Use Degrees of Risk Separation (DoRS™) to Determine ICFR / non-ICFR

One of the challenges that face auditors of service organizations when conducting SOC1 (aka SSAE16) engagements is determining when a control is "reasonable in the circumstances." What that means, according to the attestation standard, is that a control must have relevance to Internal Controls Over Financial Reporting (ICFR) for it to be included in a SOC1 report.

In a previous post, I demonstrated a method I use to determine if a control is ICFR or not. In this post, I would like to elaborate further in hopes of helping anyone out there who may benefit from this approach.

The method I use is called Degrees of Risk Separation (DoRS™). This approach takes the guess work out of the process of determining if a control is ICFR or not by quantifying the number of degrees that separate the control from the risk of material misstatement of the financials. The auditor can then decide how many DoRS are reasonable based on their professional judgment.

In my professional judgment controls with three or more DoRS that separate them from the risk of material misstatement are non-ICFR controls. Here are two examples to illustrate the process of determining how many DoRS there are to material misstatement.


Control #1: Programmer access to production is prohibited.

-->
1st degree:  Programmer gains access to the production environment and makes a change to a G/L balance.
2nd degree:  The change is not caught during the reconciliation process, and causes a material misstatement of the financials.
Conclusion: The control is ICFR
Control #2:  Critical systems are maintained on raised flooring. -->
1st degree:  Lack of raised floor causes increase in temperature.


2nd degree:  All customer hard drives of a server hosting financially relevant application crash.
3rd degree:  There are no redundant or replicated production servers or they are all hosted at the same datacenter and crashed as well.

4th degree:  Backups do not exist for the data on the crashed hard drives.
5th degree:  The data on the crashed hard drives cannot be re-created from source documents. 



6th degree:  The lost data causes the company to materially misstate their financials.


Conclusion:  The control is not ICFR

The DoRS method can be applied to any control that management includes in their system description.  If the service auditor finds that management has included controls in the 3rd, 4th, 5th, or 6th Degree of Risk Separation, it is unreasonable to conclude that the control is relevant to internal controls over financial reporting.  Rather, it is reasonable to conclude that the control is relevant to security, availability, processing integrity, confidentiality, or privacy which falls into the domain of a SOC2 report. Please contact me to receive a comprehensive analysis I performed that explains the DoRS approach in more depth. For a free #DoRS analysis in exchange for an opportunity to bid on your next #SSAE16 or #SOC2 report, please contact me at (404) 368-9228 or jlong@compliancepoint.com. Here is a whitepaper on the subject, and below that is a form you can use to upload controls you would like to have analyzed.  I will perform the analysis for you and send the controls back to you with a DoRS score if you will include your contact information in the comments section.
Please use the form below to upload your list of controls.  I do not need the entire SAS 70 or SSAE 16 report, just the list of controls.  It would also be great if the company names were already sanitized to save me some time and keep things confidential.  If you include your email address in the comments section, I will know how to send back your analyzed document.
Thanks for your help!  Together we are going to revolutionize the risk assurance industry.

10 comments:

  1. interesting article. any firms or institution is backing this up? I would like to know. Thanks!

    ReplyDelete
  2. Thanks John. I have submitted it to the AICPA for review. Would your firm like to be the first to endorse?

    ReplyDelete
  3. Jon,

    Thanks a lot for this website.. I'm a complete newbie but I'm really learning a lot.

    Question 17 of the FAQ is related to this I think:

    "Does SSAE No. 16 require that management’s description of the service organization’s system include a description of the service organization’s
    IT control objectives and related controls? If so, does the SOC 1 SM guide address which IT control objectives and controls would usually be relevant to a user entity’s ICFR?"

    "Paragraph 3.65 of the SOC 1 SM guide indicates that if the control objectives in a service organization’s description of its system only address application controls, and the proper functioning of general computer controls is necessary for the application controls to operate effectively, the service organization would be expected to include the relevant general computer controls in its description of the system as they relate to the specified control objectives."


    So in short, it is the service organization who is still responsible to categorize and describe ICFR over non-ICFR controls but the service auditors of course still have to express their opinion. Do you think we really need to have more than two degrees of risk separation in order to tag a control as non-icfr?

    ReplyDelete
  4. Thank you so much for your comment and for checking out my blog. I completely agree that some ITGCs should be included in a SOC1. My point is that application controls, and supporting general controls fall within two degrees of risk separation from the risk of material misstatement.

    Here's an example of an application control.
    "The password policy requires a minimum password length of eight characters, maximum password retries set to three, and maximum password age set to 45 days."

    1st Degree - Lack of adequate password security leads to a breach of customer financial data, and a hacker makes material change to g/l balance.

    2nd Degree - CFO does not catch the change in the compilation and review of the financial statement, and materially misstates the financials.

    Here's an example of a control that supports an application control:

    "A system management tool is used to gain access to and manage customer servers. Special system privileges (e.g., root or administrator) to customer systems are limited to individuals whose job responsibilities require such access rights. The login process for personnel to gain access to customer systems is completed using two-factor authentication and requires both an Active Directory® user account and RSA® SecuriD® token."

    1st Degree - Inadequate controls over administrator access to application security settings leads to a breach of customer financial data, and hacker makes a material change to g/l balance.

    2nd Degree - CFO does not catch the change in the compilation and review of the financial statement, and materially misstates the financials.

    It is the service organization's responsibility to describe their controls as you mentioned, but it is the service auditor's responsibility to determine whether the controls are "reasonable in the circumstances" which is interpreted to mean that they have relevancy to ICFR. In my professional judgement, it is unreasonable to conclude that controls with 3 or more DoRS are ICFR. In their professional judgement, some auditors might conclude that 4 or more DoRS are non-ICFR, but my point is that there needs to be an objective way to determine ICFR / non-ICFR, and perhaps even an agreed upon industry standard.

    ReplyDelete
  5. I started a petition to ask for the AICPA's adoption of the DoRS approach here: http://riskassuranceguy.blogspot.com/2012/06/petition-for-adoption-of-dors-approach.html

    Please consider signing it.

    Thank you.

    ReplyDelete
  6. Your article is very informative and the use of graphics adds to understanding the process.

    ReplyDelete
  7. damn agree with your thoughts Jon, ... I just found you on Facebook and came through it. I'd love to follow you on every social network, your providing amazing information.

    ReplyDelete
  8. Auditors always have a big deal of auditing any company. :/

    ReplyDelete