Aniruddha Neogi, FCA, CISA, CGEIT, CRISC

IT Enabled System: Opportunities & Challenges for Assurance Professionals

Acknowledgements: ISACA, ITGI, Wikipedia, The Economist, ICMAB, SCB

March 31, 2011; ICAB (Chartered Accountant Bhaban)


Presentation Layout

Understanding Key Terms

Trends in Business and IT

IT Enabled System: Basic Concepts of Auditing

Challenges: Adapting IT Auditing Techniques

Challenges: Auditing in ERP Environment

Opportunity: How Audit Tools help Auditor

Opportunity: ISACA Resources and Business Growth

Shared Learning


‘Assurance or Audit’

‘Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’. (Audit criteria are a set of policies, procedures or requirements.)

‘Auditing can be defined as a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards’


‘IT Enabled System’

An Information Technology (IT) enabled system can be any organized combination of people, hardware, software, communications networks, and data resources that collects, transforms, and disseminates information in an organization.


Trends in Business: Globalization & Competition

Impact on Business in General

Impact on the Finance Function

Increased pace of change

Increased importance in strategy

Concentration of Core Competencies

Increased complexity of business risk

Greater volatility : “real-time” information is a necessity

Greater importance of finance in strategic decisions

Need for financial evaluation of strategic alliance

Enhanced responsibility for managing total business risk like: Credit Risk, Technological Risk, etc.


Trends in Business: Other Drivers

Drivers

Impact on the Finance Function

New Organization Structure and Requirements

Emergence of Information Economy; Focus on “Real Time”, accurate data

Increasingly important role of Computers/IT in the Business Processes

Fewer Management Levels; Flatter Organizations

Greater involvement in trend analysis, data interpretation, value-added services

Automation, centralization of accounting & transaction processing; more scope for outsourcing


Changing Face of Finance Functions


Changing Face of Information Technology (IT)

Global Paperless Trade

[Diagram. Labels: Singapore; Bangladesh; VAN/EDI; Exporter; Exporter’s Bank; Importer Bank; Importer; Details of export documentation; Original Documents; Feeds to assist document creation; Electronic Documents Created; 3rd Party Docs e.g. B/L; Electronic Export Documents; Payment; LC issued subject to eUCP]

Straight 2 Bank Product Suite

Cash Management (Payments)

Payments TI

Available Instructions: Telegraphic Transfer, Local and International Bank Cheque, Book Transfer, Direct Credit, Payroll, Corporate Cheque, Bank to Bank transfer, Advice of Cheque, MT101 (Request for Transfer)

Trade

Trade Reporting: Adhoc query reports

Trade Banking: LC issuance and amendment

Cash Reporting

Ad hoc balance & transaction reports. Drill Down Link Acct balance & Acct Stmt reports. SWIFT Reports for MT940, MT942, MT950, MT900, MT910, Africa, UK and China cash reports

Cash Management (Collection)

Collection Reporting

iH2H: Payment, Collection

Data, data everywhere….

Information has gone from scarce to superabundant

That brings huge new benefits, but also big challenges

Data are widely available

What is crucial is to identify the relevant data for analysis, on the basis of which an opinion can be provided


IT Enabled System: Basic Concepts of Auditing

Audit of Financial Statement: Basic Structure

Auditing Around the Computer

Auditing Through the Computer

Audit of Financial Statement: Basic Structure

Interim Audit

Compliance Testing

Financial Statement Audit

Substantive Testing

Compliance Testing

Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned.

Substantive Testing

Substantive testing is the direct verification of financial statement figures. Examples would include reconciling a bank account and confirming accounts receivable.

Audit Confirmation

To ABC Co. Customer:

Please confirm that the balance of your account on Dec. 31 is _____ .

Auditing Around the Computer

The auditor ignores computer processing. Instead, the auditor selects source documents that have been input into the system and summarizes them manually to see if they match the output of computer processing.

Audit around the computer only when:

(a) the audit trail is complete

(b) processing operations are straightforward

(c) systems documentation is complete and readily available


Auditing Through the Computer

The process of evaluating the client’s software and hardware to determine the reliability of operations that are hard for the human eye to view, and of reviewing the internal controls in an IT enabled system.

Audit through the computer with:

(i) audit test data

(ii) parallel simulation

(iii) integrated test facility


Challenges: Adapting IT Auditing Techniques

Basic Knowledge and Skills

Auditing Techniques

Knowledge and Skills

When auditing in a computer environment, the auditor should obtain a basic understanding of the fundamentals of data processing and a level of technical computer knowledge and skills which, depending on the circumstances, may need to be extensive.

Auditing Techniques/CAATs

Review of Systems Documentation

Test Data and Integrated-Test-Facility (ITF)

Parallel Simulation

Generalized Audit Software (GAS)

Embedded Audit Routines

Mapping

Extended Records and Snapshots

Review of Systems Documentation

Review of documentation such as narrative descriptions, flowcharts, and program listings

In desk checking, the auditor processes test or real data through the program logic

Interviewing IT Staff

Test Data and ITF

The auditor prepares input containing both valid and invalid data. Prior to processing the test data, the input is manually processed to determine what the output should look like. The auditor then compares the computer-processed output with the manually processed results.


Parallel Simulation

The test data and ITF methods both process test data through real programs. With parallel simulation, the auditor processes real client data on an audit program similar to some aspect of the client’s program. The auditor compares the results of this processing with the results of the processing done by the client’s program.
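An added example of parallel simulation (not part of the original presentation): the auditor's own program recomputes monthly interest from real client input and compares it with what the client's program reported. The account data, the interest rule (simple interest, actual/365, rounded half-up) and all function names are assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data (not from the presentation): real client input
# records and the interest the client's own program reported for them.
CLIENT_INPUT = [
    {"acct": "A-1001", "balance": "250000.00", "rate_pct": "6.50", "days": 31},
    {"acct": "A-1002", "balance": "18250.75", "rate_pct": "4.00", "days": 31},
    {"acct": "A-1003", "balance": "990000.00", "rate_pct": "7.25", "days": 31},
    {"acct": "A-1004", "balance": "5000.00", "rate_pct": "4.00", "days": 31},
]
CLIENT_OUTPUT = {"A-1001": "1380.14", "A-1002": "62.00",
                 "A-1003": "6295.99", "A-1005": "10.00"}

CENT = Decimal("0.01")


def simulate_interest(rec):
    """Auditor's independent re-implementation (assumed rule: simple
    interest, actual/365, rounded half-up to two decimals)."""
    amount = (Decimal(rec["balance"]) * Decimal(rec["rate_pct"]) / 100
              * rec["days"] / 365)
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(client_input, client_output, tolerance=Decimal("0.00")):
    """Process real client data on the audit program and compare the result
    with the client's program output. Returns a list of exceptions."""
    exceptions, seen = [], set()
    for rec in client_input:
        acct = rec["acct"]
        seen.add(acct)
        expected = simulate_interest(rec)
        if acct not in client_output:
            exceptions.append((acct, "MISSING_IN_CLIENT_OUTPUT", expected, None))
            continue
        reported = Decimal(client_output[acct])
        if abs(reported - expected) > tolerance:
            exceptions.append((acct, "AMOUNT_MISMATCH", expected, reported))
    # Output rows with no matching input record are exceptions too.
    for acct in sorted(set(client_output) - seen):
        exceptions.append((acct, "NO_SOURCE_RECORD", None,
                           Decimal(client_output[acct])))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(row)
```

Unlike test data, nothing here touches the client's program: only its input and output files are needed, so the comparison can cover every record rather than a sample.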

Generalized Audit Software (GAS)

GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. The following functions are supported in GAS:

File access: enables reading of different record formats and file structures

File reorganization: enables indexing, sorting, merging & linking with another file

Data selection: enables global filtration conditions and selection criteria

Statistical functions: enables sampling, stratification and frequency analysis

Arithmetical functions: enables arithmetic operators and functions

Embedded Audit Routines

In-line Code: the application program performs audit data collection while it processes data for normal production purposes

System Control Audit Review File (SCARF):

Edit tests for audit transaction analysis are included in the program

Exceptions are written to a file for audit review
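An added sketch of a SCARF-style embedded audit routine (not part of the original presentation): the production payment run posts every transaction and, in-line, copies those that fail the auditor's edit tests to a review file. The edit tests, thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
import io
import json

# Auditor-defined edit tests (assumed criteria, for illustration only).
APPROVAL_LIMIT = 100_000
VENDOR_MASTER = {"V001", "V002", "V003"}   # constructed master data


def audit_edit_tests(txn):
    """Embedded audit module: list the reasons a transaction is of audit interest."""
    reasons = []
    if txn["amount"] > APPROVAL_LIMIT:
        reasons.append("amount above approval limit")
    if txn["vendor"] not in VENDOR_MASTER:
        reasons.append("vendor not in master file")
    if txn["entered_by"] == txn["approved_by"]:
        reasons.append("entered and approved by same user")
    return reasons


def process_payments(transactions, scarf_file):
    """Normal production processing with the audit routine embedded in-line.
    Every transaction is still posted; exceptions are copied to the SCARF file."""
    ledger_total = 0
    for txn in transactions:
        ledger_total += txn["amount"]        # production logic
        reasons = audit_edit_tests(txn)      # audit data collection
        if reasons:
            record = {"txn": txn, "reasons": reasons}
            scarf_file.write(json.dumps(record) + "\n")
    return ledger_total


# Constructed sample transactions.
SAMPLE = [
    {"id": 1, "vendor": "V001", "amount": 2_500, "entered_by": "u10", "approved_by": "u20"},
    {"id": 2, "vendor": "V002", "amount": 150_000, "entered_by": "u11", "approved_by": "u20"},
    {"id": 3, "vendor": "V009", "amount": 700, "entered_by": "u12", "approved_by": "u12"},
    {"id": 4, "vendor": "V003", "amount": 100_000, "entered_by": "u10", "approved_by": "u21"},
]


def run_sample():
    """Run the sample through production and return (ledger total, SCARF records)."""
    scarf = io.StringIO()                    # stands in for the audit review file
    total = process_payments(SAMPLE, scarf)
    records = [json.loads(line) for line in scarf.getvalue().splitlines()]
    return total, records
```

In a real deployment the review file must be writable by the application but not alterable by the users whose transactions it records, otherwise the exceptions it holds are not reliable audit evidence.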

Mapping

Special software counts the number of times each program statement in a program executes

Helps identify code that is bypassed when the bypass is not readily apparent in the program code and/or documentation

Extended Records and Snapshots

Extended Records:

Specific transactions are tagged, and the intervening processing steps that normally would not be saved are added to the extended record, permitting the audit trail to be reconstructed for these transactions.

Snapshot:

A snapshot is similar to an extended record except that the snapshot is a printed audit trail.

Key Sectors in Bangladesh

CEMENT

RMG

INFRASTRUCTURE

BANK

NGO

DEVELOPMENT

TELECOM

HEALTHCARE

MNC

PHARMACEUTICALS

Challenges: Auditing in ERP Environment

ERP Structure and Control Environment

Impact of ERP on the Audit

Audit Risks and Issues

Audit of Purchase and Payable Process in SAP

Enterprise Resource Planning (ERP) System

Integrates information and business processes to enable information entered once to be shared throughout the organization

ERP had its origins in manufacturing and production planning

ERP automates the tasks involved in performing a business process. If installed correctly, it can have a tremendous payback

Common examples include SAP, PeopleSoft, JD Edwards, Navision and Oracle.

ERP Project

Needs Assessment

Software Selection

Process Reengineering

Conference Room Pilot

Training

Phased Implementation

ERP Structure

Database server

Application server

Presentation server

Business Process/Application Controls

Technical Infrastructure/General Controls

ERP Authorizations and Security

ERP Control Environment

Business Performance Reviews

GENERAL CONTROLS

Controls related to Segregation of Duties

Application Development & Maintenance Controls

Access to Equipment, Programs & Data

Hardware Controls

APPLICATION CONTROLS

Output controls

Input controls

Processing controls

Controls of Master File

Application controls must be evaluated specifically for every audit area

Evaluate the effectiveness of general controls before evaluating application controls

Impact of ERP on the Audit

An ERP environment creates many issues an auditor must address:

The Control Environment Has Changed

Business Processes Have Changed

General IT Controls May Not Be Enough

Can All Accounts be Audited Substantively

Monitoring Controls on ERP

Controls Built into ERP (Inherent & Configured)

ERP Audit Risks and Issues

ERP allows more comprehensive validation and improves balancing controls, BUT:

Access security further complicated

Mix of Financial and non-financial business processes

Highly Configurable

Configuration consistency required

Segregation of duties harder to achieve

Cut-off risk increases


ERP Audit Risks and Issues

ERP is process based

integrity of transaction based on process as a whole

cannot be seen as individual transactions

Preventative controls paramount

Programmed procedures

based on contents of various system tables

changes to ERP elements impact control of business processes

Loss of physical audit trail - ERP aims to be paperless


ERP Audit Risks and Issues

Dependent on multiple processing platforms

security on all is crucial

Direct dependence on IT environment security

operating system

database

application

Initial system setup

best fit with organization structure


Purchase and Payables: Process (SAP)

AP: Accounts Payable; MM: Material Master; GR: Goods Receipts; IV: Invoice Receipts; FI: Final Invoice; GL: General Ledger; PO: Purchase Order

MIRO, MIGO and ME21N: Typical SAP Table Name (Master Table)

Process Risk and Financial Statement Impact


The ‘Three-way Match’ in SAP


How to audit the SAP Three-way Match

[Diagram. Labels: Purchase; Audit Approach; Customizing; PO; Matching Enforced; Matching Changeable; Automated Controls; Manual Controls; Substantive]

Opportunity: How Audit Tools help Auditor

Planning and Data Profiling

Sampling and Analysis

Audit Working Paper

Review of Audit Working Paper

Advantages of CAATs


Audit Approach


Planning and Profile Data

Benefits of using IT tools at Planning Stage:

Can define all activities within audit scope

Easily assign resources against each activity

Track the progress

Quick look at millions of transactions and view data in a comprehensive and summarized representation

Sampling

IT tools can generate different types of sample for analysis:

Systematic

Random

Attribute

Monetary

Classical Variable


Analysis


Working Paper


Working Paper Review


Sample Report


Advantages of CAATs

Reduced level of audit risk

Greater independence from the auditee

Broader and more consistent audit coverage

Faster availability of information

Improved exception identification

Greater flexibility of run times

Greater opportunity to quantify internal control weaknesses

Enhanced sampling

Cost savings over time

Opportunity: ISACA Resources

Area: ISACA Resources

IS Auditing: ISACA Auditing Standard, ISACA Auditing Guideline, IT Assurance Framework (ITAF), CISA certification

Risk Assessment: Risk IT, CRISC certification

IT Governance & Control: IT Governance Framework (ITGF) & CGEIT Certification

Compliance: Control Objective on Information & Related Technology (COBIT)

Value Delivery: Value IT (Val IT)

Information Security: Business Model for Information Security (BMIS)

Opportunity: Business Growth


Shared Learning

Thank you