2011 ISACA
critical for financial reporting and regulatory compliance. Internal audit should provide assurance over other risks and related processes that are integral to achieving corporate and shareholder objectives.
Overview
Oversight and Governance
Business crisis
Management systems
Business resilience
People, culture and values
Current high-profile regulatory activity:
- Competition
- Anti-Bribery / FCPA
- Economic Crime
- Emissions / Carbon
- Senior Accounting Officer
- Industry Regulation
Off-shoring
Product lifecycles
Career disintegration
Sustainability risks
- Data security & privacy risks
- Treasury risks
- Regulatory compliance risks
- Business ethics risks
[Risk matrix: risks plotted by Importance (Low / Medium / High) against Preparedness (Low / Medium / High). Risks shown: Pandemic, Retrenchment of globalisation, Corruption, Cyber-terrorism, Regulatory change.]
Source: Economist Intelligence Unit, Risk 2018: Planning for an unpredictable decade
Common internal audit weaknesses:
- Quality assurance programs are not robust
- Stakeholder feedback is not solicited
- Lack of adequate measurement of return on investment and metrics
- Resolving issues with management requires significant time
- Lack of consistency in determining ratings
- Recommendations are not impactful
- Excessive time in the field
- Routine audits do not fully leverage data analytic tools
- Lack of standardized programs and procedures
Benefits
- Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business
- Reduced cost of internal audit
- Integrated assurance across all compliance / monitoring functions
- Comprehensive risk assessment
- Greater efficiencies through standardized and simplified processes
- An audit plan that provides assurance over risks aligned with shareholder value objectives (i.e., strategic, operational, technology, compliance, financial)
- Staffing model that suits stakeholder and enterprise needs (e.g., subject matter experts, global resources)
Control Activities
[Diagram: control activities (Business Performance Reviews; Automated controls and procedures; Reports generated from IT; Manual controls) mapped to financial statement assertions (Rights & Obligations; Presentation & Disclosure; Valuation; Existence & Occurrence).]
IT General Controls address risks arising from the use of IT systems, covering IT applications and infrastructure and the financial data they process.
IT Audit Scope
Matters to consider
1. Team work: one team
2. Team knowledge and understanding of each other's work
3. Timely communication
The more that companies grow internationally, the more they need to identify and develop potential leaders. Ideally, internal audit will train high-potential employees in key areas such as business controls, risk management, and IT audit, and then send them back into the field.
[Assurance map: assurance providers (Risk Mgmt, Special project, Mgmt review, Board, External Audit, Internal Audit) against risk areas (Financial reporting, Financial controls, Legal, IT, Treasury, Tax, pensions & insurance, Human Resources, Fraud, Health & Safety). Each cell is rated High assurance / Medium assurance / Low assurance / Not applicable.]
External audit integrated with internal audit
- Planning and scoping performed together
- Result: improved efficiency through elimination of duplicated effort

External audit integrated with many assurance providers (e.g. internal audit, compliance, legal)
- Share best practice on controls optimisation
- Result: improved efficiency through elimination of duplicated effort; improved effectiveness through introduction of best practice
Agenda
- Integrated Audits
- Integrated Audits / Integrated Auditor
- Integrated Audit
Core Banking, Mobile devices, Cloud Computing, Social Networking
[Diagram: IT Auditor coverage spanning ITGC, Applications, Application Controls and IT Infrastructure Services.]
Internal Auditing
1. An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
2. Performs a wide range of activities on behalf of the organization
3. Performed by holders of credentials such as CPA, CIA, CISA, CISM
Classification of Audits
Financial audits
To assess the correctness of an organization's financial statements.
Operational audits
To evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.
IS audits
Collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Integrated Auditor
To develop an expanded auditor skill set: essentially, to train financial/operational auditors to be partial IS auditors. Armed with a basic understanding of computers and of general and application controls, all auditors would be able to include IS control considerations in every audit, as well as use basic CAATs (computer-assisted audit techniques).
Organization
[Org chart: Internal Audit, with branches for Financial Audit, IT Audit and Operational Follow-up.]
- Application Systems
  - Application Controls
  - IT General Controls
- IT Infrastructure Controls
  - Database
  - Operating Systems
  - Network
[Diagram: IT Audit versus the integrated approach, showing how integrated audits combine the audit entity and fieldwork across both the business process and the IT process.]
Using an integrated internal audit team ensures that both the functional and technical risks of the project are included in the scope of the review. (Source: GTAG, Auditing IT Projects)
[Diagram: the comfort zone of each auditor type (IS Auditor, Financial Auditor, Operational Auditor) and the GAP between them.]
- The underlying technologies supporting business components
- Threats and vulnerabilities associated with the technology
- Specialized technical knowledge
Integrated audit?
- Financial Audit Plan
- Operational Audit Plan
- IT Audit Plan
Open questions:
- Assign integrated IT audit entities?
- Morale