Presentation Transcript



Preparing for an IT Audit

September 11, 2007

2:00pm EDT, 11:00am PDT

George Spafford,

Principal Consultant

Pepperweed Consulting, LLC

“Optimizing The Business Value of IT”

www.pepperweed.com



Housekeeping

  • Submitting questions to speaker

    • Submit a question at any time by using the “Ask a question” section located on the lower left-hand side of your console.

    • Questions about presentation content will be answered during the 10-minute Q&A session at the end of the webcast.

  • Technical difficulties?

    • Click on “Help” button

    • Use “Ask a question” interface



Main Presentation



Agenda

  • Background on Audit

  • Why audits are part of the Deming cycle of plan-do-check-act

  • How to prepare for audits

  • What auditors look for

  • For a copy of today’s webcast PPT, please email:

    • George at: [email protected]

    • Kendra at: [email protected]



The Shewhart Cycle

  • Popularized by Deming

    • We plan

    • We do

    • We check results

    • We take corrective action

  • How can we objectively check?

    • Audit

  • Auditors must be objective

  • The process is necessary for improvement



IA - Risk Management & Control

  • Reliability and integrity of financial and operational information

  • Effectiveness and efficiency of operations

  • Safeguarding of assets

  • Compliance with laws, regulations, and contracts.

Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499



IA - Governance

  • Promoting appropriate ethics and values within the organization.

  • Ensuring effective organizational performance management and accountability.

  • Effectively communicating risk and control information to appropriate areas of the organization.

  • Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499



External Audit

  • Is driven by the regulatory requirement to have an independent third party certify that the financial information provided to stockholders is reasonably accurate.

  • Some feel that internal review of external audit reports creates another layer of protection for financial reporting.

  • Primarily reports to the audit committee on the accuracy of the financial reports, and attests to management’s assessment of internal controls over financial reporting.

Source: “Common Misconceptions”, Tone From the Top, Institute of Internal Auditors, March 2005.



Work with Audit, not around Audit



Important: Establish Key Controls

  • Review risks

    • Management’s current risk assessment

    • Use of a control framework as a proxy (verify with audit that this is acceptable)

    • If there is nothing to go on, the auditor will impose his/her own belief system

  • Review key controls

    • The auditor may want to understand the state of the overall control environment – be sure to plan for this in advance

    • The emphasis and testing will be on key controls

    • Aim for as few key controls as possible, each grounded in a risk

  • You want to be clear

  • It doesn’t benefit IT or audit if guessing or misinterpretation happens


Cost of Control

[Chart: Level of Assurance plotted against Level of Investment; assurance approaches but never reaches 100%]

You can spend a fortune and you will never truly hit a 100% level of assurance.

The objective is to lower risk to an acceptable level, not to eliminate it, because you can’t!



Preparing (1)

  • Emphasis – talk to your audit group ahead of time

  • Auditing is not a science

  • Practices will vary between audit firms, within firms and between auditors

  • Work closely with Internal Audit to understand company requirements and External Audit requirements

  • Put everything in writing and get approval – do not rely on verbal communications

    • Summarize your conversations in the form of meeting minutes and send them to the other party for confirmation.

  • Bear in mind that auditors leave firms and so do audit partners

    • Who you deal with can change year to year.



Preparing (2)

  • Determine a formal documentation plan

    • Policies and Procedures

    • Evidence of activity / compliance

  • Clearly identify what IT services/systems are in scope

    • Materiality

    • Guide to the Assessment of IT General Controls Scope Based on Risk

  • Take care in documenting control activity, test plans, etc. If they are ambiguous or inaccurate, deficiencies may well result

  • Documenting controls that don’t exist will guarantee findings

  • Be sure to document exceptions along with risks, the business case and management’s approval

    • It is better for management to disclose known exceptions than for auditors to find them.

    • How exceptions are documented and handled varies from auditor to auditor, so be sure to understand what to do, the ramifications, etc.



During the Audit (1)

  • Never lie to an auditor - the repercussions can be severe

  • Do not tamper with evidence - the repercussions can be severe

    • Be sure to agree with the auditor, in advance, on the process for making any urgent remediation or changes during an audit.

  • Be prompt in replying or providing samples

    • Delays may be interpreted as a lack of controls, or as a sign that evidence is being created or altered

  • Auditors will follow the key controls and test plans verbatim if things go as planned

  • Do not be antagonistic



During the Audit (2)

  • Auditors make mistakes like everyone else.

    • Be sure to help with any quality assurance process they request, so that the findings are accurate

  • The management response is the proper place to voice disagreements about findings

    • Do not get into senseless arguments



The Audit Process (1)

  • Coordinate Auditors

    • Internal Audit should coordinate with External Audit (This coordination is typically done by the Chief Audit Executive.)

    • Faster audits

    • Lower costs

    • Fewer interruptions

  • Schedule the audit

    • IT’s availability

    • Internal Audit’s availability

    • External Audit’s availability

  • Kick-off meeting

    • Goals of the audit

    • Scope

    • Roles and Responsibilities

    • Schedule / Plan



The Audit Process (2)

  • Review

    • Risks

    • Key Controls

    • Documentation (Requirements will vary, so inquire as to what is needed)

      • Policies and Procedures

      • What systems are in scope

      • Narratives (An audit device used when documentation doesn’t exist)

      • Flowcharts

      • Test Plans (These should have been developed between management and Internal Audit. Care must be taken that they are very clear and concise.)

  • Execute Tests

    • Observe

    • Inquire

    • Obtain samples according to the test plan


Sample Size Example

[Slide shown as an image; no transcript text is available.]



The Audit Process (3)

  • Organize Work Papers

    • Management/IA should determine what documentation to retain from audits.

    • Part of the document retention is driven by what External Audit can leverage

    • The more management testing that External Audit can leverage, the faster the external audit goes and the lower the costs.

  • Document Results

    • The auditor will record results of tests and relate scores to work papers.

  • Make recommendations

    • Control Improvement Opportunities

    • Remediation Recommendations

  • Exit Meeting

    • Review rough draft of results as a QA step

    • Review any open items


Example Test Plan and Test Results

[Slide shown as an image; no transcript text is available.]



The Audit Process (4)

  • Generate Management Letter

    • Once the testing is finished, the auditor reviews the audit documentation and develops a formal letter for management summarizing findings and recommendations.

  • Solicit Management Response

    • Management can then review and respond to the findings.

  • Finalize the audit documentation

  • Share Results with Management, Audit Committee and External Audit



Audit Findings

  • Audits always generate findings

  • Management can

    • Agree with a given finding and remediate

    • Dispute the finding

    • Accept the risk and do nothing

  • Remediation depends on the auditor and the situation.

    • They may, or may not, wish to see remediation of audit findings.

  • Some external auditors leave remediation up to management

    • Bear in mind that if this year’s audit turned up the control deficiencies, there is a strong likelihood that next year’s audit will turn up the same things unless there are changes to scope, key controls, etc.

  • If the same deficiencies show up over and over again, the auditor may choose to increase their severity



Continuous Improvement

  • Audits are vital

  • They provide objective opinions

  • Look at audit as another tool for process improvement

    • Set the proper tone from the top

    • If you think audits are a waste, then so will your team

  • The idea is to take the auditors’ findings and review what to do

  * Adapted from ITIL Service Support graphic



Learning More About Audit

  • Institute of Internal Auditors: http://www.theiia.org/

    • GAIT: http://www.theiia.org/guidance/technology/gait/

  • Information Systems Audit and Control Association: http://www.isaca.org

  • IT Compliance Institute: http://www.itcinstitute.com/

  • Jim Kaplan’s Audit Net: http://www.auditnet.org/

  • Subscribe to Dan Swanson’s Email Lists: http://www.securitybenchmark.com/



Thank you for the privilege of facilitating this webcast

George Spafford

Principal Consultant

Pepperweed Consulting

Optimizing the Value of IT

[email protected]

http://www.pepperweed.com

Daily News Archive and Subscription Instructions

http://www.spaffordconsulting.com/dailynews.html



Questions?



If you have any further questions, e-mail [email protected]

For future ITSM Watch Webcasts, visit www.jupiterwebcasts.com/itsm

Thank you again for attending

