Building an Effective IT Audit Strategy to Support Your SOX/CSOX Program
By Adrienne Bellehumeur, Risk Oversight, January 2016
Uploaded by adrienne-bellehumeur, posted 22-Jan-2018

Page 1: Building an Effective IT Audit Strategy to Support your SOX or CSOX Program by A. Bellehumeur Risk Oversight

Building an Effective IT Audit Strategy to Support Your SOX/CSOX Program

By Adrienne Bellehumeur, Risk Oversight

Risk Oversight, January 2016

Page 2

Objectives

This presentation is designed to provide you with guidance on building, refreshing or communicating your IT Audit Strategy to support your SOX or CSOX program. It outlines best practices for an IT Audit program that is integrated with financial risks and updated to current best practices, including the COBIT framework.

If you have any questions or feedback about this presentation, please contact:

Adrienne Bellehumeur
Director, Risk Oversight
(403) 478-6643
[email protected]
www.riskoversight.ca

We would love to talk to you more about your IT Audit issues, concerns and needs!

Page 3

IT Audit Strategy Objectives

(Diagram labels: Best Practices, IT Dept., Financial Risk)

• Align IT Strategy with the organization’s financial risks and controls.
• Reflect the nature of the organization’s current IT environment and the specific risks to this environment.
• Update to current best practices, based on changes to technology, technology risks and current methodologies.
• Establish and outline the rhythm for ongoing ITGC testing (quarterly) and process-level IT testing (annual, tests of “one”).
• Provide more efficiency and effectiveness in the overall IT testing approach.

Page 4

GAIT Framework for Internal Audit

(Diagram labels: Application Functionality, Application Controls, IT General Controls)

This slide illustrates the alignment with the GAIT framework. This framework can be very useful for Internal Audit departments.

Page 5

Assessing Overall IT Risk Level

IT Risk Level Considerations:

• The nature of the company’s revenues and expenses (manual or automated processes)
• Management oversight
• Reliance on IT
• Stability of IT functions, processes and controls
• Combination of manual and IT related organizational risks

Risk levels:

• High – high dependence on IT controls (e.g. airlines, manufacturers)
• Medium – medium dependence
• Low – low dependence (e.g. consulting companies)

Page 6

IT Approach Overview

Application Level
• Application Controls
• Key Reports
• Interfaces
• Spreadsheets

ITGCs
• User Access Management
• Change Management
• Solutions Delivery Framework
• Server and Database Management

Page 7

Application Level

Page 8

Automated Controls Approach

• Step back and align automated controls with financial risks
• Stop or reduce testing of canned features
• Stop testing controls that haven’t changed from the previous year
• Reduce the amount of work for the Financial Auditors through effective test planning
• Start understanding application level programs and code in more depth, and have an effective and efficient approach to addressing this

Page 9

Automated Controls – Benchmarking

• An approach that enables us to rely on Change Management
• “Proving” that the system controls haven’t changed year to year
• Understand and document the names of underlying programs and/or code
• Document the last change dates and review only the areas of change year to year

(Diagram steps: Document Underlying Code; Prove No Change; Rely on Change Management Controls)
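A worked illustration of the benchmarking step described above, added here as example code and not taken from the presentation or from Risk Oversight. It fingerprints each documented program, compares this year's inventory against last year's baseline, and uses the change log's last-change dates to decide which programs can be carried forward on change-management reliance and which need a fresh look. The program names, source text and dates are constructed sample data; the status names are the example's own.

```python
import hashlib
from datetime import date

# Constructed sample data, not from the presentation.
# Baseline documented at last year's test: program name -> source text as it was then.
PRIOR_YEAR_SOURCES = {
    "AR_AGING_RPT": "SELECT cust, SUM(amt) FROM ar GROUP BY cust",
    "REV_POST": "def post(tx): ledger.append(tx)",
    "FX_REVAL": "rate = get_rate(ccy); bal *= rate",
}
# Current inventory: program name -> (current source, last change date per the change log).
CURRENT_SOURCES = {
    "AR_AGING_RPT": ("SELECT cust, SUM(amt) FROM ar GROUP BY cust", date(2014, 3, 2)),
    "REV_POST": ("def post(tx):\n    validate(tx)\n    ledger.append(tx)", date(2015, 11, 17)),
    "PAYROLL_ACCRUAL": ("accrual = hours * rate * 0.5", date(2015, 9, 1)),
    "FX_REVAL": ("rate = get_rate(ccy)\nbal = bal * rate", date(2013, 6, 30)),
}
PERIOD_START = date(2015, 1, 1)  # first day of the period under audit


def fingerprint(source: str) -> str:
    """SHA-256 of the program text: the documented 'underlying code' the benchmark rests on."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def build_baseline(sources: dict) -> dict:
    """Record program name -> fingerprint at the time of the baseline test."""
    return {name: fingerprint(src) for name, src in sources.items()}


def benchmark(baseline: dict, current: dict, period_start: date) -> dict:
    """Classify each in-scope program for this year's test plan.

    unchanged        code identical to baseline: rely on change management, no re-test
    changed          code differs and the change log records a change in the period:
                     review only the changed area
    new              not in the baseline: full test
    removed          in the baseline but gone: confirm retirement and update scope
    unlogged_change  code differs but the change log shows no change in the period:
                     change management cannot be relied on for this program
    """
    result = {}
    for name, (src, last_change) in current.items():
        if name not in baseline:
            result[name] = "new"
            continue
        if fingerprint(src) == baseline[name]:
            result[name] = "unchanged"
        elif last_change >= period_start:
            result[name] = "changed"
        else:
            result[name] = "unlogged_change"
    for name in baseline:
        if name not in current:
            result[name] = "removed"
    return result


def programs_to_retest(classification: dict) -> list:
    """Everything that cannot simply be carried forward on the prior year's work."""
    return sorted(n for n, s in classification.items() if s not in ("unchanged", "removed"))


if __name__ == "__main__":
    plan = benchmark(build_baseline(PRIOR_YEAR_SOURCES), CURRENT_SOURCES, PERIOD_START)
    for name, status in sorted(plan.items()):
        print(f"{name:16} {status}")
```

The case worth watching is "unlogged_change": the code differs from the baseline but the change log shows nothing in the period. That is exactly the situation in which "proving no change" via change management breaks down, so the function reports it separately instead of folding it into "changed".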

Page 10

Key Reports

• Identify critical reports used in financial processes
• Identify which reports are canned or custom-built
• Test custom-built reports through approaches including:
  – Reviewing the controls around them
  – Screenshots of code
  – Samples
• Rely on benchmarking strategy

(Diagram steps: Identify; Canned vs. Custom-built; Test; Benchmark)

Page 11: Building an Effective IT Audit Strategy to Support your SOX or CSOX Program by A. Bellehumeur Risk Oversight

Interfaces Step back and look at the organization’s critical transaction flow impacting the financial statements.

Analyze the risk associated with transaction flow and areas where existing manual controls don’t cover.

Identify critical interfaces through creating High Level Diagram

Link Data Transfers and interfaces with Existing Financial Controls

Discuss with IT Department to vet understanding of the IT risks and controls

January 8 2016 11

Page 12

Spreadsheets

• May be considered a CFO/Controller concern
• Area with a high chance of error
• Testing for integrity is performed through manual testing linked to financial processes
• From an IT perspective, the focus of critical spreadsheet testing is on access controls to folders
• High priority spreadsheets often exist in processes including Tax, Goodwill & Intangibles, and Financial Statement Preparation

(Diagram labels: Integrity, Access, Back-Up, Version Control)

Page 13

IT General Controls (ITGCs)

Page 14

Areas No Longer Required for SOX/CSOX

× Job Scheduling
× Problem and Incident Management testing (a sample of one is sufficient)
× Network Management and Security
× Desktop Configuration
× Service Level Agreements
× Anti-Virus controls
× IT Expenditures (covered under PPP testing)
× Systems development project management practices
× Patch Management
× Physical Access and Security
× Back-up and Recovery

Page 15

Possible In Scope Processes

User Access Management
• Access for (1) ERP/in-scope applications, (2) Active Directory and (3) third parties; segregation of duties (SOD); passwords

Change Management
• Changes are documented, authorized, approved and tested; SOD
• Change Advisory Board (CAB) review; emergency changes

Solutions Delivery Framework
• Business approval of requirements
• Approval before move into production

Server and Database Management
• Access, Change, Configuration Management, Monitoring

Page 16

User Access Management

Granting
• Granting access to Active Directory, ERP/in-scope applications, and in-scope third party applications

Monitoring
• Quarterly access reviews

SOD
• Segregation of duties in ERP/in-scope applications

Termination
• Termination procedures across systems
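The four User Access Management areas above (granting, quarterly review, SOD, termination) reduce to one reconciliation: account extracts from each in-scope system checked against the HR master and an SOD rule set. The following is an added example of that reconciliation, not code from the presentation or from Risk Oversight. The HR records, system extracts, role names, SOD rule pairs and the one-day grace period are all constructed assumptions.

```python
from datetime import date

# Constructed sample data, not from the presentation.
# HR master: user id -> (employment status, termination date or None)
HR = {
    "jsmith": ("active", None),
    "mlee": ("terminated", date(2015, 10, 15)),
    "rkhan": ("active", None),
    "svc_batch": ("active", None),
    "tbrown": ("terminated", date(2015, 12, 1)),
}
# Account extracts per in-scope system: system -> {user id: set of roles held}
SYSTEMS = {
    "active_directory": {
        "jsmith": {"Domain Users"},
        "mlee": {"Domain Users"},
        "rkhan": {"Domain Users"},
        "svc_batch": {"Domain Users"},
    },
    "erp": {
        "jsmith": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
        "rkhan": {"GL_POST"},
        "tbrown": {"AR_CASH_APPLY"},
    },
    "payroll_saas": {
        "rkhan": {"PAYROLL_VIEW"},
        "mlee": {"PAYROLL_ADMIN"},
        "contractor7": {"PAYROLL_VIEW"},
    },
}
# SOD rule set for the ERP: pairs of roles no single user should hold together
SOD_CONFLICTS = [
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE"}),
]
GRACE_DAYS = 1  # days after termination within which removal is considered timely
AS_OF = date(2015, 12, 31)  # quarter-end date of the review


def terminated_still_active(hr: dict, systems: dict, as_of: date) -> list:
    """Termination procedures across systems: leavers whose accounts still exist."""
    findings = []
    for system, accounts in systems.items():
        for user in sorted(accounts):
            status, term_date = hr.get(user, ("unknown", None))
            if status == "terminated" and (as_of - term_date).days > GRACE_DAYS:
                findings.append((system, user, term_date))
    return findings


def orphan_accounts(hr: dict, systems: dict) -> list:
    """Accounts with no HR record: no owner to attest to them in the access review."""
    return sorted((system, user) for system, accounts in systems.items()
                  for user in accounts if user not in hr)


def sod_violations(accounts: dict, rules: list) -> list:
    """Users holding a conflicting pair of roles within one system."""
    found = []
    for user, roles in sorted(accounts.items()):
        for pair in rules:
            if pair <= roles:
                found.append((user, tuple(sorted(pair))))
    return found


def quarterly_review(hr: dict, systems: dict, rules: list, as_of: date) -> dict:
    """Exception listing for the quarterly access review."""
    return {
        "terminated_still_active": terminated_still_active(hr, systems, as_of),
        "orphans": orphan_accounts(hr, systems),
        "sod": sod_violations(systems["erp"], rules),
    }


if __name__ == "__main__":
    for section, items in quarterly_review(HR, SYSTEMS, SOD_CONFLICTS, AS_OF).items():
        print(section, items)
```

Running it against the sample data surfaces a leaver still present in two systems, a leaver still in the ERP, a payroll account with no HR owner, and one ERP user who can both enter invoices and approve payments. Orphan accounts are listed separately because an access review can only be attested by an owner, and an account no one owns cannot be reviewed at all.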

Page 17

Change Management

• Authorized
• Documented
• Tested
• Approved (before move into production)
• Segregation of Duties

Page 18

Solutions Delivery Framework

Approval of Business Requirements
• Has the Business Owner signed off on the Business Requirements?

Approval before move into Production
• Have the appropriate testers documented their approval of the new system before moving it into production?
• Has the Business Owner performed UAT testing?

Page 19

Server and Database Management

Access Management
• Granting Administrator/DBA access rights
• Monitoring access regularly

Change Management
• Reference to Change Management
• Deployment of new Servers and Databases

Monitoring
• Monitoring Servers and Databases against configuration standards, back-up, etc.
• Tools
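An added example of the monitoring bullet above (servers and databases checked against a configuration standard, backup currency and approved DBA access); it is not code from the presentation or from Risk Oversight. The standard, the host snapshots, the setting names and the approved DBA list are constructed assumptions standing in for whatever the monitoring tool actually pulls.

```python
from datetime import date

# Constructed sample data, not from the presentation.
# Configuration standard the in-scope database servers are held to.
STANDARD = {
    "password_min_length": 12,
    "remote_root_login": False,   # must be disabled
    "audit_logging": True,        # must be enabled
    "max_backup_age_days": 1,
}
APPROVED_DBAS = {"dba1", "dba2"}  # DBA accounts granted through the access process
AS_OF = date(2015, 12, 31)

# Snapshots as a monitoring tool would pull them from each host.
SNAPSHOTS = {
    "db-erp-01": {"password_min_length": 12, "remote_root_login": False, "audit_logging": True,
                  "last_backup": date(2015, 12, 30), "dba_accounts": {"dba1", "dba2"}},
    "db-erp-02": {"password_min_length": 8, "remote_root_login": True, "audit_logging": True,
                  "last_backup": date(2015, 12, 24), "dba_accounts": {"dba1", "tmp_admin"}},
    "db-hr-01": {"password_min_length": 14, "remote_root_login": False, "audit_logging": False,
                 "last_backup": date(2015, 12, 31), "dba_accounts": {"dba1"}},
}


def check_host(snapshot: dict, standard: dict, approved_dbas: set, as_of: date) -> list:
    """Return the deviations from the standard for one host (empty list = compliant)."""
    deviations = []
    if snapshot["password_min_length"] < standard["password_min_length"]:
        deviations.append("password_min_length")
    if snapshot["remote_root_login"] and not standard["remote_root_login"]:
        deviations.append("remote_root_login")
    if standard["audit_logging"] and not snapshot["audit_logging"]:
        deviations.append("audit_logging")
    if (as_of - snapshot["last_backup"]).days > standard["max_backup_age_days"]:
        deviations.append("backup_overdue")
    unapproved = snapshot["dba_accounts"] - approved_dbas  # DBA access outside the granting process
    if unapproved:
        deviations.append("unapproved_dba:" + ",".join(sorted(unapproved)))
    return deviations


def monitor(snapshots: dict, standard: dict, approved_dbas: set, as_of: date) -> dict:
    """Host -> deviations; hosts with an empty list need no follow-up this cycle."""
    return {host: check_host(snap, standard, approved_dbas, as_of)
            for host, snap in snapshots.items()}


def hosts_needing_followup(report: dict) -> list:
    """Hosts with at least one deviation, for the monitoring exception list."""
    return sorted(host for host, devs in report.items() if devs)


if __name__ == "__main__":
    for host, devs in monitor(SNAPSHOTS, STANDARD, APPROVED_DBAS, AS_OF).items():
        print(host, devs or "compliant")
```

The DBA check ties the monitoring bullet back to the access management bullet on the same slide: an administrator account that does not appear in the approved list is an access finding, not just a configuration drift, and is reported by name so it can be traced to a granting request.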

Page 20

Summary

To reiterate the purpose of this presentation, the objectives are to:

• Align with the organization’s financial risks
• Align with best, current practices for SOX/CSOX and IT audit
• Provide an efficient and effective approach for testing IT controls
• Help with understanding of how IT controls link with, and should be tested with, financial processes and manual controls

Page 21

Questions for CIO and IT Management

If you are building a program from scratch or revising your existing program, here are some great questions to ask your CIO or IT management. Their answers will influence how you design your IT strategy and IT SOX program going forward.

Page 22

What is the organization’s Strategic Direction for IT over the next three years?

• Could you describe the direction that the organization is taking regarding its IT strategy over the next three years?
• Are there any strategic changes that might impact our proposed changes to the SOX program?
  – Continued use of ERP and other key systems?
  – Managing acquired systems?
  – Structure of team?
  – Outsourcing?

Page 23

What keeps you up at night?

• What are the high risk areas in your mind?
• How can we improve the IT audit program to best address these areas?

Page 24

How can we drive more value out of the IT SOX program and IT audit program?

• How can we drive more value out of the SOX/CSOX program?
• Other than SOX/CSOX, are there other special projects where we can drive more value?
  – Segregation of duties review?
  – Review of new company acquisitions or other strategic changes?
  – Network and security?
  – Project Management practices?
  – IT Service Levels?

Page 25

Questions or Comments?

If you have any questions or feedback about this presentation, please contact:

Adrienne Bellehumeur
(403) 478-6643
[email protected]
Risk Oversight
www.riskoversight.ca

We would love to talk to you more about your IT Audit issues, concerns and needs!