Audit Implications of Integrated Financial Management Information Systems (IFMISs)
Dr. Paul Dorsey, Dulcian, Inc.
May 20, 2009
Slide 1 of 22
Conventional Wisdom
- IFMISs reduce audit risk.
- Audit the IFMIS and the non-IFMIS independently.
  - IT auditors bless the IFMIS.
  - Traditional auditors ignore the IFMIS.
- "Auditing" an IFMIS means:
  - Code control
  - Access control
  - Black-box validation: inputs generate correct outputs.
Slide 2 of 22
Why should we worry?
- IFMISs INCREASE exposure.
- Standard audit techniques will not effectively assess exposure risks.
- Standard controls do not protect effectively against IFMIS-impacted exposures.
- Developed nation companies do not usually have well-controlled environments.
Slide 3 of 22
The Main Problem
Manual process flow:
- Lots of automatic controls based on many people seeing the transaction.
- Lots of controls to avoid manual data entry errors also control fraud.
- Separation of duties well understood and controlled.
IFMIS process flow:
- Single point of failure.
- Vulnerable to anyone with low-level access to the system.
Slide 4 of 22
Manual Process
(diagram) Enter transaction -> Approve transaction -> Prepare check -> Approve payment
Slide 5 of 22
IFMIS Process
(diagram) Enter transaction -> IFMIS -> Print Check
Approve transaction and Approve payment appear as steps attached to the IFMIS.
Slide 6 of 22
Why is this problem not widely discussed?
- Accountants/Auditors are not Information Technology (IT) trained.
- IT audit is a specialty area separated from traditional audit.
- Audit culture treats IT as independent.
Slide 7 of 22
Controlling Risk: Control/Exposure Matrix

Control             | Invalid     | Data entry | Coding | Developer
                    | Transaction | error      | Error  | Introduced Fraud
--------------------+-------------+------------+--------+-----------------
Periodic Audit      | Medium      | Medium     | High   | None
Dual Entry          | High        | High       | N/A    | None
Test Deck Audit     | N/A         | N/A        | High   | None
Level of Protection | High        | High       | High   | None

Slide 8 of 22
Ineffective Controls
Controls that are ignored, bypassed, faked, or not implemented:
- Electronic sign-offs that are not intrusive.
  - Accountants stay up all night to "sign" documents.
  - Users demand bulk approvals.
- Separation of duties
  - Everyone trusts the "system."
- Meaningless validations
  - System auto-calculates footing total.
Slide 9 of 22
New Controls Needed
- Artificial separation of duties
  - Inefficient manual steps
  - Particularly on cash transfers
- Comprehensive control system audit
- Functional controls that go around the system
Slide 10 of 22
Exposure Risks Increased by IFMIS
- Data Entry Errors
- Fraudulent Transactions
  - Especially subtle frauds
  - Collusion
- Subtle Process Errors
- Computer Professional Fraud
- Total loss of data
  - Physical system failure
- HUGE frauds
- Outsider access to system
  - Everyone
  - System is virused
  - Internet hacking exposure
Slide 11 of 22
Decreasing Risks (1): Data Entry Errors
- System validations
  - Contingent process flows
  - Validation rules
  - Check digits on account codes
- Multi-entry (double or triple entry)
- Review transactions
- Audit against source documents
Slide 12 of 22
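Two of the controls on this slide, check digits on account codes and double entry, worked through as an added Python example (not code from the deck or from Dulcian). The mod-11 weighting scheme, the field names and the sample entries are assumptions made for the illustration.

```python
"""Added example: data-entry controls for an IFMIS (check digit + double entry).
Not from the original presentation; scheme, field names and data are assumed."""


def check_char(base: str) -> str:
    """Mod-11 check character for a numeric account-code base (assumed scheme).
    Weights run from len(base)+1 down to 2, so every single-digit error and
    every adjacent transposition changes the weighted sum modulo 11."""
    if not base or not base.isdigit():
        raise ValueError("account code base must be a non-empty digit string")
    total = sum(int(d) * w for d, w in zip(base, range(len(base) + 1, 1, -1)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid_account_code(code: str) -> bool:
    """True when the last character is the correct check character for the rest."""
    if len(code) < 2 or not code[:-1].isdigit():
        return False
    return check_char(code[:-1]) == code[-1]


def double_entry_mismatches(first: dict, second: dict) -> list:
    """Double-entry control: two independent keyings of the same source document
    must agree field by field; differing fields go back for review."""
    return sorted(k for k in set(first) | set(second) if first.get(k) != second.get(k))


def screen_transaction(first: dict, second: dict) -> tuple:
    """Combined control: reject on a bad check digit in either keying, otherwise
    report double-entry disagreements. Returns (status, detail)."""
    for label, entry in (("first", first), ("second", second)):
        if not is_valid_account_code(entry.get("account", "")):
            return "rejected", f"{label} entry: account code fails check digit"
    diffs = double_entry_mismatches(first, second)
    if diffs:
        return "review", "fields differ between entries: " + ", ".join(diffs)
    return "accepted", ""


# Constructed sample: the second clerk transposed two digits of the amount.
SAMPLE_FIRST = {"account": "40231", "amount": "1250.00", "vendor": "V-117"}
SAMPLE_SECOND = {"account": "40231", "amount": "1520.00", "vendor": "V-117"}

if __name__ == "__main__":
    print(screen_transaction(SAMPLE_FIRST, SAMPLE_SECOND))  # ('review', 'fields differ between entries: amount')
```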
Decreasing Risks (2): Fraudulent Transactions
- Same controls as data entry errors
- More levels of review
- Random assignment of review
- Explicitly audit for fraud
Slide 13 of 22
Decreasing Risks (3): Subtle Process Errors
- Code review
- Exhaustive test decks
- "Test first" philosophy
- Business Rules approach
- Manual and automated testing
Slide 14 of 22
Decreasing Risks (4): Computer Professional Fraud
- Pair programming
- Explicit QA of all code
- Control "around" the system
  - Reports/controls NOT built/controlled by the same team
- Hire honest people
- Place manual (non-system-dependent) control on all cash transfers
Slide 15 of 22
Decreasing Risks (5): Total Loss of Data
- Transaction-level, off-site back-up
- Multi-site (out of country) back-up
- Test back-up strategy
Slide 16 of 22
Decreasing Risks (6): Huge Frauds
- Don't automate cash transfer
- Don't automate cash transfer
- Don't automate cash transfer
- Don't automate cash transfer
- Don't automate cash transfer
Slide 17 of 22
Decreasing Risks (7): Outsider Access to System
- No administrator rights for users
- No external data devices for machines
  - No USB keys
  - No floppy drives
- Serious penalty for security violations
- Real virus, firewall, security software
- Good security protocol
  - Passwords
  - Physical access
Slide 18 of 22
Decreasing Risks (7): System Hacking
- Get a security audit by a leading expert
Slide 19 of 22
Conclusions
- IFMISs increase audit risk.
- Additional controls are necessary to reduce risks.
- Most auditors ignore the issue.
Slide 20 of 22
Dulcian's BRIM® Environment
- Full business rules-based development environment
- For a demo, write "BRIM" on your business card
Slide 21 of 22
Contact Information
Dr. Paul Dorsey – [email protected]
Dulcian website - www.dulcian.com
Books:
- Design Using UML Object Modeling
- Developer Advanced Forms & Reports
- Designer Handbook
- Latest book: Oracle PL/SQL for Dummies
Slide 22 of 22