Tuesday, December 31, 2013

IT is a valuable asset for businesses

Information technology (IT) is one of the most valuable, yet often least understood assets in a business. It takes an insightful enterprise to recognise the benefits of information technology and use it to drive stakeholder value.
Moreover, successfully managing information technology in a business also means understanding and mitigating the risks associated with it, including increased regulatory compliance and the critical dependence of many business processes on information technology.
Catherine Berry, senior underwriter: Financial and Professional Lines at Camargue explains further: “IT Governance falls under the mandate of a business’ executives and its board of directors. The King Code on Corporate Governance states that IT risk should form an integral part of an organisation’s risk management plan.”
The role of information technology in the economic and social prosperity of the country is expounded in the Electronic Communications and Transactions Act No. 25 of 2002.
“The Act strives to ensure that electronic transactions in South Africa conform to the highest international standards; and that a safe, secure and effective environment for the consumer, business and government is developed wherein electronic transactions can be conducted and utilised,” Berry explains.
To achieve this, the Act seeks to ensure compliance with accepted international technical standards in the provision and development of electronic communications and transactions.
To this end, the long awaited Protection of Personal Information (POPI) Bill aims to bring South Africa in line with international data protection laws.
Berry predicts that the impact of this legislation will be far reaching, with a significant impact on the manner in which companies collect, store, use and disseminate personal information. In addition, King III recommends that formal disaster recovery and contingency planning should form a vital part of good corporate governance practices.
“As the online environment becomes ever more complex, it has become almost impossible for businesses to address all the risks inherent in operating a computer network. Moreover, as technology evolves, so the crimes associated with it become increasingly complex.
“As such, the importance of prioritising risk management procedures specific to a business’ information technology structures cannot be more highly emphasised,” Berry insists, adding that these procedures are an integral part of combating and mitigating the effects of cybercrimes.
Berry argues that despite the fact that society has adapted quickly to sophisticated technology, a startling majority of small to medium sized enterprises do not have formal disaster recovery or business continuity procedures in place.
“Perhaps this avoidance is due to the complexity of information technology systems. It could also be that smaller businesses are reluctant to hire outside professionals to assist with compiling such contingency plans,” she surmises.
Whatever the reasons, it has become clear that it is no longer sufficient to rely on back-up drives alone – particularly if these are stored on the premises. Indeed, the more reliant an organisation is on its computer network and systems, the more complex its risk management programme is likely to be.
To this end, IT service providers are positioned not only to provide expert advice, but also to assist with the compilation of a comprehensive information technology strategy, including costing analysis and budgeting.
“There is a wealth of information that is freely available and easy to obtain that can be used to assist a business to conduct a risk assessment and prepare an information technology risk management framework,” Berry points out.
For example, the Information Systems Audit and Control Association (ISACA) has compiled a Control Objectives for Information and Related Technology (COBIT) framework which specifically addresses information technology management and IT governance.
Furthermore, the PCI Security Standards Council incorporates and cites a number of methodologies that are available to assist organisations in developing their risk assessment process: the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
“In this climate, business managers who have not implemented sufficiently detailed disaster recovery and business continuity plans are not only in contravention of good corporate governance, but are also placing the business in a precarious position that responsible management would not risk,” she concludes.
Camargue is an underwriter of niche insurance products and a provider of risk management solutions to a broad spectrum of industries in southern Africa. Camargue’s unique M3 approach focuses on managing, mitigating and migrating critical business risks.

Risk appetite – inputs and outcomes

Part two in a three part series by Dr David Hillson and Ian Huntly, CEO of Rifle-Shot Performance Holdings.
We have seen that risk appetite is an internal tendency within an individual or a group and that it cannot be seen or measured directly. It represents a hunger for risk in a given situation, a desire or drive to take on a certain level of risk exposure. But where does this internal tendency come from? What influences risk appetite?
One obvious input to risk appetite is the situation that is being faced. Risk appetite does not exist in a vacuum or in isolation. It is defined as “tendency of an individual or group to take risk in a given situation”, so clearly that situation is influential.
In fact it is not just the situation in general that influences risk appetite, but the specific objectives that an individual or organisation wishes to achieve in or from that situation. For a project manager, the situation is the project, and the objectives are the project objectives.
In addition to the situation and its associated objectives, there are two other factors that influence risk appetite. Both of these are to do with people, which is unsurprising since risk appetite is an internal tendency. The first factor relates to individuals and the other arises from the group context:
* On the individual side, the appetite for risk in a particular situation is affected by the general tendency of each individual to take risk in any circumstances. This is called risk propensity, and it in turn is driven by a range of risk-related personality traits, or innate motivations, known as risk preferences.
* Another influence on risk appetite is the culture of the group or organisation in relation to risk, describing the set of shared beliefs, values and knowledge that a group has about risk. This is called risk culture, and it results in a set of norms and behaviours that are naturally adopted by the group when situations are faced that are perceived as risky and important.
One interesting fact to notice about these inputs to risk appetite is that they are all internal, and they are not chosen by the individuals separately or by the group acting together; they simply are what they are. The effect of individual risk propensity and corporate risk culture on risk appetite is subtle and invisible; it is essentially unmanaged, and it cannot be seen or measured externally.
The resulting risk appetite therefore arises unconsciously and without the deliberate choice or intentional intervention of the individual or group concerned. That is why we describe risk appetite as a tendency – because it is internal and unmanaged.
As well as considering the inputs that affect risk appetite, we should also look at its outcomes. Just as we have no units to measure or describe physical appetite, the same is true for risk appetite. We also need an external proxy for risk appetite, something that can be seen and measured objectively. This role is taken by risk thresholds, which are external expressions of risk appetite.
And just as risk appetite is defined in terms of the objectives associated with a specific situation, risk thresholds are expressed in the same way. There should be a risk threshold set for each objective, reflecting the overall risk appetite in the situation.
Once we have defined risk thresholds for a given situation (how much risk we are willing to take), we can then compare these with the overall risk capacity of the organisation to bear risk, either in this specific situation or in aggregate. This will tell us whether our risk appetite can be fully satisfied or not. We might find that our appetite for risk leads us to set risk thresholds that exceed our capacity to take risk.
This could lead to a problem if left unmanaged, since we might end up taking on too much risk, exceeding our risk capacity. Alternatively our risk appetite may lead us to be too cautious, setting low risk thresholds which are well within our risk capacity, and which do not stretch or challenge the organisation or make best use of its resources.
Considering inputs first, the chosen risk attitude is influenced by the perception of the degree of risk exposure associated with a given situation, and risk perception in turn is affected by a complex web of factors, referred to as the “triple strand” of influences (conscious, subconscious and affective factors).
It is common to speak about only a few specific risk attitudes, such as risk-averse, risk-seeking, risk-tolerant or risk-neutral. But in fact risk attitude exists on a continuous spectrum with an infinite number of possible positions. Faced with a given risky situation, a particular individual or group might exhibit a risk attitude anywhere on this spectrum.
Turning to outputs from risk attitude, two things are important in the context of making decisions in risky and important situations. The first is that our attitude to risk affects the degree of risk we are willing to take, as expressed in risk thresholds.
Clearly if we are comfortable with the perceived exposure to risk (i.e. our attitude is risk-seeking) then we will wish to set higher risk thresholds than if we are uncomfortable with the uncertainty (risk-averse).
But the influence of risk attitude is much wider than simply affecting the chosen level for risk thresholds and tolerances – it also affects our risk actions. In fact every action we take in relation to the perceived level of risk exposure is driven by our position on the risk attitude spectrum. Each step in the risk process is affected by the risk attitude we adopt in the situation, including:
* Identifying threats and opportunities;
* Assessing and prioritising identified risks; and
* Selecting and implementing appropriate risk responses.
Our risk actions modify the degree of risk exposure associated with the situation, leading to a revised perception of risk. As a result we may wish to change our risk attitude, to give us the best chance of achieving our objectives in the light of the new risk challenge that we now face. So in fact there should be a cycle between the current level of risk exposure, our chosen risk attitude, and the risk actions we take.
Changing risk attitude is a simple matter of making a different choice. Earlier work (Murray-Webster & Hillson, 2008) has described how applied emotional literacy can be used to modify risk attitude in an intentional way, using a framework called the “Six As” model.
This starts with “awareness” of the existing risk attitude that we have initially chosen in a given situation, together with “appreciation” of the factors that have influenced that choice. Next we “assess” whether the risk attitude is helping us to achieve our goals or not.
If the existing risk attitude is assessed as being “appropriate”, then we “accept” it and continue without change. But if a change in risk attitude is required, then we “assert” the need for change and take “action” to modify our chosen risk attitude.

Why companies need IT to combat fraud

Information technology is an essential tool for combating fraud. Without using the predictive power of analytics, it isn’t possible to prevent fraud before it happens, says Colin Hill, senior solution manager, Financial Crimes and Risk Solutions, SAS South Africa.
The majority of large companies have fraud budgets in place. These budgets are not, as you might expect, for detecting or combating fraud, but rather, simply, for absorbing the costs of fraud when it is committed.
I’ve had risk managers proudly tell me that they are within their fraud budget for the year, which is a disingenuous comment for them to make, considering that a fraud budget that allows for “acceptable” levels of fraud is nothing to be proud of – even if the department comes in under budget.
Of course, anti-fraud measures do exist, but they tend to take the form of careful screening of job applicants and customers, and educational campaigns. None of these are utilising the vast potential of technology to detect – but more importantly to prevent – fraud, and to protect the reputation of the business.
There are three key areas in which technology can make a difference:
Prevention
Fraud perpetrators are becoming more sophisticated. Fraud syndicates have state-of-the-art technology and extremely qualified computer programmers and statisticians. In addition, the latest Kroll report published in the United States indicates that 60% of fraud committed has an internal link in the organisation.
If you take all of this into account, it's absolute madness that organisations aren't dedicating the same levels of expertise and technology to preventing and combating internal and external fraud. If a company's controls and mechanisms are not of the latest design, this could mean that its multiple layers of firewalls and authentication are not of a high standard.
Hackers could get into the systems, and transact, steal information or even destroy the systems. Antivirus software and detection controls should be in place and should be tested regularly by external parties specialising in hacking prevention.
Only reporting the number of attacks, and having a budget in place to absorb the fraud is leaving the company open to repeated attacks, and doing nothing to solve the ongoing problem.
The impact of fraud on a company is more than just a financial loss; it reaches much wider than the ability to detect the fraud and catch the perpetrator. Impacts on the company's strategic objectives, its customers, its data handling capability, its risk management process, its compliance risk and so on should be assessed as well.
Detection
It seems like a no-brainer to say that an organisation should have mechanisms in place to detect fraud. But many organisations still use the outdated model of understanding the modus operandi of a fraudster who has been caught and questioned, and using this set of rules to pick up similar activities.
The chances of another fraudster using the same mechanisms are very slim. Instead, companies should be using advanced statistical methods to scroll through large amounts of data in a short period of time and alert the business to possible acts of fraud. These methods don’t rely on previous incidents of fraud, but rather on detecting behaviour that is out of the ordinary.
The big question here is: can you do this in a big data environment, and at what cost and speed?
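The contrast the section draws, between a rule learned from a caught fraudster's modus operandi and statistical detection of behaviour that is out of the ordinary, as an added Python example that is not from the original article or from SAS; the transactions, the legacy rule and the alerting thresholds are all constructed for illustration:

```python
"""Constructed example: rule-based versus behavioural fraud detection.

The legacy detector encodes one known modus operandi. The behavioural
detector builds a per-account baseline and flags departures from it,
so it needs no prior incident that looks like the new fraud.
"""
from collections import defaultdict
from statistics import median

# Constructed sample transactions: (account, amount, hour_of_day).
# Account A has a steady pattern. Account B has a small, regular pattern
# followed by two large early-morning transfers that match no known rule.
TRANSACTIONS = [
    ("A", 120.0, 10), ("A", 95.0, 12), ("A", 130.0, 14), ("A", 110.0, 9),
    ("A", 125.0, 11), ("A", 105.0, 13), ("A", 115.0, 10), ("A", 100.0, 12),
    ("B", 40.0, 9), ("B", 45.0, 11), ("B", 38.0, 13), ("B", 42.0, 10),
    ("B", 41.0, 12), ("B", 39.0, 14), ("B", 2400.0, 3), ("B", 2550.0, 3),
]


def legacy_rule(amount, hour):
    """Hypothetical rule taken from a previously caught fraudster:
    amounts kept just under a 1000 reporting threshold, between 00:00 and 05:00."""
    return 900.0 <= amount < 1000.0 and 0 <= hour < 5


def rule_based_alerts(transactions):
    """Flag only transactions matching the known modus operandi."""
    return [t for t in transactions if legacy_rule(t[1], t[2])]


def robust_z(values):
    """Modified z-scores using the median and the median absolute deviation.

    Median and MAD are used instead of mean and standard deviation so that
    the anomalies themselves do not inflate the baseline they are compared to.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # every value identical: nothing can be called unusual
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def behavioural_alerts(transactions, threshold=3.5):
    """Flag transactions whose amount or timing departs from the account's
    own history. 3.5 is the conventional cut-off for modified z-scores."""
    by_account = defaultdict(list)
    for t in transactions:
        by_account[t[0]].append(t)
    alerts = []
    for txs in by_account.values():
        amount_scores = robust_z([t[1] for t in txs])
        hour_scores = robust_z([t[2] for t in txs])
        for t, z_amount, z_hour in zip(txs, amount_scores, hour_scores):
            if abs(z_amount) > threshold or abs(z_hour) > threshold:
                alerts.append(t)
    return alerts


def compare_detectors(transactions):
    """Return how many transactions each approach would raise for review."""
    return {
        "rule_based": len(rule_based_alerts(transactions)),
        "behavioural": len(behavioural_alerts(transactions)),
    }


if __name__ == "__main__":
    print("legacy rule alerts:", rule_based_alerts(TRANSACTIONS))
    print("behavioural alerts:", behavioural_alerts(TRANSACTIONS))
    print(compare_detectors(TRANSACTIONS))
```

On this data the legacy rule raises nothing, because the new pattern does not resemble the old one, while the per-account baseline flags both large early-morning transfers on account B.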
Risk management
Many organisations do not show fraud as a line item on their balance sheet – it is often hidden in credit losses or some operational loss. But fraud isn’t only a financial loss or a broken control that needs to be evaluated as part of the operational risk management process.
Any individual customer’s loss due to fraud, as well as any massive company-wide breach is a threat to a company’s reputation. Businesses are failing to measure the impact on their customers, their reputations and their entire business models of leaving themselves open to fraud by budgeting for it rather than detecting and preventing it.
Customers need to feel safe, and they need to be confident that their information is protected.
Simply put, not having the proper technology in place to detect and prevent fraud before it happens is leaving companies vulnerable, allowing fraudulent activities to continue and fraudulent employees to keep their jobs, and leaving customers feeling insecure about their assets and personal information.

Risk-based internal auditing best practices

In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organisation’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimise and mitigate risks for the organisation. 
These discussions should also include leadership from the legal, compliance and risk management functions, if they are not already a part of the senior leadership team.
This is according to Sheryl Vacca, senior VP and chief compliance and audit officer at the University of California (UC), and Ian Huntly, CEO of Rifle-Shot Performance Holdings, representatives in sub-Saharan Africa of SoftExpert, a market leader in software and services for enterprise-wide business.
This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behaviour.
Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an on-going performance management process to address any noncompliance.
Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:
* Assessment and prioritisation of risks, conducted enterprise-wide;
* Development of a risk-based auditing and monitoring plan;
* Execution of a corrective action plan developed by management to mitigate risks and/or resolve risks; and
* Periodic assessment of the overall process for effectiveness.
Risk assessment
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organisation from achieving its objectives. According to the COSO model, risk is viewed in four major areas:
* Operational (processes and procedures);
* Financial (data rolling up to internal/external statements);
* Regulatory (federal, state, local, organisational policy); and
* Reputation (institutional).
There are several ways in which risk assessments in these areas can be conducted. These include the use of:
* Focus groups to assist in the identification of risks;
* Interviews of key leadership and the board;
* Surveys; and
* Reviews of previous audit findings, external audits conducted in the organisation, and identifying what is occurring within the industry and the local market.
Once risks have been identified, a prioritisation process is needed to identify the likelihood of the risk occurring, the ability of management to mitigate risk (that is, are there controls in place for risk, regardless of the likelihood of those risks of occurring), and the impact of risk on the organisation.
Risk prioritisation is an on-going process and should include periodic reviews during the year to ensure that previous prioritisation methods, when applied in real time, are still applicable for the risk.
It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities.
Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.
Developing the plan
Risk assessments and prioritisation are important elements in the development of a risk-based auditing and monitoring plan. Considerations related to the plan should also include:
* Review of other business areas in the organisation which may be conducting an audit or monitoring activity in this area;
* Resources available to implement plan;
* Hours needed to complete the plan;
* Projected timeframes;
* Defined auditing or monitoring activities and determination as to whether they are outcomes or process oriented; and
* Flexibility incorporated into the plan to address changes in risk priorities and possibly unplanned compliance risks/crises which may need an immediate audit or monitoring to occur.
The process of risk assessment continues through the execution of the plan where the engagement objectives would reflect the results of the risk assessment. Risk-based auditing and monitoring is on-going and dynamic with the needs of the organisation.
Execution of the plan
Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as users execute the plan. The framework for these activities should include the following actions:
* Set the purpose and goal for the activity (audit or monitoring);
* Conduct initial discussion with the business area for input related to audit attributes, timing and process;
* Finalise the approach and attributes;
* Conduct the activity;
* Identify preliminary findings and observations;
* Provide an opportunity for findings and observations to be validated by the business area;
* Finalise the report;
* Identify processes for the follow-up after management has taken corrective action related to activity findings and observations;
* Data collection and tracking are critical because they provide trend analysis and measurement of progress; and
* Determine the key points of activity that may be provided to leadership and/or in reporting to the board.
The overall process of developing the audit and monitoring plan should be documented. This would include a description of how the risk assessment was conducted and the methodology for prioritisation of risks. Working papers to support the audit findings, reports, and corrective action plans should be documented and filed appropriately.
Prior to the audit activity, be sure to define and document what should be considered as part of the working papers.
At the end of each plan year, it is important to conduct an evaluation of the overall effectiveness of the plan. Questions to consider may include:
* Was the plan fully executed?
* Were appropriate resources utilised for the plan’s execution?
* Were the activities conducted in a timely manner?
* Did the plan “make a difference” in regard to the organisation’s strategy and business?
* Did the plan reach the goal of detecting, deterring, and/or preventing compliance research risks from occurring?
Annual evaluations may be conducted through self-reviews or independently of the internal audit function by a third party, that is a peer review conducted with auditors from other organisations, Quality Assessment Review conducted according to IIA standards (every five years), etc.
However, while self-reviews are less resource intensive, it is recommended that an independent review be conducted at least every other year to assess the effectiveness of auditing and monitoring efforts.

How to move a company to SOX Compliance?

In this topic, I'll be sharing with you some basic requirements which a company should consider when going for SOX compliance.

Please share in case you have other tips to add.

Step 1: Embedding compliance firmly in ongoing operations will require:

• an organizational structure with clear accountability,
• an efficient operating structure, and
• an enabling technology structure

Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:

• Identify significant business units, financial statement accounts and related processes
• Update or create process-flow documentation
• Assess risks related to financial reporting and identify control activities in place to address those risks
• Validate processes and controls via walkthroughs or other means
• Develop and execute test plans
• Evaluate test results and remediate design and/or operating control deficiencies where necessary

Step 3: A typical company having accomplished this successfully would now have the following areas addressed:

• basic documentation in place,
• key controls identified,
• test plans developed and,
• most importantly, control issues that needed remediation

Step 4: How to establish a mechanism that both confirms the evaluation of DC&P (Disclosure Control & Procedures) on a quarterly basis to support the Section 302 certification, and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal controls over financial reporting operate effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&P as of quarter-end. Section 302 also requires management to report material changes to its internal control over financial reporting). Given the level of regulatory oversight, this is a decision that should not be taken lightly. Alternatives can be:

• Although testing is not specifically prescribed in order to comply with the requirements of Section 302, executing test plans throughout the year, allowing for timely recognition of control issues, remediation and retesting, if needed, as well as for the updating of the control evaluation at year-end can be an option. Through testing, management attains comfort with regard to quarterly reporting, while at the same time accomplishing the work required for the year-end assertion.
• Perform tests quarterly for higher-risk processes and controls, supplemented by self-assessments for other processes.
• A third possibility is to rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&P.
Complicating consideration of these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. Choosing from among these alternatives is dependent on management’s comfort with the alternatives. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal

Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. These can be classified into three major categories:

• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business.
• An operating structure that facilitates cost-effective and streamlined processes for execution of Sarbanes-Oxley requirements.
• A technology support structure that supports the efficiency and effectiveness of compliance processes

Step 6: Accountability Structure
The accountability structure needs to:
• Define ownership of the design and operation of controls within the organization
• Create the appropriate tone at the top to reinforce delegation without allowing abdication.
• Define appropriate organizational roles and responsibilities
• Communicate what people are supposed to do and
• Reinforce accountability to ensure that they do it.

Key Traits of a Successful IT Auditor

As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:

Ability to dig into technical details without getting lost in those details.

Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job: you need people who can really think through a process or technology and frame up the risk to the company.

Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson's terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.

The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies.

Willingness not to be touching a specific technology daily. It's important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won't be acting as the administrator of a production Unix box, managing routers, etc.

The Internal Audit Process from A to Z: How It Works!

Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the auditor. I see quite a few audit organizations that include a Web-based explanation to their clients how the audit process works. The purpose of providing this page is for those audit organizations that have not explained to their clients how, in general, the audit process works. It also is designed to provide a resource for sharing tools and techniques for each of the distinct phases of the audit process. If you have tools or resources that you would like added to these pages please send them to editor@auditnet.org.

Thanks to Terry Radke, Director Indiana University - Internal Audit for allowing AuditNet® to "borrow" the audit process description they use for their customers. I also added links to other sites to help illustrate or clarify the process.

Audit Process
Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department's usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. Following are some sample flowcharts of the process from other organizations that you may find helpful:

Central Queensland University Internal Audit Process
European Space Components Internal Audit Procedure guide includes a flow chart of the audit process.
University of Illinois Audit Process Flowchart

Planning

During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.

Announcement Letter

The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.

Initial Meeting

During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.



Preliminary Survey

In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information.



Internal Control Review

The auditor will review the unit's internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design the tests to be performed during fieldwork.



Audit Program

Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.






Fieldwork

The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.



Transaction Testing

After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase.



Advice & Informal Communications

As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises.



Audit Summary

Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft.



Working Papers

Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.









Audit Report

Our principal product is the final report, in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.



Discussion Draft

At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference.



Exit Conference

When audit management has approved the discussion draft, Internal Audit meets with the unit's management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comments on the draft and the group works to reach an agreement on the audit findings.



Formal Draft

The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.



Final Report

Internal Audit prints and distributes the final report to the unit's operating management, the unit's reporting supervisor, the Vice President for Administration, the University Chief Accountant, and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Internal Audit Director is required for release of the report outside of the University.



Client Response

The client has the opportunity to respond to the audit findings before the final report is issued; that response can be included in or attached to the final report. If the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client's written response to the report recommendations.







In the response, the client should explain how report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit's final report.



Client Comments

Finally, as part of Internal Audit's self-evaluation program, we ask clients to comment on Internal Audit's performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients' suggestions.






Audit Follow-Up

Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.



Follow-up Review

The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.



Follow-up Report

The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to Indiana University. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate.






Internal Audit Annual Report to the Board

In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also be communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.






The Process: A Collaborative Effort

As pointed out, during each stage in the audit process--preliminary review, field work, audit reports, and follow-up--clients have the opportunity to participate. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication.



Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit's operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.






Read more: http://www.auditnet.org/process.htm#ixzz0vefY1tZG

How to move a company to SOX Compliance?

In this topic, I'll be sharing with you some basic requirements which a company should consider when going for SOX compliance.

Please share in case you have other tips to add.

Step 1: Embedding compliance firmly in ongoing operations will require:

• an organizational structure with clear accountability,
• an efficient operating structure, and
• an enabling technology structure

Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:

• Identify significant business units, financial statement accounts and related processes
• Update or create process-flow documentation
• Assess risks related to financial reporting and identify control activities in place to address those risks
• Validate processes and controls via walkthroughs or other means
• Develop and execute test plans
• Evaluate test results and remediate design and/or operating control deficiencies where necessary

Step 3. A typical company having accomplished this successfully would now have the following areas addressed:

• basic documentation in place,
• key controls identified,
• test plans developed and,
• most importantly, control issues that needed remediation

Step 4: Establish a mechanism that both confirms the evaluation of DC&P (Disclosure Controls & Procedures) on a quarterly basis to support the Section 302 certification, and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal controls over financial reporting operate effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&P as of quarter-end. Section 302 also requires management to report material changes to its internal control over financial reporting.) Given the level of regulatory oversight, this is a decision that should not be taken lightly. The alternatives are:

• Although testing is not specifically prescribed in order to comply with the requirements of Section 302, executing test plans throughout the year, allowing for timely recognition of control issues, remediation and retesting, if needed, as well as for the updating of the control evaluation at year-end can be an option. Through testing, management attains comfort with regard to quarterly reporting, while at the same time accomplishing the work required for the year-end assertion.
• Perform tests quarterly for higher-risk processes and controls, supplemented by self-assessments for other processes.
• A third possibility is to rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&P.
Complicating consideration of these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. Choosing from among these alternatives is dependent on management’s comfort with the alternatives. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal

Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. These can be classified into three major categories:

• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business.
• An operating structure that facilitates cost-effective and streamlined processes for execution of Sarbanes-Oxley requirements.
• A technology support structure that supports the efficiency and effectiveness of compliance processes

Step 6: Accountability Structure


The accountability structure needs to:
• Define ownership of the design and operation of controls within the organization
• Create the appropriate tone at the top to reinforce delegation without allowing abdication.
• Define appropriate organizational roles and responsibilities
• Communicate what people are supposed to do and
• Reinforce accountability to ensure that they do it.

Why Are We Here? (The Internal Audit Department's Mission)

Before we can develop an effective internal audit department, we must first come to an understanding of the department's purpose. Why does the internal audit department exist? What's the end goal?


Is our purpose to issue reports? To raise issues? To make people look bad? To show how smart we are and how dishonest, incompetent, and corrupt the rest of the company is? To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors? Hopefully, it's obvious that none of these are the right answer. Sadly, though, you will find that many (perhaps most) internal audit departments function as if one or more of these items are the answer. Many audit departments spend their existence in adversarial relationships with the rest of the company, keeping themselves comfortably removed from and "independent" of everyone else. Unfortunately, such departments are missing the point and failing to realize the potential benefits that they could be providing to their companies.

Most audit departments were formed by the company's audit committee (a subset of the board of directors) for the purpose of providing them with independent assurance that internal controls are in place and functioning effectively. In other words, the audit committee wants a group that it can trust to be objective enough to tell it if there is anything the committee should be worried about. The committee wants to have someone it can trust to tell it what's "really going on" in the company. The committee wants someone it can trust to turn in all the evildoers in the company who refuse to implement internal controls. Internal audit departments usually report directly to the chairman of the audit committee, so they feel protected from blowing the whistle on the hordes of dishonest managers who surely have infested the company.

We cannot lose sight of this very important function. Despite the levity in the preceding paragraph, it is absolutely essential that the audit committee have eyes and ears within the company that can tell it what, if anything, it needs to be worried about. This is critical for the committee's ability to function and serve the company's shareholders. It also should be noted that most companies' audit departments dual report to an executive within the company, such as the chief executive officer (CEO) or the chief financial officer (CFO). We'll discuss later some implications of this reporting relationship, but for now, let's agree that this indicates that senior management is interested in the state of the company's internal controls, just like the audit committee. Therefore, I think we can comfortably establish that one of the internal audit department's key functions is to provide an objective body that the audit committee and senior management can go to, to find out if there's anything bad going on in the company from an internal control perspective. From an IT perspective, this means that audit committee and senior management want to be able to ask such questions as, "Are our firewalls really secure?" and "Is our plan to collaborate and share networks with our biggest rival going to expose us to any security concerns?" and believe that they will get an honest answer.

Therefore, can we say that the function of the internal audit department is to report internal control issues to the audit committee and senior management (or provide them with assurance that there are no issues)? The answer is, "Sort of." This is certainly an important role for the audit department to play. However, if we stop there, we are not getting the whole picture. We haven't totally missed the boat; it's more like we showed up as the boat was pulling away from the dock, jumped to catch it, and currently are hanging from the outside railing, holding on for dear life.

But why are we really here? What's the value of reporting issues? Merely reporting issues accomplishes nothing, except to make people look bad, get them fired, and create additional hatred of auditors. The real value comes when issues are addressed and problems are solved. In other words, reporting the issues is a means to an end. In this context, the end is to improve the state of internal controls at the company. Reporting them provides a mechanism by which the issues are brought to light and therefore receive the resources and attention needed to fix them. If I tell senior management that I discovered a hole in the wall of our most important data center, it may help in my goal of making myself look good at the expense of others, but the hole is still there, meaning that the company is still at risk. It's only when the hole is patched that I've actually done something that adds value to the company (and that's only if the company wasn't already aware of and planning to fix the hole prior to my audit).

Therefore, the real mission of the internal audit department is to help improve the state of internal controls at the company. Admittedly, this is accomplished by performing audits and reporting the results, but we must remember that these acts provide no value in and of themselves. They only provide value when the internal control issues are resolved. This is an important distinction to remember as we develop our approach to auditing and, most important, to dealing with the people who are the "targets" of our audits.

Note: The internal audit department's goal should be to promote internal controls and to help the company develop cost-effective solutions for addressing issues.

In summary, the internal audit department's mission is twofold:
To provide independent assurance to the audit committee (and senior management) that internal controls are in place at the company and are functioning effectively.
To improve the state of internal controls at the company by promoting internal controls and by helping the company to identify control weaknesses and develop cost-effective solutions for addressing those weaknesses.

User Access Non-Compliance is Material Weakness

Given that 60% of CFOs lost their jobs within 3 months of reporting a material weakness, what controls do you have in place? Are they effective?
Q: Was this a one-time deficiency, or was this the result of repeated audits identifying the same deficiency, thus raising it to the level of material weakness?

Most of these are first-time deficiencies and noted as "New Issues" according to the auditor's report (see Blog.Veriphyr.com for the report link).

For example, terminated users who continued to have access rights to applications is discussed on p. 23 and is specifically noted as a "New Issue" and not a "Repeat Issue".
At least one was identified as a "New Issue" even though the weakness had been going on for several years. For instance, on page 37 it is reported that on one application "recertification of accounts was conducted when the application was acquired and brought online at FEMA in FY 2007 and has not been conducted since."
It appears that it was the number and severity of the deficiencies that led them to be "considered a material weakness in IT controls and financial system functionality."
If you have more questions or need more details let me know
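The two findings quoted above (terminated users still holding application access, and accounts recertified once at go-live and never again) are exactly the kind of thing an auditor's fieldwork test reconciles from two data sources. The script below is an added example, not code from the post or the report it discusses: it joins a constructed HR feed against a constructed application user list and flags terminated users with enabled accounts, accounts with no HR owner at all, and accounts whose recertification is missing or older than an assumed 365-day policy interval. The field names and the 365-day interval are assumptions.

```python
"""Access-review test: terminated users with live access, orphan accounts,
and lapsed recertifications. Added example; HR_RECORDS and APP_ACCOUNTS are
constructed sample data and the field names are assumptions, not any
particular system's schema."""
from datetime import date, timedelta

# Constructed HR feed: user_id -> termination date (None means still employed).
HR_RECORDS = {
    "alice": None,
    "bob": date(2012, 11, 30),
    "carol": None,
    "dave": date(2013, 3, 15),
}

# Constructed application user list. last_recertified is when the account's
# owner last confirmed the access was still needed (None = never since go-live).
APP_ACCOUNTS = [
    {"user_id": "alice", "enabled": True,  "last_recertified": date(2013, 9, 1)},
    {"user_id": "bob",   "enabled": True,  "last_recertified": date(2012, 6, 1)},
    {"user_id": "carol", "enabled": True,  "last_recertified": None},
    {"user_id": "dave",  "enabled": False, "last_recertified": date(2013, 1, 10)},
    {"user_id": "erin",  "enabled": True,  "last_recertified": date(2013, 10, 1)},
]


def terminated_with_access(hr, accounts, as_of):
    """Enabled accounts whose owner left on or before as_of.
    Disabled accounts of leavers (dave) are not findings, so they are skipped."""
    flagged = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        left = hr.get(acct["user_id"])
        if left is not None and left <= as_of:
            flagged.append(acct["user_id"])
    return sorted(flagged)


def orphan_accounts(hr, accounts):
    """Enabled accounts with no HR record at all: nobody is there to recertify them."""
    return sorted(a["user_id"] for a in accounts
                  if a["enabled"] and a["user_id"] not in hr)


def stale_recertifications(accounts, as_of, max_age_days=365):
    """Enabled accounts never recertified, or last recertified more than
    max_age_days before as_of. The 365-day interval is an assumed policy value."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(a["user_id"] for a in accounts
                  if a["enabled"]
                  and (a["last_recertified"] is None or a["last_recertified"] < cutoff))


def access_review(hr, accounts, as_of, max_age_days=365):
    """Run all three tests and return the findings keyed by test name."""
    return {
        "terminated_with_access": terminated_with_access(hr, accounts, as_of),
        "orphan_accounts": orphan_accounts(hr, accounts),
        "stale_recertifications": stale_recertifications(accounts, as_of, max_age_days),
    }


if __name__ == "__main__":
    for test, users in access_review(HR_RECORDS, APP_ACCOUNTS, date(2013, 12, 31)).items():
        print(f"{test}: {', '.join(users) or 'none'}")
```

Run against a real extract, the three lists are the population of exceptions the auditor would then sample and trace to evidence (termination tickets, recertification sign-offs). Note that the join is on the HR record, not on the application's own "disabled" flag: a terminated user whose account is merely disabled is not a finding here, but one whose account is still enabled is, regardless of what the application's administrators believed.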

Key Traits of a Successful IT Auditor

As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:

Ability to dig into technical details without getting lost in those details.

Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job; you need people who can really think through a process or technology and frame up the risk to the company.

Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson's terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.

The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies.

Willingness not to be touching a specific technology daily. It's important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won't be acting as the administrator of a production Unix box, managing routers, etc.

Reducing risks on big projects

Big projects (> 1 Million) have too many unknowns. The secret in managing Big projects is to be proactive about knowing what your unknowns are and planning enough room for managing the unknowns. This is the biggest challenge.


Passive management on big projects is a guaranteed recipe for failure.

In the internet startup business this philosophy doesn’t have too many followers. The idea there is to let the business grow organically and let the project be managed based on the demands. Twitter is a good example of that where a concept grew organically very fast and the team behind it had to scale the systems based on the demand.


A Canadian company, http://localads.org, is planning to do the same thing by organically growing a unique concept and taking on the classifieds industry.


How far the concept will be accepted is something to be seen.

Scope Of An Audit

What does it mean?

The term “scope of an audit” refers to the audit procedures that, in the auditor’s judgment and based on the ISAs, are deemed appropriate in the circumstances to achieve the objective of the audit.


- Audit opinion
- Reasonable assurance
- Sufficient appropriate audit evidence
- Audit procedures (based on ISAs)

Audit Evidence:


It is obtained by applying necessary audit procedures. Audit procedures should be based on requirements of ISAs, relevant professional bodies, legislation, regulations, and the terms of the audit engagement and reporting requirements.
Auditing is concerned with the verification of accounting data and with determining the accuracy and reliability of accounting statements and reports. Verification does not mean seeking proof or absolute certainty in connection with the data and reports being audited. It means looking for sufficient evidence; what counts as sufficient depends on what experience and knowledge of contemporary auditing standards tells one is satisfactory.

An auditor obtains audit evidence regarding management’s assertions for the following areas:
a. Existence: an asset or liability exists at the Balance Sheet date. This is an obvious assertion with such items as land and buildings, stocks and others.
b. Rights and obligations: an asset or liability pertains to the entity at the Balance Sheet date. This means that the enterprise has, for example, ownership of an asset. Ownership as an idea is not simple and there may be all sorts of rights and obligations connected with a given asset or liability.
c. Occurrence: a transaction or event took place which pertains to the enterprise during the relevant period. It may be possible for false transactions (e.g. sales or purchases) to be recorded. The assertion is that all recorded transactions actually took place.
d. Completeness: there are no unrecorded assets, liabilities, transactions or events, and no undisclosed items. This is important for all account items but is especially important for liabilities.
e. Valuation: an asset or liability is recorded at an appropriate carrying value. Appropriate may mean in accordance with generally accepted accounting principles, the Companies Act rules and Accounting Standards requirements, and consistent with statements of accounting policies consistently applied.
f. Measurement: a transaction or event is recorded at the proper amount and revenue or expense is allocated to the proper period.
g. Presentation and disclosure: an item is disclosed, classified and described in accordance with the applicable reporting framework. For example, fixed assets are subject to the Companies Ordinance rules and to IAS 16.
An example:
We will look at an item in a balance sheet, bank overdraft Rs. 10,250. In reporting this item in the balance sheet, the directors are making these assertions:
a. That there is a liability to the company’s bankers.
b. That at the balance sheet date this liability was Rs. 10,250.
c. That this amount is agreed by the bank
d. That the overdraft was repayable on demand. If this were not so, it would not appear amongst the current liabilities and terms would be stated.
e. That the overdraft was not secured. If it were secured this fact would need to be stated.
f. That the company has the authority to borrow under its Memorandum and Articles.
g. That a bank reconciliation statement can be prepared.
h. That the bank is willing to let the overdraft continue.


If no item ‘bank overdraft’ appeared in the balance sheet, it would represent an assertion by the directors that no overdraft liability existed at the balance sheet date.

System Risk Management

The main goal of the IT risk assessment is to ensure the normal and uninterrupted processing of your business. This involves normal operation of your application systems, operating systems, network equipment, databases, etc. That is why the IT risk assessment process should be incorporated in every IT process. For example, let's look at the change management process. When you plan to make any change to your IT infrastructure, you should ensure that the change will not negatively impact your normal operation, and that your business will continue to operate and generate money for you. The best way to achieve this goal is to perform a preliminary IT risk assessment for each change to the IT infrastructure (application system changes, database changes, network changes, operating system changes).

When performing an IT risk assessment, consider the following questions:

· How will this change affect existing operations?
· Will we need to disrupt our operations? If so, for how long? What would be the cost of the disruption?
· Which organizational units will be affected?
· How much will this change cost the business?
· How will this change affect the existing hardware?
· How will this change affect the existing software?
· What actions must be accomplished to ensure normal operations after the change is implemented?
· Do we have a complete set of backup data for each affected system?
· Can we restore the previous state of the affected systems in case of failure during change implementation?
All these questions must have appropriate answers while performing an IT risk assessment.
Now let's look at another very important part of our IT processes: the Business Continuity strategy. While creating this strategy you must complete a process called Business Impact Analysis, which identifies all the processes and systems that should be included in the continuity strategy. It is also good practice to complete an IT risk assessment at this stage. In doing so, you need to consider the impact of your current IT systems on your continuity strategy and the impact of the continuity strategy on your IT systems. Such an IT risk assessment can help identify potential weaknesses in the processes which could be exploited in future and cause the continuity of operations to fail.

My personal belief is that today's organizations should always bear in mind the significant impact of modern IT infrastructure on their day-to-day business activities, and they should perform a comprehensive IT risk assessment before making any changes to the existing IT processes and infrastructure.

Your risk assessment procedures must always be formal, and you should retain your IT risk assessment reports for future reference and for resolving any questions that arise later.

Types of SAS 70 Audit

Types of SAS 70 audit: Type I and Type II

Type I audit: the report includes the auditor's opinion on the fairness of the service organization's description of the controls that have been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives, as of a point in time. It does not test whether the controls actually operated.

Type II audit: a more thorough report, because in addition to the description of the controls in place it contains a description of the auditor's tests of the operating effectiveness of those controls over a minimum testing period (usually six months).

Type II adds the testing and observation period. It is more common and often the preferred choice of SAS 70 audit because it is a comprehensive analysis not only of which controls are in place, but of how effectively those controls meet the control objectives.

Note that SAS 70 was superseded in 2011 by SSAE 16 (the SOC 1 report), which retains the same Type I / Type II distinction; a current service-organization report will carry that name rather than SAS 70.

Procedure for Risk Assessment

Step 1:
Risk assessment is conducted for all the business cycles of the company, for every process and sub-process therein.

The exercise should start from the company's Trial Balance.

Step 2: How to identify the business cycles of a company?

What is a business cycle?

A business cycle of a company is basically a functional cycle which covers a process from cradle to grave. It consists of many sub-processes. For example, Purchase to Payable is a business cycle which includes Planning, Vendor Management, Requisition, Ordering, Receiving, Invoicing and Payment. Together these sub-processes make up the Purchase to Payable (P2P) business cycle.

How to identify the business cycles of a company for the purpose of Risk Assessment (for general purpose/Clause 49 compliance/SOX compliance)?

Business cycles should always be identified through the Trial Balance. All the trial balance accounts should be covered by at most 9-10 business cycles. This gives the person doing the risk assessment assurance that every account (whether material or non-material) is covered by one process or another, and that none has been left out.

Generally the common business cycles which every company has are:


Revenue & Receivables, Purchase to Pay, Payroll, Fixed Assets, Treasury & Risk Management, Taxation, General Ledger & Financial Reporting. Check whether all your TB accounts are covered by these cycles.

Other business cycles may depend on the industry type. For example, in a manufacturing company the following cycles may be added: Manufacturing, Inventory & Consumption (MIC) Management, and Order to Cash (in place of Revenue & Receivables).


The Trial Balance is the mirror of a company: it depicts all the activities of the company through financial numbers. Before doing the risk assessment, you first need to know where the risk lies. So first identify the material accounts that give high risk exposure to the company; after identifying such accounts, ascertain which departments and processes feed those numbers; then identify the risks underlying those processes. It is all about hitting the bull's eye.

Step 3:
After identifying the business cycles, we need to identify the sub-processes under each cycle.

For example,
in the Purchase to Payables cycle the sub-processes will be: Procurement Planning & Budgeting, Vendor Selection, Master & Maintenance, Purchase Requisitioning, Ordering, Advance Payment, Receiving, Quality Check, Invoicing, Payments, Credit Notes and Vendor Reconciliation.

Step 4:
Now we need to map the identified sub-processes (corresponding to the respective business cycle) to each account of the Trial Balance.

For example, the Plant & Machinery account falls under the Fixed Asset business cycle and under the sub-processes of Vendor Selection & Maintenance, Requisitioning, Ordering, Receipt of Asset, Capitalization and Depreciation.
This exercise can prove quite cumbersome if one does not know the nature of the accounts and what impact each account has on the financials.
However, the exercise is also useful for identifying any suspense or suspicious accounts.

Step 5:
After identifying the sub-processes within each cycle, we need to understand and identify the basic Control Objectives which we need in a process for it to work smoothly and efficiently. For example, in Fixed Assets Management the control objectives for the Receipt of Assets process can be:

1. To ensure that goods received at the Company's premises are properly recorded in the Inventory records.
2. To ensure that assets received are recorded completely and accurately in the books of accounts.
3. To ensure that duties are adequately segregated between the ordering and receiving functions.
4. To ensure that access to create/update the data in the Fixed Assets Register is restricted to authorized personnel only.

Hence, in this manner we need to know and highlight the objectives on the basis of which we need to institute controls in our system.


Step 6:
After identifying the Control Objectives, we need to identify the Risks against each sub-process corresponding to the control objectives.

Such risks can be of 4 types:

Strategic, Financial, Operational or Compliance.
For example, the risks for the sub-process Receipt of Fixed Assets can be:

1. Assets received may not be properly recorded in the Inventory records.
2. Assets received may not be correctly/completely recorded in the Fixed Assets Register.
3. Duties may not be adequately segregated.
4. Data in the FA Module may be created/updated by unauthorized personnel.
In the same way, the risks for all sub-processes identified under each business cycle need to be documented.


Step 7:
After identifying all the risks against the sub-processes, we need to give each risk a Likelihood Rating.

This means the likelihood that such a risk can occur. It can be defined as:
Rare, Unlikely, Moderate, Likely and Almost Certain.
This rating is given assuming that no controls exist in the company.

Step 8:
Against each risk, depending upon the likelihood rating, we need to give an Impact Rating to each risk.

This means that we need to assess the impact of each risk on 5 parameters: Strategic, Financial, Operational, Legal Compliance and Reputation.
Such impacts can be categorized into:
Severe, Major, Moderate, Minor and Insignificant.
This exercise will help us assess the impact on our process if such risks are not mitigated.

Step 9:
After we have assessed the Likelihood Rating and Impact Rating of a risk, we will be able to assess the Inherent Rating of the risk. (The susceptibility of an account balance or class of transactions to a misstatement that could be material, assuming that there were no related internal controls, is called Inherent Risk (IR).)

Categorization of risks will be High, Significant, Moderate and Low.
For example, if Likelihood is Almost Certain and Impact is Insignificant or Minor, then IR will be Moderate; if Impact is Moderate, then IR will be Significant; and if Impact is Major/Severe, then IR will be High.
Similarly, the permutations and combinations are to be made for the others.


Step 10:
Against each risk, we need to document the As-Is or existing controls which are prevalent in the organization/department.

This means documenting what controls we have in the process to mitigate a risk. These can be approvals, maker-checker controls, segregation of duties etc., depending upon the corresponding risks.


Step 11:
After documenting the Existing Controls, we need to identify and assess the Controls Rating, which can be categorized into Poor, Fair, Adequate and Excellent, i.e. we need to categorize the controls under these four parameters.

This is done by considering the nature of the risk and then assessing whether the Existing Control would be able to fully remove the possibility of such a risk, or would be able to mitigate the risk to some extent or to a great extent.

Though this exercise is judgemental, if one has good knowledge of Best Practices then it becomes somewhat easier.


Step 12:
After we have identified the Inherent Risk (IR) and the Controls Rating (CR), we need to assess the Residual Risk (RR) Rating.

This means that we need to ascertain the left-over risk (if any) after considering the prevalent controls in a process.

For example:
If IR is High and CR is Poor/Fair, then RR will be High;
whereas if IR is High and CR is Adequate, then RR will be Significant;
and if IR is High and CR is Excellent, then RR is Moderate.
Similarly: IR Significant, CR Poor/Fair, RR Significant;
IR Significant, CR Adequate/Excellent, RR Moderate.
In this fashion, all the permutations and combinations can be made.
This will give the management an assurance and an insight into the remaining risks that they need to take care of.


Step 13:
After the residual risks have been identified, the company needs to emphasise the High and Significant risks.

Against such risks the company needs to identify and document Remediation Action Plans to mitigate/resolve such Residual Risks.
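As an added worked example (not from the original post), here is the rating chain of Steps 7 to 13 in Python. It encodes only the Likelihood x Impact and IR x Controls rows the post actually states, leaves every other combination unrated rather than guessing it, and the sample risks with their likelihood, impact and control ratings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Inherent Risk (IR) rows stated in Step 9: Likelihood "Almost Certain" crossed with
# each Impact level. The post leaves the other likelihood rows to the reader, so do we.
INHERENT_RISK = {
    ("Almost Certain", "Insignificant"): "Moderate",
    ("Almost Certain", "Minor"): "Moderate",
    ("Almost Certain", "Moderate"): "Significant",
    ("Almost Certain", "Major"): "High",
    ("Almost Certain", "Severe"): "High",
}
# Residual Risk (RR) rows stated in Step 12: IR crossed with the Controls Rating (CR).
RESIDUAL_RISK = {
    ("High", "Poor"): "High", ("High", "Fair"): "High",
    ("High", "Adequate"): "Significant", ("High", "Excellent"): "Moderate",
    ("Significant", "Poor"): "Significant", ("Significant", "Fair"): "Significant",
    ("Significant", "Adequate"): "Moderate", ("Significant", "Excellent"): "Moderate",
}

@dataclass
class Risk:
    sub_process: str
    description: str
    likelihood: str      # Step 7, rated as if no controls existed
    impact: str          # Step 8
    control_rating: str  # Step 11, rating of the As-Is control documented in Step 10
    inherent: Optional[str] = None
    residual: Optional[str] = None

def score_risks(risks):
    """Fill in IR (Step 9) and RR (Step 12); a pair the post does not state stays None."""
    for r in risks:
        r.inherent = INHERENT_RISK.get((r.likelihood, r.impact))
        r.residual = RESIDUAL_RISK.get((r.inherent, r.control_rating))
    return risks

def remediation_list(risks):
    """Step 13: the High and Significant residual risks that need an action plan."""
    return [r for r in risks if r.residual in ("High", "Significant")]

# Constructed sample: the four Receipt of Fixed Assets risks from Step 6 with
# made-up likelihood, impact and control ratings (not values from the post).
SAMPLE = [
    Risk("Receipt of Assets", "Not recorded in Inventory records", "Almost Certain", "Moderate", "Adequate"),
    Risk("Receipt of Assets", "FA Register incomplete/incorrect", "Almost Certain", "Major", "Fair"),
    Risk("Receipt of Assets", "Duties not segregated", "Almost Certain", "Severe", "Excellent"),
    Risk("Receipt of Assets", "FA Module updated by unauthorized staff", "Likely", "Major", "Poor"),
]
```

Running `remediation_list(score_risks(SAMPLE))` leaves only the FA Register risk (IR High, CR Fair, RR High); the last risk stays unrated (None) because its "Likely" row is not among the combinations the post states.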


This was the whole exercise for conducting a Risk Assessment.

In case you have any other tips, please do share.