A broader view of internal audit for NSIs
Q2008 Conference, Rome, 11 July 08
A broader view of internal audit for NSIs
- application in Ireland and issues to consider
Keith McSweeney,
Central Statistics Office (CSO),
Ireland
Introduction - context for presentation
• Internal Audit - useful for NSIs
• Gap in IT Controls and End-User Computing?
[Diagram labels: User Confidence in Data quality; SOX; Public corporations; NSIs; ESS Code of Practice]
Modern IA - what is it?
• IA development
• TOTALITY OF RISKS that an organisation faces in the achievement of its objectives
• Risk-based auditing
• Reputational risk (particularly important for NSIs)
[Diagram labels: Financial only; All risks]
CSO - our IA/Quality structure
• Risk-based auditing (Corporate Risk Register)
• Q: What other developments are out there in the IA world and what are the implications for NSIs?
[Diagram labels: Strategic; Reputational; Operational; Financial; Data quality; Quality & Audit function; Private sector; Civil Service]
SOX (Sarbanes-Oxley)
• Why SOX? - User Confidence (ENRON, WORLDCOM)
[Diagram labels: Auditor independence; Corporate responsibility; Internal controls; Fraud accountability; White collar crime penalty; Accounting policies; Anti-fraud programmes; IT controls; Overall control environment; IT control environment; Programme development & change by end-users; Computer operations; Access to systems & data]
End User computing (EUC) - what risks to NSIs?
• The IT issues to manage are common to all types of systems. More prevalent with EUC? Question to ponder.
• Testing / peer review before ‘go live’?
• Documentation?
• Change & version control?
• Access control?
• System development done to standard?
• Staff trained to set up and maintain systems?
Implications for NSIs of End-User Computing
Questions NSIs should answer:
• Scale of EUC issue - what and where
• What controls are in place to manage EUC?
• Testing of systems before ‘go live’?
• Code written to standard?
• Systems documented?
• EUC - may be necessary in some cases but it is still a RISK that needs careful management
Implications for ESS Code of Practice
• 2 main inputs to produce results - staff (Principle 7 - Sound Methodology) & IT (where explicitly?)
• No explicit mention that our IT systems need to be to standard
• P12 (Accuracy) “Data…outputs are assessed and validated”
• How can results be validated without reference to the systems used to produce them?
Conclusion
• IT systems - critical input for our work
• IT systems need to be to standard
• Can we use the Code of Practice to help drive improvements in this area?
• Need to make explicit what standard we expect our IT systems to be at - implications for any future self-assessment/peer review exercise
Where is your organisation regarding IT Systems & Controls?
[Diagram: EUC and Central IT compared on Positive and Negative aspects (Flexibility, Standards); Controls in place?]
What do you think? Is it an issue?
Thank you
• Thank you for your attention
• Any questions or comments?
• Email: [email protected]