
Aniruddha Neogi, FCA, CISA, CGEIT, CRISC

IT Enabled System: Opportunities & Challenges for Assurance Professionals. Acknowledgements: ISACA, ITGI, Wikipedia, The Economist, ICMAB, SCB. March 31, 2011; ICAB (Chartered Accountant Bhaban). Aniruddha Neogi, FCA, CISA, CGEIT, CRISC.


Presentation Transcript


  1. IT Enabled System: Opportunities & Challenges for Assurance Professionals • Acknowledgements: • ISACA • ITGI • Wikipedia • The Economist • ICMAB • SCB. March 31, 2011; ICAB (Chartered Accountant Bhaban). Aniruddha Neogi, FCA, CISA, CGEIT, CRISC

  2. Presentation Layout • Understanding Key Terms • Trends in Business and IT • IT Enabled System: Basic Concepts of Auditing • Challenges: Adapting IT Auditing Techniques • Challenges: Auditing in ERP Environment • Opportunity: How Audit Tools help Auditor • Opportunity: ISACA Resources and Business Growth • Shared Learning

  3. ‘Assurance or Audit’ ‘Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards’ ‘Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’. (Audit criteria are a set of policies, procedures or requirements.)

  4. ‘IT Enabled System’ An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.

  5. Trends in Business: Globalization & Competition (Impact on Business in General | Impact on the Finance Function) • Increased pace of change | Greater volatility: “real-time” information is a necessity • Increased importance in strategy | Greater importance of finance in strategic decisions • Concentration of Core Competencies | Need for financial evaluation of strategic alliance • Increased complexity of business risk | Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.

  6. Trends in Business: Other Drivers (Drivers | Impact on the Finance Function) • New Organization Structure and Requirements | Fewer Management Levels; Flatter Organizations • Emergence of Information Economy; Focus on “Real Time”, accurate data | Greater involvement in trend analysis, data interpretation, value-added services • Increasingly important role of Computers/IT in the Business Processes | Automation, centralization of accounting & transaction processing; more scope for outsourcing

  7. Changing Face of Finance Functions

  8. Changing Face of Information Technology (IT)

  9. Global Paperless Trade [diagram: Exporter, Importer, Exporter’s Bank and Importer Bank; original documents and details of export documentation; electronic export documents created and exchanged via VAN/EDI; 3rd party docs, e.g. B/L; feeds to assist document creation; payment; LC issued subject to eUCP; locations: Scotland, Bangladesh, Singapore]

  10. Straight 2 Bank Product Suite

  11. Data, data everywhere…. • Information has gone from scarce to superabundant • That brings huge new benefits, but also big challenges • Data are widely available • What is crucial is to identify relevant data for analysis based on which opinion can be provided

  12. IT Enabled System: Basic Concepts of Auditing • Audit of Financial Statement: Basic Structure • Auditing Around the Computer • Auditing Through the Computer

  13. Audit of Financial Statement: Basic Structure [diagram: Interim Audit, Compliance Testing; Financial Statement Audit, Substantive Testing]

  14. Compliance Testing Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned.

  15. Substantive Testing • Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable. • Audit Confirmation: To ABC Co. Customer: Please confirm that the balance of your account on Dec. 31 is _____ .

  16. Auditing Around the Computer The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing. Audit around the computer only when: (a) the audit trail is complete (b) processing operations are straightforward (c) systems documentation is complete and readily available

  17. Auditing Through the Computer The process of evaluating the client’s software and hardware to determine the reliability of operations that are hard for the human eye to view, and of reviewing the internal controls in an IT enabled system. Audit through the computer with: (i) audit test data (ii) parallel simulation (iii) integrated test facility

  18. Challenges: Adapting IT Auditing Techniques • Basic Knowledge and Skills • Auditing Techniques

  19. Knowledge and Skills When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive.

  20. Auditing Techniques/CAATs • Review of Systems Documentation • Test Data and Integrated-Test-Facility (ITF) • Parallel Simulation • GAS • Embedded Audit Routines • Mapping • Extended Records and Snapshots

  21. Review of Systems Documentation • Review of documentation such as narrative descriptions, flowcharts, and program listings • In desk checking the auditor processes test or real data through the program logic • Interviewing IT Staff

  22. Test Data and ITF The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.

  23. Parallel Simulation The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.

  24. Generalized Audit Software (GAS) • GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. The following functions are supported in GAS: • File access: enables reading of different record formats and file structures • File reorganization: enables indexing, sorting, merging & linking with another file • Data selection: enables global filtration conditions and selection criteria • Statistical functions: enables sampling, stratification and frequency analysis • Arithmetical functions: enables arithmetic operators and functions

  25. Embedded Audit Routines • In-line Code: the application program performs audit data collection while it processes data for normal production purposes • System Control Audit Review File (SCARF): • Edit tests for audit transaction analysis are included in the program • Exceptions are written to a file for audit review

  26. Mapping • Special software counts the number of times each program statement in a program executes • Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation

  27. Extended Records and Snapshots Extended Records: Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions. Snapshot: A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

  28. Key Sectors in Bangladesh TELECOM BANK MNC RMG CEMENT HEALTHCARE PHARMACEUTICALS NGO DEVELOPMENT INFRASTRUCTURE

  29. Challenges: Auditing in ERP Environment • ERP Structure and Control Environment • Impact of ERP on the Audit • Audit Risks and Issues • Audit of Purchase and Payable Process in SAP

  30. Enterprise Resource Planning (ERP) System • Integrates information and business processes to enable information entered once to be shared throughout the organization • ERP had its origins in manufacturing and production planning • ERP automates the tasks involved in performing a business process. If installed correctly, it can have a tremendous payback • Common examples include SAP, PeopleSoft, JD Edwards, Navision and Oracle. [diagram: ERP Project: Needs Assessment; Phased Implementation; Software Selection; Process Reengineering; Training; Conference Room Pilot]

  31. ERP Structure [diagram: ERP Authorizations and Security; Technical Infrastructure / General Controls; Database server; Application server; Presentation server; Business Process / Application Controls]

  32. ERP Control Environment • Business Performance Reviews • APPLICATION CONTROLS: Input controls; Output controls; Processing controls; Controls of Master File • GENERAL CONTROLS: Access to Equipment, Programs & Data; Hardware Controls; Controls related to Segregation of Duties; Application Development & Maintenance Controls • Application controls must be evaluated specifically for every audit area • Evaluate the effectiveness of general controls before evaluating application controls

  33. Impact of ERP on the Audit An ERP environment creates many issues an auditor must address: • Can All Accounts be Audited Substantively • Monitoring Controls on ERP • Controls Built into ERP (Inherent & Configured) • The Control Environment Has Changed • Business Processes Have Changed • General IT Controls May Not Be Enough

  34. ERP Audit Risks and Issues ERP allows more comprehensive validation and improves balancing controls, BUT: • Access security further complicated • Mix of Financial and non-financial business processes • Highly Configurable • Configuration consistency required • Segregation of duties harder to achieve • Cut-off risk increases

  35. ERP Audit Risks and Issues • ERP is process based • integrity of transaction based on process as a whole • cannot be seen as individual transactions • Preventative controls paramount • Programmed procedures • based on contents of various system tables • changes to ERP elements impact control of business processes • Loss of physical audit trail - ERP aims to be paperless

  36. ERP Audit Risks and Issues • Multiple processing platform dependent • security on all is crucial • Direct dependence on IT environment security • operating system • database • application • Initial system setup • best fit with organization structure

  37. Purchase and Payables: Process (SAP) AP - Accounts Payable; MM - Material Master; GR - Goods Receipts; IV - Invoice Receipts; FI - Final Invoice; GL - General Ledger; PO - Purchase Order; MIRO, MIGO and ME21N - Typical SAP Table Name (Master Table)

  38. Process Risk and Financial Statement Impact

  39. The ‘Three-way Match’ in SAP

  40. How to audit the SAP Three-way Match • Audit Approach Customizing Purchase Matching Enforced PO Automated Controls PO Matching Changeable Manual Controls Substantive

  41. Opportunity: How Audit Tools help Auditor • Planning and Data Profiling • Sampling and Analysis • Audit Working Paper • Review of Audit Working Paper • Advantages of CAATs

  42. Audit Approach

  43. Planning and Profile Data • Benefits of using IT tools at Planning Stage: • Can define all activities within audit scope • Easily assign resources against each activity • Track the progress • Quick look at millions of transactions and view data in a comprehensive and summarized representation

  44. Sampling • IT tools can generate different types of sample for analysis: • Systematic • Random • Attribute • Momentary • Classical Variable

  45. Analysis

  46. Working Paper

  47. Working Paper Review

  48. Sample Report

  49. Advantages of CAATs • Reduced level of audit risk • Greater independence from the auditee • Broader and more consistent audit coverage • Faster availability of information • Improved exception identification • Greater flexibility of run times • Greater opportunity to quantify internal control weaknesses • Enhanced sampling • Cost savings over time

  50. Opportunity: ISACA Resources
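
Parallel simulation as described in slide 23, as an added example that is not part of the original presentation: the auditor's own program recomputes invoice net amounts from the client's input and compares them with what the client's program reported. The pricing rule (2% discount at 100 units or more), the record layout and all sample data are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed documented rule: 2% discount when quantity >= 100, rounded to cents.
DISCOUNT_QTY, DISCOUNT_RATE, CENT = 100, Decimal("0.02"), Decimal("0.01")

# Constructed sample: real client input as extracted by the auditor.
CLIENT_INPUT = [
    {"invoice": "INV-001", "qty": 10, "unit_price": "25.00"},
    {"invoice": "INV-002", "qty": 120, "unit_price": "9.99"},
    {"invoice": "INV-003", "qty": 99, "unit_price": "40.00"},
    {"invoice": "INV-004", "qty": 100, "unit_price": "3.335"},
]
# Constructed sample: amounts the client's program reported for the same run.
CLIENT_OUTPUT = {
    "INV-001": "250.00",
    "INV-002": "1174.82",
    "INV-003": "3880.80",  # discount applied below the threshold
    "INV-999": "12.00",    # output with no source record (INV-004 is absent)
}

def audit_net_amount(rec):
    """Auditor's independent implementation of the documented pricing rule."""
    gross = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
    if rec["qty"] >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(inputs, client_output):
    """Return (invoice, finding, audit_amount, client_amount) per exception."""
    exceptions, seen = [], set()
    for rec in inputs:
        key = rec["invoice"]
        seen.add(key)
        expected = audit_net_amount(rec)
        reported = client_output.get(key)
        if reported is None:
            exceptions.append((key, "missing from client output", expected, None))
        elif Decimal(reported) != expected:
            exceptions.append((key, "amount differs", expected, Decimal(reported)))
    # Completeness in the other direction: output that no input record supports.
    for key in sorted(set(client_output) - seen):
        exceptions.append((key, "no matching input record", None, Decimal(client_output[key])))
    return exceptions

if __name__ == "__main__":
    for exc in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(exc)
```

Matching records produce no finding; only the three exceptions are left for the auditor to follow up.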
