University of Colorado
SAP & ISACA

Presenters
Ryan McMeekin
Nancy Bong
Scott Murphy

Agenda/Contents
• What is Risk Assurance?
• What is a Control
• Information Technology General Controls
• Reporting
• Exercise
• Modules of SAP
• ISACA/CISA
• Recruitment
• Questions

What is Risk Assurance?
• Risk Assurance at PwC
  • Business Process / IT Controls
  • Internal Audit Services
  • Third Party Assurance
  • IT Project Assurance
  • Enterprise Risk Management, etc.
• Our Clients:
  • Financial Audit and External Clients

What is a Control?
• Why are systems and controls important?
  In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems designed to help the organization accomplish specific goals or objectives.
  "COSO" - Committee of Sponsoring Organizations of the Treadway Commission: Internal Control Integrated Framework (1992)
• Key information system control objectives:
  • Safeguarding assets
  • Maintaining data integrity
  • Operating effectively and efficiently
• Examples of IT Audits:
  • Financial Statement Audits, public (SOX) and private
  • Third-Party Assurance
  • PCI (Payment Card Industry)
  • Internal Audit

Information Technology Risk and Controls Diagram

Information Technology Risk Layers
• Perimeter
• Network
• Operating System
• Application
• Data

Exercise
Please get in groups of 3 or 4
1) What are examples of IT risk?
2) How does IT risk impact a business?
3) How can IT risk impact Financial Statements?

Exercise Debrief
1) What are examples of IT risk and security?
• Restricted Access and Segregation of Duties
• Change Management / SDLC
• Batch Processing, System Interfaces
2) How does IT risk impact a business?
• Safeguarding of assets, data integrity, efficiency of operations
• Compliance requirements (SOX, HIPAA, PCI)
• Investor Confidence
3) How can IT risk impact Financial Statements?
• Indirectly impacting financial statement assertions
• Pervasiveness of impact

Reporting
- Key Reports
- Information used in performance of a key control
- Configurable to Client Environment
- SAP (Customized or Canned)
- Changes
- Access
- How do we use SQL Statements?
  • Reporting
  • Integrity of Data

SAP - Financial General Ledger
What are Risks with these Accounting Areas?
- Journal Entries
- Period End Closing
- Foreign Exchange
- New GL
- FI/CO Integration

Exercise - Financial General Ledger
Period End Closing Control
The standard SAP reports indicating general ledger account metrics are investigated and resolved during period end on a timely basis.
- Create a Test Plan
- What are the Key Conditions of this Control (italicized)?
- How could we test/verify that the control is operating?

Exercise - Debrief
How to Test & Interpretation
a) Inquire of management to determine whether:
  i) SAP reports are relied upon during the period end close process
  ii) Report review is performed by a person independent from the transaction processing activities
  iii) Exceptions are investigated and resolved on a timely basis
b) Evaluate if there is sufficient and appropriate evidence to test the control
c) Inspect / examine a sample of reports to determine whether evidence exists for the timely resolution of exceptions

SAP - Procure to Pay & Accounts Payable
- Integrates purchasing department with Accounts Payable department.
- Business Processes
- 3-way Match
  - Agree Purchase order
  - Invoice
  - Receiving
- Automated Process of SAP
- Circumnavigate Business Processes?
- Basis and IT Controls

What is ISACA?
• Information Systems Audit & Control Association (ISACA)
• Goal: To expand the knowledge and value of the IT governance and control field
• Members work in:
  • Financial and banking, public accounting, government, the public sector, and the private sector
• Chapter Meetings
• Accounting and Information Security focus
• CISA Relationships and Personal Experiences

CISA Description
• The Certified Information Systems Auditor (CISA) is ISACA's cornerstone certification
• Devoted exclusively to IT audit, controls, and security
• Importance
  • Good certification for individuals who have audit, control and/or security responsibilities

Compare and Contrast CISA vs. CPA

CISA
• IT oriented
• One 4 Hour Test
  • IT Audit
  • System Life Cycle Development
  • Infrastructure
  • IT Governance
  • IT Service Delivery & Support
  • Protection of Info Assets
  • Business Continuity & Disaster Recovery
• Cost less than CPA
• Prerequisite for Promotion

CPA
• Financial oriented with IT
• 4 Parts (3-4 hrs each)
  • Audit
  • Financial
  • Business
  • Regulation
• Cost more than CISA
• Prerequisite for Promotion

Recruitment Information
• Thursday September 8th - Accounting Firm "Roadshow" - 7pm to 9pm - Koelbel Building
• Monday September 12th - BAP Kick-Ball Tournament - 4pm - 6pm - field by Koelbel Building
• Wednesday September 14th - MBSA Meeting Accounting Night - 5:30 p.m. to 7:30 p.m. - Koelbel Building
• Thursday September 15th - Meet the Firms - 6:30 p.m. - 9:00 p.m. - UMC, on campus
• Monday September 19th - Resume deadline

Questions?

Contact Information
Ryan McMeekin - Ryan.McMeekin@us.pwc.com
Nancy Bong - Nancy.J.Bong@us.pwc.com
Scott Murphy - Scott.C.Murphy@us.pwc.com