integrated audit approach an overview - qap advice & audit
1
Integrated Audit Approach: An Overview
Monique Garsoux, Dexia / Qualified Audit Partners
RTM 22/01/2005
2
Presentation Outline
The Need for Enterprises
What is Integrated Auditing
The integrated audit process – Audit methodology
Best practices
[Diagram: “Where are my business risks?” Labels shown: logical security, DB2, client accounts, manage problems & incidents, networks, cards, compliance, operational risk, Basle II.]
[Diagram: “Where is the integrated audit approach (IAA)? An example.” Labels shown: batch, account orders management, client orders DB, accounting, Banksys, branches, interest calculations, asynchronous, synchronous, dialog application, CRICRE, reconciliation, operations, security, Oracle, DB2, accounting application, problem management, network, CICS, MQM, compliance, integrated audit.]
6
What is Integrated Auditing
Combines elements of three traditional audit types: information technology (IT), operational and financial.
Provides a broader audit scope in which to render an opinion on the adequacy and effectiveness of a system of internal control to mitigate global business risks: one report.
7
Benefits of IAA
Eliminates redundant or narrow-view audits, duplicated work, missed opportunities for contribution, and the risk of false assurance.
Creates a broad-based audit.
Examines global process risks.
Provides executives with a coherent view.
Once adopted, subsequent audits become highly efficient, focusing on risks.
Combines what people do with what the computer does (or the contrary).
8
Effects of Technology
Technology makes certain traditional audit procedures invalid and/or of limited value.
Transaction processing becomes automatic and invisible, with reduced oversight due to less manual intervention.
New products / services / competition
9
Elements of IAA
Examines the combined manual procedures that people use together with the “invisible” procedures that computers perform, and the impact on the following steps:
Planning.
Evaluation.
Testing.
Reporting.
Follow-up.
10
Effect of traditional approach on the Audit Process
Uncoordinated audit plans
Separate audits
Parallel audits: two or more distinct audits.
Concurrent audits: risk analysis initiatives, process reengineering, performed around the same timeframe.
11
Results of Auditor’s Response
Specialization & Silo Auditing
Staff segregation between IT and Financial / Operational.
“The wall” erected within audit departments.
12
IAA Audit Planning
IAA critical success factor:
For each critical Potential Process, identify the IT system that supports the activities. For each business activity (main business functions), identify critical systems, interfaces, key manual procedures (especially reconciliations), and General Ledger impact.
Coordinate efforts
13
IAA Planning
IAA pitfall to avoid:
Not identifying IT components.
Not involving/confirming with Potential Audit Client management.
Not identifying manual “work-arounds”: processes that take place outside of the normal process flow.
Not taking enough time to plan.
14
IAA Planning
IAA planning should also identify, for each Potential Audit Client (process) and related IT system:
Master files.
System connectivity.
Sensitive/confidential data.
Information output: reports, computer-generated transactions, and computer-to-computer transmissions.
15
IAA Planning
Based on criticality ranking, select audit missions.
The result is a coordinated audit plan in which audit missions have been documented through an overview understanding of the subject.
16
IAA Evaluation
Depending on the scope of the audits selected (entire Potential Audit Client, one or more business activities), the auditor will “drill down” to obtain a more detailed understanding of the specific controls related to the Potential Audit Client or business activity under review, where necessary (based on potential risks).
17
IAA Evaluation
IAA evaluation consists of obtaining a detailed understanding of the control environment design: “Do adequate controls exist” to mitigate business risks (scope selected based on risks).
18
IAA Evaluation – Risk Assessment
IAA critical success factor – control design MUST include operational and IT controls.
TOTAL risk assessment incorporates business/industry risk and operational risk COMBINED with technology risk to form an opinion on the overall design of controls.
Where are the risks?
[Diagram: the example system map from earlier in the deck (batch, account orders management, client orders DB, accounting, Banksys, branches, interest calculations, asynchronous, synchronous, dialog application, CRICRE, reconciliation, operations, security, Oracle, DB2, accounting application, problem management, network, CICS, MQM, compliance, integrated audit), repeated under the heading “Where are the risks?”]
20
IAA Evaluation
IAA risk assessment guidelines:
A limited number of risk factors
Including business- and technology-specific factors.
Risk factors should be weighted by criticality and be measurable.
Some factors should be IT specific.
21
IAA - Integrated Risk Assessment
For EACH business unit, identify the technology platform (PC, LAN, etc.)
“What does the system do?”
Interview users, read documentation, look at the system menu.
“What are you connected to?” – Interfaces
Establishes the span of control.
22
IAA - Integrated Risk Assessment
What could go wrong?
Establishes the risk
What would happen ?
Establishes the materiality
“How would you know if something went wrong?”
Determines the control
23
Integrated Risk Assessment
Business criticality – the degree of reliance a business unit places on the system.
Technological complexity – the degree of computer-generated transactions utilized with minimal manual intervention.
24
IAA Evaluation
Based upon the information obtained and confirmed during the planning phase, together with the combined risk assessment, the auditor selects the relevant areas to include in the audit scope and performs a detailed review of these areas.
25
IAA Evaluation
Auditors usually perform a walkthrough during the evaluation to assist in understanding the process flow, obtain relevant sample documentation, spot-test the key controls, and observe the general environment.
26
IAA Evaluation
IAA critical success factor – the auditor must flowchart the IT system to obtain a detailed understanding of key system processes, files and controls.
27
IAA Evaluation
The auditor should develop an integrated flowchart that combines manual and computer processes, key calculations, master file updates, downloads, and uploads.
Examine processes and control design by splitting them into three categories:
Those that only people perform.
Those that people and computers perform.
Those that only the computer performs.
[Integrated flowchart example (slide labels in French, translated): 1. Subscription request via branch. Signed subscription request → online encoding in GEKT, with online filter checks and authorisation on the account → daily batch: GEKT filter validity check of the subscription (IPDT) → rejection list / error messages to examine; subscription pending recycling / rejection-code review; “subscription OK?” → temporary rejection OR definitive rejection; batch secret-code generation → encrypted secret code → secret-code letter (the next day if a second subscription) and subscription-number letter if not the first subscription. Control objectives annotated along the flow: authorisation, user-friendliness, integrity, reliability, filter validity checks, authorisation/access controls, completeness, confidentiality, timeliness, interception, loss, strong algorithm/security. Legend: Process, Input, Data, Output.]
29
IAA Evaluation
Examine the following objectives for each transaction:
Completeness of input processing.
Accuracy of input processing.
Completeness of master file updates.
Accuracy of master file updates.
Accuracy and reliability of processing (calculations).
Access to and confidentiality of information.
Authorization of processing.
Reconciliations and verifications.
Monitoring and oversight.
30
IAA Evaluation
Based on the evaluation of the design of the entire control environment (IT and manual), the auditor expresses an opinion on the “adequacy” of control design.
31
IAA Evaluation
Audit approach - evaluation
- What does the system do?
- What is it connected to?
- Who has access?
- What type of access do they have?
- What is logged?
32
IAA Evaluation
Evaluation
- Totals (completeness)
- Edits (accuracy)
- System generated calculations/summarization/categorization
- System menu
33
IAA Evaluation
Better evaluation
- Transaction file - input - journal
- Master file - processing - ledger
- “Master file update”
- “How do you know”
34
IAA Testing
The testing phase is the area that makes the IAA the most efficient.
Based on the information obtained in planning and evaluation, the auditor selects which controls require testing.
35
IAA Testing
Better audit tests
- On screen edits
- Batch totals
- Calculations
- Master file updates
- Output
36
IAA Testing
Better audit tests
- System demo
- Access
- Violations
- Computer generated logs/listings
37
IAA Reporting
Although reporting is largely a matter of preference and style, IAA reporting has certain benefits that can be incorporated into any reporting style: a single report that renders an opinion on the entire system of risks and control.
Visual = no long narrative texts.
38
IAA Reporting
IAA pitfall to avoid – reporting that is done by a technical auditor and a non-technical auditor and then pieced together. This tends to undermine the consistency of ideas. Judicious editing is required to scrub the report, eliminate jargon and facilitate easy reading.
39
IAA Hitting the High Spots
Application audits
- Transaction processing
- Business critical
- “Bread and butter”
40
EXPECTATIONS
Depends on …
DUE DILIGENCE AUDIT MODEL ?
STAFFING AND DEVELOPMENT AUDIT MODEL ?
PROFESSIONAL INTERNAL AUDIT MODEL ?
41
WHAT WORKS
Expanding the information technology knowledge base of each and every auditor.
Realistic audit assignments based on knowledge, skill levels and degree of difficulty of the subject (planning audits).
Pre-audit of technical aspects (typical IT audits).
Extensive IT audit tools and support
Effective technical supervision
42
BARRIERS
IT audit is a separate and unique audit discipline
The fundamental internal auditor skill set is accounting- and general business-oriented, with limited IT knowledge required.
Specialization is good – only IT auditors should audit IT topics.
Generalization is good – IT auditors can audit anything IT-related.
The board and senior management really understand auditing in an IT environment.
No one really cares whether audits are integrated or not.
Auditors are not on staff long enough to justify extensive training costs.
43
IAA Integrated auditor ?
Traditional auditor who addresses computer audit techniques, relying on the methodology.
Specialized IT auditor who addresses both business flow and highly automated systems.
All auditors are integrated auditors, with some having just more skills than others.
44
IAA Audit Tools
Reference materials
Cobit (Manage Data)
ISACA Bookstore material (bits and pieces in many books).
An integrated referential is a real need …
Audit software ACL, IDEA
MANAGE DATA
PROCESS 1: Data entry procedures
Evaluation: Not Assessed | Risk Rating: | Impact:
Objective | Potential risks | Controls | Residual risks and recommendations
Management should establish data preparation procedures to be followed by user departments. In this context, input form design should help to assure that errors and omissions are minimised. Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.
Management should ensure that source documents are properly prepared by authorised personnel who are acting within their authority and that an adequate segregation of duties is in place regarding the origination and approval of source documents.
The organisation's procedures should ensure that all authorised source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.
Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.
Procedures should be in place to ensure original source documents are retained or are reproducible by the organisation for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.
The organisation should establish appropriate procedures to ensure that data input is performed only by authorised staff.
Potential risk: the entry of credits or investments.
My findings, residual risk and recommendations.
PROCESS 1: Completeness, accuracy and authorisation of data entry
Evaluation: Not Assessed | Risk Rating: | Impact:
Objective | Potential risks | Controls | Residual risks and recommendations
Data entered must be validated as close as possible to the moment of capture.
PROCESS 1: Handling of data entry errors
Evaluation: Not Assessed | Risk Rating: | Impact:
Objective | Potential risks | Controls | Residual risks and recommendations
Procedures must be provided for the correction and resubmission of incorrect data.
PROCESS 1: Validation in information processing
Evaluation: Not Assessed | Risk Rating: | Impact:
Objective | Potential risks | Controls | Residual risks and recommendations
The organisation should establish procedures to ensure that data processing validation, authentication and editing is performed as close to the point of origination as possible. When using Artificial Intelligence systems, these systems should be placed in an interactive control framework with human operators to ensure that vital decisions are approved.
The organisation should establish procedures for the processing of data that ensure separation of duties is maintained and that work performed is routinely verified. The procedures should ensure adequate update controls such as run-to-run control totals and master file update controls are in place.
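The batch-total, reconciliation and master-file-update tests listed under “Better audit tests” and the run-to-run control totals named in the COBIT objective above, re-performed in code. This is an added example, not material from the presentation or from Dexia / QAP; the record layout, field names and balances are constructed for illustration, and an audit tool such as ACL or IDEA would run the same comparisons over the real files.

```python
from decimal import Decimal

# Constructed sample data (not from the slides): one daily batch of account
# orders with its control header, the rejection listing the run produced, and
# the account master file balances before and after the run.
BATCH_HEADER = {"record_count": 4, "hash_total": Decimal("1250.00")}
BATCH_RECORDS = [
    {"order_id": "O1", "account": "A100", "amount": Decimal("500.00"), "status": "OK"},
    {"order_id": "O2", "account": "A200", "amount": Decimal("250.00"), "status": "OK"},
    {"order_id": "O3", "account": "A100", "amount": Decimal("300.00"), "status": "REJECT"},
    {"order_id": "O4", "account": "A300", "amount": Decimal("200.00"), "status": "OK"},
]
REJECT_LISTING = ["O3"]
MASTER_BEFORE = {"A100": Decimal("1000.00"), "A200": Decimal("0.00"), "A300": Decimal("50.00")}
MASTER_AFTER = {"A100": Decimal("1500.00"), "A200": Decimal("250.00"), "A300": Decimal("250.00")}


def check_batch_controls(header, records, rejects, before, after):
    """Re-perform the batch controls; return findings keyed by control
    objective (an empty dict means every control held for this batch)."""
    findings = {}
    # Completeness of input processing: header record count vs records present.
    if header["record_count"] != len(records):
        findings["input_completeness"] = (header["record_count"], len(records))
    # Accuracy of input processing: header hash total vs sum of record amounts.
    hash_total = sum(r["amount"] for r in records)
    if hash_total != header["hash_total"]:
        findings["input_accuracy"] = (header["hash_total"], hash_total)
    # Reconciliation: rejected records and the rejection listing must agree.
    rejected = {r["order_id"] for r in records if r["status"] == "REJECT"}
    if rejected != set(rejects):
        findings["reject_reconciliation"] = (sorted(rejected), sorted(rejects))
    # Master file update (run-to-run): closing balance per account must equal
    # opening balance plus accepted amounts, with no unexplained accounts.
    expected = dict(before)
    for r in records:
        if r["status"] == "OK":
            expected[r["account"]] = expected.get(r["account"], Decimal("0")) + r["amount"]
    mismatches = {acct: (after.get(acct), expected.get(acct))
                  for acct in sorted(set(after) | set(expected))
                  if after.get(acct) != expected.get(acct)}
    if mismatches:
        findings["master_file_update"] = mismatches
    return findings


if __name__ == "__main__":
    print(check_batch_controls(BATCH_HEADER, BATCH_RECORDS, REJECT_LISTING,
                               MASTER_BEFORE, MASTER_AFTER) or "all batch controls held")
```

Each finding pairs the value the system claims with the value re-computed from the files, which is the evidence the single integrated report cites.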
47
IAA Education
In the field, but …
Continuing education
- Budget $$$
- Established education vendors $$
- Local IIA/ISACA chapters if…
- In-house training if …
- Partner with other companies on-site … not commonly used