Upload
doanmien
View
247
Download
3
Embed Size (px)
Citation preview
Integrated Auditing
of (IT) ApplicationEuroCACS 2009 Session 211
Peter R. Bitterli, CISA, CISMhttp://www.bitterli-consulting.ch
Please observe the copyright: You are allowed to use and further
distribute this presentation only with this copyright notice attached. If you
use parts of this documentation in presentations or other diagrams you
have to refer to the source. Any commercial use of this presentation is
only allowed with written consent of the author.
Abstract (I)Integrated Auditing of IT Applications
Of course, all auditors know exactly how to audit any (IT)
application. At least, that is what they keep telling their
superiors and also their clients. Reality, however, shows a
different picture: Although all major audit companies and also
some audit organization (e.g. ISACA) have a specific
approach to auditing (IT) applications, many auditors out
there in the tough world of real auditing have no idea on how
to start. And if they do start, there is often no coordination
and collaboration between the financial auditor and the IT
auditor, making auditing a highly risking task.
Abstract (II)Integrated Auditing of IT Applications
This session shows a step-by-step approach that has been
developed by the IT Standards Board of the Swiss Institute of
Certified Accountants and Tax Consultants. The “new”
approach has been published in German and also in French
but is in general valid for all types of application auditing in
possibly most countries in the world. The audit approach is
consistent with recently published standards and related
information, such as “IT Controls for Sarbanes Oxley”, but
aims to be easily understandable also by less experienced
auditors.
Learning ObjectivesThe participants will learn about …
The participants will learn about …
• why some of the typical approaches to auditing are a
waste of resources.
• how an integrated approach to application audit
works that combines both financial and IT auditing.
• which audit steps are necessary in such a combined
approach.
• why this audit approach usually leads to a lower
overall audit risk.
Introduction
Increasing ChallengesAuditors have a tough job
• Auditing a company’s financial statements
presents financial auditors with an increasing
number of challenges:
– Rapid development in accounting standards
– Increasingly automated “production” of financial
data
– More and more complex information systems
Value-for-money AuditingAuditors have a tough job
• Audit is required to deliver value-for-money
• Apart from the highly proficient performance
expected from audit staff and management
anyhow, risk-orientation during all audit steps
helps:
– to stay focussed on the critical items and thereby
not waste audit resources (i.e. efficiency)
– to (indirectly) ensure adequate controls for high-
risk situations (i.e. effectiveness)
Risk-oriented AuditingAuditors have a tough job
• It is broadly recognized (and sometimes
required by regulatory bodies) that audit
should be risk-oriented, e.g.
– during the annual audit planning
– during the strategic planning phase for an
individual audit
– during each and every activity of an individual
audit
Risk-oriented
Auditing
• Swiss “Handbook for
the auditing of financial
statements” (HWP):
– Currently valid approach
to auditing (1996)
– 4 major audit phases
– Risk assessment
• is part of audit planning
• is mostly performed by
financial auditors
Risk-oriented AuditingAudit risk is never equal zero
Substantive
Testing
Assess-
ment of
Controls
Assess-
ment of
Entity Level
Controls
•Manual Controls
• IT Application
Controls
• ITGC
Source: Andreas Toggwyler, KPMG;
Kammertagung 2007, Bern
Financial Auditors and ITWhere do financial auditors adequately include IT issues in every aspect of auditing?
• Typically, financial auditors
– don’t include IT issues …
• when doing the overall risk analysis
• when planning audits of specific applications
• when performing audits of specific applications
– or – if the do include IT issues – are
• not experienced enough to really understand the
impact of IT on (automated) business applications
• not willing to relinquish a fair share of their budget to
IT audit
Model behind our Audit ApproachA “Creme Slice” with four layers
IT Infrastructure
Applications
Business processes
Basic IT Systems
“Guide to the Audit of IT Applications”Not a standard, instruction or recommendation – just a “professional communication”
• Developed by the“IT Standards Board of theSwiss Institute of CertifiedAccountants and TaxConsultants”
• Written in– German (May ’08)
• Translated into– French (November ’08)
– English (translated byEuropean Court of Auditors;available June ’09)
AuthorsAll authors have been or still are a member of the IT Standards Board
In alphabetic order
• Peter R. Bitterli, Bitterli Consulting
• Jürg Brun, Ernst & Young
• Thomas Bucher, Deloitte & Touche
• Brigitte Christ, Zurich Financial Services, IA
• Bernhard Hamberger, Ernst & Young
• Michel Huissoud, Swiss Federal Audit Office
• Daniel Küng, PWC
• Andreas Toggwyler, KPMG
• Daniel Wyniger, Swisscom IT Services, IA
Coverage of our ApproachThe presented approach to auditing (IT) applications covers the upper two levels
Controls are the policies, procedures,
practices and organizational structures
designed to provide reasonable assurance
that the business objectives will be
achieved and undesired events will be
prevented or detected and corrected.
Definition
Controls
Definition
Internal Control System (ICS)
Entirety of all methods and procedures used
in a company for ensuring the:
– protection of business assets;
– correctness and reliability of bookkeeping;
– efficient management of the company;
– compliance with the business strategy;
– prevention and detection of errors and irregularities.
Objectives of Audit Activity(Source: COBIT)
• To provide reasonable assurance to the management
that the relevant control objectives are achieved
• To identify significant weaknesses in these
controls
• To document the risk connected with such a weakness
• To advise management on the measures to be
implemented
Definition
Controls/Substantive Testing
Controls testing (compliance testing) are
those audit tests which determine if internal
controls are being applied in a manner
described in the documentation and in
accordance with management‘s intents.
Substantive testing are tests of detailedactivities and transactions, or analyticalreview tests, designed to obtain auditevidence on the completeness, accuracy orexistence of those activities or transactionsduring the audit period.
Approach to
Integrated
Auditing
Objectives of our Approach
• For auditing (IT-based) applications:
– Integrated approach of both auditors and
IT auditors
– Adequately taking into consideration all important
aspects – both non-IT as well as IT
– Audit important IT aspects with significant
influence on the audit objectives
– Minimize the audit risk
Our Approach:
8 Recommended Steps
• Analyze financial state-
ments and related risks
– allows to identify the
important applications
• Examine quality of
control system
– design effectiveness
– operational effectiveness
• Audit of general IT
controls not covered!
Step 1:
Analysis of the
balance sheet
Step 1:
Balance Sheet, Profit & Loss
• Objectives
– Establish which items in
the balance sheet and
the ”profit & loss”
account are relevant
– Identify significant trans-
actions (and transaction
classes) that generate
these items
Step 1:
Identify the Relevant Accounts
• Identification of relevant
accounts
– Carry out risk evaluation
– Consider materiality
– Identify risks that may influence the
annual accounts
Major Accounts
Source: Andreas Toggwyler, KPMG;
Kammertagung 2007, Bern
Step 1:
Identify Important Transactions
• Identification of transactions
– Analyse which transactions or
transaction classes have had the
greatest influence, e.g.
• Carry out data analysis for
“interesting” entries to specific
accounts to indirectly identify which
transactions made these entries
• Work back from main accounts via
main transactions to underlying
business operations
Major Accounts
Material Transactions
Business Activities
Source: Andreas Toggwyler, KPMG;
Kammertagung 2007, Bern
• This backward approach will
exclude the analysis of
unimportant transactions (i.e.
supports audit efficiency)
Step 1:
Reasons for “Backward Approach”
Major Accounts
Material Transactions
Business Activities
Step 2:
Identification of
business processes
and data flow
Step 2:
Business Processes and Data Flows
• Objectives:
– Identify the relevant
business process which
are at the origin of the
transactions and
transaction classes
identified in step 1
– I.e., identify processes
that have direct
influence on the
financial flows
Remark:
A process is defined as a series of
manual, semi-manual or automated
tasks that service to create or process
information, products or services.
Step 2:
Identify Relevant Business Processes
• Identify processes that influence identified
transactions
• Acquire sufficiently detailed understanding of
selected processes
– Routine business processes
– Non-routine financial processes
Step 2:
Questions for Understanding Controls
Some clever questions:
• Who performs the control?
• What exactly is done – and what could go
wrong?
• When, how often and where is the control
performed?
• How will exceptions be treated?
• How will auditability/traceability be
ensured?
Step 2:
Audit Documentation (I)
• Base work on existing documentation, but
amend this where necessary
• Where no documentation is available, the
auditor should build the required
documentation
Step 2:
Audit Documentation (III)
• Document in such a way that the following
types of information are available or can be
amended during later steps:
– Risks
– Key controls
• Also document the processes for handling:
– Parameters
– Master data
Transaction data
Standing Data
Personal data
Payment instructions
HR
Application
Input Data:
# Hours
Expenses
Output Data
Bookings
Salary payments
Other Payments
Application Parameters
Hourly wages
Other Rates
2 Repetitive
Errors
3 Singular
Error
1 Systematic
Errors
Step 2:
Parameters and Standing Data
Source: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Step 2:
Audit Documentation (II)
• Choose a suitable level of detail
• Subdivide complex processes into sub-
processes to reduce complexity
• Remember and accept as fact: There are
many different possibilities for documenting
processes, risks and key controls
Step 2:
Documentation: Tables
Example:
Presentation in table form – suited for simple facts and contexts
Step 2:
Documentation: Processes, Interfaces
Example:
Graphical presentation (process model chart with processes and
interfaces) – suited for complex interactions
Step 2:
Documentation: Processes
Example:
Graphical presentation (process model chart with management,
business and support processes) – suited for complex interactions
Step 2:
Documentation: Processes, Interfaces
Example:
Graphical
presentation (flow
chart) – suited for
complex
interactions
Step 3:
Identification of core
applications and the
most important IT-
related interfaces
Step 3:
Core Applications and IT Interfaces
• Objectives:
– Identification of relevant
IT applications
– Identification of
interfaces of the above
applications
– Establish a detailed
audit scope
– Draw up an audit plan
Step 3:
Core Applications and IT Interfaces
• Draw a map
of the core
applications
Step 3:
Inventory of Financial Applications
• Set up an inventory of financial applications
– Standard applications
– Highly adapted standard applications
– Internally developed applications
• Above distinction is necessary as these
categories have very different risk profiles
Step 3:
Standard Applications
• Standard applications:
– Multitude of relevant inbuilt controls, typically for:
• Validation of input
• Management of processing
• Processing of transactions
• Management of expenditures
– Ensure that the expected checks exist and are
applied
Step 3:
Questions for Standard Applications
• For standard applications, ask the questions:
– What types of standard applications does the
company use?
– Are these standard applications usual in the
sector of activity concerned?
– Are the standard applications certified and by
whom?
– Are these standard applications well-established
in the market?
Step 3:
Questions for Standard Applications
• For standard applications, ask questions
(cont.):
– Do information sources on this application exist,
and, if so, are there known security or other
weaknesses?
– Does the auditor have sufficient personal
knowledge and experience of the application?
Access Control
Source: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Inventory ClosingMicrosoft® Business Solutions–Axapta® 3.0 and Service Packs
Version: 1.0, published: December, 2004
…”Under certain conditions, Microsoft Axapta 3.0 can return incorrect
inventory values in the general ledger as reported from different modules
within Microsoft Axapta.
Customers may also experience issues with running inventory closing
routines at all, due to one or more code issues that can manifest under
specific conditions.
Finally, the value of the inventory as reported from the Microsoft Axapta
Financial Management module may not match the expected value when
customers perform a physical inventory count.”….
Source: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Correctness
CorrectnessSource: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Source: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Source: Michel Huissoud,
Swiss Federal Audit Office;
Kammertagung 2007, Bern
Step 3:
Adapted Standard Applications
• Highly adapted standard applications:
– Although such “components” could be reliable,
more information is required on …
• interaction of these components as such applications
are individually configured for each client
• additional client-specific programming
Technical Environment
Step 3:
Errors in Standard Applications
Core of Standard
Application
Parameters
Errors in the design or programming of
the core functionality
“Add-
ons”
Missing „must“ Functionality
Incompatibility of core to environment
Incompatibility of parameterization of core
Source: Michel Huissoud, Swiss Federal Audit Office;
Kammertagung 2007, Bern
Errors in user handling?
How resistant to errors
should a standard
application be?
Missing “nice to have“
functionality
Material errors during
parameterization
Errors in the add-ons
Incompatibility of core
and add-ons
?
Step 3:
Audit of “Standard” Applications
• Standard application packages not always
reliable – more so for highly adapted
standard applications
• Therefore get informed about:
– Maturity of software version
– Level of parameterization
– Former audit results (of colleagues?)
– Internet forum
– Release documentation
Step 3:
Internally Developed Applications
• Internally developed applications:
– Generally require (much) more audit work
– To save time, the auditor should base his/her
work (if possible) on documented tests within the
company
• If these tests do not exist or are not usable (i.e. test
design or test documentation lacking, errors not
corrected after tests, no formal acceptance by
users,…), the auditor must perform the necessary
tests himself
Step 3:
Outsourced Business Activities
• Outsourcing of activities or business
processes …
– involves additional inherent and audit risks due
to the …
• shared responsibility
• greater technical complexity
• Consider SAS 70 or other relevant audit
standards
Step 4:
Identification of risks
and key controls
Step 4:
Risks and Key Controls
• Objectives:
– Mark out the audit
universe to be
subsequently analysed
– Establish what key
controls mitigate each
relevant risk
– Analyse the impact of
the assertions in the
financial statements
Step 4:
Risks and Expected (Key) Controls
• Identify risks that could lead to material
errors in the financial statements within the
main processes
• Establish expectations in terms of the typical
and expected controls for the risks identified
• Subdivide the controls into key controls and
others
Definition
Key Controls
Remark:
• Key controls are meant to guarantee the
reliability of the process result and the
financial data.
• Key controls constitute the backbone of the
control system and it is therefore essential
that they be checked by the auditor.
Step 4:
Compare Expected to Actual Controls
• The auditor should compare the expected
key controls to the actual key controls
existing in the process concerned
• All important controls related to applications
that have a direct influence on the process
result must be taken into consideration
Step 4:
Different Types of Controls
• Assess these types of
controls together !
Application ControlsIT-Dependent Manual
Controls
Manual Controls Automated Controls
(Purely) Manual Controls
IT General Controls
Application
dependent
controls
Source: Bernhard Hamberger, E&Y;
Kammertagung 2007, Bern
Step 4:
Risks and Key Controls
Source: Accounting Information Systems;
book written by Gelinas, Sutton, Oram
Step 4:
Risks and Key Controls
Source: Accounting Information Systems;
book written by Gelinas, Sutton, Oram
Risk/control matrix (example)
Step 4:
Risks and Key Controls
Risk/control matrix
Step 4:
Risks and Key Controls
Risk/control matrix (example)Source: Michel Huissoud,
Swiss Federal Audit Office
Step 5:
Walk-through
Step 5:
Walkthrough
• Objectives:
– Verify the auditor’s
understanding of the
processes, the relevant
risks and controls
– Thereby confirm the
analysis carried out
beforehand
Step 5:
Depth of Walkthrough
• The depth/degree of detail of a walkthrough
depends on whether the auditor intends to
rely on the existing control system or not:
– If the auditor intends to rely on the controls,
he/she will analyse the individual controls in
detail
– If the auditor does not intend to rely on the
effectiveness of the controls he/she will carry out
a less detailed walkthrough.
Step 5:
Verify During Walkthroughs
• With walkthroughs, the following are
systematically verified:
– Understanding of flows and processing
– The consistency and significance of existing
documentation and flow charts
– The accuracy and completeness of the
information regarding the relevant controls and
– The existence of relevant controls in the day-to-
day routine
Step 5:
Performing Walkthroughs
• The following questions must be taken into
consideration during the walkthrough:
– Who should be asked for explanations of details,
e.g. concerning the field of activity?
– Who/where do existing documents, reports,
flowcharts, screenshots come from?
– What control activity takes place for the
individual activities?
– Is the control implemented to prevent errors or to
discover them?
Step 5:
Performing Walkthroughs
• The following questions must be taken into
consideration during the walkthrough (cont.):
– How is the control implemented (automated or
manual) and how often?
– Is the automated control really implemented?
– What audit trail does the control leave?
Step 6:
Assessment of
control design
Step 6:
Evaluation of Control Design
• Objectives:
– Verify whether an
adequate control quality
can be achieved with
the lowest number of
controls
– Establish an adequate
audit strategy for the
evaluation of the
implementation of the
controls
Step 6:
Questions for Evaluating Design
• Questions to be posed concerning the
evaluation of control design
– Are the steps of the process and the related
controls arranged in a logical and sensible
order?
– Is the responsibility for the implementation of the
controls clearly established?
– Is it possible to implement the controls in a
correct and meaningful manner?
Step 6:
Questions for Evaluating Design
• Questions to be posed concerning the
evaluation of control design (cont.):
– Are manual or hybrid controls replaced by
automatic controls wherever possible?
– Are upstream (preventative) controls used
instead of downstream (detective) controls
wherever possible?
– Do the controls comply with the requirements of
guidelines and procedural instructions?
Step 6:
Questions for Evaluating Design
• Questions to be posed concerning the
evaluation of control design (cont.):
– Are the inputs needed for the realisation of the
control available?
– Does the implementation of the control enable
the production of a control document that can be
checked?
– Are the controls carried out by a suitable,
qualified and trained operator?
Step 6:
Questions for Evaluating Design
• Questions to be posed concerning the
evaluation of control design (cont.):
– Are the controls carried out within an appropriate
period and sufficiently often?
– Can the design of the controls be implemented at
all within the organisational and financial limits
applicable?
Step 7:
Assessment of control
implementation
Step 7:
Testing Operating Effectiveness
• Objectives:
– Obtain an audit opinion
on the internal control
system
– Evaluate whether each
control
• functions as planned
• was actually and fully
implemented
• was appropriately
qualified
Step 7:
Testing Operating Effectiveness
• TOEs comprise the following steps:
– Selection of controls for audit, if the control
system as a whole is not to be audited;
– Choice of audit strategy;
– Choice of test procedure and sample size;
– Implementation of procedure-oriented/result-
oriented audit procedures;
– Evaluation of discrepancies and the materiality of
errors and weaknesses.
Step 7:
Some Testing Strategies
Audit strategies
• Test-of-one
• Direct testing
• Baselining/benchmarking
• Data analysis
Step 7:
Test of one
Test of one
In principle, programme controls need only
be tested once, after which, given a stable IT
environment and effective general IT controls
during the audit period, they can be
considered to be just as effective thereafter.
Step 7:
Direct Testing
Direct testing
The operation of the control is verified by
means of sampling or the analysis of
transaction data.
Step 7:
Baselining
Baselining/benchmarking:
The aim of this strategy is to reduce the
extent of substantive testing in subsequent
audit periods. To this end, the results of
testing application controls are carried
forward to subsequent audit periods. The
tests conducted during the first audit period
serve as a benchmark.
Step 7:
Data Analysis
Data analysis
The effectiveness of a control is verified by
means of computer-assisted data analysis,
whereby, ideally, all the relevant data in the
analysis are taken into consideration
Step 7:
Evaluating Control Implementation
• Evaluating the control implementation:
– Control frequency - the less frequently a
manual control is performed, the smaller the test
sample;
– Control significance - the more importance the
auditor attaches to an individual control when
forming his/her audit opinion, the more
thoroughly that control should be tested;
Step 7:
Evaluating Control Implementation
• Evaluating the control implementation (cont.):
– Soundness of control evidence – smaller
samples can be taken of controls that generate
direct evidence of effectiveness (traceability,
exhaustiveness, accuracy and time references)
than of controls offering no direct evidence;
– Relative importance of errors and anomalies
– the impact of these varies according to
materiality and the complexity and number of
processed transactions;
Step 7:
Evaluating Control Implementation
• Evaluating the control implementation (cont.):
– Management override – the likelihood that
managers will bypass or override a control;
– Frequency of changes to controls – a control’s
effectiveness may be very significantly affected
by changes to the control itself or to the control
environment.
Step 8:
Overall view and the
determination of the
audit opinion
Step 8:
Overall Assessment & Conclusion
• Objectives:
– Findings of each successive step in the audit are
evaluated for their impact on the financial
reporting
– Compilation of the findings of all preceding audit
steps
– Delivery of a final statement whether the internal
control system is able to provide reasonable
assurance that material errors are avoided in the
annual accounts
Step 8:
Overall Assessment & Conclusion
• There should be a global assessment of:
– the extent to which the audited application
makes an effective contribution to the business
process (control design and implementation);
– whether there are significant control weaknesses
in the application;
– the impact of control weaknesses on the
application’s effectiveness, the overall system
and the corresponding assertions in the
accounts;
Step 8:
Overall Assessment & Conclusion
• There should be a global assessment of
(cont.):
– whether the business process has any
compensatory controls to offset the impact of
control weaknesses in the application, and
whether there is a need for further testing of
controls and additional result-oriented audit
procedures.
Step 8:
Material Control Weaknesses
• Where control weaknesses in the application
are such as to materially compromise the
accuracy of the assertions in the annual
accounts, and where this risk is not offset by
compensatory controls, the impact of those
weaknesses on the year-end reporting must
be evaluated.
Step 8:
Material Control Weaknesses
• This evaluation is tackled from three angles:
1. Does the control weakness have an impact on
the financial statements?
2. Are there legal offences or violations of the
company statutes?
3. Does the weakness affect the audit opinion?
When evaluating the impact on the audit opinion,
the auditor considers whether substantive audit
procedures should be used to assess the
potential impact of ineffective controls.
Wrap up
Wrap-upIntegrated Approach to Auditing (IT) Applications
Wrap-upIntegrated Approach to Auditing (IT) Applications
• Nothing new, but a consistent approach to
integrated auditing
• Taught in Switzerland to all financial auditors
• Available in German, French, English (June)
• Be aware, that this approach (or the
brochure)
– does not replace audit know-how
– does not mean that you can neglect any
applicable audit standards or guidelines
Another Highly Valuable SourceIntegrated Approach to Auditing (IT) Applications
Examples of application dependent controls
IT Control Objectives for Sarbanes Oxley,
IT Governance Institute, ISBN 1-9332284-76-5
For More Information:
Peter R. Bitterli, CISA, CISM
Bitterli Consulting AG & ITACS Training AG
www.bitterli.com / www.itacs.com
Thank you!