
Integrated Audit

Shared by: Nguyễn Tuấn Vũ | Date: | File type: PDF | Pages: 22


• History and background of IT Audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors


Text content: Integrated Audit

1. Integrated Audit
IT and Finance - Are We Talking the Same Language?
Presented by: Hussain T. Hasan, CISM, CISSP, Managing Director, Technology Risk Management Services (TRMS), Hussain.hasan@rsmi.com
RSM McGladrey, Inc. is a member firm of RSM International – an affiliation of separate and independent legal entities.

Session Goals
• History and background of IT Audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors
2. History of IT Audits
• First use of a computerized accounting system - 1954 by GE
• Use of computer accounting systems became more prevalent in mid-60s and early 70s
• AICPA and the “Big 8” formalize EDP auditing with the release of the book “Auditing & EDP” - 1968
• Electronic Data Processing Auditors Association (EDPAA) formed - late 1960s
• First edition of control objectives was published (now known as CoBiT) - 1977
• EDPAA changes name to ISACA (Information Systems Audit and Control Association) - 1994

Major Events Impacting IT Auditing
• Equity Funding Corporation of America fraud (1964 - 1973)
• AT&T infrastructure failure - 1998
• September 11th terrorist attacks - 2001
• Enron and Arthur Andersen - 2002
3. Why is IT Auditing a Challenge?
• Unlike the certification of financial statements there is no “universally accepted principle or standard” for IT audit
• The concept of “compliance to best practice”
• Rapid change in IT is at times too rapid for best practices to fully develop or be recognized as such
• IT audit has become a separate discipline over time

Today’s Business Process Environment
• 24/7 requirement becoming more common
• Focus on early error detection
• More highly automated – reducing reliance on manual controls
• Integrated with complex and highly efficient IT systems
• Electronic workflow with paperless trails
• Increased business partner involvement through direct access to process – the network extends beyond the company
4. IT Control Framework
[Diagram: layered control framework, top to bottom]
– Significant Financial Transaction Accounts: Balance Sheet, Income Statement, SCFP, Notes, Other
– Business Processes / Classes of Transactions: Process A, Process B; Class A, Class B
– Automated Application Controls (Application Security, Input Controls, Process Controls, Output Controls, Interface Controls) over Financial Applications: Application A, Application B, Application C
– Infrastructure Services: Database, Platform, Operating System, Network
– IT General Controls: Change/Development, Security, Computer Operations, IT Governance
Source: Adapted from IT Governance Board, ISACA White Paper “IT Control Objectives for Sarbanes-Oxley”

IT General Controls (ITGC)
• IT general controls are pervasive controls within the IT environment and the effectiveness of all automated application controls across the organization depends on them.
  – Security (access to programs and data)
  – Change / development
  – Computer operations
  – IT governance
• Primary responsibility of the IT Team
• Constant interaction with the Financial Audit Team
5. Automated Application Controls
• Application controls apply to the business processes they support.
• These controls are embedded within the software applications to prevent or detect unauthorized transactions.
• When combined with manual controls, application controls ensure completeness, accuracy, authorization and validity of processing transactions.

Automated Application Controls
• Automated application-based processes that control access, input, output and reporting
• Typically set up in the software implementation phase, and can be modified in the maintenance phase. Depending on the software used, modification may be problematic.
• Degree of need for review partially dependent on software used
• Also called IT controls or programmed controls
6. Automated Application Controls
• Identify application controls for each business process during walk-throughs
• Types of application controls
  – Application security controls
  – Input controls
  – Processing controls
  – Output controls
  – Interface controls

Link Accounts and Assertions to IT: An Example
• Account balance:
  – Trade A\R, sales
• Classes of Transactions:
  – Invoices, sales orders
• Business Process:
  – A\R, sales order processes
• Process Stages:
  – Initiate, record, process
• Application Controls:
  – Access controls
  – Built in limits for credit approval
• ITGC Controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
[Diagram boxes: Accounts Receivable; Order Processing Sub-Process; Sales Order & supplier controls; Customer controls; Customer order entry; SAP, Oracle, Other Applications; Databases and Information; IT Infrastructure Security; System Software; Networks]
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.
7. Link Accounts and Assertions to IT: Mortgage Loans
• Account balance:
  – Mortgage loans, loan fees, servicing fees
• Classes of Transactions:
  – Loan Disbursement, receipt of payments, loan origination fees
• Business Process:
  – Loan origination, payment processing
• Process Stages:
  – Initiate, record, process
• Application Controls:
  – Access controls
  – Delinquent payment report
  – Interest rate adjustment (ARM)
  – Automatic PMI check
• ITGC Controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
[Diagram boxes: Receipt of Payment; Loan Prep; Loan Process System; Order & supplier controls; Customer controls; Customer loan entry; Core and other applications; Databases and Information; IT Infrastructure Security; System Software; Networks]
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.

Link Accounts and Assertions to IT: Deposits
• Account balance:
  – Transaction based (checking)
  – Non-Transaction based (CDs, savings)
• Classes of Transactions:
  – New accounts, CDs, Interest fee, disbursement, ACH, ATM
• Business Process:
  – Cash due from, deposit, proof, wires
• Process Stages:
  – Initiate, record, process
• Application Controls:
  – Access controls
  – Various edit checks
• ITGC Controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
[Diagram boxes: Receipt of Payment; Account Entry System; New Account Process; Order & supplier controls; Customer controls; Customer Inquiry; Core and other applications; Databases and Information; IT Infrastructure Security; System Software; Networks]
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.
8. Impact of SOX on IT Audit
• The PCAOB rules are clear - auditors must understand how transactions flow through the system… not around it
(paragraph 47) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include… tracing transactions through the information system relevant to financial reporting”
(paragraph 73) “Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions.”

Impact of SOX on IT Audit – Application Controls
(paragraph 69) “The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and…
• Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
• Identify the points within the process at which a misstatement – including a misstatement due to fraud – related to each relevant financial statement assertion could arise.
• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.”
9. Impact of SOX on IT Audit - ITGC
• PCAOB statements applicable to IT general controls:
(paragraph 40) “Determining which controls should be tested… Generally, such controls include… information technology general controls, on which other controls are dependent”
(paragraph 50) “Some controls have a pervasive effect on the achievement of many objectives… for example, information technology general controls over program development, program changes, computer operations, and access to programs and data”

Dispelling the Myth
Automated application controls do not require an IT expert or programmer for identification and testing. Interpreting source code is generally not included in the process.
10. The Confusion
• Some say that IT auditors should address application controls because a computer/system is involved.
• Some say that financial auditors should address application controls because the processes are related to the business side of the objectives.

The Truth Be Told…
• The task of addressing application controls is a joint team effort between financial auditors and IT auditors.
  – They complement one another
  – Each brings to the table different expertise
11. Joint Team Effort
• Financial auditors
  – Business process
  – Segregation of duties
  – Significance of the accounts and processes
• IT auditors
  – Operating platform
  – Database structure
  – Infrastructure

IT GC – High-Impact Areas / Security
IT Auditors:
– SOX focus on applications that impact financials and supporting infrastructure thereof
– Requires review of operating systems, database, network, firewalls and infrastructure
– Sufficient controls “around the system” that impact application use/entry
Financial Auditors:
– Review for propriety of access rights; sufficient segregation of duties; adequate approval of access; adequate notification of changes
12. IT GC – High-Impact Areas – Change / Development
IT Auditors:
– Procedures are sufficient for proper approval of changes to production systems; data conversion and testing are critical.
– Technical controls limit and control developer access to production.
– Proper system controls before a new system or system changes go in the production environment.
Financial Auditors:
– Evaluate new financial environment.

IT GC – High-Impact Areas / Operations
IT Auditors
– Focus on basic backup and recoverability of financial data
– Physical security/computer operations
13. IT GC – High-Impact Areas / Governance
IT Auditors
– Focus on confirming existence of clear policies, procedures, and communications within IT
– Clear segregation of duties within IT?
– Is there appropriate “tone at the top” within IT?

Automated Application Controls – Roles and Responsibilities
• Primary responsibility for identifying and testing automated application controls resides with the financial audit team.
• IT auditors to provide front-end training, as requested, and support in identification, testing and results interpretation as necessary.
14. Automated Application Controls Specific Tasks – Financial Auditors
• Financial Auditors
  – Materiality assessment – enterprise level; may include link to applications
  – Inherent risk assessment – application and IT infrastructure level
  – Link applications to significant accounts/relevant assertions

Automated Application Controls Specific Tasks - Together
• IT auditors along with financial auditors
  – Map key business cycles to applications
  – Should include application owners at both the business and IT levels
15. Automated Application Controls Specific Tasks - IT Auditors
• IT auditors
  – Map IT applications to infrastructure
  – Identify system interface(s)
  – Identify IT-specific risks/gaps

Automated Application Controls
• Identify application controls for each business process during walk-throughs
• Types of application controls
  – Application security controls
  – Input controls
  – Processing controls
  – Output controls
  – Interface controls
16. Automated Application Controls
• Application security controls
  Controls to ensure that minimum access to applications is allowed for individuals to perform their job.
  IT auditors:
  – Password controls
  – Time of day restrictions
  – Database access
  – Tools access
  Financial auditors:
  – Segregation of duties within business process
  – Access to screens and modules
  – Cross reference of user access between primary applications e.g., GL & wire transfers
  – Manager and business process owner review of system access

Automated Application Controls
• Input controls
  All transactions are initially recorded, entered and accepted by the application accurately and completely.
  IT auditors:
  – As needed
  Financial auditors:
  – Verification against product code defaults
  – Verification against ceiling/floor values
  – Verification against duplicate entries
  – Sequence checking
  – Verification of secondary approver requirement
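The financial auditors' tests on the application security slide (cross reference of user access between primary applications, and manager review of system access) can be automated over the access extracts the applications export. The script below is an added example, not code from the presentation or from RSM McGladrey: it merges constructed access extracts from a general ledger ("GL") and a wire transfer system ("WIRE"), flags users who hold a conflicting pair of entitlements across those applications, finds users still holding access who are no longer active in an HR feed, and groups each active user's entitlements under a manager for review. All user ids, role names, application names and the rule set are constructed assumptions for illustration.

```python
"""Cross-application access review and segregation-of-duties (SoD) check.

Added example, not code from the presentation. Every user id, role name,
application name and SoD rule below is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (application, role)

# Constructed access extracts as exported from each application:
# (application, user id, role).
ACCESS_EXTRACT: List[Tuple[str, str, str]] = [
    ("GL", "jsmith", "post_journal"),
    ("GL", "jsmith", "approve_journal"),    # posts and approves own journals
    ("GL", "mlee", "post_journal"),
    ("WIRE", "mlee", "initiate_wire"),      # GL posting plus wire initiation
    ("GL", "rkhan", "approve_journal"),
    ("WIRE", "rkhan", "release_wire"),
    ("WIRE", "tgarcia", "initiate_wire"),
    ("GL", "tgarcia", "view_reports"),
    ("GL", "ex_emp", "post_journal"),       # left the company, access never removed
]

# Constructed HR feed: active user id -> reviewing manager.
ACTIVE_USERS: Dict[str, str] = {
    "jsmith": "cfo",
    "mlee": "controller",
    "rkhan": "controller",
    "tgarcia": "treasury_mgr",
}

# Constructed SoD rules: entitlement pairs one person must not hold together.
# The second rule spans applications, which is the cross reference the slide asks for.
SOD_RULES: List[Tuple[Entitlement, Entitlement]] = [
    (("GL", "post_journal"), ("GL", "approve_journal")),
    (("GL", "post_journal"), ("WIRE", "initiate_wire")),
    (("WIRE", "initiate_wire"), ("WIRE", "release_wire")),
]


def entitlements_by_user(extract) -> Dict[str, Set[Entitlement]]:
    """Merge the per-application extracts into one entitlement set per user."""
    users: Dict[str, Set[Entitlement]] = defaultdict(set)
    for app, user, role in extract:
        users[user].add((app, role))
    return users


def find_sod_conflicts(extract, rules) -> List[Tuple[str, Entitlement, Entitlement]]:
    """Every (user, entitlement_a, entitlement_b) where a user holds a forbidden pair."""
    conflicts = []
    for user, ents in entitlements_by_user(extract).items():
        for a, b in rules:
            if a in ents and b in ents:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def find_orphaned_access(extract, active_users) -> List[str]:
    """Users who still hold access in some application but are not active in HR."""
    return sorted({user for _, user, _ in extract if user not in active_users})


def build_review_packets(extract, active_users) -> Dict[str, Dict[str, List[Entitlement]]]:
    """Group each active user's entitlements under their manager for periodic review."""
    packets: Dict[str, Dict[str, List[Entitlement]]] = defaultdict(dict)
    for user, ents in entitlements_by_user(extract).items():
        manager = active_users.get(user)
        if manager is not None:
            packets[manager][user] = sorted(ents)
    return dict(packets)


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(ACCESS_EXTRACT, SOD_RULES):
        print(f"SoD conflict: {user} holds {a[0]}:{a[1]} and {b[0]}:{b[1]}")
    for user in find_orphaned_access(ACCESS_EXTRACT, ACTIVE_USERS):
        print(f"Orphaned access: {user} is not an active employee")
    for manager, users in build_review_packets(ACCESS_EXTRACT, ACTIVE_USERS).items():
        print(f"Review packet for {manager}: {users}")
```

Keeping the rule set as data rather than hard-coded conditions matters in practice: the financial auditor owns the list of incompatible duties, the IT auditor owns the extracts, and the script is only the join between them. The orphaned-access check is the reason the HR feed is pulled at the same time as the application extracts; a terminated user with live access is a security finding even when no SoD rule fires.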
17. Automated Application Controls
• Processing controls
  All transactions are processed by the application programs accurately and completely.
  Financial auditors:
  – Transactions processed once
  – Accurately calculated and recorded
  – Internal checks are performed to ensure that transaction data being processed has been edited and validated
  IT auditors:
  – As needed

Automated Application Controls
• Output controls
  All output is complete and is delivered (standard or customized) to the appropriate parties in an appropriate manner.
  IT auditors:
  – As needed
  Financial auditors:
  – Activity reports
  – Exception reports
  – Total and update reports
  – Timely execution of various reports
18. Automated Application Controls
• Interface controls
  All transactions between multiple systems are secure and integrity of the information transmitted is maintained.
  IT auditors:
  – Interface configuration (mapping)
  – Security – transmission method
  – Security – temporary data holding areas
  Financial auditors:
  – Pre-/post-transmission verification
  – Manual data manipulation

Developing Automated Application Controls Tests
• Purchasing process
  – Security
    • New item entry access is restricted to a few authorized members and segregated from incompatible duties.
  – Input
    • Verification that orders of a certain volume/dollar require approval.
  – Processing
    • Three way match in purchasing – PO to receiver to invoice – dollars and quantities must match or be reported on the exception report.
  – Output
    • Review of exception reporting in purchasing – over received, difference in invoiced pricing.
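The purchasing tests above are concrete enough to re-perform in code against a data extract, which is how an auditor would test that the application's own control logic behaves as described. The script below is an added example, not code from the presentation or from RSM McGladrey: it implements the input control (orders at or above a dollar limit must carry an approver), the processing control (three way match of PO, receiver and invoice on quantities and dollars) and the output control (an exception report listing unapproved orders, over-receipts, quantity mismatches, invoices with no receipt, and invoice price differences). The purchase orders, receipts, invoices, field names and the approval threshold are constructed assumptions.

```python
"""Automated control tests for a purchasing process.

Added example, not code from the presentation. All orders, receipts,
invoices and the approval threshold are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, NamedTuple, Optional

# Assumed policy value: orders at or above this total need an approver.
APPROVAL_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    item: str
    qty: int
    unit_price: Decimal
    approved_by: Optional[str] = None


@dataclass(frozen=True)
class Receipt:
    po_id: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    po_id: str
    qty: int
    unit_price: Decimal


class ControlException(NamedTuple):
    code: str
    po_id: str
    detail: str


def check_order_approval(orders: List[PurchaseOrder]) -> List[ControlException]:
    """Input control: orders at or above the threshold must carry an approver."""
    out = []
    for po in orders:
        total = po.qty * po.unit_price
        if total >= APPROVAL_THRESHOLD and po.approved_by is None:
            out.append(ControlException("UNAPPROVED_ORDER", po.po_id, f"total {total} has no approver"))
    return out


def three_way_match(orders, receipts, invoices) -> List[ControlException]:
    """Processing control: PO, receiver and invoice must agree on quantity and price."""
    received: Dict[str, int] = defaultdict(int)
    for r in receipts:
        received[r.po_id] += r.qty
    invoiced: Dict[str, List[Invoice]] = defaultdict(list)
    for inv in invoices:
        invoiced[inv.po_id].append(inv)

    out = []
    for po in orders:
        rq = received[po.po_id]
        if rq > po.qty:
            out.append(ControlException("OVER_RECEIVED", po.po_id, f"received {rq}, ordered {po.qty}"))
        for inv in invoiced[po.po_id]:
            if rq == 0:
                out.append(ControlException("INVOICED_WITHOUT_RECEIPT", po.po_id, f"invoice qty {inv.qty}, nothing received"))
            elif inv.qty != po.qty or inv.qty != rq:
                out.append(ControlException("QTY_MISMATCH", po.po_id, f"invoiced {inv.qty}, ordered {po.qty}, received {rq}"))
            if inv.unit_price != po.unit_price:
                out.append(ControlException("PRICE_DIFFERENCE", po.po_id, f"invoiced {inv.unit_price}, PO {po.unit_price}"))
    return out


def exception_report(orders, receipts, invoices) -> Dict[str, List[str]]:
    """Output control: sorted exception codes per PO for the purchasing manager's review."""
    report: Dict[str, List[str]] = defaultdict(list)
    for exc in check_order_approval(orders) + three_way_match(orders, receipts, invoices):
        report[exc.po_id].append(exc.code)
    return {po_id: sorted(codes) for po_id, codes in report.items()}


# Constructed sample data: PO-1 and PO-5 are clean, PO-2 to PO-4 each trip a control.
ORDERS = [
    PurchaseOrder("PO-1", "toner", 10, Decimal("5.00")),
    PurchaseOrder("PO-2", "laptops", 100, Decimal("120.00")),   # 12,000 with no approver
    PurchaseOrder("PO-3", "chairs", 20, Decimal("30.00")),
    PurchaseOrder("PO-4", "servers", 5, Decimal("200.00")),
    PurchaseOrder("PO-5", "forklift", 2, Decimal("8000.00"), approved_by="purch_mgr"),
]
RECEIPTS = [Receipt("PO-1", 10), Receipt("PO-2", 100), Receipt("PO-3", 25), Receipt("PO-5", 2)]
INVOICES = [
    Invoice("PO-1", 10, Decimal("5.00")),
    Invoice("PO-2", 100, Decimal("125.00")),   # vendor invoiced above PO price
    Invoice("PO-3", 25, Decimal("30.00")),     # invoice follows the over-receipt
    Invoice("PO-4", 5, Decimal("200.00")),     # invoiced but nothing received
    Invoice("PO-5", 2, Decimal("8000.00")),
]

if __name__ == "__main__":
    for po_id, codes in sorted(exception_report(ORDERS, RECEIPTS, INVOICES).items()):
        print(po_id, ", ".join(codes))
```

Money is held as Decimal so that a price difference of a cent is reported as a difference and not lost to floating point rounding. The report is keyed by PO so the reviewer sees every reason a document failed at once; an order that is both over-received and invoiced for the over-received quantity shows both codes.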
19. Developing Automated Application Controls Tests
• Sales process
  – Security
    • Access to enter prices into price catalogs is restricted to a few authorized members and is segregated from incompatible duties.
    • Salespeople enter customer orders into the application generating a sales order. Salespeople are not able to set up and approve new customers.
    • Only accounting personnel can set up and/or change customer credit as well as release credit holds.
  – Input
    • New customers are set up and approved by the credit department.
    • Checks against set credit limit
    • Duplicate order number checking.

Developing Automated Application Controls Tests
• Sales process - continued
  – Processing
    • Based upon the item # and catalog name entered into the application by the sales associate, the price for the item is automatically populated into the sales order.
    • Deleted sales order numbers are maintained and tracked.
  – Output
    • The sales order report is reviewed by shipping personnel to ensure that orders are processed and shipped in a timely manner. Adjustments are made if needed.
20. Developing Automated Application Controls Tests
• Bank customer setup/loan process
  – Security
    • Access to create new customer records is restricted to a few authorized branch personnel who require the access in the normal course of their jobs and is segregated from incompatible duties.
    • Loan personnel cannot create and approve new customer records.
    • Only loan approval personnel can set up and/or change customer credit as well as release credit holds.
  – Input
    • Loan personnel enter customer loan information into the loan application, which accesses the customer database.
    • Various input limits.

Developing Automated Application Controls Tests
• Bank customer setup/loan process - continued
  – Processing
    • Based upon the account # entered into the application by the bank associate, customer information is automatically populated into loan paperwork.
    • Deleted loan numbers are maintained and tracked.
  – Output
    • Loan paperwork undergoes secondary review to ensure that pricing is appropriate and paperwork is correct. Adjustments are made if needed.