ICPAS Breakfast Talk Series - Maximising IT Audit
13 March 2013, Wednesday

Transcript

Maximising IT Audit

by Barun Kumar
Director, MANTRAN Consulting Pte Ltd

Session Objectives

• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges

• Understanding and Maximizing IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results

OVERVIEW OF IT AUDIT

Information Security

What is IT Audit?

• Examination of controls within an IT infrastructure
• Process of collecting and evaluating evidence of an organization's information systems, practices, and operations
  – Evaluation determines if information systems are safeguarding assets, maintaining integrity of information, and operating effectively to achieve the organization's goals or objectives
  – May be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement

What is IT Audit?

• The IT audit's agenda may be summarized by the following questions:
  – Will the information in the systems be disclosed only to authorized users? (Confidentiality)
  – Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
  – Will the organization's computer systems be available for the business at all times when required? (Availability)

IT Audit to support Financial Audit

• Most businesses use multiple IT systems to support their business processes
  – These include different systems for financial accounting, procurement, research & development, business intelligence, customer relationship management, sales, etc.
  – Enterprise Resource Planning (ERP) systems integrate various such IT systems and provide one system to manage all important business processes
  – Commonly used ERP systems include SAP, Oracle Applications, PeopleSoft, IFS, JD Edwards, etc.

IT Audit to support Financial Audit

• Most banks use a core banking system as a back-end system that processes daily banking transactions and posts updates to accounts and other financial records
  – Includes deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools
  – Enables banks to interconnect different branches by means of communication lines and allows customers to operate accounts from any branch
  – Commonly used core banking systems include iFlex, TEMENOS, Finacle, BaNCS, Equation, FinnOne, etc.

IT Audit to support Financial Audit

• A financial audit, or more accurately, an audit of financial statements
  – Review of the financial statements of a company or any other legal entity (including governments)
  – Results in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented

• Substantive tests of detail
  – Selecting a sample of items from major account balances, and finding hard evidence (e.g., invoices, bank statements) for those items

IT Audit to support Financial Audit

• Risk-based approach
  – Includes a combination of internal controls testing and substantive testing
  – Internal controls testing allows financial auditors to assess the operating effectiveness of internal controls (e.g. authorization of transactions, account reconciliations, segregation of duties), including IT General Controls
  – If internal controls are assessed as effective, this will reduce (but not entirely eliminate) the amount of ‘substantive tests of detail’

IT Audit to support Financial Audit

  – If internal controls are strong, auditors typically rely more on substantive analytical procedures (the comparison of sets of financial information, and of financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained)
  – If internal controls are assessed as ineffective or weak, financial auditors need to rely on traditional substantive tests of detail

Areas of IT Audit

• There are broadly two areas of IT audit, which cover the following:
  – IT General Controls (ITGC)
  – IT Application/Automated Controls (ITAC)

WCGW

W-C-G-W is an acronym for What Can Go Wrong!

WCGW

• Activity: Invoice Receipt
• What Can Go Wrong?
  – Receive invoice without PO or GR
  – Invoice amount is more than PO amount
  – Vendor bank details in invoice are different from vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters invoice in the system

WCGW

• How can ‘IT’ go wrong?
  – IT system is not ‘configured’ correctly
    • Reference to PO/GR is not mandatory
    • GR and invoice tolerance limits (i.e., 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices

WCGW

• Which ‘IT CONTROLS’ can prevent these from going wrong?
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/GR reference
    • Invoice posting if the invoice does not match PO and GR
    • Change of vendor in invoice
    • Duplicate entry of invoice
  – User access controls are appropriate
    • Only authorized persons have access to enter invoices


WCGW – IT Controls

• For these IT automated/application controls to work, certain other IT controls should be effective
  – Without strong change controls, unauthorized changes may be made to the system settings
  – Without access controls, unauthorized users may have access to enter invoices
• Basically, without these IT controls, the IT automated/application controls may not remain effective over a period of time and therefore may not be relied upon!


IT Controls (Looking Another Way)

• There are broadly two categories of IT controls:
  – Manual
  – Automated

• Manual controls – Management, procedural and operational controls. For example, security policies, operational procedures, personnel security, etc.
  – For example, approval of user access or review of the duplicate invoice report

IT Controls (Looking Another Way)

• Automated controls – Incorporated into systems (i.e., computer hardware, software, or firmware). For example, access control mechanisms, identification and authentication mechanisms, encryption methods, etc.
  – Case in point: access controls are AUTOMATICALLY enforced by the system, and users cannot access information to which they have not been explicitly granted access in the system. Therefore, they are referred to as automated controls.

IT Controls



Areas of IT Audit

• The ITGCs are broadly classified as follows:
  – Information security policies and procedures
  – Access Management
  – Change Management
  – System Development
  – IT Operations Management
  – End-User Computing

Interdependence

ITGC exceptions do not necessarily mean we cannot rely on automated controls – there are many strategies to resolve them!

Importance of IT Audit

• Reduced sample size
• Focus on areas of higher risk
• Reliance on system-generated reports
• Understanding of risks due to use of IT systems

Top IT Challenges

• Access and Segregation of Duties
• Risks arising due to use of IT systems
  – 3-way match is not a “match” but a “tolerance of differences”
  – PO release workflow may not always work
  – Report output (e.g., ageing report, duplicate invoices) depends on system settings
• Business Continuity/Disaster Recovery

MAXIMISING IT AUDIT


Planning


Deciding Audit Approach

• Total audit time
• Regulatory/compliance requirements
• Criticality of IT to the business
  – How will it affect the business if the critical systems are down?
  – Are critical business transactions performed using IT systems?
  – Are critical controls performed by IT systems?

Identifying ITAC

• Activity: Invoice Receipt
• What Can Go Wrong?
  – Receive invoice without PO or GR
  – Invoice amount is more than PO amount
  – Vendor bank details in invoice are different from vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters invoice in the system

Identifying ITAC

• How can ‘IT’ go wrong?
  – IT system is not ‘configured’ correctly
    • Reference to PO/GR is not mandatory
    • GR and invoice tolerance limits (i.e., 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices

Identifying ITAC

• IT control vs manual control
• Which ‘IT CONTROLS’ can prevent these from going wrong?
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/GR reference
    • Invoice posting if the invoice does not match PO and GR
    • Change of vendor in invoice
    • Duplicate entry of invoice
  – User access controls are appropriate
    • Only authorized persons have access to enter invoices
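The following is an added example, not part of the talk and not Mantran Consulting's material, that re-performs the invoice-receipt automated controls listed on the WCGW slides and again on the Identifying ITAC slides above: mandatory PO/GR reference, 3-way match within tolerance, vendor bank details checked against the vendor master, duplicate invoice check, and restricted access to enter invoices. Every record, setting name, tolerance value and user id in it is constructed for illustration; nothing is taken from a particular ERP system. The "price 1% over PO" scenario shows the point made later under Top IT Challenges, that a 3-way match is a tolerance of differences rather than an exact match, and the scenario table follows the "Test of One per scenario" idea from the Executing IT Audits slides.

```python
"""Re-performance of the invoice-receipt automated controls (ITAC) from the
WCGW / Identifying ITAC slides. Every setting, field and record below is
constructed for illustration; none is taken from a particular ERP system."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class PurchaseOrder:
    number: str
    vendor: str
    qty: float
    unit_price: float

@dataclass
class GoodsReceipt:
    number: str
    po_number: str
    qty: float

@dataclass
class Invoice:
    vendor: str
    reference: str            # vendor's own invoice number
    date: str                 # posting date, ISO format
    qty: float
    unit_price: float
    bank_account: str         # bank details printed on the invoice
    entered_by: str           # user entering the invoice
    po_number: Optional[str] = None
    gr_number: Optional[str] = None

    @property
    def amount(self) -> float:
        return self.qty * self.unit_price

# Assumed system settings (the "configuration" the WCGW slides talk about)
SETTINGS = {
    "po_gr_reference_mandatory": True,
    "price_tolerance_pct": 2.0,   # invoice unit price may exceed PO price by 2%
    "qty_tolerance_pct": 0.0,     # invoice quantity may not exceed GR quantity
    "duplicate_check": True,
}
AUTHORIZED_INVOICE_ENTRY = {"ap_clerk1", "ap_clerk2"}     # assumed access list
VENDOR_MASTER = {"V100": {"bank_account": "SG11-0001"}}    # assumed master data

def check_invoice(inv, pos, grs, posted, settings=SETTINGS):
    """Return the control failures that block posting; an empty list means it posts."""
    findings = []
    if inv.entered_by not in AUTHORIZED_INVOICE_ENTRY:
        findings.append("unauthorized user")
    po = pos.get(inv.po_number)
    gr = grs.get(inv.gr_number)
    if settings["po_gr_reference_mandatory"] and (po is None or gr is None):
        findings.append("missing PO/GR reference")
    if po is not None:
        if po.vendor != inv.vendor:
            findings.append("vendor differs from PO")
        # 3-way match on price: a "tolerance of differences", not an exact match
        if inv.unit_price > po.unit_price * (1 + settings["price_tolerance_pct"] / 100):
            findings.append("price exceeds PO tolerance")
    if gr is not None:
        if gr.po_number != inv.po_number:
            findings.append("GR does not belong to referenced PO")
        if inv.qty > gr.qty * (1 + settings["qty_tolerance_pct"] / 100):
            findings.append("quantity exceeds GR tolerance")
    master = VENDOR_MASTER.get(inv.vendor)
    if master is None or master["bank_account"] != inv.bank_account:
        findings.append("bank account differs from vendor master")
    if settings["duplicate_check"]:
        key = (inv.vendor, inv.reference, round(inv.amount, 2), inv.date)
        if any(key == (p.vendor, p.reference, round(p.amount, 2), p.date) for p in posted):
            findings.append("duplicate invoice")
    return findings

def run_scenarios():
    """'Test of One' per scenario: one constructed invoice for each WCGW item."""
    pos = {"PO1": PurchaseOrder("PO1", "V100", qty=10, unit_price=100.0)}
    grs = {"GR1": GoodsReceipt("GR1", "PO1", qty=10)}
    base = dict(vendor="V100", reference="INV-7", date="2013-03-13", qty=10,
                unit_price=100.0, bank_account="SG11-0001", entered_by="ap_clerk1",
                po_number="PO1", gr_number="GR1")
    clean = Invoice(**base)
    scenarios = {
        "clean": (clean, []),
        "no PO/GR": (Invoice(**{**base, "po_number": None, "gr_number": None}), []),
        "price 5% over PO": (Invoice(**{**base, "unit_price": 105.0}), []),
        "price 1% over PO": (Invoice(**{**base, "unit_price": 101.0}), []),
        "bank differs": (Invoice(**{**base, "bank_account": "XX99-0000"}), []),
        "entered twice": (Invoice(**base), [clean]),
        "unauthorized user": (Invoice(**{**base, "entered_by": "developer1"}), []),
    }
    return {name: check_invoice(inv, pos, grs, posted)
            for name, (inv, posted) in scenarios.items()}

if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name:20s} -> {'POSTED' if not findings else ', '.join(findings)}")
```

Running the script prints one line per scenario; the "clean" and "price 1% over PO" invoices post, every other one is blocked with the reason. In a real engagement the same scenario list is what the auditor walks through on the production system (or a synchronised test system), changing one input at a time, so that the "Test of One" still covers every scenario the control is supposed to stop.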

Which ITGCs to Test?

• Depends on the ITAC
• At a minimum, should test controls over the following:
  – Logical access
  – Program change

Testing Frequency

• ITAC
  – Every year, if it relates to a significant risk
  – Every 3 years otherwise

• ITGC
  – If audit procedures can demonstrate that changes were minimal, limited tests can be performed
    • Logical access – depends on employee attrition, changes in system access, changes in roles & responsibilities, etc.
    • Program changes – depends on magnitude of changes, major changes, new functionalities/reports, etc.
  – Changes in key personnel (IT or non-IT)
  – New system implementation/system upgrade

Executing IT Audits

• Test of Design (TOD)
  – Evaluation of design effectiveness is critical because only properly designed controls are capable of operating effectively. A control deficiency exists when the design or operation of a control, or group of controls, does not allow management or employees to prevent or detect failures on a timely basis. A walkthrough is usually performed to assess design effectiveness.

• Test of Operating Effectiveness (TOE)
  – The purpose of a test of operating effectiveness is to gather sufficient documented evidence to enable a conclusion as to whether or not the controls as documented are operating in practice.

Executing IT Audits

• Testing techniques include the following:
  – Inquiry: In itself, not sufficient to support a conclusion about the effectiveness of a specific control
  – Observation: Appropriate if there is no documentation of the operation of a control
  – Inspection: Often used for manual controls, like the follow-up of exception reports
  – Re-performance: Generally provides better evidence than other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively

Executing IT Audits

• ITAC
  – Perform on the “Production” environment
  – If a “Quality/Testing” environment is used, ensure that there are controls to keep it synched with the “Production” environment

• Sample selection
  – Based on the frequency and/or risks
  – ITAC: “Test of One” is acceptable, but should encompass all “scenarios”

Analyzing Results

• ITAC deficiencies
  – Often more serious than manual control deficiencies due to reliance on systems within financial reporting
  – Is it a “key” risk?
  – Are there other automated/manual controls addressing the same risk?
  – Is the exposure “substantive”?
  – Typically, extending the sample size does not help for ITAC deficiencies

Analyzing Results

• ITGC deficiencies
  – There is no ‘blanket’ reliance or non-reliance on IT automated controls
  – Assess the individual impact of ineffective IT general controls on various IT automated controls
  – Example
    • Ineffective IT general control – developer has access to the production system
    • IT automated control – access to enter invoices is restricted to authorized users

Analyzing Results

• IT automated control: Access to change bank details of vendors is restricted to authorized users.
  – IT automated control testing result: EFFECTIVE

• IT general control: There are procedures in place for the management of users and user privileges. The management procedures require formal approvals for the establishment of users and the granting of privileges.
  – IT general control testing result: INEFFECTIVE

Analyzing Results

• Are there alternative controls?
  – IT automated control: Bank details are defined as a sensitive field for dual control
  – IT manual controls:
    • All changes to vendor master records are required to be approved by an authorized person.
    • All changes to vendors are reviewed monthly for appropriateness and approvals by an independent person.

• Which control should be relied upon?
  – The IT automated control is preferred, but reliance depends on other IT automated and IT general controls

Analyzing Results

• Let’s assume we rely on the manual controls
  – Select samples based on the sample selection methodology and perform tests to determine adherence to the defined procedures – both for approval and review of changes

• What if this manual control is not effective?
  – Perform data analytics to list all changes to bank details and determine the following:
    • Whether the users performing these changes are appropriate
    • Whether the changes are appropriate
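An added example of the data analytics step just described, written for this transcript rather than taken from the talk or from Mantran Consulting. It takes a change-document extract for the vendor master, keeps the bank-account changes, and answers the slide's two questions: is the user who made the change appropriate, and is the change itself appropriate (evidenced by an approval that was not self-given). It goes slightly beyond the slide by also flagging a bank account that is changed and then changed back within a window, a pattern an auditor would want to look at. The change log, approval records, user ids, field names and the 30-day window are all constructed assumptions; the user `developer1` stands in for the ITGC deficiency on the earlier slide (a developer with access to production).

```python
"""Data analytics over a vendor-master change log, for the case on the last
'Analyzing Results' slide where the manual approval/review control cannot be
relied upon. Records, user names, field names and rules are constructed."""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M"
REVERSAL_WINDOW = timedelta(days=30)                   # assumed review threshold
AUTHORIZED_MDM_USERS = {"mdm_clerk1", "mdm_clerk2"}    # assumed vendor-master maintainers

# Constructed extract of the system's change documents, one row per changed field
CHANGE_LOG = [
    {"change_id": "C1", "ts": "2013-01-05 09:12", "vendor": "V100", "field": "BANK_ACCOUNT",
     "old": "SG11-0001", "new": "SG11-0002", "user": "mdm_clerk1"},
    {"change_id": "C2", "ts": "2013-01-20 17:48", "vendor": "V200", "field": "BANK_ACCOUNT",
     "old": "SG22-0001", "new": "MY77-9999", "user": "developer1"},
    {"change_id": "C3", "ts": "2013-01-23 08:05", "vendor": "V200", "field": "BANK_ACCOUNT",
     "old": "MY77-9999", "new": "SG22-0001", "user": "developer1"},
    {"change_id": "C4", "ts": "2013-02-02 11:30", "vendor": "V300", "field": "BANK_ACCOUNT",
     "old": "SG33-0001", "new": "SG33-0010", "user": "mdm_clerk2"},
    {"change_id": "C5", "ts": "2013-02-10 14:00", "vendor": "V300", "field": "CITY",
     "old": "Jurong", "new": "Tampines", "user": "mdm_clerk2"},
]
# Constructed approval records from the manual control: change_id -> approver
APPROVALS = {"C1": "ap_manager", "C4": "mdm_clerk2"}

def analyse_bank_changes(log=CHANGE_LOG, approvals=APPROVALS, authorized=AUTHORIZED_MDM_USERS):
    """Return {change_id: [flags]} for every bank-account change; [] means nothing noted."""
    bank = sorted((r for r in log if r["field"] == "BANK_ACCOUNT"), key=lambda r: r["ts"])
    flags = {r["change_id"]: [] for r in bank}
    for i, rec in enumerate(bank):
        out = flags[rec["change_id"]]
        # Are the users performing these changes appropriate?
        if rec["user"] not in authorized:
            out.append("user not authorized for vendor master maintenance")
        # Are the changes appropriate? Look for an approval, and not by the changer
        approver = approvals.get(rec["change_id"])
        if approver is None:
            out.append("no approval record")
        elif approver == rec["user"]:
            out.append("self-approved")
        # A bank account changed and restored within the window deserves a second look
        t0 = datetime.strptime(rec["ts"], TS_FORMAT)
        for later in bank[i + 1:]:
            if later["vendor"] != rec["vendor"]:
                continue
            within = datetime.strptime(later["ts"], TS_FORMAT) - t0 <= REVERSAL_WINDOW
            if within and later["new"] == rec["old"]:
                out.append(f"reverted within {REVERSAL_WINDOW.days} days")
                break
    return flags

def exceptions(flags):
    """Only the changes that need follow-up, for the auditor's working paper."""
    return {cid: f for cid, f in flags.items() if f}

if __name__ == "__main__":
    for cid, f in exceptions(analyse_bank_changes()).items():
        print(cid, "->", "; ".join(f))
```

On the constructed log, C1 is clean, C2 and C3 are flagged for an unauthorized user and missing approvals (and C2 for the revert), and C4 is flagged as self-approved; the CITY change C5 never enters the bank-account population. The point for the audit is that the exception list, not the whole log, is what gets followed up with the business, and that the population is complete because it came from the system's own change documents rather than from the manual approval file.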

RECAP


Recap

• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges

• Understanding and Maximizing IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results

Q & A

Contact Details:

Mantran Consulting Pte Ltd
14 Robinson Road #13-00
Far East Finance Building
Singapore 048545
Tel. +65 6401 5160
Fax. +65 6323 1839
Web. www.mantranconsulting.com
Email. [email protected]

Barun Kumar, Director
Mob. +65 8118 9972
Email. [email protected]

Jesus Lava III, Manager
Mob. +65 9026 3812
Email. [email protected]

Thank you