Intro to IT Auditing for Non-IT Auditors
Steve Shofner, CISA, CGEIT
Moss Adams LLP
Core Competencies - C11/C12
Learning Objectives

Part 1 (Session C11): Audit Basics & Automated Controls
- Level-Set Our Understanding Of Key Terms & Concepts
- Understand The Role Of Automated Controls In Business Processes
- Audit Process & Required Documentation
- Types Of Automated Controls and Automated Control Test Strategy
Part 2 (Session C12)
- The Relationship between Financial/Operational Controls and IT General Controls (a.k.a. "Why IT General Controls Are Important")
- Understanding IT General Control Processes & Related Test Strategies
- Knowing When to Bring in 'The Experts' (When Things Get Really Technical)
Learning Objectives
- Explain the Relationship between Financial / Operational Controls and IT General Controls (a.k.a. "Why IT General Controls Are Important")
- Describe IT General Control Processes
- How to Test IT General Controls
- Knowing When to Bring in 'The Experts' (When Things Get Really Technical)

[Reviewer comment left on this slide, KatieSo, 9/4/2012: "This slide seems duplicative of the last slide - are both needed?"]
Housekeeping Items
- Please turn cell phones off
- Please close laptops unless you are using them for this session
- Excessive absence(s) will affect CPEs provided
LEVEL-SET UNDERSTANDING OF KEY TERMS & CONCEPTS
What Is An Audit?
- An evaluation of business processes (including IT processes) to determine their effectiveness
- Processes contain risks that the process's objectives may not be met
- Audits are an evaluation of a process to ensure that certain objectives are met
- Audits focus on the controls in the process, which address those risks
Definitions
- What Is A Risk?
  - The potential for loss (financial or operational)
- What Is An Objective?
  - The purpose one's efforts or actions are intended to attain or accomplish (to address risks)
- What Is A Control?
  - A proactive step taken by "management" to accomplish an objective
    - Management is any employee of the firm
    - The term management is used because they are usually responsible for implementing and maintaining effective controls
Types Of Objectives
- Financial Objectives
  - Completeness
  - Accuracy
  - Validity
  - Authorization
  - Real
  - Rights & Obligations
  - Presentation & Disclosure
- IT & Operational Objectives
  - Security
  - Availability
  - Confidentiality
  - Integrity
  - Scalability
  - Reliability
  - Effectiveness
  - Efficiency
- Compliance Audits Could Include Objectives From Both
Types of Controls
- Automated Controls
  - These are programmed financial controls
  - They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  - Test of one versus a statistical test of many
- Partially-Automated Controls
  - People-enabled controls
  - People rely on information from IT systems (also referred to as Electronic Evidence) for the control to function
- Manual Controls (no IT-Dependence)
  - People enable the control
  - Controls that are 100% independent of IT systems
Other Ways To Categorize Controls
- Prevent Controls: the locks on your car doors
- Detect Controls: your car alarm
- Correct Controls: your auto insurance; a LoJack system (a device that transmits a signal used by law enforcement to locate your stolen car)
More Ways To Categorize Controls
- Environmental Controls (a.k.a. "Governance")
- Financial Controls
- Operational Controls
- IT General Controls
  - User Administration
  - Change Management
  - IT Operations
  - Physical Environment
Controls: Multidimensional
(Figure: a grid showing that the two classifications are independent. One axis: Environmental, Financial, Operational, IT General. The other axis: Automated, Partially-Automated, Manual.)
Classifying Controls
- To ensure that only authorized payments are made, all checks issued require a signature.
  - Accomplishes the financial objective, authorized.
  - Someone manually signs the check
  - An unsigned check is prevented from being cashed
- All user requests (on MAC forms) must have a supervisor's signature authorizing the user's access.
  - Accomplishes the IT General Control objective, authorized.
  - Someone manually signs the MAC form
  - Unsigned MAC forms will not be processed, thereby preventing unauthorized access
(Note the different types of 'transactions')
Quiz #1
- Classify the controls in the handout
UNDERSTANDING THE ROLE OF AUTOMATED CONTROLS IN BUSINESS PROCESSES
Polling Question #1:
- True or False? "IT Controls are too technical - I don't understand what they do"
(Answer will be given at the end of this segment)
Introduce Case Study
- Let's take a look at the mechanics of a process (Purchase To Pay) and the related:
  - Objectives
  - Risks
  - Controls
(A made-up, illustrative example only)
Purchase To Pay Process
Flow: Someone makes a Purchase Request -> Buyer opens Purchase Order -> Buyer buys items -> Receive items -> Receive Invoice -> Pay for items
- Financial Objectives: Completeness; Accuracy; Validity; Authorization; Real; Rights & Obligations; Presentation & Disclosure
- IT & Operational Objectives: Security; Availability; Confidentiality; Integrity; Scalability; Reliability; Effectiveness; Efficiency
Purchase To Pay Process
Flow: Someone makes a Purchase Request -> Buyer opens Purchase Order -> Buyer buys items -> Receive items -> Receive Invoice -> Pay for items
- Risks:
  - Employee may order too much
  - Employee may try to misappropriate goods:
    - Purchase goods for personal use/gain
    - Fictitious order to collect check
  - Buyer may not use approved vendor (gaining the benefit of negotiated volume discounts)
  - Duplicate or missing items may be received
  - Invoice information may not be correct
  - Duplicate or missing invoices may be received
  - Incorrect payment amount
  - Payment sent to wrong address
  - Wrong payee on check
  - Check may not be signed
  - Check may not be cashed by payee
Purchase To Pay Process (controls 1 and 2)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items -> Receive items -> Receive Invoice -> Pay for items
- Risks:
  - Employee may order too much or not enough
  - Employee may try to misappropriate goods
- Controls:
  1. All Purchase Requests must be approved by a Manager or above
  2. Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
Purchase To Pay Process (control 3)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items [3] -> Receive items -> Receive Invoice -> Pay for items
- Risk:
  - Buyer may not use approved vendor (gaining the benefit of negotiated volume discounts)
- Control:
  3. Goods can only be purchased from vendors who have been pre-approved (Assumption: a process is in place to approve vendors, and it is operating effectively)
Purchase To Pay Process (control 4)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items [3] -> Receive items [4] -> Receive Invoice -> Pay for items
- Risk:
  - Duplicate or missing items may be received
- Control:
  4. Receiving Clerk counts all items received, ties them to the shipping slip, and will only receive complete shipments
Purchase To Pay Process (control 5)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items [3] -> Receive items [4] -> Receive Invoice [5] -> Pay for items
- Risks:
  - Invoice information may not be correct
  - Duplicate or missing invoices may be received
  - Incorrect payment amount
- Control:
  5. AP Clerk prepares a voucher package, including:
     - Purchase Order
     - Shipping Slip
     - Invoice
     - Check (Payment)
     AP Clerk ties out all information across the three documents to ensure completeness & accuracy
Purchase To Pay Process (control 6)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items [3] -> Receive items [4] -> Receive Invoice [5] -> Pay for items [6]
- Risks:
  - Payment sent to wrong address
  - Wrong payee on check
  - Check may not be signed
- Control:
  6. VP of Treasury reviews all voucher packages and approves/denies payment (signs checks of approved vouchers)
Purchase To Pay Process (control 7)
Flow: Someone makes a Purchase Request [1] -> Buyer opens Purchase Order [2] -> Buyer buys items [3] -> Receive items [4] -> Receive Invoice [5] -> Pay for items [6, 7]
- Risk:
  - Check may not be cashed by payee
- Control:
  7. ???
Comparison: Manual vs. Automated

Objective: All Purchase Requests must be approved by a Manager or above
  Manual Control: Manager signs purchase request form (hardcopy)
  Automated Control: Manager clicks approval in application

Objective: Buyers will only open Purchase Orders upon receipt of an approved Purchase Request
  Manual Control: Buyer compares signature to list of approvers
  Automated Control: Application only allows authorized approvers to approve

Objective: Goods can only be purchased from vendors who have been pre-approved
  Manual Control: Buyer only purchases from list of approved vendors
  Automated Control: PO system provides limited options in a drop-down menu, populated from a list of approved vendors

Objective: Receiving Clerk counts all items received, ties them to the shipping slip, and will only receive complete shipments
  Manual Control: Receiving Clerk manually performs control
  Automated Control: <none>

Objective: AP Clerk prepares a voucher package, including Purchase Order, Shipping Slip, Invoice, and Check (Payment), and ties out all information across the three documents to ensure completeness & accuracy
  Manual Control: AP Clerk ties out all information across the three sources
  Automated Control: Application ties out all information across all three sources, and... (see next control)

Objective: VP of Treasury reviews all voucher packages and approves/denies payment (signs checks of approved vouchers)
  Manual Control: VP of Treasury signs checks
  Automated Control: Application automatically prints checks for all matching information, using a signature block
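As an added example (not code from the deck or from any real AP system), here is what the automated form of controls 5 and 6 in the table above looks like when written down: a three-way match of purchase order, shipping slip and invoice that also catches duplicate invoices and takes the payee and remit-to address from the approved-vendor master rather than from the invoice. The record layouts, field names, vendor list and tolerance are assumptions for illustration; the sample documents are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed vendor master (assumed format): the approved-vendor list that
# control 3 relies on. Remit-to comes from here, never from the invoice.
APPROVED_VENDORS = {
    "V100": {"name": "Acme Office Supply", "remit_to": "PO Box 12, Springfield"},
    "V200": {"name": "Globex Industrial", "remit_to": "9 Harbor Rd, Shelbyville"},
}

@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    items: dict          # sku -> (quantity ordered, unit price)

@dataclass
class ShippingSlip:
    po_number: str
    received: dict       # sku -> quantity counted by the Receiving Clerk

@dataclass
class Invoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    lines: dict          # sku -> (quantity billed, unit price billed)
    total: Decimal

@dataclass
class MatchResult:
    ok: bool
    exceptions: list = field(default_factory=list)
    payee: Optional[str] = None
    amount: Optional[Decimal] = None

def three_way_match(po, slip, inv, paid_invoices, tolerance=Decimal("0.01")):
    """Automated control 5: tie out PO, shipping slip and invoice. Returns a
    clean result (payee + amount) only when everything agrees."""
    ex = []
    if inv.po_number != po.po_number or slip.po_number != po.po_number:
        ex.append("PO number mismatch across documents")
    if inv.vendor_id != po.vendor_id:
        ex.append("invoice vendor differs from PO vendor")
    if po.vendor_id not in APPROVED_VENDORS:
        ex.append(f"vendor {po.vendor_id} not on approved list")
    # Duplicate invoice: same vendor and invoice number already paid.
    if (inv.vendor_id, inv.invoice_number) in paid_invoices:
        ex.append(f"duplicate invoice {inv.invoice_number}")
    # Line-level tie-out: pay only for what was ordered AND received, at PO price.
    expected_total = Decimal("0")
    for sku, (inv_qty, inv_price) in inv.lines.items():
        if sku not in po.items:
            ex.append(f"{sku}: invoiced but not on PO")
            continue
        po_qty, po_price = po.items[sku]
        rcv_qty = slip.received.get(sku, 0)
        if inv_qty > po_qty:
            ex.append(f"{sku}: invoiced {inv_qty} > ordered {po_qty}")
        if inv_qty > rcv_qty:
            ex.append(f"{sku}: invoiced {inv_qty} > received {rcv_qty}")
        if inv_price != po_price:
            ex.append(f"{sku}: invoice price {inv_price} != PO price {po_price}")
        expected_total += Decimal(inv_qty) * po_price
    if abs(inv.total - expected_total) > tolerance:
        ex.append(f"invoice total {inv.total} != computed {expected_total}")
    if ex:
        return MatchResult(ok=False, exceptions=ex)
    # Automated control 6: a clean match releases payment to the vendor-master
    # payee and address (the deck's "prints checks for all matching
    # information"); a person only ever sees the exception queue.
    v = APPROVED_VENDORS[po.vendor_id]
    return MatchResult(ok=True, payee=f"{v['name']}, {v['remit_to']}", amount=expected_total)

def run_demo():
    """Constructed sample documents: a clean invoice, an overbilled one, and the
    clean one re-submitted (a duplicate)."""
    po = PurchaseOrder("PO-1001", "V100",
                       {"PAPER": (10, Decimal("4.50")), "TONER": (2, Decimal("60.00"))})
    slip = ShippingSlip("PO-1001", {"PAPER": 10, "TONER": 2})
    good = Invoice("INV-77", "PO-1001", "V100",
                   {"PAPER": (10, Decimal("4.50")), "TONER": (2, Decimal("60.00"))},
                   Decimal("165.00"))
    overbilled = Invoice("INV-78", "PO-1001", "V100",
                         {"PAPER": (12, Decimal("4.50")), "TONER": (2, Decimal("65.00"))},
                         Decimal("184.00"))
    paid = set()
    clean = three_way_match(po, slip, good, paid)
    if clean.ok:
        paid.add((good.vendor_id, good.invoice_number))
    bad = three_way_match(po, slip, overbilled, paid)
    dup = three_way_match(po, slip, good, paid)
    return clean, bad, dup

if __name__ == "__main__":
    for r in run_demo():
        print("PAY" if r.ok else "EXCEPTION", r.payee or r.exceptions, r.amount or "")
```

The point for the auditor is the one the deck makes: the logic is identical to what the AP Clerk and VP of Treasury were doing by hand, so a test of one clean match and one exception, plus a look at the configured tolerance and the approved-vendor list, covers the control. What it cannot cover is whether this logic stayed unchanged all year, which is what the IT general controls in Part 2 address.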
Quiz #2
- For each of the objectives in the handout, create:
  - A manual or partially-automated control, and
  - An automated control
Revisit Polling Question #1:
- Q: "IT Controls are too technical - I don't understand what they do"
- A: Automated controls don't accomplish anything that people weren't already doing.
AUDIT PROCESS & REQUIRED DOCUMENTATION
Testing
- Four Basic Steps:
  - Understand The Process
  - Perform A Walkthrough
    - To exercise the process of requesting and gathering evidence
    - Through review of the evidence, confirm and/or complete your understanding of the process being audited
  - Perform Testing
  - Report Results / Findings
Understand The Process
- ...Through Reviews Of Documentation And Interviews With Related Personnel
- Document Your Understanding Of The Process And Related Controls in Narratives
  - Different from policy, procedure, & standard documents (although those documents can be leveraged)
  - At a minimum, Narratives should include:
    - Background Information
    - Description of Controls
    - Information Necessary For Testing Controls (Who, What, Where, Why, When, How)
  - Document for testing purposes only...that is all you want
Perform Walkthroughs & Testing
- Perform Walkthroughs: A "Test of One"
  - Confirms Your Understanding Of Controls
  - Allows you to identify any problems in pulling populations or samples
- Complete Testing & Document Your Work
  - Four Basic Sections: Objective; Procedures; Results; Conclusion
Evidence
- Four types, listed from stronger to weaker evidence:
  - Reperformance (strongest)
  - Examination
  - Observation
  - Inquiry (weakest)
Report Results / Findings
- Reporting communicates the results of testing
- Typically has three sections:
  - Results: The facts, and just the facts
  - Implications / Business Risk: Why should the company care?
  - Recommendation: What should the company do about it?
  - Optional 4th Section: Management's Response
The Reperformance Standard
- When documenting your work, you should ensure that a reasonably-skilled auditor would be able to review your workpapers (and related evidence) and:
  - Understand what you did and why, and
  - See the same evidence that you saw, and
  - 'Reperform' your work and reach the same conclusion you did, based only on the information presented in your workpapers and supporting evidence.
- They should not need to:
  - Ask clarifying questions
  - Request and review additional information that is not included or specifically identified in your testing documentation
AUTOMATED CONTROL TEST STRATEGY
Automated Controls - We LOVE them!
- Automated Controls
  - These are programmed financial controls
  - They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  - They are easier to test: a test of one versus a test of many
Polling Question #2:
- True or False? "Automated Controls are too technical - I don't understand all the technical stuff required to test them"
Automated Controls: Test Strategy
- Determine the programmed logic
  - Usually a configuration setting
  - Sometimes the setting is "unconfigurable" (programmed into the application, and cannot be changed without changing program code)
- Follow one example of each type of transaction
  - This confirms that there isn't anything 'upstream' or 'downstream' that may affect the outcome
Automated Controls: Test Strategy
- Example: All Purchase Requests must be approved by a Manager or above
  1. Get a screen-shot of the configuration setup screen showing this control is configured.
  2. Observe one completed purchase request and validate that the approver was on the authorized approver list.
  3. You're done!
Revisit Polling Question #2:
- Q: "Automated Controls are too technical - I don't understand all the technical stuff required to test them"
- A: You can test these controls, with a little help from your friends (IT Administrators)
Checkpoint
- Covered so far:
  - Level-Set Our Understanding Of Key Terms & Concepts
  - Understand The Role Of Automated Controls In Business Processes
  - Audit Process & Required Documentation
  - Types Of Automated Controls and Automated Control Test Strategy
- Coming up (next session):
  - How To Test Common IT General Controls (In A Simple Environment)
  - Knowing When To Call 'The Experts'
Learning Objectives
- Part 1 (Session C11)
  - Level-Set Our Understanding Of Key Terms & Concepts
  - Understand The Role Of Automated Controls In Business Processes
  - Audit Process & Required Documentation
  - Types Of Automated Controls and Automated Control Test Strategy
- Part 2 (Session C12)
  - The Relationship between Financial / Operational Controls and IT General Controls (a.k.a. "Why IT General Controls Are Important")
  - Understanding IT General Control Processes & Related Test Strategies
  - Knowing When To Bring In 'The Experts' (When Things Get Really Technical)
THE RELATIONSHIP BETWEEN FINANCIAL/OPERATIONAL CONTROLS AND IT GENERAL CONTROLS (A.K.A. "WHY IT GENERAL CONTROLS ARE IMPORTANT")
Automated Controls - We LOVE them!
- Automated Controls
  - These are programmed financial controls
  - They are very strong: the programmed logic will function the same way every time, as long as the logic is not changed
  - They are easier to test: a test of one versus a statistical test of many
Expanding Coverage Beyond 'A Point In Time'
(Figure: a Q1-Q4 timeline. The Application Control Test is a single point on the timeline; IT General Controls span the whole period.)
- Testing application controls only tells you that the control worked for that transaction on that day.
- How can you get coverage for the whole period?
IT General Controls
- Change Management
- User Administration
- IT Operations
- Physical Environment
Effective General Controls
(Figure: a layered stack. Top: Business Processes. Beneath it: Data/Information used for Partially-Automated Controls, and Automated Controls. Foundation: General Controls.)

Without Effective General Controls
(Figure: the same stack with the General Controls foundation removed; the Automated Controls layer above it is left unsupported.)
Potential For Significant Problems Exists
Polling Question #3:
- "IT General Controls is all technical stuff...completely out of my realm. I don't understand the technology, and therefore am not qualified to test them"
UNDERSTANDING IT GENERAL CONTROL PROCESSES & RELATED TESTING STRATEGIES
IT Change Management
- Processes to manage changes to:
  - Program code
  - Configurations
- Objective:
  - Ensure that automated controls aren't inappropriately altered
  - Ensure that data integrity isn't inappropriately affected
Note: Fraud is not the primary concern; it's ensuring that good people aren't making honest mistakes.
Typical Change Management Process
1. Someone reports a problem or requests an improvement
2. Requested change is evaluated and approved for development
3. Change is developed in a non-production environment
4. Change is tested in a non-production environment
5. Completed change is evaluated and approved (by requestor)
6. Change is moved into production
7. Post-production testing is performed
It's a people-driven process
Testing Typical Change Management Controls
- Get a system-generated list of changes (a.k.a. a "population")
- Select a sample (usually 20-50 changes or 10-20%, whichever is smaller)
- Obtain and review change request forms for evidence of key controls
User Administration
- Processes to:
  - Add user access
  - Modify user access (adding and modifying are usually the same process)
  - Remove user access
- Objective:
  - Preventing (or timely detecting) unauthorized access
Typical User Administration Process
- New / Modifications:
  1. User access / modification request is made
  2. Request is evaluated and approved by the user's manager
  3. IT Administrator sets up access
  4. User is notified of username and password
- Removing:
  1. HR provides list of terminated users
  2. List is distributed to various IT Administrators
  3. IT Administrator removes access
They are people-driven processes
Testing Typical User Administration Controls
- New Users / Modifications
  - Get a system-generated list (population) of change requests
  - Select a sample (usually 20-50 changes or 10-20%, whichever is smaller)
  - Request change forms and review them for evidence of key controls
- Removals
  - Get a list (population) of terminated employees
  - Select a sample (usually 20-50 changes or 10-20%, whichever is smaller)
  - Observe the system and determine if the user accounts are disabled or removed
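The sampling step is the same for the change-management test and for both user-administration tests above, so here is one added example (not from the deck) that covers both: a sample-size rule, a seeded selection that a reviewer can reperform from the workpapers, an evidence check over change records, and the terminated-user test done by comparing the HR list against the system's account list instead of eyeballing it. The 25-item / 10% defaults, the record field names, the 3-day lag tolerance and all populations are assumptions or constructed data.

```python
import math
import random
from datetime import date

def sample_size(population_size, fixed_count=25, fraction=0.10):
    """Smaller of a fixed count and a fraction of the population. The defaults
    (25 items / 10%) are assumed values inside the deck's '20-50 or 10-20%' range."""
    if population_size <= 0:
        return 0
    return max(1, min(fixed_count, math.ceil(population_size * fraction)))

def select_sample(population, key, seed, **size_kwargs):
    """Deterministic selection: sort the population first, then draw with a
    fixed seed. Recording the seed and the population file in the workpapers
    lets a reviewer reperform the exact same selection."""
    ordered = sorted(population, key=lambda r: r[key])
    n = sample_size(len(ordered), **size_kwargs)
    rng = random.Random(seed)
    return sorted(rng.sample(ordered, n), key=lambda r: r[key])

# Key controls from the change-management flow, as fields on a change record
# (assumed field names). Each should name who performed the step.
CHANGE_EVIDENCE = ["approved_for_dev_by", "tested_by",
                   "approved_by_requestor", "moved_to_prod_by"]

def check_change_evidence(change):
    """Return the key controls with no evidence on this change record."""
    return [c for c in CHANGE_EVIDENCE if not change.get(c)]

def review_changes(changes):
    findings = {}
    for c in changes:
        missing = check_change_evidence(c)
        if missing:
            findings[c["id"]] = missing
    return findings

def check_terminations(hr_terms, accounts, max_lag_days=3):
    """Removal test: for each HR termination, is the account disabled, and was
    it disabled promptly? max_lag_days is an assumed tolerance."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in hr_terms:
        acct = by_user.get(t["user"])
        if acct is None:
            continue            # never had an account on this system
        if acct["enabled"]:
            findings.append((t["user"], "still enabled"))
        else:
            lag = (acct["disabled_on"] - t["term_date"]).days
            if lag > max_lag_days:
                findings.append((t["user"], f"disabled {lag} days after termination"))
    return findings

# Constructed populations (not real data).
CHANGES = [{"id": f"CHG-{i:03d}", "approved_for_dev_by": "J. Lee", "tested_by": "QA",
            "approved_by_requestor": "Requestor", "moved_to_prod_by": "Ops"}
           for i in range(1, 41)]
CHANGES[6]["tested_by"] = ""                    # CHG-007: no test evidence
CHANGES[29]["approved_by_requestor"] = None     # CHG-030: requestor never signed off

HR_TERMS = [{"user": "jdoe",   "term_date": date(2012, 8, 15)},
            {"user": "asmith", "term_date": date(2012, 8, 20)},
            {"user": "bwong",  "term_date": date(2012, 8, 31)}]
ACCOUNTS = [{"user": "jdoe",   "enabled": False, "disabled_on": date(2012, 8, 16)},
            {"user": "asmith", "enabled": True,  "disabled_on": None},
            {"user": "bwong",  "enabled": False, "disabled_on": date(2012, 9, 14)},
            {"user": "ckim",   "enabled": True,  "disabled_on": None}]

if __name__ == "__main__":
    sample = select_sample(CHANGES, "id", seed=20120904)
    print("change sample:", [c["id"] for c in sample])
    print("evidence gaps in sample:", review_changes(sample))
    print("termination findings:", check_terminations(HR_TERMS, ACCOUNTS))
```

Two practical notes. First, the population has to be system-generated and complete before any sampling is meaningful; a list typed up by the administrator is inquiry, not examination. Second, for terminations it costs nothing to run the comparison over the whole population rather than a sample, and a still-enabled account for someone who left is exactly the kind of finding the user-access review on the next slide exists to catch.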
Exercise #1
- Complete the testing document
- Conclude on the results
Leading Practice
- User Access Reviews: Regularly re-validating all users' access levels on all systems
- This helps prevent:
  - Excessive levels of access
  - Terminated users still having access
  - Potential process problems
- It's a good catch-all detect control
Authentication
- Authentication - How do we know that you are you? We use a combination of the following:
  - Something you know: Passwords
  - Something you have: ID cards, RSA tokens, etc.
  - Something you are: Fingerprints, Retinal Scans, etc.
- Passwords are the most common form
- Desired password controls:
  - Construction (use of alpha, numbers, and special characters)
    - Example: Esil4&3kc3!
  - Length (six can be okay in some situations; eight is strongly recommended)
  - History
Note: eight characters is the floor in current guidance such as NIST SP 800-63B, which also weights length and screening against known-breached passwords over composition rules.
Testing Password Controls
- They are automated controls
- Use the 'test of one' approach outlined in the first session
  - Check the configuration
  - Try changing the password:
    - With a weak password (hopefully getting an error message)
    - With a strong password
  - Try to log onto the system:
    - Failed login attempt (hopefully getting an error message)
    - Successful login
Revisit Polling Question #3:
- Q: "IT General Controls is all technical stuff...completely out of my realm. I don't understand the technology, and therefore am not qualified to test them"
- A: These processes are people-driven and non-technical. You can test them.
UNDERSTANDING WHEN TO CALL IN 'THE EXPERTS' (WHEN THINGS GET REALLY TECHNICAL)
When To Bring In "The Experts"
(Figure: the access path, as layers a user passes through: PC -> Network -> Application -> Server (Operating System, Database) -> Hardware)
- There are many layers of technology that users pass on the "access path" to financial and operational applications and data.
- There are different risks at each level. These risks need to be evaluated at each layer.
- Our scope, depth, and approach are different for each layer.
When To Bring In "The Experts:" IT Operations
- Main Focus Is On Availability of Systems and Data:
  - Job Scheduling
  - Monitoring
  - Problem/Incident Management
  - Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP)
    - Including Backups & Recovery
  - Antivirus / Anti-Spyware / etc.
When To Bring In "The Experts:" Physical Environment
- Also Focused On Availability Of Systems:
  - Access Controls (usually Card Keys)
  - Air Conditioning
  - Leak Detection
  - Fire Suppression
  - Power Conditioning
  - Uninterruptible Power Supplies (or "UPS," a Battery Backup)
  - Backup Generators
Resources
- Information Systems Audit and Control Association (ISACA):
  - www.isaca.org
  - www.isaca.org/COBIT
  - www.sfisaca.org
- IT Audit Newsgroups:
  - http://groups.google.com/group/it-audit-forum
  - http://finance.groups.yahoo.com/group/ITAuditForum
- Central Indiana Info Systems Audit & Control Newsgroup:
  - https://lists.purdue.edu/mailman/listinfo/cisaca-l
- Audit Programs and Other Useful Audit Resources:
  - www.auditnet.org
  - http://www.auditnet.org/karl.htm
Questions?
Steve Shofner, CISA, CGEIT
Moss Adams LLP
[email protected]
415-677-8263
www.mossadams.com