3. Session Objectives
• Overview of IT Audit
– Areas of IT Audit
– Importance of IT Audit
– Top IT challenges
• Understanding and Maximizing IT Audit
– Planning
– Executing the IT audit
– Evaluating results
7. What is IT Audit?
• Examination of controls within an IT infrastructure
• Process of collecting and evaluating evidence of an organization's information systems, practices, and operations
– Evaluation determines if information systems are safeguarding assets, maintaining integrity of information, and operating effectively to achieve the organization's goals or objectives
– May be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement
8. What is IT Audit?
• IT audit's agenda may be summarized by the following questions:
– Will the information in the systems be disclosed only to authorized users? (Confidentiality)
– Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
– Will the organization's computer systems be available for the business at all times when required? (Availability)
9. IT Audit to support Financial Audit
• Most businesses use multiple IT systems to support their business processes
– These include different systems for financial accounting, procurement, research & development, business intelligence, customer relationship management, sales, etc.
– Enterprise Resource Planning (ERP) systems integrate various such IT systems and provide one system to manage all important business processes
– Commonly used ERP systems include SAP, Oracle Applications, PeopleSoft, IFS, JD Edwards, etc.
10. IT Audit to support Financial Audit
– Most banks use a core banking system as a back-end system that processes daily banking transactions and posts updates to accounts and other financial records
– It includes deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools
– It enables banks to interconnect different branches by means of communication lines and allows customers to operate accounts from any branch
– Commonly used core banking systems include iFlex, TEMENOS, Finacle, BaNCS, Equation, FinnOne, etc.
11. IT Audit to support Financial Audit
• A financial audit, or more accurately, an audit of financial statements
– Review of financial statements of a company or any other legal entity (including governments)
– Resulting in publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented
• Substantive tests of detail
– Selecting a sample of items from major account balances, and finding hard evidence (e.g., invoices, bank statements) for those items
12. IT Audit to support Financial Audit
• Risk based approach
– Includes a combination of internal controls testing and substantive testing
– Internal controls testing allows financial auditors to assess the operating effectiveness of internal controls (e.g. authorization of transactions, account reconciliations, segregation of duties), including IT General Controls
– If internal controls are assessed as effective, this will reduce (but not entirely eliminate) the amount of 'substantive tests of detail'
13. IT Audit to support Financial Audit
– If internal controls are strong, auditors typically rely more on substantive analytical procedures (the comparison of sets of financial information, and financial with non-financial information, to see if the numbers 'make sense' and that unexpected movements can be explained)
– If internal controls are assessed as ineffective or weak, financial auditors need to rely on traditional substantive tests of detail
14. Areas of IT Audit
• There are broadly two areas of IT audit, which cover the following:
– IT General Controls (ITGC)
– IT Application/ Automated Controls (ITAC)
16. WCGW
• Activity: Invoice Receipt
• What Can Go Wrong?
– Invoice is received without a PO or GR
– Invoice amount is more than the PO amount
– Vendor bank details on the invoice are different from the vendor master record
– Invoice is entered twice in the system
– Unauthorized person enters the invoice in the system
17. WCGW
• How Can ‘IT’ Go Wrong
– IT system is not ‘configured’ correctly
• Reference to PO/ GR is not mandatory
• GR and invoice tolerance limits (i.e., the 3-way match) are not appropriate
• Field status is not appropriately configured
• Double invoice check is not used
– Access control is not restrictive
• Unauthorized persons have access to enter invoices
18. WCGW
• Which ‘IT CONTROLS’ can prevent these from going wrong
– System settings are appropriately configured to prevent the following:
• Invoice without PO/ GR reference
• Invoice posting if the invoice does not match the PO and GR
• Change of vendor in the invoice
• Duplicate entry of an invoice
– User access controls are appropriate
• Only authorized persons have access to enter invoices
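The three WCGW slides above describe the automated invoice controls in prose. The following Python sketch is an added illustration, not part of the deck and not any ERP vendor's code: it models invoice posting with those controls as system settings, so the weak configuration (no mandatory PO/GR reference, a wide tolerance, no duplicate check) can be compared with the strong one on the same invoices. All class names, field names, tolerance values and sample master data are constructed assumptions.

```python
"""Added example (not from the slide deck): automated invoice-receipt controls
as a posting check. Names, tolerances and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    amount: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    gr_id: str
    po_id: str
    amount: Decimal


@dataclass(frozen=True)
class Invoice:
    vendor_invoice_no: str          # vendor's own number, key for the duplicate check
    vendor_id: str
    bank_account: str               # bank details printed on the invoice
    amount: Decimal
    po_id: Optional[str] = None
    gr_id: Optional[str] = None


@dataclass(frozen=True)
class Settings:
    """System configuration an auditor would inspect (constructed values)."""
    po_gr_reference_mandatory: bool = True
    tolerance_pct: Decimal = Decimal("2")   # 3-way match is a tolerance, not exact equality
    duplicate_check: bool = True
    users_allowed_to_post: frozenset = frozenset({"ap_clerk_1", "ap_clerk_2"})


class InvoicePosting:
    def __init__(self, settings, vendor_master, purchase_orders, goods_receipts):
        self.settings = settings
        self.vendor_master = vendor_master           # vendor_id -> bank account on the master record
        self.pos = {po.po_id: po for po in purchase_orders}
        self.grs = {gr.gr_id: gr for gr in goods_receipts}
        self.posted = {}                              # (vendor_id, vendor_invoice_no) -> Invoice

    def check(self, inv, user):
        """Return the list of control failures; an empty list means the invoice may post."""
        s = self.settings
        findings = []
        if user not in s.users_allowed_to_post:               # access control
            findings.append("unauthorized user")
        po = self.pos.get(inv.po_id) if inv.po_id else None
        gr = self.grs.get(inv.gr_id) if inv.gr_id else None
        if s.po_gr_reference_mandatory and (po is None or gr is None):
            findings.append("missing PO/GR reference")
        if po is not None and gr is not None:                  # 3-way match within tolerance
            limit = po.amount * s.tolerance_pct / Decimal(100)
            if abs(inv.amount - po.amount) > limit or abs(inv.amount - gr.amount) > limit:
                findings.append("outside 3-way match tolerance")
            if inv.vendor_id != po.vendor_id:
                findings.append("vendor differs from PO")
        if self.vendor_master.get(inv.vendor_id) != inv.bank_account:
            findings.append("bank details differ from vendor master")
        if s.duplicate_check and (inv.vendor_id, inv.vendor_invoice_no) in self.posted:
            findings.append("duplicate invoice")
        return findings

    def post(self, inv, user):
        findings = self.check(inv, user)
        if not findings:
            self.posted[(inv.vendor_id, inv.vendor_invoice_no)] = inv
        return findings


STRONG = Settings()
WEAK = Settings(po_gr_reference_mandatory=False, tolerance_pct=Decimal("50"), duplicate_check=False)


def build_system(settings=STRONG):
    """Constructed sample master data: one vendor, one PO, one matching GR."""
    vendor_master = {"V100": "SG11-0001"}
    pos = [PurchaseOrder("PO-1", "V100", Decimal("1000"))]
    grs = [GoodsReceipt("GR-1", "PO-1", Decimal("1000"))]
    return InvoicePosting(settings, vendor_master, pos, grs)


if __name__ == "__main__":
    system = build_system()
    inv = Invoice("INV-7", "V100", "SG11-0001", Decimal("1010"), "PO-1", "GR-1")
    print(system.post(inv, "ap_clerk_1"))   # within 2% tolerance: posts cleanly
    print(system.post(inv, "ap_clerk_1"))   # second entry: duplicate invoice finding
```

Running the same invoices through `build_system(WEAK)` shows why the auditor inspects the settings rather than only the posted invoices: with the reference check off, a 50% tolerance and no duplicate check, an invoice with no PO, an overpriced invoice and a duplicate all post without a finding.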
20. WCGW – IT Controls
• For these IT automated/ application controls to work, certain other IT controls should be effective
– Without strong change controls, unauthorized changes may be made to the system settings
– Without access controls, unauthorized users may have access to enter invoices
• Basically, without these IT controls, the IT automated/ application controls may not remain effective over a period of time and therefore may not be relied upon!
22. IT Controls (Looking Another Way)
• There are broadly two categories of IT controls:
– Manual
– Automated
• Manual controls – Management, procedural and operational controls. For example, security policies, operational procedures, personnel security, etc.
– For example, approval of user access or review of the duplicate invoice report
23. IT Controls (Looking Another Way)
• Automated controls – Incorporated into systems (i.e., computer hardware, software, or firmware). For example, access control mechanisms, identification and authentication mechanisms, encryption methods, etc.
– Case in point, access controls are AUTOMATICALLY enforced by the system and users cannot access information to which they have not been explicitly granted access in the system. Therefore, they are referred to as automated controls.
26. Areas of IT Audit
• The ITGCs are broadly classified as follows:
– Information security policies and procedures
– Access Management
– Change Management
– System Development
– IT Operations Management
– End-User Computing
27. Interdependence
ITGC exceptions do not necessarily mean we cannot rely on automated controls – there are many strategies to resolve them!
28. Importance of IT Audit
• Reduced sample size
• Focus on areas of higher risks
• Reliance on system generated reports
• Understanding of risks due to use of IT systems
29. Top IT Challenges
• Access and Segregation of Duties
• Risks arising due to use of IT systems
– 3-way match is not a “match” but “tolerance of differences”
– PO release workflow may not always work
– Report output (e.g., ageing report, duplicate invoices) depends on system settings
• Business Continuity/ Disaster Recovery
32. Deciding Audit Approach
• Total audit time
• Regulatory/ compliance requirements
• Criticality of IT to the business
– How will it affect the business if the critical systems are down?
– Are critical business transactions performed using IT systems?
– Are critical controls performed by IT systems?
33. Identifying ITAC
• Activity: Invoice Receipt
• What Can Go Wrong?
– Invoice is received without a PO or GR
– Invoice amount is more than the PO amount
– Vendor bank details on the invoice are different from the vendor master record
– Invoice is entered twice in the system
– Unauthorized person enters the invoice in the system
34. Identifying ITAC
• How Can ‘IT’ Go Wrong
– IT system is not ‘configured’ correctly
• Reference to PO/ GR is not mandatory
• GR and invoice tolerance limits (i.e., the 3-way match) are not appropriate
• Field status is not appropriately configured
• Double invoice check is not used
– Access control is not restrictive
• Unauthorized persons have access to enter invoices
35. Identifying ITAC
• IT control vs Manual Control
• Which ‘IT CONTROLS’ can prevent these from going wrong
– System settings are appropriately configured to prevent the following:
• Invoice without PO/ GR reference
• Invoice posting if the invoice does not match the PO and GR
• Change of vendor in the invoice
• Duplicate entry of an invoice
– User access controls are appropriate
• Only authorized persons have access to enter invoices
36. Which ITGCs to Test?
• Depends on the ITAC
• At a minimum, should test controls over the following:
– Logical access
– Program change
37. Testing Frequency
• ITAC
– Every year, if it relates to a significant risk
– Every 3 years otherwise
• ITGC
– If audit procedures can demonstrate that changes were minimal, limited tests can be performed
• Logical access – depends on employee attrition, changes in system access, changes in roles & responsibilities, etc.
• Program changes – depends on magnitude of changes, major changes, new functionalities/ reports, etc.
– Changes in key personnel (IT or non-IT)
– New system implementation/ system upgrade
38. Executing IT Audits
• Test of Design (TOD)
– Evaluation of design effectiveness is critical because only properly designed controls are capable of operating effectively. A control deficiency exists when the design or operation of a control, or group of controls, does not allow management or employees to prevent or detect failures on a timely basis. A walkthrough is usually performed to assess design effectiveness
• Test of Operating Effectiveness (TOE)
– The purpose of the test of operating effectiveness is to gather sufficient documented evidence to enable a conclusion as to whether or not the controls as documented are operating in practice
39. Executing IT Audits
• Testing techniques include the following:
– Inquiry: In itself, not sufficient to support a conclusion about the effectiveness of a specific control
– Observation: Appropriate if there is no documentation of the operation of a control
– Inspection: Often used for manual controls, like the follow-up of exception reports
– Re-performance: Generally provides better evidence than other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively
40. Executing IT Audits
• ITAC
– Perform on the “Production” environment
– If a “Quality/ Testing” environment is used, ensure that there are controls to keep it synched with the “Production” environment
• Sample selection
– Based on the frequency and/ or risks
– ITAC: “Test of One” is acceptable, but should encompass all “scenarios”
41. Analyzing Results
• ITAC deficiencies
– Often more serious than manual control deficiencies due to reliance on systems within financial reporting
– Is it a “key” risk?
– Are there other automated/ manual controls addressing the same risk?
– Is the exposure “substantive”?
– Typically, extending the sample size does not help for ITAC deficiencies
42. Analyzing Results
• ITGC deficiencies
– There is no ‘blanket’ reliance or non-reliance on IT automated controls
– Assess the individual impact of ineffective IT general controls on the various IT automated controls
– Example
• Ineffective IT general control – developer has access to the production system
• IT automated control – Access to enter invoices is restricted to authorized users
43. Analyzing Results
• IT automated control: Access to change bank details of vendors is restricted to authorized users.
– IT automated control testing result: EFFECTIVE
• IT general control: There are procedures in place for the management of users and user privileges. The management procedures require formal approvals for the establishment of users and granting of privileges
– IT general control testing result: INEFFECTIVE
44. Analyzing Results
• Are there alternative controls?
– IT automated control: Bank details are defined as a sensitive field for dual control
– IT manual control:
• All changes to vendor master records are required to be approved by authorized personnel.
• All changes to vendors are reviewed monthly for appropriateness and approvals by an independent person.
• Which control should be relied upon?
– The IT automated control is preferred, but reliance depends on other IT automated and IT general controls
45. Analyzing Results
• Let’s assume we rely on the manual controls
– Select samples based on the sample selection methodology and perform tests to determine adherence to the defined procedures – both for approval and review of changes
• What if this manual control is not effective?
– Perform data analytics to list all changes to bank details and determine the following
• Whether the users performing these changes are appropriate
• Whether the changes are appropriate
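As an added example, not part of the deck, the following Python script performs the kind of data analytics the last bullet describes over a constructed vendor-master change log. It lists every change to bank details, checks whether the changing user and the approver are appropriate (which also covers the scenario from slide 42, a developer with production access making such a change), and flags repeated changes to one vendor within a short window as changes the reviewer should question. The log format, the user lists and the records are constructed assumptions.

```python
"""Added example (not from the slide deck): analytics over a constructed
vendor-master change log to evaluate changes to bank details."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed change-log extract: one row per field change on a vendor master record.
CHANGE_LOG = """\
change_id,changed_at,user,vendor_id,field,old_value,new_value,approved_by
1,2023-03-02T09:14:00,ap_clerk_1,V100,bank_account,SG11-0001,SG11-0002,ap_manager
2,2023-03-05T18:41:00,dev_user,V100,bank_account,SG11-0002,SG99-7777,
3,2023-03-06T10:02:00,ap_clerk_2,V205,address,1 Main St,2 High St,ap_manager
4,2023-03-09T11:30:00,ap_clerk_1,V205,bank_account,SG22-3333,SG22-3334,ap_clerk_1
5,2023-03-20T08:05:00,ap_clerk_2,V310,bank_account,SG33-1111,SG33-1112,ap_manager
"""

# Constructed lists the auditor would obtain from the role/authorization matrix.
AUTHORIZED_CHANGERS = {"ap_clerk_1", "ap_clerk_2"}
AUTHORIZED_APPROVERS = {"ap_manager"}
SENSITIVE_FIELDS = {"bank_account"}


def analyze(log_text, window_days=30):
    """Return [(change_id, [issue, ...])] for bank-detail changes that need follow-up."""
    rows = [r for r in csv.DictReader(StringIO(log_text)) if r["field"] in SENSITIVE_FIELDS]
    issues = {r["change_id"]: [] for r in rows}

    # Are the users performing the changes, and their approvers, appropriate?
    for r in rows:
        if r["user"] not in AUTHORIZED_CHANGERS:
            issues[r["change_id"]].append("changed by unauthorized user")
        approver = r["approved_by"]
        if not approver:
            issues[r["change_id"]].append("no approval recorded")
        elif approver == r["user"]:
            issues[r["change_id"]].append("self-approved (no dual control)")
        elif approver not in AUTHORIZED_APPROVERS:
            issues[r["change_id"]].append("approver not authorized")

    # Are the changes themselves appropriate? One heuristic: the same vendor's
    # bank account changed again within the window (a change-and-redirect pattern).
    by_vendor = {}
    for r in rows:
        by_vendor.setdefault(r["vendor_id"], []).append(r)
    for changes in by_vendor.values():
        changes.sort(key=lambda r: r["changed_at"])
        for prev, cur in zip(changes, changes[1:]):
            gap = datetime.fromisoformat(cur["changed_at"]) - datetime.fromisoformat(prev["changed_at"])
            if gap <= timedelta(days=window_days):
                issues[cur["change_id"]].append(
                    f"changed again within {window_days} days of change {prev['change_id']}")

    return [(cid, found) for cid, found in issues.items() if found]


if __name__ == "__main__":
    for change_id, found in analyze(CHANGE_LOG):
        print(change_id, "; ".join(found))
```

The output is the list of changes an auditor would take back to management, each with the reason it was selected, rather than a sample. The repeat-change window is one heuristic among several; on real data one would also compare new account numbers across vendors and against employee payroll records.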
47. Recap
• Overview of IT Audit
– Areas of IT Audit
– Importance of IT Audit
– Top IT challenges
• Understanding and Maximizing IT Audit
– Planning
– Executing the IT audit
– Evaluating results
48. Q & A
Contact Details:
Mantran Consulting Pte Ltd
14 Robinson Road #13-00
Far East Finance Building
Singapore 048545
Tel. +65 6401 5160
Fax. +65 6323 1839
Web. www.mantranconsulting.com
Email. info@mantranconsulting.com
Barun Kumar, Director
Mob. +65 8118 9972
Email. barunkumar@mantranconsulting.com
Jesus Lava III, Manager
Mob. +65 9026 3812
Email. jesuslava@mantranconsulting.com