and access to sensitive functionality
  - Monitoring and data analytics to detect suspicious activity

IT control and security implications of COSO 2013 principles (continued)

Principle #10
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Selected points of focus:
- Evaluates a mix of control activity types
  - Automated controls (e.g., configurable parameters, account mapping, edit checks, interfaces, user access, etc.)
  - IT-dependent manual controls, typically review of system-generated reports
- Addresses segregation of duties

Dependence on automated and IT-dependent controls typically increases with the complexity of systems and the automation of business processes.

IT control and security implications of COSO 2013 principles (continued)

Principle #11
The organization selects and develops general control activities over technology to support the achievement of objectives.

Selected points of focus:
- Determines dependency between the use of technology in business processes and technology general controls
- Focus shifts toward identifying the specific general IT controls linked to the application controls on which the organization relies, e.g.:
  - Access to modify data underlying system-generated reports used in management's control activities and monitoring procedures
  - Controls over changes to system configuration settings, reports, and functionality
  - Access management processes related to sensitive functionality
  - Completeness and accuracy over interfaces and batch processes that move or transform data

IT control and security implications of COSO 2013 principles (continued)

Principle #13
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

Selected points of focus:
- Processes relevant data into information
- Maintains quality throughout processing
  - Increased focus on ensuring management reviews take place using complete and accurate data
  - Requires an assessment of controls such as user access, batch controls, edit checks, etc., at each point in the process where data may be transformed prior to being used as part of a management review
  - Requires controls to prevent or detect malicious or accidental changes that may compromise the integrity of system-generated reports

Securing the ERP approach to COSO 2013 transition

Evolution of internal controls
In the initial effort to identify internal controls to comply with the Sarbanes-Oxley Act, many organizations focused heavily on manual controls such as management reviews. While organizations' business processes have become increasingly automated, many have not reflected this transition in their mix of manual versus automated controls. As the size and complexity of a business increase, the ability of management reviews and other manual detective controls to identify and correct fraud and misstatements may decrease. Automated controls reduce risk to the organization because they are significantly less subject to human error or management override. The transition to COSO 2013 will require organizations that have lagged behind to reassess their use and documentation of automated controls.

Securing the ERP approach
KPMG's Securing the ERP approach is a 360-degree view of ERP security and controls and is positioned to help industry-leading organizations effectively balance the divergent tasks of empowering ERP business users while simultaneously protecting sensitive data and transactions.

[Figure: 360-degree view of ERP security, centered on ERP Advanced Controls]

Securing the ERP approach: Tools discussion

[Figure: 360-degree view of ERP security. Labels shown: Application Security; Segregation of Duties; Adaptive Authentication; ERP Advanced Controls; Advanced Controls (Preventative, Detective, Configuration Monitoring); Authentication; Database Security (Database Firewall, Database Vault, Privilege Access); User Access Administration (Identity Management, User Provisioning, User Certification)]

Securing the ERP maturity model

Levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized (progressing from Ad Hoc through Reactive to Automated)

Security, from Initial to Optimized:
- Individual user permission approach
- Defined user request and approval process
- RBAC; HR position-based permissions
- User self-service; Single sign-on; Identity integration
- Adaptive authentication

Controls, from Initial to Optimized:
- Manual controls; No SOD
- ERP configurable controls; Controls matrix
- Automated SOD management; Configuration controls
- Detective controls
- Preventative controls

Maturity example: Record to report

Levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

Controls, progressing from Initial to Optimized:
- Manual approval of journal entries (JEs)
- Periodic reviews of JEs to ensure appropriateness and segregation of entry/posting
- Subledger to G/L reconciliations
- Periodic review of access to GL roles and responsibilities
- Automated journal entry approval limits
- Configuration of control accounts to prevent manual entries to subledger accounts
- Manual reviews of access and JE appropriateness continue, along with reviews of JE approval limits
- Automated SOD enforcement between entry and posting
- Automated tools for monitoring sensitive access (entry, posting, chart of accounts maintenance, etc.)
- Tools to aid management in assessing key system configurations (e.g., approval limits)
- Automated transaction monitoring capability to identify suspect JEs
- Automated, real-time monitoring and/or change control over JE approval limits
- Real-time notification or additional approval requirements for suspect JEs
- Complex pattern analysis to identify high-risk JE activity
- Identity management solution to maintain appropriate user access
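To make the record-to-report controls concrete, the following added example (not KPMG or Oracle code; all field names, limits, account numbers and journal entries are constructed for illustration) runs three of the automated checks from the maturity example over a batch of journal entries: segregation of duties between entry and posting, approval limits tied to a delegation-of-authority table, and blocking manual entries to subledger control accounts.

```python
"""Detective checks for three record-to-report controls: SOD between
JE entry and posting, JE approval limits, and no manual entries to
control accounts. Illustrative only; data and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    amount: float
    account: str      # GL account the entry hits
    entered_by: str
    posted_by: str
    approved_by: str
    manual: bool      # True if keyed manually rather than fed from a subledger


# Constructed approval limits per approver (the delegation-of-authority table).
APPROVAL_LIMITS = {"alice": 50_000, "bob": 10_000}

# Constructed subledger control accounts; only subledger postings may hit these.
CONTROL_ACCOUNTS = {"1200-AR", "2100-AP"}


def review_entries(entries):
    """Return {je_id: [finding, ...]} for entries breaching a control.
    Clean entries are omitted, so an empty dict means no exceptions."""
    findings = {}
    for je in entries:
        issues = []
        if je.entered_by == je.posted_by:          # SOD: entry vs. posting
            issues.append("SOD: same user entered and posted")
        limit = APPROVAL_LIMITS.get(je.approved_by)  # approval limit check
        if limit is None:
            issues.append("approver not in delegation-of-authority table")
        elif je.amount > limit:
            issues.append(f"amount {je.amount:,.2f} exceeds approver limit {limit:,}")
        if je.manual and je.account in CONTROL_ACCOUNTS:  # control account check
            issues.append("manual entry to control account")
        if issues:
            findings[je.je_id] = issues
    return findings


# Constructed sample batch: JE-1 is clean; the others each breach a control.
SAMPLE = [
    JournalEntry("JE-1", 4_000, "6000-EXP", "carol", "dave", "bob", True),
    JournalEntry("JE-2", 12_500, "6000-EXP", "carol", "carol", "bob", True),
    JournalEntry("JE-3", 900, "1200-AR", "erin", "dave", "alice", True),
    JournalEntry("JE-4", 75_000, "1200-AR", "erin", "dave", "mallory", False),
]

if __name__ == "__main__":
    for je_id, issues in review_entries(SAMPLE).items():
        print(je_id, "->", "; ".join(issues))
```

In a real ERP these checks would sit on the posting workflow as preventive controls; run after the fact over an extract, as here, they are the "automated transaction monitoring" detective control from the Managed level.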

Key takeaways
- COSO 2013 codifies principles and points of focus that will require many organizations to identify or design and implement additional IT controls.
- IT controls provide several advantages in comparison to manual controls, including:
  - Less susceptible to human error
  - Less potential for management override
  - Less ongoing effort to maintain
- IT-dependent manual controls require a focus on automated controls, ensuring completeness, accuracy, and timeliness of the information used in the performance of controls.
- KPMG's Securing the ERP approach supports organizations in their efforts to attain benefits from adoption of COSO 2013 by progressing through the Maturity Model toward a more effective and efficient system of internal controls.

Securing the ERP Webcast series overview

Securing the ERP series

Date - Topic
- January 2015 - Securing the ERP: Is Your ERP Secure?
- February 2015 - COSO 2013: ERP Security and COSO Deep Dive
- March 2015 - Oracle R12 Security & Controls Functionality leading practices
- April 2015 - User Access Controls (RBAC Story)
- May 2015 - PeopleSoft Security & Controls Functionality leading practices
- June 2015 - User Administration Leading Practices
- July 2015 - Internal Audit Considerations related to Oracle ERP
- August 2015 - Oracle Advanced Controls Leading Practices
- September 2015 - Oracle ERP Data and Infrastructure Security
- October 2015 - Securing the ERP Client Case Studies
- October 2015 - OOW: Securing the ERP Overview and Client Case Studies

Thank you
Presentation by Tim Murphy and Chris McGee

2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.