KPMG Information Risk Management (IRM) Audit Team – Scope of Work
Post on 31-Dec-2015
Information Risk Management in the Audit
Chapter 9
Presented by Julie Flaiz-Windham, Senior Manager, KPMG LLP
May 2008 GAAP Reporting Workshop
© 2008 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International.
KPMG Information Risk Management (IRM) Audit Team – Scope of Work
IT General Controls Review
Please note that General Control Reviews include Program Development
Program Development
In-Scope Campuses that implemented PS FIN in 2008:
– Fullerton
In-Scope Campuses that implemented PS SA in 2008:
– Los Angeles
– Sacramento
The program development review will include analysis of System Development Life Cycle Policies; Business Requirement Documents (project charters); management approvals; Integration, IT, and End-User testing performed prior to go-live; testing sign offs by appropriate IT, management, and end users; and data migration testing performed by management and end users from the impacted business areas.
KPMG Information Risk Management (IRM) Audit Team – Scope of Work (continued)
Enterprise Resource Planning review
Access controls
Configuration controls
New Automated Derivation Control Added in 2008
Financial aid system controls at selected campuses (8 higher scope A-133 campuses)
Department of Education upload to campus Student Information System (PeopleSoft or Legacy)
Grade system – user access
Interface from grade system to financial aid system (if applicable)
IRM Test Work – Key Dates
March 26, 2008 – Campus IT PBC list was sent to campuses
April 18, 2008 – Campus PBC were due to KPMG
April - July, 2008 – Campus IT general controls test work and specific business process controls test work
To gain efficiencies by working from one location, the IRM team will conduct testing remotely from our Orange County office. Please be prepared to accommodate conference calls during the week our teams are focusing on your campus as the testwork will be conducted via phone interviews and review of requested documents.
UNISYS Data Center review (May 12 – 16, 2008)
Project wrap up / Campus close out meetings (April ~ July)
IRM Deficiency and Communication
Impact on Financial Audit Team
As IRM leads in the timing of its testwork, IRM will report all deficiencies to the financial audit team. The financial audit team will analyze these deficiencies as they relate to their year-end financial statement audit. This may or may not have an impact on their audit procedures and sample sizes.
Control deficiencies
There is a focus on prior-year deficiencies. Unremediated issues are of more concern and are high risk, as management needs to be sure the prior issues are acknowledged and resolved.
Pervasive issues have an impact on the progress of the IRM audit. If we find a pervasive deficiency prior to detailed testwork, we will not test all controls, as testwork over alternative controls will not mitigate the risk of such pervasive deficiencies.
Close out meetings / deficiency meetings will be conducted after each campus has been properly analyzed and reviewed by KPMG management. This meeting will be conducted prior to KPMG’s formal notification to the Chancellor’s Office. We will invite all GAAP and IT contacts associated with the respective campus noted within the Chancellor’s Office contact listing. We ask that each campus review the listing to help us ensure the appropriate contacts are notified of deficiencies for each campus.
Questions