Integrated Audit Approach An Overview

1 Integrated Audit Approach An Overview
Monique Garsoux, Dexia Qualified Audit Partners RTM 22/01/2005

2 Presentation Outline
- The Need for Enterprises
- What is Integrated Auditing
- The Integrated Audit process
- Audit methodology
- Best practices

Where are My Business Risks?
What is the Business problem?
Where is the integrated audit approach (IAA)? An example
[Diagrams. Labels: Logical security, DB2, Client Accounts, Manage Problems & Incidents, Networks, Cards, Compliance, Operational risk, Basle II, Banksys, Banks, Bank Statements, Batch, Account, Orders Management, Client Orders DB, Accounting, Branches, Interest calculations, Asynchrone, Synchrone, Dialog, Appl, CRI, CRE, Reconciliation, Operations, Security, Oracle, Accounting Application, Problem management, Network, Cics, MQM, Compliance, Integrated Audit]

6 What is Integrated Auditing
- Combines elements of three traditional audit types: Information technology (IT), operational and financial.
- Provides a broader Audit scope in which to render an opinion on the adequacy and effectiveness of a system of internal control to mitigate global business risks: One report

7 Benefits of IAA
- Eliminates redundant or narrow view audits, duplicated work, missed opportunities for contribution, risk of false assurance
- Creates a broad based Audit.


- Examines global process risks.
- Provides Executives with a coherent view
- Once adopted, subsequent audits become highly efficient, focusing risks
- Combines what people do with what the computer does (or the contrary)

8 Effects of Technology
- Technology makes certain traditional audit procedures invalid and/or of limited value
- Transaction processing becomes automatic & invisible with reduced oversight due to less manual intervention
- New products / services / competition

9 Elements of IAA
Examines the combined manual procedures that people use with invisible procedures that computers perform in the following steps impacts on:
- Planning.
- Evaluation.
- Testing.
- Reporting.

of traditional Approach on the Audit Process
- Uncoordinated Audit plans
- Separate audits
- Parallel audits; two or more distinct audits
- Concurrent audits; risk analysis initiatives, process reengineering, performed around the same timeframe

11 Results of Auditor's Response
- Specialization & Silo Auditing
- Staff segregation between IT and Financial-Operational
- The wall erected within audit departments

12 IAA Audit Planning
IAA critical success factor:
- For each critical Potential Process, identify the IT system that supports the activities.

- For each business activity (main business functions), identify critical system, interfaces, key manual procedures, especially reconciliations, and General Ledger impact.
- Coordinate efforts

13 IAA Planning
IAA pitfall to avoid:
- Not identifying IT components.
- Not involving/confirming with Potential Audit Client management.
- Not identifying manual workarounds; processes that take place outside of the normal process flow.
- Not taking enough time to

Planning
IAA planning should also identify for each Potential Audit Client (Processes) and related IT system:
- Master Files.
- System connectivity.
- Sensitive/confidential data.
- Information output; reports, computer generated transactions, and computer-to-computer

Planning
- Based on criticality ranking, select audit missions
- Result is coordinated audit plan where audit missions have been documented by an overview understanding of the subject

16 IAA Evaluation
Depending on the scope of the audits selected (entire Potential Audit Client, one or more business activities), the auditor will drill down to obtain more detailed understanding of the specific controls related to the Potential Audit Client or business activity under review.

Where necessary (based on potential risks)

17 IAA Evaluation
IAA evaluation consists of obtaining a detailed understanding of the control environment design; Do adequate controls exist to mitigate business risks (scope selected based on risks)

18 IAA Evaluation Risk Assessment
- IAA critical success factor: control design MUST include operational and IT controls.
- TOTAL risk assessment incorporates business/industry risk, operational risk COMBINED with technology risk to form an opinion on the overall design

the risks?
[Diagram. Labels: Batch, Account, Orders Management, Client Orders DB, Accounting, Banksys, Branches, Interest calculations, Asynchrone, Synchrone, Dialog, Appl, CRI, CRE, Reconciliation, Operations, Security, Oracle, DB2, Accounting Application, Problem management, Network, Cics, MQM, Compliance, Integrated Audit]

20 IAA Evaluation
IAA risk assessment guidelines:
- A limited number of risk factors
- Including Business-Technology specific.

- Risk factors should be weighted by criticality and measurable.

Some factors should be IT Risk Assessment
- For EACH business unit, identify technology platform (PC, LAN, etc)
- What does the system do? Interview users, read documentation, look at system menu
- What are you connected to? - Interfaces
- Establishes span of control

22 IAA - Integrated Risk Assessment
- What could go wrong? Establishes the risk
- What would happen? Establishes the materiality
- How would you know if something went wrong? Determines the control

23 Integrated Risk Assessment
- Business criticality: degree of reliance a business Unit places on the system
- Technological complexity: degree of computer generated transactions utilized with minimal manual intervention

24 IAA Evaluation
Based upon the information obtained and confirmed during the planning phase, combined with the combined risk assessment, the auditor selects the relevant areas to include in the audit scope and performs a detailed review of these

Evaluation
Auditors usually perform a walkthrough during the evaluation to assist in understanding the process flow, obtain relevant sample documentation, spot test the key controls, and observe the general

Evaluation
IAA critical success factor: the auditor must flowchart the IT system to obtain a detailed understanding of key system processes.

Files and

Evaluation
- The auditor should develop an integrated flow chart that combines manual and computer processes, key calculations, master file updates, downloads, and uploads.
- Examine processes and control design by splitting them into three categories:
  - Those that only people perform.
  - Those that people and computers perform.
  - Those that only the computer

[Flowchart, French in the original: "1. Subscription request via branch". Steps: signed subscription request; online encoding in GEKT with online check of the filters and authorization on the account; daily GEKT batch checking filters and subscription validity; list of rejections and error messages to examine; subscription awaiting recycling / examination of the rejection code; temporary or final rejection; batch generation of the secret code; secret code letter (the next day if second subscription); subscription number letter if not the first subscription. Annotations: Process, Input, Data, Output; controls on validity of filters and on authorization and access; objectives of authorization, usability, integrity, reliability, completeness, confidentiality, security and timeliness; risks of interception and loss; encrypted secret code, strong algorithm]

29 IAA Evaluation
Examine the following objectives for each transaction
- Completeness of input processing.

- Accuracy of input processing.
- Completeness of master file updates.
- Accuracy of master file updates.
- Accuracy and reliability of processing (calculations)
- Access to and confidentiality of information.
- Authorization of processing.
- Reconciliations and verifications.
- Monitoring and

Evaluation
Based on the evaluation of the design of the entire control environment (IT and manual), the auditor expresses an opinion on the adequacy of

Evaluation
Audit Approach - evaluation
- What does the system do?
- What is it connected to?
- Who has access?
- What type of access do they have?
- What is logged?

32 IAA Evaluation
Evaluation
- Totals (completeness)
- Edits (accuracy)
- System generated calculations/summarization/categorization
- System menu

33 IAA Evaluation
Better evaluation
Transaction file - input - journal - Master file - processing - ledger - Master file update - How do you know

34 IAA Testing
The testing phase is the area that makes the IAA the most efficient.

Based on the information obtained in planning and evaluation, the auditor selects which controls require

Testing
Better Audit tests
- On screen edits
- Batch totals
- Calculations
- Master file updates
- Output

36 IAA Testing
Better Audit tests
- System demo
- Access
- Violations
- Computer generated logs/listings

37 IAA Reporting
- Although reporting is largely a matter of preference and style, IAA reporting has certain benefits that can be incorporated into any reporting style: a single report that renders an opinion on the entire system of risks and control.
- Visual = no long narrative texts

38 IAA Reporting
IAA pitfall to avoid: reporting that is done by a technical auditor and a non-technical auditor and then pieced together. This tends to mitigate the consistency of ideas. Judicious editing is required to scrub the report to eliminate jargon and facilitate easy

the High Spots
Application audits
- Transaction processing
- Business critical
- Bread and butter

40 EXPECTATIONS
Depends
- DUE DILIGENCE Audit MODEL?

- STAFFING AND DEVELOPMENT Audit MODEL?
- PROFESSIONAL INTERNAL Audit MODEL?

41 WHAT WORKS
- Expanding the information technology knowledge base of each and every auditor
- Realistic Audit assignments based on knowledge, skill levels and degree of difficulty of the subject (planning audits)
- Pre-Audit of technical aspects (typical IT audits)
- Extensive IT Audit tools and support
- Effective technical supervision

42 BARRIERS
- IT Audit is a separate and unique Audit discipline
- The fundamental internal auditor skill set is accounting and general business oriented with limited IT knowledge required
- Specialization is good: only IT auditors should audit IT topics
- Generalization is good: IT auditors can Audit anything IT related
- The board and senior management really understand auditing in an IT environment
- No one really cares whether audits are Integrated or not
- Auditors are not on staff long enough to justify extensive training costs

43 IAA Integrated auditor?

- Traditional auditor that addresses computer Audit techniques, rely on the methodology
- Specialized IT auditor that addresses both business flow and highly automated systems
- All auditors integrated auditors with some having just more skills than others

44 IAA Audit Tools
- Reference materials
  - Cobit (Manage Data)
  - ISACA Bookstore material (bits and pieces in many books)
  - Integrated referential
- Audit software: ACL, IDEA

MANAGE DATA
PROCESS 1: Data entry procedures
Evaluation: Not Assessed
Risk Rating:
Impact:
Columns: Objective | Potential Risks | Controls | Residual risks and recommendations

Management should establish data preparation procedures to be followed by user departments. In this context, input form design should help to assure that errors and omissions are handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.