CPD Seminar Paper of 31 March 2011 on

IT Enabled System : Opportunities & Challenges for
Assurance Professionals
Acknowledgements:
- ISACA
- ITGI
- Wikipedia
- The Economist
- ICMAB
- SCB
March 31, 2011; ICAB (Chartered Accountant Bhaban)
Aniruddha Neogi, FCA, CISA, CGEIT, CRISC
1
Presentation Layout
 Understanding Key Terms
 Trends in Business and IT
 IT Enabled System: Basic Concepts of Auditing
 Challenges: Adapting IT Auditing Techniques
 Challenges: Auditing in ERP Environment
 Opportunity: How Audit Tools help Auditor
 Opportunity: ISACA Resources and Business Growth
 Shared Learning
2
‘Assurance or Audit’
‘Systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled’.
(Audit criteria are a set of policies, procedures or requirements)
‘Auditing can be defined as a systematic process by which a
competent, independent person objectively obtains and
evaluates evidence regarding assertions about an economic
entity or event for the purpose of forming an opinion about
and reporting on the degree to which the assertion conforms to
an identified set of standards’
3
‘IT Enabled System’
An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.
4
Trends in Business: Globalization & Competition
Impact on Business in General; Impact on the Finance Function
- Increased pace of change
- Greater volatility: “real-time” information is a necessity
- Increased importance in strategy
- Concentration of Core Competencies
- Increased complexity of business risk
- Greater importance of finance in strategic decisions
- Need for financial evaluation of strategic alliance
- Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.
5
Trends in Business: Other Drivers
Drivers
- New Organization Structure and Requirements
- Emergence of Information Economy; Focus on “Real Time”, accurate data
- Increasingly important role of Computers/IT in the Business Processes
Impact on the Finance Function
- Fewer Management Levels; Flatter Organizations
- Greater involvement in trend analysis, data interpretation, value-added services
- Automation, centralization of accounting & transaction processing; more scope for outsourcing
6
Changing Face of Finance Functions
7
Changing Face of Information Technology (IT)
8
Global Paperless Trade
[Diagram labels: Importer; Importer Bank; Exporter; Exporter’s Bank; Bangladesh; Singapore; VAN/EDI; Original Documents; Details of export documentation; Payment; LC issued subject to eUCP; Electronic Export Documents; Electronic Documents Created; 3rd Party Docs e.g. B/L; Feeds to assist Document creation]
9
Straight 2 Bank Product Suite
Cash Management (Payments)
Payments TI
Available Instructions
 Telegraphic Transfer
 Local and International Bank Cheque
 Book Transfer
 Direct Credit
 Payroll
 Corporate Cheque
 Bank to Bank transfer
 Advice of Cheque
 MT101 (Request for Transfer)
Trade
Trade Reporting
Adhoc query reports
Trade Banking
 LC issuance and amendment
Cash Reporting
 Ad hoc balance & Transaction reports
 Drill Down Link Acct balance & Acct Stmt reports.
 SWIFT Reports for MT940, MT942, MT950, MT900, MT910, Africa, UK and China cash reports
Cash Management (Collection)
Collection Reporting
iH2H
Payment, Collection
10
Data, data everywhere….
 Information has gone from scarce to superabundant
 That brings huge new benefits, but also big challenges
 Data are widely available
 What is crucial is to identify relevant data for analysis based on which opinion can be provided
11
IT Enabled System: Basic Concepts of Auditing
 Audit of Financial Statement: Basic Structure
 Auditing Around the Computer
 Auditing Through the Computer
12
Audit of Financial Statement: Basic Structure
[Diagram: B. Structure of the Financial Audit. Labels: Interim Audit; Financial Statement Audit; Compliance Testing; Substantive Testing]
13
Compliance Testing
Auditors perform tests of controls to determine that the
control policies, practices, and procedures established by
management are functioning as planned.
14
Substantive Testing
Substantive testing is the direct verification of financial
statement figures. Examples would include reconciling a bank
account and confirming accounts receivable.
Audit Confirmation
To ABC Co. Customer:
Please confirm that the
balance of your account
on Dec. 31 is _____ .
15
Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor
selects source documents that have been input into the system
and summarizes them manually to see if they match the
output of computer processing.
Audit around the computer only when:
(a) the audit trail is complete
(b) processing operations are straightforward
(c) systems documentation is complete and readily available
16
Auditing Through the Computer
The process of evaluating the client’s software and hardware to
determine the reliability of operations that are hard for the human
eye to view, and of reviewing the internal controls in an IT
enabled system.
Audit through the computer with:
(i) audit test data
(ii) parallel simulation
(iii) integrated test facility
17
Challenges: Adapting IT Auditing Techniques
 Basic Knowledge and Skills
 Auditing Techniques
18
Knowledge and Skills
When auditing in a computer environment, the auditor should
obtain a basic understanding of the fundamentals of data
processing and a level of technical computer knowledge and
skills which, depending on the circumstances, may need to be
extensive.
19
Auditing Techniques/CAATs
 Review of Systems Documentation
 Test Data and Integrated-Test-Facility (ITF)
 Parallel Simulation
 GAS
 Embedded Audit Routines
 Mapping
 Extended Records and Snapshots
20
Review of Systems Documentation
 Review of documentation such as narrative descriptions,
flowcharts, and program listings
 In desk checking the auditor processes test or real data
through the program logic
 Interviewing IT Staff
21
Test Data and ITF
The auditor prepares input containing both valid and invalid data. Prior to processing the
test data, the input is manually processed to determine what the output should look like. The
auditor then compares the computer-processed output with the manually processed results.
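The test-data method described above, as an added example that is not part of the seminar paper: a deck of valid and invalid invoices with outcomes predetermined by hand is run through the program under test, and every deviation is listed. `post_invoice` is a hypothetical stand-in for the client's program with one control deliberately missing; the vendor master and all test records are constructed.

```python
from decimal import Decimal

APPROVED_VENDORS = {"V001", "V002"}  # constructed vendor master


def post_invoice(inv):
    """Hypothetical stand-in for the client's invoice-posting program.
    The control "invoice must not exceed the PO amount" is deliberately
    missing so that the test deck has a deviation to detect."""
    if inv["vendor"] not in APPROVED_VENDORS:
        return "REJECTED"
    if not inv["po_number"]:
        return "REJECTED"
    if Decimal(inv["amount"]) <= 0:
        return "REJECTED"
    return "POSTED"


def case(vendor="V001", po_number="PO-1001", po_amount="500.00", amount="500.00"):
    """Build one constructed test invoice; the defaults describe a valid one."""
    return {"vendor": vendor, "po_number": po_number,
            "po_amount": po_amount, "amount": amount}


# Constructed test deck: (case id, input, outcome predetermined by hand).
TEST_DECK = [
    ("T1 valid invoice", case(), "POSTED"),
    ("T2 unknown vendor", case(vendor="V999"), "REJECTED"),
    ("T3 no purchase order", case(po_number=""), "REJECTED"),
    ("T4 negative amount", case(amount="-10.00"), "REJECTED"),
    ("T5 zero amount", case(amount="0.00"), "REJECTED"),
    ("T6 invoice exceeds PO", case(amount="750.00"), "REJECTED"),
    ("T7 invoice below PO", case(amount="499.99"), "POSTED"),
]


def run_test_deck(program, deck):
    """Process every case and return the deviations from expectation."""
    deviations = []
    for case_id, inv, expected in deck:
        actual = program(inv)
        if actual != expected:
            deviations.append((case_id, expected, actual))
    return deviations


if __name__ == "__main__":
    for case_id, expected, actual in run_test_deck(post_invoice, TEST_DECK):
        print(f"DEVIATION {case_id}: expected {expected}, got {actual}")
```

A deviation on an invalid case, as with T6 here, points to an edit check that the program does not enforce.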
22
Parallel Simulation
The test data and ITF methods both process test data through real programs. With
parallel simulation, the auditor processes real client data on an audit program similar
to some aspect of the client’s program. The auditor compares the results of this
processing with the results of the processing done by the client’s program.
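Parallel simulation as described above, in an added example that is not part of the seminar paper: the auditor's own routine recomputes the amount payable from the client's input records and compares it with the client program's output. The early-payment discount term (2% within 10 days), the record layout and all data are assumptions constructed for the illustration.

```python
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

DISCOUNT_RATE = Decimal("0.02")  # assumed term: 2% if paid within 10 days
DISCOUNT_DAYS = 10


def simulate_payment(inv):
    """Auditor's independent recomputation of the amount payable."""
    amount = Decimal(inv["amount"])
    days = (inv["paid_on"] - inv["invoice_date"]).days
    if 0 <= days <= DISCOUNT_DAYS:
        amount -= amount * DISCOUNT_RATE
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(client_input, client_output):
    """Compare the client's output with the auditor's simulated results."""
    exceptions = []
    for inv in client_input:
        expected = simulate_payment(inv)
        reported = client_output.get(inv["id"])
        if reported is None:
            exceptions.append((inv["id"], "missing from client output"))
        elif Decimal(reported) != expected:
            exceptions.append((inv["id"], f"client {reported}, simulated {expected}"))
    known = {inv["id"] for inv in client_input}
    for inv_id in sorted(set(client_output) - known):
        exceptions.append((inv_id, "in client output without input record"))
    return exceptions


# Constructed extract of client input and of the client program's output.
CLIENT_INPUT = [
    {"id": "INV-1", "amount": "1000.00", "invoice_date": date(2011, 3, 1), "paid_on": date(2011, 3, 8)},
    {"id": "INV-2", "amount": "250.00", "invoice_date": date(2011, 3, 1), "paid_on": date(2011, 3, 25)},
    {"id": "INV-3", "amount": "400.00", "invoice_date": date(2011, 3, 2), "paid_on": date(2011, 3, 30)},
    {"id": "INV-4", "amount": "90.00", "invoice_date": date(2011, 3, 5), "paid_on": date(2011, 3, 9)},
]
CLIENT_OUTPUT = {"INV-1": "980.00", "INV-2": "250.00", "INV-3": "392.00", "INV-5": "75.00"}

if __name__ == "__main__":
    for inv_id, finding in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(inv_id, "-", finding)
```

Besides value differences, the comparison reports records that appear on only one side, which covers completeness as well as accuracy.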
23
Generalized Audit Software (GAS)
GAS refers to standard software that has the capability to directly read and
access data from various database platforms, flat-file systems and ASCII
formats. The following functions are supported in GAS:
 File access: enables reading of different record formats and file structures
 File reorganization: enables indexing, sorting, merging & linking with another file
 Data selection: enables global filtration conditions and selection criteria
 Statistical functions: enables sampling, stratification and frequency analysis
 Arithmetical functions: enables arithmetic operators and functions
24
Embedded Audit Routines
 In-line Code – The application program performs audit data collection while it processes data for normal production purposes
 System Control Audit Review File (SCARF) –
   Edit tests for audit transaction analysis are included in the program
   Exceptions are written to a file for audit review
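A SCARF-style embedded audit routine, as an added example that is not part of the seminar paper: edit tests defined by the auditor run in-line with a production posting loop and write exceptions to a review file. The three tests, the field names and the transactions are assumptions constructed for the illustration, and an in-memory file stands in for the SCARF file.

```python
import io
import json

# Auditor-defined edit tests (assumed criteria, not taken from the paper).
AUDIT_TESTS = {
    "amount_over_limit": lambda t: t["amount"] > 100_000,
    "creator_is_approver": lambda t: t["created_by"] == t["approved_by"],
    "missing_po_reference": lambda t: not t["po_number"],
}


def scarf_hook(txn, scarf_file):
    """Embedded audit routine: run the edit tests, log any exception."""
    failed = [name for name, test in AUDIT_TESTS.items() if test(txn)]
    if failed:
        record = {"txn": txn["id"], "tests": failed, "amount": txn["amount"]}
        scarf_file.write(json.dumps(record) + "\n")
    return failed


def process_payments(txns, scarf_file):
    """Hypothetical production run with the audit hook called in-line.
    The hook only records; it never blocks or alters a transaction."""
    total = 0
    for txn in txns:
        scarf_hook(txn, scarf_file)
        total += txn["amount"]
    return total


def read_scarf(scarf_file):
    """Auditor's side: load the exception records for review."""
    scarf_file.seek(0)
    return [json.loads(line) for line in scarf_file if line.strip()]


# Constructed payment transactions.
SAMPLE_TXNS = [
    {"id": "P-1", "amount": 5_000, "created_by": "alice", "approved_by": "bob", "po_number": "PO-1"},
    {"id": "P-2", "amount": 250_000, "created_by": "alice", "approved_by": "bob", "po_number": "PO-2"},
    {"id": "P-3", "amount": 1_200, "created_by": "carol", "approved_by": "carol", "po_number": ""},
]

if __name__ == "__main__":
    scarf = io.StringIO()  # stands in for the SCARF file on disk
    print("posted total:", process_payments(SAMPLE_TXNS, scarf))
    for rec in read_scarf(scarf):
        print(rec)
```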
25
Mapping
 Special software counts the number of times each
program statement in a program executes
 Helps identify code that is bypassed when the bypass
is not readily apparent in the program code and/or
documentation
26
Extended Records and Snapshots
Extended Records:
Specific transactions are tagged, and the intervening
processing steps that normally would not be saved are added
to the extended record, permitting the audit trail to be
reconstructed for these transactions.
Snapshot:
A snapshot is similar to an extended record except that the
snapshot is a printed audit trail.
27
Key Sectors in Bangladesh
BANK
TELECOM
MNC
CEMENT
HEALTHCARE
PHARMACEUTICALS
DEVELOPMENT
INFRASTRUCTURE
RMG
NGO
28
Challenges: Auditing in ERP Environment
 ERP Structure and Control Environment
 Impact of ERP on the Audit
 Audit Risks and Issues
 Audit of Purchase and Payable Process in SAP
29
Enterprise Resource Planning (ERP) System
Integrates information and business processes to enable information entered once to be shared throughout the organization
ERP had its origins in manufacturing and production planning
ERP automates the tasks involved in performing a business process. If installed correctly, it can have a tremendous payback
Common examples include SAP, PeopleSoft, JD Edwards, Navision and Oracle.
[Diagram: ERP Project. Labels: Needs Assessment; Software Selection; Process Reengineering; Training; Conference Room Pilot; Phased Implementation]
30
ERP Structure
[Diagram labels: ERP; Authorizations and Security; Technical Infrastructure/General Controls; Database server; Application server; Presentation server; Business Process/Application Controls]
31
ERP Control Environment
Business Performance Reviews
APPLICATION CONTROLS
- Input controls
- Output controls
- Processing controls
- Controls of Master File
GENERAL CONTROLS
- Access to Equipment, Programs & Data
- Hardware Controls
- Controls related to Segregation of Duties
- Application Development & Maintenance Controls
Evaluate the effectiveness of general controls before evaluating application controls
Application controls must be evaluated specifically for every audit area
32
Impact of ERP on the Audit
An ERP environment creates many issues an auditor must address:
- Can All Accounts be Audited Substantively
- Monitoring Controls on ERP
- Controls Built into ERP (Inherent & Configured)
- The Control Environment Has Changed
- General IT Controls May Not Be Enough
- Business Processes Have Changed
33
ERP Audit Risks and Issues
ERP allows more comprehensive validation and improves
balancing controls, BUT:
 Access security further complicated
 Mix of Financial and non-financial business processes
 Highly Configurable
 Configuration consistency required
 Segregation of duties harder to achieve
 Cut-off risk increases
34
ERP Audit Risks and Issues
 ERP is process based
   integrity of transaction based on process as a whole
   cannot be seen as individual transactions
 Preventative controls paramount
 Programmed procedures
   based on contents of various system tables
   changes to ERP elements impact control of business processes
 Loss of physical audit trail - ERP aims to be paperless
35
ERP Audit Risks and Issues
 Multiple processing platform dependent
   security on all is crucial
 Direct dependence on IT environment security
   operating system
   database
   application
 Initial system setup
   best fit with organization structure
36
Purchase and Payables: Process (SAP)
AP - Accounts Payable; MM - Material Master; GR - Goods Receipts; IV - Invoice Receipts; FI - Final Invoice; GL - General Ledger; PO - Purchase Order
MIRO, MIGO and ME21N - Typical SAP Table Name (Master Table)
37
Process Risk and Financial Statement Impact
38
The ‘Three-way Match’ in SAP
39
How to audit the SAP Three-way Match
[Diagram: Customizing and Audit Approach. Labels: Purchase; PO; Matching Enforced; Automated Controls; Matching Changeable; Manual Controls; Substantive]
Substantive
40
Opportunity: How Audit Tools help Auditor
 Planning and Data Profiling
 Sampling and Analysis
 Audit Working Paper
 Review of Audit Working Paper
 Advantages of CAATs
41
Audit Approach
42
Planning and Profile Data
Benefits of using IT tools at Planning Stage:
Can define all activities within audit scope
Easily assign resources against each activity
Track the progress
Quick look at millions of transactions and view data in a comprehensive and summarized representation
43
Sampling
An IT tool can generate different types of sample for analysis:
 Systematic
 Random
 Attribute
 Momentary
 Classical Variable
44
Analysis
45
Working Paper
46
Working Paper Review
47
Sample Report
48
Advantages of CAATs
 Reduced level of audit risk
 Greater independence from the auditee
 Broader and more consistent audit coverage
 Faster availability of information
 Improved exception identification
 Greater flexibility of run times
 Greater opportunity to quantify internal control weaknesses
 Enhanced sampling
 Cost savings over time
49
Opportunity: ISACA Resources
Area: ISACA Resources
- IS Auditing: ISACA Auditing Standard, ISACA Auditing Guideline, IT Assurance Framework (ITAF), CISA certification.
- Risk Assessment: Risk IT, CRISC certification
- IT Governance & Control: IT Governance Framework (ITGF) & CGEIT Certification
- Compliance: Control Objective on Information & Related Technology (COBIT)
- Value Delivery: Value IT (Val IT)
- Information Security: Business Model for Information Security (BMIS)
50
Opportunity: Business Growth
51
Shared Learning
Thank you
52