Building an Effective IT Audit Strategy to Support Your SOX/CSOX Program
By Adrienne Bellehumeur, Risk Oversight
Risk Oversight, January 2016
Objectives

This presentation is designed to provide guidance on building, refreshing or communicating your IT Audit Strategy to support your SOX or CSOX program. It outlines some best practices for an IT Audit program integrated with financial risks and updated to current best practices, including the COBIT framework.

If you have any questions or feedback about this presentation, please contact:
Adrienne Bellehumeur, Director, Risk Oversight
(403) 478-6643
[email protected]
www.riskoversight.ca

We would love to talk to you more about your IT Audit issues, concerns and needs!
IT Audit Strategy Objectives

[Figure: IT Audit Strategy at the intersection of Best Practices, the IT Dept. and Financial Risk]

• Align IT Strategy with the organization’s financial risks and controls.
• Reflect the nature of the organization’s current IT environment and the specific risks to this environment.
• Update to current best practices, based on changes to technology, technology risks and current methodologies.
• Establish and outline the rhythm for ongoing ITGC testing (quarterly) and process-level IT testing (annual, tests of “one”).
• Provide more efficiency and effectiveness in the overall IT testing approach.
GAIT Framework for Internal Audit
[Figure: GAIT framework layers: Application Functionality, Application Controls, IT General Controls]

This slide illustrates the alignment with the GAIT framework. This framework can be very useful for Internal Audit departments.
Assessing Overall IT Risk Level

IT Risk Level Considerations:
• The nature of the company’s revenues and expenses (manual or automated processes)
• Management oversight
• Reliance on IT
• Stability of IT functions, processes and controls
• Combination of manual and IT related organizational risks

IT Risk Level:
• High: high dependence on IT controls (e.g. airlines, manufacturers)
• Medium: medium dependence
• Low: low dependence (e.g. consulting companies)
IT Approach Overview
Application Level
• Application Controls
• Key Reports
• Interfaces
• Spreadsheets
ITGCs
• User Access Management
• Change Management
• Solutions Delivery Framework
• Server and Database Management
Application Level
Automated Controls Approach
• Step back and align automated controls with financial risks
• Stop or reduce testing of canned features
• Stop testing controls that haven’t changed from the previous year
• Reduce the amount of work for the Financial Auditors through effective test planning
• Start understanding application-level programs and code in more depth, with an effective and efficient approach to addressing this
Automated Controls – Benchmarking
• An approach that enables us to rely on Change Management
• “Proving” that the system controls haven’t changed year to year
• Understand and document the names of underlying programs and/or code
• Document the last change dates and review only the areas of change year to year

[Figure: Document Underlying Code → Prove No Change → Rely on Change Management Controls]
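As an added illustration of the benchmarking step (not code from the presentation or from Risk Oversight), the script below records a content hash and the documented last-change date for the programs behind each automated control and compares them with the prior-year baseline, so only controls whose code actually changed are re-tested; the control IDs, program names and source extracts are hypothetical.

```python
import hashlib

# Constructed sample: hypothetical program names behind each automated control (not from the slides).
# This control-to-program mapping is what the "Document Underlying Code" step produces.
CONTROL_PROGRAMS = {
    "AC-01 Three-way match (AP)": ["ZAP_MATCH_PO_INV"],
    "AC-02 Credit limit block (SO)": ["ZSO_CREDIT_CHECK", "ZSO_CREDIT_LIMITS"],
}
# Hypothetical source extracts: program name -> (source bytes, last-change date from the change log).
PRIOR_YEAR = {
    "ZAP_MATCH_PO_INV": (b"IF inv_amt <> po_amt. RAISE mismatch. ENDIF.", "2014-03-02"),
    "ZSO_CREDIT_CHECK": (b"IF open_ar + order > limit. SET block. ENDIF.", "2013-11-20"),
    "ZSO_CREDIT_LIMITS": (b"limit = customer_master-credit_limit.", "2013-11-20"),
}
CURRENT_YEAR = {
    "ZAP_MATCH_PO_INV": (b"IF inv_amt <> po_amt. RAISE mismatch. ENDIF.", "2014-03-02"),
    "ZSO_CREDIT_CHECK": (b"IF open_ar + order > limit * 1.05. SET block. ENDIF.", "2015-09-14"),
    "ZSO_CREDIT_LIMITS": (b"limit = customer_master-credit_limit.", "2013-11-20"),
}

def fingerprint(programs):
    """Record a content hash plus the documented last-change date for each program.
    The hash is the evidence of "no change"; a date on its own can be stale or mis-recorded."""
    return {name: {"sha256": hashlib.sha256(src).hexdigest(), "last_change": changed}
            for name, (src, changed) in programs.items()}

def benchmark(baseline, current, control_programs=CONTROL_PROGRAMS):
    """Compare this year's fingerprints with the prior-year baseline, control by control.
    'benchmark': every underlying program is unchanged, so rely on change management and prior testing.
    'retest': a program changed or is missing. 'confirm': only the change date moved, so the
    change record disagrees with the code and should be checked before benchmarking."""
    results = {}
    for control, progs in control_programs.items():
        changed, notes = [], []
        for p in progs:
            old, new = baseline.get(p), current.get(p)
            if old is None or new is None:
                changed.append(f"{p}: missing from {'baseline' if old is None else 'current'}")
            elif old["sha256"] != new["sha256"]:
                changed.append(f"{p}: changed {old['last_change']} -> {new['last_change']}")
            elif old["last_change"] != new["last_change"]:
                notes.append(f"{p}: change date moved without a content change; confirm change record")
        status = "retest" if changed else ("confirm" if notes else "benchmark")
        results[control] = {"status": status, "evidence": changed + notes}
    return results

if __name__ == "__main__":
    for control, r in benchmark(fingerprint(PRIOR_YEAR), fingerprint(CURRENT_YEAR)).items():
        print(control, r["status"], *r["evidence"], sep="\n  ")
```

The baseline only proves "no change" if the change management controls it relies on are themselves effective, which is why the slide pairs the two.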
Key Reports
• Identify critical reports used in financial processes
• Identify which reports are canned or custom-built
• Test custom-built reports through approaches including:
  – Reviewing the controls around them
  – Screenshots of code
  – Samples
• Rely on the benchmarking strategy

[Figure: Identify → Canned vs. Custom-built → Test → Benchmark]
Interfaces
• Step back and look at the organization’s critical transaction flow impacting the financial statements.
• Analyze the risk associated with transaction flow and areas where existing manual controls don’t cover.
• Identify critical interfaces by creating a High Level Diagram.
• Link Data Transfers and interfaces with Existing Financial Controls.
• Discuss with the IT Department to vet understanding of the IT risks and controls.
Spreadsheets
• May be considered a CFO/Controller concern
• Area with a high chance of error
• Testing for integrity is performed through manual testing, linked to financial processes
• From an IT perspective, the focus of critical spreadsheet testing is on Access Controls to folders
• High priority spreadsheets often exist in processes including Tax, Goodwill & Intangibles, and Financial Statement Preparation

[Figure: spreadsheet control areas: Integrity, Access, Back-Up, Version Control]
IT General Controls (ITGCs)
Areas No Longer Required for SOX/CSOX
× Job Scheduling
× Problem and Incident Management testing (a sample of one is sufficient)
× Network Management and Security
× Desktop Configuration
× Service Level Agreements
× Anti-Virus controls
× IT Expenditures (covered under PPP testing)
× Systems development project management practices
× Patch Management
× Physical Access and Security
× Back-up and Recovery
Possible In Scope Processes

User Access Management
• Access for (1) ERP/in-scope applications, (2) Active Directory and (3) Third Parties; segregation of duties (SOD); passwords

Change Management
• Changes are documented, authorized, approved, tested; SOD
• Change Advisory Board (CAB) review; Emergency changes

Solutions Delivery Framework
• Business approval of requirements
• Approval before move into production

Server and Database Management
• Access, Change, Configuration Management, Monitoring
User Access Management
• Granting: granting access to Active Directory, ERP/in-scope applications, and in-scope third party applications
• Monitoring: quarterly access reviews
• SOD: segregation of duties in ERP/in-scope applications
• Termination: termination procedures across systems
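An added example, not from the presentation, of what the Monitoring, SOD and Termination checks look like when run over constructed account extracts: it flags terminated staff still enabled in any in-scope system, role combinations that violate an SOD rule, and accounts with no HR owner. All people, systems and roles are hypothetical.

```python
from datetime import date

# Constructed sample extracts with hypothetical people, accounts and roles (not from the slides).
# HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2015, 10, 31)),
}
# Account extracts from each in-scope system: (system, account, employee id, enabled, roles).
ACCOUNTS = [
    ("AD", "jdoe", "E100", True, []),
    ("AD", "msmith", "E101", True, []),            # terminated in HR, still enabled in AD
    ("ERP", "JDOE", "E100", True, ["AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"]),  # SOD conflict
    ("ERP", "MSMITH", "E101", False, ["GL_POST"]),  # correctly disabled on termination
    ("ERP", "SVC01", None, True, ["GL_POST"]),      # no HR record: service account or orphan
]
# SOD rule set: conflicting role combinations and the business risk each represents.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "Enter vendor invoice and release its payment",
}

def review_access(roster, accounts, sod_rules, as_of):
    """One quarterly review across systems. Returns (system, account, finding type, detail) tuples
    for enabled accounts of terminated staff, SOD conflicts, and accounts with no HR owner."""
    findings = []
    for system, account, emp, enabled, roles in accounts:
        hr = roster.get(emp)
        if hr is None:
            findings.append((system, account, "ORPHAN", "no HR record; confirm owner or service account"))
            continue
        status, term_date = hr
        if status == "terminated" and enabled:
            days = (as_of - term_date).days
            findings.append((system, account, "TERMINATION", f"still enabled {days} days after termination"))
        held = set(roles)
        for conflict, risk in sod_rules.items():
            if conflict <= held:  # account holds every role in the conflicting combination
                findings.append((system, account, "SOD", risk))
    return findings

def sample_review():
    """Run the review over the constructed extracts as at the 2015 Q4 review date."""
    return review_access(HR_ROSTER, ACCOUNTS, SOD_RULES, date(2015, 12, 31))

if __name__ == "__main__":
    for finding in sample_review():
        print(" | ".join(finding))
```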
Change Management
• Authorized
• Documented
• Tested
• Approved (before move into production)
• Segregation of Duties
Solutions Delivery Framework
Approval of Business Requirements
• Has the Business Owner signed off on the Business Requirements?
Approval before move into Production
• Have the appropriate testers documented their approval of the new system before moving it into production?
• Has the Business Owner performed UAT testing?
Server and Database Management

Access Management
• Granting Administrator/DBA access rights
• Monitoring access regularly

Change Management
• Reference to Change Management
• Deployment of new Servers and Databases

Monitoring
• Monitoring Servers and Databases against configuration standards, back-up, etc.
• Tools
Summary

To reiterate the purpose of this presentation, the objectives are to:
• Align with the organization’s financial risks
• Align with best, current practices for SOX/CSOX and IT audit
• Provide an efficient and effective approach for testing IT controls
• Help with understanding of how IT controls link with and should be tested with financial processes and manual controls
Questions for CIO and IT Management
If you are building a program from scratch or revising your existing program, here are some great questions to ask your CIO or IT management. Their answers will influence how you design your IT strategy and IT SOX program going forward.
What is the organization’s Strategic Direction for IT over the next three years?
• Could you describe the direction that the organization is taking regarding its IT strategy over the next three years?
• Are there any strategic changes that might impact our proposed changes to the SOX program?
  – Continue use of ERP and other key systems?
  – Managing acquired systems?
  – Structure of team?
  – Outsourcing?
What keeps you up at night?
• What are the high risk areas in your mind?
• How can we improve the IT audit program to best address these areas?
How can we drive more value out of the IT SOX program and IT audit program?
• How can we drive more value out of the SOX/CSOX program?
• Other than SOX/CSOX, are there other special projects where we can drive more value?
  – Segregation of duties review?
  – Review of new company acquisitions or other strategic changes?
  – Network and security?
  – Project Management practices?
  – IT Service Levels?
Questions or Comments?
If you have any questions or feedback about this presentation, please contact:
Adrienne Bellehumeur
(403) 478-6643
[email protected]
Risk Oversight
www.riskoversight.ca

We would love to talk to you more about your IT Audit issues, concerns and needs!