Slide 1 of 22

Audit Implications of Integrated Financial Management Information Systems (IFMISs)

Dr. Paul Dorsey
Dulcian, Inc.
May 20, 2009


Slide 2 of 22

Conventional Wisdom

- IFMISs reduce audit risk.
- Audit the IFMIS and the non-IFMIS independently
  - IT auditors bless the IFMIS.
  - Traditional auditors ignore the IFMIS.
- “Auditing” an IFMIS means:
  - Code control
  - Access control
  - Black-box validation
    - Inputs generate correct outputs.


Slide 3 of 22

Why should we worry?

- IFMISs INCREASE exposure.
- Standard audit techniques will not effectively assess exposure risks.
- Standard controls do not protect effectively against IFMIS-impacted exposures.
- Developed nation companies do not usually have well controlled environments.


Slide 4 of 22

The Main Problem

- Manual process flow:
  - Lots of automatic controls based on many people seeing the transaction.
  - Lots of controls to avoid manual data entry errors also control fraud.
  - Separation of duties well understood and controlled.
- IFMIS process flow:
  - Single point of failure
  - Vulnerable to anyone with low-level access to system


Slide 5 of 22

Manual Process

- Enter transaction
- Approve transaction
- Prepare check
- Approve payment


Slide 6 of 22

IFMIS Process

[Diagram labels: IFMIS; Print Check; Enter transaction; Approve transaction; Approve payment]


Slide 7 of 22

Why is this problem not widely discussed?

Accountants/Auditors are not Information Technology (IT) trained.

IT audit is a specialty area separated from traditional audit.

Audit culture treats IT as independent.


Slide 8 of 22

Controlling Risk

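Control/Exposure Matrix (columns are exposures, rows are controls)

| Control | Invalid Transaction | Data entry error | Coding Error | Developer Introduced Fraud |
| --- | --- | --- | --- | --- |
| Periodic Audit | Medium | Medium | High | None |
| Dual Entry | High | High | N/A | None |
| Test Deck Audit | N/A | N/A | High | None |
| Level of Protection | High | High | High | None |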


Slide 9 of 22

Ineffective Controls

- Controls that are ignored, bypassed, faked, or not implemented
  - Accountants stay up all night to “sign” documents.
- Electronic sign-offs that are not intrusive.
  - Users demand bulk approvals.
- Separation of duties
  - Everyone trusts the “system.”
- Meaningless validations
  - System auto-calculates footing total.


Slide 10 of 22

New Controls Needed

- Artificial separation of duties
- Inefficient manual steps
  - Particularly on cash transfers
- Comprehensive control system audit
- Functional controls that go around the system
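
An added example, not part of the original slides: one way to check separation of duties as a control that runs around the system, over a transaction log exported from the IFMIS. The log layout, step names and user names are constructed for illustration; the four steps are those of the manual process on slide 5.

```python
from collections import defaultdict

# The four steps of the manual process (slide 5). Step names are constructed.
STEPS = ("enter", "approve_transaction", "prepare_check", "approve_payment")

# Constructed sample log rows: (transaction id, step, user who performed it).
SAMPLE_LOG = [
    ("T1", "enter", "alice"), ("T1", "approve_transaction", "bob"),
    ("T1", "prepare_check", "carol"), ("T1", "approve_payment", "dave"),
    ("T2", "enter", "erin"), ("T2", "approve_transaction", "erin"),
    ("T2", "prepare_check", "carol"), ("T2", "approve_payment", "erin"),
    ("T3", "enter", "alice"), ("T3", "prepare_check", "carol"),
    ("T3", "approve_payment", "bob"),
]

def audit_separation_of_duties(log):
    """Return {transaction id: [findings]} for transactions that skipped a
    step or had one user perform more than one step."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, step, user in log:
        by_txn[txn][step].add(user)

    findings = {}
    for txn, steps in by_txn.items():
        problems = []
        # A step with no record means a control was bypassed entirely.
        for step in STEPS:
            if step not in steps:
                problems.append(f"missing step: {step}")
        # Collect, per user, every step that user touched on this transaction.
        seen = defaultdict(list)
        for step in STEPS:
            for user in sorted(steps.get(step, ())):
                seen[user].append(step)
        for user in sorted(seen):
            if len(seen[user]) > 1:
                problems.append(f"{user} performed {', '.join(seen[user])}")
        if problems:
            findings[txn] = problems
    return findings

if __name__ == "__main__":
    for txn, problems in audit_separation_of_duties(SAMPLE_LOG).items():
        print(txn, problems)
```
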


Slide 11 of 22

Exposure Risks Increased by IFMIS

- Data Entry Errors
- Fraudulent Transactions
  - Especially collusion frauds
- Subtle Process Errors
- Computer Professional Fraud
- Total loss of data
  - Physical system failure
- HUGE frauds
- Outsider access to system
  - Everyone is virused
- System hacking
  - Internet exposure


Slide 12 of 22

Decreasing Risks (1)

- Data Entry Errors
  - System validations
    - Contingent process flows
    - Validation rules
    - Check digits on account codes
  - Multi-entry (double or triple entry)
  - Review transactions
  - Audit against source documents


Slide 13 of 22

Decreasing Risks (2)

- Fraudulent Transactions
  - Same controls as data entry errors
  - More levels of review
  - Random assignment of review
  - Explicitly audit for fraud


Slide 14 of 22

Decreasing Risks (3)

- Subtle Process Errors
  - Code review
  - Exhaustive test decks
  - “Test first” philosophy
  - Business Rules approach
  - Manual and automated testing


Slide 15 of 22

Decreasing Risks (4)

- Computer Professional Fraud
  - Pair programming
  - Explicit QA of all code
  - Control “around” system
    - Reports/Controls NOT built/controlled by same team
  - Hire honest people
  - Place manual (non-system dependent) control on all cash transfers


Slide 16 of 22

Decreasing Risks (5)

- Total loss of data
  - Transaction level, off-site back-up
  - Multi-site (out of country) back-up
  - Test back-up strategy


Slide 17 of 22

Decreasing Risks (6)

- Huge Frauds
  - Don’t automate cash transfer
  - Don’t automate cash transfer
  - Don’t automate cash transfer
  - Don’t automate cash transfer
  - Don’t automate cash transfer


Slide 18 of 22

Decreasing Risks (7)

- Outsider Access to System
  - No administrator rights for users
  - No external data devices for machines
    - No USB keys
    - No floppy drives
  - Serious penalty for security violations
  - Real virus, firewall, security software
  - Good security protocol
    - Passwords
    - Physical access


Slide 19 of 22

Decreasing Risks (7)

- System Hacking
  - Get a security audit by leading expert


Slide 20 of 22

Conclusions

- IFMISs increase audit risk.
- Additional controls are necessary to reduce risks.
- Most auditors ignore the issue.


Slide 21 of 22

Dulcian’s BRIM® Environment

Full business rules-based development environment

For Demo Write “BRIM” on business card


Slide 22 of 22

Contact Information

- Dr. Paul Dorsey – [email protected]
- Dulcian website - www.dulcian.com

[Book covers shown: Developer Advanced Forms & Reports; Designer Handbook; Oracle PL/SQL for Dummies (latest book); Design Using UML Object Modeling]