Audit Implications of Integrated Financial Management Information Systems
Dr. Paul Dorsey, Dulcian, Inc. (slide transcript)
Slide 1 of 22
Audit Implications of Integrated Financial Management Information Systems (IFMISs)
Dr. Paul Dorsey, Dulcian, Inc., May 20, 2009
Slide 2 of 22
Conventional Wisdom
IFMISs reduce audit risk.
Audit the IFMIS and the non-IFMIS independently.
IT auditors bless the IFMIS. Traditional auditors ignore the IFMIS.
“Auditing” an IFMIS means: code control, access control, black-box validation (inputs generate correct outputs).
Slide 3 of 22
Why should we worry?
IFMISs INCREASE exposure.
Standard audit techniques will not effectively assess exposure risks.
Standard controls do not protect effectively against IFMIS-impacted exposures.
Developed nation companies do not usually have well controlled environments.
Slide 4 of 22
The Main Problem
Manual process flow: lots of automatic controls based on many people seeing the transaction; lots of controls to avoid manual data entry errors also control fraud; separation of duties well understood and controlled.
IFMIS process flow: single point of failure; vulnerable to anyone with low-level access to the system.
Slide 5 of 22
Manual Process
Enter transaction -> Approve transaction -> Prepare check -> Approve payment
Slide 6 of 22
IFMIS Process
Enter transaction -> Approve transaction -> Approve payment -> IFMIS prints check
Slide 7 of 22
Why is this problem not widely discussed?
Accountants/Auditors are not Information Technology (IT) trained.
IT audit is a specialty area separated from traditional audit.
Audit culture treats IT as independent.
Slide 8 of 22
Controlling Risk
Control/Exposure Matrix (rows: controls; columns: exposures)

Control              Invalid Transaction   Data Entry Error   Coding Error   Developer-Introduced Fraud
Periodic Audit       Medium                Medium             High           None
Dual Entry           High                  High               N/A            None
Test Deck Audit      N/A                   N/A                High           None
Level of Protection  High                  High               High           None
Slide 9 of 22
Ineffective Controls
Controls that are ignored, bypassed, faked, or not implemented:
Accountants stay up all night to “sign” documents.
Electronic sign-offs that are not intrusive: users demand bulk approvals.
Separation of duties: everyone trusts the “system.”
Meaningless validations: system auto-calculates footing total.
Slide 10 of 22
New Controls Needed
Artificial separation of duties
Inefficient manual steps, particularly on cash transfers
Comprehensive control system audit
Functional controls that go around the system
Slide 11 of 22
Exposure Risks Increased by IFMIS
Data Entry Errors
Fraudulent Transactions (especially collusion frauds)
Subtle Process Errors
Computer Professional Fraud
Total loss of data (physical system failure)
HUGE frauds
Outsider access to system (everyone is virused)
System hacking (Internet exposure)
Slide 12 of 22
Decreasing Risks (1)
Data Entry Errors
System validations: contingent process flows, validation rules, check digits on account codes
Multi-entry (double or triple entry)
Review transactions
Audit against source documents
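Two of the data-entry controls listed on this slide, a check digit on account codes and double entry against the same source document, worked out as an added example. This is not code from the slides or from Dulcian; the weighted modulus-11 scheme, the field names and the sample entries are assumptions made for the example.

```python
"""Added example (not from the slides): a check digit on account codes and
double-entry reconciliation, two of the data-entry controls named on slide 12."""
from __future__ import annotations

# Repeating weight pattern for the check digit (an assumption for this example;
# the slide names the control, not an algorithm). With modulus 11 (a prime) and
# adjacent weights that always differ, every single-digit substitution and every
# adjacent transposition inside the body changes the weighted sum mod 11, so
# both kinds of keying error are caught.
WEIGHTS = (7, 3, 1)


def compute_check_digit(body: str) -> str:
    """Return the check character for a numeric account-code body.
    Weighted sum mod 11; a remainder of 10 is written as 'X'."""
    if not body.isdigit():
        raise ValueError("account code body must be numeric")
    total = sum(int(ch) * WEIGHTS[i % len(WEIGHTS)] for i, ch in enumerate(body))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid_account_code(code: str) -> bool:
    """True when the final character of the code matches the check digit of the rest."""
    if len(code) < 2:
        return False
    body, check = code[:-1], code[-1]
    try:
        return compute_check_digit(body) == check.upper()
    except ValueError:
        return False


def validate_entry(entry: dict) -> list[str]:
    """System validation rules for one keyed transaction; returns the problems found."""
    problems = []
    if not is_valid_account_code(str(entry.get("account", ""))):
        problems.append("account code fails check digit")
    amount = entry.get("amount_cents")
    if not isinstance(amount, int) or amount <= 0:
        problems.append("amount must be a positive whole number of cents")
    return problems


def reconcile_double_entry(first: dict, second: dict) -> list[str]:
    """Compare two independent keyings of one source document and return the
    fields on which they disagree (an empty list means the entries match)."""
    return sorted(
        name for name in set(first) | set(second) if first.get(name) != second.get(name)
    )


if __name__ == "__main__":
    # Constructed sample: the same invoice keyed by two clerks; the second
    # transposed two digits of the amount.
    keyed_by_clerk_a = {"account": "12345674", "amount_cents": 125_000}
    keyed_by_clerk_b = {"account": "12345674", "amount_cents": 152_000}
    print("check digit for 1234567:", compute_check_digit("1234567"))
    print("transposed code 21345674 valid?", is_valid_account_code("21345674"))
    print("validation problems:", validate_entry(keyed_by_clerk_a))
    print("double-entry mismatches:", reconcile_double_entry(keyed_by_clerk_a, keyed_by_clerk_b))
```

The check digit catches a mis-keyed account code at the point of entry; double entry catches the errors a check digit cannot see, such as a correct account code against the wrong amount, because two people would have to make the same mistake.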
Slide 13 of 22
Decreasing Risks (2)
Fraudulent Transactions
Same controls as data entry errors
More levels of review
Random assignment of review
Explicitly audit for fraud
Slide 14 of 22
Decreasing Risks (3)
Subtle Process Errors
Code review
Exhaustive test decks
“Test first” philosophy
Business Rules approach
Manual and automated testing
Slide 15 of 22
Decreasing Risks (4)
Computer Professional Fraud
Pair programming
Explicit QA of all code
Control “around” the system
Reports/controls NOT built/controlled by the same team
Hire honest people
Place a manual (non-system-dependent) control on all cash transfers
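The artificial separation of duties from slide 10, the random assignment of review from slide 13 and the manual control on cash transfers from this slide, combined into one small approval workflow as an added example. This is not code from the slides or from Dulcian; the four step names follow the manual process on slide 5, and the user names, reviewer pool and paper-log reference are constructed for the example.

```python
"""Added example (not from the slides): an approval workflow that enforces
separation of duties across the four manual-process steps, assigns the
reviewer at random, and refuses to approve a cash transfer payment without a
reference to a manual, out-of-system control. Names are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# The four steps of the manual process flow on slide 5, in order.
STEPS = ("enter", "approve_transaction", "prepare_payment", "approve_payment")


class ControlViolation(Exception):
    """Raised when an action would defeat a control; the action is refused."""


@dataclass
class Transaction:
    txn_id: str
    amount_cents: int
    is_cash_transfer: bool
    steps: dict[str, str] = field(default_factory=dict)  # step -> user who performed it
    assigned_reviewer: str | None = None
    manual_control_ref: str | None = None  # e.g. a line in a paper cash-transfer log


def assign_reviewer(txn: Transaction, reviewer_pool: list[str]) -> str:
    """Pick the reviewer at random from those who have not touched the
    transaction, so the person who entered it cannot choose (or be) its reviewer."""
    eligible = [u for u in reviewer_pool if u not in txn.steps.values()]
    if not eligible:
        raise ControlViolation(f"{txn.txn_id}: no independent reviewer available")
    txn.assigned_reviewer = secrets.choice(eligible)
    return txn.assigned_reviewer


def perform_step(txn: Transaction, step: str, user: str) -> None:
    """Record one step, refusing anything that breaks the control sequence."""
    if step not in STEPS:
        raise ValueError(f"unknown step {step!r}")
    expected = STEPS[len(txn.steps)] if len(txn.steps) < len(STEPS) else None
    if step != expected:
        raise ControlViolation(f"{txn.txn_id}: expected {expected!r}, got {step!r}")
    # Separation of duties: one person may perform at most one step.
    if user in txn.steps.values():
        raise ControlViolation(f"{txn.txn_id}: {user} already performed a step")
    # Only the randomly assigned reviewer may approve (none assigned: nobody may).
    if step == "approve_transaction" and user != txn.assigned_reviewer:
        raise ControlViolation(f"{txn.txn_id}: {user} is not the assigned reviewer")
    # Slide 15: a manual, non-system-dependent control on every cash transfer.
    if step == "approve_payment" and txn.is_cash_transfer and not txn.manual_control_ref:
        raise ControlViolation(f"{txn.txn_id}: cash transfer lacks a manual control reference")
    txn.steps[step] = user


def try_step(txn: Transaction, step: str, user: str) -> bool:
    """True if the step was accepted, False if a control refused it."""
    try:
        perform_step(txn, step, user)
    except ControlViolation:
        return False
    return True


def is_complete(txn: Transaction) -> bool:
    return len(txn.steps) == len(STEPS)


def find_sod_breaches(audit_log: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Detective control for an after-the-fact audit: scan (txn_id, step, user)
    records and report transactions where one user performed more than one step,
    which catches cases where the preventive check above was bypassed or absent."""
    seen: dict[str, dict[str, list[str]]] = {}
    for txn_id, step, user in audit_log:
        seen.setdefault(txn_id, {}).setdefault(user, []).append(step)
    return {
        txn_id: sorted(u for u, done in users.items() if len(done) > 1)
        for txn_id, users in seen.items()
        if any(len(done) > 1 for done in users.values())
    }


def run_demo() -> Transaction:
    """Walk one cash transfer through all four steps with four distinct people."""
    txn = Transaction("T-1001", amount_cents=250_000, is_cash_transfer=True)
    perform_step(txn, "enter", "alice")
    reviewer = assign_reviewer(txn, ["bob", "carol", "dave"])
    perform_step(txn, "approve_transaction", reviewer)
    others = [u for u in ("bob", "carol", "dave") if u != reviewer]
    perform_step(txn, "prepare_payment", others[0])
    txn.manual_control_ref = "CASH-LOG-2009-0042"  # constructed paper-log reference
    perform_step(txn, "approve_payment", others[1])
    return txn


if __name__ == "__main__":
    done = run_demo()
    print("complete:", is_complete(done), done.steps)
    # Constructed audit log in which erin both entered and approved T-1002.
    log = [("T-1002", "enter", "erin"), ("T-1002", "approve_transaction", "erin"),
           ("T-1003", "enter", "frank"), ("T-1003", "approve_transaction", "gina")]
    print("separation-of-duties breaches:", find_sod_breaches(log))
```

The preventive checks in `perform_step` recreate the "many people seeing the transaction" property of the manual flow inside the system, while `find_sod_breaches` is the control "around" the system: it reads the audit log independently and would still flag a transaction where the in-system check had been disabled.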
Slide 16 of 22
Decreasing Risks (5)
Total loss of data
Transaction-level, off-site back-up
Multi-site (out-of-country) back-up
Test the back-up strategy
Slide 17 of 22
Decreasing Risks (6)
Huge Frauds
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Don’t automate cash transfer
Slide 18 of 22
Decreasing Risks (7)
Outsider Access to System
No administrator rights for users
No external data devices for machines (no USB keys, no floppy drives)
Serious penalty for security violations
Real virus, firewall, and security software
Good security protocol (passwords, physical access)
Slide 19 of 22
Decreasing Risks (7)
System Hacking
Get a security audit by a leading expert
Slide 20 of 22
Conclusions
IFMISs increase audit risk.
Additional controls are necessary to reduce risks.
Most auditors ignore the issue.
Slide 21 of 22
Dulcian’s BRIM® Environment
Full business rules-based development environment
For a demo, write “BRIM” on your business card
Slide 22 of 22
Contact Information
Dr. Paul Dorsey – [email protected]
Dulcian website - www.dulcian.com
Books: Developer Advanced Forms & Reports; Designer Handbook; Oracle PL/SQL for Dummies (latest book); Design Using UML Object Modeling