Connecting the dots: IT to Business - ISACA


Connecting the dots: IT to Business Jason Wood, CPA, CISA, CIA, CITP, CFF

April 2015

Speaker Bio – Jason Wood
Over 18 years of international business experience in planning, conducting, and quality reviewing complex information technology audits (inclusive of new business development, leading diverse teams, developing people and managing projects). In-depth understanding of financial, operational and information technology risks, controls, and processes; and the implementation of cost-effective internal controls to minimize risk and maximize value. Authored a book titled “IT Auditing and Application Controls for Small and Mid-Sized Enterprises: Revenue, Expenditure, Inventory, Payroll, and More” published by Wiley Publishing in December 2013.

Agenda
• Who’s in the audience?
• Connecting IT Audit to the Financial/Operational Processes
• Financial Cycle Risks from an IT Perspective (Revenue, Expenditure, Inventory, Payroll)
• Management Assertions and the IT Audit
• IT Control Objectives (CIA)
• Illustrative IT Control Deficiencies and Potential Financial Audit Impact

Who’s in the Audience Today?
• What companies are represented in the audience today?
• What role do you play within your company (IT Auditor, Business Auditor, Management, etc.)?
• What is your experience level with IT and Business Auditing?

Connecting IT Audit to the Financial / Operational Processes

Protect the data!
Risk is inevitable. As auditors, we help our clients/companies manage their risk by performing audits and other assessments. Our work helps the client/company understand the nature and extent of risks that exist in the control environment. Information technology (IT) controls are a key aspect of that control environment—albeit one that may be less familiar to the auditor than the purely accounting and financial dimensions.

Protect the financial and operational data stored within information systems!

IT Controls Are Critical
• Enabler of transactions, processes, and preparation of information for financial statements
• Affect the reliability of financial data (e.g., system reports) and electronic audit evidence
• Foundation for application controls including segregation of duties


Linking Business and IT Processes (diagram; only its labels survive): Business Processes / IT Environment; IT Process; Flows of Transactions: Routine Transactions, Estimation Transactions, Non-Routine Transactions; General Ledger; Financial Statement Close Process; Financial Statements.


Financial Cycle Risks from an IT Perspective

Revenue Cycle IT Risks

Revenue Risk Exposures
Sales: Is the order from a valid customer? Does the system contain correct and up‐to‐date information about the customer? Are there holds or credit limits on the customer’s account? Has the transaction been properly authorized? Are recorded transactions valid? Have all valid transactions been recorded accurately?
Credit approval: Does the credit approval process protect the organization against excessive credit losses?
Warehouse: How are assets protected against loss or theft? Does the accounting system provide good detective controls that would bring shrinkage to the attention of management? How often are inventory counts reconciled to accounting records? Are ordered goods available in sufficient quantity to satisfy customer demand? Are backorder processes in place to protect against customer dissatisfaction from stockouts?

Revenue Risk Exposures
Shipping: What controls are in place to ensure the accuracy and timeliness of shipped orders? Are processes in place to manage multiple ship‐to addresses?
Billing: What controls are in place to ensure the accuracy and timeliness of billings? Are backorders, partial fills, returns, and other nonroutine transactions processed in such a way as to ensure accurate and complete records?
Cash receipts: Does the organization use lockboxes? Do cash receipt processes provide independent audit trails? What segregation of duties (SOD) controls are there to prevent one person from exercising incompatible functions?

Expenditure Cycle IT Risks

Expenditure Risk Exposures
Purchases: Is the order made to a valid vendor? Does the system contain correct and up‐to‐date information about that vendor?
Credit limit issues: Do credit limit issues occur at both the purchasing agent level (does the agent have authorization to initiate the PO) and the vendor level (does the contemplated purchase exceed the available credit on the account)?
Receiving: Risks include receipt (does the entity receive the goods that it ordered?), variances of type and/or quantity, and pricing.
Invoicing: Risks include the possibility of invoices for goods and services that were not received, and the possibility that invoiced prices exceed previously quoted prices beyond some specified tolerance level.
Cash disbursements: Risk exposures include all possible concerns relating to unauthorized or inappropriate distribution of corporate cash.

Inventory Cycle IT Risks

Inventory Risk Exposures
Warehouse: Are item cards set up appropriately? Are processes in place to ensure that the company can accurately process orders for replacement inventory? Are logical access controls to inventory records set up appropriately? Are the inventory records appropriately updated when raw material is received? Do the perpetual inventory records represent the actual amount on hand? Will the system support possible expansion in the number of types of inventory items? Does the shipping information from the inventory cycle accurately transfer to the revenue cycle for revenue recognition purposes?
Manufacturing: If there are multiple stages of manufacturing processes, are items of work in process correctly classified, insofar as this information is needed for accounting and operational purposes? Are all costs required for external reporting processes captured (e.g., in addition to direct material, other full‐absorption costs such as direct labor and overhead)?
Repair: Does the system require return authorization prior to acceptance of an item for return, repair, or replacement? Are items transferred to a repair process accurately classified and tracked? Does the system alert administrators to potential business exposures such as fraudulent or defalcatory misclassification of inventory items? Are the inventory records appropriately updated to reflect the goods received as part of the return, repair, or replacement process?

Payroll Cycle IT Risks

Payroll Risk Exposures
Setup and maintenance: Are employees set up in the system consistent with their pay status, pay rates, and other vital information? Who has access to add, change, or delete payroll master file information? What prevents ghost employees from being set up and subsequently paid?
Calculations: Are tax tables updated appropriately to ensure tax calculations reflect the current tax rates based on jurisdiction? What ensures the time was captured and entered into the system appropriately? Was the time extended to the pay rate so the appropriate pay was calculated? Was the third‐party payroll processor provided with correct payroll information for calculations?
Processing: Are there variance tolerance levels set up in the system? What ensures that the amounts scheduled to be paid are paid? Does segregation of duties exist in the payroll processing process? Are signature approvals captured and are digital signatures protected? Is electronic check stock protected? Was the third‐party payroll processor provided with correct payroll information for processing?
Disbursements: Are completed checks secured for disbursement? Do controls exist that ensure that direct deposits were made to the right account and complete?
Reconciliations: Do reports appropriately reflect the payroll that was scheduled to be disbursed and that was actually disbursed? What reports exist in the system for review?

Accruals and adjustments: Are accruals and adjustments to payroll, benefits, and taxes calculated so the financial records can be updated? Are payments made to the tax authorities for the tax liability? Are benefit accounts updated for the benefits liability?
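The cash receipts and payroll slides both ask whether segregation of duties (SOD) exists and what prevents a ghost employee from being set up and paid. The following is an added example, not code from the deck or its author, of the detective check an IT auditor would run over a system's entitlement export: flatten each user's roles into the functions they can perform, then test every pair of incompatible functions against that set. All role names, function names, users and conflict pairs are constructed assumptions; a real engagement would take the conflict matrix from the client's SOD policy and the export from the application.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement export.

Added example for this deck, not the author's code. Assumptions (all
constructed for illustration): ROLE_FUNCTIONS maps a system role to the
functions it grants, ENTITLEMENTS is the (user, role) export, and
SOD_CONFLICTS lists function pairs one person should not hold together.
"""

# Constructed conflict pairs drawn from the cash-receipts and payroll
# questions: each tuple names two functions that should be separated.
SOD_CONFLICTS = [
    ("post_cash_receipt", "reconcile_bank"),              # could conceal misapplied cash
    ("maintain_customer_master", "post_cash_receipt"),
    ("maintain_payroll_master", "approve_payroll_run"),   # ghost-employee exposure
    ("enter_timesheet", "approve_payroll_run"),
    ("maintain_vendor_master", "approve_payment"),
]

# Constructed role definitions (role -> functions it grants).
ROLE_FUNCTIONS = {
    "AR_CLERK": {"post_cash_receipt"},
    "AR_SUPERVISOR": {"maintain_customer_master", "post_cash_receipt"},
    "TREASURY": {"reconcile_bank"},
    "HR_ADMIN": {"maintain_payroll_master"},
    "PAYROLL_MANAGER": {"approve_payroll_run"},
}

# Constructed entitlement export (user, role).
ENTITLEMENTS = [
    ("alice", "AR_CLERK"),
    ("alice", "TREASURY"),          # conflict across two roles
    ("bob", "AR_SUPERVISOR"),       # conflict built into a single role
    ("carol", "HR_ADMIN"),
    ("carol", "PAYROLL_MANAGER"),   # can create a payee and approve the run
    ("dave", "PAYROLL_MANAGER"),    # no conflict
]


def functions_by_user(entitlements, role_functions):
    """Flatten role assignments into the set of functions each user can perform."""
    held = {}
    for user, role in entitlements:
        held.setdefault(user, set()).update(role_functions.get(role, set()))
    return held


def find_sod_violations(entitlements, role_functions, conflicts=SOD_CONFLICTS):
    """Return sorted (user, function_a, function_b) triples for each conflict
    pair that a single user holds in full, however the functions were granted."""
    violations = []
    for user, funcs in functions_by_user(entitlements, role_functions).items():
        for a, b in conflicts:
            if a in funcs and b in funcs:
                violations.append((user, a, b))
    return sorted(violations)


def roles_with_builtin_conflict(role_functions, conflicts=SOD_CONFLICTS):
    """Roles that grant both halves of a conflict on their own: a role-design
    defect that no assignment review will fix."""
    return sorted(role for role, funcs in role_functions.items()
                  if any(a in funcs and b in funcs for a, b in conflicts))


if __name__ == "__main__":
    for user, a, b in find_sod_violations(ENTITLEMENTS, ROLE_FUNCTIONS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("Roles with a built-in conflict:", roles_with_builtin_conflict(ROLE_FUNCTIONS))
```

The check works at the function level rather than the role level on purpose: alice's conflict only appears when two separately harmless roles are combined, while bob's conflict is inside one role and is reported separately as a design defect. Where headcount makes full segregation impossible, the same output is the list of users whose activity needs a compensating review control.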

Management’s Assertions and the IT Audit

Existence
Many account balances purport to describe quantities that actually exist (e.g., stocks of inventory or amounts owed to the company for past sales). Over‐ or understatements of these balances may result in material errors, and audit procedures typically rely on a combination of process analysis and physical counts or sampling approaches to evaluate the plausibility of a reported balance. The financial auditor ties information in the system back to transaction (source) documents (which may be paper or another electronic file), and, accordingly, he or she needs to understand the system’s overall design, the flow of information, and the nature and location of files.

Completeness
The completeness assertion refers to the integrity of the recording process and the ability of the company’s accounting system to ensure that the effects of all transactions, balances, accounts, estimates, and so on have been included in the financial statements. Traditional audit techniques such as cross‐footing and internal validity checks of totals and subtotals can help to ensure that financial information flows correctly (as missing values may cause the statements and supporting schedules not to tie). At the IT level, the auditor is concerned with how the system ensures completeness—for instance, does the report writer pull all the items from the chart of accounts?

Rights and Obligations
This assertion addresses the legal status of a company’s assets and liabilities and it can create exposures and areas of interest from an IT perspective. As an example, consider a company that ships merchandise on both a free‐on‐board (FOB) destination and FOB shipping point basis. The accounting system should be configured so as to properly classify these transactions and support accurate reporting of inventory, receivables, and sales.

Valuation
The area of valuation can range from the accuracy of original costs to complex and esoteric calculations relating to financial instruments. In order to ensure that account balances, transactions, fair value estimates, and other amounts are reported appropriately, the IT auditor may need to examine things such as links to pricing tables and lookup tables, the design and accuracy of spreadsheet models, and the integrity of proprietary data sources. The widespread use of spreadsheet models for a variety of valuation‐related activities creates many exposures related to data transfer and change management.

Accounting Procedures
The realm of accounting procedures includes classification and aggregation procedures, proper cutoffs at the end of each accounting period, the preparation and posting of adjusting entries, the preparation of disclosure and supporting schedules, and the final presentation of the financial statements. In addition, the auditor should examine the configuration settings in the computer system to ensure that proper cutoff is achieved. For example, does the computer system configuration close the accounting period, or does the accounting period remain open indefinitely? Does the system have the correct days set for each month? When the financial statements are being produced, the IT auditor needs to ensure that all data within the accounting system are being pulled to the financial statements, confirming, for example, accurate tie‐backs between subledgers, the general ledger, and the financial statements.
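The completeness slide describes cross-footing and tie-outs, and the accounting procedures slide asks whether the period is actually closed and whether subledgers tie back to the general ledger. Here is an added example, not from the deck, of those three checks carried out over constructed data: a cutoff test that flags postings dated outside the period being closed, a tie-back of each subledger's in-period movement to its general ledger control account, and a cross-foot that total debits equal total credits. The record layout, control account numbers (AR to 1200, AP to 2100) and the March 2015 period are assumptions for illustration only.

```python
"""Cutoff, subledger-to-GL tie-back and cross-foot checks.

Added example, not the deck's code. Assumptions (constructed): journal
lines are dicts with source/account, post_date, debit and credit; the
CONTROL_ACCOUNTS map says which GL account each subledger posts to; the
period under test is March 2015, closed at month end.
"""
from datetime import date
from decimal import Decimal

CONTROL_ACCOUNTS = {"AR": "1200", "AP": "2100"}          # assumed chart of accounts
PERIOD_START, PERIOD_END = date(2015, 3, 1), date(2015, 3, 31)


def D(s):
    """Money as Decimal: floats would make the tie-out compare inexact values."""
    return Decimal(s)


# Constructed subledger activity. The April line is the cutoff exception.
SUBLEDGER = [
    {"source": "AR", "post_date": date(2015, 3, 10), "debit": D("500.00"), "credit": D("0")},
    {"source": "AR", "post_date": date(2015, 3, 20), "debit": D("250.00"), "credit": D("0")},
    {"source": "AR", "post_date": date(2015, 4, 1),  "debit": D("300.00"), "credit": D("0")},
    {"source": "AP", "post_date": date(2015, 3, 15), "debit": D("0"),      "credit": D("400.00")},
]

# Constructed general ledger postings. AP control is 10.00 short of the subledger.
GENERAL_LEDGER = [
    {"account": "1200", "post_date": date(2015, 3, 31), "debit": D("750.00"), "credit": D("0")},
    {"account": "2100", "post_date": date(2015, 3, 31), "debit": D("0"),      "credit": D("390.00")},
    {"account": "4000", "post_date": date(2015, 3, 31), "debit": D("0"),      "credit": D("750.00")},
    {"account": "5000", "post_date": date(2015, 3, 31), "debit": D("390.00"), "credit": D("0")},
]


def in_period(d, start=PERIOD_START, end=PERIOD_END):
    return start <= d <= end


def cutoff_exceptions(lines, start=PERIOD_START, end=PERIOD_END):
    """Lines dated outside the period being closed. If the system let these
    post, the period was not really closed (the configuration question above)."""
    return [ln for ln in lines if not in_period(ln["post_date"], start, end)]


def net(lines):
    """Net debit movement (debits positive, credits negative) over an iterable of lines."""
    return sum((ln["debit"] - ln["credit"] for ln in lines), Decimal(0))


def tie_back(subledger, gl, control_accounts=CONTROL_ACCOUNTS,
             start=PERIOD_START, end=PERIOD_END):
    """Compare each subledger's in-period net movement to its GL control account.
    Returns {subledger: (subledger_net, gl_net, difference)}; a non-zero
    difference is a completeness exception to investigate."""
    result = {}
    for src, acct in control_accounts.items():
        sl = net(ln for ln in subledger
                 if ln["source"] == src and in_period(ln["post_date"], start, end))
        g = net(ln for ln in gl
                if ln["account"] == acct and in_period(ln["post_date"], start, end))
        result[src] = (sl, g, sl - g)
    return result


def gl_balanced(gl):
    """Cross-foot: the ledger only balances if total debits equal total credits."""
    return net(gl) == 0


if __name__ == "__main__":
    for ln in cutoff_exceptions(SUBLEDGER):
        print("cutoff exception:", ln["source"], ln["post_date"])
    for src, (sl, g, diff) in tie_back(SUBLEDGER, GENERAL_LEDGER).items():
        print(f"{src}: subledger {sl} vs GL {g} -> difference {diff}")
    print("GL cross-foots:", gl_balanced(GENERAL_LEDGER))
```

Note that the ledger cross-foots even though AP does not tie: a balanced ledger proves only that debits equal credits, not that every subledger transaction reached it, which is why the tie-back is a separate test.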

IT Control Objectives

IT Control Objectives
IT controls are designed to meet control objectives related to Information Security requirements. The core objectives, often referred to as C-I-A, can be depicted as follows:
Confidentiality: Protects sensitive information from being viewed by unauthorized users. Examples include:
- Financial Data
- Credit Card Numbers
- SSN
Note: This objective directly relates to internal and external Privacy requirements.
Integrity: Protects the integrity of critical IT resources like:
- Hardware
- Software
- Data repositories
Availability: Ensures that critical IT resources (i.e., hardware, software, data) are available when needed.

Confidentiality
The confidentiality of data refers to both internal and external users. Internally, the system of rights and permissions to access and modify data is an essential building block in the design of properly segregated duties (or a key feature to analyze when insufficient personnel make it impossible to achieve an ideal level of segregation). Externally, the confidentiality of data rests on such IT constructs as firewalls, encryption, and access protocols.

Change management: Segregation refers to the well‐established principle that programmers should not have access to data, and that those entrusted with data should not have programming rights. We define programming broadly so as to encompass the many methods of altering how software functions and the results it produces. When an IT auditor tests change management, we would expect to see change control forms with the requested changes that are approved for each change that is captured in the system.
Operations: Confidentiality concerns in the operations domain include issues such as the storage location of backup tapes. There’s a difference between a sock drawer and a fireproof safe! It’s important to remember that the data on the backup tape is confidential and may be readily converted to useful information without someone having access to the system. With respect to access control, IT auditor tests should expect the existence of signed forms with management approval, specifying the access needed.
Security: This intersection includes topics such as passwords, permissions, log-on histories (detective control), and penetration testing. The auditor should determine whether company personnel have access only to the data they need—or to more. It is important to understand and document the business reason for data access protocols.
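The operations and security paragraphs above name two pieces of evidence: signed access forms that specify the access needed, and log-on histories as a detective control. The following added example, which is not part of the deck, reconciles those two sources against the system. It diffs the roles actually granted against the roles the approval forms authorize, and parses constructed log-on records to find successful log-ons by accounts with no approval on file and accounts with repeated failures. The approval data, entitlement export, user names and the log line format are all assumptions made for illustration; real systems emit their own formats, and the parser is deliberately strict so an unparseable line is skipped rather than misread.

```python
"""Access recertification against approval forms, plus a log-on history review.

Added example, not the deck's code. Assumptions (all constructed):
APPROVED mirrors signed access-request forms (user -> roles approved),
ACTUAL is the entitlement export, and LOGON_LOG uses a hypothetical
line format "<timestamp> LOGON user=<id> src=<ip> result=<SUCCESS|FAILURE>".
"""
import re
from collections import Counter

APPROVED = {"alice": {"AR_CLERK"}, "bob": {"AR_SUPERVISOR"}, "carol": {"HR_ADMIN"}}
ACTUAL = {
    "alice": {"AR_CLERK", "SYSADMIN"},   # SYSADMIN was never approved
    "bob": {"AR_SUPERVISOR"},            # matches the form
    "eve": {"PAYROLL_MANAGER"},          # account with no approval form at all
}

# Constructed log-on history; the last line is malformed on purpose.
LOGON_LOG = """\
2015-04-02T08:15:03 LOGON user=alice src=10.0.0.5 result=SUCCESS
2015-04-02T08:20:11 LOGON user=bob src=10.0.0.6 result=SUCCESS
2015-04-02T08:21:40 LOGON user=mallory src=10.0.0.9 result=FAILURE
2015-04-02T08:21:52 LOGON user=mallory src=10.0.0.9 result=FAILURE
2015-04-02T08:22:05 LOGON user=mallory src=10.0.0.9 result=FAILURE
2015-04-02T08:22:19 LOGON user=mallory src=10.0.0.9 result=FAILURE
2015-04-02T09:02:00 LOGON user=eve src=10.0.0.7 result=SUCCESS
malformed line that the parser must skip
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_logons(text):
    """Parse log lines into dicts with ts/user/src/result; lines that do not
    match the expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def access_exceptions(approved, actual):
    """Roles granted in the system with no matching approval: {user: [roles]}.
    A user absent from `approved` has every role reported."""
    out = {}
    for user, roles in actual.items():
        extra = roles - approved.get(user, set())
        if extra:
            out[user] = sorted(extra)
    return out


def unapproved_logons(events, approved):
    """Accounts that logged on successfully but have no approval form on file."""
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["user"] not in approved})


def failed_logon_counts(events, threshold=3):
    """Accounts with `threshold` or more failed log-ons: the detective-control
    view of the log-on history the slide mentions."""
    counts = Counter(e["user"] for e in events if e["result"] == "FAILURE")
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_logons(LOGON_LOG)
    print("access without approval:", access_exceptions(APPROVED, ACTUAL))
    print("log-ons by unapproved accounts:", unapproved_logons(events, APPROVED))
    print("repeated failures:", failed_logon_counts(events))
```

Both exception lists answer the slide's question of whether personnel have access only to the data they need: the entitlement diff shows excess grants, and the log-on check shows whether an unapproved account is not just present but in use.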

Integrity
In an accounting context, data integrity relates directly to the other management assertions, and to the Conceptual Framework’s notion of representational faithfulness. Thus, accounting information should represent what it purports to represent—quantities that actually exist, calculated from complete records, with due consideration to appropriate legal rights and obligations, and correctly valued in accordance with acceptable accounting procedures.

Change management: The IT audit should ensure that appropriate end‐user testing has occurred and that changes are working as intended and in a manner that can be relied upon.
Operations: Concerns in this area include testing of backup tapes for system restorability. If data cannot be restored, the company may have incomplete records.
Security: The auditor should understand whether she can rely on the system’s security. Are there ways in which it could be bypassed or compromised? What are the overriding security controls? Are they soft or hard?

Availability
Data that is not available to users is by definition useless to them. Relevant IT concerns include server reliability, access controls, protocols for distributing data, and concurrency issues.

Change management: Is the source code in a location where it can be restored? Are there rollback procedures in case of a failed change? Is the backup tape available in case management needs to access data that is not currently in the system?
Operations: The IT auditor should consider the ability of the server system to handle the day‐to‐day load. Does management have all the needed licenses and are they current? Are there any concerns about the computer system’s availability? The location and availability of backup tapes is important. How, if it were necessary, would an employee access prior‐year information that is no longer kept in the system?
Security: Whereas the primary security concern is unauthorized access, it’s also important that the system not lock out users who have innocently lost or forgotten a password. The IT auditor should understand procedures that ensure, as well as restrict, availability.

Illustrative IT Control Deficiencies and Potential Financial Audit Impact (slide titles only; the illustrative deficiencies themselves are not recoverable from this text)
• IT Entity Level
• Logical Security
• Change Management
• Operations
• Application Controls
• Spreadsheets / Reports
• SSAE 16 (SOC 1)

QUESTIONS?
