Aniruddha Neogi, FCA, CISA, CGEIT, CRISC
IT Enabled System: Opportunities & Challenges for Assurance Professionals
Acknowledgements: ISACA, ITGI, Wikipedia, The Economist, ICMAB, SCB
March 31, 2011; ICAB (Chartered Accountant Bhaban)
Presentation Layout
Understanding Key Terms
Trends in Business and IT
IT Enabled System: Basic Concepts of Auditing
Challenges: Adapting IT Auditing Techniques
Challenges: Auditing in ERP Environment
Opportunity: How Audit Tools help Auditor
Opportunity: ISACA Resources and Business Growth
Shared Learning
‘Assurance or Audit’
‘Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’. (Audit criteria are a set of policies, procedures or requirements.)
‘Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards’
‘IT Enabled System’
An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.
Impact on Business in General
Trends in Business: Globalization & Competition
Impact on the Finance Function
Increased pace of change
Increased importance in strategy
Concentration of Core Competencies
Increased complexity of business risk
Greater volatility: “real-time” information is a necessity
Greater importance of finance in strategic decisions
Need for financial evaluation of strategic alliance
Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.
Drivers
Trends in Business: Other Drivers
Impact on the Finance Function
New Organization Structure and Requirements
Emergence of Information Economy; Focus on “Real Time”, accurate data
Increasingly important role of Computers/IT in the Business Processes
Fewer Management Levels; Flatter Organizations
Greater involvement in trend analysis, data interpretation, value-added services
Automation, centralization of accounting & transaction processing; more scope for outsourcing
Changing Face of Finance Functions
Changing Face of Information Technology (IT)
[Diagram: Global Paperless Trade between Singapore and Bangladesh over VAN/EDI. Labels: Exporter; Exporter’s Bank; Importer; Importer Bank; details of export documentation; original documents; feeds to assist document creation; electronic documents created; 3rd party docs, e.g. B/L; electronic export documents; payment; LC issued subject to eUCP.]
Straight 2 Bank Product Suite
Cash Management (Payments)
Payments TI. Available Instructions: Telegraphic Transfer, Local and International Bank Cheque, Book Transfer, Direct Credit, Payroll, Corporate Cheque, Bank to Bank transfer, Advice of Cheque, MT101 (Request for Transfer)
Trade: Trade Reporting (ad hoc query reports); Trade Banking (LC issuance and amendment)
Cash Reporting: ad hoc balance and transaction reports; drill-down link between account balance and account statement reports; SWIFT reports for MT940, MT942, MT950, MT900, MT910; Africa, UK and China cash reports
Cash Management (Collection): Collection Reporting
iH2H: Payment, Collection
Data, data everywhere…
Information has gone from scarce to superabundant
That brings huge new benefits, but also big challenges
Data are widely available
What is crucial is to identify the relevant data for analysis, on the basis of which an opinion can be provided
Audit of Financial Statement: Basic Structure
Auditing Around the Computer
Auditing Through the Computer
IT Enabled System: Basic Concepts of Auditing
Audit of Financial Statement: Basic Structure
Interim Audit
Compliance Testing
Financial Statement Audit
Substantive Testing
Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned.
Compliance Testing
Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.
Substantive Testing
Audit Confirmation
To ABC Co. Customer:
Please confirm that the balance of your account on Dec. 31 is _____ .
The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.
Auditing Around the Computer
Audit around the computer only when:
(a) the audit trail is complete
(b) processing operations are straightforward
(c) systems documentation is complete and readily available
The process of evaluating the client’s software and hardware to determine the reliability of operations that are hard for the human eye to view, and of reviewing the internal controls in an IT enabled system.
Auditing Through the Computer
Audit through the computer with:
(i) audit test data
(ii) parallel simulation
(iii) integrated test facility
Basic Knowledge and Skills
Auditing Techniques
Challenges: Adapting IT Auditing Techniques
Knowledge and Skills
When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive.
Review of Systems Documentation
Test Data and Integrated-Test-Facility (ITF)
Parallel Simulation
GAS
Embedded Audit Routines
Mapping
Extended Records and Snapshots
Auditing Techniques/CAATs
Review of documentation such as narrative descriptions, flowcharts, and program listings
In desk checking, the auditor processes test or real data through the program logic
Interviewing IT Staff
Review of Systems Documentation
Test Data and ITF
The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.
Parallel Simulation
The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.
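Parallel simulation as described above, shown as an added example that is not part of the original presentation: the auditor re-processes the client's real input with an independent program and lists every disagreement with the client's output. The pricing rule, field names and sample records are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed business rule (hypothetical): 5% discount on lines of 100 units
# or more, then 15% VAT, rounded half-up to 2 decimals.
DISCOUNT_QTY, DISCOUNT, VAT = 100, Decimal("0.05"), Decimal("0.15")
CENT = Decimal("0.01")

# Constructed sample: input records extracted from the client system.
CLIENT_INPUT = [
    {"invoice": "INV-001", "qty": 10, "unit_price": "25.00"},
    {"invoice": "INV-002", "qty": 120, "unit_price": "8.50"},
    {"invoice": "INV-003", "qty": 100, "unit_price": "3.33"},
    {"invoice": "INV-004", "qty": 5, "unit_price": "199.99"},
]
# Constructed sample: totals the client's program produced for the same run.
CLIENT_OUTPUT = {
    "INV-001": "287.50",
    "INV-002": "1114.35",
    "INV-003": "382.95",  # client program skipped the discount at exactly 100
    "INV-005": "50.00",   # output with no matching input record
}

def audit_total(rec):
    """Auditor's independent re-implementation of the pricing rule."""
    net = Decimal(rec["qty"]) * Decimal(rec["unit_price"])
    if rec["qty"] >= DISCOUNT_QTY:
        net -= net * DISCOUNT
    return (net * (1 + VAT)).quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(inputs, client_output):
    """Return (invoice, finding, auditor_value, client_value) exceptions."""
    exceptions, seen = [], set()
    for rec in inputs:
        inv = rec["invoice"]
        seen.add(inv)
        expected = audit_total(rec)
        if inv not in client_output:
            exceptions.append((inv, "missing from client output", expected, None))
        elif Decimal(client_output[inv]) != expected:
            exceptions.append((inv, "amount differs", expected, Decimal(client_output[inv])))
    # Client output that no input record explains is also an exception.
    for inv in sorted(set(client_output) - seen):
        exceptions.append((inv, "no input record", None, Decimal(client_output[inv])))
    return exceptions

if __name__ == "__main__":
    for row in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(row)
```

Comparing in both directions matters: a difference in amount points at program logic, while unmatched records on either side point at completeness of processing.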
Generalized Audit Software (GAS)
GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. The following functions are supported in GAS:
File access: enables reading of different record formats and file structures
File reorganization: enables indexing, sorting, merging & linking with another file
Data selection: enables global filtration conditions and selection criteria
Statistical functions: enables sampling, stratification and frequency analysis
Arithmetical functions: enables arithmetic operators and functions
In-line Code: the application program performs audit data collection while it processes data for normal production purposes
System Control Audit Review File (SCARF):
Edit tests for audit transaction analysis are included in program
Exceptions are written to a file for audit review
Embedded Audit Routines
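A SCARF-style embedded audit routine, shown as an added example that is not part of the original presentation: the production posting loop runs auditor-defined edit tests on each transaction and writes exceptions to a separate audit review file. The test names, thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
import io
import json

# Auditor-defined edit tests embedded in the application. Names and
# thresholds are hypothetical, chosen for this illustration.
AUDIT_TESTS = {
    "large_amount": lambda t: t["amount"] >= 500_000,
    "self_approved": lambda t: t["entered_by"] == t["approved_by"],
    "posted_to_suspense": lambda t: t["account"].startswith("9999"),
}

# Constructed sample transactions (not real data).
SAMPLE = [
    {"id": "T1", "account": "2100", "amount": 12_000,
     "entered_by": "rahim", "approved_by": "karim"},
    {"id": "T2", "account": "2100", "amount": 750_000,
     "entered_by": "rahim", "approved_by": "karim"},
    {"id": "T3", "account": "9999-01", "amount": 3_000,
     "entered_by": "salma", "approved_by": "salma"},
    {"id": "T4", "account": "3100", "amount": 500_000,
     "entered_by": "karim", "approved_by": "karim"},
]

def post_payments(transactions, ledger, scarf_file):
    """Normal production posting with the audit routine running in-line."""
    for txn in transactions:
        # Production step: post the amount to the ledger account.
        ledger[txn["account"]] = ledger.get(txn["account"], 0) + txn["amount"]
        # Audit step: run every edit test; processing is never blocked.
        hits = [name for name, test in AUDIT_TESTS.items() if test(txn)]
        if hits:
            record = {"txn_id": txn["id"], "tests": hits}
            scarf_file.write(json.dumps(record) + "\n")
    return ledger

def read_scarf(scarf_file):
    """Auditor's side: load the exception records for review."""
    scarf_file.seek(0)
    return [json.loads(line) for line in scarf_file if line.strip()]

def run_sample():
    scarf = io.StringIO()  # stands in for the audit review file
    ledger = post_payments(SAMPLE, {}, scarf)
    return ledger, read_scarf(scarf)

if __name__ == "__main__":
    print(run_sample())
```

In a real deployment the review file would be writable only by the application and readable only by audit, so that the people whose transactions are flagged cannot alter it.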
Special software counts the number of times each program statement in a program executes
Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation
Mapping
Extended Records and Snapshots
Extended Records:
Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.
Snapshot:
A snapshot is similar to an extended record except that the snapshot is a printed audit trail.
Key Sectors in Bangladesh
CEMENT
RMG
INFRASTRUCTURE
BANK
NGO
DEVELOPMENT
TELECOM
HEALTHCARE
MNC
PHARMACEUTICALS
ERP Structure and Control Environment
Impact of ERP on the Audit
Audit Risks and Issues
Audit of Purchase and Payable Process in SAP
Challenges: Auditing in ERP Environment
Enterprise Resource Planning (ERP) System
Integrates information and business processes to enable information entered once to be shared throughout the organization
ERP had its origins in manufacturing and production planning
ERP automates the tasks involved in performing a business process. If installed correctly, it can have a tremendous payback
Common examples include SAP, PeopleSoft, JD Edwards, Navision and Oracle.
ERP Project:
Needs Assessment
Software Selection
Process Reengineering
Conference Room Pilot
Training
Phased Implementation
Database server
Application server
Presentation server
Business Process / Application Controls
Technical Infrastructure / General Controls
ERP Structure
ERP Authorizations and Security
Business Performance Reviews
GENERAL CONTROLS
Controls related to Segregation of Duties
Application Development & Maintenance Controls
Access to Equipment, Programs & Data
Hardware Controls
APPLICATION CONTROLS
ERP Control Environment
Output controls
Input controls
Processing controls
Controls of Master File
Application controls must be evaluated specifically for every audit area
Evaluate the effectiveness of general controls before evaluating application controls
Impact of ERP on the Audit
An ERP environment creates many issues an auditor must address:
The Control Environment Has Changed
Business Processes Have Changed
General IT Controls May Not Be Enough
Can All Accounts be Audited Substantively
Monitoring Controls on ERP
Controls Built into ERP (Inherent & Configured)
ERP Audit Risks and Issues
ERP allows more comprehensive validation and improves balancing controls, BUT:
Access security further complicated
Mix of Financial and non-financial business processes
Highly Configurable
Configuration consistency required
Segregation of duties harder to achieve
Cut-off risk increases
ERP Audit Risks and Issues
ERP is process based
integrity of transaction based on process as a whole
cannot be seen as individual transactions
Preventative controls paramount
Programmed procedures
based on contents of various system tables
changes to ERP elements impact control of business processes
Loss of physical audit trail - ERP aims to be paperless
ERP Audit Risks and Issues
Multiple processing platform dependent
security on all is crucial
Direct dependence on IT environment security
operating system
database
application
Initial system setup
best fit with organization structure
Purchase and Payables: Process (SAP)
AP - Accounts Payable; MM - Material Master; GR - Goods Receipts; IV - Invoice Receipts; FI - Final Invoice; GL - General Ledger; PO - Purchase Order; MIRO, MIGO and ME21N - Typical SAP Table Name (Master Table)
Process Risk and Financial Statement Impact
The ‘Three-way Match’ in SAP
How to audit the SAP Three-way Match
[Diagram labels: Purchase; Audit Approach; Customizing; PO; Matching Enforced; Matching Changeable; Automated Controls; Manual Controls; Substantive]
Planning and Data Profiling
Sampling and Analysis
Audit Working Paper
Review of Audit Working Paper
Advantages of CAATs
Opportunity: How Audit Tools help Auditor
Audit Approach
Planning and Profile Data
Benefits of using IT tools at Planning Stage:
Can define all activities within audit scope
Easily assign resources against each activity
Track the progress
Quick look at millions of transactions and view data in a comprehensive and summarized representation
Sampling
An IT tool can generate different types of sample for analysis:
Systematic
Random
Attribute
Momentary
Classical Variable
Analysis
Working Paper
Working Paper Review
Sample Report
Reduced level of audit risk
Greater independence from the auditee
Broader and more consistent audit coverage
Faster availability of information
Improved exception identification
Greater flexibility of run times
Greater opportunity to quantify internal control weaknesses
Enhanced sampling
Cost savings over time
Advantages of CAATs
Area: ISACA Resources
IS Auditing: ISACA Auditing Standard, ISACA Auditing Guideline, IT Assurance Framework (ITAF), CISA certification
Risk Assessment: Risk IT, CRISC certification
IT Governance & Control: IT Governance Framework (ITGF) & CGEIT Certification
Compliance: Control Objective on Information & Related Technology (COBIT)
Value Delivery: Value IT (Val IT)
Information Security: Business Model for Information Security (BMIS)
Opportunity: ISACA Resources
Opportunity: Business Growth
Shared Learning
Thank you