Slide 1: ICPAS Breakfast Talk Series
Maximising IT Audit
13 March 2013, Wednesday

Slide 2: Maximising IT Audit
by Barun Kumar, Director, MANTRAN Consulting Pte Ltd

Slide 3: Session Objectives
• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges
• Understanding and Maximising IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results

Slide 4: OVERVIEW OF IT AUDIT

Slide 5: Information Security (diagram only)

Slide 6: Information Security (diagram only)

Slide 7: What is IT Audit?
• Examination of controls within an IT infrastructure
• Process of collecting and evaluating evidence of an organization's information systems, practices, and operations
  – The evaluation determines whether the information systems safeguard assets, maintain the integrity of information, and operate effectively to achieve the organization's goals or objectives
  – May be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement

Slide 8: What is IT Audit?
• The IT audit agenda may be summarised by the following questions:
  – Will the information in the systems be disclosed only to authorized users? (Confidentiality)
  – Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
  – Will the organization's computer systems be available for the business at all times when required? (Availability)

Slide 9: IT Audit to support Financial Audit
• Most businesses use multiple IT systems to support their business processes
  – These include different systems for financial accounting, procurement, research & development, business intelligence, customer relationship management, sales, etc.
  – Enterprise Resource Planning (ERP) systems integrate various such IT systems and provide one system to manage all important business processes
  – Commonly used ERP systems include SAP, Oracle Applications, PeopleSoft, IFS, JD Edwards, etc.

Slide 10: IT Audit to support Financial Audit
  – Most banks use a core banking system as a back-end system that processes daily banking transactions and posts updates to accounts and other financial records
  – These systems include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools
  – A core banking system enables banks to interconnect different branches by means of communication lines and allows customers to operate their accounts from any branch
  – Commonly used core banking systems include iFlex, TEMENOS, Finacle, BaNCS, Equation, FinnOne, etc.

Slide 11: IT Audit to support Financial Audit
• A financial audit, or more accurately, an audit of financial statements
  – Review of the financial statements of a company or any other legal entity (including governments)
  – Results in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented
• Substantive tests of detail
  – Selecting a sample of items from major account balances and finding hard evidence (e.g., invoices, bank statements) for those items

Slide 12: IT Audit to support Financial Audit
• Risk-based approach
  – Includes a combination of internal controls testing and substantive testing
  – Internal controls testing allows financial auditors to assess the operating effectiveness of internal controls (e.g., authorization of transactions, account reconciliations, segregation of duties), including IT General Controls
  – If internal controls are assessed as effective, this reduces (but does not entirely eliminate) the amount of substantive tests of detail

Slide 13: IT Audit to support Financial Audit
  – If internal controls are strong, auditors typically rely more on substantive analytical procedures (the comparison of sets of financial information, and of financial with non-financial information, to see whether the numbers 'make sense' and whether unexpected movements can be explained)
  – If internal controls are assessed as ineffective or weak, financial auditors need to rely on traditional substantive tests of detail

Slide 14: Areas of IT Audit
• There are broadly two areas of IT audit, which cover the following:
  – IT General Controls (ITGC)
  – IT Application/Automated Controls (ITAC)

Slide 15: WCGW
W-C-G-W is an acronym for What Can Go Wrong!

Slide 16: WCGW
• Activity: Invoice Receipt
• What Can Go Wrong?
  – Invoice received without a PO or GR
  – Invoice amount is more than the PO amount
  – Vendor bank details on the invoice differ from the vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters an invoice in the system

Slide 17: WCGW
• How can ‘IT’ go wrong?
  – IT system is not ‘configured’ correctly
    • Reference to PO/GR is not mandatory
    • GR and invoice tolerance limits (i.e., 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices

Slide 18: WCGW
• Which ‘IT CONTROLS’ can prevent these from going wrong?
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/GR reference
    • Invoice posting if the invoice does not match the PO and GR
    • Change of vendor on the invoice
    • Duplicate entry of an invoice
  – User access controls are appropriate: only authorized persons have access to enter invoices
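The invoice-receipt controls from slides 16 to 18 written out as executable posting checks, so the auditor can see exactly which system setting stops which WCGW item. This is an added example, not material from the presentation; the vendor master, the list of authorized AP users, the 2 % tolerance and the PO (purchase order) and GR (goods receipt) records are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    amount: Decimal

@dataclass
class GoodsReceipt:
    gr_id: str
    po_id: str
    amount: Decimal

@dataclass
class Invoice:
    vendor_invoice_no: str
    vendor_id: str
    bank_account: str
    amount: Decimal
    po_id: Optional[str] = None
    gr_id: Optional[str] = None

# Constructed "system settings" and master data (assumptions, not from the slides).
VENDOR_MASTER = {"V100": "SG12-0001", "V200": "SG12-0002"}  # vendor -> bank account on file
AUTHORIZED_AP_USERS = {"ap_clerk1", "ap_clerk2"}            # users allowed to enter invoices
TOLERANCE = Decimal("0.02")  # the 3-way match is a tolerance of differences, here 2 %

def check_invoice(inv: Invoice, user: str, pos: Dict[str, PurchaseOrder],
                  grs: Dict[str, GoodsReceipt], posted: Set[Tuple[str, str]]) -> List[str]:
    """Return the control failures for one invoice; an empty list means it may be posted."""
    findings: List[str] = []
    if user not in AUTHORIZED_AP_USERS:                        # access control
        findings.append("unauthorized user")
    if (inv.vendor_id, inv.vendor_invoice_no) in posted:       # double invoice check
        findings.append("duplicate invoice")
    if inv.po_id is None or inv.gr_id is None:                 # PO/GR reference is mandatory
        findings.append("missing PO/GR reference")
        return findings                                        # nothing to match against
    po, gr = pos.get(inv.po_id), grs.get(inv.gr_id)
    if po is None or gr is None or gr.po_id != po.po_id:
        findings.append("PO/GR reference does not exist or GR is not for this PO")
        return findings
    if inv.vendor_id != po.vendor_id:                          # no change of vendor on invoice
        findings.append("vendor differs from PO")
    limit = min(po.amount, gr.amount) * (1 + TOLERANCE)        # 3-way match within tolerance
    if inv.amount > limit:
        findings.append("amount exceeds PO/GR tolerance")
    if VENDOR_MASTER.get(inv.vendor_id) != inv.bank_account:   # bank details vs vendor master
        findings.append("bank account differs from vendor master")
    return findings

def post_invoice(inv: Invoice, user: str, pos, grs, posted) -> List[str]:
    """Post only when every automated control passes; record the vendor/invoice-number key."""
    findings = check_invoice(inv, user, pos, grs, posted)
    if not findings:
        posted.add((inv.vendor_id, inv.vendor_invoice_no))
    return findings
```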
Slide 19: WCGW – IT Controls (diagram only)

Slide 20: WCGW – IT Controls
• For these IT automated/application controls to work, certain other IT controls must be effective
  – Without strong change controls, unauthorized changes may be made to the system settings
  – Without access controls, unauthorized users may have access to enter invoices
• Basically, without these IT controls the IT automated/application controls may not remain effective over a period of time and therefore may not be relied upon!

Slide 21: WCGW – IT Controls (diagram only)

Slide 22: IT Controls (Looking Another Way)
• There are broadly two categories of IT controls:
  – Manual
  – Automated
• Manual controls
  – Management, procedural and operational controls, for example security policies, operational procedures, personnel security, etc.
  – For example, approval of user access or review of a duplicate invoice report

Slide 23: IT Controls (Looking Another Way)
• Automated controls
  – Incorporated into systems (i.e., computer hardware, software, or firmware), for example access control mechanisms, identification and authentication mechanisms, encryption methods, etc.
  – Case in point: access controls are AUTOMATICALLY enforced by the system, and users cannot access information they have not been explicitly granted in the system. They are therefore referred to as automated controls.

Slide 24: IT Controls (diagram only)

Slide 25: Areas of IT Audit: ITACs (diagram only)

Slide 26: Areas of IT Audit
• The ITGCs are broadly classified as follows:
  – Information security policies and procedures
  – Access Management
  – Change Management
  – System Development
  – IT Operations Management
  – End-User Computing

Slide 27: Interdependence
ITGC exceptions do not necessarily mean we cannot rely on automated controls; there are many strategies to resolve them!

Slide 28: Importance of IT Audit
• Reduced sample size
• Focus on areas of higher risk
• Reliance on system-generated reports
• Understanding of risks due to the use of IT systems

Slide 29: Top IT Challenges
• Access and Segregation of Duties
• Risks arising from the use of IT systems
  – 3-way match is not a “match” but a “tolerance of differences”
  – PO release workflow may not always work
  – Report output (e.g., ageing report, duplicate invoices) depends on system settings
• Business Continuity/Disaster Recovery

Slide 30: MAXIMISING IT AUDIT

Slide 31: Planning (diagram only)

Slide 32: Deciding Audit Approach
• Total audit time
• Regulatory/compliance requirements
• Criticality of IT to the business
  – How will it affect the business if the critical systems are down?
  – Are critical business transactions performed using IT systems?
  – Are critical controls performed by IT systems?

Slide 33: Identifying ITAC
• Activity: Invoice Receipt
• What Can Go Wrong?
  – Invoice received without a PO or GR
  – Invoice amount is more than the PO amount
  – Vendor bank details on the invoice differ from the vendor master record
  – Invoice is entered twice in the system
  – Unauthorized person enters an invoice in the system

Slide 34: Identifying ITAC
• How can ‘IT’ go wrong?
  – IT system is not ‘configured’ correctly
    • Reference to PO/GR is not mandatory
    • GR and invoice tolerance limits (i.e., 3-way match) are not appropriate
    • Field status is not appropriately configured
    • Double invoice check is not used
  – Access control is not restrictive
    • Unauthorized persons have access to enter invoices

Slide 35: Identifying ITAC
• IT control vs manual control
• Which ‘IT CONTROLS’ can prevent these from going wrong?
  – System settings are appropriately configured to prevent the following:
    • Invoice without PO/GR reference
    • Invoice posting if the invoice does not match the PO and GR
    • Change of vendor on the invoice
    • Duplicate entry of an invoice
  – User access controls are appropriate
    • Only authorized persons have access to enter invoices

Slide 36: Which ITGCs to Test?
• Depends on the ITAC
• At a minimum, should test controls over the following:
  – Logical access
  – Program change

Slide 37: Testing Frequency
• ITAC
  – Every year, if it relates to a significant risk
  – Every 3 years otherwise
• ITGC
  – If audit procedures can demonstrate that changes were minimal, limited tests can be performed
    • Logical access: depends on employee attrition, changes in system access, changes in roles & responsibilities, etc.
    • Program changes: depends on the magnitude of changes, major changes, new functionalities/reports, etc.
  – Changes in key personnel (IT or non-IT)
  – New system implementation/system upgrade

Slide 38: Executing IT Audits
• Test of Design (TOD)
  – Evaluation of design effectiveness is critical because only properly designed controls are capable of operating effectively. A control deficiency exists when the design or operation of a control, or group of controls, does not allow management or employees to prevent or detect failures on a timely basis. A walkthrough is usually performed to assess design effectiveness.
• Test of Operating Effectiveness (TOE)
  – The purpose of a test of operating effectiveness is to gather sufficient documented evidence to conclude whether or not the controls as documented are operating in practice

Slide 39: Executing IT Audits
• Testing techniques include the following:
  – Inquiry: in itself, not sufficient to support a conclusion about the effectiveness of a specific control
  – Observation: appropriate if there is no documentation of the operation of a control
  – Inspection: often used for manual controls, like the follow-up of exception reports
  – Re-performance: generally provides better evidence than the other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively

Slide 40: Executing IT Audits
• ITAC
  – Perform on the “Production” environment
  – If a “Quality/Testing” environment is used, ensure that there are controls to keep it synchronised with the “Production” environment
• Sample selection
  – Based on frequency and/or risk
  – ITAC: a “Test of One” is acceptable, but it should encompass all “scenarios”

Slide 41: Analyzing Results
• ITAC deficiencies
  – Often more serious than manual control deficiencies because of the reliance on systems within financial reporting
  – Is it a “key” risk?
  – Are there other automated/manual controls addressing the same risk?
  – Is the exposure “substantive”?
  – Typically, extending the sample size does not help for ITAC deficiencies

Slide 42: Analyzing Results
• ITGC deficiencies
  – There is no ‘blanket’ reliance or non-reliance on IT automated controls
  – Assess the individual impact of ineffective IT general controls on the various IT automated controls
  – Example
    • Ineffective IT general control: a developer has access to the production system
    • IT automated control: access to enter invoices is restricted to authorized users

Slide 43: Analyzing Results
• IT automated control: access to change vendors' bank details is restricted to authorized users
  – IT automated control testing result: EFFECTIVE
• IT general control: there are procedures in place for the management of users and user privileges; the management procedures require formal approval for the establishment of users and the granting of privileges
  – IT general control testing result: INEFFECTIVE

Slide 44: Analyzing Results
• Are there alternative controls?
  – IT automated control: bank details are defined as a sensitive field for dual control
  – IT manual controls:
    • All changes to vendor master records are required to be approved by authorized personnel
    • All changes to vendors are reviewed monthly for appropriateness and approval by an independent person
• Which control should be relied upon?
  – The IT automated control is preferred, but reliance depends on other IT automated and IT general controls

Slide 45: Analyzing Results
• Let’s assume we rely on the manual controls
  – Select samples based on the sample selection methodology and perform tests to determine adherence to the defined procedures, both for approval and for review of changes
• What if this manual control is not effective?
  – Perform data analytics to list all changes to bank details and determine the following:
    • Whether the users performing these changes are appropriate
    • Whether the changes are appropriate
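The data-analytics fallback of slide 45, applied to the slide 43 and 44 scenario (an ineffective user-management ITGC and manual approval/review controls over vendor bank details), as an added example that is not part of the presentation. The change-log and approval CSV extracts and the list of authorized vendor-master maintainers are constructed sample data; the column names are assumptions, not any particular ERP's format.

```python
import csv
from io import StringIO
from typing import List, Set, Tuple

# Constructed CSV extracts (assumption: the ERP can export field-level change
# documents for the vendor master and the related approval/review records).
CHANGE_LOG = """\
changed_at,user,vendor_id,field,old_value,new_value,change_doc
2013-01-05T09:12:00,ap_super1,V100,BANK_ACCOUNT,SG12-0001,SG12-0009,CD-1001
2013-01-19T17:45:00,dev_smith,V200,BANK_ACCOUNT,SG12-0002,MY55-7777,CD-1002
2013-02-02T10:03:00,ap_super2,V300,BANK_ACCOUNT,SG12-0003,SG12-0003,CD-1003
2013-02-14T11:20:00,ap_super1,V400,BANK_ACCOUNT,SG12-0004,SG12-0044,CD-1004
2013-02-20T08:30:00,ap_super2,V500,PAYMENT_TERMS,NET30,NET45,CD-1005
"""
APPROVALS = """\
change_doc,approved_by,reviewed_by
CD-1001,ap_mgr,internal_audit
CD-1003,ap_mgr,internal_audit
CD-1004,ap_super1,
"""
AUTHORIZED_MAINTAINERS = {"ap_super1", "ap_super2"}  # users allowed to maintain vendor master

Finding = Tuple[str, str, str, List[str]]  # (change_doc, user, vendor_id, issues)

def analyse_bank_changes(change_log_csv: str, approvals_csv: str,
                         authorized: Set[str]) -> List[Finding]:
    """List every effective bank-account change together with the control questions it fails.

    Answers the two slide-45 questions per change: is the user appropriate (on the
    authorized list) and is the change appropriate (approved by someone else and
    independently reviewed)?
    """
    approvals = {r["change_doc"]: r for r in csv.DictReader(StringIO(approvals_csv))}
    findings: List[Finding] = []
    for r in csv.DictReader(StringIO(change_log_csv)):
        if r["field"] != "BANK_ACCOUNT" or r["old_value"] == r["new_value"]:
            continue  # only effective changes to the sensitive field are in scope
        issues: List[str] = []
        if r["user"] not in authorized:
            issues.append("changed by unauthorized user")
        appr = approvals.get(r["change_doc"], {})
        if not appr.get("approved_by"):
            issues.append("no documented approval")
        elif appr["approved_by"] == r["user"]:
            issues.append("self-approved")       # approver must differ from the changer
        if not appr.get("reviewed_by"):
            issues.append("no independent monthly review")
        if issues:
            findings.append((r["change_doc"], r["user"], r["vendor_id"], issues))
    return findings
```

Every change that is listed needs an explanation or becomes an exception; CD-1003 is not listed because the value did not actually change, and CD-1005 because it is not a bank-detail change.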
Slide 46: RECAP

Slide 47: Recap
• Overview of IT Audit
  – Areas of IT Audit
  – Importance of IT Audit
  – Top IT challenges
• Understanding and Maximising IT Audit
  – Planning
  – Executing the IT audit
  – Evaluating results

Slide 48: Q & A
Contact Details:
Mantran Consulting Pte Ltd
14 Robinson Road #13-00, Far East Finance Building, Singapore 048545
Tel. +65 6401 5160, Fax. +65 6323 1839
Web. www.mantranconsulting.com, Email. info@mantranconsulting.com
Barun Kumar, Director, Mob. +65 8118 9972, Email. barunkumar@mantranconsulting.com
Jesus Lava III, Manager, Mob. +65 9026 3812, Email. jesuslava@mantranconsulting.com

Slide 49: Thank you