IT internal audit update
PCC Precision Castparts Corp.
Justin Fox, Taylor Luell, KPMG LLP
PCC FIT Conference, September 2017
Presentation overview
CY17 IT internal audit plan
IT implementation policy reviews
  Lessons learned
  IT implementation audit timeline
  Steering Committee coordination
IT control reviews
  Common findings in CY16
  Baseline security controls desktop audit
Questions
CY17 IT internal audit plan
Implementation policy audits
  Pre-implementation (6)
  Interim (2)
  Go-live (26)
  Post-implementation (8)
IT control audits
  19 IT control audits are scheduled
  Auditing compliance with selected corporate IT policies and standards
  Recent updates to the IT Policy and Standards Manual will be in scope
IT SOX audits
  Similar approach as CY16
  2 random IT SOX controls are tested in each audit, instead of all the IT controls at only a few locations
IT implementation lessons learned
Lessons learned/common findings
  Costing methodology review and approval (e.g., division and corporate)
  JAOA requirements around changes in costing methodology
  Inventory physical requirements (pre- and post-go-live)
    Full physical 90 days before go-live
    Quarterly physicals following go-live
    Weekly cycle counts
  End-user training and retention of results (nontrack lead)
  Key operational and management report testing (e.g., TOC and daily flex analysis)
  Data validation procedures
  Compliance requirements, such as quality, ITAR, NADCAP, ISO9000, etc.
  SOD analysis at go-live should be evidenced, approved, and retained
Audit timeline

Pre-implementation (before spending)
Assessment of organization’s readiness to begin a large project:
  Recent IA findings
  Inventory tracking
  Verify physical inventory results
  Track lead time allocation
  Validate resources against CAR commitments
  Project plan
  Current data integrity
  Current costing method
  Current system access
  Current daily oversight
  Early stage review of process mapping “as-is” and “to-be”; often only high level maps are available since development has not started

Interim assessments (+/- CRP II)
Based on the duration of the project, one or more Interim Assessments could be performed:
  Ahead/behind schedule assessment based on commitments made to the Steering Committee
  Validate track lead time commitments are being met
  Review accuracy of revised process maps “as is” and “to be”
  Review issues log items in detail
  Observe end-to-end transaction testing
  Observe track leads and users processing test transactions, logging issues, identifying new gaps, and using documentation prepared for the system
  Verify standard solution template and reporting toolkit is utilized
  Verify all data converted and reconciled

Go-live (2 weeks before)
Assessment of readiness for go-live:
  Review open issues and issues deferred post go-live
  Assess management’s understanding of using the system
  Assess implementation process documentation, conversion testing and approvals, CRP results, interface testing, and training attendance
  Assess accuracy and functionality of the system transaction processing within new business cycles
  User access, SOD
  Review pro forma SOX narratives and controls, and input controls
  Evaluation of user training
  Review required reports
  Confirm readiness assessment
  Review inventory change (FCA)
  Review results and adjustments from required “pre go-live” full physical inventory

Post-implementation (3 months after)
Assessment of post implementation activities:
  Daily: data entry; daily reports; shipping/receiving proc.; mgmt oversight; direct feedback to users
  Weekly: weekly PCC reports; cycle counts; review exception reports
  Monthly/Quarterly: close, large correcting JEs; quarterly physicals until Steering Committee approves results; SOX updates
Steering Committee coordination
Exceptions from IT implementation policy
  Required in attachment 5 as a part of the CAR approval process
Remote audits
  Remote and limited audits (for minor upgrades, etc.)
Schedule meetings early
  Contact Internal Audit 4 to 6 weeks in advance for an audit
  Schedule the go-live Steering Committee meeting the week before cut-over. A preliminary review of readiness should occur with the Steering Committee 4-6 weeks prior to go-live.
Common IT controls audit findings – CY16
Total findings and observations: 62 findings and 26 observations (15 reports)
  Employee terminations (ITP021), 12 locations – Employees were not removed from the system within 2 days of notification of termination (IT vs HR)
  System-level account password policy (ITP017), 10 locations – Corporate password policy not followed/updates needed
  Asset tracking (ITP002), 7 locations – Assets are not tagged and are not properly included on the asset listing
  Disaster recovery plan (ITP005), 7 locations – Disaster recovery plan not in place or not tested/updates needed
  Account naming conventions (ITP021), 3 locations – Naming convention does not comply with policy
Baseline security controls desktop review
There was a 50%–80% exception rate for baseline security controls out of the 40 locations tested. Key area exception rates include:
  WSUS/SCCM – 32 of 40 plants (80%) had workstations and servers identified that did not have WSUS/SCCM installed, and a reconciliation was not being performed.
  BitLocker – 28 of 40 plants (70%) had workstations identified that did not have BitLocker installed, and a reconciliation was not being performed.
  Splunk – 26 of 40 plants (65%) had workstations or servers identified that did not have Splunk installed, and a reconciliation was not being performed.
  Antivirus – 25 of 40 plants (63%) had workstations or servers identified that did not have anti-virus installed, and a reconciliation was not being performed.
  DDPE – 23 of 40 plants (58%) had workstations identified that did not have DDPE installed, and a reconciliation was not being performed.
  FireAMP – 23 of 40 plants (58%) had workstations identified that did not have FireAMP installed, and a reconciliation was not being performed.
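The reconciliation that the desktop review found missing, as an added example that is not part of the presentation or of any PCC/KPMG tooling: it compares a plant's asset listing against per-control coverage reports for the six baseline controls named above and lists hosts lacking each control, hosts reporting an agent but absent from the asset listing, and the "N of M plants" figure the review uses. The host names, roles and coverage sets are constructed sample data; treating BitLocker and DDPE as workstation-only is an assumption taken from the wording of the findings.

```python
"""Baseline security control reconciliation (added example, constructed data)."""

# Constructed asset listing for one plant: hostname -> role.
ASSETS = {
    "WS-001": "workstation", "WS-002": "workstation", "WS-003": "workstation",
    "SRV-01": "server", "SRV-02": "server",
}

# Constructed per-control coverage reports: hosts where the agent was found.
COVERAGE = {
    "WSUS/SCCM": {"WS-001", "WS-002", "SRV-01", "SRV-02"},
    "BitLocker": {"WS-001", "WS-003"},
    "Splunk":    {"WS-001", "WS-002", "WS-003", "SRV-01", "SRV-02"},
    "Antivirus": {"WS-001", "WS-002", "WS-003", "SRV-01"},
    "DDPE":      {"WS-001", "WS-002", "WS-003"},
    "FireAMP":   {"WS-002", "WS-003", "SRV-01", "SRV-02", "LAB-99"},
}

# Assumption: the findings cite only workstations for these two controls.
WORKSTATION_ONLY = {"BitLocker", "DDPE"}


def reconcile(assets, coverage):
    """Return (missing, unknown): per control, in-scope hosts with no agent,
    and hosts that report an agent but are not on the asset listing."""
    missing, unknown = {}, {}
    for control, covered in coverage.items():
        in_scope = {h for h, role in assets.items()
                    if control not in WORKSTATION_ONLY or role == "workstation"}
        missing[control] = sorted(in_scope - covered)
        unknown[control] = sorted(covered - set(assets))  # asset listing gap
    return missing, unknown


def plant_exception_rate(plant_missing):
    """plant_missing: {plant: missing dict from reconcile()}.
    Returns {control: (plants_with_exception, plants_tested)}."""
    totals = {}
    for missing in plant_missing.values():
        for control, hosts in missing.items():
            flagged, tested = totals.get(control, (0, 0))
            totals[control] = (flagged + (1 if hosts else 0), tested + 1)
    return totals


if __name__ == "__main__":
    missing, unknown = reconcile(ASSETS, COVERAGE)
    for control in COVERAGE:
        print(f"{control:10} missing={missing[control]} unknown={unknown[control]}")
    print(plant_exception_rate({"Plant A": missing}))
```

Hosts in the unknown list point at the asset tracking finding (ITP002) rather than at the control itself, which is why both lists are reported.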
Questions? Call or email with any questions during the year.
Our PCC number is
Contact information
Justin Fox, CISA, Advisory Director, Risk Consulting, KPMG LLP (C: E:)
Taylor Luell, CISA, Advisory Manager, Risk Consulting, KPMG LLP (C: E:)
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS The KPMG name and logo are registered trademarks or trademarks of KPMG International.
2017 PCC Finance & IT Conference