Post on 14-Apr-2017
transcript
Session Objectives

• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges
• Understanding and Maximizing IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results
What is IT Audit?

• Examination of controls within an IT infrastructure
• Process of collecting and evaluating evidence of an organization's information systems, practices, and operations
  – The evaluation determines whether the information systems are safeguarding assets, maintaining the integrity of information, and operating effectively to achieve the organization's goals or objectives
  – May be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement
What is IT Audit?

• The IT audit's agenda may be summarized by the following questions:
  – Will the information in the systems be disclosed only to authorized users? (Confidentiality)
  – Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
  – Will the organization's computer systems be available for the business at all times when required? (Availability)
IT Audit to support Financial Audit

• Most businesses use multiple IT systems to support their business processes
  – These include different systems for financial accounting, procurement, research & development, business intelligence, customer relationship management, sales, etc.
  – Enterprise Resource Planning (ERP) systems integrate various such IT systems and provide one system to manage all important business processes
  – Commonly used ERP systems include SAP, Oracle Applications, PeopleSoft, IFS, JD Edwards, etc.
IT Audit to support Financial Audit

  – Most banks use a core banking system as a back-end system that processes daily banking transactions and posts updates to accounts and other financial records
  – Core banking systems include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools
  – They enable banks to interconnect different branches by means of communication lines and allow customers to operate accounts from any branch
  – Commonly used core banking systems include iFlex, TEMENOS, Finacle, BaNCS, Equation, FinnOne, etc.
IT Audit to support Financial Audit

• A financial audit, or more accurately, an audit of financial statements
  – Review of the financial statements of a company or any other legal entity (including governments)
  – Results in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented
• Substantive tests of detail
  – Selecting a sample of items from major account balances, and finding hard evidence (e.g., invoices, bank statements) for those items
IT Audit to support Financial Audit

• Risk-based approach
  – Includes a combination of internal controls testing and substantive testing
  – Internal controls testing allows financial auditors to assess the operating effectiveness of internal controls (e.g., authorization of transactions, account reconciliations, segregation of duties), including IT General Controls
  – If internal controls are assessed as effective, this will reduce (but not entirely eliminate) the amount of 'substantive tests of detail'
IT Audit to support Financial Audit

  – If internal controls are strong, auditors typically rely more on substantive analytical procedures (the comparison of sets of financial information, and of financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained)
  – If internal controls are assessed as ineffective or weak, financial auditors need to rely on traditional substantive tests of detail
Areas of IT Audit

• There are broadly two areas of IT audit, which cover the following:
  – IT General Controls (ITGC)
  – IT Application/ Automated Controls (ITAC)
WCGW

• Activity: Invoice Receipt
• What Can Go Wrong?
  – Invoice received without a PO (purchase order) or GR (goods receipt)
  – Invoice amount is more than the PO amount
  – Vendor bank details on the invoice differ from the vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters an invoice in the system
WCGW

• How can 'IT' go wrong
  – IT system is not 'configured' correctly
    • Reference to PO/ GR is not mandatory
    • GR and invoice tolerance limits (i.e., the 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices
WCGW

• Which 'IT CONTROLS' can prevent these from going wrong
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/ GR reference
    • Invoice posting if the invoice does not match the PO and GR
    • Change of vendor in the invoice
    • Duplicate entry of an invoice
  – User access controls are appropriate
    • Only authorized persons have access to enter invoices
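The invoice-receipt controls above, as an added example that is not part of the deck: a small model of the automated checks an ERP applies at invoice posting, where the configuration object stands in for the system settings an IT auditor inspects. The same overbilled invoice is blocked under an exact 3-way match but posts once a 10% tolerance is configured, which is the "tolerance of differences" point the deck makes later. Vendor, PO, user and tolerance values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample master data; field names and IDs are assumptions for illustration.
@dataclass(frozen=True)
class ControlConfig:
    po_gr_reference_mandatory: bool = True
    price_tolerance_pct: float = 0.0          # 3-way match tolerance (0 = exact match)
    duplicate_check: bool = True
    invoice_entry_users: frozenset = frozenset({"ap_clerk1"})

VENDOR_MASTER = {"V100": {"bank": "SG11-0001"}}
PURCHASE_ORDERS = {"PO1": {"vendor": "V100", "amount": 1000.0, "gr_received": True},
                   "PO2": {"vendor": "V100", "amount": 500.0, "gr_received": False}}
POSTED_INVOICES = {("V100", "INV-7")}     # (vendor, vendor invoice number) already posted

def evaluate_invoice(inv, cfg, posted=POSTED_INVOICES):
    """Return the control failures that block posting; an empty list means it posts."""
    failures = []
    if inv["user"] not in cfg.invoice_entry_users:       # user access control
        failures.append("unauthorized user")
    po = PURCHASE_ORDERS.get(inv.get("po"))
    if po is None or not po["gr_received"]:
        if cfg.po_gr_reference_mandatory:
            failures.append("no PO/GR reference")
        return failures      # with the reference optional, nothing is matched at all
    # 3-way match: invoice amount against PO amount within the configured tolerance
    allowed = po["amount"] * (1 + cfg.price_tolerance_pct / 100)
    if inv["amount"] > allowed:
        failures.append("amount exceeds PO beyond tolerance")
    if inv["vendor"] != po["vendor"]:
        failures.append("vendor differs from PO vendor")
    master_bank = VENDOR_MASTER.get(inv["vendor"], {}).get("bank")
    if inv["bank"] != master_bank:
        failures.append("bank details differ from vendor master")
    if cfg.duplicate_check and (inv["vendor"], inv["ref"]) in posted:
        failures.append("duplicate invoice")
    return failures

BASE = {"user": "ap_clerk1", "po": "PO1", "vendor": "V100", "bank": "SG11-0001",
        "amount": 1000.0, "ref": "INV-8"}

def demo():
    """Same overbilled invoice under a strict and a loose tolerance setting."""
    over = dict(BASE, amount=1050.0)
    return {"strict": evaluate_invoice(over, ControlConfig()),
            "loose": evaluate_invoice(over, ControlConfig(price_tolerance_pct=10)),
            "dup_off": evaluate_invoice(dict(BASE, ref="INV-7"),
                                        ControlConfig(duplicate_check=False))}
```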
WCGW – IT Controls

• For these IT automated/ application controls to work, certain other IT controls should be effective
  – Without strong change controls, unauthorized changes may be made to the system settings
  – Without access controls, unauthorized users may have access to enter invoices
• Basically, without these IT controls, the IT automated/ application controls may not remain effective over a period of time and therefore may not be relied upon!
IT Controls (Looking Another Way)

• There are broadly two categories of IT controls:
  – Manual
  – Automated
• Manual controls – management, procedural and operational controls, for example security policies, operational procedures, personnel security, etc.
  – For example, approval of user access or review of a duplicate invoice report
IT Controls (Looking Another Way)

• Automated controls – incorporated into systems (i.e., computer hardware, software, or firmware), for example access control mechanisms, identification and authentication mechanisms, encryption methods, etc.
  – Case in point: access controls are AUTOMATICALLY enforced by the system, and users cannot access information which they have not been granted explicitly in the system. Therefore, they are referred to as automated controls.
Areas of IT Audit

• The ITGCs are broadly classified as follows:
  – Information security policies and procedures
  – Access Management
  – Change Management
  – System Development
  – IT Operations Management
  – End-User Computing
Interdependence

ITGC exceptions do not necessarily mean we cannot rely on automated controls – there are many strategies to resolve them!
Importance of IT Audit

• Reduced sample size
• Focus on areas of higher risk
• Reliance on system-generated reports
• Understanding of risks due to use of IT systems
Top IT Challenges

• Access and Segregation of Duties
• Risks arising due to use of IT systems
  – 3-way match is not a "match" but a "tolerance of differences"
  – PO release workflow may not always work
  – Report output (e.g., ageing report, duplicate invoices) depends on system settings
• Business Continuity/ Disaster Recovery
Deciding Audit Approach

• Total audit time
• Regulatory/ compliance requirements
• Criticality of IT to the business
  – How will it affect the business if the critical systems are down?
  – Are critical business transactions performed using IT systems?
  – Are critical controls performed by IT systems?
Identifying ITAC

• Activity: Invoice Receipt
• What Can Go Wrong?
  – Invoice received without PO or GR
  – Invoice amount is more than the PO amount
  – Vendor bank details on the invoice differ from the vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters an invoice in the system
Identifying ITAC

• How can 'IT' go wrong
  – IT system is not 'configured' correctly
    • Reference to PO/ GR is not mandatory
    • GR and invoice tolerance limits (i.e., the 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices
Identifying ITAC

• IT control vs manual control
• Which 'IT CONTROLS' can prevent these from going wrong
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/ GR reference
    • Invoice posting if the invoice does not match the PO and GR
    • Change of vendor in the invoice
    • Duplicate entry of an invoice
  – User access controls are appropriate
    • Only authorized persons have access to enter invoices
Which ITGCs to Test?

• Depends on the ITAC
• At a minimum, should test controls over the following:
  – Logical access
  – Program change
Testing Frequency

• ITAC
  – Every year, if it relates to a significant risk
  – Every 3 years otherwise
• ITGC
  – If audit procedures can demonstrate that changes were minimal, limited tests can be performed
    • Logical access – depends on employee attrition, changes in system access, changes in roles & responsibilities, etc.
    • Program changes – depends on the magnitude of changes, major changes, new functionalities/ reports, etc.
  – Changes in key personnel (IT or non-IT)
  – New system implementation/ system upgrade
Executing IT Audits

• Test of Design (TOD)
  – Evaluation of design effectiveness is critical because only properly designed controls are capable of operating effectively. A control deficiency exists when the design or operation of a control, or group of controls, does not allow management or employees to prevent or detect failures on a timely basis. A walkthrough is usually performed to assess design effectiveness.
• Test of Operating Effectiveness (TOE)
  – The purpose of a test of operating effectiveness is to gather sufficient documented evidence to enable a conclusion as to whether or not the controls as documented are operating in practice
Executing IT Audits

• Testing techniques include the following:
  – Inquiry: in itself, not sufficient to support a conclusion about the effectiveness of a specific control
  – Observation: appropriate if there is no documentation of the operation of a control
  – Inspection: often used for manual controls, like the follow-up of exception reports
  – Re-performance: generally provides better evidence than the other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively
Executing IT Audits

• ITAC
  – Perform on the "Production" environment
  – If a "Quality/ Testing" environment is used, ensure that there are controls to keep it synched with the "Production" environment
• Sample selection
  – Based on the frequency and/ or risks
  – ITAC: "Test of One" is acceptable, but should encompass all "scenarios"
Analyzing Results

• ITAC deficiencies
  – Often more serious than manual control deficiencies due to reliance on systems within financial reporting
  – Is it a "key" risk?
  – Are there other automated/ manual controls addressing the same risk?
  – Is the exposure "substantive"?
  – Typically, extending the sample size does not help for ITAC deficiencies
Analyzing Results

• ITGC deficiencies
  – There is no 'blanket' reliance or non-reliance on IT automated controls
  – Assess the individual impact of ineffective IT general controls on the various IT automated controls
  – Example
    • Ineffective IT general control – developer has access to the production system
    • IT automated control – access to enter invoices is restricted to authorized users
Analyzing Results

• IT automated control: Access to change bank details of vendors is restricted to authorized users.
  – IT automated control testing result: EFFECTIVE
• IT general control: There are procedures in place for the management of users and user privileges. The management procedures require formal approvals for the establishment of users and the granting of privileges.
  – IT general control testing result: INEFFECTIVE
Analyzing Results

• Are there alternative controls?
  – IT automated control: bank details is defined as a sensitive field for dual control
  – IT manual control:
    • All changes to vendor master records are required to be approved by an authorized person.
    • All changes to vendors are reviewed monthly for appropriateness and approvals by an independent person.
• Which control should be relied upon?
  – The IT automated control is preferred, but reliance depends on other IT automated and IT general controls
Analyzing Results

• Let's assume we rely on the manual controls
  – Select samples based on the sample selection methodology and perform tests to determine adherence to the defined procedures – both for approval and review of changes
• What if this manual control is not effective?
  – Perform data analytics to list all changes to bank details and determine the following:
    • Whether the users performing these changes are appropriate
    • Whether the changes are appropriate
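The data analytics step above, as an added example that is not part of the deck: it runs over a constructed vendor-master change log and answers the two questions on the slide, whether each bank-detail change was made by a user in the authorized group and whether it was approved by someone other than the changer. It also goes one step further than the slide by flagging a change that is reverted within a short window, a common auditor heuristic for an inappropriate change; the log layout, user IDs, approval register and 7-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed change log: (change_id, timestamp, user, vendor, field, old_value, new_value)
CHANGE_LOG = [
    ("C1", "2017-03-01T09:10", "mdm_user1", "V100", "BANK", "SG11-0001", "SG11-0002"),
    ("C2", "2017-03-03T14:05", "ap_clerk1", "V200", "BANK", "SG22-0001", "SG22-0009"),
    ("C3", "2017-03-04T08:00", "mdm_user2", "V300", "BANK", "SG33-0001", "SG33-0100"),
    ("C4", "2017-03-06T17:45", "mdm_user2", "V300", "BANK", "SG33-0100", "SG33-0001"),
    ("C5", "2017-03-10T11:30", "mdm_user1", "V400", "BANK", "SG44-0001", "SG44-0002"),
]
AUTHORIZED_CHANGERS = {"mdm_user1", "mdm_user2"}      # assumed master-data role members
# Assumed approval register (the manual control's evidence): change_id -> approver
APPROVALS = {"C1": "ap_manager", "C3": "mdm_user2", "C4": "ap_manager", "C5": "ap_manager"}
REVERT_WINDOW = timedelta(days=7)                       # assumed review threshold

def analyze_changes(log=CHANGE_LOG, authorized=AUTHORIZED_CHANGERS, approvals=APPROVALS):
    """Return {change_id: [finding, ...]} for bank-detail changes needing follow-up."""
    findings = {}
    bank_changes = [c for c in log if c[4] == "BANK"]
    for cid, ts, user, vendor, _, old, new in bank_changes:
        issues = []
        # Question 1: is the user performing the change appropriate?
        if user not in authorized:
            issues.append("changed by user outside authorized group")
        # Question 2: is the change appropriate? Check approval and who gave it.
        approver = approvals.get(cid)
        if approver is None:
            issues.append("no approval on record")
        elif approver == user:
            issues.append("self-approved (segregation of duties)")
        # Change reverted shortly afterwards on the same vendor: worth a closer look
        when = datetime.fromisoformat(ts)
        for cid2, ts2, _, vendor2, _, old2, new2 in bank_changes:
            if (cid2 != cid and vendor2 == vendor and old2 == new and new2 == old
                    and when < datetime.fromisoformat(ts2) <= when + REVERT_WINDOW):
                issues.append(f"reverted by {cid2} within {REVERT_WINDOW.days} days")
        if issues:
            findings[cid] = issues
    return findings
```

Changes with no findings (C1, C4, C5) still belong in the full listing the slide asks for; the dictionary is the exception report an auditor would follow up.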
Recap

• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges
• Understanding and Maximizing IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results
Q & A

Contact Details:
Mantran Consulting Pte Ltd
14 Robinson Road #13-00
Far East Finance Building
Singapore 048545
Tel. +65 6401 5160
Fax. +65 6323 1839
Web. www.mantranconsulting.com
Email. info@mantranconsulting.com

Barun Kumar, Director
Mob. +65 8118 9972
Email. barunkumar@mantranconsulting.com

Jesus Lava III, Manager
Mob. +65 9026 3812
Email. jesuslava@mantranconsulting.com