
- Number of slides: 23
Internal and external control in an automated environment
Dirk Timmerman, November 2002
Information Risk Management Page - 1 © All Rights Reserved
Content
- When to involve an IT Auditor in the audit process
- Audit objectives
- Overview of external audit process
- Overview of internal audit process
- IT Auditor in strategic analysis – external audit
- IT Auditor in strategic analysis – internal audit
- IT Auditor in Process Analysis
- IT Auditor in Remaining Audit Procedures
- General guidelines to IT Auditor
When to involve an IT Auditor
- KPMG policy: IT auditor involvement is mandatory in the following cases
  - More than 1000 hrs
  - Banks and insurance companies
  - Quoted on a stock exchange
  - Rated as “highly complex” per the IT Criticality Scorecard, which measures:
    - IT complexity
    - IT changes
    - IT issues/problems
- IT auditor involvement is advisable for clients with a “sophisticated” IT environment
Audit objectives
- External audit
  - Provide assurance over the truth and fairness of financial statements
  - Key deliverable: audit opinion
  - By-product: management letter points
- Internal audit
  - Independent assessment of the effectiveness of risk management and control
  - Key deliverables:
    - Assist management in the identification of risk areas and the assessment of residual risks
    - Management letter points
  - By-products: consulting opportunities
Audit objectives (cont’d)
- External auditor: “What controls can I rely on to reduce substantive testing?”
- Internal auditor: “Are these controls appropriate and optimal, and how could the company do things differently?”
Overview of external audit process
1. Strategic analysis (project definition, plan)
   - Understand the entity’s business
   - Understand strategic business risks
   - Identify the financial statement implications of strategic business risks and identify SCOTs (significant classes of transactions)
   - Outputs: business risks, classes of transactions; select key processes
2. Process analysis
   - Process-level business risks
   - Business controls
   - Residual business risk
   - Financial statement risks and controls
3. Remaining audit procedures and reporting (ROSM)
   - Perform remaining audit procedures
   - Identify and investigate audit differences, and evaluate findings
   - Deliverables: 1. Audit opinion, 2. Report
Internal audit process - overview
Stage One: Risk assessment
  Step 1: Engagement initiation
  Step 2: Strategic analysis
  Step 3: Strategic risk assessment
  Step 4: Business process analysis (planning)
  Step 5: Independent assessment
  Step 6: Flash report - strategic issues
  Step 7: Risk management framework
  Step 8: Management assurance plan
Stage Two: Projects
  Step 9: Project planning
  Step 10: Opening conference
  Step 11: Business process analysis
  Step 12: Review & validation program
  Step 13: Business process review
  Step 14: Validation
  Step 15: Exit conference
  Step 16: Reporting
  Step 17: Close out & evaluation
  Step 18: Follow up
  Step 19: Audit committee reporting
IT Auditor in strategic analysis – external audit
- Gain understanding of:
  - IT organization
  - How key processes are supported by IT applications, and on which platforms these are operated
  - IT strategy
  - IT changes: current year and future years
  - Significant IT risks
  - IT controls (high-level understanding)
IT Auditor in strategic analysis – external audit (cont’d)
- Tools
  - IT Risk Assessment (long form / short form)
  - IT Business Understanding Document (contains template)
  - IT Risks & Controls Questionnaire => IT Traffic Lights Report
IT Traffic Lights Report (sample report shown on the slide; not reproduced in the text)
IT Auditor in strategic analysis – external audit (cont’d)
- Risk analysis
  - IT risks that could threaten the entity’s business objectives
    => Determine whether the impact on the financial statements is significant
    => If yes, plan the analysis of the selected IT processes that reduce the identified risks
  - IT risks that affect the completeness, existence and accuracy of transactions
    => Take into account when performing process analysis on significant classes of transactions (SCOTs)
- Tools
  - IT Risk Analysis Document - examples
IT Auditor in strategic analysis – internal audit
- Similar to external audit, but…
  - Control objectives are broader:
    - Effectiveness
    - Efficiency
    - Confidentiality
    - Integrity
    - Availability
    - Compliance
  - Additional tools:
    - COBIT
    - Workshops
  - All significant IT risks are addressed, not only those with a significant financial statement impact
IT Auditor in Process Analysis (external & internal audit)
- Perform process analysis for selected IT sub-processes
  - For external audit, this tends to focus on IT security, change management and continuity
- Potential roles in process analysis of non-IT processes
  - Assist in mapping the process and information flow
  - Assist in the identification of process risks
  - Assist in the identification of controls
- Their added value
  - Familiar with structured process analysis
  - Familiar with complex systems and ERPs
  - Familiar with IT
- Tools
  - BPA tool + templates
  - SAP Authorizations tool
- DEMO of BPA tool
BPA - Risk & controls matrix (screenshot shown on the slide; not reproduced in the text)
BPA - Control grid (screenshot shown on the slide; not reproduced in the text)
BPA - Residual risk report (screenshot shown on the slide; not reproduced in the text)
IT Auditor in Remaining Audit Procedures
- Test of controls:
  - Access controls
    - Perform system queries
    - Evaluate and test the security administration process
    - Evaluate the risk of by-passing authorizations:
      - Password settings
      - Super users
      - Direct access to data through utilities
      - External communication risk
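As an added example (not part of the presentation), the kind of system query an IT auditor would run for the access-control test above, over a constructed extract of password parameters and user accounts, rolled up to the red/amber/green rating of the IT Traffic Lights Report; the extract layout, role names such as SAP_ALL and SYSADMIN, and the policy thresholds are assumptions:

```python
# Constructed password parameters, as if returned by a query of the system.
SYSTEM_PARAMS = {"min_length": 6, "max_age_days": 0, "lockout_threshold": 5}
# Assumed minimum settings the auditor compares the queried parameters with.
POLICY_MIN = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 5}
# Constructed user extract: roles, days since last login, access to a DB utility.
USERS = [
    {"user": "jsmith", "roles": ["AP_CLERK"], "last_login_days": 3, "db_utility": False},
    {"user": "admin01", "roles": ["SAP_ALL"], "last_login_days": 1, "db_utility": True},
    {"user": "temp99", "roles": ["AP_CLERK"], "last_login_days": 200, "db_utility": False},
    {"user": "batch", "roles": ["SYSADMIN"], "last_login_days": 400, "db_utility": True},
]
SUPER_USER_ROLES = {"SAP_ALL", "SYSADMIN"}  # assumed names of all-powerful profiles
DORMANT_DAYS = 90  # assumed threshold for accounts that should have been removed

def check_password_settings(params, policy=POLICY_MIN):
    """Compare queried password parameters with the minimum policy."""
    findings = []
    if params["min_length"] < policy["min_length"]:
        findings.append(("high", "password minimum length below policy"))
    # A maximum age of 0 is taken to mean that passwords never expire.
    if params["max_age_days"] == 0 or params["max_age_days"] > policy["max_age_days"]:
        findings.append(("high", "password expiry disabled or longer than policy"))
    if params["lockout_threshold"] == 0 or params["lockout_threshold"] > policy["lockout_threshold"]:
        findings.append(("medium", "account lockout disabled or more lenient than policy"))
    return findings

def check_users(users, super_roles=SUPER_USER_ROLES, dormant_days=DORMANT_DAYS):
    """Flag super users, dormant accounts and direct data access via utilities."""
    findings = []
    for u in users:
        powerful = super_roles & set(u["roles"])
        if powerful:
            findings.append(("high", f'{u["user"]}: super user profile {sorted(powerful)}'))
        if u["last_login_days"] > dormant_days:
            findings.append(("medium", f'{u["user"]}: dormant for {u["last_login_days"]} days'))
        if u["db_utility"]:
            findings.append(("high", f'{u["user"]}: can bypass application controls via DB utility'))
    return findings

def traffic_light(findings):
    """Roll findings up to the red/amber/green rating of the IT Traffic Lights Report."""
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        return "red"
    return "amber" if "medium" in severities else "green"

if __name__ == "__main__":
    all_findings = check_password_settings(SYSTEM_PARAMS) + check_users(USERS)
    print(traffic_light(all_findings), *[f"{s}: {m}" for s, m in all_findings], sep="\n")
```

Each finding maps to one of the by-pass risks listed on the slide, so the output doubles as the working paper for that test rather than a separate report.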
IT Auditor in Remaining Audit Procedures (cont’d)
- Test of controls (cont’d)
  - System configurations
    - First year of reliance, and in case of a major upgrade: “test of one”
      - Review and evaluate client tests, or
      - Re-perform tests in a test environment, or
      - Test of detail to confirm the effectiveness of the control
    - Subsequent years
      - Inquire about the nature and extent of changes to key systems
      - Test change management, to ensure that all program changes are properly authorized, tested and approved
      - Review system access to change configuration
IT Auditor in Remaining Audit Procedures (cont’d)
- Test of controls
  - Exception reports
    - Same as for system configurations
  - Interfaces
    - Gain understanding of the interface process
    - Same as for system configurations
  - Data migration
    - Gain understanding of the data migration process
    - Identify key controls and test them
IT Auditor in Remaining Audit Procedures (cont’d)
- Test of details
  - Do not perform tests of details if the same result can be obtained by evaluating and testing internal controls
  - Tools
    - Excel
    - MS Access
    - ACL
    - IDEA
General guidelines to IT Auditor
- Participate in the planning meeting (i.e. before the start of the audit)
- The scope of the IT audit should fit 100% within the financial audit scope
- Go for joint teams with financial auditors to perform process analysis
- Do not deliver separate reports, but prepare working papers
- If your appointments with IT people are going to be arranged by the financial audit team, highlight that on average there is a time lag of 2 weeks between the request and the interview