Expect the Unexpected Planning the Scope of an IT Performance Audit Robin Garity, C.P.A., C.I.S.A. October 2014.

Presentation transcript:

Agenda
- Standards
- Importance
- Audit Assignment #1 – Michigan Business One Stop System
- Audit Assignment #2 – Branch Office System

What do the standards say about Performance Audit Planning?
- Generally Accepted Governmental Auditing Standards (GAGAS) states:
  - 6.07 Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions.
  - 6.09 The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

Why is planning the audit scope important in a performance audit?
- Determines direction of audit (many possibilities)
  - Security
  - Accurate processing
  - Efficiency of system
  - Governance
- Determines audit value
  - What will change if the conclusion is that the auditee/system is not effective?
  - Will recommendations be useful?

Why is planning the audit scope important in a performance audit? (continued)
- Ensures that all significant risks are identified and addressed during the audit
- Poor scope planning can result in a stressful audit
  - Inadequate resources
  - Inefficient testing
- No pressure…But don’t mess up when planning the audit scope!

Audit Assignment Example #1: Michigan Business One Stop System (MBOS)
- Assignment based on criticality to audit entity
- System mission - Create a one-stop shop for individuals or businesses doing business with the State of Michigan
- No prior audits
- Implemented in 2009
- Known costs of $21.3 million to date for development and maintenance

Scope Planning Ideas
- Confidential and critical licensing information in the system.
- Operating System Access and Configurations
- Database Access and Configurations
- Application Access
- Monitoring Processes

Scope Planning Procedures
- Interviewed project manager, DBA, and system administrators
- Reviewed system documentation
  - Data dictionary
  - Network diagram
  - Development contracts
- Reviewed policies and procedures for managing the system
- Interviewed users/stakeholders

What We Heard
- Very few customers liked or used MBOS
- Process was much more complex for customers
- Applicant data must be reentered into secondary systems
- New development projects on hold because of uncertainty regarding MBOS’s future
- Departments unsure of what license information is available in the system

Scope U-Turn
- FROM:
  - Operating System Access and Configurations
  - Database Access and Configurations
  - Application Access
- TO:
  - Project Planning - Is there a plan for making the system more effective?
  - Governance - Is there leadership to make decisions on the future of the system?
  - Updating of System - If departments are unsure of licenses in the system, are license applications really up to date in MBOS?

What We Learned About Planning the Audit Scope
- Always interview users of the system during planning.
- Keep in mind the future impact.
- Be flexible.

Outcome
- Findings
  - No strategic plan for continued development and use of the system.
  - No post-implementation review to determine if expected benefits were realized.
  - Lack of an effective governance structure.
  - No process to periodically review and update the content (out-of-date fees, applications, etc.)
- Latest update – DTMB is shutting down the system because it is not providing the expected benefits.

Audit Assignment Example #2: Branch Office System
- System used in branch offices for vehicle registrations, driver licensing, etc.
- The Department of State collects approximately $2.2 billion per year through the various systems that process driver and vehicle related transactions.
- Audit assignment based on revenue and criticality of system

Scope Planning Ideas
- Branch Office System
  - Application controls
  - Access/segregation of Duties
  - Proper input of licensing and registration data
  - Change management

Scope Planning Procedures
- Interviewed project managers, DBA, and system administrators.
- Reviewed system documentation
  - Data dictionary
  - Network diagram
  - Development contracts
  - System flows
- Reviewed policies and procedures for managing the system.
- Interviewed system users.

What We Found Out
- Branch Office System scheduled for replacement.
- Many systems process driver and vehicle related data on the back end and store confidential data. The Branch Office System is primarily data input.
- Complex flow of information between departments for use in processing driver and vehicle-related data.
- Prior non-IT audit of fee calculations (audited around systems) but no actual IT audits.

A New Focus
- FROM:
  - Branch Office System
    - Application controls
    - Access/Segregation of duties
    - Proper input of licensing, registration data
- TO:
  - Excluding Branch Office System (being replaced)
  - Security for other driver and vehicle related systems that store confidential data
    - Operating System
    - Database
  - Reviewing actual processing of data outside of Branch Office System
    - Are matches and input of information proper to ensure no registrations to suspended licenses, deceased, stolen vehicles, etc.?
  - Excluding fee calculations

What We Learned About Planning the Audit Scope
- Consider new development projects
- Consider entire process
- Understand in detail what has already been audited

Potential Audit Conclusions
- Security weaknesses
- Access issues
- Data processing inconsistencies

Final Suggestions For Planning the Audit Scope
- Be sure to:
  - Spend sufficient time in planning
  - Obtain complete understanding of business processes and flow of system data
  - Listen to what auditee and users think are the problems
  - Evolve your scope
- To ensure:
  - Audit value
  - Impact on future processes
  - An efficient audit