1 / 14

INTEGRATED AUDITING

INTEGRATED AUDITING. Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, ACUA Faculty carol.rapps@utsa.edu 210-458-4679 Mark Bigler CPA, CFE, CISA mark.bigler@sanantonio.gov 210- 2013. Objectives. Introduction to Integrated Auditing Definition, Benefits & Shortcomings

luz
Download Presentation

INTEGRATED AUDITING

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. INTEGRATEDAUDITING Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, ACUA Faculty carol.rapps@utsa.edu 210-458-4679 Mark Bigler CPA, CFE, CISA mark.bigler@sanantonio.gov 210- 2013

  2. Objectives • Introduction to Integrated Auditing • Definition, Benefits & Shortcomings • Are there Knowledge Gaps? • Areas in Need of Integrated Auditing • Staffing & Skill Requirements • Real World Example (s) • Current: Office of City Auditor’s • Past: If there is time….. Carol Rapps - 2013

  3. What is Integrated Auditing? • Adding IT Auditor to every internal audit to look at IT Systems? • Training Internal Auditor to look at IT Systems in every audit? • Training and IT Auditor to perform internal audits? • Training one auditor to do every type of audit, operational, financial, IT, security, compliance? • What hat do you want me to wear today CAE? Carol Rapps - 2013

  4. IIA - Practice Guide Integrated AuditingJuly 2012 • Difference between Integrated and Non-integrated Audit Approach • An integrated audit differs from a non-integrated audit in terms of scope and overall complexity • Complexity Directly Related to Broader Nature of Integrated Audit Requires: • Use of Multiple Audit Techniques • Increased use of external resources or increased knowledge of staff • Enhanced project management skills • Balanced approach to risk identification & ratings • Increased oversight & creativity by the auditor • Changes to current staffing model Carol Rapps - 2013

  5. Advantages of Integrated Audit • Increase Coverage? • Get An Audit Done Faster? • Increase Audit Activity Credibility? • Increased Auditors Confidence? • Increased Auditors Proficiency Multiple Operations? • Reduce Cost? • Improved Reporting? • More Effective Risk Assessments & Audit Planning? • ?’s For CAEs - • How does this affect traditional internal audit productivity metrics? • How do you measure quality and value of an audit VS how fast it get’s done and how much it costs? Carol Rapps - 2013

  6. Advantages of Traditional Audit • Grows knowledge of the organization? • Increases Auditor Knowledge & Skills? • Limited Scope – Done Faster? • Covers what needs to be covered? • Challenge Auditors? • Limited Scope - Cost Less? • ?’s for CAEs • Does this produce quality results? • Does this effectively cover entire organization? Carol Rapps - 2013

  7. Key Areas Where Integrated Auditing Is Needed • Operations: • IT – Application Audits • Compliance - Specific regulations & internal policies associated with individual operations • Information Security • Data Integrity (e.g. edit checks, authorization limits) • Calculations • Interface Controls (Balancing) • Security • Financial (Audit Applications / Systems Used to produce financial statements) • IT Application Audit (Data Integrity, Calculations, Authorization Limits) • GAAP Compliance • Security Carol Rapps - 2013

  8. Key Areas Where Integrated Auditing Is Needed (Cont’d) • Security (Yes different than IT) • IS Governance • Physical • Logical • IT Operations • IT Governance • Change Management • Departmental Management • Others? • IT Technical Audits • Specialized Skills (out-side expertise) • Security (can use all auditors) Carol Rapps - 2013

  9. Office of City Auditor (OCA) • OCA - directed by City Auditor Kevin Barthold CPA, CIA, CISA • 21 auditors in total which includes 3 “IT auditors” • 4 CISAs (2 in management) • 2 additional auditors have passed CISA exam (working on experience) • 3 Audit teams of 5 – 6 auditors; each team headed by a manager • All IT auditors are on my team • OCA is responsible for auditing the City’s 36 Departments (e.g. Police, Fire, Airports, Public Works, Waste Management, Municipal Courts, Parks & Recreation, Health, Library, etc.) • OCA performs IT Audits of the City’s IT Department which provides services to all City Departments, delegate agencies, and various local, state, and federal government entities. Major systems include: SAP, 9-1-1 Dispatch, 3-1-1 CRM, etc. Carol Rapps - 2013

  10. OCA’s Approach • OCA’s 2013 audit plan includes 21 performance (operational) audits, 2 IT audits, and 6 follow-up audits • IT Audits • OCA’s overarching IT audit Plan was to first evaluate general controls that apply to all (or a large segment) of the City’s systems, then audit application controls • OCA uses FISCAM and GAGAS (Yellow-Book), NIST, COBIT, ITIL • FISCAM General Control Areas include: Security Management, Contingency Planning, Configuration Management, Segregation of Duties, Access Controls • Access Control audits: identification/authentication systems (e.g. Active Directory), network (e.g. firewalls, web servers, routers), operating systems (server and workstation), infrastructure applications (e.g. database management, email, etc.) • Potential Application Controls Audits: SAP security, 9-1-1 System, 3-1-1 System Carol Rapps - 2013

  11. OCA’s Approach • Performance Audits • Most of OCA’s performance audits have an IT controls facet to them • OCA’s “IT auditors” are assigned to perform IT and performance audits but are available for assistance to other audit teams as needed • Non-IT audit teams are developing IT audit skills mainly through taking entry/intermediate level group training courses Carol Rapps - 2013

  12. OCA’s Approach • OCA generally grows/hires its own (IT auditors) • Advantages (vs. Contracting): • Internal auditors maintain historical knowledge of the organization’s systems, procedures, players, etc. resulting in a learning curve advantage • Vested interest in the organization; part of the internal audit team • Always there to assist with IT issues and good for interpreting IT geek speak • Disadvantages: • Ongoing and significant investment in training • Salary demands are usually higher than non-IT auditors • May not have required breadth and depth of technology skills • Turnover (demand for IT auditors exceeds supply) Carol Rapps - 2013

  13. Other Examples(If Time Allows) • American National Bank • Tokai Limited • Times Mirror Carol Rapps - 2013

  14. QUESTIONS Carol Rapps - 2013

More Related