
Internal Audit and IT's Role In A Down Economy
Devin Amato & Heidi Zenger, Deloitte Enterprise Risk Services
Kansas City ISACA, February 12, 2009


Topics
• Contract Risk & Compliance
• Renewed focus on Data Mining
• Controls Rationalization
• The Next Wave of Green IT
Copyright © 2009 Deloitte Development LLC. All rights reserved.


Contract Risk & Compliance


What is Contract Risk & Compliance (CRC)?
Contract Risk & Compliance helps organizations optimize the performance of strategic business relationships by promoting the integrity and reliability of the contracts that underlie their business relationships.
• Impacts profits by reclaiming contractual revenue
• Reduces risk by improving processes and controls


The Extended Enterprise: Contractual Obligations and Business Processes
• Outsourcing on/off shore, licensing IP, grants, JVs, alliances
• Exposure to brand or reputation risk
• Revenue leakage, unauthorized product distribution, licensing of IP
• Paying for potentially unwarranted variable costs: complicated, cost-plus contracts like advertising
(Diagram: the Company at the center of its extended enterprise: Suppliers, Advertising, Affiliates, Joint Ventures, Franchisees, Distributors, Agents, Licensees, Customers)


The Extended Enterprise: Contractual Obligations and Business Processes
Consultative (internal)
• Contract Management
• MFN/MFC
• Sales & Marketing
• Outsourcing
• Strategic
• Procurement
Supply-Side Partners
• Joint Ventures / Alliances
• Advertising
• Revenue Sharing / Cost Sharing
• Internet (development)
• Manufacturer
• Profit Sharing (costing)
• MFN/MFC
• Benefits
• Outsourcing (IT, call center)
• Warranty
• Construction
• Leasing
• Telecom
Demand-Side Partners
• Distributor (includes inventory price protection)
• IP
• Telecom
• Subscriber
• Dealer/reseller
• OEM
• Franchise
• Internet
• Warranty
• Replicator
• End User
• Brand
• Policy Adherence
• Quality
• CSR
• Royalty
Industries shown on the slide: Manufacturing, Consumer Business, Health Care, Financial Services, Real Estate


Process overview (slide diagram; no text extracted)


Discussion Question
• In your table groups, discuss what types of contracts exist at your company. Who is managing these?
• Discuss Internal Audit's involvement.


Renewed focus on Data Mining: A Foundation for Managing Risk


Does an economic downturn mean an uptick in fraud?
• Nearly two-thirds (63.3 percent) of executives surveyed expect accounting fraud to increase during the next two years.
• Data from the National White Collar Crime Center shows a spike in arrests for fraud and embezzlement during the two most recent recessions. [1]
  – Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years;
  – Following the Internet bust in 2000, arrests jumped 25% in the following two years.
[1] "Experts Say Fraud Likely to Rise", Business Week, January 9, 2009


Fraud factors
• Three common factors drive fraudulent activity (diagram: Opportunity, Financial Pressure, Rationalization)
• How has the economy impacted these factors in your organization?


A closer look
Financial pressure
• Corporate: short-term performance goals, earnings expectations, revenue forecasts, financial ratios tied to debt covenants, aggressive accounting practices and applications
• Personal: increase in asset misappropriation schemes including skimming, check tampering, and expense reimbursement
Opportunity
• Downsizing, re-prioritizing towards revenue and reducing focus on internal controls, reduced SOD, increased workloads and inexperience
Rationalization
• If employees suspect that they may be let go, they may rationalize "what do I have to lose?"
• As corporate revenues decline, management may rationalize fraudulent activity believing it is serving the best interest of the company, its employees, and its shareholders.


Example risks and data mining procedures
Reduced headcount
• Payments to terminated/deceased employees
• Software licensing audits
• System reviews for segregation of duties
Expenditures
• Duplicate payments analysis
• Employee expense reimbursement
• Accounts payable invoice three-way match analysis
• Identification of unusual payment activity
Revenue recognition & assurance
• Credits to sales without corresponding AR/cash entry
• Receivables adjustments allowance
• Over-billing analysis
• Accounts receivable aging analysis and rollforward
Fixed assets
• Test for unusual additions and retirements
• Depreciation expectation analysis and recalculation
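The slide names the procedures but not how they are run. The following is an added example, not code from the deck or from Deloitte, showing three of them (duplicate payments analysis, payments to terminated employees, and the AP invoice three-way match) as SQL queries over a small in-memory SQLite database. Every table, column name and data row is constructed for the illustration; a real engagement would load the AP sub-ledger, HR master and PO/receiving extracts instead.

```python
"""Added example (not part of the Deloitte deck): three of the data-mining
procedures listed above, duplicate payments analysis, payments to terminated
employees and AP invoice three-way match, implemented as SQL queries over a
small constructed data set in an in-memory SQLite database. Every table,
column and row below is constructed for this illustration."""
import sqlite3

# Constructed sample data. Payroll/expense reimbursements use vendor 'PAYROLL'
# and carry the payee employee id; vendor invoices carry a purchase order number.
INVOICES = [
    # (id, vendor_id, invoice_no, amount, paid_on, po_no, payee_employee_id)
    (1, "V100", "INV-7781", 4200.00, "2009-01-05", "PO-55", None),
    (2, "V100", "INV-7781", 4200.00, "2009-01-19", "PO-55", None),  # exact duplicate
    (3, "V100", "INV 7781", 4200.00, "2009-02-02", "PO-55", None),  # near duplicate
    (4, "V200", "INV-0091", 950.00, "2009-01-12", "PO-61", None),
    (5, "V300", "INV-3310", 6200.00, "2009-01-26", "PO-70", None),  # exceeds PO/receipt
    (6, "PAYROLL", "EXP-2009-03", 640.00, "2009-03-02", None, "E42"),  # after termination
    (7, "PAYROLL", "EXP-2009-04", 310.00, "2009-03-03", None, "E17"),
]
EMPLOYEES = [("E17", "active", None), ("E42", "terminated", "2009-01-31")]
PURCHASE_ORDERS = [("PO-55", "V100", 4200.00), ("PO-61", "V200", 8000.00),
                   ("PO-70", "V300", 5000.00)]
RECEIPTS = [("PO-55", 4200.00), ("PO-61", 7950.00), ("PO-70", 5000.00)]


def load() -> sqlite3.Connection:
    """Build the in-memory database from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE invoices(id INTEGER, vendor_id TEXT, invoice_no TEXT, amount REAL,
                              paid_on TEXT, po_no TEXT, payee_employee_id TEXT);
        CREATE TABLE employees(employee_id TEXT, status TEXT, termination_date TEXT);
        CREATE TABLE purchase_orders(po_no TEXT, vendor_id TEXT, amount REAL);
        CREATE TABLE receipts(po_no TEXT, amount REAL);
    """)
    con.executemany("INSERT INTO invoices VALUES (?,?,?,?,?,?,?)", INVOICES)
    con.executemany("INSERT INTO employees VALUES (?,?,?)", EMPLOYEES)
    con.executemany("INSERT INTO purchase_orders VALUES (?,?,?)", PURCHASE_ORDERS)
    con.executemany("INSERT INTO receipts VALUES (?,?)", RECEIPTS)
    return con


def duplicate_payments(con):
    """Duplicate payments analysis: same vendor, same amount and the same invoice
    number once case, dashes and spaces are stripped, so 'INV-7781' and
    'INV 7781' collide. Returns (vendor, amount, normalised invoice no, ids)."""
    rows = con.execute("""
        SELECT vendor_id, amount,
               REPLACE(REPLACE(UPPER(invoice_no), '-', ''), ' ', '') AS norm_no,
               GROUP_CONCAT(id)
        FROM invoices
        WHERE vendor_id <> 'PAYROLL'
        GROUP BY vendor_id, amount, norm_no
        HAVING COUNT(*) > 1
    """).fetchall()
    return [(v, amt, no, sorted(int(i) for i in ids.split(","))) for v, amt, no, ids in rows]


def payments_after_termination(con):
    """Payments to terminated employees: any payroll/expense payment dated after
    the payee's termination date (ISO dates compare correctly as text)."""
    return con.execute("""
        SELECT i.id, i.payee_employee_id, i.paid_on, e.termination_date
        FROM invoices i
        JOIN employees e ON e.employee_id = i.payee_employee_id
        WHERE e.status = 'terminated' AND i.paid_on > e.termination_date
        ORDER BY i.id
    """).fetchall()


def three_way_match_exceptions(con):
    """AP three-way match: total invoiced per PO must not exceed either the PO
    amount or the goods actually received. Returns (po, po_amt, received, invoiced)."""
    return con.execute("""
        SELECT p.po_no, p.amount, COALESCE(r.amount, 0), SUM(i.amount)
        FROM purchase_orders p
        LEFT JOIN receipts r ON r.po_no = p.po_no
        JOIN invoices i ON i.po_no = p.po_no
        GROUP BY p.po_no
        HAVING SUM(i.amount) > p.amount OR SUM(i.amount) > COALESCE(r.amount, 0)
        ORDER BY p.po_no
    """).fetchall()


def run_all(con):
    """Exception counts per procedure, the shape an audit workpaper summary needs."""
    return {
        "duplicate_payments": len(duplicate_payments(con)),
        "payments_after_termination": len(payments_after_termination(con)),
        "three_way_match_exceptions": len(three_way_match_exceptions(con)),
    }


if __name__ == "__main__":
    db = load()
    for name, count in run_all(db).items():
        print(f"{name}: {count} exception(s)")
    print(duplicate_payments(db))
    print(payments_after_termination(db))
    print(three_way_match_exceptions(db))
```

Two design points matter in practice. The duplicate test normalises the invoice number before grouping, because a second payment of the same invoice is rarely keyed identically; and the three-way match compares the total invoiced per PO, so the duplicates on PO-55 surface there as well as in the duplicate analysis, which is the cross-check an auditor wants before concluding on either exception list.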


Controls Rationalization


Under Pressure: What's the problem with general computer controls?
The following factors appear to remain at play at some companies:
• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary
• Companies are not applying IT control frameworks in a manner that leverages IT-related company-level controls
• Companies are not capitalizing on automated controls


Discussion Question
• In your table groups, discuss what your company is doing, or has done, to rationalize controls across the enterprise.
• Discuss Internal Audit's involvement.


Challenges and Opportunities: Point of View
Solution: Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges.
Definition (Control Rationalization): Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.
Guiding Principles
• Management should have an informed understanding of the organization's financial reporting risks in order to drive control rationalization efforts.
• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.
• Control rationalization is a multi-year, continuous effort, which should be integrated into the company's operations.
• Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.


Working Toward a Lean and Balanced Control Design
Using a risk-based control rationalization approach, companies can enhance the efficiency and effectiveness of their compliance program by refining their testing approaches and improving their design of controls, emphasizing efforts towards higher-risk areas while reducing costs associated with lower-level risks.
(Chart, illustrative example. Current State: Category 1 5%, Category 2 15%, Category 3 80%. Future State Model (Effective & Efficient), after rationalizing with a risk-based approach: 15%, 35%, 50%. Areas of focus: Improve Effectiveness, Reduce Costs.)
Examples:
Category 1: company-level controls (e.g., control environment, period-end financial reporting, anti-fraud programs)
Category 2: general computer controls; controls over non-routine accounts and accounts with significant judgment; controls over other high-risk areas
Category 3: controls over routine, transactional processing


Control Rationalization: Phased Approach and Outcomes
1 Perform IT Risk Assessment
• Documented financial data flow diagrams
• Documented system risk assessment
• Documented relevant applications and platforms (risk rated)
2 Evaluate GCC Areas and Control Objectives
• Documented assessment of GCC risk ratings
• Documented assessment of control objective risk ratings
3 Rationalize Controls and 4 Develop Risk-Based Testing Approach
• Documented IT company-level controls
• Documented risk-based testing strategy
• Documented IT risk-rating approach
• Cost savings analysis
• Revised IT control matrix with risk ratings and rationale


Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls: Overview
General Computer Control Rationalization
In Scope:
1 Perform IT risk assessment (identify relevant applications, platforms)
2 Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives (relevance to financial reporting objectives and risk-rating of associated major classes of transaction)
3 Evaluate GCCs for effective and efficient testing*
4 Develop risk-based testing approach for GCCs (re-designed testing approach)
Out of Scope (lean and balanced):
• Remove non-relevant IT applications and platforms
• Remove non-relevant control objectives
• Remove unnecessary controls from testing scope
*Efficiency Evaluation Criteria
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test the process for granting access before password settings)
• Prioritize controls addressing multiple risks
NOTE: The foundation for effective control rationalization depends on a strong set of GCCs. Lack of effective GCCs or an inadequate testing approach for GCCs will preclude management from being able to derive benefits of 'benchmarking' testing of automated controls.


Perform IT Risk Assessment
1 Develop risk profile
Develop a risk profile for each in-scope system using quantitative (e.g., dollar throughput) and qualitative (e.g., system risks) factors.
Financial Impact: dollar throughput of the business process data flowing through the IT systems.
Inherent Risk (H / M / L): example risk factors include:
- Number of users
- Complexity of system configuration/embedded business logic
- Number/complexity of data interfaces
- Frequency of configuration parameter changes
- Extent of system customizations
- Level of centralization of IT function
- Age of system
- Extent of business process control automation


Risk Based Approach for GCCs
2 Risk rate GCC areas
The illustration below depicts a sample company's IT risk prioritization for general computer control categories. COSO defines general computer controls as "Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance."
Illustrative purposes only
General Computer Control Category and Risk Ranking:
• Application System Development & Maintenance: H
• Information Security: H
• Information Systems Operations: M
• Systems Software Support: L
Examples of qualitative factors considered in the risk evaluation: high volume of changes; high employee turnover; mature monitoring processes; application dependencies; complex architecture; automated tools; homogenous environment.
Example procedures by risk ranking:
• H: Test all three levels
• M: Test predominantly IT company-level and process-level controls
• L: Test predominantly IT company-level controls
NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company's environment. Also, only selected GCC areas have been included in the example.


Risk Based Approach for GCCs
3 Rationalize controls
After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.
Control Objective #1: Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management's intentions.
CL 01 The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5)
CL 02 An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1)
CL 03 A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4)
CL 04 The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)
PL 01 Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1)
PL 02 A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8)
For this example, the three controls in bold text will be assessed, which represents a 50% reduction in testing. Rationale annotations on the slide:
• The organization's SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated.
• These two controls are redundant in nature; accordingly, only one control will be evaluated.
• This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process; accordingly, this control will not be evaluated.


Risk Based Approach for GCCs
4 Develop risk-based testing
Alter the nature, timing and extent of control testing based on the control objective risk ratings.

Risk-Rating Category | Sample Size | Evidence | Timing | Testing Owner
High | Increased sample sizes | No change | No change | SOX PMO and Internal Audit
Medium | Reduced sample sizes | No change | No change | No change
Low | Reduced sample sizes | Management self-assessments | Test 1/3 of processes each year (rotation) | Management

*Note: Example for illustrative purposes only
A risk-based testing strategy focuses resources and effort on the most important controls, and may generate opportunities for savings based on reduced overall testing effort.


Cost savings analysis*
The table below is an illustrative example for measuring the reduced effort that may result from implementing a risk-based testing strategy.

Risk-Based Approach
Risk Category | # of Controls / Events | Avg Hrs/Control | Total time spent
High Risk | 800 | 10 hrs | 8,000 hrs
Medium Risk | 500 | 6 hrs | 3,000 hrs
Low Risk | 400 | 3 hrs | 1,200 hrs
Total | 1,700 | 7 hrs | 12,200 hrs

Original Approach | 1,700 | 9.5 hrs | 15,300 hrs
Impact (Savings) | | | (20%)

*Note: Example for illustrative purposes only and does not imply likely savings or results


The Next Wave of Green IT: IT's role in the future of enterprise sustainability


Overview
• Research program to explore senior finance and IT executives' views on how companies around the world are changing their IT practices in an effort to save money, improve performance, and lessen their impact on the physical environment.
• Respondents came from North America (56%), Europe (28%), and Asia (16%)
• All industries included, encompassing companies of sizes $200M to $10B+
• Primary benefits fall into three buckets:
  – Environmental (less pollution, lower carbon emissions, less toxic waste)
  – Operating (lower costs, higher efficiency, lower risk)
  – Promotional (brand awareness, public relations, environmental)


Discussion Question
• In your table groups, discuss what your companies are doing from a greening perspective, specifically around IT.
• Discuss Internal Audit's involvement.


General Statistics
• More than 9 out of 10 companies have made "incremental" or "aggressive" efforts to reduce their impact on the environment
• Many companies have at least basic programs in place for green IT and the funding to support these
  – Nearly 60% of the respondents say their company has at least 5% of its IT budget set aside for greening efforts, and 35% say their company has allocated 15% or more to green IT
• Two-thirds of respondents say their company has a formal program in place for measuring, monitoring, and improving its environmental performance


Barriers
• Lack of information and trusted practices for improving IT's environmental performance (44%)
• Inability to build a sound business case for green IT investments (42%)
• Shortage of capital and well-qualified green IT talent (41%)


New Metrics, Incentives, and Influences
• 67% of respondents stated their company has a formal program for measuring, monitoring, and improving its environmental performance
• When asked "Has your company conducted a formal evaluation of the environmental impact of its business activities in the last two years?", respondents said:
  – Yes, an evaluation has been completed (39%)
  – Yes, an evaluation is currently under way (36%)
  – No, we haven't formally initiated this (25%)
• Most common metrics:
  – Total power consumption
  – Power usage effectiveness/data center infrastructure efficiency
  – Carbon dioxide production


Risk Management and Performance Improvement
(Bar chart of respondent percentages, axis 0% to 80%, for the following objectives:)
• Improving Reporting on Environmental Performance
• Decreasing the Company's Carbon Footprint
• Reducing Exposures to Environmental Liabilities
• Reducing Pollution Caused by Business Activities
• Improving Compliance with Environmental Regulations
• Cultivating a Public Green Perception
• Improving Energy Efficiency and Reducing Costs


Examples of IT Efforts
• Energy efficient hardware
• Shared software resources
• Virtualized server architecture
• Smaller data center footprints
  – IT infrastructure within data centers
• Printers, copiers, and fax machines
• Mobile devices and wireless computers
• Hardware recycling, disposal and decommissioning


End-User Applications
• End user applications focused on productivity are the most likely green IT investment candidates:
  – Videoconferencing
  – Online collaboration technology
  – Enhanced/alternative cooling technology
  – Energy management software applications for servers and PCs
  – Server virtualization
  – Mobile devices


Company Examples
• Intel took the heat its servers produced and redirected it to warm its cafeteria and restroom water supply.
• Approval forms for the FDA are fast-tracked when submitted electronically, saving paper, ink, and physical storage requirements.
• Wells Fargo addresses the power management of its servers, which leads to significant cooling efficiency gains, and improves electrical distribution within the data centers to reduce power consumption.


Next Steps
• Determining what efforts your company currently has in place and your executives' appetite for greening
• Establishing a baseline measurement of current sustainability performance that is satisfactory for both IT and finance
• Aligning the company's tax strategy with its sustainability strategy and green investments
• Evaluating IT's part in these efforts, from the capabilities of the systems to measure, monitor, and report, to what IT can do to increase the effort


Contact Information:
Devin Amato, damato@deloitte.com, 816.802.7255
Heidi Zenger, hzenger@deloitte.com, 816.802.7435