From The Womb To The Tomb: Managing The Audit Universe
Session #232 - ISACA CACS Conference, April 26, 2005
John Paul Withington - Vice President - Information Systems Audit
Parmanand (Sat) Jagerdeo - Audit Programmer / Analyst Lead
NASD, Rockville, MD

Agenda
- About NASD
- NASD Audit Management Information System (NAMIS) and Automated Workpapers (AutoWPS)
- Annual Risk Assessment and Audit Planning
- Project Scheduling and Tracking (Link to AutoWPS)
- Automated Workpapers (AutoWPS)
- Issue Reporting and Tracking
- Electronic Issue Processing
- Standard Reporting
- Summary
- Questions?
About NASD
- 1929 - Stock market crash; Congress passes the Securities Act of 1933 and the Securities Exchange Act of 1934
- 1939 - NASD founded under the 1938 Maloney Act Amendment to the Securities Exchange Act of 1934
- All registered U.S. broker/dealers are required to be members of NASD and to be regulated by NASD

NASD Mission
NASD's mission is to bring integrity to the markets and confidence to investors. Market integrity and investor confidence are at the core of NASD's purpose and at the heart of our industry's unwritten contract with investors. That's why the duty to be a tough and fair regulator is more than our statutory responsibility. It is the polestar by which we will always navigate.
"But while our mission will never change, our means of pursuing it must never fail to change with the times. NASD is constantly honing its techniques and technology, modernizing its rules and meeting new challenges to remain the world's most effective and innovative provider of market integrity services."
- Robert Glauber, NASD Chairman and CEO

NASD Today
- Largest securities-industry self-regulatory organization in the world
- Membership: 5,200 Member Firms; 96,000 Branch Offices; 659,000 Registered Representatives
- Provides Regulatory Services for: Nasdaq; American Stock Exchange; International Securities Exchange; Chicago Climate Exchange

Key Regulatory Responsibilities
- Regulating the broker/dealer profession
- Testing and qualification of new members
- Examination of member firms
- Enforcement
- Discipline of members
- Preventive compliance and continuing education
- Rulemaking
- Market surveillance

NASD District Offices
Seattle, Boston, New York, San Francisco, Chicago, Cleveland, Philadelphia, Long Island, Denver, Los Angeles, Kansas City, Woodbridge, Dallas, Atlanta, New Orleans
NASD Internal Audit (organization chart)
- Bob Glauber - Chief Executive Officer
- Michael Jones - Chief Administrative Officer
- James Burton - Audit Committee Chairman
- Daniel Shook - Senior Vice President
  - Brazella Robinson - Office Coordinator
  - Sherry Meadors - Administrative Assistant
  - Michael Hourigan - BA Audit Director (6 Staff)
  - Tim Pupo - BA Audit Director (5 Staff)
  - John Withington - IS Audit Director (7 Staff)

NASD Internal Audit
- 2005 budget: $5.47M
- Total staff: 24 (plus 7+ contract FTEs)
  - Professional audit staff: 20
  - Attorney: 1
  - Analyst/Programmer: 1
  - Support staff: 2
- Total audits scheduled in 2004: 51
- Total audits scheduled in 2005: 61
  - Integrated Business Process: 40
  - Information Technology: 16
  - Development Reviews: 5

NAMIS and AutoWPS
- Developed over several years; most enhancements were implemented between 2001 and 2003
- Based on MS Access; NAMIS incorporates Excel, Word, and Outlook
- Visual Basic coding: uses MS Access VBA functionality
- Centrally hosted: this is a client/server application
- Offline read-only usage: currently, only Management can work offline to do analysis
NASD Audit Management Information System (NAMIS)

Annual Risk Assessment and Audit Planning
Define Audit Entities - create an entity and capture:
- Categories (Level 0 and Level 1)
- Location
- Scope Description
- Comments
- Budgeted Hours
- Audit Type
- Contacts
- Links to Laws and Rules, G/L Accounts, Departments Impacted, and Applications
- Links to History (Engagement, Regulatory Oversight, Risk Assessment, Audit Plan Cycle)
Annual Risk Assessment and Audit Planning
[Screenshots of the audit entity definition screens]
Annual Risk Assessment and Audit Planning - Risk Assessment
- Business Risk is inherent in the fact that the enterprise performs the particular business activities in which it engages.
- Performance Risk has to do with how well the enterprise performs the business activities in which it engages and manages the inherent business risk of the business activity.

Annual Risk Assessment and Audit Planning - Risk Factors
Business Area Audits
- Business Risk: Stakeholder Risk; Regulatory / Legal Risk; Financial Risk
- Performance Risk: Results of Prior Internal Audits, IPA Management Letters, or SEC Examinations; Time Since Last Internal Audit (or Development Review) (1); Control Environment
Technology Area Audits
- Business Risk: Mission Criticality; External Visibility and Impact; Complexity, Stability, and Experience with the Technology or Process
- Performance Risk: Results of Prior Internal Audits, IPA Management Letters, or SEC Examinations; Time Since Last Internal Audit (or Development Review) (1); Control Environment
For both audit types:
  Total Business Risk + Total Performance Risk +/- IA (Audit Risk) Adjustment (-4.0 to +4.0) = Total Risk Score
(1) If the prior audit is a development review, discount the Plan Year by 1 year; i.e., a DR in PY-2 would get the same risk score as an audit in PY-3, etc.
Annual Risk Assessment and Audit Planning
[Screenshot of the risk assessment screen]

Annual Risk Assessment and Audit Planning - Four-year Audit Risk-Frequency Planning Cycle
[Chart: Business Risk Score (1.0 to 5.0) plotted against Performance Risk Score (1.0 to 6.0). Total-score bands at 2.8, 3.6, 4.4, 5.2, 6.0, 6.8, 7.6, 8.4 and 9.2 divide the universe into Low Risk, Moderate Risk, Medium Risk, High Risk and Very High Risk, with audit cycles labelled Not in Plan, Discretionary, Quadannual, Tri-annual, Bi-annual and Annual and audit intervals in months shown as (42-48), (36-42), (30-36), (24-30), (18-24) and (12-18). Low-Risk Audits (Risk Score < 4.4) are not in the Plan.]
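The scoring rules from the risk assessment slides, written out as an added Python example (not NAMIS code): the total score is business risk plus performance risk with a bounded IA adjustment, a development review is discounted one plan year, and entities scoring below 4.4 are left out of the plan. How individual factor scores roll up into the two totals, and how "time since last audit" becomes a score, are not on the slides, so the totals are taken as inputs and the sample universe is constructed.

```python
"""Audit-universe risk scoring as described on the NASD slides.
Added example, not NAMIS code; factor roll-up is not on the slides."""
from dataclasses import dataclass

IA_ADJUSTMENT_LIMIT = 4.0   # slide: +/- IA (Audit Risk) Adjustment, -4.0 to +4.0
PLAN_THRESHOLD = 4.4        # slide: Low-Risk Audits (Risk Score < 4.4) not in Plan


@dataclass
class AuditEntity:
    name: str
    total_business_risk: float
    total_performance_risk: float
    ia_adjustment: float = 0.0   # auditor judgement applied after the two totals


def years_since_last_audit(plan_year: int, last_audit_year: int,
                           was_development_review: bool) -> int:
    """Footnote rule: a development review (DR) is discounted one year,
    so a DR in PY-2 is scored like a full audit in PY-3."""
    if last_audit_year > plan_year:
        raise ValueError("last audit cannot be after the plan year")
    years = plan_year - last_audit_year
    return years + 1 if was_development_review else years


def total_risk_score(entity: AuditEntity) -> float:
    """Total Business Risk + Total Performance Risk +/- IA adjustment."""
    if abs(entity.ia_adjustment) > IA_ADJUSTMENT_LIMIT:
        raise ValueError(f"IA adjustment {entity.ia_adjustment} outside "
                         f"+/-{IA_ADJUSTMENT_LIMIT}")
    score = (entity.total_business_risk + entity.total_performance_risk
             + entity.ia_adjustment)
    return round(score, 1)   # the slides work in tenths


def in_plan(score: float) -> bool:
    return score >= PLAN_THRESHOLD


def build_plan(entities):
    """Entities that make the plan, highest risk first, as (name, score)."""
    scored = [(e.name, total_risk_score(e)) for e in entities]
    return sorted((p for p in scored if in_plan(p[1])),
                  key=lambda p: p[1], reverse=True)


# Constructed sample universe; values are illustrative, not NASD data.
SAMPLE_UNIVERSE = [
    AuditEntity("Member Firm Examinations", 4.2, 3.9, 0.5),
    AuditEntity("Market Surveillance Platform", 3.8, 4.4, -1.0),
    AuditEntity("Office Supplies Procurement", 1.6, 2.5, 0.0),
]

if __name__ == "__main__":
    for name, score in build_plan(SAMPLE_UNIVERSE):
        print(f"{score:4.1f}  {name}")
```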
Annual Risk Assessment and Audit Planning
[Screenshots of the risk assessment and audit plan cycle screens]
Project Scheduling and Tracking
- Create a New Project
  - Annual projects from planning are automatically loaded
  - Ability to add new projects during the year
- Schedule and Update Existing Audit Projects
  - Maintain planned dates, project comments, and estimates to complete
  - Project master record and key to project workpapers
- Schedule Projects and Staff for the Year
  - Initial schedule is done based on quarter start dates
  - Dates are tweaked to hit interim goals for fieldwork completion and audit report issuance
  - Projects and staff assignments are load-balanced
- Time Capture (Staff Input and Support Staff Maintenance)
  - Captures time charges for measuring performance and for charge back

Project Scheduling and Tracking
[Screenshots of the project creation, scheduling and time capture screens]
Automated Workpapers (AutoWPS)
- Linkage provided from Audit Schedule Screen
  - Entry point from NAMIS to the individual project database
- Risk and Control Analysis (RCA) Driven (COSO model)
  - Business Objectives, Risk Factors, Control Techniques, Audit Tests
  - Risk Factor Conclusions assist in determining the Business Objective/Process Control Rating
- Hyperlinked Documents
  - All documentation (except hardcopy) is contained in the file folder
- Offline Review Functions
  - Offline WPS Review Synchronization allows users to create offline Review Notes and upload them when they come back online

Automated Workpapers (AutoWPS)
[Screenshots of the AutoWPS workpaper and review screens]
Automated Workpapers (AutoWPS) - Control Ratings Definitions
- Well Controlled: Controls are operating effectively and can be relied on to support the achievement of management's business objectives. Typically, there are no issues rated greater than Level 3, with all Business Objectives rated as Adequately or Well Controlled.
- Adequately Controlled: Controls are generally operating effectively; however, recommended control enhancements would improve the reliability of controls to support achievement of management's business objectives. Typically, all issues are rated Level 2 and 3, with no more than one Business Objective rated Needs Improvement.
- Needs Improvement: Significant control weaknesses exist, reducing the effectiveness and reliability of controls to support the achievement of management's business objectives. Typically, issues are rated Level 1 and 2, with one or more Business Objectives rated as Needs Improvement; OR there are numerous issues rated Level 2 (but no Level 1), with two or more Business Objectives rated as Needs Improvement.
- Unsatisfactory: An effective control structure has not been established and controls do not support the achievement of management's business objectives. Typically, there are one or more Level 1 issues, with significant adverse impact on a major Business Objective, with one or more Business Objectives rated as Unsatisfactory.

Issue Reporting and Tracking
- Input Issues and Management's Responses
  - Issues and responses summarized from the audit report
  - Target Completion Dates for corrective action completion
- Update Follow-up Status of Open Issues
  - Quarterly updates on issue status
  - Automated interface
  - Auditor validation before closing an issue
- View All Audit Issues
  - Ability to view issue status update history
  - Ability to view issues that have closed
- Audit Issue Maintenance
  - Ability to change various issue elements (responsible person, department, etc.)
Issue Reporting and Tracking
[Screenshots of the issue input, follow-up and maintenance screens]
Electronic Issue Processing
- Send Quarterly Open Issues to All Departments
  - Mini-databases of issues e-mailed to each issue owner
  - Audit Customer Input screen for entry of update data
  - Updates are e-mailed to an Internal Audit mailbox and then automatically posted to NAMIS
  - E-mail notification to the appropriate Audit Director
  - Did Not Receive Update Status Report - control reporting for dunning
- Send Ad Hoc Database to Respective Department
  - Provides the ability to refresh/update outside of the normal quarterly cycle

Electronic Issue Processing
[Screenshots of the quarterly issue distribution, customer input and update posting screens, and the Ad Hoc Database screen]
Standard Reporting
- Audit Universe / Annual Planning
- Project Planning / Tracking
- Issues Reporting / Tracking
- Miscellaneous Reports
- Exception Queries
- Charts

Standard Reporting
[Screenshots of the standard reports, exception queries and charts]
Summary
- Managing your audit universe is an integral part of complying with audit standards
- Spreadsheets alone aren't enough to make the process efficient and effective
- Investing in COTS is not always necessary
- Start with the basics and build incrementally
- Clone Sat

Questions?
Thank you for attending this session. Any questions?

For More Information:
John Paul Withington - Vice President - Information Systems Audit - john.withington@nasd.com - 240.386.4936
Parmanand (Sat) Jagerdeo - Audit Programmer / Analyst Lead - parmanand.jagerdeo@nasd.com - 240.386.4944
NASD, Rockville, Maryland

Thank you!