(IT) Audit - The California State University

CHAPTER 17
INFORMATION TECHNOLOGY (IT) AUDIT
OVERVIEW
As part of the California State University (CSU) financial audit, KPMG performs general and
application controls testing over the Common Financial System (CFS) and Finance Data
Warehouse (DW). The Common Financial System was implemented to consolidate the
individual PeopleSoft® finance application instances that support individual campuses and the
CSU Office of the Chancellor into a single centralized application instance (excluding the San
Diego campus).
The Finance Data Warehouse was implemented along with the Common Financial System to
maintain a centrally-managed, robust, enterprise financial reporting environment for all
campuses and the Chancellor’s Office.
The purpose of the IT audit is to gain assurance over the internal controls in place in connection
with the above-mentioned IT systems and to confirm their adequacy in limiting the risk of
material misstatement to the financial statements. Reliance on IT system controls over
computerized output reduces the substantive procedures required for financial statement audits.
IT GENERAL CONTROLS
IT general controls are policies and procedures that relate to one or more IT applications and
support the effective functioning of application controls by helping to ensure the continued
proper operation of information systems. Four components of IT general controls are tested: (1)
access to programs and data, (2) program changes, (3) program development, if applicable, and
(4) computer operations. The following lists the review areas for each component:
1. Access to program and data controls:
• IT security policies
• Passwords
• Privileged access (including administrator, superuser, and DBA level access)
• Granting / modifying access
• Terminating access
• Physical access (UNISYS)
• Annual user access and segregation of duties (SOD) reviews
• Relevant access monitoring controls
2. Program change controls:
• Change management policies and procedures
• Change management request and approval
• Change management testing
• Access to migrate changes
17.00-1
GAAP Manual | IT Audit | June 30, 2015
3. Program development controls:
• System development lifecycle
• System and acceptance testing
• Data validation
• Production cutover checklist
4. Computer operations controls:
• Job processing
• Backup procedures
• Restoration testing
• Access to backup tapes
• Incident management
• Unisys SOC1 report review
IT APPLICATION CONTROLS
IT application controls apply to the processing of transactions by individual IT applications.
These controls help ensure that transactions occurred, are authorized, and/or are completely and
accurately recorded and processed. They are manual or automated procedures that typically
operate at a business process level; they may be fully automated controls or manual controls
with an automated component. The objective of the automated control is to prevent, detect
and/or correct a misstatement of financial data. Types of IT application controls include:
• System configuration/account mapping;
• Generation and review of exception/edit reports;
• Interface controls;
• System access, including enforcement of segregation of duties policies.
Relevant IT application controls are linked to specific IT applications at the process level.
Additionally, each relevant IT application is identified with the relevant IT general control
environment(s) and related IT general control elements. As such, if the IT environment is found
to be operating effectively as a result of the IT general controls test procedures, KPMG IT will
conduct testing over select IT application controls as determined by the KPMG financial audit
team.
The auditors review and test the automated IT general and IT application controls by performing
walkthroughs (i.e. performing interviews and observations of the processes with IT and business
process owners), system tests (e.g. observing and reviewing configurations established within the
IT application), and selecting one representative sample (e.g. observing a sample transaction
flowing through the entire process). For relevant manual controls, the auditors will obtain an
understanding of the process and select appropriate samples based on the frequency of
occurrence of the control (e.g. daily frequency equates to a minimum of 15 samples, based on the
risk of failure of the control).
ROLL-FORWARD PROCEDURES
Roll-forward procedures may include performing corroborative inquiry of appropriate CSU
personnel regarding any IT environment and control changes that may have occurred since
testing, obtaining additional samples for review, and obtaining 4th quarter reports prepared after
the June 30 year end. These procedures are performed to determine whether there have been
significant changes or modifications to the existing IT control environment, IT processes, control
descriptions and activities, and process owners since the original testing of the controls (i.e.
during interim testing) through June 30. During the roll-forward period, the auditors will
consider the following matters that might affect the conclusions reached during interim testing
for control operating effectiveness:
• Individuals responsible for the oversight and operation of the controls, and ensuring the same
people are not assigned to both.
• The sufficiency of the evidence of effectiveness obtained at the interim date.
• New or significant modifications to client IT systems.
• Significant modifications to existing processes, including process reengineering.
• Significant new positions or changes in job roles or responsibilities, including employee
turnover.
• Indicators of fraudulent activity or errors.
• Changes in the client’s regulatory environment.
TIMING
Fieldwork generally occurs in the months of April through June. Roll-forward procedures are
conducted after June 30, generally in July.
REVISION CONTROL
Document Title: CHAPTER 17 – IT AUDIT
REVISION AND APPROVAL HISTORY
Section(s) Revised | Summary of Revisions | Revision Date
None.