IT Audit
Amy Vuong, Director
KPMG LLP
April 14, 2015

KPMG IT Audit FY 2013-14 Results
• In Scope Systems
  • Common Financial System (CFS) – Effective
  • Data Warehouse (DW) – Effective
• Findings
  • 4 total IT deficiencies

April 2014 Year-End GAAP Training (webcast)

Prior Year IT Findings (1 of 4)
Finding Description:
Password Policy: The San Marcos campus did not have a formal password policy documented.
Password Configuration: The password policy configurations set at the campus level did not adhere to their campus password policies.
1) Chancellor's Office: Maximum failed password attempts (policy denoted 3 maximum attempts, configuration set at 5 maximum attempts)
2) Channel Islands: Password aging schedule (policy denoted 180 days, configuration set to 200 days)
3) Dominguez Hills: Maximum failed password attempts (policy denoted 5 maximum attempts, configuration set at 10 maximum attempts)
4) San Francisco: Minimum password length (policy denoted 8 characters, configuration set at 0)
Exists as of 6/30/14: No
Management Response: All campuses have remediated the noted issues.
Root Cause for the Finding: Non-adherence to policies and procedures
Recommendation: The password configurations established at each campus should be reviewed/updated to reflect the requirements stated in the Access Control Standards document and the campus password policies.

Prior Year IT Findings (2 of 4)
Finding Description:
Windows Administration: KPMG noted 11 CSU employees with domain administrator privileges on the Windows network. Although these access rights were once appropriate and necessary for the installation of network applications, these users no longer require these privileges, and domain administrator access rights should be restricted to Unisys personnel.
Exists as of 6/30/14: Yes
Management Response: Windows domain access has been removed for CSU personnel. This was reviewed and validated by CO Information Security.
Root Cause for the Finding: Lack of user access review
Recommendation: A periodic review of users with privileged access should be performed.

Prior Year IT Findings (3 of 4)
Finding Description:
Granting/Modifying Access: KPMG noted that the Dominguez Hills campus was not able to provide user access request forms for 3 sampled users. We noted that they experienced a change in the personnel responsible for overseeing the CFS access provisioning and de-provisioning process beginning January 2014. In addition, they were in the process of transitioning their recordkeeping of user access forms from hardcopies to softcopies. As a result, they were unable to locate evidence of access approvals for 3 of our sampled users.
Exists as of 6/30/14: Yes
Management Response: The Chancellor's Office will disseminate a memo directing campuses to implement appropriate business practices to track and retain CMS user access records.
Root Cause for the Finding: Non-adherence to policies and procedures
Recommendation: Policies and procedures must be followed in order for processes to be deemed effective. Review the established process and ensure that campuses are following the procedures as documented.

Prior Year IT Findings (4 of 4)
Finding Description:
Terminating Access: KPMG noted that campuses did not remove terminated users' access rights in a timely manner.
1) Dominguez Hills: Access for 4 users was not removed until 11, 26, 41, and 46 days after they were terminated
2) San Francisco: Access for 1 user was not removed until 16 days after they were terminated
3) San Luis Obispo: Access for 3 users was not removed until 10, 11, and 18 days after they were terminated
4) San Jose: Access for 4 users was not removed until 11, 12, 21, and 23 days after they were terminated
5) San Marcos: Access for 4 users was not removed until 19 days, 34 days, 4 months, 6 months, and 8 months after they were terminated
Exists as of 6/30/14: Yes
Management Response: The Chancellor's Office will disseminate a memo directing the campus to terminate CMS user access rights within 10 days of an employee's last active day of employment.
Root Cause for the Finding: Non-adherence to policies and procedures
Recommendation: A general timeline should be implemented on how quickly a terminated user should be removed from the system. KPMG will be testing the removal/disabling of access for terminations within a one week timeframe after the termination date. The majority of campuses do not conduct a regular review over terminated users. Campuses should implement a regular review process to catch terminated users that were not disabled within one week.
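Findings 1 and 4 above are both control tests that can be repeated by a campus before the auditor arrives: compare each password parameter the system actually enforces against the value the campus policy requires, and measure how many days elapse between an employee's last active day and the removal of their access. The Python below is an added illustration of those two checks; it is not part of the KPMG presentation and not CSU or CMS tooling. The parameter names (`max_failed_attempts`, `max_password_age_days`, `min_password_length`), the function names and the record layout are the example's own assumptions. The four non-compliant password rows reuse the policy/configuration values quoted in finding 1; the compliant campus, the user ids and the termination dates are constructed, and the 10-day limit is the one stated in the management response to finding 4.

```python
"""Two access-control checks modelled on the prior-year findings above:
(1) password configuration compared against the campus password policy, and
(2) days elapsed between an employee's last active day and removal of their
system access. All sample data is constructed for illustration."""
from datetime import date
from typing import Dict, List, Optional

# Direction each configured value must satisfy relative to the policy value:
#   "max": configured value must not exceed policy (lockout threshold, password age)
#   "min": configured value must not fall below policy (minimum length)
PARAMETER_DIRECTION: Dict[str, str] = {
    "max_failed_attempts": "max",
    "max_password_age_days": "max",
    "min_password_length": "min",
}


def check_password_config(campus: str, policy: Dict[str, int],
                          config: Dict[str, int]) -> List[str]:
    """One finding per parameter whose configured value is weaker than the
    campus policy. A parameter the policy is silent on is skipped; one the
    policy requires but the system never sets is itself a finding."""
    findings: List[str] = []
    for param, direction in PARAMETER_DIRECTION.items():
        if param not in policy:
            continue
        want = policy[param]
        if param not in config:
            findings.append(f"{campus}: {param} not configured (policy {want})")
            continue
        got = config[param]
        weaker = got > want if direction == "max" else got < want
        if weaker:
            findings.append(f"{campus}: {param} policy {want}, configured {got}")
    return findings


def termination_lag_days(terminated: date, access_removed: Optional[date],
                         as_of: date) -> int:
    """Days from the last active day to access removal. Access that is still
    active is counted up to the review date so it is never silently skipped."""
    end = access_removed if access_removed is not None else as_of
    return (end - terminated).days


def check_terminations(records: List[dict], max_days: int,
                       as_of: date) -> List[str]:
    """One finding per terminated user whose access outlived the allowed
    window (the management response on this slide sets 10 days)."""
    findings: List[str] = []
    for rec in records:
        lag = termination_lag_days(rec["terminated"], rec["access_removed"], as_of)
        if lag > max_days:
            status = "removed" if rec["access_removed"] else "STILL ACTIVE"
            findings.append(f"{rec['campus']}: {rec['user']} {status} "
                            f"{lag} days after termination (limit {max_days})")
    return findings


# Constructed sample data. The four non-compliant password rows reuse the
# policy/configuration values quoted in finding 1; the compliant campus and
# every termination record (user ids, dates) are invented.
SAMPLE_PASSWORD_SETTINGS = {
    "Chancellor's Office": ({"max_failed_attempts": 3}, {"max_failed_attempts": 5}),
    "Channel Islands": ({"max_password_age_days": 180}, {"max_password_age_days": 200}),
    "Dominguez Hills": ({"max_failed_attempts": 5}, {"max_failed_attempts": 10}),
    "San Francisco": ({"min_password_length": 8}, {"min_password_length": 0}),
    "Example Campus (compliant)": (
        {"max_failed_attempts": 3, "max_password_age_days": 180, "min_password_length": 8},
        {"max_failed_attempts": 3, "max_password_age_days": 90, "min_password_length": 12},
    ),
}

REVIEW_DATE = date(2014, 6, 30)  # the "exists as of" date used on the slides

SAMPLE_TERMINATIONS = [
    {"campus": "Dominguez Hills", "user": "user01",
     "terminated": date(2014, 3, 3), "access_removed": date(2014, 3, 14)},   # 11 days
    {"campus": "San Francisco", "user": "user02",
     "terminated": date(2014, 2, 10), "access_removed": date(2014, 2, 26)},  # 16 days
    {"campus": "Long Beach", "user": "user03",
     "terminated": date(2014, 4, 1), "access_removed": date(2014, 4, 4)},    # 3 days, compliant
    {"campus": "San Marcos", "user": "user04",
     "terminated": date(2013, 11, 15), "access_removed": None},              # never removed
]


def run_sample_checks() -> Dict[str, List[str]]:
    """Run both checks over the constructed sample data."""
    password: List[str] = []
    for campus, (policy, config) in SAMPLE_PASSWORD_SETTINGS.items():
        password.extend(check_password_config(campus, policy, config))
    termination = check_terminations(SAMPLE_TERMINATIONS, 10, REVIEW_DATE)
    return {"password": password, "termination": termination}


if __name__ == "__main__":
    for kind, items in run_sample_checks().items():
        print(f"{kind}: {len(items)} finding(s)", *items, sep="\n  ")
```

Two design points matter for a repeatable check. A parameter the policy requires but the system leaves unset is reported rather than ignored, which is the San Francisco case (length configured as 0). And a terminated user whose access has never been removed is counted up to the review date instead of being dropped for lack of a removal date; otherwise the longest-lived accounts, the ones that matter most, would be the only ones missing from the report.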
KPMG IT Audit – Approach
• Perform IT Audit for FY 2014-15
  • IT General Controls
  • IT Application Controls
• Purpose
  • Gain assurance over internal controls in place over IT systems to limit the risk of material misstatement to the financial statements
  • Reliance on IT system controls over computerized output reduces substantive procedures required for financial statement audits

KPMG IT Audit – Scope of Work
• In Scope Systems
  • Common Financial System (CFS)
  • Data Warehouse (DW)
• Current year procedures are in the process of being conducted at the following locations: Chancellor’s Office, Northridge, San Jose, Fullerton, Sacramento, San Luis Obispo, Long Beach, San Francisco

KPMG IT Audit – Overview of IT General Controls
• IT General Controls
  • Controls that support the foundation of the system.
  • Includes 4 components:
    • Access to Programs and Data
    • Program Changes
    • Program Development
    • Computer Operations

KPMG IT Audit – IT General Controls Procedures
• Access to Programs and Data
  • IT Security Policies
  • Passwords
  • Security Access Rights / Privileged Access
  • DBA Access
  • Granting / Modifying Access
  • Terminating Access
  • Physical Access
  • Annual User Access and SOD Review

KPMG IT Audit – IT General Controls Procedures (continued)
• Program Changes
  • Change Management Policies and Procedures
  • Change Management Request and Approval
  • Change Management Testing
  • Change Management Security Access Rights

KPMG IT Audit – IT General Controls Procedures (continued)
• Computer Operations
  • Job Processing
  • Backup Procedures
  • Restoration Testing
  • Access to Backup Tapes
  • Incident Management

KPMG IT Audit – Overview of IT Application Controls
• Application Controls – automated controls, or manual controls with an automated component
  • Steps or requirements that a computer system executes to achieve a specific objective; the objective of the automated control is to prevent, detect and/or correct the risk of a financial misstatement
• Types of IT Application controls include:
  • system configuration/account mapping
  • exception/edit reports, including review of these reports
  • interface controls, and
  • system access, including enforcing segregation of duties.
• If the IT General Controls are operating effectively, KPMG IT will conduct testing over select IT Application Controls

KPMG IT Audit – IT Application Controls Procedures
• IT Application Controls
  • Current year procedures include:
    • Journal Entries Completeness testing
    • Access to enter/post Journal Entries
    • GAAP Derivation process
    • Access to the GAAP Override feature

KPMG IT Audit – Deficiency and Communication
• Control deficiencies
  • Confirm deficiencies with control owners before finalizing and reporting
  • Perform additional testwork/identify compensating controls to mitigate the risk
  • Perform remediation procedures

KPMG IT Audit – Deficiency and Communication (continued)
• Impact on Financial Audit Team
  • As the IT team leads in their testwork timing, KPMG IT will report all deficiencies to the financial audit team.
  • The financial audit team will analyze these deficiencies as they relate to the year-end financial statement audit and modify the audit approach as may be necessary. This may include performing additional substantive procedures, making additional sample selections, etc.

KPMG IT Audit – Key Dates
Task | Day | Date
KPMG to provide PBC Request Lists to CSU | Friday | April 10th, 2015
CMS and Campus to provide PBC items to KPMG | Monday | April 27th, 2015
On-site fieldwork begins | Monday | April 27th, 2015
KPMG will perform testwork over IT General Controls and IT Application Controls | – | April 27th, 2015 – June 30, 2015
Rollforward Testing / Project Wrap up / Close out Meeting | – | July 2015

www.calstate.edu