Download presentation
Presentation is loading. Please wait.
1
Information Risk Management in the Audit Chapter 9 Presented by Dee Dee Owens, Senior Manager KPMG LLP KPMG LLP
2
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 2 KPMG Information Risk Management (IRM) Audit Team – Overview of IT Controls IT General Controls –Controls that support the foundation of the system. –Includes 4 components Program Development Program Change Computer Operations Access to Programs and Data Application Controls – are automated controls –Steps, requirements, that a computer system executes to achieve a specific objective—the objective of the automated control to prevent, detect and/or correct the risk of a financial misstatement
3
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 3 KPMG Information Risk Management (IRM) Audit Team – Scope of Work IT General Controls Review –Please note that the IT Audit scope for 2009 is reduced due to significant deficiencies noted in 2008 –Current year procedures include: PeopleSoft application password configuration settings User access provisioning and de-provisioning of PeopleSoft application access Program change procedures System development lifecycle procedures –Current year procedures do not include: PeopleSoft security controls testing (due to prior year deficiencies)
4
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 4 KPMG Information Risk Management (IRM) Audit Team – Scope of Work Current year procedures are in the process of being conducted at the following campuses: –East Bay –Los Angeles –Maritime Academy –Monterey Bay –San Bernardino –San Jose –San Luis Obispo –San Marcos
5
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 5 KPMG Information Risk Management (IRM) Audit Team – Scope of Work Testing is also being conducted at CMS focusing on the following areas: –Program changes –PeopleSoft access rights in production
6
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 6 KPMG Information Risk Management (IRM) Audit Team – Scope of Work (continued) Application control testing –This testing is not being conducted in 2009 due to the significant deficiencies from the prior year. –In prior years, we have tested the following controls: Department of Education upload to campus Student Information System (PeopleSoft or Legacy) Grade system – user access Interface from grade system to financial aid system (if applicable) Access controls Configuration controls Automated Derivation Control
7
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 7 Background Information of Prior Year Significant Deficiency Refer to the CSU 2008 report on internal control over financial reporting and on compliance and other matters based on an audit performed in accordance with Government Auditing Standards –Item 08-01 Segregation of Duties Conflicts and System Access ISSUE #1 (CMS Central) –CMS Support Team had: Systems Administrator access to PeopleSoft (i.e. SOSSTECH – user administration) and access to Application Designer in PeopleTools (Developers with access) ISSUE #2 (Campus Level) –Various campus level personnel have access to multiple roles resulting in a segregation of duties conflict: System Administrator; Database Administrator; and Programmer/Development Access Management is currently working to remediate and evaluate status
8
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 8 IRM Test Work – Key Dates March 12 – 16, 2009 – Campus IT PBC list was sent to campuses March – April, 2009 – Campus PBC were due to KPMG March – July, 2009 – Campus IT general controls test work and specific business process controls test work –To gain efficiencies by working from one location, the IRM team will conduct testing remotely from our Orange County office. Please be prepared to accommodate conference calls during the week our teams are focusing on your campus as the testwork will be conducted via phone interviews and review of requested documents. Project wrap up / Campus close out meetings (June ~ July)
9
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 9 IRM Deficiency and Communication Impact on Financial Audit Team –As IRM lead in their testwork timing, IRM will report all deficiencies to the financial audit team. –The financial audit team will analyze these deficiencies as they relate to the year-end financial statement audit and modify the audit approach as may be necessary. This may include performing additional substantive procedures, making additional sample selections, etc.
10
© 2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International. 14055ORA May 2009 GAAP Reporting Workshop 10 Questions
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.