Đang tải... (xem toàn văn)
MINISTRY OF EDUCATION AND TRAINING HO CHI MINH CITY UNIVERSITY OF BANKING GRADUATION THESIS IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF[.]
MINISTRY OF EDUCATION AND TRAINING HO CHI MINH CITY UNIVERSITY OF BANKING GRADUATION THESIS IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF FINANCIAL STATEMENTS FOR ABC COMPANY NGUYEN HOANG BAO TRAM HO CHI MINH CITY –2023 Tai ngay!!! Ban co the xoa dong chu nay!!! MINISTRY OF EDUCATION AND TRAINING HO CHI MINH CITY UNIVERSITY OF BANKING GRADUATION THESIS IMPLEMENTED INFORMATION TECHNOLOGY GENERAL CONTROL AUDIT PERFORMED BY EY VIETNAM AUDIT FIRM IN THE AUDIT OF FINANCIAL STATEMENTS FOR ABC COMPANY Major: Accounting - Auditing Major code: 7340301 Student name: Nguyen Hoang Bao Tram Student code: 050607190562 Class: HQ7-GE01 Supervisor: Ph.D Tran Thi Thu Thuy HO CHI MINH CITY –2023 i ABSTRACT Due to business’s rapid growth, many companies require a wide range of software, from small-scale to enterprise-class, to match their characteristic business objects ITGC (Information Technology General Control) is commonly referred to as a part of the internal control system of the business, which defines the reliability of the information within the business Therefore, it has a significant importance to financial statement audit This study seeks to evaluate the current state of the ITGC audit process in EY’s financial statement audit process, thereby providing the impact of the ITGC audit results on the financial statement audit and giving recommendations to improve the ITGC audit process for EY audit firm in particular and other auditing firms in general Keywords: ITGC auditing, IT auditing, Financial Audit ii DECLARATION OF AUTHENTICITY This thesis course is the author's research work Therefore, the research results are truthful, in which there is no previously published content except for quotes fully cited in the thesis course I declare that all information contained herein is true, correct, and accurate to the best of my knowledge and belief Ho Chi Minh City, 19th July 2023 Nguyen Hoang Bao Tram iii ACKNOWLEDGEMENTS Firstly, I would like to express my sincerest and most profound thankfulness to Mrs Tran Thi Thu Thuy for her guidance and patience in giving me valuable recommendations during my study period I am happy and fortunate to carry out this study under her supervisor Secondly, I would like to thank the teachers of the Faculty of Accounting and Auditing Department for always accompanying and carrying to give me helpful knowledge and work experiences to have better luggage for the next steps in the future Thirdly, I would also like to express my sincerest thanks to all the brothers and sisters in the Technology Information Risk Assessment (ITRA) team has supported, guided, and provided me with professional knowledge, created opportunities for me to participate in real projects so that I can experience more and directly guided me in the working process to achieve the best results Finally, I would like to express my gratitude to my family for their support during my study and life Without their encouragement and sacrifice, I would not have finished this thesis Warmest regards Nguyen Hoang Bao Tram iv TABLE OF CONTENTS ABSTRACT i DECLARATION OF AUTHENTICITY ii ACKNOWLEDGEMENTS iii LIST OF ACRONYMS vi NOMENCLATURE OF IMAGES ix CHAPTER 1: INTRODUCTION .1 1.1 The significance of research 1.2 The object of research 1.2.1 General objective: 1.2.2 Detailed objective: 1.3 Research questions 1.4 Subject and scope of research 1.4.1 Subject of research 1.4.2 Scopes of research 1.5 Research methodology 1.6 Content of research 1.7 Topic contributions CHAPTER 2: LITERATURE REVIEW 2.1 Literature Review 2.2 Background knowledge of IT Environment and Auditing 10 2.2.1 Components of the Information Technology Environment 10 2.2.2 Relationship between IT and Financial Statements audit 11 2.2.3 Definition of ITGC audit 12 2.2.4 IT Audit Process 13 2.2.5 ITGC audit process in EY 14 CHAPTER 3: IMPLEMENTED ITGC AUDIT PROGRESS AT EY IN ABC COMPANY AND RECOMMENDATION 24 3.1 General Introduction of EY 24 3.1.1 Introduction of EY Global 24 3.1.2 Introduction of Ernst & Young Vietnam (EY Vietnam) 27 v 3.2 Implemented ABC company’s ITGC Audit Progress at EY 29 3.2.1 Planning 29 3.2.2 Execution 31 3.2.3 Reporting 55 3.2.4 Summing up the survey of Auditors on ITGC Audit 56 3.3 Discussion and Recommendation 57 3.3.1 Discussion on ITGC audit process 57 3.3.2 Some recommendations to improve the ITGC audit at EY 58 CHAPTER 4: CONCLUSION 60 4.1 Conclusion 60 4.2 Limitations of the research .60 4.2.1 Limitation 60 4.2.2 Suggest for future study 61 REFERENCES 62 APPENDIX 1: IT AUDIT PROGRESS AT EY 65 APPENDIX 2: ITRA REQUEST FORM (INCLUDING BUDGET) 66 APPENDIX 3: DETAIL TESTING PHASE (BUG CHANGE – MC) 67 APPENDIX 4: DETAIL TESTING PHASE (ENHANCEMENT CHANGE – MC) 68 APPENDIX 5: DETAIL TESTING PHASE (NUS – MA) 69 APPENDIX 6: DETAIL TESTING PHASE (MOD – MA) 73 APPENDIX 7: DETAIL TESTING PHASE (MO) 78 APPENDIX 8: RESEARCH SURVEY QUESTIONS .80 vi LIST OF ACRONYMS Acronym Denotation IT Information Technology ITRA Technology Information Risk Assessment ITGC Information Technology General Control SOX Sarbanes-Oxley Act SDLC Systems Development Life Cycle OS Operating System DB Database TAS Transaction Advisory Service CBS Core Business Services HR Human Resources Department EY Ernst and Young APEA Asia Pacific Enterprise Awards MC Manage Change MA Manage Access MO Manage other IT Operations UAT User Acceptance Testing BA Business Analysis NUS New User Setting Access vii MOD Modify Or Disable Access Right BCP Business Continuity Plan DRP Disaster Recovery Plan BA Business Analyst ECA European Court of Auditors ISACA Information Systems Audit and Control Association UAT User Acceptance Testing viii NOMENCLATURE OF TABLE Table 1: Describe the controls of the change management process 17 Table 2: Describe the controls of the change access process 19 Table 3: Describe the controls of the other IT operation process 22 Table 4: Total population at ABC company 31 Table 5: Evaluate the controls of the change management process at ABC enterprise 39 Table 6: Evaluate the controls of the access management process at ABC enterprise 48 Table 7: Evaluate the controls of the access management process at ABC enterprise 54 Table 8: ITGC process assessment summary results 56 Table 9: Final conclusion on ITGC process 56 69 APPENDIX 5: DETAIL TESTING PHASE (NUS – MA) Image 19: Detail testing phases - MA - NUS testing results (part 1) 70 Image 20: Detail testing phases - MA - NUS testing results (part 2) 71 Image 21: Detail testing phases - MA - NUS testing results (part 3) 72 Image 22: Detail testing phases - MA - NUS controls (Source: ABC company’s IT audit documents at EY’s data warehouse) 73 APPENDIX 6: DETAIL TESTING PHASE (MOD – MA) Resigned user Image 23: Detail testing phases - MA - Resign user testing results (Source: ABC company’s IT audit documents at EY’s data warehouse) 74 Transfer user 75 Image 24: Detail testing phases - MA - Transfer user testing results (part 1) W Q H G F E D C B A Requested for user Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin IT Service request form Approver 28/4/2022 31/3/2022 31/3/2022 31/3/2022 31/3/2022 31/3/2022 24/02/2022 24/02/2022 24/02/2022 24/02/2022 27/1/2022 Approved date Testing # 10 T 11 Granted by Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure x x x x x AD647 (system) AD631 (request) x x x x x x x x x x No Exception Noted Exception Noted No Exception Noted Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted EY Remark x AD226 and AD275 (request) AD679 (system) x Exception Noted Attribute testing/ Testing C x x x No Exception Noted x x AD174 (request) AD681 and AD680 (system) x No Exception Noted B x x x x x x A x 76 Image 25: Detail testing phases - MA - Transfer user testing results (part 2) 23 22 21 20 19 18 17 16 15 14 13 12 K M N V X Z S P O I U Y Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin Executive - Distribution Admin 29/09/2022 29/09/2022 08/09/2022 01/08/2022 20/07/2022 28/04/2022 09/06/2022 31/3/2022 26/5/2022 26/5/2022 26/5/2022 30/04/2022 Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure Assistant Manager - IT, Infrastructure Supervisor - IT, Infrastructure x x x x x x x x x x x x x x x AD098 (request) AD525 (system) X X X x x x x x x x x X X X X x x x x x No Exception Noted No Exception Noted No Exception Noted Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted No Exception Noted 77 Image 26: Detail testing phases - MA - Transfer user testing results (part 3) (Source: ABC company’s IT audit documents at EY’s data warehouse) 78 APPENDIX 7: DETAIL TESTING PHASE (MO) Back up Image 27: Detail testing phases - MO - Back up testing results (Source: ABC company’s IT audit documents at EY’s data warehouse) 79 Restore testing Image 28: Detail testing phases - MO - restore testing results Testing # Item identifier 1/2/2022 1/5/2022 1/8/2022 Performed by Mr G - Manager, IT infrastructure team Mr G - Manager, IT infrastructure team Mr G - Manager, IT infrastructure team Reviewed by Result A Remark Mr D (IT Head) Successfully proceed X No exception noted Mr D (IT Head) Successfully proceed X No exception noted Mr D (IT Head) Successfully proceed X No exception noted Tickmark key: X Attribute satisfied without exception (Source: ABC company’s IT audit documents at EY’s data warehouse) 80 APPENDIX 8: RESEARCH SURVEY QUESTIONS Research Survey Questions Currently, I am a student majoring in Accounting at the Faculty of Accounting Auditing, Banking University of Ho Chi Minh City and am doing my graduation thesis with the topic: “Implemented Information Technology General Control Audit Performed by EY Vietnam Audit Firm in The Audit of Financial Statements for ABC Company” I hope you will spend some of your precious time to help me answer some questions so that I can have a suitable basis for the presentation of the current situation and solutions in the research Thesis Your answers are for research purposes only, so all personal information is kept confidential Please tick the answer that best fits your opinion on each of the issues listed below Part 1: General Information - Name (Optional):………………………………………………………… - Gender:…………………………………………………………………… - Age:……………………………………………………………………… What position are you currently working in EY Vietnam? o Manager o Senior o Staff o Other:………………………………………………………………… How long have you been working in EY? o Below years o – years o – 10 years o Over 10 years Part 2: The following are questions related about IT audit, ITGC audit and its affect on 81 Image 29: Survey questions Questions Quantity Strongly Agree Agree Fully and 75% 100% 100% 100% effectively planned IT Audit Have sufficient resources and timeframes meet to IT Audit goals and scope The auditor understands and follow EY policies about the evaluation process and the purpose of the IT audit IT Audit team members established audit findings based on sufficient appropriate evidence and Neutral Disagree Strongly Disagree 25% 82 In stage, planning 14 100% 14 100% 14 78.5% auditors will more focus to internal control system of new client than old one The results of ineffective ITGC will lead to IT audit ineffective, which will greatly affect the progress of the financial statements audit if planning stage is mistaken In planning stage, in order to save auditors using cost, always auditee’s audit documents results from previous years to analyze decide and on the 21.5% 83 amount of audit work to be performed The IT audit team and financial audit team communicated information timely without mistake in manner any 14 50% 21.4% 14.3% 14.3%