4b4629e64b212421dc4b5fd88dd2ba9e.ppt
- Number of slides: 52
IT Enabled System: Opportunities & Challenges for Assurance Professionals
Aniruddha Neogi, FCA, CISA, CGEIT, CRISC
March 31, 2011; ICAB (Chartered Accountant Bhaban)
Acknowledgements: ISACA, ITGI, Wikipedia, The Economist, ICMAB, SCB

Presentation Layout
§ Understanding Key Terms
§ Trends in Business and IT
§ IT Enabled System: Basic Concepts of Auditing
§ Challenges: Adapting IT Auditing Techniques
§ Challenges: Auditing in ERP Environment
§ Opportunity: How Audit Tools help Auditor
§ Opportunity: ISACA Resources and Business Growth
§ Shared Learning

‘Assurance or Audit’
‘Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’. (Audit criteria are a set of policies, procedures or requirements.)
‘Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards’

‘IT Enabled System’
An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.

Trends in Business: Globalization & Competition
Impact on Business in General; Impact on the Finance Function
§ Increased pace of change
§ Greater volatility: “real-time” information is a necessity
§ Increased importance in strategy
§ Concentration of Core Competencies
§ Increased complexity of business risk
§ Greater importance of finance in strategic decisions
§ Need for financial evaluation of strategic alliance
§ Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.

Trends in Business: Other Drivers
§ New Organization Structure and Requirements
§ Emergence of Information Economy; Focus on “Real Time”, accurate data
§ Increasingly important role of Computers/IT in the Business Processes
Impact on the Finance Function
§ Fewer Management Levels; Flatter Organizations
§ Greater involvement in trend analysis, data interpretation, value-added services
§ Automation, centralization of accounting & transaction processing; more scope for outsourcing

Changing Face of Finance Functions

Changing Face of Information Technology (IT)

Global Paperless Trade
[Diagram labels: Importer; Importer Bank; Exporter; Exporter’s Bank; Bangladesh; Singapore; VAN/EDI; Original Documents; Details of export documentation; Payment; LC issued subject to eUCP; Electronic Export Documents; Electronic Documents Created; 3rd Party Docs e.g. B/L; Feeds to assist Document creation]

Straight2Bank Product Suite
Cash Management (Payments): Payments TI Available Instructions Telegraphic Transfer Local and International Bank Cheque Book Transfer Direct Credit Payroll Corporate Cheque Bank to Bank transfer Advice of Cheque MT 101 (Request for Transfer)
Trade Reporting: Ad hoc query reports
Trade Banking: LC issuance and amendment
Cash Reporting: Ad hoc balance and transaction reports; Ad hoc balance & Transaction reports; Drill Down Link; Acct balance & Acct Stmt reports; SWIFT Reports for MT 940, MT 942, MT 950, MT 900, MT 910; Africa, UK and China cash reports
Cash Management (Collection): Collection Reporting
i. H2H Payment, Collection

Data, data everywhere…
§ Information has gone from scarce to superabundant
§ That brings huge new benefits, but also big challenges
§ Data are widely available
§ What is crucial is to identify relevant data for analysis based on which opinion can be provided

IT Enabled System: Basic Concepts of Auditing
§ Audit of Financial Statement: Basic Structure
§ Auditing Around the Computer
§ Auditing Through the Computer

Audit of Financial Statement: Basic Structure
§ Interim Audit: Compliance Testing
§ Financial Statement Audit: Substantive Testing

Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned.

Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.
Audit Confirmation. To ABC Co. Customer: Please confirm that the balance of your account on Dec. 31 is _____.

Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.
Audit around the computer only when:
(a) the audit trail is complete
(b) processing operations are straightforward
(c) systems documentation is complete and readily available

Auditing Through the Computer
The process of evaluating the client’s software and hardware to determine the reliability of operations that are hard for the human eye to view, and of reviewing the internal controls in an IT enabled system.
Audit through the computer with:
(i) audit test data
(ii) parallel simulation
(iii) integrated test facility

Challenges: Adapting IT Auditing Techniques
§ Basic Knowledge and Skills
§ Auditing Techniques

Knowledge and Skills
When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive.

Auditing Techniques/CAATs
§ Review of Systems Documentation
§ Test Data and Integrated-Test-Facility (ITF)
§ Parallel Simulation
§ GAS
§ Embedded Audit Routines
§ Mapping
§ Extended Records and Snapshots

Review of Systems Documentation
§ Review of documentation such as narrative descriptions, flowcharts, and program listings
§ In desk checking the auditor processes test or real data through the program logic
§ Interviewing IT Staff

Test Data and ITF
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

Parallel Simulation
The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.

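A minimal parallel simulation, added here as an illustration and not part of the original slides: the auditor re-implements one client calculation and compares its output with what the client's program posted. The invoice records, field names and the discount rule (5% from 100 units, 10% from 500 units) are assumptions constructed for the example.

```python
"""Parallel simulation: re-run real client data through an independent
auditor-written version of one client calculation and compare results."""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample of the client's invoice file: inputs plus the net
# amount the client's own program computed and posted.
CLIENT_INVOICES = [
    {"id": "INV-001", "qty": 10,  "unit_price": "25.00", "client_net": "250.00"},
    {"id": "INV-002", "qty": 120, "unit_price": "25.00", "client_net": "2850.00"},
    {"id": "INV-003", "qty": 600, "unit_price": "12.50", "client_net": "7125.00"},
    {"id": "INV-004", "qty": 100, "unit_price": "9.99",  "client_net": "999.00"},
]

def audit_net_amount(qty, unit_price):
    """Auditor's own implementation of the documented pricing rule
    (assumed rule: 5% discount from 100 units, 10% from 500 units)."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty >= 500:
        rate = Decimal("0.10")
    elif qty >= 100:
        rate = Decimal("0.05")
    else:
        rate = Decimal("0")
    return (gross * (1 - rate)).quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(invoices, tolerance=Decimal("0.00")):
    """Return the records where client output and audit output differ."""
    exceptions = []
    for rec in invoices:
        expected = audit_net_amount(rec["qty"], rec["unit_price"])
        actual = Decimal(rec["client_net"])
        if abs(expected - actual) > tolerance:
            exceptions.append({"id": rec["id"], "client": actual,
                               "audit": expected, "diff": actual - expected})
    return exceptions

if __name__ == "__main__":
    for e in parallel_simulation(CLIENT_INVOICES):
        print(f'{e["id"]}: client={e["client"]} audit={e["audit"]} diff={e["diff"]}')
```

The two flagged invoices show the kind of finding this technique surfaces: a wrong discount tier and a boundary error at exactly 100 units, neither of which is visible from the client's output alone.
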
Generalized Audit Software (GAS)
GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. The following functions are supported in GAS:
§ File access: enables reading of different record formats and file structures
§ File reorganization: enables indexing, sorting, merging & linking with another file
§ Data selection: enables global filtration conditions and selection criteria
§ Statistical functions: enables sampling, stratification and frequency analysis
§ Arithmetical functions: enables arithmetic operators and functions

Embedded Audit Routines
§ In-line Code: the application program performs audit data collection while it processes data for normal production purposes
§ System Control Audit Review File (SCARF):
Ø Edit tests for audit transaction analysis are included in the program
Ø Exceptions are written to a file for audit review

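A SCARF-style embedded audit routine, added here as an illustration and not part of the original slides: audit edit tests run inside the normal posting routine and exceptions are written to a review file. The transaction fields, the three edit tests and the 10,000 threshold are assumptions constructed for the example; an in-memory buffer stands in for the review file.

```python
"""Embedded audit routine (SCARF style): audit edit tests run inside the
production posting routine and write exceptions to a review file."""
import io
import json

APPROVAL_LIMIT = 10_000          # assumed audit threshold, not from the slides

def audit_edit_tests(txn):
    """Auditor-defined edit tests; returns the list of rules the txn trips."""
    hits = []
    if txn["amount"] >= APPROVAL_LIMIT:
        hits.append("amount_at_or_over_limit")
    if txn["amount"] > 0 and txn["amount"] % 1000 == 0:
        hits.append("round_amount")
    if txn["entered_by"] == txn["approved_by"]:
        hits.append("maker_equals_checker")   # segregation-of-duties breach
    return hits

def post_payments(txns, ledger, scarf_file):
    """Normal production processing with the audit hook embedded in-line."""
    for txn in txns:
        ledger[txn["vendor"]] = ledger.get(txn["vendor"], 0) + txn["amount"]
        hits = audit_edit_tests(txn)          # embedded audit routine
        if hits:                              # exception -> SCARF record
            scarf_file.write(json.dumps({"txn": txn["id"], "rules": hits}) + "\n")
    return ledger

def read_scarf(scarf_file):
    """What the auditor later reviews: one JSON record per exception."""
    scarf_file.seek(0)
    return [json.loads(line) for line in scarf_file if line.strip()]

# Constructed sample transactions
SAMPLE_TXNS = [
    {"id": "T1", "vendor": "V100", "amount": 4250,  "entered_by": "amina", "approved_by": "karim"},
    {"id": "T2", "vendor": "V200", "amount": 12000, "entered_by": "amina", "approved_by": "karim"},
    {"id": "T3", "vendor": "V100", "amount": 9800,  "entered_by": "rahim", "approved_by": "rahim"},
]

def run_demo():
    scarf = io.StringIO()      # stands in for the audit review file on disk
    ledger = post_payments(SAMPLE_TXNS, {}, scarf)
    return ledger, read_scarf(scarf)

if __name__ == "__main__":
    print(run_demo())
```
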
Mapping
§ Special software counts the number of times each program statement in a program executes
§ Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation

Extended Records and Snapshots
Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.
Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

Key Sectors in Bangladesh
BANK; TELECOM; MNC; CEMENT; HEALTHCARE; PHARMACEUTICALS; DEVELOPMENT; INFRASTRUCTURE; RMG; NGO

Challenges: Auditing in ERP Environment
§ ERP Structure and Control Environment
§ Impact of ERP on the Audit
§ Audit Risks and Issues
§ Audit of Purchase and Payable Process in SAP

Enterprise Resource Planning (ERP) System
§ Integrates information and business processes to enable information entered once to be shared throughout the organization
§ ERP had its origins in manufacturing and production planning
§ ERP automates the tasks involved in performing a business process. If installed correctly, it can have a tremendous payback
§ Common examples include SAP, PeopleSoft, JD Edwards, Navision and Oracle.
[Diagram labels: ERP Project; Needs Assessment; Phased Implementation; Software Selection; Process Reengineering; Training; Conference Room Pilot]

ERP Structure
[Diagram labels: ERP Authorizations and Security; Technical Infrastructure/General Controls; Database server; Application server; Presentation server; Business Process/Application Controls]

ERP Control Environment
APPLICATION CONTROLS
§ Business Performance Reviews
§ Input controls
§ Output controls
§ Processing controls
§ Controls of Master File
Application controls must be evaluated specifically for every audit area
Evaluate the effectiveness of general controls before evaluating application controls
GENERAL CONTROLS
§ Access to Equipment, Programs & Data
§ Hardware Controls related to Segregation of Duties
§ Application Development & Maintenance Controls

Impact of ERP on the Audit
An ERP environment creates many issues an auditor must address...
§ Can All Accounts be Audited Substantively
§ Monitoring Controls on ERP
§ Controls Built into ERP (Inherent & Configured)
§ The Control Environment Has Changed
§ General IT Controls May Not Be Enough
§ Business Processes Have Changed

ERP Audit Risks and Issues
ERP allows more comprehensive validation and improves balancing controls, BUT:
§ Access security further complicated
§ Mix of Financial and non-financial business processes
§ Highly Configurable
§ Configuration consistency required
§ Segregation of duties harder to achieve
§ Cut-off risk increases

ERP Audit Risks and Issues
§ ERP is process based
Ø integrity of transaction based on process as a whole
Ø cannot be seen as individual transactions
§ Preventative controls paramount
§ Programmed procedures
Ø based on contents of various system tables
Ø changes to ERP elements impact control of business processes
§ Loss of physical audit trail - ERP aims to be paperless

ERP Audit Risks and Issues
§ Multiple processing platform dependent
Ø security on all is crucial
§ Direct dependence on IT environment security
Ø operating system
Ø database
Ø application
§ Initial system setup
Ø best fit with organization structure

Purchase and Payables: Process (SAP)
AP - Accounts Payable; MM - Material Master; GR - Goods Receipts; IV - Invoice Receipts; FI - Final Invoice; GL - General Ledger; PO - Purchase Order
MIRO, MIGO and ME21N - Typical SAP Table Name (Master Table)

Process Risk and Financial Statement Impact

The ‘Three-way Match’ in SAP

How to audit the SAP Three-way Match
[Diagram labels: Customizing; Audit Approach; Matching Enforced; Automated Controls; Purchase PO; PO Matching Changeable; Manual Controls; Substantive]

Opportunity: How Audit Tools help Auditor
§ Planning and Data Profiling
§ Sampling and Analysis
§ Audit Working Paper
§ Review of Audit Working Paper
§ Advantages of CAATs

Audit Approach

Planning and Profile Data
Benefits of using IT tools at Planning Stage:
§ Can define all activities within audit scope
§ Easily assign resources against each activity
§ Track the progress
Quick look at millions of transactions and view data in a comprehensive and summarized representation

Sampling
IT tools can generate different types of sample for analysis:
§ Systematic
§ Random
§ Attribute
§ Monetary
§ Classical Variable

Analysis

Working Paper

Working Paper Review

Sample Report

Advantages of CAATs
§ Reduced level of audit risk
§ Greater independence from the auditee
§ Broader and more consistent audit coverage
§ Faster availability of information
§ Improved exception identification
§ Greater flexibility of run times
§ Greater opportunity to quantify internal control weaknesses
§ Enhanced sampling
§ Cost savings over time

Opportunity: ISACA Resources
Area: ISACA Resources
§ IS Auditing: ISACA Auditing Standard, ISACA Auditing Guideline, IT Assurance Framework (ITAF), CISA certification
§ Risk Assessment: Risk IT, CRISC certification
§ IT Governance & Control: IT Governance Framework (ITGF) & CGEIT Certification
§ Compliance: Control Objectives for Information and Related Technology (COBIT)
§ Value Delivery: Value IT (Val IT)
§ Information Security: Business Model for Information Security (BMIS)

Opportunity: Business Growth

Shared Learning
Thank you