Audit Implications of Integrated Financial Management Information Systems - Presentation Transcript
Audit Implications of Integrated Financial Management Information Systems (IFMISs). Dr. Paul Dorsey, Dulcian, Inc. May 20, 2009
Conventional Wisdom
IFMISs reduce audit risk.
Audit the IFMIS and the non-IFMIS independently
IT auditors bless the IFMIS.
Traditional auditors ignore the IFMIS.
“Auditing” an IFMIS means:
Code control
Access control
Black-box validation
Inputs generate correct outputs.
Why should we worry?
IFMISs INCREASE exposure.
Standard audit techniques will not effectively assess exposure risks.
Standard controls do not protect effectively against IFMIS-impacted exposures.
Developed-nation companies do not usually have well-controlled environments.
The Main Problem
Manual process flow:
Lots of automatic controls based on many people seeing the transaction.
Lots of controls to avoid manual data entry errors also control fraud.
Separation of duties well understood and controlled.
IFMIS process flow:
Single point of failure
Vulnerable to anyone with low-level access to system
Manual Process: Enter transaction -> Approve transaction -> Prepare check -> Approve payment
IFMIS Process: Enter transaction -> Approve transaction -> Approve payment (all within the IFMIS) -> IFMIS prints check
Why is this problem not widely discussed?
Accountants/Auditors are not Information Technology (IT) trained.
IT audit is a specialty area separated from traditional audit.
Audit culture treats IT as independent.
Controlling Risk
Control/Exposure Matrix
(Cell = level of protection the control gives against the exposure)

Control                       Invalid Transaction   Data entry error   Coding Error   Developer Introduced Fraud
(unlabeled in transcript)     High                  High               High           None
Periodic Audit                Medium                Medium             High           None
Dual Entry                    High                  High               N/A            None
Test Deck Audit               N/A                   N/A                High           None
Ineffective Controls
Controls that are ignored, bypassed, faked, or not implemented
Accountants stay up all night to “sign” documents.
Electronic sign-offs that are not intrusive.
Users demand bulk approvals.
Separation of duties
Everyone trusts the “system.”
Meaningless validations
System auto-calculates footing total.
New Controls Needed
Artificial separation of duties
Inefficient manual steps
Particularly on cash transfers
Comprehensive control system audit
Functional controls that go around the system
Exposure Risks Increased by IFMIS
Data Entry Errors
Fraudulent Transactions
Especially collusion frauds
Subtle Process Errors
Computer Professional Fraud
Total loss of data
Physical system failure
HUGE frauds
Outsider access to system
Every machine is infected with malware
System hacking
Internet exposure
Decreasing Risks (1)
Data Entry Errors
System validations
Contingent process flows
Validation rules
Check digits on account codes
Multi-entry (double or triple entry)
Review transactions
Audit against source documents
Decreasing Risks (2)
Fraudulent Transactions
Same controls as data entry errors
More levels of review
Random assignment of review
Explicitly audit for fraud
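The two "Decreasing Risks" slides above list controls without showing them. The following is an added example, not code from the presentation or from Dulcian, that puts three of them into working form: a check digit on account codes, double entry keyed independently by two different people, and random assignment of reviewers. Assumptions are mine: account codes are digit strings ending in two ISO 7064 MOD 97-10 check digits (the scheme IBANs use), and the transaction records are constructed sample data.

```python
"""Added example; not code from the presentation or from Dulcian.

Assumptions (mine): account codes are digit strings whose last two digits
are ISO 7064 MOD 97-10 check digits; Entry records below are constructed.
"""
import secrets
from dataclasses import dataclass


def check_digits(body: str) -> str:
    """Two MOD 97-10 check digits for a numeric account body."""
    if not body.isdigit():
        raise ValueError("account body must be numeric")
    return f"{98 - int(body + '00') % 97:02d}"


def valid_account(code: str) -> bool:
    """A code is valid when (body + check digits) as an integer is 1 mod 97.
    This scheme catches every single-digit error and every single transposition."""
    return code.isdigit() and len(code) > 2 and int(code) % 97 == 1


@dataclass(frozen=True)
class Entry:
    txn_id: str
    account: str
    amount_cents: int
    keyed_by: str


def validate_entry(e: Entry) -> list[str]:
    """System validations the entry screen should enforce before accepting."""
    problems = []
    if not valid_account(e.account):
        problems.append(f"{e.txn_id}: account {e.account} fails check digit")
    if e.amount_cents <= 0:
        problems.append(f"{e.txn_id}: amount must be positive")
    return problems


def dual_entry_findings(first: dict[str, Entry], second: dict[str, Entry]) -> list[str]:
    """Double entry: each transaction is keyed independently twice; the two
    copies must agree and must not come from the same person."""
    findings = []
    for txn_id, a in first.items():
        b = second.get(txn_id)
        if b is None:
            findings.append(f"{txn_id}: missing second entry")
            continue
        if a.keyed_by == b.keyed_by:
            findings.append(f"{txn_id}: both copies keyed by {a.keyed_by}")
        if (a.account, a.amount_cents) != (b.account, b.amount_cents):
            findings.append(f"{txn_id}: copies disagree "
                            f"({a.account}, {a.amount_cents}) vs "
                            f"({b.account}, {b.amount_cents})")
    return findings


def assign_reviewers(txn_ids, reviewers, keyed_by: dict[str, set[str]]) -> dict[str, str]:
    """Random assignment of review using a CSPRNG (secrets) so a preparer
    cannot predict or steer who reviews; whoever keyed the entry is excluded."""
    assignment = {}
    for t in txn_ids:
        eligible = [r for r in reviewers if r not in keyed_by.get(t, set())]
        if not eligible:
            raise RuntimeError(f"{t}: no reviewer independent of the preparers")
        assignment[t] = secrets.choice(eligible)
    return assignment


# Constructed sample data: T-1 keyed correctly twice, T-2 has a transposed
# account on the second copy, T-3 was keyed twice by the same clerk.
ACCT = "123456" + check_digits("123456")          # "12345676"
FIRST = {
    "T-1": Entry("T-1", ACCT, 125_000, "alice"),
    "T-2": Entry("T-2", ACCT, 9_800_000, "alice"),
    "T-3": Entry("T-3", ACCT, 40_000, "carol"),
}
SECOND = {
    "T-1": Entry("T-1", ACCT, 125_000, "bob"),
    "T-2": Entry("T-2", "21345676", 9_800_000, "bob"),   # transposed digits
    "T-3": Entry("T-3", ACCT, 40_000, "carol"),
}


def run_demo() -> dict:
    """Run all three controls over the sample data and return the results."""
    validation = [p for e in SECOND.values() for p in validate_entry(e)]
    dual = dual_entry_findings(FIRST, SECOND)
    keyed = {t: {FIRST[t].keyed_by, SECOND[t].keyed_by} for t in FIRST}
    reviews = assign_reviewers(FIRST, ["alice", "bob", "carol", "dave"], keyed)
    return {"validation": validation, "dual_entry": dual, "reviews": reviews}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The check digit rejects the transposed account on its own, but the dual-entry comparison is what tells you which copy is wrong, and the same-person check is the separation-of-duties point the deck makes: a second entry keyed by the preparer is no control at all.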
Decreasing Risks (3)
Subtle Process Errors
Code review
Exhaustive test decks
“Test first” philosophy
Business Rules approach
Manual and automated testing
Decreasing Risks (4)
Computer Professional Fraud
Pair programming
Explicit QA of all code
Control “around” system
Reports/Controls NOT built/controlled by same team
Hire honest people
Place a manual (non-system-dependent) control on all cash transfers
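"Control around the system" and "reports not built by the same team" are easiest to see as a reconciliation that the IFMIS does not participate in. The following is an added example, not code from the presentation or from Dulcian: it takes the system's own check register and compares it against an approval log and a cash-transfer sign-off book that are kept outside the IFMIS, so a developer who can make the system print a check still cannot make it pass the reconciliation. The CSV layouts, column names, threshold and sample rows are assumptions constructed for the example.

```python
"""Added example; not code from the presentation or from Dulcian.

Assumptions (mine): CSV layouts, column names, the cash-transfer threshold
and every sample row are constructed for this example.
"""
import csv
import io
from decimal import Decimal

# Constructed sample output from the IFMIS (what the system says it paid).
CHECK_REGISTER = """check_no,txn_id,payee,amount
1001,T-100,Acme Supplies,1250.00
1002,T-100,Acme Supplies,1250.00
1003,T-101,Globex Ltd,98000.00
1004,T-102,J. Smith,400.00
"""

# Constructed approval log kept outside the system by the controller's office.
APPROVAL_LOG = """txn_id,payee,amount,approved_by
T-100,Acme Supplies,1250.00,controller
T-101,Globex Ltd,89000.00,controller
"""

# Manual sign-off book for cash transfers at or above the threshold.
MANUAL_SIGNOFFS = {"T-099"}          # T-101 is deliberately absent
CASH_TRANSFER_THRESHOLD = Decimal("10000.00")


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_csv=CHECK_REGISTER, approvals_csv=APPROVAL_LOG,
              signoffs=MANUAL_SIGNOFFS, threshold=CASH_TRANSFER_THRESHOLD):
    """Return (check_no, issue, detail) for every check that the out-of-system
    records do not support.  Each issue is one the IFMIS itself would happily
    have printed a check for."""
    approvals = {r["txn_id"]: r for r in _rows(approvals_csv)}
    seen = {}
    findings = []
    for r in _rows(register_csv):
        no, txn, amount = r["check_no"], r["txn_id"], Decimal(r["amount"])
        if txn in seen:
            findings.append((no, "DUPLICATE_PAYMENT",
                             f"{txn} already paid by check {seen[txn]}"))
        seen.setdefault(txn, no)
        appr = approvals.get(txn)
        if appr is None:
            findings.append((no, "NO_APPROVAL", f"{txn} not in approval log"))
        else:
            if appr["payee"] != r["payee"]:
                findings.append((no, "PAYEE_MISMATCH",
                                 f"{r['payee']} vs approved {appr['payee']}"))
            if Decimal(appr["amount"]) != amount:
                findings.append((no, "AMOUNT_MISMATCH",
                                 f"{amount} vs approved {appr['amount']}"))
        if amount >= threshold and txn not in signoffs:
            findings.append((no, "NO_MANUAL_SIGNOFF",
                             f"{txn} cash transfer of {amount} lacks manual sign-off"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(*f)
```

On the sample data this flags the duplicate check for T-100, the transposed amount on T-101 (98000 against an approved 89000), the missing manual sign-off on that same large transfer, and a check for T-102 that was never approved at all. The value of the control comes from ownership: the approval log and sign-off book must be maintained, and this report must be run, by people who do not administer or develop the IFMIS.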
Decreasing Risks (5)
Total loss of data
Transaction level, off-site back-up
Multi-site (out of country) back-up
Test back-up strategy
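"Test back-up strategy" is the slide most often skipped in practice, so here is an added example, not code from the presentation or from Dulcian, of what the test looks like for a transaction-level backup: the journal is copied to a backup site together with a SHA-256 manifest, and the test restores it into a scratch directory and checks both the hash and the transaction count against that manifest. The journal format, file names and sample journal are assumptions constructed for the example; real off-site and out-of-country copies would replace the temporary directories.

```python
"""Added example; not code from the presentation or from Dulcian.

Assumptions (mine): the journal line format, file names and SAMPLE_JOURNAL
are constructed; temporary directories stand in for off-site backup sites.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

SAMPLE_JOURNAL = (
    "2009-05-20T10:00:01Z T-100 DR 1010 CR 2000 1250.00\n"
    "2009-05-20T10:02:17Z T-101 DR 1010 CR 2000 89000.00\n"
    "2009-05-20T10:05:40Z T-102 DR 6100 CR 1010 400.00\n"
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(journal: Path, site: Path) -> Path:
    """Copy the journal to a backup site and write a manifest recording its
    hash and transaction count, so a later restore can be checked."""
    site.mkdir(parents=True, exist_ok=True)
    copy = site / journal.name
    shutil.copyfile(journal, copy)
    manifest = {"file": journal.name, "sha256": sha256_file(journal),
                "transactions": sum(1 for _ in journal.open())}
    (site / "manifest.json").write_text(json.dumps(manifest))
    return copy


def verify_restore(site: Path, restore_dir: Path) -> dict:
    """Restore from the site into restore_dir and check hash and record count
    against the manifest.  Returns the checks so the caller can act on them."""
    manifest = json.loads((site / "manifest.json").read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / manifest["file"]
    shutil.copyfile(site / manifest["file"], restored)
    return {
        "hash_ok": sha256_file(restored) == manifest["sha256"],
        "count_ok": sum(1 for _ in restored.open()) == manifest["transactions"],
    }


def run_restore_test() -> dict:
    """Back up a constructed journal to two sites, silently truncate one copy
    (simulating a damaged off-site medium), and report which restores pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        journal = root / "journal.log"
        journal.write_text(SAMPLE_JOURNAL)
        backup(journal, root / "site_a")
        site_b_copy = backup(journal, root / "site_b")
        # Drop the last transaction from site B's copy after the manifest was written.
        site_b_copy.write_text(SAMPLE_JOURNAL.rsplit("\n", 2)[0] + "\n")
        return {
            "site_a": verify_restore(root / "site_a", root / "restore_a"),
            "site_b": verify_restore(root / "site_b", root / "restore_b"),
        }


if __name__ == "__main__":
    print(run_restore_test())
```

Site A restores cleanly; site B fails both checks because one transaction is missing, which is exactly the failure a backup that is never restored will hide until the day it is needed. Running the restore test on a schedule, against the off-site copy rather than the local one, is the control.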
Decreasing Risks (6)
Huge Frauds
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Decreasing Risks (7)
Outsider Access to System
No administrator rights for users
No external data devices for machines
No USB keys
No floppy drives
Serious penalty for security violations
Real virus, firewall, security software
Good security protocol
Passwords
Physical access
Decreasing Risks (8)
System Hacking
Get a security audit by leading expert
Conclusions
IFMISs increase audit risk.
Additional controls are necessary to reduce risks.
Most auditors ignore the issue.
Dulcian’s BRIM ® Environment
Full business rules-based development environment
For Demo
Write “BRIM” on business card
Contact Information
Dr. Paul Dorsey – [email_address]
Dulcian website - www.dulcian.com
Latest book: Oracle PL/SQL for Dummies. Other books: Developer Advanced Forms & Reports; Designer Handbook; Design Using UML Object Modeling