IT Enabled System: Opportunities & Challenges for Assurance Professionals

Acknowledgements: ISACA, ITGI, Wikipedia, The Economist, ICMAB, SCB
March 31, 2011; ICAB (Chartered Accountant Bhaban)
Aniruddha Neogi, FCA, CISA, CGEIT, CRISC

Presentation Layout
- Understanding Key Terms
- Information System used in Business
- Concepts of IT Enabled System Auditing
- IT Enabled System Auditing Techniques
- Auditing in ERP Environment
- How Audit Tools help Auditor
- Knowledge & Skills
- Question and Answer

Definition: Assurance or Audit
- Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
- Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. (Audit criteria are a set of policies, procedures or requirements.)

Definition: IT Enabled System
An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.

IT Enabled System

IT Mandate

Trends in IT Enabled System

Data, data everywhere
- Information has gone from scarce to superabundant
- That brings huge new benefits, but also big challenges
- Data are widely available
- What is crucial is to identify relevant data for analysis based on which opinion can be provided

Changing Face of Finance Functions
[Diagram labels: More Partnering; Fill In; Tax Planning - Outsourced; Outsourcing; Embed in the whole organization; FSS: Financial Shared Services; Centralization]

Key Sectors in Bangladesh
BANK, TELECOM, MNC, RMG, CEMENT, HEALTHCARE, PHARMACEUTICALS, NGO, DEVELOPMENT, INFRASTRUCTURE

Paperless Trade
[Diagram labels: Importer Bank; Original Documents; Importer; Details of export documentation; Payment; LC issued subject to eUCP; Electronic Export Documents; VAN/EDI; Bangladesh; Exporter's Bank; Electronic Documents Created; Singapore; Exporter; Feeds to assist Document creation; 3rd Party Docs e.g. B/L]

Straight 2 Bank Product Suite
- Cash Management (Payments): Payments; TI Available Instructions; Telegraphic Transfer Local and International; Bank Cheque; Book Transfer; Direct Credit; Payroll; Corporate Cheque; Bank to Bank transfer; Advice of Cheque; MT101 (Request for Transfer)
- Trade: Trade Reporting (Adhoc query reports); Trade Banking (LC issuance and amendment)
- Cash Reporting: Ad hoc balance & transaction reports; Drill Down Link Acct balance & Acct Stmt reports; SWIFT Reports for MT940, MT942, MT950, MT900, MT910, Africa, UK and China cash reports
- Cash Management (Collection): Collection Reporting
- ih2h: Payment, Collection

IT Enabled System: Concepts of Auditing
- Structure of the Financial Statement Audit
- Auditing Around the Computer
- Auditing Through the Computer

Structure of the Financial Statement Audit
- Interim Audit: Compliance Testing
- Financial Statement Audit: Substantive Testing

Compliance Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

Substantive Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.
[Illustration: Audit Confirmation. To ABC Co. Customer: Please confirm that the balance of your account on Dec. 31 is.]

Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.

Auditing Through the Computer
The process of evaluating the client's software and hardware to determine the reliability of operations that are hard for the human eye to view, and of reviewing the internal controls in an electronic data processing system.

IT Enabled System: Auditing Techniques/CAATS
- Review of Systems Documentation
- Test Data
- Integrated-Test-Facility (ITF) Approach
- Parallel Simulation
- GAS
- Embedded Audit Routines
- Mapping
- Extended Records and Snapshots

Review of Systems Documentation
- The auditor reviews documentation such as narrative descriptions, flowcharts, and program listings
- In desk checking the auditor processes test or real data through the program logic

Test Data
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

Parallel Simulation
The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client's program. The auditor compares the results of this processing with the results of the processing done by the client's program.

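Added example (not part of the original presentation): a parallel simulation in Python, where the auditor's own interest routine reprocesses the client's real input records and every posted figure that differs is reported. The record layout, the account numbers and the interest rule (simple interest, actual/365, rounded half-up) are assumptions made for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: client input records paired with the interest the
# client's program posted. Field names and the interest rule are assumptions.
CLIENT_RUN = [
    {"account": "A-1001", "balance": "250000.00", "rate_pct": "6.50", "days": 31, "posted": "1380.14"},
    {"account": "A-1002", "balance": "80000.00", "rate_pct": "5.00", "days": 31, "posted": "339.73"},
    {"account": "A-1003", "balance": "1200000.00", "rate_pct": "7.25", "days": 31, "posted": "7491.67"},
    {"account": "A-1004", "balance": "500.00", "rate_pct": "4.00", "days": 31, "posted": "1.69"},
]

CENT = Decimal("0.01")


def simulate_interest(balance, rate_pct, days, basis=365):
    """Auditor's independent model: simple interest, rounded half-up to cents."""
    raw = Decimal(balance) * Decimal(rate_pct) / 100 * days / basis
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_run, tolerance=Decimal("0.00")):
    """Reprocess every client record and return those whose posted result
    differs from the auditor's result by more than the tolerance."""
    exceptions = []
    for rec in client_run:
        expected = simulate_interest(rec["balance"], rec["rate_pct"], rec["days"])
        posted = Decimal(rec["posted"])
        diff = posted - expected
        if abs(diff) > tolerance:
            exceptions.append({"account": rec["account"], "posted": posted,
                               "simulated": expected, "difference": diff})
    return exceptions


def total_difference(exceptions):
    """Net monetary effect of the unexplained differences."""
    return sum((e["difference"] for e in exceptions), Decimal("0.00"))


if __name__ == "__main__":
    for exc in parallel_simulation(CLIENT_RUN):
        print(exc["account"], exc["posted"], exc["simulated"], exc["difference"])
```

In the constructed data, A-1003 matches a 360-day basis rather than 365, and A-1004 is one cent low, consistent with truncation instead of rounding. Both are differences the auditor would take back to the client's program logic.
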
Generalized Audit Software (GAS)
GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. The following functions are supported in GAS:
- File access: enables the reading of different record formats and file structures
- File reorganization: enables indexing, sorting, merging & linking with another file
- Data selection: enables global filtration conditions and selection criteria
- Statistical functions: enables sampling, stratification and frequency analysis
- Arithmetical functions: enables arithmetic operators and functions

Embedded Audit Routines
- In-line Code
  - Application program performs audit data collection while it processes data for normal production purposes
- System Control Audit Review File (SCARF)
  - Edit tests for audit transaction analysis are included in the program
  - Exceptions are written to a file for audit review

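Added example (not part of the original presentation): an embedded audit routine in the SCARF style, in Python. The posting loop does its normal production work and, in-line, runs the auditor's edit tests and writes each exception to a review file. The approval limit, the three edit tests, the field names and the sample transactions are all assumptions made for the illustration.

```python
import io
import json

# Assumed audit criteria, agreed with the auditor and embedded in the program.
APPROVAL_LIMIT = 500_000  # hypothetical single-payment limit
AUDIT_TESTS = {
    "amount_over_limit": lambda t: t["amount"] > APPROVAL_LIMIT,
    "self_approved": lambda t: t["entered_by"] == t["approved_by"],
    "backdated_posting": lambda t: t["value_date"] < t["entry_date"],
}

# Constructed sample transactions (ISO dates compare correctly as strings).
BATCH = [
    {"id": "T1", "account": "4000", "amount": 12_500, "entered_by": "clerk01",
     "approved_by": "mgr01", "entry_date": "2011-03-30", "value_date": "2011-03-30"},
    {"id": "T2", "account": "4000", "amount": 750_000, "entered_by": "clerk02",
     "approved_by": "clerk02", "entry_date": "2011-03-30", "value_date": "2011-03-30"},
    {"id": "T3", "account": "5100", "amount": 9_000, "entered_by": "clerk01",
     "approved_by": "mgr01", "entry_date": "2011-03-30", "value_date": "2011-02-28"},
]


def process_batch(batch, scarf_file):
    """Normal production posting with the audit routine in-line: every
    transaction is posted, and any that trips an edit test is also written
    to the SCARF file as one JSON line."""
    ledger = {}
    for txn in batch:
        ledger[txn["account"]] = ledger.get(txn["account"], 0) + txn["amount"]
        failed = [name for name, test in AUDIT_TESTS.items() if test(txn)]
        if failed:
            scarf_file.write(json.dumps({"txn": txn, "tests_failed": failed}) + "\n")
    return ledger


def read_scarf(scarf_file):
    """Auditor's side: load the exception records for review."""
    scarf_file.seek(0)
    return [json.loads(line) for line in scarf_file if line.strip()]


if __name__ == "__main__":
    scarf = io.StringIO()  # stands in for the audit review file
    print(process_batch(BATCH, scarf))
    for rec in read_scarf(scarf):
        print(rec["txn"]["id"], rec["tests_failed"])
```

The routine records exceptions without blocking the posting, so the control value depends on the review file being protected from the users whose transactions it captures and on someone actually reviewing it.
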
Mapping
- Special software counts the number of times each program statement in a program executes
- Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation

Extended Records and Snapshots
- Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.
- Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

Auditing in ERP Environment

What is ERP?
- An ERP or Enterprise Resource Planning system integrates information and business processes to enable information entered once to be shared throughout the organization.
- ERP had its origins in manufacturing and production planning.
- ERP automates the tasks involved in performing a business process.
- If installed correctly, it can have a tremendous payback.
- Common examples include SAP, PeopleSoft, JD Edwards and Oracle.
[Diagram labels: ERP Project; Needs Assessment; Software Selection; Process Reengineering; Conference Room Pilot; Training; Phased Implementation]

ERP Structure & Controls
[Diagram labels: ERP Authorizations and Security; Technical Infrastructure/General Controls; Database server; Application server; Presentation server; Business Process/Application Controls]

Control Environment
[Diagram labels: Business Performance Reviews; APPLICATION CONTROLS; IT GENERAL CONTROLS; Access to Programs & Data; Computer Operations; Program Change; Program Development]

Control Options
[Diagram labels: Master Data; Authorizations; Detective; Configurable; Reporting; Preventive; Inherent; User Procedures; Corrective]

Impact of ERP on the Audit
An ERP environment creates many issues an auditor must address:
- Can All Accounts be Audited Substantively
- Monitoring Controls on ERP
- Controls Built into ERP (Inherent & Configured)
- The Control Environment Has Changed
- General IT Controls May Not Be Enough
- Business Processes Have Changed

Why Auditing ERP is different
- ERP has great flexibility and breadth of functionality
- Total business solution
- Financial and non-financial business processes
- Highly configurable: validations, overrides and calculations (switches)
- Spans industries: chemical, manufacturing, financial, public sector, automotive

Why Auditing ERP is different
An ERP allows more comprehensive validation and improves balancing controls, BUT:
- Access security further complicated
- Configuration consistency required
- Segregation of duties harder to achieve
- Cut-off risk increases

ERP Audit Risks and Issues
- ERP is process based
  - integrity of transaction based on process as a whole
  - cannot be seen as individual transactions
- Preventative controls paramount
- Programmed procedures based on contents of various system tables
  - changes to ERP elements impact control of business processes
- Loss of physical audit trail - ERP aims to be paperless

ERP Audit Risks and Issues
- Multiple processing platform
  - dependent security on all is crucial
- Direct dependence on IT environment security
  - operating system
  - database
  - application
- Initial system setup
  - best fit with organization structure

ERP Audit Risks and Issues
- Implementation risk
  - standard product but "vanilla" implementations are rare
  - long implementation cycle
  - piecemeal - necessitating interfaces with legacy systems
  - interfaces - reliant on controls in "feeder" system
  - same on line validation rules applicable
- SAP and Oracle already have built-in audit tool

Purchase & Payables: Process (SAP)

The Three-way Match in SAP

How to audit the SAP Three-way Match
Purchase Customizing: Audit Approach
- PO Matching Enforced: Automated Controls
- PO Matching Changeable: Manual Controls; Substantive

3 way match configuration at PO

Process Risk and Financial Statement Impact

What determines whether SAP ensures matching?

How Auditing tools help auditor at different stages of audit

Audit Approach

Planning
A few benefits of using IT tools at the Planning Stage:
- Can define all activities within audit scope
- Easily assign resources against each activity
- Track the progress

Profile Data
Quick look at millions of transactions and view data in a comprehensive and summarized representation

Sampling
An IT tool can generate different types of sample for analysis:
- Systematic
- Random
- Attribute
- Monetary
- Classical Variable

Analysis

Working Paper

Working Paper Review

Sample Report

Benefits of using Audit Tools
CAATs offer the following advantages:
- Reduced level of audit risk
- Greater independence from the audited
- Broader and more consistent audit coverage
- Faster availability of information
- Improved exception identification
- Greater flexibility of run times
- Greater opportunity to quantify internal control weaknesses
- Enhanced sampling
- Cost savings over time

Business Opportunities

IT Enabled System: Knowledge and Skills
When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive.

IT Enabled System: Skill & ISACA Resources
Skill: ISACA Resources
- IS Auditing: ISACA Auditing Standard, ISACA Auditing Guideline, IT Assurance Framework (ITAF), CISA certification
- Risk Assessment: Risk IT, CRISC certification
- IT Governance & Control: IT Governance Framework (ITGF) & CGEIT Certification
- Compliance: Control Objective on Information & Related Technology (COBIT)
- Value Delivery: Value IT (Val IT)
- Information Security: Business Model for Information Security (BMIS)

Questions & Answer
Thank you