Date post: 20-Dec-2015

Information Risk Management in the Audit

Chapter 9

Presented by Julie Flaiz-Windham, Senior Manager

KPMG LLP

May 2008 GAAP Reporting Workshop

© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International.

KPMG Information Risk Management (IRM) Audit Team – Scope of Work

IT General Controls Review

Please note that General Control Reviews include Program Development.

Program Development

In-scope campuses that implemented PS FIN in 2008:

– Fullerton

In-scope campuses that implemented PS SA in 2008:

– Los Angeles

– Sacramento

The program development review will include analysis of System Development Life Cycle Policies; Business Requirement Documents (project charters); management approvals; Integration, IT, and End-User testing performed prior to go-live; testing sign offs by appropriate IT, management, and end users; and data migration testing performed by management and end users from the impacted business areas.

KPMG Information Risk Management (IRM) Audit Team – Scope of Work (continued)

Enterprise Resource Planning review

Access controls

Configuration controls

New Automated Derivation Control Added in 2008

Financial aid system controls at selected campuses (8 higher scope A-133 campuses)

Department of Education upload to campus Student Information System (PeopleSoft or Legacy)

Grade system – user access

Interface from grade system to financial aid system (if applicable)

IRM Test Work – Key Dates

March 26, 2008 – Campus IT PBC list was sent to campuses

April 18, 2008 – Campus PBC were due to KPMG

April - July, 2008 – Campus IT general controls test work and specific business process controls test work

To gain efficiencies by working from one location, the IRM team will conduct testing remotely from our Orange County office. Please be prepared to accommodate conference calls during the week our teams are focusing on your campus as the testwork will be conducted via phone interviews and review of requested documents.

UNISYS Data Center review (May 12 – 16, 2008)

Project wrap up / Campus close out meetings (April ~ July)

IRM Deficiency and Communication

Impact on Financial Audit Team

As IRM leads in testwork timing, IRM will report all deficiencies to the financial audit team. The financial audit team will analyze these deficiencies as they relate to their year-end financial statement audit. This may or may not have an impact on their audit procedures and sample sizes.

Control deficiencies

There is a focus on prior-year deficiencies: unremediated issues are of greater concern and higher risk, as management needs to be sure the prior issues are acknowledged and resolved.

Pervasive issues have an impact on the progress of the IRM audit. If we find a pervasive deficiency prior to detailed testwork, we will not be testing all controls, as testwork over alternative controls will not mitigate the risk of such a pervasive deficiency.

Close out meetings / deficiency meetings will be conducted after each campus has been properly analyzed and reviewed by KPMG management. This meeting will be conducted prior to KPMG’s formal notification to the Chancellor’s Office. We will invite all GAAP and IT contacts associated with the respective campus noted within the Chancellor’s Office contact listing. We ask that each campus review the listing to help us ensure the appropriate contacts are notified of deficiencies for each campus.

Questions

