How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London.


How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London 27 May 2004

Disclaimer: This presentation is based solely on my own view and not that of my company.

Introduction
- Risk management in BAA: corporate governance; risk management process and methodology
- The principle of trust
- The ERP rationale and coverage
- The ERP audit the risk management way
- Lessons learnt
- Q&A

BAA Business Activities
- Airport management
- Airport retail management
- Property development
- Duty-free retailing
- Train operations
- Designer outlets

Turnbull / Combined Code Requirements
- BAA must report annually on its systems of internal financial control, operational control and compliance control, and on its risk management process
- The majority of assurance will come from management

Risk Management Process (diagram): the MB and XC, through the Corporate Risk Director, own the key corporate risks and ask how these key risks are managed; local risk management answers with the key operational risks and the residual operational risks; GIA audits both the key operational risks and the residual operational risks.

Risk Management Stages
- Business objective
- Risk: the identification of those things that would PREVENT an objective from being achieved
- Inherent level: the likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place
- Control: those actions that, if taken, will reduce either the likelihood or the consequence of a risk crystallising
- Residual level: the likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
- Insurance: the risk can sometimes be reduced (transferred) by insurance
- Retained level: the level of risk formally accepted by the organisation

The Principle of Trust Do you trust your clients?

On What Basis Do We Trust Them?
Based on:
- The strength of the control environment: organisation, methods and practices, culture and behaviour
- Previous audits that indicate strong internal controls
The caveat is that we trust, but reserve the right to verify.

The Rationale of Investing in an ERP (diagram): IT, HR and Procurement move from three separate silos (Silo One, Silo Two, Silo Three) into the Business Support Centre; the Business Support Centre, supported by the ERP and its controls, cultivates better customer relationships and takes calculated risks.

Scope of the ERP (What does it cover?)
- Resource, Develop & Manage People (RDMP)
- Plan & Develop the Business (PDB)
- Acquire & Maintain Asset (AMA)
- Others (income and financial ledgers)

Audit Drivers
- Corporate governance (Turnbull & LSE)
- Audit & assurance
- Management requests

Pre-Audit Assessment
✗ No formal business risk register
✗ Lack of practical experience in assessing risks by process management
✓ The ERP system was subject to regular audits before it went live
✓ Process management believed that checks and balances were in place and operating

What did we do before the audit?
- Gave a full-day risk management training course to key business process managers
- Facilitated initial risk assessment workshops
- Provided feedback on initial risk registers and ongoing advice on the risk management methodology
- Agreed with management that we would be returning to audit the risk registers and processes

Phase 1 Audit Focus To review how well management identified risks in the ERP processes that could threaten the achievement of business objectives

What did they do? 1/2

What did they do? 2/2 (This example is for demonstration only)

How Do We Assess Them? Inherent risks, status of controls, residual risks (an example)

What We Found?
✓ Management gained confidence in the risk management process:
  - All key risks were identified
  - Risks were aligned with business objectives
  - Controls were reasonably well specified
✗ However, the control monitors and early warning indicators had not been explicitly identified

Remedial Actions
- A formal project board was established, with Main Board representation and a dedicated project manager, to oversee the detailed design of ERP controls
- More risk assessment workshops were carried out
- Controls were further improved

Phase 2 Audit Focus To review how well the designed controls and associated embedded monitors address the risks identified in phase 1

What We Found This Time
✓ The Project Board is working effectively in accordance with the project charter
✓ Risks and controls are well designed
✗ However, more work is still required on the design of suitable embedded monitors and early warning indicators (management has sought assistance from GIA to remedy this situation)

What We Did?
- A half-day workshop was given to 15 key process managers specifically on the design of embedded monitors and early warning indicators, including:
  - good and bad examples
  - case studies relevant to our business for syndicate work
  - group presentation of results to each other
- Provided continuous support to all process managers who required assistance on the risk management methodology

Embedded Monitors Design Methodology
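The methodology diagram for this slide is not reproduced in the transcript. To make the terms concrete, the following is an added illustration, not part of the presentation and not BAA's design: an embedded monitor over an ERP procure-to-pay extract (the Acquire & Maintain Asset area) whose output feeds an early warning indicator. The record layouts, the approval limit, the exception-rate threshold and the sample records are all assumptions constructed for the example.

```python
"""Embedded monitor with an early warning indicator for a procure-to-pay extract.

Added example, not from the presentation. Assumptions (not from the slides):
the record layouts, the approval limit, the exception-rate threshold and the
sample records are all constructed here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    raised_by: str               # user who created the PO
    approved_by: Optional[str]   # None = no approval recorded
    amount: float


@dataclass(frozen=True)
class Payment:
    pay_id: str
    po_id: Optional[str]         # None = payment not referenced to any PO
    amount: float


APPROVAL_LIMIT = 5_000.0           # assumed: POs above this must carry an approval
EXCEPTION_RATE_THRESHOLD = 0.10    # assumed: indicator trips above a 10% exception rate

# Constructed sample extract; not real data from any organisation.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "alice", "bob", 1_200.0),    # clean
    PurchaseOrder("PO-1002", "carol", "carol", 8_500.0),  # raised and approved by same user
    PurchaseOrder("PO-1003", "dave", None, 12_000.0),     # over limit, no approval
    PurchaseOrder("PO-1004", "erin", None, 900.0),        # under limit, approval not required
]
SAMPLE_PAYMENTS = [
    Payment("PAY-1", "PO-1001", 1_200.0),   # clean
    Payment("PAY-2", "PO-1002", 8_500.0),   # matches the PO amount
    Payment("PAY-3", None, 3_000.0),        # no PO reference at all
    Payment("PAY-4", "PO-1004", 1_400.0),   # pays more than the PO value
]


def control_exceptions(pos: Sequence[PurchaseOrder],
                       payments: Sequence[Payment]) -> List[Tuple[str, str]]:
    """Embedded control checks over the extract.

    Returns (record_id, exception_type) pairs; an empty list means every
    record passed. Each check corresponds to one designed control:
    approval above a limit, segregation of raising and approving, and
    three-way agreement between payment and purchase order.
    """
    po_index = {po.po_id: po for po in pos}
    findings: List[Tuple[str, str]] = []
    for po in pos:
        if po.approved_by is None and po.amount > APPROVAL_LIMIT:
            findings.append((po.po_id, "over_limit_without_approval"))
        if po.approved_by is not None and po.approved_by == po.raised_by:
            findings.append((po.po_id, "self_approval"))
    for pay in payments:
        po = po_index.get(pay.po_id) if pay.po_id else None
        if po is None:
            findings.append((pay.pay_id, "payment_without_po"))
        elif pay.amount > po.amount:
            findings.append((pay.pay_id, "payment_exceeds_po"))
    return findings


def early_warning(findings: Sequence[Tuple[str, str]], population: int,
                  threshold: float = EXCEPTION_RATE_THRESHOLD) -> Tuple[float, bool]:
    """Early warning indicator: exception rate across the monitored population.

    Returns (rate, tripped). A tripped indicator is the signal that the
    residual level of the risk is drifting above what management accepted.
    """
    rate = len(findings) / population if population else 0.0
    return rate, rate > threshold


if __name__ == "__main__":
    found = control_exceptions(SAMPLE_POS, SAMPLE_PAYMENTS)
    for record_id, exception in found:
        print(f"{record_id}: {exception}")
    rate, tripped = early_warning(found, len(SAMPLE_POS) + len(SAMPLE_PAYMENTS))
    print(f"exception rate {rate:.0%}; early warning {'TRIPPED' if tripped else 'clear'}")
```

Run as a script it lists four exceptions (PO-1002 self-approval, PO-1003 over limit without approval, PAY-3 without a PO, PAY-4 exceeding its PO) and trips the indicator. In the register's terms the checks are the designed controls, the findings list is the embedded monitor's output, and the rate against the threshold is the early warning indicator that tells the process manager whether the residual level is still within the retained level.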

Phase 3 Audit Focus
- In phase 1, we examined how well management identified risks in the ERP processes that could threaten the achievement of business objectives
- In phase 2, we reviewed how well the designed controls and associated embedded monitors address the risks identified in phase 1
- In the final phase, we carried out an audit to review how well the designed controls and associated embedded monitors are working in practice over the ERP processes

Phase 3 – What We Found?
No major issues were identified in our audits, and:
- Management has established formal governance structures for reviewing embedded monitors
- A formal Service Level Agreement (SLA) has been established between the Business Support Centre (BSC) and BAA airports
- Key stakeholders have held regular meetings to evaluate SLA performance and to prescribe remedial actions for areas requiring improvement

What We Have Learned
- Auditors increasingly need consultancy skills
- Audit and consultancy work well together if the assurance role is segregated
- Our method would not have worked in a different organisational culture (we had full support from top management)
- Risk management is the catalyst that helps management achieve their objectives
- Improving the risk management maturity of an organisation requires a vigorous process

Risk Management Maturity Continuum (among the ERP process managers) (diagram): a scale from Novice through Competent and Proficient to Expert, with the managers' position marked before and after the audit programme.

Could We Have Done It Differently?
- Yes, except that the audit department would need to be two to three times its current size, or we would need to reduce the level of assurance provided to management, risking non-compliance with the corporate governance requirement

Questions?
