Value-added it auditing
0 likes•638 views
The document outlines the concept and significance of value-added IT auditing, detailing various audit types, concerns, procedures, and the importance of IT controls within organizations. It emphasizes the need for relevant, reliable, timely, and sufficient information in audits, and discusses trends towards integrated reporting and the use of technology in audit processes. Additionally, it highlights the evolving demands for comprehensive reporting and independent assessments in today's business environment.
Value-added it auditing
- 1. VALUE-ADDED IT AUDITING MARC VAEL, BRUSSELS, MAY 2015
- 2. AGENDA ▪ What does IT audit mean to you? ▪ Traditional IT audit ▪ Top audit concerns of audit committees ▪ The way towards value-added IT audit ▪ Some predictions ▪ Questions
- 3. WHAT DOES IT AUDIT MEAN TO YOU?
- 4. Yes, you
- 8. TYPES OF INFORMATION FOR AN IT AUDITOR • Relevant information : relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. • Reliable information : accurate, verifiable and from an objective source. • Timely information : produced and used in a timeframe that makes it possible to prevent or detect control deficiencies before they become material to an enterprise. • Sufficient information : when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable. • Suitable information : relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information.
- 9. TRADITIONAL IT AUDIT APPROACH Identification of Safeguards Threat Assessment Asset Identification Vulnerability Assessment Risk Determination Reporting Remediation Planning Proactive processes that turn policies into awareness programs, IT administration, change management and other activities. Technologies needed to provide the appropriate protection and support critical processes. Management strategies for IT and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization. Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.
- 10. TYPICAL IT AUDIT ENGAGEMENTS A. General control examination or facility audit B. Application audit C. System development audit D. Technical or special topic audit
- 11. IT CONTROLS The plan of organization & the methods a business uses to safeguard IT assets, provide accurate & reliable information, promote & improve operational IT efficiency, and encourage adherence to prescribed IT management policies. IT control procedure classifications: 1. Preventive / Detective / Corrective / Deterrent IT controls 2. General & Application IT controls 3. Administrative & Accounting IT controls 4. Input – Processing – Output IT controls
- 12. GENERAL IT OPERATIONS 1. Change Management 2. System Development Life Cycle (SDLC) 3. Problem & Incident management 4. Back-up and data recovery 5. Project Management 6. Continuity Planning (CBCP and DRP)
- 14. INDEPENDENT IT CONTROLS ON PERFORMANCE To ensure that transactions are processed accurately are another important control element. Types of independent IT controls –reconciliation of 2 independently maintained sets of records –comparison of actual quantities with recorded amounts –double-entry accounting (debits = credits) –batch totals
- 15. INDEPENDENT IT CONTROLS ON PERFORMANCE Types of independent IT controls –batch totals: 5 types: 1 Financial total: sum of a euro field. 2 Hash total: sum of a field that would usually not be added. 3 Record count: number of documents processed by the IT system. 4 Line count: number of lines of data entered in the IT system. 5 Cross-footing: compares grand total of all rows with grand total of all columns to check that they are equal in the IT system.
- 16. INDEPENDENT IT CONTROLS ON PERFORMANCE Auditors must understand the following basic IT controls: 1 How transactions are initiated 2 How data are captured in machine-readable form or converted from source documents 3 How computer files are accessed & updated 4 How data are processed to prepare information 5 How information is reported All of these items make it possible to have an IT audit trail. An IT audit trail exists when individual company transactions can be traced end-to-end through the IT system.
- 20. 7
- 23. 7
- 26. 8
- 27. 27
- 29. IT CONTROLS • IT controls continue to increase in importance to organisations • Corporate reliance on IT increases • Compliance requirements increase • IT control deficiencies can have a significant impact on any organisation
- 31. PwC 2014 state of the internal audit profession study
- 32. PwC 2014 state of the internal audit profession study
- 33. PwC 2014 state of the internal audit profession study
- 34. PwC 2014 state of the internal audit profession study
- 37. PwC 2014 state of the internal audit profession study
- 40. IT AUDIT REPORT WRITING PHASES
- 41. TYPES OF IT AUDIT ENGAGEMENTS Review • provide limited assurance about an assertion. • consists primarily of review work (less emphasis on testing). • can be more process oriented, focusing on the appropriateness of the tasks and activities that the audit entity performs and the associated controls. The level of evidence that is gathered is less than in an audit, and testing is generally limited or none is performed. • do not include audit opinions. Conclusions may often be stated negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not true’.
- 42. TYPES OF IT AUDIT ENGAGEMENTS Examination • Systematic process by which a competent, independent person objectively obtains & evaluates evidence regarding assertions about an entity or event, processes, operations or internal controls, for the purpose of forming an opinion & providing a report on the degree to which the assertions conform to an identified set of standards. • Attestation process that provides the highest level of assurance about an assertion that an IT auditor can provide. • Gathering & evaluating sufficient, competent evidence and performing appropriate tests and other procedures to form the opinion about an assertion for presentation in an IT audit report.
- 43. TYPES OF IT AUDIT ENGAGEMENTS Agreed-upon Procedures Engagement Third party & IT auditor agree on specific procedures that will be performed to obtain evidence on which the third party is willing to rely as a basis for a conclusion. Agreed-upon level of evidence may be significantly limited or extensive. The IT auditor may need to obtain a substantial amount of evidence (in some cases, more than that is required for an IT audit). The IT audit report should include a statement that sufficiency of procedures is solely the responsibility of the responsible parties & a disclaimer of responsibility for the sufficiency of those procedures. The report relates only to the elements specified & does not extend beyond them.
- 45. CAATS Computer programs & data that the IT auditor uses as part of audit procedures to process data of significance contained in a computer system
- 46. CAATS USAGE · Calculation checks: e.g. program gives total amount of individual entries in purchases day book in a particular period. Auditor then agree this total amount to the amount posted in purchases ledger control. · Detecting system violation rule: e.g. program checks that no customer has balance above specified credit limit. · Detecting unreasonable items: programs checks that no customer has discount of 50% or sales ledger balance is more than the amount of sales made to that customer. · New calculation & analysis: e.g. statistical analysis of inventory movements to identify slow moving items. · Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances to be used as a basis for a circularization of debtors. · Completeness checks: e.g. checking continuity of sales invoices to ensure they are all accounted for.
- 47. CAATS ADVANTAGES · Test programmed controls: in an IT accounting system, there are large volume of transactions which the auditor will have to audit. The auditor will have to check if the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAAT. · Test on large volume of data: CAAT enable auditors to test large amount of data quickly & accurately and increase the confidence they have in their opinion. · Test on source location of data: CAAT enables auditors to test the accounting systems & its records at its source location rather than testing printouts of what they believe to be a copy of those records. · Cost effective: once set up CAAT are a cost effective way of obtaining audit evidence year after year provided that the client does not change the accounting system. · Comparison: allows results from using CAAT to be compared to traditional testing. Where the two results agree this increase the overall audit confidence.
- 49. 7
- 50. 7
- 51. 7
- 52. 7
- 54. 7
- 55. 37
- 56. ISO15504 6
- 57. PA2.2 Work Product Management PA2.1 Performance Management Level 2 - Managed PA1.1 Process PerformanceLevel 1 - Performed Level 0 - Incomplete PA3.2 Deployment PA3.1 Definition Level 3 - Established PA4.2 Control PA4.1 Measurement Level 4 - Predictable PA5.1 Innovation PA5.2 Optimisation Level 5 - Optimising 1 L / F 2 L / F F F 3 L / F F 4 L / F F F F L / F 5 F F F F L/F = Largely or Fully F= Fully
- 60. PREDICTIONS INTRODUCTION • Users want to be provided with more information about business organisations, rather than less. • Demands for information is driven by business clients, customers, oversight authorities and legislatures: audit plan can change in the middle of the current quarter and sometimes even change on a day-to-day basis • Trend: better, faster and more comprehensive reporting. • Strong interest in independent assessment & reporting of organisational compliance with laws & regulations.
- 63. PREDICTION: INTEGRATED REPORTING Objective of integrated reporting = provide a more detailed picture of the organisation’s efforts to: • Produce and sustain value • Identify and manage risk • Employ and develop human capital • Meet legal requirements • Address corporate and social responsibility Audit reports include more in-depth non-financial reporting. Shift from solely lag indicators (as found in traditional reporting) to lead or forward indicators with increased focus on management & performance capabilities.
- 64. PREDICTION: USE OF TECHNOLOGY IN REPORTING Demand is likely to increase for using technology to present audit results in a manner that quickly enables recipients to focus on the key points of the audit. Auditing standards provide a foundation for the auditing profession to develop and issue professional audit reports. Considerations of increased use of technology in the reporting process must be benchmarked against applicable auditing standards.
- 70. CONTACT DETAILS [email protected] http://www.linkedin.com/in/marcvael @marcvael Marc Vael CISA, CISM, CRISC, CGEIT, ITIL SM, Prince2 F, Guberna Certified Director Chief Audit Executive SMALS vzw Fonsnylaan 20 1060 Brussel +32 473 99 30 31