Integrated Audit pot


Document information

RSM McGladrey, Inc. is a member firm of RSM International – an affiliation of separate and independent legal entities.

Integrated Audit
IT and Finance - Are We Talking the Same Language?
Presented by: Hussain T. Hasan, CISM, CISSP, Managing Director, Technology Risk Management Services (TRMS), Hussain.hasan@rsmi.com

Session Goals
• History and background of IT audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors

History of IT Audits
• First use of a computerized accounting system - 1954 by GE
• Use of computer accounting systems became more prevalent in the mid-60s and early 70s
• AICPA and the “Big 8” formalize EDP auditing with the release of the book “Auditing & EDP” - 1968
• Electronic Data Processing Auditors Association (EDPAA) formed - late 1960s
• First edition of control objectives was published (now known as CoBiT) - 1977
• EDPAA changes name to ISACA (Information Systems Audit and Control Association) - 1994

Major Events Impacting IT Auditing
• Equity Funding Corporation of America fraud (1964-1973)
• AT&T infrastructure failure - 1998
• September 11th terrorist attacks - 2001
• Enron and Arthur Andersen - 2002

Why is IT Auditing a Challenge?
• Unlike the certification of financial statements, there is no “universally accepted principle or standard” for IT audit
• The concept of “compliance to best practice”
• Rapid change in IT is at times too rapid for best practices to fully develop or be recognized as such
• IT audit has become a separate discipline over time

Today’s Business Process Environment
• 24/7 requirement becoming more common
• Focus on early error detection
• More highly automated – reducing reliance on manual controls
• Integrated with complex and highly efficient IT systems
• Electronic workflow with paperless trails
• Increased business partner involvement through direct access to process – the network extends beyond the company

IT Control Framework
(Diagram. Layers: Significant Financial Accounts (Balance Sheet, Income Statement, SCFP, Notes, Other); Business Processes/Classes of Transactions (Process A, Process B; Class A, Class B); Financial Applications (Application A, B, C); Infrastructure Services Platform (Network, Operating System, Database).)
Automated Application Controls: Application Security, Input Controls, Process Controls, Output Controls, Interface Controls
IT General Controls: Change/Development, Security, Computer Operations, IT Governance
Source: Adapted from IT Governance Board, ISACA White Paper “IT Control Objectives for Sarbanes-Oxley”

IT General Controls (ITGC)
• IT general controls are pervasive controls within the IT environment; the effectiveness of all automated application controls across the organization depends on them.
  – Security (access to programs and data)
  – Change / development
  – Computer operations
  – IT governance
• Primary responsibility of the IT team
• Constant interaction with the financial audit team

Automated Application Controls
• Application controls apply to the business processes they support.
• These controls are embedded within the software applications to prevent or detect unauthorized transactions.
• When combined with manual controls, application controls ensure completeness, accuracy, authorization and validity of processing transactions.

Automated Application Controls
• Automated application-based processes that control access, input, output and reporting
• Typically set up in the software implementation phase, and can be modified in the maintenance phase. Depending on the software used, modification may be problematic.
• Degree of need for review partially dependent on software used
• Also called IT controls or programmed controls

Automated Application Controls
• Identify application controls for each business process during walk-throughs
• Types of application controls
  – Application security controls
  – Input controls
  – Processing controls
  – Output controls
  – Interface controls

Link Accounts and Assertions to IT: An Example
• Account balance:
  – Trade A/R, sales
• Classes of transactions:
  – Invoices, sales orders
• Business process:
  – A/R, sales order processes
• Process stages:
  – Initiate, record, process
• Application controls:
  – Access controls
  – Built-in limits for credit approval
• ITGC controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
(Diagram, Sales Sub-Process: Customer order entry, Order Processing, Accounts Receivable; applications: SAP, Oracle, other; customer controls; order & supplier controls; IT infrastructure: networks, system software, databases and information security.)
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.

Link Accounts and Assertions to IT: Mortgage Loans
• Account balance:
  – Mortgage loans, loan fees, servicing fees
• Classes of transactions:
  – Loan disbursement, receipt of payments, loan origination fees
• Business process:
  – Loan origination, payment processing
• Process stages:
  – Initiate, record, process
• Application controls:
  – Access controls
  – Delinquent payment report
  – Interest rate adjustment (ARM)
  – Automatic PMI check
• ITGC controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
(Diagram, Loan Process: Customer loan entry, Loan Prep System, Receipt of Payment; core and other applications; customer controls; order & supplier controls; IT infrastructure: networks, system software, databases and information security.)
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.

Link Accounts and Assertions to IT: Deposits
• Account balance:
  – Transaction based (checking)
  – Non-transaction based (CDs, savings)
• Classes of transactions:
  – New accounts, CDs, interest fee, disbursement, ACH, ATM
• Business process:
  – Cash due from, deposit, proof, wires
• Process stages:
  – Initiate, record, process
• Application controls:
  – Access controls
  – Various edit checks
• ITGC controls:
  – Security (access to programs/data)
  – Change / development
  – Computer operations
  – IT governance
(Diagram, New Account Process: Customer Inquiry, Account Entry System, Receipt of Payment; core and other applications; customer controls; order & supplier controls; IT infrastructure: networks, system software, databases and information security.)
Automated application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
IT general controls cover security access, change management, operations, systems and network support, data retention, etc.

Impact of SOX on IT Audit
• The PCAOB rules are clear - auditors must understand how transactions flow through the system… not around it
(paragraph 47) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include… tracing transactions through the information system relevant to financial reporting”
(paragraph 73) “Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions.”

Impact of SOX on IT Audit – Application Controls
(paragraph 69) “The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and…
• Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
• Identify the points within the process at which a misstatement – including a misstatement due to fraud – related to each relevant financial statement assertion could arise.
• Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.”

Impact of SOX on IT Audit - ITGC
• PCAOB statements applicable to IT general controls:
(paragraph 40) “Determining which controls should be tested… Generally, such controls include… information technology general controls, on which other controls are dependent”
(paragraph 50) “Some controls have a pervasive effect on the achievement of many objectives… for example, information technology general controls over program development, program changes, computer operations, and access to programs and data”

Dispelling the Myth
Automated application controls do not require an IT expert or programmer for identification and testing. Interpreting source code is generally not included in the process.

The Confusion
• Some say that IT auditors should address application controls because a computer/system is involved.
• Some say that financial auditors should address application controls because the processes are related to the business side of the objectives.

The Truth Be Told…
• The task of addressing application controls is a joint team effort between financial auditors and IT auditors.
  – They complement one another
  – Each brings to the table different expertise
[...]

Joint Team Effort
• Financial auditors
  – Business process
  – Segregation of duties
  – Significance of the accounts and processes
• IT auditors
  – Operating platform
  – Database structure
  – Infrastructure

IT GC – High-Impact Areas / Security
IT auditors: SOX focus on applications that impact financials and supporting infrastructure thereof... infrastructure
Financial auditors: Review for propriety of access rights; sufficient segregation of duties; adequate approval of access; adequate notification of changes. Sufficient controls “around the system” that impact application use/entry

IT GC – High-Impact Areas – Change / Development
IT auditors: Procedures are sufficient for proper approval of changes to the production environment
Financial auditors: Evaluate...
...controls before a new system or system changes go into the production environment

IT GC – High-Impact Areas / Operations
IT auditors
  – Focus on basic backup and recoverability of financial data
  – Physical security/computer operations

IT GC – High-Impact Areas / Governance
IT auditors
  – Focus on confirming existence of clear policies, procedures, and communications within IT
  – Clear segregation of...

...for identifying and testing automated application controls reside with the financial audit team
• IT auditors to provide front-end training, as requested, and support in identification, testing and results interpretation as necessary

Automated Application Controls Specific Tasks – Financial Auditors
• Financial auditors
  – Materiality assessment – enterprise level; may include link to applications...
  ...accounts/relevant assertions

Automated Application Controls Specific Tasks – Together
• IT auditors along with financial auditors
  – Map key business cycles to applications
  – Should include application owners at both the business and IT levels

Automated Application Controls Specific Tasks – IT Auditors
• IT auditors
  – Map IT applications to infrastructure
  – Identify system interface(s)
  – Identify...

Automated Application Controls
• Application security controls: controls to ensure that minimum access to applications is allowed for individuals to perform their job
• Financial auditors / IT auditors
  – Password controls
  – Segregation of duties within business process
  – Time of day
  – Access to screens and modules restrictions
  – Cross reference of user access between...
  – Database access...

Automated Application Controls
• (control type heading truncated in the preview)
• IT auditors
  – As needed
• Financial auditors
  – Verification against product code defaults
  – Verification against ceiling/floor values
  – Verification against duplicate entries
  – Sequence checking
  – Verification of secondary approver requirement

Automated Application Controls
• Processing controls: all transactions are processed by the application programs accurately and completely
• IT auditors...
• Financial auditors
  – Transactions processed once
  – Accurately calculated and recorded
  – Internal checks are performed to ensure that transaction data being processed has been edited and validated

Automated Application Controls
• Output controls: all output is complete and is delivered (standard or customized) to the appropriate parties in an appropriate manner
• IT auditors
  – As needed
• Financial auditors...
  ...various reports

Automated Application Controls
• Interface controls: all transactions between multiple systems are secure and the integrity of the information transmitted is maintained
• IT auditors / Financial auditors
  – Interface configuration (mapping)
  – Pre-/post-transmission
  – Security – transmission method verification
  – Security – temporary data holding areas
  – Manual data manipulation

Developing...

...have access to production
• IT controls not integrated into key business processes (e.g. SDLC, change control, compliance, testing and data conversion procedures)
• No long-term strategy/methodology to evaluate and address risks

Summary
• Not a new problem
• Education and awareness
• Joint team effort
  – Audit planning
  – Business process walk-throughs (IT auditors as needed)
  – Key control identification...
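The input-control checks the deck assigns to financial auditors (ceiling/floor values, duplicate entries, sequence checking, secondary approver) are what an auditor re-performs over a transaction batch; the Python below is an added illustration, not the presentation's material, and the Order fields, limits and sample records are constructed assumptions (the product-code-default check is omitted because the page gives no defaults).

```python
"""Re-perform four automated input controls over a constructed order batch."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Order:
    seq: int                       # document number assigned by the application
    customer: str
    amount: float
    approver: Optional[str] = None # secondary approver, required above a threshold

# Constructed control parameters (assumed credit policy, not from the page)
FLOOR = 0.01                  # no zero or negative orders
CEILING = 50_000.00           # hard limit the application should enforce
SECOND_APPROVAL_ABOVE = 10_000.00

def check_input_controls(orders: List[Order]) -> List[str]:
    """Return one exception string per control failure; an empty list means clean."""
    exceptions: List[str] = []
    seen = set()
    expected_seq = None
    for o in sorted(orders, key=lambda x: x.seq):
        # Sequence checking: a gap or repeat in document numbers means lost or re-used input
        if expected_seq is not None and o.seq != expected_seq:
            exceptions.append(f"seq {o.seq}: expected {expected_seq} (gap or repeat)")
        expected_seq = o.seq + 1
        # Ceiling/floor: the value is outside the range the application must enforce
        if not (FLOOR <= o.amount <= CEILING):
            exceptions.append(f"seq {o.seq}: amount {o.amount} outside [{FLOOR}, {CEILING}]")
        # Duplicate entry: same customer and amount keyed twice under different numbers
        key = (o.customer, round(o.amount, 2))
        if key in seen:
            exceptions.append(f"seq {o.seq}: duplicate of earlier order for {key}")
        seen.add(key)
        # Secondary approver: large orders must carry a second approval
        if o.amount > SECOND_APPROVAL_ABOVE and not o.approver:
            exceptions.append(f"seq {o.seq}: {o.amount} requires secondary approver")
    return exceptions

# Constructed sample batch: one clean record plus one failure for each control
SAMPLE = [
    Order(1001, "ACME", 2_500.00),
    Order(1002, "ACME", 2_500.00),            # duplicate entry
    Order(1003, "Globex", 75_000.00, "cfo"),  # above ceiling
    Order(1005, "Initech", 12_000.00),        # gap at 1004; no secondary approver
]

if __name__ == "__main__":
    for line in check_input_controls(SAMPLE):
        print(line)
```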

Posted: 11/03/2014, 02:20
