Auditing Information Technology - Financial System Issues
Bruce Headrick, Program Manager, AFAA/FSD


Page 1: Auditing Information Technology -  Financial System Issues

Auditing Information Technology - Financial System Issues

Bruce Headrick, Program Manager, AFAA/FSD

Page 2: Auditing Information Technology -  Financial System Issues

Agenda

1. Objective
2. Background - Criteria
3. The IT Portfolio
4. Financial Info Structure
5. GAAP/GAGAS
6. Enforcement of System Controls
7. Wrap-Up

Page 3: Auditing Information Technology -  Financial System Issues

Audit-Background

Once upon a time the Organization hired computer programmers and developed the software they would use ….

But that was once upon a time. Today:

Information system development means the carefully guided acquisition and customization of commercial off the shelf software, often commercial ERP software.

Page 4: Auditing Information Technology -  Financial System Issues

IT Audit - Background

Ensure the right information exists, is accessible, and is understood and discoverable by all organizational personnel with on-demand access to appropriate authoritative, reliable, relevant, and assured information needed to perform their duties efficiently and effectively.

Provide continuously for the availability, integrity, confidentiality, nonrepudiation, and authentication of information and information systems as an essential element to achieving the Organization's mission.

Page 5: Auditing Information Technology -  Financial System Issues

Areas of Interest

• IT Portfolio
• Financial Information Structure
• Standards
  – Generally Accepted Accounting Principles
  – Generally Accepted Government Accounting Standards
  – Government Auditing Standards
• System Controls
  – General Controls
  – Application Controls

Page 6: Auditing Information Technology -  Financial System Issues

IT Audit - Background

IT Portfolio Management

Page 7: Auditing Information Technology -  Financial System Issues

Other Portfolio Issues

How does management know what they have?

Is there potential duplication in single IT portfolios?

Is there potential duplication between IT portfolios?

Are there redundancies between lines of business?

Are there redundancies between operational activities?

Are there redundancies between parent-child levels?

Has your xyz performed a gap analysis of activity?

Does your xyz use a corporate activity to review IT acquisitions?

Page 8: Auditing Information Technology -  Financial System Issues

Financial Info Structure

• How do the systems talk to each other?

• Interfaces

• Does x in one system = x in the next system?

• Common languages

Page 9: Auditing Information Technology -  Financial System Issues

Standards

• GAAPs

• GAGAS

• GAO “Yellow Book”

Page 10: Auditing Information Technology -  Financial System Issues

What the Standards say… AU Section 318

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Source: SAS No. 110.

.04 The auditor's overall responses to address the assessed risks of material misstatement at the financial statement level may include emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence, assigning more experienced staff or those with specialized skills or using specialists, providing more supervision, or incorporating additional elements of unpredictability in the selection of further audit procedures to be performed. Additionally, the auditor may make general changes to the nature, timing, or extent of further audit procedures as an overall response, for example, performing substantive procedures at period end instead of at an interim date.

Page 11: Auditing Information Technology -  Financial System Issues

What the Standards say… Testing

AU Section 326, Audit Evidence

Source: SAS No. 106.

.22 Tests of controls are necessary in two circumstances. When the auditor’s risk assessment includes an expectation of the operating effectiveness of controls, the auditor should test those controls to support the risk assessment. In addition, when the substantive procedures alone do not provide sufficient appropriate audit evidence, the auditor should perform tests of controls to obtain audit evidence about their operating effectiveness.

Looking for both Anticipated and Actual results.

Page 12: Auditing Information Technology -  Financial System Issues

What the Standards say… IT Work in Financial Audits

AT Section 501

An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Source: SSAE No. 15.

.18 The examination of internal control should be integrated with an audit of financial statements. Although the objectives of the engagements are not the same, the auditor should plan and perform the integrated audit to achieve the objectives of both engagements simultaneously. The auditor should design tests of controls

• to obtain sufficient appropriate evidence to support the auditor's opinion on internal control as of the period end; and

• to obtain sufficient appropriate evidence to support the auditor's control risk assessments for purposes of the audit of financial statements.

.51 The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the top-down approach used to identify likely sources of misstatement and the controls to test, as well as to assess risk and allocate audit effort.

Page 13: Auditing Information Technology -  Financial System Issues

Standards that Should be Referenced When Conducting IT Work

• SSAE No. 15 - An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

• SAS No. 106 - Audit Evidence

• SAS No. 107 - Audit Risk and Materiality in Conducting an Audit

• SAS No. 108 - Planning and Supervision

• SAS No. 109 - Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

• SAS No. 110 - Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Page 14: Auditing Information Technology -  Financial System Issues

System Controls

• FISCAM – Federal Information System Controls Audit Manual

– General Controls

– Application Controls

Page 15: Auditing Information Technology -  Financial System Issues

FSD IT Audit - Risks to ICs

Various Internal Controls

• General Controls
  – Security Management
  – Access
  – Configuration Management
  – Segregation of Duties
  – Contingency Planning

• Business Process (Application) Controls
  – Completeness
  – Accuracy
  – Validity
  – Confidentiality
  – Availability

Page 16: Auditing Information Technology -  Financial System Issues

IT Audit - Risk to ICs

General Controls

• Security Management – controls provide reasonable assurance that security management is effective.

• Access – controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.

• Configuration Management – controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely as intended.

• Segregation of Duties – controls provide reasonable assurance that incompatible duties are effectively segregated.

• Contingency Planning – controls provide reasonable assurance that contingency planning (1) protects information and minimizes the risk of unplanned interruptions and (2) provides for recovery of operations should interruptions occur.

Page 17: Auditing Information Technology -  Financial System Issues

IT Audit - Risk to ICs

Business Process Controls

• Completeness – controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in the output.

• Accuracy – controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis; data elements are processed accurately by applications that produce reliable results, and output is accurate.
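The Financial Info Structure slide asks whether "x in one system = x in the next system", and the Completeness and Accuracy objectives above ask whether every transaction reached the ledger once and only once with the right amount. The following is an added worked example, not code from the presentation or from any AFAA/FSD tool, of how an auditor can test both with a transaction-level reconciliation. All rows, document ids and field encodings are constructed; the feeder system is assumed to store amounts in cents with MMDDYYYY dates, and the ledger decimal dollars with ISO dates, so the "x = x" question is answered by normalizing both sides before comparing.

```python
"""Added example (not from the deck): transaction-level completeness and
accuracy test between a feeder-system extract and the general ledger.
All data below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed feeder-system extract: amounts in whole cents, dates as MMDDYYYY.
FEEDER_ROWS = [
    {"doc_id": "PR-1001", "amount_cents": 125000, "post_date": "03152011"},
    {"doc_id": "PR-1002", "amount_cents": 9999,   "post_date": "03152011"},
    {"doc_id": "PR-1003", "amount_cents": 50000,  "post_date": "03162011"},
    {"doc_id": "PR-1004", "amount_cents": 4200,   "post_date": "03162011"},
]

# Constructed general-ledger extract: amounts as decimal dollars, ISO dates.
GL_ROWS = [
    {"doc_id": "PR-1001", "amount": "1250.00", "post_date": "2011-03-15"},
    {"doc_id": "PR-1002", "amount": "99.99",   "post_date": "2011-03-15"},
    {"doc_id": "PR-1002", "amount": "99.99",   "post_date": "2011-03-15"},  # posted twice
    {"doc_id": "PR-1003", "amount": "5000.00", "post_date": "2011-03-16"},  # amount keyed wrong
    # PR-1004 never reached the ledger
    {"doc_id": "PR-9999", "amount": "10.00",   "post_date": "2011-03-16"},  # no feeder document
]


@dataclass(frozen=True)
class Txn:
    """One transaction in a common representation shared by both systems."""
    doc_id: str
    amount: Decimal
    post_date: date


def normalize_feeder(row):
    """Map the feeder system's encoding (cents, MMDDYYYY) onto the common form."""
    d = row["post_date"]
    return Txn(row["doc_id"], Decimal(row["amount_cents"]) / 100,
               date(int(d[4:]), int(d[:2]), int(d[2:4])))


def normalize_gl(row):
    """Map the ledger's encoding (decimal dollars, ISO date) onto the common form."""
    return Txn(row["doc_id"], Decimal(row["amount"]),
               date.fromisoformat(row["post_date"]))


def reconcile(feeder_rows, gl_rows):
    """Return exceptions keyed by control objective; empty lists mean no exceptions."""
    feeder = {t.doc_id: t for t in map(normalize_feeder, feeder_rows)}
    gl_list = [normalize_gl(r) for r in gl_rows]
    gl_counts = Counter(t.doc_id for t in gl_list)
    gl = {t.doc_id: t for t in gl_list}
    both = feeder.keys() & gl.keys()
    return {
        # Completeness: every feeder transaction is in the ledger ...
        "missing_in_gl": sorted(feeder.keys() - gl.keys()),
        # ... processed once and only once ...
        "duplicated_in_gl": sorted(d for d, n in gl_counts.items() if n > 1),
        # ... and nothing in the ledger lacks a source document (validity).
        "unsupported_in_gl": sorted(gl.keys() - feeder.keys()),
        # Accuracy: amount and posting date agree once both sides are normalized.
        "amount_mismatch": sorted(d for d in both if feeder[d].amount != gl[d].amount),
        "date_mismatch": sorted(d for d in both if feeder[d].post_date != gl[d].post_date),
    }


def control_passed(findings):
    """True only when every exception list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(FEEDER_ROWS, GL_ROWS)
    for objective, docs in result.items():
        print(f"{objective:18s} {docs}")
    print("control passed:", control_passed(result))
```

Run against the constructed extracts, the test reports PR-1004 as missing from the ledger, PR-1002 as posted twice, PR-9999 as having no source document, and PR-1003 as an amount mismatch; each exception maps back to one of the control objectives on the slide, which is what the workpaper needs.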

Page 18: Auditing Information Technology -  Financial System Issues

IT Audit - Risk to ICs

Business Process Controls (cont'd)

• Validity – controls provide reasonable assurance (1) that all recorded transactions actually occurred (they are real), relate to the organization, are authentic, and were properly approved and (2) that output contains only valid data.

• Confidentiality – controls provide reasonable assurance that application data and reports and other output are protected against unauthorized access.

• Availability – controls provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed.

Page 19: Auditing Information Technology -  Financial System Issues

IT Audit - Risk to ICs

Example of a Control

• Control Activity CM3-1. All configuration changes are properly managed (authorized, tested, approved, and tracked)

• Control Techniques (19)
  – CM-3.1.1 An appropriate formal change management process is documented
  – CM-3.1.2 Configuration changes are authorized

• Audit Procedure (21) – Audit Procedure = Audit Step(s)

Page 20: Auditing Information Technology -  Financial System Issues

IT Audit - Risk to ICs

DFAS 7900.4-M

• Comprehensive Compilation of the Federal Financial Management Improvement Act (FFMIA) and DoD System requirements

• Currently 20 Volumes

• Example of one in Volume 3, PP&E
  – Maintain/Update Property Information
  – Requirement ID – 03.01.43
  – The property mgmt sys must provide an audit trail for entries to a property record, including the identification of the individual(s) entering or approving the information and/or data
  – Federal Source: JFMIP SR-00-4, Oct 00, pg 12

http://www.dfas.mil/dfas/fmcoe/bluebook.html
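Requirement 03.01.43 above asks the property system to record who entered and who approved each change; the Segregation of Duties objective (Page 16), the Validity objective's "properly approved" (Page 18) and control technique CM-3.1.2 (Page 19) all turn on the same two fields. The block below is an added example, not code from the presentation, from DFAS or from FISCAM, of how an auditor can test a change log against those requirements once it has been exported. The log rows, user names and approver role are constructed; the hypothetical system is assumed to record an entering user, an approving user and whether the change has been committed.

```python
"""Added example (not from the deck, DFAS or FISCAM): audit-trail and
authorization test over a constructed change log for a hypothetical
property management system."""

# Constructed role assignment: users authorized to approve property changes.
APPROVERS = {"jsmith", "rlee"}

# Constructed change-log rows. Each row records who entered the change and who
# approved it, which is what requirement 03.01.43 asks the audit trail to hold.
CHANGE_LOG = [
    {"change_id": 1, "asset": "A-001", "field": "location", "old": "B12", "new": "B14",
     "entered_by": "mgarcia", "approved_by": "jsmith", "committed": True},
    {"change_id": 2, "asset": "A-002", "field": "cost", "old": "1000.00", "new": "100.00",
     "entered_by": "jsmith", "approved_by": "jsmith", "committed": True},   # self-approved
    {"change_id": 3, "asset": "A-003", "field": "custodian", "old": "ops", "new": "fin",
     "entered_by": "tchen", "approved_by": None, "committed": True},        # no approval
    {"change_id": 4, "asset": "A-004", "field": "status", "old": "active", "new": "disposed",
     "entered_by": "mgarcia", "approved_by": "tchen", "committed": True},   # approver lacks role
    {"change_id": 5, "asset": "A-005", "field": "location", "old": "C1", "new": "C2",
     "entered_by": "", "approved_by": "rlee", "committed": True},           # entering user blank
    {"change_id": 6, "asset": "A-006", "field": "cost", "old": "500.00", "new": "550.00",
     "entered_by": "tchen", "approved_by": None, "committed": False},       # still pending
]


def check_change(row, approvers):
    """Return the list of control exceptions for one change-log row."""
    exceptions = []
    entered, approved = row.get("entered_by"), row.get("approved_by")
    # Audit trail must identify the individual who entered the data (03.01.43).
    if not entered:
        exceptions.append("no entering user recorded")
    # Only committed changes need an approval; pending ones are still in the queue.
    if row["committed"]:
        if not approved:
            exceptions.append("committed without approval")
        elif approved not in approvers:
            exceptions.append("approver does not hold the approver role")
    # Segregation of duties: the same person may not both enter and approve.
    if approved and approved == entered:
        exceptions.append("entered and approved by the same user")
    return exceptions


def audit_trail_exceptions(log, approvers):
    """Map change_id -> exceptions for every row that has at least one."""
    result = {}
    for row in log:
        ex = check_change(row, approvers)
        if ex:
            result[row["change_id"]] = ex
    return result


def exception_rate(log, approvers):
    """(rows with exceptions, rows tested), for the sample-level conclusion."""
    return len(audit_trail_exceptions(log, approvers)), len(log)


if __name__ == "__main__":
    for cid, ex in audit_trail_exceptions(CHANGE_LOG, APPROVERS).items():
        print(f"change {cid}: {'; '.join(ex)}")
    print("exception rate: %d of %d" % exception_rate(CHANGE_LOG, APPROVERS))
```

On the constructed log, changes 2 through 5 each fail exactly one test (self-approval, missing approval, unauthorized approver, blank entering user) while the pending change 6 is correctly left alone; the approver list would normally be pulled from the system's role table rather than hard-coded, and the same test applies unchanged to a configuration-change log under CM-3.1.2.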

Page 21: Auditing Information Technology -  Financial System Issues

Enforcement of Controls

• Configuration Management Plan

• Security Policy/Plan (NIST)

• Access Control Process

• Transactional Testing

• Service Level Agreements

Page 22: Auditing Information Technology -  Financial System Issues

Other Audit Ideas

Software Change Order Requests
Sanitization of Assets Turned in for Disposal
Architectures – Enterprise, Systems, Network
Network Security
Ports and Protocols
Wireless Network Security
Look for economies and efficiencies
Process on data at rest
Use of USB drives and portable devices
Network Scans

IT Audit - Ideas

Page 23: Auditing Information Technology -  Financial System Issues

FSD IT Audit – Key Docs

GAO 09-232G FISCAM, 2009
http://www.gao.gov/new.items/d09232g.pdf

DFAS 7900.4-M, 2011 (DFAS Blue Book)
http://www.dfas.mil/dfas/fmcoe/bluebook.html

AICPA Standards, continuous updates
http://www.aicpa.org/Pages/Default.aspx

National Institute of Standards and Technology
http://www.nist.gov/index.html

Carnegie Mellon Software Maturity Model
http://www.sei.cmu.edu/

Carnegie Mellon Software Engineering Process

Institute of Electrical and Electronics Engineers (IEEE)

Financial Integration Systems Office (FSIO)

Department of Defense and Air Force directives

Various Industry Best Practices

Page 24: Auditing Information Technology -  Financial System Issues

Agenda

1. Objective
2. Background - Criteria
3. The IT Portfolio
4. Financial Info Structure
5. GAAP/GAGAS
6. Enforcement of System Controls
7. Wrap-Up

Page 25: Auditing Information Technology -  Financial System Issues

Questions and Comments

Bruce Headrick, Program Manager, 334-416-4241; DSN 596-4241