Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal and external control in an automated environment

Published byClinton Randall Modified over 6 years ago

Similar presentations

Presentation on theme: "Internal and external control in an automated environment"— Presentation transcript:

1 Internal and external control in an automated environment
Dirk Timmerman November 2002

2 Content When involve an IT Auditor in the Audit Process
Audit objectives Overview of external audit process Overview of internal audit process IT Auditor in strategic analysis – external audit IT Auditor in strategic analysis – internal audit IT Auditor in Process Analysis IT Auditor in Remaining Audit Procedures General guidelines to IT Auditor

3 When to involve an IT Auditor
KPMG policy IT auditor involvement is mandatory in the following cases More than 1000 hrs Banks and Insurance companies Quoted on stock exchange Rated as “highly complex” per IT Criticality Scorecard, which measures : IT complexity IT changes IT issues/problems IT auditor involvement is advisable for clients with a “sophisticated” IT environment

4 Audit objectives External audit Internal audit
Provide assurance over the truth and fairness of financial statements Key deliverable : audit opinion By-Product : management letter points Internal audit Independent assessment of the effectiveness of risk management and control Key deliverable : Assist management in identification of risk areas and assessment of residual risks Management letter points By-Products : consulting opportunities

5 Audit objectives (cont’d)
External auditor “What controls can I rely on to reduce substantive testing” Internal auditor “Are these controls appropriate, optimal and how could the company do things differently”

6 Overview of external audit process
Strategic analysis Project Plan Plan Understand entity’s business definition Understand strategic business risks Identify financial statement implications of strategic business risks and identify S.C.O.Ts Classes of Business risks transaction s Select key processes Process analysis Process l evel Residual b usiness r isks b usiness r isk Remaining audit procedures Financial and reporting Business Statement ROSM c ontrols r isks and Perform remaining audit procedures controls Identify & investigate audit differences, & evaluate findings 1. Audit Opinion 2. Report

7 Internal audit process - overview
Stage One Stage Two STEP 1 Engagement initiation STEP 9 Project planning STEP 10 Opening conference STEP 2 Strategic analysis STEP 11 Business process analysis STEP 3 Strategic risk assessment STEP 12 Review & validation program Projects STEP 4 Business process analysis (planning) STEP 13 Business process review Risk assessment STEP 5 Independent assessment STEP 14 Validation STEP 6 Flash report - strategic issues STEP 15 Exit conference STEP 7 Risk management framework STEP 16 Reporting STEP 17 Close out & evaluation STEP 8 Management assurance plan Follow up STEP 18 Audit committee reporting STEP 19

8 IT Auditor in strategic analysis – external audit
Gain understanding of IT organization How key processes are supported by IT applications and on which platforms these are operated IT strategy IT changes : current year – future years Significant IT risks IT Controls (high level understanding)

9 IT Auditor in strategic analysis – external audit (cont’d)
Tools IT Risk Assessment (long form – short form) IT Business Understanding Document (contains template) IT Risks & Controls Questionnaire => IT Traffic Lights Report

10 IT Traffic Lights Report

11 IT Auditor in strategic analysis – external audit (cont’d)
Risk analysis IT Risk that could threaten the entity’s business objectives Determine if impact on financial statements is significant If yes, plan analysis of selected IT processes that reduce the identified risks IT Risk that affect the completeness, existence and accuracy of transactions Take into account when performing process analysis on significant classes of transactions (SCOTs) Tools IT Risk Analysis Document - examples

12 IT Auditor in strategic analysis – internal audit
Similar to external audit but… Control objectives are broader : Effectiveness Efficiency Confidentiality Integrity Availability Compliance Additional tools : COBIT Workshops All significant IT risks are addressed, not only those with a significant financial statement impact

13

14

15 IT Auditor in Process Analysis (external & internal audit )
Perform process analysis for selected IT sub-processes For external audit, this tends to focus on IT security, change management and continuity Potential roles in process analysis of non-IT processes Assist in mapping of process and information flow Assist in identification of process risks Assist in identification of controls Their added value Familiar with structured process analysis Familiar with complex systems and ERP’s Familiar with IT Tools BPA tool + templates SAP Authorizations tool DEMO of BPA tool

16 BPA -Risk & controls matrix

17 BPA - Control Grid

18 BPA – residual risk report

19 IT Auditor in Remaining Audit Procedures
Test of Controls : Access controls Perform system queries Evaluate and test security administration process Evaluate risk of by-passing authorizations Password settings Super users Direct access to data through utilities External communication risk

20 IT Auditor in Remaining Audit Procedures (cont’d)
Test of Controls (cont’d) System configurations First year of reliance + in case of major upgrade : “test of one” Review and evaluated client tests, or Reperform tests in test environment, or Test of detail to confirm effectiveness of control Subsequent years Inquire about nature and extent of changes to key systems Test change management = to ensure that all program changes are properly authorized, tested and approved Review system access to change configuration

21 IT Auditor in Remaining Audit Procedures (cont’d)
Test of controls Exception reports Same as for system configuration Interfaces Gain understanding of interface process Data migration Gain understanding of data migration process Identify key controls and test

22 IT Auditor in Remaining Audit Procedures (cont’d)
Test of details Do not test of details if same result can be obtained by evaluating and testing internal controls Tools Excel Ms Access ACL IDEA

23 General guidelines to IT Auditor
Participate at planning meeting (=before start of audit) Scope of IT audit should fit 100% within the financial audit scope Go for joint teams with financial auditors to perform process analysis Do not deliver separate reports but prepare working papers If your appointments with IT people are going to be arranged by financial audit => highlight that on average there is a time lag of 2 weeks between the request and the interview

Download ppt "Internal and external control in an automated environment"

Similar presentations

Alignment of COBIT to Botswana IT Audit Methodology

Alignment of COBIT to Botswana IT Audit Methodology
Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.

Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.
Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.

Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.
5-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 5 Audit Planning.

5-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 5 Audit Planning.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
The Information Systems Audit Process

The Information Systems Audit Process
Lecture 8 Understanding entity and its environment

Lecture 8 Understanding entity and its environment
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Chapter Nine Conducting the IT Audit. Audit Standards AICPA — Statements of Auditing Standards (SASs) AICPA — Statements of Auditing Standards (SASs)

Chapter Nine Conducting the IT Audit. Audit Standards AICPA — Statements of Auditing Standards (SASs) AICPA — Statements of Auditing Standards (SASs)
Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.

Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.
Audit objectives, Planning The Audit

Audit objectives, Planning The Audit
Planning an Audit The Audit Process consists of the following phases:

Planning an Audit The Audit Process consists of the following phases:
PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,

PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,
Considering Internal Control

Considering Internal Control
9 - 1 ©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 9.

9 - 1 ©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 9.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 1 Internal Control and Control Risk Chapter 10.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 10.
Evaluation of Internal Control System

Evaluation of Internal Control System

Similar presentations

Ads by Google