TRANSCRIPT
Connecting the dots: IT to Business
Jason Wood, CPA, CISA, CIA, CITP, CFF
April 2015
Over 18 years of international business experience in
planning, conducting, and quality reviewing complex
information technology audits (inclusive of new
business development, leading diverse teams,
developing people and managing projects).
In-depth understanding of financial, operational and
information technology risks, controls, and
processes; and the implementation of cost-effective
internal controls to minimize risk and maximize
value.
Authored a book titled “IT Auditing and Application
Controls for Small and Mid-Sized Enterprises:
Revenue, Expenditure, Inventory, Payroll, and More”
published by Wiley Publishing in December 2013.
Speaker Bio – Jason Wood
• Who’s in the audience?
• Connecting IT Audit to the Financial/Operational Processes
• Financial Cycle Risks from an IT Perspective (Revenue, Expenditure, Inventory, Payroll)
• Management Assertions and the IT Audit
• IT Control Objectives (CIA)
• Illustrative IT Control Deficiencies and Potential Financial Audit Impact
Agenda
• What companies are represented in the audience today?
• What role do you play within your company (IT Auditor, Business Auditor, Management, etc.)?
• What is your experience level with IT and Business Auditing?
Who’s in the Audience Today?
Connecting IT Audit to the
Financial / Operational
Processes
RISK IS INEVITABLE
AS AUDITORS, we help our clients/companies manage their
risk by performing audits and other assessments. Our work
helps the client/company understand the nature and extent of
risks that exist in the control environment. Information
technology (IT) controls are a key aspect of that control
environment—albeit one that may be less familiar to the auditor
than the purely accounting and financial dimensions.
Protect the financial and operational data
stored within information systems!
Protect the data!
IT Controls Are Critical
• Enabler of transactions, processes, and preparation of information for financial statements
• Affect the reliability of financial data (e.g., system reports) and electronic audit evidence
• Foundation for application controls including segregation of duties
Linking Business and IT Processes
[Diagram: Business Processes mapped against the IT Environment. The business side shows the Flows of Transactions (Routine Transactions, Estimation Transactions, Non-Routine Transactions) feeding the General Ledger and the Financial Statements, with the Financial Statement Close Process spanning them; the IT Process underpins each stage.]
Financial Cycle Risks from
an IT Perspective
Revenue Cycle IT Risks
Sales: Is the order from a valid customer? Does the system contain correct
and up‐to‐date information about the customer? Are there holds or credit
limits on the customer’s account? Has the transaction been properly
authorized? Are recorded transactions valid? Have all valid transactions been
recorded accurately?
Credit approval: Does the credit approval process protect the organization
against excessive credit losses?
Warehouse: How are assets protected against loss or theft? Does the
accounting system provide good detective controls that would bring shrinkage
to the attention of management? How often are inventory counts reconciled to
accounting records? Are ordered goods available in sufficient quantity to
satisfy customer demand? Are backorder processes in place to protect
against customer dissatisfaction from stockouts?
Revenue Risk Exposures
Shipping: What controls are in place to ensure the accuracy and timeliness
of shipped orders? Are processes in place to manage multiple ship‐to
addresses?
Billing: What controls are in place to ensure the accuracy and timeliness of
billings? Are backorders, partial fills, returns, and other nonroutine
transactions processed in such a way as to ensure accurate and complete
records?
Cash receipts: Does the organization use lockboxes? Do cash receipt
processes provide independent audit trails? What segregation of duties
(SOD) controls are there to prevent one person from exercising incompatible
functions?
Revenue Risk Exposures
Expenditure Cycle IT Risks
Purchases: Is the order made to a valid vendor? Does the
system contain correct and up‐to‐date information about that
vendor?
Credit limit issues: Do credit limit issues occur at both the
purchasing agent level (does the agent have authorization to
initiate the PO) and the vendor level (does the contemplated
purchase exceed the available credit on the account)?
Receiving: Risks include receipt (does the entity receive the
goods that it ordered?), variances of type and/or quantity, and
pricing.
Expenditure Risk Exposures
Invoicing: Risks include the possibility of invoices for goods
and services that were not received, and the possibility that
invoiced prices exceed previously quoted prices beyond some
specified tolerance level.
Cash disbursements: Risk exposures include all possible
concerns relating to unauthorized or inappropriate distribution
of corporate cash.
Expenditure Risk Exposures
Inventory Cycle IT Risks
Warehouse: Are item cards set up appropriately? Are processes in place
to ensure that the company can accurately process orders for replacement
inventory? Are logical access controls to inventory records set up
appropriately? Are the inventory records appropriately updated when raw
material is received? Do the perpetual inventory records represent the
actual amount on hand? Will the system support possible expansion in the
number of types of inventory items? Does the shipping information from the
inventory cycle accurately transfer to the revenue cycle for revenue
recognition purposes?
Manufacturing: If there are multiple stages of manufacturing processes,
are items of work in process correctly classified, insofar as this information
is needed for accounting and operational purposes? Are all costs required
for external reporting processes captured (e.g., in addition to direct
material, other full‐absorption costs such as direct labor and overhead)?
Inventory Risk Exposures
Repair: Does the system require return authorization prior to acceptance of
an item for return, repair, or replacement? Are items transferred to a repair
process accurately classified and tracked? Does the system alert
administrators to potential business exposures such as fraudulent or
defalcatory misclassification of inventory items? Are the inventory records
appropriately updated to reflect the goods received as part of the return,
repair, or replacement process?
Inventory Risk Exposures
Payroll Cycle IT Risks
Setup and maintenance: Are employees set up in the system consistent
with their pay status, pay rates, and other vital information? Who has access
to add, change, or delete payroll master file information? What prevents
ghost employees from being set up and subsequently paid?
Calculations: Are tax tables updated appropriately to ensure tax
calculations reflect the current tax rates based on jurisdiction? What ensures
the time was captured and entered into the system appropriately? Was the
time extended to the pay rate so the appropriate pay was calculated? Was
the third‐party payroll processor provided with correct payroll information for
calculations?
Payroll Risk Exposures
Processing: Are there variance tolerance levels set up in the system? What
ensures that the amounts scheduled to be paid are paid? Does segregation
of duties exist in the payroll processing process? Are signature approvals
captured and are digital signatures protected? Is electronic check stock
protected? Was the third‐party payroll processor provided with correct
payroll information for processing?
Disbursements: Are completed checks secured for disbursement? Do
controls exist that ensure that direct deposits were made to the right account
and complete?
Reconciliations: Do reports appropriately reflect the payroll that was
scheduled to be disbursed and that was actually disbursed? What reports
exist in the system for review?
Payroll Risk Exposures
Accruals and adjustments: Are accruals and adjustments to payroll,
benefits, and taxes calculated so the financial records can be updated? Are
payments made to the tax authorities for the tax liability? Are benefit
accounts updated for the benefits liability?
Payroll Risk Exposures
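The payroll setup, processing and disbursement questions above (ghost employees, time captured and extended to pay, direct deposits going to the right account) can be turned into detective analytics over the payroll master file and a pay run. The following is an added example and not code from the presentation; the record layout, field names and sample data are constructed assumptions, and the no-hours check assumes hourly time capture.

```python
from collections import defaultdict
from datetime import date

# Constructed sample payroll master, time records and pay run (not from the
# presentation); field names are assumptions about a generic payroll system.
EMPLOYEES = [
    {"id": "E1", "name": "A. Smith", "bank_acct": "111-222", "terminated": None},
    {"id": "E2", "name": "B. Jones", "bank_acct": "333-444", "terminated": date(2015, 2, 28)},
    {"id": "E3", "name": "C. Lee",   "bank_acct": "111-222", "terminated": None},  # shares E1's account
    {"id": "E4", "name": "D. Kim",   "bank_acct": "555-666", "terminated": None},
]
TIMESHEET_HOURS = {"E1": 160, "E2": 0, "E3": 0, "E4": 152}   # captured hours for the period
PAY_RUN = [("E1", 4800.0), ("E2", 3100.0), ("E3", 2900.0), ("E4", 4560.0)]  # (id, gross)
PAY_DATE = date(2015, 3, 31)


def duplicate_bank_accounts(employees):
    """Several master records paying into one deposit account: a classic
    ghost-employee marker, and a check that deposits reach the right account."""
    by_acct = defaultdict(list)
    for emp in employees:
        by_acct[emp["bank_acct"]].append(emp["id"])
    return {acct: ids for acct, ids in by_acct.items() if len(ids) > 1}


def paid_without_hours(pay_run, hours):
    """Paid in the run although no time was captured to extend to a pay rate
    (assumes hourly staff; salaried staff would need a different rule)."""
    return sorted(emp for emp, gross in pay_run if gross > 0 and hours.get(emp, 0) == 0)


def paid_after_termination(pay_run, employees, pay_date):
    """Terminated before the pay date but still in the run; a final-pay
    exception may be legitimate, so this is a flag for follow-up, not a finding."""
    term = {emp["id"]: emp["terminated"] for emp in employees}
    return sorted(emp for emp, _ in pay_run if term.get(emp) and term[emp] < pay_date)
```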
MANAGEMENT’S ASSERTIONS
AND THE IT AUDIT
Many account balances purport to describe quantities that
actually exist (e.g., stocks of inventory or amounts owed
to the company for past sales). Over‐ or understatements
of these balances may result in material errors, and audit
procedures typically rely on a combination of process
analysis and physical counts or sampling approaches to
evaluate the plausibility of a reported balance. The
financial auditor ties information in the system back to
transaction (source) documents (which may be paper or
another electronic file), and, accordingly, he or she needs
to understand the system’s overall design, the flow of
information, and the nature and location of files.
Existence
The completeness assertion refers to the integrity of the
recording process and the ability of the company’s
accounting system to ensure that the effects of all
transactions, balances, accounts, estimates, and so on
have been included in the financial statements. Traditional
audit techniques such as cross‐footing and internal
validity checks of totals and subtotals can help to ensure
that financial information flows correctly (as missing
values may cause the statements and supporting
schedules not to tie). At the IT level, the auditor is
concerned with how the system ensures completeness—
for instance, does the report writer pull all the items from
the chart of accounts?
Completeness
This assertion addresses the legal status of a
company’s assets and liabilities and it can create
exposures and areas of interest from an IT
perspective. As an example, consider a company
that ships merchandise on both a free‐on‐board
(FOB) destination and FOB shipping point basis.
The accounting system should be configured so
as to properly classify these transactions and
support accurate reporting of inventory,
receivables, and sales.
Rights and Obligations
The area of valuation can range from the accuracy of
original costs to complex and esoteric calculations relating
to financial instruments. In order to ensure that account
balances, transactions, fair value estimates, and other
amounts are reported appropriately, the IT auditor may
need to examine things such as links to pricing tables and
lookup tables, the design and accuracy of spreadsheet
models, and the integrity of proprietary data sources. The
widespread use of spreadsheet models for a variety of
valuation‐related activities creates many exposures
related to data transfer and change management.
Valuation
The realm of accounting procedures includes classification and
aggregation procedures, proper cutoffs at the end of each accounting
period, the preparation and posting of adjusting entries, the
preparation of disclosure and supporting schedules, and the final
presentation of the financial statements. In addition, the auditor
should examine the configuration settings in the computer system to
ensure that proper cutoff is achieved. For example, does the
computer system configuration close the accounting period, or does
the accounting period remain open indefinitely? Does the system
have the correct days set for each month? When the financial
statements are being produced, the IT auditor needs to ensure that all
data within the accounting system are being pulled to the financial
statements, confirming, for example, accurate tie‐backs between sub-
ledgers, the general ledger, and the financial statements.
Accounting Procedures
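The Completeness and Accounting Procedures slides above describe three system-level tests: does the report writer pull every account in the chart of accounts, do sub-ledgers tie back to their general ledger control accounts, and does the system actually enforce period cutoff. The following is an added example rather than code from the presentation; the account numbers, balances and posting records are constructed, and the record layout is an assumption.

```python
from datetime import date

# Constructed sample data (not from the presentation): a small chart of
# accounts, the accounts a report actually pulls, an AR sub-ledger, the GL
# control balance, and journal postings with their posting date and period.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts Receivable",
                     "1400": "Inventory", "4000": "Sales"}
REPORT_ACCOUNTS = {"1000", "1200", "4000"}           # report writer never pulls 1400
AR_SUBLEDGER = [("C-001", 5000.00), ("C-002", 2500.00), ("C-003", 750.00)]
GL_CONTROL_BALANCES = {"1200": 8300.00}              # sub-ledger detail sums to 8250
PERIOD_END = date(2015, 3, 31)
GL_POSTINGS = [
    {"id": "J1", "account": "4000", "amount": 1200.0, "post_date": date(2015, 3, 30), "period": "2015-03"},
    {"id": "J2", "account": "4000", "amount": 800.0, "post_date": date(2015, 4, 2), "period": "2015-03"},
]


def missing_from_report(chart, report_accounts):
    """Completeness: chart-of-accounts entries the report writer never pulls."""
    return sorted(set(chart) - set(report_accounts))


def subledger_tie_out(subledger, control_balances, control_account, tolerance=0.005):
    """Tie-back: does the sub-ledger detail agree with its GL control account?"""
    detail_total = round(sum(amount for _, amount in subledger), 2)
    control = control_balances[control_account]
    difference = round(detail_total - control, 2)
    return {"detail": detail_total, "control": control,
            "difference": difference, "ties": abs(difference) <= tolerance}


def cutoff_exceptions(postings, period, period_end):
    """Cutoff: entries posted into a period after that period ended. If the
    system leaves the period open indefinitely, these go through unchallenged."""
    return [p["id"] for p in postings
            if p["period"] == period and p["post_date"] > period_end]
```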
IT Control Objectives
IT controls are designed to meet control objectives related to Information Security
requirements. The core objectives, often referred to as C-I-A, can be depicted as
follows:
Confidentiality:
Protects sensitive
information from being
viewed by unauthorized
users. Examples
include:
- Financial Data
- Credit Card Numbers
- SSN
Note: This objective
directly relates to
internal and external
Privacy requirements.
[Diagram: the C-I-A triangle, with Confidentiality, Integrity and Availability at its corners.]
Availability:
Ensures that critical IT
resources (i.e.,
hardware, software,
data) are available
when needed.
Integrity:
Protects the integrity of
critical IT resources like:
- Hardware
- Software
- data repositories
The confidentiality of data refers to both internal
and external users. Internally, the system of
rights and permissions to access and modify data
is an essential building block in the design of
properly segregated duties (or a key feature to
analyze when insufficient personnel make it
impossible to achieve an ideal level of
segregation). Externally, the confidentiality of
data rests on such IT constructs as firewalls,
encryption, and access protocols.
Confidentiality
Change management: Segregation refers to the well‐established principle that
programmers should not have access to data, and that those entrusted with data should not
have programming rights. We define programming broadly so as to encompass the many
methods of altering how software functions and the results it produces. When an IT auditor
tests change management, we would expect to see change control forms with the requested
changes that are approved for each change that is captured in the system.
Operations: Confidentiality concerns in the operations domain include issues such as the
storage location of backup tapes. There’s a difference between a sock drawer and a fireproof
safe! It’s important to remember that the data on the backup tape is confidential and may be
readily converted to useful information without someone having access to the system. With
respect to access control, IT auditor tests should expect the existence of signed forms with
management approval, specifying the access needed.
Security: This intersection includes topics such as passwords, permissions, log-on histories
(detective control), and penetration testing. The auditor should determine whether company
personnel have access only to the data they need—or to more. It is important to understand
and document the business reason for data access protocols.
Confidentiality
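The change-management and access-control tests described on this slide, segregating programming rights from data access and matching granted access to signed, management-approved access forms, can be run as a simple entitlement review. This is an added example and not code from the presentation; the role names, users and approval records are constructed assumptions.

```python
# Constructed sample data (not from the presentation). ENTITLEMENTS is what the
# system actually grants; APPROVED_FORMS is what the signed access forms cover.
PROGRAMMING_ROLES = {"developer", "deploy_prod"}                   # ways to alter how software behaves
DATA_ROLES = {"gl_post", "ar_update", "payroll_master_edit", "report_view"}

ENTITLEMENTS = {
    "alice": {"developer", "gl_post"},                 # programmer who can also post to the GL
    "bob":   {"ar_update"},                            # matches the approved form
    "carol": {"report_view", "payroll_master_edit"},   # granted more than the form specifies
    "dave":  {"developer"},                            # programming only, no data rights
    "erin":  {"gl_post"},                              # no access form on file at all
}
APPROVED_FORMS = {
    "alice": {"developer"},
    "bob":   {"ar_update"},
    "carol": {"report_view"},
    "dave":  {"developer"},
}


def sod_conflicts(entitlements):
    """Users holding both programming rights and rights to production data."""
    return sorted(user for user, roles in entitlements.items()
                  if roles & PROGRAMMING_ROLES and roles & DATA_ROLES)


def unapproved_access(entitlements, approved):
    """Roles granted in the system that no signed access form covers, per user.
    A user with no form at all has every granted role reported."""
    findings = {}
    for user, roles in entitlements.items():
        excess = roles - approved.get(user, set())
        if excess:
            findings[user] = sorted(excess)
    return findings
```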
In an accounting context, data integrity relates
directly to the other management assertions, and
to the Conceptual Framework’s notion of
representational faithfulness. Thus, accounting
information should represent what it purports to
represent—quantities that actually exist,
calculated from complete records, with due
consideration to appropriate legal rights and
obligations, and correctly valued in accordance
with acceptable accounting procedures.
Integrity
Change management: The IT audit should ensure that
appropriate end‐user testing has occurred and that changes
are working as intended and in a manner that can be relied
upon.
Operations: Concerns in this area include testing of backup
tapes for system restorability. If data cannot be restored, the
company may have incomplete records.
Security: The auditor should understand whether she can
rely on the system’s security. Are there ways in which it
could be bypassed or compromised? What are the
overriding security controls? Are they soft or hard?
Integrity
Data that is not available to users is by
definition useless to them. Relevant
IT concerns include server reliability,
access controls, protocols for
distributing data, and concurrency
issues.
Availability
Change management: Is the source code in a location where it can be
restored? Are there rollback procedures in case of a failed change? Is the
backup tape available in case management needs to access data that is
not currently in the system?
Operations: The IT auditor should consider the ability of the server
system to handle the day‐to‐day load. Does management have all the
needed licenses and are they current? Are there any concerns about the
computer system’s availability? The location and availability of backup
tapes is important. How, if it were necessary, would an employee access
prior‐year information that is no longer kept in the system?
Security: Whereas the primary security concern is unauthorized access,
it’s also important that the system not lock out users who have innocently
lost or forgotten a password. The IT auditor should understand
procedures that ensure, as well as restrict, availability.
Availability
Illustrative IT Control
Deficiencies and Potential
Financial Audit Impact
IT Entity Level
Logical Security
Change Management
Operations
Application Controls
Spreadsheets / Reports
SSAE 16 (SOC 1)