NSAA Information Technology Conference

Planning the Scope of Your IT Audit

October 1, 2014

Jennifer Schreck, Audit Director

Strategic Risk Management

Auditor of Public Accounts


What we are going to discuss

• Case studies (Michigan)

• Frame of reference for IT audits at the APA

• Where we want to be (Auditor Planning Utopia)

• How do we get there - Our keys to Success

http://www.apa.virginia.gov

Quick reminder of who we are . . . The APA

• Serves as the external auditor for the executive and legislative branches of the Commonwealth

• Performs financial statement and performance audits

• Manages the Commonwealth’s transparency website, Data Point


• Works with local, agency and institutional internal audit shops investigating fraud

• Reviews the entire court system from the Supreme Court to each local court

• Examines the state accounts and records of every locality handling state funds


• Maintains oversight responsibility for local government audits performed by public accounting firms.

• Provides systems development and public private partnership project monitoring where risk dictates.

• Performs technology-related vulnerability and penetration testing when requested.


Quick reminder of who we are . . .

• Divided into areas of expertise to support our mission and audit projects

Our teams work together to support our Projects:

• Acquisition & Contract Mgmt

• Budgeting & Performance Management

• Capital Asset Management

• Compliance Assurance

• Data Analysis

• Higher Education Programs

• IT Project Management

• Systems Security

• Local Government and Judicial Systems

• Strategic Risk Management

• Reporting & Standards

• Human Resources & Business Operations

Auditor IT Planning Utopia

• You know which systems are the key systems . . .

• You know the delineation of responsibility if part of the system is outsourced . . .

• You easily identify the controls within your system . . .

• You can easily determine what has been audited by other groups

• It's easy to define the scope of your audit . . .

• You know the data elements you need to do your work . . .

• You have the various types of resources you need to do the audit . . .

• Every auditor is an “integrated” auditor . . .


Reality can bring things to a crashing halt

But it doesn’t have to. . . .


Quick reminder of who we are . . .

• Most of our “trained” IT knowledge lies within three of our specialty teams


To achieve Auditor Planning Utopia . . .

• All of our teams need to have an IT mindset because all of our audit clients use Information Technology to support what they do.


Perspective . . .

• The APA performs financial statement and performance audits of executive branch entities

• The majority of our performance audits still have a financial related slant

• Our IT audit work generally supports broader financially driven objectives.


Keys to Success

• Setting the “Tone at the Top”

• Challenging our staff to think innovatively

• Making the connections


Setting the “Tone at the Top”

Refocused Strategic Planning Initiatives

• Project Processes

• Innovative Audit Approaches

• Reporting Results

• Methods of Communication

• Office Structure

• Focus on Staff

• Staffing and Workplan


Shift in planning mindset

10/80/10: Plan 10%, Execute 80%, Report 10%

40/40/20: Plan 40%, Execute 40%, Report 20%

Challenging our staff to think Innovatively


Application Controls (What are they?)

Validity, Completeness, and Accuracy: Management Assertions?


Green Book: 11.08

Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing.


Management’s Use of Application Controls

1. Does management have applications to process business transactions?

2. How should management use application controls to achieve validity, completeness, and accuracy of their business transactions?


3. How is management using its applications to enforce the business rules?

4. What information will I need to validate that business rules were working?


• Example – Time and Effort Applications

– Business Rule: Employees should NOT approve their own time sheet.

– Application Control: Employee cannot view or select their timesheet within the approval screen.

– Auditor's Test: Does the employee id equal the approval id on any timesheets?

(Caveat: Assumes that Application is operating in an environment with sound general controls.)
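
The auditor's test above, run over a timesheet extract, as an added example that is not part of the original presentation. The column names, the sample rows and the ID normalization rule (trim, upper-case, drop leading zeros) are assumptions; timesheets with no approver recorded are reported separately because the rule cannot be tested on them.

```python
import csv
import io

# Constructed sample extract; column names are assumed, not from the slides.
SAMPLE_EXTRACT = """timesheet_id,employee_id,approver_id,period_end
TS-1001,E0042,E0007,2014-08-15
TS-1002,E0007,e0007 ,2014-08-15
TS-1003,E0113,,2014-08-15
TS-1004,00519,519,2014-08-31
TS-1005,E0042,E0007,2014-08-31
"""


def normalize_id(raw):
    """Canonical ID for comparison (assumed rule): trim, upper-case, drop leading zeros."""
    cleaned = (raw or "").strip().upper()
    return cleaned.lstrip("0") or cleaned


def find_self_approvals(extract_text):
    """Return timesheets where employee id equals approver id, plus unapproved ones."""
    result = {"tested": 0, "self_approved": [], "unapproved": []}
    for row in csv.DictReader(io.StringIO(extract_text)):
        result["tested"] += 1
        employee = normalize_id(row["employee_id"])
        approver = normalize_id(row["approver_id"])
        if not approver:
            # No approver recorded: the rule cannot be tested, follow up separately.
            result["unapproved"].append(row["timesheet_id"])
        elif employee == approver:
            # Exception to the business rule: same person entered and approved.
            result["self_approved"].append(row["timesheet_id"])
    return result


if __name__ == "__main__":
    findings = find_self_approvals(SAMPLE_EXTRACT)
    print(f"Timesheets tested: {findings['tested']}")
    print(f"Self-approved:     {findings['self_approved']}")
    print(f"No approver:       {findings['unapproved']}")
```

A hit does not by itself show that the approval screen failed: a record changed outside the application would look the same, which is why the caveat about sound general controls matters.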


• We host Brown Bag lunches to informally discuss issues around implementing innovative approaches and share new ideas


• Systems Security

• Data Analysis

• IT Project Management

• Acquisition & Contract Mgmt

• Budgeting & Performance Mgmt

• Capital Asset Management

• Compliance Assurance

• Higher Education Programs

• Local Government & Judicial Systems

• Strategic Risk Management

• Reporting & Standards


Making the Connections

• Building contact points into our audit programs


• Creating audit tools that help our IT staff think like our other staff and vice versa

Executive Dashboard

Internal Control Worksheet

Fraud Assessment

ISS Financial Statement Integration Tool


Making the Connections – IS Planning Tools

• Supports a Risk-based approach

• Provides a clearer view of technical testwork (infrastructure, software, etc.)

• Encourages an iterative planning process involving both IS and Financial auditors

• Addresses all major areas of data security (integrity, confidentiality, reliability)


• Highlighting success


Auditor Planning Utopia
