
Company LOGO Auditing Information Technology - Financial System Issues Bruce Headrick Program Manager AFAA/FSD.


Slide 1: Auditing Information Technology - Financial System Issues
Bruce Headrick, Program Manager, AFAA/FSD

Slide 2: Agenda
1. Objective
2. Background - Criteria
3. The IT Portfolio
4. Financial Info Structure
5. GAAP/GAGAS
6. Enforcement of System Controls
7. Wrap-Up

Slide 3: Audit - Background
Once upon a time the Organization hired computer programmers and developed the software it would use... but that was once upon a time. Today, information system development means the carefully guided acquisition and customization of commercial off-the-shelf software, often commercial ERP software.

Slide 4: IT Audit - Background
– Ensure the right information exists, is accessible, and is understood and discoverable by all organizational personnel, with on-demand access to the appropriate authoritative, reliable, relevant, and assured information needed to perform their duties efficiently and effectively.
– Provide continuously for the availability, integrity, confidentiality, nonrepudiation, and authentication of information and information systems as an essential element of achieving the Organization's mission.

Slide 5: Areas of Interest
– IT Portfolio
– Financial Information Structure
– Standards: Generally Accepted Accounting Principles (GAAP); Generally Accepted Government Auditing Standards (GAGAS); Government Auditing Standards
– System Controls: General Controls; Application Controls

Slide 6: IT Audit - Background: IT Portfolio Management

Slide 7: Other Portfolio Issues
– How does management know what they have?
– Is there potential duplication within a single IT portfolio?
– Is there potential duplication between IT portfolios?
– Are there redundancies between lines of business?
– Are there redundancies between operational activities?
– Are there redundancies between parent-child levels?
– Has your organization (xyz) performed a gap analysis of activity?
– Does your organization (xyz) use a corporate activity to review IT acquisitions?

Slide 8: Financial Info Structure
– How do the systems talk to each other? Interfaces.
– Does x in one system equal x in the next system? Common languages.

Slide 9: Standards
– GAAP
– GAGAS
– GAO "Yellow Book"

Slide 10: What the Standards say...
AU Section 318, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Source: SAS No. 110), paragraph .04:
"The auditor's overall responses to address the assessed risks of material misstatement at the financial statement level may include emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence, assigning more experienced staff or those with specialized skills or using specialists, providing more supervision, or incorporating additional elements of unpredictability in the selection of further audit procedures to be performed. Additionally, the auditor may make general changes to the nature, timing, or extent of further audit procedures as an overall response, for example, performing substantive procedures at period end instead of at an interim date."

Slide 11: What the Standards say... Testing
AU Section 326, Audit Evidence (Source: SAS No. 106), paragraph .22:
"Tests of controls are necessary in two circumstances. When the auditor's risk assessment includes an expectation of the operating effectiveness of controls, the auditor should test those controls to support the risk assessment. In addition, when the substantive procedures alone do not provide sufficient appropriate audit evidence, the auditor should perform tests of controls to obtain audit evidence about their operating effectiveness."
Looking for both anticipated and actual results.

Slide 12: What the Standards say... IT Work in Financial Audits
AT Section 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (Source: SSAE No. 15)
Paragraph .18: "The examination of internal control should be integrated with an audit of financial statements. Although the objectives of the engagements are not the same, the auditor should plan and perform the integrated audit to achieve the objectives of both engagements simultaneously. The auditor should design tests of controls to obtain sufficient appropriate evidence to support the auditor's opinion on internal control as of the period end; and to obtain sufficient appropriate evidence to support the auditor's control risk assessments for purposes of the audit of financial statements."
Paragraph .51: "The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the top-down approach used to identify likely sources of misstatement and the controls to test, as well as to assess risk and allocate audit effort."

Slide 13: Standards that Should be Referenced When Conducting IT Work
– SSAE No. 15 - An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
– SAS No. 106 - Audit Evidence
– SAS No. 107 - Audit Risk and Materiality in Conducting an Audit
– SAS No. 108 - Planning and Supervision
– SAS No. 109 - Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
– SAS No. 110 - Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Slide 14: System Controls
FISCAM – Federal Information System Controls Audit Manual
– General Controls
– Application Controls

Slide 15: FSD IT Audit - Risks to ICs (Various Internal Controls)
General Controls:
– Security Management
– Access
– Configuration Management
– Segregation of Duties
– Contingency Planning
Business Process (Application) Controls:
– Completeness
– Accuracy
– Validity
– Confidentiality
– Availability

Slide 16: IT Audit - Risk to ICs: General Controls
– Security Management – controls provide reasonable assurance that security management is effective.
– Access – controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.
– Configuration Management – controls provide reasonable assurance that changes to information system resources are authorized and that systems are configured and operated securely as intended.
– Segregation of Duties – controls provide reasonable assurance that incompatible duties are effectively segregated.
– Contingency Planning – controls provide reasonable assurance that contingency planning (1) protects information and minimizes the risk of unplanned interruptions and (2) provides for recovery of operations should interruptions occur.

Slide 17: IT Audit - Risk to ICs: Business Process Controls
– Completeness – controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in the output.
– Accuracy – controls provide reasonable assurance that transactions are properly recorded, with the correct amount/data, and on a timely basis; that data elements are processed accurately by applications that produce reliable results; and that output is accurate.

Slide 18: IT Audit - Risk to ICs: Business Process Controls (cont'd)
– Validity – controls provide reasonable assurance (1) that all recorded transactions actually occurred (they are real), relate to the organization, are authentic, and were properly approved, and (2) that output contains only valid data.
– Confidentiality – controls provide reasonable assurance that application data, reports, and other output are protected against unauthorized access.
– Availability – controls provide reasonable assurance that application data, reports, and other relevant business information are readily available to users when needed.

Slide 19: IT Audit - Risk to ICs: Example of a Control
Control Activity CM3-1: All configuration changes are properly managed (authorized, tested, approved, and tracked).
Control Techniques (19):
– CM-3.1.1 An appropriate formal change management process is documented.
– CM-3.1.2 Configuration changes are authorized.
Audit Procedure (21):
– Audit Procedure = Audit Step(s)

Slide 20: IT Audit - Risk to ICs: DFAS 7900.4-M
Comprehensive Compilation of the Federal Financial Management Improvement Act (FFMIA) and DoD System Requirements; currently 20 volumes.
Example of one requirement in Volume 3, PP&E – Maintain/Update Property Information:
– Requirement ID: 03.01.43
– The property management system must provide an audit trail for entries to a property record, including the identification of the individual(s) entering or approving the information and/or data.
– Federal Source: JFMIP SR-00-4, Oct 00, pg 12
http://www.dfas.mil/dfas/fmcoe/bluebook.html
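As an added worked example (not part of the presentation and not an AFAA or DFAS tool), the following Python script turns two of the controls above into an automated audit step of the kind slide 19 calls an "Audit Procedure": the completeness control from slide 17 (every accepted transaction appears in the output once and only once) and the audit-trail requirement quoted from DFAS 7900.4-M on slide 20 (every entry to a property record identifies who entered and who approved it). The sample audit-trail entries, the transaction lists, the field names, and the rule that the entering and approving individuals must differ (treated here as a segregation-of-duties check) are all assumptions constructed for the example.

```python
"""Automated audit step: property-record audit trail and transaction completeness.

Constructed example, not code from the presentation. Two small in-memory
datasets stand in for a property management system's audit trail and for
the transactions it accepted versus the transactions that reached its output.
"""
from collections import Counter

# Constructed sample audit-trail entries (hypothetical field names).
# Two of the four entries are seeded with defects an auditor would flag.
AUDIT_TRAIL = [
    {"record_id": "P-1001", "field": "location", "entered_by": "jdoe",
     "approved_by": "asmith", "ts": "2011-03-01T10:02:00"},
    {"record_id": "P-1001", "field": "cost", "entered_by": "jdoe",
     "approved_by": "jdoe", "ts": "2011-03-01T10:05:00"},    # approved own entry
    {"record_id": "P-1002", "field": "custodian", "entered_by": "",
     "approved_by": "asmith", "ts": "2011-03-02T09:00:00"},  # enterer not recorded
    {"record_id": "P-1003", "field": "serial", "entered_by": "bwong",
     "approved_by": "asmith", "ts": "2011-03-02T11:30:00"},
]

# Constructed sample: transaction ids accepted for processing vs. ids in output.
INPUT_TXNS = ["T1", "T2", "T3", "T4"]
OUTPUT_TXNS = ["T1", "T2", "T2", "T4"]   # T3 never reached output; T2 appears twice


def audit_trail_exceptions(entries, require_distinct_approver=True):
    """Return (record_id, field, reasons) for entries failing the audit-trail test.

    The base test follows the requirement quoted on slide 20: each entry must
    identify the entering individual and the approving individual. The
    distinct-approver test is an assumption of this example, applied as a
    segregation-of-duties check (slide 16).
    """
    exceptions = []
    for e in entries:
        reasons = []
        entered, approved = e.get("entered_by", ""), e.get("approved_by", "")
        if not entered:
            reasons.append("no entering individual recorded")
        if not approved:
            reasons.append("no approving individual recorded")
        if require_distinct_approver and entered and entered == approved:
            reasons.append("entered and approved by the same individual")
        if reasons:
            exceptions.append((e["record_id"], e["field"], reasons))
    return exceptions


def completeness_exceptions(input_ids, output_ids):
    """Completeness control (slide 17): each accepted transaction must be
    processed once and only once and included in the output.

    Returns transactions missing from output, duplicated in output, and
    present in output without a matching accepted input.
    """
    accepted = set(input_ids)
    out_counts = Counter(output_ids)
    return {
        "missing": sorted(t for t in accepted if out_counts[t] == 0),
        "duplicated": sorted(t for t, n in out_counts.items() if n > 1),
        "unexpected": sorted(t for t in out_counts if t not in accepted),
    }


if __name__ == "__main__":
    for record_id, field, reasons in audit_trail_exceptions(AUDIT_TRAIL):
        print(f"{record_id}/{field}: {'; '.join(reasons)}")
    print("completeness:", completeness_exceptions(INPUT_TXNS, OUTPUT_TXNS))
```

In a real engagement the two lists would be extracted from the system under audit (for example, an interface log on one side and the posted ledger on the other), and each exception line becomes an item the auditor traces back to a control technique such as those listed on slide 19.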

Slide 21: Enforcement of Controls
– Configuration Management Plan
– Security Policy/Plan (NIST)
– Access Control Process
– Transactional Testing
– Service Level Agreements

Slide 22: IT Audit - Ideas: Other Audit Ideas
– Software Change Order Requests
– Sanitization of Assets Turned in for Disposal
– Architectures – Enterprise, Systems, Network
– Network Security
– Ports and Protocols
– Wireless Network Security
– Look for economies and efficiencies
– Process on data at rest
– Use of USB drives and portable devices
– Network Scans

Slide 23: FSD IT Audit – Key Docs
– GAO 09-232G FISCAM, 2009: http://www.gao.gov/new.items/d09232g.pdf
– DFAS 7900.4-M, 2011 (DFAS Blue Book): http://www.dfas.mil/dfas/fmcoe/bluebook.html
– AICPA Standards, continuous updates: http://www.aicpa.org/Pages/Default.aspx
– National Institute of Standards and Technology: http://www.nist.gov/index.html
– Carnegie Mellon Software Maturity Model: http://www.sei.cmu.edu/
– Carnegie Mellon Software Engineering Process
– Institute of Electrical and Electronics Engineers (IEEE)
– Financial Integration Systems Office (FSIO)
– Department of Defense and Air Force directives
– Various Industry Best Practices

Slide 24: Agenda (Wrap-Up)
1. Objective
2. Background - Criteria
3. The IT Portfolio
4. Financial Info Structure
5. GAAP/GAGAS
6. Enforcement of System Controls
7. Wrap-Up

Slide 25: Questions and Comments
Bruce Headrick, Program Manager, 334-416-4241; DSN 596-4241

