Internal and external control in an automated environment

Presentation transcript:

Internal and external control in an automated environment Dirk Timmerman November 2002

Content
- When to involve an IT Auditor in the Audit Process
- Audit objectives
- Overview of external audit process
- Overview of internal audit process
- IT Auditor in strategic analysis – external audit
- IT Auditor in strategic analysis – internal audit
- IT Auditor in Process Analysis
- IT Auditor in Remaining Audit Procedures
- General guidelines to IT Auditor

When to involve an IT Auditor
KPMG policy
- IT auditor involvement is mandatory in the following cases:
  - More than 1000 hrs
  - Banks and insurance companies
  - Quoted on stock exchange
  - Rated as “highly complex” per IT Criticality Scorecard, which measures:
    - IT complexity
    - IT changes
    - IT issues/problems
- IT auditor involvement is advisable for clients with a “sophisticated” IT environment

Audit objectives
External audit
- Provide assurance over the truth and fairness of financial statements
- Key deliverable: audit opinion
- By-product: management letter points
Internal audit
- Independent assessment of the effectiveness of risk management and control
- Key deliverable: assist management in identification of risk areas and assessment of residual risks
- Management letter points
- By-products: consulting opportunities

Audit objectives (cont’d)
- External auditor: “What controls can I rely on to reduce substantive testing”
- Internal auditor: “Are these controls appropriate, optimal and how could the company do things differently”

Overview of external audit process
(Process diagram; the recoverable content follows.)
- Strategic analysis
  - Understand entity’s business definition
  - Understand strategic business risks
  - Identify financial statement implications of strategic business risks and identify S.C.O.Ts
- Select key processes
- Process analysis
- Remaining audit procedures
  - Perform remaining audit procedures
  - Identify & investigate audit differences, & evaluate findings
- 1. Audit Opinion
- 2. Report
Other diagram labels: project plan, business risks, classes of transactions, process level business risks, residual business risks, financial statement, reporting, ROSM, controls.

Internal audit process - overview
(Process diagram; the recoverable content follows.)
Stage One
- STEP 1 Engagement initiation
- STEP 2 Strategic analysis
- STEP 3 Strategic risk assessment
- STEP 4 Business process analysis (planning)
- STEP 5 Independent assessment
- STEP 6 Flash report - strategic issues
- STEP 7 Risk management framework
- STEP 8 Management assurance plan
Stage Two
- STEP 9 Project planning
- STEP 10 Opening conference
- STEP 11 Business process analysis
- STEP 12 Review & validation program
- STEP 13 Business process review
- STEP 14 Validation
- STEP 15 Exit conference
- STEP 16 Reporting
- STEP 17 Close out & evaluation
Follow up STEP 18 Audit committee reporting STEP 19
Other diagram labels: Projects, Risk assessment.

IT Auditor in strategic analysis – external audit
- Gain understanding of IT organization
- How key processes are supported by IT applications and on which platforms these are operated
- IT strategy
- IT changes: current year – future years
- Significant IT risks
- IT controls (high level understanding)

IT Auditor in strategic analysis – external audit (cont’d)
Tools
- IT Risk Assessment (long form – short form)
- IT Business Understanding Document (contains template)
- IT Risks & Controls Questionnaire => IT Traffic Lights Report

IT Traffic Lights Report

IT Auditor in strategic analysis – external audit (cont’d)
Risk analysis
- IT risks that could threaten the entity’s business objectives
  - Determine if impact on financial statements is significant
  - If yes, plan analysis of selected IT processes that reduce the identified risks
- IT risks that affect the completeness, existence and accuracy of transactions
  - Take into account when performing process analysis on significant classes of transactions (SCOTs)
Tools
- IT Risk Analysis Document - examples

IT Auditor in strategic analysis – internal audit
Similar to external audit but…
- Control objectives are broader:
  - Effectiveness
  - Efficiency
  - Confidentiality
  - Integrity
  - Availability
  - Compliance
- Additional tools:
  - COBIT
  - Workshops
- All significant IT risks are addressed, not only those with a significant financial statement impact

IT Auditor in Process Analysis (external & internal audit)
- Perform process analysis for selected IT sub-processes
  - For external audit, this tends to focus on IT security, change management and continuity
- Potential roles in process analysis of non-IT processes
  - Assist in mapping of process and information flow
  - Assist in identification of process risks
  - Assist in identification of controls
- Their added value
  - Familiar with structured process analysis
  - Familiar with complex systems and ERPs
  - Familiar with IT
- Tools
  - BPA tool + templates
  - SAP Authorizations tool
- DEMO of BPA tool

BPA -Risk & controls matrix

BPA - Control Grid

BPA – residual risk report

IT Auditor in Remaining Audit Procedures
Test of controls: access controls
- Perform system queries
- Evaluate and test security administration process
- Evaluate risk of by-passing authorizations
- Password settings
- Super users
- Direct access to data through utilities
- External communication risk

IT Auditor in Remaining Audit Procedures (cont’d)
Test of controls (cont’d): system configurations
- First year of reliance + in case of major upgrade: “test of one”
  - Review and evaluate client tests, or
  - Reperform tests in test environment, or
  - Test of detail to confirm effectiveness of control
- Subsequent years
  - Inquire about nature and extent of changes to key systems
  - Test change management = to ensure that all program changes are properly authorized, tested and approved
  - Review system access to change configuration
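The change management test named on this slide, as an added example that is not part of the original presentation: every change that reached production is traced back to a change ticket and checked for authorization, testing and approval. The program names, ticket numbers, dates and the rule that evidence dated after deployment counts as an exception are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the presentation).
# Deployment log: what actually reached production, extracted from the system.
DEPLOYMENTS = [
    {"program": "AP_INVOICE_POST", "deployed": date(2002, 3, 14), "ticket": "CHG-101"},
    {"program": "GL_CLOSE_BATCH", "deployed": date(2002, 5, 2), "ticket": "CHG-102"},
    {"program": "AR_CREDIT_LIMIT", "deployed": date(2002, 6, 20), "ticket": "CHG-103"},
    {"program": "PAYROLL_CALC", "deployed": date(2002, 9, 9), "ticket": None},
]
# Change register: the client's record of authorization, testing and approval.
TICKETS = {
    "CHG-101": {"authorized": date(2002, 3, 1), "tested": date(2002, 3, 10),
                "approved": date(2002, 3, 12)},
    "CHG-102": {"authorized": date(2002, 4, 20), "tested": None,
                "approved": date(2002, 5, 1)},
    "CHG-103": {"authorized": date(2002, 6, 1), "tested": date(2002, 6, 15),
                "approved": date(2002, 6, 25)},
}
STEPS = ("authorized", "tested", "approved")


def check_change(deployment, tickets):
    """Return the exceptions for one production change (empty list = control operated)."""
    ticket = tickets.get(deployment["ticket"])
    if ticket is None:
        return ["no change ticket"]  # the change bypassed the process entirely
    exceptions = []
    for step in STEPS:
        done = ticket.get(step)
        if done is None:
            exceptions.append(f"not {step}")
        elif done > deployment["deployed"]:
            # Assumption: evidence dated after go-live does not count.
            exceptions.append(f"{step} after deployment")
    return exceptions


def change_management_exceptions(deployments, tickets):
    """Test every production change; return {program: [exceptions]} for failures only."""
    results = {d["program"]: check_change(d, tickets) for d in deployments}
    return {program: exc for program, exc in results.items() if exc}


if __name__ == "__main__":
    for program, exc in change_management_exceptions(DEPLOYMENTS, TICKETS).items():
        print(f"{program}: {', '.join(exc)}")
```

The population is the deployment log rather than the ticket register, so a change that never entered the process still shows up as an exception.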

IT Auditor in Remaining Audit Procedures (cont’d)
Test of controls
- Exception reports
  - Same as for system configuration
- Interfaces
  - Gain understanding of interface process
- Data migration
  - Gain understanding of data migration process
  - Identify key controls and test

IT Auditor in Remaining Audit Procedures (cont’d)
Test of details
- Do not perform tests of detail if the same result can be obtained by evaluating and testing internal controls
Tools
- Excel
- MS Access
- ACL
- IDEA

General guidelines to IT Auditor
- Participate in the planning meeting (= before start of audit)
- Scope of IT audit should fit 100% within the financial audit scope
- Go for joint teams with financial auditors to perform process analysis
- Do not deliver separate reports but prepare working papers
- If your appointments with IT people are going to be arranged by financial audit => highlight that on average there is a time lag of 2 weeks between the request and the interview