
Dirk Timmerman November 2002


Presentation Transcript


  1. Internal and external control in an automated environment Dirk Timmerman November 2002

  2. Content
     • When to involve an IT Auditor in the Audit Process
     • Audit objectives
     • Overview of external audit process
     • Overview of internal audit process
     • IT Auditor in strategic analysis – external audit
     • IT Auditor in strategic analysis – internal audit
     • IT Auditor in Process Analysis
     • IT Auditor in Remaining Audit Procedures
     • General guidelines to IT Auditor

  3. When to involve an IT Auditor
     • KPMG policy
     IT auditor involvement is mandatory in the following cases
       • More than 1000 hrs
       • Banks and Insurance companies
       • Quoted on stock exchange
       • Rated as “highly complex” per IT Criticality Scorecard, which measures :
         • IT complexity
         • IT changes
         • IT issues/problems
     IT auditor involvement is advisable for clients with a “sophisticated” IT environment

  4. Audit objectives
     • External audit
       • Provide assurance over the truth and fairness of financial statements
       • Key deliverable : audit opinion
       • By-Product : management letter points
     • Internal audit
       • Independent assessment of the effectiveness of risk management and control
       • Key deliverable :
         • Assist management in identification of risk areas and assessment of residual risks
         • Management letter points
       • By-Products : consulting opportunities

  5. Audit objectives (cont’d)
     • External auditor
       • “What controls can I rely on to reduce substantive testing”
     • Internal auditor
       • “Are these controls appropriate, optimal and how could the company do things differently”

  6. Overview of external audit process
     [Diagram: the external audit process in three phases, ending in the deliverables]
     • Strategic analysis
       • Understand entity’s business
       • Understand strategic business risks
       • Identify financial statement implications of strategic business risks and identify S.C.O.Ts
     • Process analysis
     • Remaining audit procedures
       • Perform remaining audit procedures
       • Identify & investigate audit differences, & evaluate findings
     • Deliverables : 1. Audit Opinion 2. Report
     Other diagram labels : Business risks, Classes of transactions, Select key processes, Process level business risks, Residual business risk, ROSM

  7. Internal audit process - overview
     [Diagram: two columns of steps; labels : Stage One, Stage Two, Risk assessment, Projects]
     • STEP 1 Engagement initiation
     • STEP 2 Strategic analysis
     • STEP 3 Strategic risk assessment
     • STEP 4 Business process analysis (planning)
     • STEP 5 Independent assessment
     • STEP 6 Flash report - strategic issues
     • STEP 7 Risk management framework
     • STEP 8 Management assurance plan
     • STEP 9 Project planning
     • STEP 10 Opening conference
     • STEP 11 Business process analysis
     • STEP 12 Review & validation program
     • STEP 13 Business process review
     • STEP 14 Validation
     • STEP 15 Exit conference
     • STEP 16 Reporting
     • STEP 17 Close out & evaluation
     • STEP 18 Follow up
     • STEP 19 Audit committee reporting

  8. IT Auditor in strategic analysis – external audit
     • Gain understanding of
       • IT organization
       • How key processes are supported by IT applications and on which platforms these are operated
       • IT strategy
       • IT changes : current year – future years
       • Significant IT risks
       • IT Controls (high level understanding)

  9. IT Auditor in strategic analysis – external audit (cont’d)
     • Tools
       • IT Risk Assessment (long form – short form)
       • IT Business Understanding Document (contains template)
       • IT Risks & Controls Questionnaire => IT Traffic Lights Report

  10. IT Traffic Lights Report

  11. IT Auditor in strategic analysis – external audit (cont’d)
     • Risk analysis
       • IT risks that could threaten the entity’s business objectives
         • Determine if impact on financial statements is significant
         • If yes, plan analysis of selected IT processes that reduce the identified risks
       • IT risks that affect the completeness, existence and accuracy of transactions
         • Take into account when performing process analysis on significant classes of transactions (SCOTs)
     • Tools
       • IT Risk Analysis Document - examples

  12. IT Auditor in strategic analysis – internal audit
     • Similar to external audit but…
       • Control objectives are broader :
         • Effectiveness
         • Efficiency
         • Confidentiality
         • Integrity
         • Availability
         • Compliance
       • Additional tools :
         • COBIT
         • Workshops
       • All significant IT risks are addressed, not only those with a significant financial statement impact

  13. IT Auditor in Process Analysis (external & internal audit)
     • Perform process analysis for selected IT sub-processes
       • For external audit, this tends to focus on IT security, change management and continuity
     • Potential roles in process analysis of non-IT processes
       • Assist in mapping of process and information flow
       • Assist in identification of process risks
       • Assist in identification of controls
     • Their added value
       • Familiar with structured process analysis
       • Familiar with complex systems and ERPs
       • Familiar with IT
     • Tools
       • BPA tool + templates
       • SAP Authorizations tool
     • DEMO of BPA tool

  14. BPA - Risk & controls matrix

  15. BPA - Control Grid

  16. BPA – residual risk report

  17. IT Auditor in Remaining Audit Procedures
     • Test of Controls :
       • Access controls
         • Perform system queries
         • Evaluate and test security administration process
         • Evaluate risk of by-passing authorizations
         • Password settings
         • Super users
         • Direct access to data through utilities
         • External communication risk

  18. IT Auditor in Remaining Audit Procedures (cont’d)
     • Test of Controls (cont’d)
       • System configurations
         • First year of reliance + in case of major upgrade : “test of one”
           • Review and evaluate client tests, or
           • Reperform tests in test environment, or
           • Test of detail to confirm effectiveness of control
         • Subsequent years
           • Inquire about nature and extent of changes to key systems
           • Test change management = to ensure that all program changes are properly authorized, tested and approved
           • Review system access to change configuration

  19. IT Auditor in Remaining Audit Procedures (cont’d)
     • Test of controls
       • Exception reports
         • Same as for system configuration
       • Interfaces
         • Gain understanding of interface process
         • Same as for system configuration
       • Data migration
         • Gain understanding of data migration process
         • Identify key controls and test

  20. IT Auditor in Remaining Audit Procedures (cont’d)
     • Test of details
       • Do not perform tests of details if the same result can be obtained by evaluating and testing internal controls
     • Tools
       • Excel
       • Ms Access
       • ACL
       • IDEA

  21. General guidelines to IT Auditor
     • Participate at planning meeting (=before start of audit)
     • Scope of IT audit should fit 100% within the financial audit scope
     • Go for joint teams with financial auditors to perform process analysis
     • Do not deliver separate reports but prepare working papers
     • If your appointments with IT people are going to be arranged by financial audit => highlight that on average there is a time lag of 2 weeks between the request and the interview
