Expect the Unexpected Planning the Scope of an IT Performance Audit Robin Garity, C.P.A., C.I.S.A. October 2014.


1 Expect the Unexpected Planning the Scope of an IT Performance Audit Robin Garity, C.P.A., C.I.S.A. October 2014

2 Agenda
- Standards
- Importance
- Audit Assignment #1 – Michigan Business One Stop System
- Audit Assignment #2 – Branch Office System

3 What do the standards say about Performance Audit Planning?
- Generally Accepted Governmental Auditing Standards (GAGAS) state:
  - 6.07 Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions.
  - 6.09 The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

4 Why is planning the audit scope important in a performance audit?
- Determines direction of audit (many possibilities)
  - Security
  - Accurate processing
  - Efficiency of system
  - Governance
- Determines audit value
  - What will change if the conclusion is that the auditee/system is not effective?
  - Will recommendations be useful?

5 Why is planning the audit scope important in a performance audit? (continued)
- Ensures that all significant risks are identified and addressed during the audit
- Poor scope planning can result in a stressful audit
  - Inadequate resources
  - Inefficient testing
- No pressure… But don’t mess up when planning the audit scope!

6 Audit Assignment Example #1: Michigan Business One Stop System (MBOS)
- Assignment based on criticality to audit entity
- System mission: create a one-stop shop for individuals or businesses doing business with the State of Michigan
- No prior audits
- Implemented in 2009
- Known costs of $21.3 million to date for development and maintenance

7 Scope Planning Ideas
- Confidential and critical licensing information in the system
- Operating System Access and Configurations
- Database Access and Configurations
- Application Access
- Monitoring Processes

8 Scope Planning Procedures
- Interviewed project manager, DBA, and system administrators
- Reviewed system documentation
  - Data dictionary
  - Network diagram
  - Development contracts
- Reviewed policies and procedures for managing the system
- Interviewed users/stakeholders

9 What We Heard
- Very few customers liked or used MBOS
- Process was much more complex for customers
- Applicant data must be reentered into secondary systems
- New development projects on hold because of uncertainty regarding MBOS’s future
- Departments unsure of what license information is available in the system

10 Scope U-Turn
- FROM:
  - Operating System Access and Configurations
  - Database Access and Configurations
  - Application Access
- TO:
  - Project Planning: Is there a plan for making the system more effective?
  - Governance: Is there leadership to make decisions on the future of the system?
  - Updating of System: If departments are unsure of licenses in the system, are license applications really up to date in MBOS?

11 What We Learned About Planning the Audit Scope
- Always interview users of the system during planning.
- Keep in mind the future impact.
- Be flexible.

12 Outcome
- Findings
  - No strategic plan for continued development and use of the system.
  - No post-implementation review to determine if expected benefits were realized.
  - Lack of an effective governance structure.
  - No process to periodically review and update the content (out-of-date fees, applications, etc.)
- Latest update – DTMB is shutting down the system because it is not providing the expected benefits.

13 Audit Assignment Example #2: Branch Office System
- System used in branch offices for vehicle registrations, driver licensing, etc.
- The Department of State collects approximately $2.2 billion per year through the various systems that process driver and vehicle related transactions.
- Audit assignment based on revenue and criticality of system

14 Scope Planning Ideas
- Branch Office System
  - Application controls
  - Access/segregation of duties
  - Proper input of licensing and registration data
  - Change management

15 Scope Planning Procedures
- Interviewed project managers, DBA, and system administrators.
- Reviewed system documentation
  - Data dictionary
  - Network diagram
  - Development contracts
  - System flows
- Reviewed policies and procedures for managing the system.
- Interviewed system users.

16 What We Found Out
- Branch Office System scheduled for replacement.
- Many systems process driver and vehicle related data on the back end and store confidential data. The Branch Office System is primarily data input.
- Complex flow of information between departments for use in processing driver and vehicle-related data.
- Prior non-IT audit of fee calculations (audited around systems) but no actual IT audits.

17 A New Focus
- FROM: Branch Office System
  - Application controls
  - Access/segregation of duties
  - Proper input of licensing, registration data
- TO:
  - Excluding Branch Office System (being replaced)
  - Security for other driver and vehicle related systems that store confidential data
    - Operating System
    - Database
  - Reviewing actual processing of data outside of Branch Office System
    - Are matches and input of information proper to ensure no registrations to suspended licenses, deceased, stolen vehicles, etc.
  - Excluding fee calculations

18 What We Learned About Planning the Audit Scope
- Consider new development projects
- Consider entire process
- Understand in detail what has already been audited

19 Potential Audit Conclusions
- Security weaknesses
- Access issues
- Data processing inconsistencies

20 Final Suggestions For Planning the Audit Scope
- Be sure to:
  - Spend sufficient time in planning
  - Obtain complete understanding of business processes and flow of system data
  - Listen to what auditee and users think are the problems
  - Evolve your scope
- To ensure:
  - Audit value
  - Impact on future processes
  - An efficient audit

