Audit Implications of Integrated Financial Management Information Systems

Dr. Paul Dorsey
Dulcian, Inc


Transcript of "Audit Implications of Integrated Financial Management Information Systems"

  1. Audit Implications of Integrated Financial Management Information Systems (IFMISs)
     Dr. Paul Dorsey, Dulcian, Inc., May 20, 2009
  2. Conventional Wisdom
     • IFMISs reduce audit risk.
     • Audit the IFMIS and the non-IFMIS independently
         • IT auditors bless the IFMIS.
         • Traditional auditors ignore the IFMIS.
     • “Auditing” an IFMIS means:
         • Code control
         • Access control
         • Black-box validation
             • Inputs generate correct outputs.
  3. Why should we worry?
     • IFMISs INCREASE exposure.
     • Standard audit techniques will not effectively assess exposure risks.
     • Standard controls do not protect effectively against IFMIS impacted exposures.
     • Developed nation companies do not usually have well controlled environments.
  4. The Main Problem
     • Manual process flow:
         • Lots of automatic controls based on many people seeing the transaction.
         • Lots of controls to avoid manual data entry errors also control fraud.
         • Separation of duties well understood and controlled.
     • IFMIS process flow:
         • Single point of failure
         • Vulnerable to anyone with low-level access to system
  5. Manual Process (diagram labels)
     • Enter transaction
     • Approve transaction
     • Prepare check
     • Approve payment
  6. IFMIS Process (diagram labels)
     • IFMIS
     • Print Check
     • Enter transaction
     • Approve transaction
     • Approve payment
  7. Why is this problem not widely discussed?
     • Accountants/Auditors are not Information Technology (IT) trained.
     • IT audit is a specialty area separated from traditional audit.
     • Audit culture treats IT as independent.
  8. Controlling Risk
     • Control/Exposure Matrix

     | Controls / Exposures | Invalid Transaction | Data entry error | Coding Error | Developer Introduced Fraud |
     |---|---|---|---|---|
     | Level of Protection | High | High | High | None |
     | Periodic Audit | Medium | Medium | High | None |
     | Dual Entry | High | High | N/A | None |
     | Test Deck Audit | N/A | N/A | High | None |
  9. Ineffective Controls
     • Controls that are ignored, bypassed, faked, or not implemented
         • Accountants stay up all night to “sign” documents.
     • Electronic sign-offs that are not intrusive.
         • Users demand bulk approvals.
     • Separation of duties
         • Everyone trusts the “system.”
     • Meaningless validations
         • System auto-calculates footing total.
  10. New Controls Needed
     • Artificial separation of duties
     • Inefficient manual steps
         • Particularly on cash transfers
     • Comprehensive control system audit
     • Functional controls that go around the system
  11. Exposure Risks Increased by IFMIS
     • Data Entry Errors
     • Fraudulent Transactions
         • Especially collusion frauds
     • Subtle Process Errors
     • Computer Professional Fraud
     • Total loss of data
         • Physical system failure
     • HUGE frauds
     • Outsider access to system
         • Everyone is virused
     • System hacking
         • Internet exposure
  12. Decreasing Risks (1)
     • Data Entry Errors
         • System validations
             • Contingent process flows
             • Validation rules
             • Check digits on account codes
         • Multi-entry (double or triple entry)
         • Review transactions
         • Audit against source documents
  13. Decreasing Risks (2)
     • Fraudulent Transactions
         • Same controls as data entry errors
         • More levels of review
         • Random assignment of review
         • Explicitly audit for fraud
  14. Decreasing Risks (3)
     • Subtle Process Errors
         • Code review
         • Exhaustive test decks
         • “Test first” philosophy
         • Business Rules approach
         • Manual and automated testing
  15. Decreasing Risks (4)
     • Computer Professional Fraud
         • Pair programming
         • Explicit QA of all code
         • Control “around” system
             • Reports/Controls NOT built/controlled by same team
         • Hire honest people
         • Place manual (non-system dependent) control on all cash transfers
  16. Decreasing Risks (5)
     • Total loss of data
         • Transaction level, off-site back-up
         • Multi-site (out of country) back-up
         • Test back-up strategy
  17. Decreasing Risks (6)
     • Huge Frauds
         • Don’t automate cash transfer
         • Don’t automate cash transfer
         • Don’t automate cash transfer
         • Don’t automate cash transfer
         • Don’t automate cash transfer
  18. Decreasing Risks (7)
     • Outsider Access to System
         • No administrator rights for users
         • No external data devices for machines
             • No USB keys
             • No floppy drives
         • Serious penalty for security violations
         • Real virus, firewall, security software
         • Good security protocol
             • Passwords
             • Physical access
  19. Decreasing Risks (7)
     • System Hacking
         • Get a security audit by leading expert
  20. Conclusions
     • IFMISs increase audit risk.
     • Additional controls are necessary to reduce risks.
     • Most auditors ignore the issue.
  21. Dulcian’s BRIM® Environment
     • Full business rules-based development environment
     • For Demo
         • Write “BRIM” on business card
  22. Contact Information
     • Dr. Paul Dorsey – [email_address]
     • Dulcian website - www.dulcian.com
     • Latest book: Oracle PL/SQL for Dummies
     • Developer Advanced Forms & Reports
     • Designer Handbook
     • Design Using UML Object Modeling
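
The separation-of-duties and bulk-approval concerns from slides 4, 9 and 10 can be checked directly against an IFMIS transaction log. The following is an added example, not part of the deck: the log layout, step names, user names and the 10-second / 3-approval threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

APPROVALS = {"approve_txn", "approve_payment"}  # hypothetical step names

# Constructed sample log: (transaction id, step, user, timestamp).
SAMPLE_LOG = [
    ("T1", "enter", "alice", "2009-05-20T09:00:00"),
    ("T1", "approve_txn", "bob", "2009-05-20T09:30:00"),
    ("T1", "approve_payment", "dave", "2009-05-20T10:30:00"),
    ("T2", "enter", "erin", "2009-05-20T09:05:00"),
    ("T2", "approve_txn", "erin", "2009-05-20T09:06:00"),
    ("T2", "approve_payment", "dave", "2009-05-20T10:30:02"),
    ("T3", "enter", "alice", "2009-05-20T09:10:00"),
    ("T3", "approve_txn", "bob", "2009-05-20T09:40:00"),
    ("T3", "approve_payment", "dave", "2009-05-20T10:30:04"),
]


def duty_overlaps(log):
    """Return {txn: {user: [steps]}} for users who did more than one step."""
    steps = defaultdict(lambda: defaultdict(list))
    for txn, step, user, _ in log:
        steps[txn][user].append(step)
    flagged = {}
    for txn, users in steps.items():
        repeat = {u: s for u, s in users.items() if len(s) > 1}
        if repeat:
            flagged[txn] = repeat
    return flagged


def bulk_approvals(log, window_seconds=10, threshold=3):
    """Return {user: count} where a user approved `threshold` or more
    transactions inside any `window_seconds` span (a rubber-stamp signal)."""
    times = defaultdict(list)
    for _, step, user, ts in log:
        if step in APPROVALS:
            times[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

In line with slide 15's "control around the system", a check like this belongs with a team that did not build the IFMIS, reading from a log copy the application's developers cannot alter.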