VALUE-ADDED IT AUDITINGMARC VAEL, BRUSSELS, MAY 2015

AGENDA▪What does IT audit mean to you?

▪Traditional IT audit

▪Top audit concerns of audit committees

▪The way towards value-added IT audit

▪Some predictions ▪Questions

WHAT DOES IT AUDIT MEAN TO YOU?

Yes, you

TRADITIONAL IT AUDIT

TYPES OF INFORMATION FOR AN IT AUDITOR

• Relevant information : relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant.

• Reliable information : accurate, verifiable and from an objective source.

• Timely information : produced and used in a timeframe that makes it possible to prevent or detect control deficiencies before they become material to an enterprise.

• Sufficient information : when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.

• Suitable information : relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information.

TRADITIONAL IT AUDIT APPROACH

Identification of Safeguards

Threat Assessment

Asset Identification

Vulnerability Assessment

Risk Determination Reporting Remediation

Planning

Proactive processes that turn policies into awareness programs, IT administration, change management and other activities.

Technologies needed to provide the appropriate protection and support critical processes.

Management strategies for IT and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization.

Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.

TYPICAL IT AUDIT ENGAGEMENTS

A. General control examination or facility audit

B. Application audit

C. System development audit

D. Technical or special topic audit

IT CONTROLS

The plan of organization & the methods a business uses to safeguard IT assets, provide accurate & reliable information, promote & improve operational IT efficiency, and encourage adherence to prescribed IT management policies.

IT control procedure classifications: 1. Preventive / Detective / Corrective / Deterrent IT controls 2. General & Application IT controls

3. Administrative & Accounting IT controls

4. Input – Processing – Output IT controls

GENERAL IT OPERATIONS

1. Change Management

2. System Development Life Cycle (SDLC)

3. Problem & Incident management

4. Back-up and data recovery

5. Project Management

6. Continuity Planning (CBCP and DRP)

INFORMATION SYSTEMS

INDEPENDENT IT CONTROLS ON PERFORMANCE

To ensure that transactions are processed accurately are another important control element.

Types of independent IT controls

–reconciliation of 2 independently maintained sets of records –comparison of actual quantities with recorded amounts –double-entry accounting (debits = credits)

–batch totals

INDEPENDENT IT CONTROLS ON PERFORMANCE

Types of independent IT controls

–batch totals:

5 types:

1 Financial total: sum of a euro field.

2 Hash total: sum of a field that would usually not be added.

3 Record count: number of documents processed by the IT system. 4 Line count: number of lines of data entered in the IT system. 5 Cross-footing: compares grand total of all rows with grand total of all columns to check that they are equal in the IT system.

INDEPENDENT IT CONTROLS ON PERFORMANCE

Auditors must understand the following basic IT controls:

1 How transactions are initiated

2 How data are captured in machine-readable form or converted from source documents

3 How computer files are accessed & updated

4 How data are processed to prepare information

5 How information is reported

All of these items make it possible to have an IT audit trail.

An IT audit trail exists when individual company transactions can be traced end-to-end through the IT system.

TOP AUDIT CONCERNS OF AUDIT COMMITTEES

7

7

8

27

THE WAY TOWARDS VALUE-ADDED IT AUDIT

IT CONTROLS

• IT controls continue to increase in importance to organisations

• Corporate reliance on IT increases

• Compliance requirements increase

• IT control deficiencies can have a significant impact on any organisation

PwC 2014 state of the internal audit profession study

PwC 2014 state of the internal audit profession study

PwC 2014 state of the internal audit profession study

PwC 2014 state of the internal audit profession study

VALUE PROPOSITION

PwC 2014 state of the internal audit profession study

www.isaca.org/cobit

IT AUDIT REPORT WRITING PHASES

TYPES OF IT AUDIT ENGAGEMENTS

Review • provide limited assurance about an assertion. • consists primarily of review work (less emphasis on testing). • can be more process oriented, focusing on the appropriateness of the

tasks and activities that the audit entity performs and the associated controls. The level of evidence that is gathered is less than in an audit, and testing is generally limited or none is performed.

• do not include audit opinions. Conclusions may often be stated negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not true’.

TYPES OF IT AUDIT ENGAGEMENTS

Examination • Systematic process by which a competent, independent person

objectively obtains & evaluates evidence regarding assertions about an entity or event, processes, operations or internal controls, for the purpose of forming an opinion & providing a report on the degree to which the assertions conform to an identified set of standards.

• Attestation process that provides the highest level of assurance about an assertion that an IT auditor can provide.

• Gathering & evaluating sufficient, competent evidence and performing appropriate tests and other procedures to form the opinion about an assertion for presentation in an IT audit report.

TYPES OF IT AUDIT ENGAGEMENTS

Agreed-upon Procedures Engagement Third party & IT auditor agree on specific procedures that will be performed to obtain evidence on which the third party is willing to rely as a basis for a conclusion. Agreed-upon level of evidence may be significantly limited or extensive. The IT auditor may need to obtain a substantial amount of evidence (in some cases, more than that is required for an IT audit). The IT audit report should include a statement that sufficiency of procedures is solely the responsibility of the responsible parties & a disclaimer of responsibility for the sufficiency of those procedures. The report relates only to the elements specified & does not extend beyond them.

CAATS

Computer programs & data that the IT auditor uses

as part of audit procedures to process data of significance

contained in a computer system

CAATS USAGE

· Calculation checks: e.g. program gives total amount of individual entries in purchases day book in a particular period. Auditor then agree this total amount to the amount posted in purchases ledger control. · Detecting system violation rule: e.g. program checks that no customer has balance above specified credit limit. · Detecting unreasonable items: programs checks that no customer has discount of 50% or sales ledger balance is more than the amount of sales made to that customer. · New calculation & analysis: e.g. statistical analysis of inventory movements to identify slow moving items. · Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances to be used as a basis for a circularization of debtors. · Completeness checks: e.g. checking continuity of sales invoices to ensure they are all accounted for.

CAATS ADVANTAGES

· Test programmed controls: in an IT accounting system, there are large volume of transactions which the auditor will have to audit. The auditor will have to check if the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAAT. · Test on large volume of data: CAAT enable auditors to test large amount of data quickly & accurately and increase the confidence they have in their opinion. · Test on source location of data: CAAT enables auditors to test the accounting systems & its records at its source location rather than testing printouts of what they believe to be a copy of those records. · Cost effective: once set up CAAT are a cost effective way of obtaining audit evidence year after year provided that the client does not change the accounting system. · Comparison: allows results from using CAAT to be compared to traditional testing. Where the two results agree this increase the overall audit confidence.

7

7

7

7

7

37

ISO15504

6

PA2.2 Work Product Management

PA2.1 Performance ManagementLevel 2 - Managed

PA1.1 Process PerformanceLevel 1 - Performed

Level 0 - Incomplete

PA3.2 Deployment

PA3.1 DefinitionLevel 3 - Established

PA4.2 Control

PA4.1 MeasurementLevel 4 - Predictable

PA5.1 Innovation

PA5.2 OptimisationLevel 5 - Optimising

1

L / F

2

L / F

F

F

3

L / F

F

4

L / F

F

F

F

L / F

5

F

F

F

F

L/F = Largely or Fully F= Fully

SOME PREDICTIONS

59

PREDICTIONS INTRODUCTION

• Users want to be provided with more information about business organisations, rather than less.

• Demands for information is driven by business clients, customers, oversight authorities and legislatures:audit plan can change in the middle of the current quarter and sometimes even change on a day-to-day basis

• Trend: better, faster and more comprehensive reporting. • Strong interest in independent assessment & reporting of

organisational compliance with laws & regulations.

PREDICTION: INTEGRATED REPORTING

Objective of integrated reporting = provide a more detailed picture of the organisation’s efforts to: • Produce and sustain value• Identify and manage risk• Employ and develop human capital • Meet legal requirements• Address corporate and social responsibility Audit reports include more in-depth non-financial reporting. Shift from solely lag indicators (as found in traditional reporting) to lead or forward indicators with increased focus on management & performance capabilities.

PREDICTION: USE OF TECHNOLOGY IN REPORTING

Demand is likely to increase for using technology to present audit results in a manner that quickly enables recipients to focus on the key points of the audit. Auditing standards provide a foundation for the auditing profession to develop and issue professional audit reports. Considerations of increased use of technology in the reporting process must be benchmarked against applicable auditing standards.

CONTACT DETAILS

marc@vael.net http://www.linkedin.com/in/marcvael @marcvael

Marc Vael CISA, CISM, CRISC, CGEIT, ITIL SM, Prince2 F, Guberna Certified Director

Chief Audit Executive SMALS vzw Fonsnylaan 20 1060 Brussel

+32 473 99 30 31