Presentation transcript: "6 views, 6 expert presenters"

Slide 1: British Computer Society NORTH LONDON BRANCH
AudIT to BenefIT - 6 sides of the dice
Wednesday 16th January 2008, – 20.30
1 topic, 2 hours, 4 sponsors
6 views, 6 expert presenters
1 great audience
Slide 2: Are You an Auditor?
Slide 3: 4 Sponsors:
Gotham Digital Science
ISACA London Chapter
IT Faculty of the Institute of Chartered Accountants in England and Wales
SUPINFO The International Institute of Information Technology
Slide 4: 6 Views – plus more!
[Target start time 18.30]
BCS NLB Intro [10 mins.] - Dalim
Why audit? Who needs it? [15 mins.] - Justin
What does the auditor do? [15 mins.] - Nick
What's audited? [20 mins.] - Fraser
IT audit tools and techniques [15 mins.] - Martin
How auditors use COBIT & IT Assurance Guide - Lynn
How to plan to get value from your audits - Steven
BCS NLB end of formal event [10 mins.] - Dalim
[Target end time 20.30]
Informal networking (with food & drink) - ALL
Slide 5: 6 Expert Presenters
[MC] Dalim Basu, BCS NLB
FRASER NICOL, Ernst & Young
JUSTIN CLARKE, Gotham Digital Science
LYNN LAWTON, ISACA
MARTIN ALLEN, PwC
NICK FELLOWS, Barclays Plc
STEVEN BABB, KPMG & ISACA
[Supporting Cast: NLB team for this event] Jude Umeh, Patrick Roberts, Rebecca King
Slide 6: Why audit? Who needs it?
Justin Clarke, Director CISA, CISM, CISSP, A.Inst.ISP
Speaker notes: These folks need to make sure proper protections are in place so that the corporate objectives are achieved. It's not that they are snooping on you; it's that they are responsible to make sure you aren't overlooking anything.
Slide 7: What is an audit? Anyone?
A Definition
An audit is a professional, independent examination of a company's financial statements and accounting documents according to generally accepted accounting principles (Traditional)
An evaluation of a person, organization, system, process, project or product. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control (Wikipedia)
Speaker notes: Highlighted some key ideas in these definitions.
WACHOVIA CONFIDENTIAL FOR INTERNAL USE ONLY
Slide 8: Understanding your auditor
Internal or External?
Assurance or Audit?
Key ideas: Independence; Reasonable assurance; Material error; Evidence; Testing/Sampling
Speaker notes:
Internal – acts as employee of organisation, looking at internal control within company on behalf of management, normally reporting through to audit committee of Board
External – external third party, audits on behalf of external stakeholders but normally engaged by audit committee of Board
Audit has a specific meaning to Big 4 – normally means an opinion. Many things normally thought of as audit fall outside of this
Independence – will restrict how much concrete assistance your auditor can give you – can't test what they have been involved in developing
Reasonable assurance – not total, 100% - reliance
Material error – usually External. Also, not specifically looking for fraud
Evidence – some concrete information (filed forms, signoffs, filed workflow) is needed to show a process has taken place
Testing/Sampling – not total or 100%, representative sampling often used for testing
Slide 9: Why audit?
Mitigate risk
Regulatory/legal - financial
Measurement/management
Conformity/Compliance
Quality
Environmental
How are we doing?
Speaker notes:
Mitigate risk – risk based, assess and identify risks, mitigate (address, shift, or accept risk) – solidifying the unknown
Regulatory/legal – common example is external financial audit. Sarbanes Oxley
Compliance – e.g. Standards certification
Quality – e.g. ISO9001
Environmental – e.g. ISO14001
How are we doing – management measurement, performance improvement, process improvement
Slide 10: Who needs it?
Organisations: Large and small; Private, public and government
Stakeholders: Shareholders; Management; Tax payers
Slide 11: Types of audit
External – ITGC, ITAC, SAS70
Internal – Operational, Business Process, CobIT, COSO
Regulatory - Sarbanes Oxley, Basel II, MiFID
Conformity/Compliance – ISO17799/27001
Quality – ISO9001
Environmental – ISO14001
ITGC – IT General Controls
ITAC – IT Application Controls
Slide 13: Exploring the world of Internal Audit
What does the auditor do and why?
I am an auditor; the people I engage with to carry out an audit are auditees.
A possible reaction from an auditee might be: "Why me? Why now?"
To see why this is an unjustified greeting, let's start at the beginning and look at what I represent.
The world of audit – the process that got the internal auditor to your door…
Nick Fellows, CISA - Audit Manager, 16 January 2008
Slide 14: Agenda
The Audit Charter
The Audit Universe and the Audit Plan
This audit
Slide 15: The Audit Charter
This is a document that defines the Internal Audit function:
Its purpose, responsibility, authority and accountability.
What we are there to do
How we will maintain our independence and objectivity
How we will do it and conduct ourselves whilst doing it
The relationship between IA and its stakeholders
The KPIs, what they are and how they are measured
Standard S1 and Guideline G5 for Audit Charter can be found on the ISACA website
Speaker notes:
Barclays Internal Audit function embraces best practice and, in line with best practice, has published an Audit Charter. The content of an audit charter should reflect the needs of the organisation, so it is not appropriate to copy that of another organisation. An Internal Audit function is expensive; its job is to protect the organisation's bottom line, and the only way it can do that is by helping line management do its job more effectively. So it is no surprise that it should be expected to document exactly how it will do this.
The Charter reflects the contract between the Internal Audit function and its stakeholders. It sets out the terms of reference under which the function operates, including:
Its purpose, responsibility, authority and accountability.
What we are there to do: to provide objective assurance over the effectiveness of the organisation's control environment such that risks are mitigated in line with the organisation's risk appetite.
How we will maintain our independence and objectivity: reporting lines to ensure objectivity and independence.
How we will do it and conduct ourselves whilst doing it: identify the stakeholders and define the relationship with them (including such bodies as the Board Audit Committee, the Executive, line management, regulators and external audit). Think in particular what the Board Audit Committee might be expecting of audit – insights that are not available from line management: joined up thinking, issues that recur in different parts of the organisation, insights from elsewhere in the same sector, insights from regulators and external auditors.
The relationship between IA and its stakeholders.
The KPIs, what they are and how they are measured.
Go look on your own intranets for the Audit Charter; it will allow you to understand what Audit is about. Otherwise, ISACA has published a Standard and a Guideline that can form the basis of developing an Audit Charter for your organisation, freely available (no restriction to members).
So, now that you understand that audit's job is to protect and enhance the company bottom line – much the same as any line manager, how should you feel?
But of course it is all about you, isn't it? You want to know why the auditor turned up today.
Slide 16: The Audit Universe and the Audit Plan
How does the audit department work out what to do?
Populate the audit universe
Prioritise based on risk ranking
Plan
Agree with stakeholders and get sign off from the Board Audit Committee
Speaker notes:
How does the audit department work out what to do?
Populate the audit universe (all the things that could be looked at).
Risk ranking: a risk-based approach will see the highest and emerging risks identified, and a series of audits to review how well the organisation is rising to the challenge and how effective the organisation is at designing and operating controls that seek to reduce the risks to a level that the organisation is comfortable with – the organisation's risk appetite. Areas of the organisation with least risk will see least audit attention; those with the most will see frequent, even on-going audit attention (think of continuous auditing embedded within the applications used by the business as an example).
Plan: matching what could be done to available resources. Time horizon of the plan is usually around 3 years. Plan revisited at least quarterly.
Agree with stakeholders and get sign off from the Board Audit Committee. The BAC will be looking for insights that are not available from line management. Joined up thinking: issues that recur in different parts of the organisation, insights from elsewhere in the same sector, insights from regulators and external auditors.
You can see that, once the audit plan has been put together, the business will know what audits are planned and when in the year they are to fall – and that the schedule should (having been agreed with stakeholders so as to be a practical plan) mean that the auditors arrive when you can physically cope with them!
Slide 17: The audit
Understanding the processes, working out the key controls.
The 'intention to audit'.
Testing the controls.
And the consequence was…
The report and follow up actions.
Speaker notes:
Understanding the processes, working out the key controls. In a well run department like yours you will of course understand your business processes, you will have mapped them, including the control steps, and have an understanding of what the key controls are and how your management assures itself of the continuing effective operation of those controls. But nonetheless IA will walk through those processes with you to confirm their currency and to understand how best to test both the design effectiveness of the set of controls applied to the whole process and the operational effectiveness of the key controls. Once the test strategy is determined, formal notification of the engagement will be issued. This is also the stage where already known weaknesses that are subject to 'remediation in progress' will be discussed and documented by IA for inclusion in the report.
The intention to audit. This, or some such named document, will serve formal notice to stakeholders that the audit will take place on the agreed dates. 'Brace yourselves, we are coming in.'
Testing the controls. It is in the testing of controls that audit may have some surprises for you. CAATs may disclose control weaknesses you were not aware of. IA will also find you out in those cases where you operated a control but kept an inadequate trail of the proof. Sampling will be done to assure, to an appropriate level of confidence, that the controls operate effectively.
And the consequence was… Any potential weaknesses identified in the control environment have to be discussed with management to be sure of the consequences and to determine the actions that you agree to take to remediate them; it will fall to you to implement those actions within a timescale. Anything less than 100% engagement from line management can devalue an observation (Barclays-speak for an audit finding that is material enough for inclusion in an audit report; it contains a description of the weakness, the consequence and management's actions and timescale for remediation).
The report and follow up actions. Stakeholders are highly intolerant of observations that are not made with a compelling 'so what' justification, and of observations where the agreed remediations are not undertaken within agreed timescales or at all. The report reaches the highest levels of management in the organisation, has to be readily understandable and absolutely accurate, and can have career limiting impact on staff held to account.
Slide 18: Closing thoughts
Risks are mitigated by controls. Whose controls? – yours.
An audit is not something that is done to you. It is something that is done with you.
The more you prepare, the less painful the review will be.
Slide 19: What is Audited?
Fraser Nicol – Technology Security and Risk Services, Ernst and Young
AudIT to BenefIT
Presentation to British Computer Society
Slide 20: IT audit – who, why, what and how?
Internal auditing – is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations
External auditing – is an independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented
Both approaches are characterised by a systematic approach to the evaluation of risk management, control and governance processes.
A common industry standard for IT auditing is COBIT 4.1 – Control Objectives for Information and Related Technology. A set of leading practices (framework) for information technology (IT) management, created and governed by the Information Systems Audit and Control Association (ISACA). COBIT is organised into 4 domains:
Plan and Organise
Acquire and Implement
Delivery and Support
Monitor and Evaluate
Speaker notes: Discuss who the key customers and stakeholders are in Internal Audits and External Audits, and also the potential impacts on the areas being audited of both types of audit. Talk about some of the differences between the two approaches: Internal Audits tend to be one off, in depth, and focused on the achievement of business objectives; External Audits tend to be highly structured, objective and re-performable, focused on key financial applications and data, and repeated on an annual basis. Introduce COBIT as a set of standards and guidelines which IT professionals can use to enhance their control and governance processes. Many external audit and internal audit work plans (especially those which need to be performed to a certain standard or consistently re-performed) utilise COBIT.
Slide 21: Who audits what?
PO - Plan and Organise (Expect Internal Audit Focus): IT Strategic Alignment; IT Project Management; IT Risk Management; Online Sales Application Project
AI - Acquire and Implement (Expect Internal Audit Focus): IT Procurement; SDLC; Change Management
Cross Domain Reviews: Third Party Managed Services
DS - Delivery and Support (Expect External Audit Focus): Application Review; DRP / BCP; System Security; Network Management Review
ME - Monitor and Evaluate: IT Control Operation; Software Licensing; KPI / SLA Review; Data Centre Management Review
Speaker notes: Discuss how different Audit Reviews may leverage different areas of COBIT. Internal Audits will focus on standards and practices which support business unit objectives, while External Audits will focus on those which support controls over financial data. Often reviews will cross a number of COBIT domains. Run through each of the reviews and their likely objectives. Discuss the benefits of this review for the business unit being audited and also the likely differences of approach between External and Internal Audit.
Slide 22: What gets audited and why?
Example IT risks identified:
1. IT Infrastructure Scalability
2. Exploitation of Security Vulnerabilities
3. IT Strategy not formulated
4. IT Upgrade Activities lead to loss of service
5. Inappropriate IT User activity
Key IT audit approach chart (inherent risk plotted against control maturity; the example risks are plotted on it by number):
Threat bands: Very significant threat 21–25; Significant threat 16–20; Moderate threat 11–15; Low threat 6–10; No threat 1–5
Inherent risk axis: 1 to 5
Control maturity axis: No controls; Ad hoc; Partially controlled; Fully controlled; Over controlled
Zones: A – Potential Over Control; B – Low Risk / Mature Controls; C – Low Risk / Limited Controls; D – Higher Risk / Mature Controls; E – Higher Risk / Limited Controls
Speaker notes: Explain the risk assessment process. Discuss how this underpins the planning of Internal Audits. Emphasise the link between Internal Audit planning and the identification of actions / improvement opportunities for IT teams.
1. Explain that assurance is sought by three principal stakeholder groups: Business management, Audit committees, External audit.
2. Discuss approaches for assessing risk and control maturity: self assessment, previous audits, etc.
3. Discuss outcomes from risk assessment: Audit Review, Control Redesign, Risk Remediation, etc.
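The chart above gives the threat bands and the A to E zones but not the arithmetic that places a risk on it. The following is an added example, not from the presentation or any of the presenters, that fills that in under stated assumptions: inherent risk is rated 1 to 5, control maturity uses the slide's five steps, the 1 to 25 threat score is inherent risk multiplied by a control weakness weight (5 for "No controls" down to 1 for "Over controlled"), and the zones are split at inherent risk 3 and at the "Fully controlled" step. The five sample risks are constructed; only their names come from the slide.

```python
"""Score IT risks against the 'key IT audit approach chart' from the slide.

Added example; the scoring rule, the zone cut-offs and the sample ratings are
assumptions, not taken from the presentation.
"""
from dataclasses import dataclass

# Control maturity steps as labelled on the slide's horizontal axis.
MATURITY = ["No controls", "Ad hoc", "Partially controlled", "Fully controlled", "Over controlled"]

# Threat bands as labelled on the slide (lower bound of each band, highest first).
THREAT_BANDS = [
    (21, "Very significant threat"),
    (16, "Significant threat"),
    (11, "Moderate threat"),
    (6, "Low threat"),
    (1, "No threat"),
]


@dataclass
class ITRisk:
    number: int
    name: str
    inherent_risk: int  # 1 (lowest) to 5 (highest): assumed scale
    maturity: str       # one of MATURITY


def control_weakness(maturity: str) -> int:
    """Assumption: weight 'No controls' as 5 down to 'Over controlled' as 1."""
    if maturity not in MATURITY:
        raise ValueError(f"unknown control maturity: {maturity!r}")
    return 5 - MATURITY.index(maturity)


def threat_score(risk: ITRisk) -> int:
    """Assumption: score = inherent risk x control weakness, giving 1..25."""
    if not 1 <= risk.inherent_risk <= 5:
        raise ValueError("inherent risk must be rated 1..5")
    return risk.inherent_risk * control_weakness(risk.maturity)


def threat_band(score: int) -> str:
    """Map a 1..25 score to the slide's threat band."""
    for lower_bound, label in THREAT_BANDS:
        if score >= lower_bound:
            return label
    raise ValueError("score must be 1..25")


def zone(risk: ITRisk) -> str:
    """Place a risk in zone A..E. Assumption: 'higher risk' is inherent risk >= 3,
    'mature controls' is 'Fully controlled' or better."""
    higher = risk.inherent_risk >= 3
    mature = MATURITY.index(risk.maturity) >= MATURITY.index("Fully controlled")
    if not higher and risk.maturity == "Over controlled":
        return "A - Potential Over Control"
    if not higher:
        return "B - Low Risk / Mature Controls" if mature else "C - Low Risk / Limited Controls"
    return "D - Higher Risk / Mature Controls" if mature else "E - Higher Risk / Limited Controls"


def assess(risks: list[ITRisk]) -> list[tuple[int, str, int, str, str]]:
    """Return (number, name, score, band, zone) rows, highest threat first."""
    rows = [(r.number, r.name, threat_score(r), threat_band(threat_score(r)), zone(r)) for r in risks]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed sample ratings (names from the slide, ratings made up for illustration).
SAMPLE_RISKS = [
    ITRisk(1, "IT Infrastructure Scalability", 3, "Ad hoc"),
    ITRisk(2, "Exploitation of Security Vulnerabilities", 4, "Ad hoc"),
    ITRisk(3, "IT Strategy not formulated", 5, "Ad hoc"),
    ITRisk(4, "IT Upgrade Activities lead to loss of service", 5, "Partially controlled"),
    ITRisk(5, "Inappropriate IT User activity", 4, "Partially controlled"),
]

if __name__ == "__main__":
    for number, name, score, band, zone_label in assess(SAMPLE_RISKS):
        print(f"{number}. {name}: score {score}, {band}, zone {zone_label}")
```

The sorted output is the order in which the risks would compete for a place in the audit plan; anything landing in zone E is the natural candidate for the management action plan shown on the next slide.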
Slide 23: How – can IT benefit?
Extract from a management action plan (columns: #; Risk (risk owner); Current Control Environment; Governance Strategy; Action Owner; Completion Date; Status). One row is shown:
#: 1 (Higher Risk / Limited Controls)
Risk (risk owner): Current IT infrastructure is not scalable to support anticipated service requirements
Current Control Environment: Ad Hoc Controls. KPIs between IT and key user groups are in place; IT occasionally performs capacity and service monitoring
Governance Strategy: IT Management to perform a full scale assessment with key user groups as to future IT needs; IT Management to review current capacity and infrastructure upgrade plans to align to user needs; IT Management to continuously monitor the provision of key services and agreed service levels
Action Owner: IT Management
Status: Open
Speaker notes: Extract from a management action plan – explain that known risks are often best addressed by the business themselves rather than becoming part of the audit plan. Areas of concern will be entered into the IT Audit Plan – explain what an audit plan is and the level of detail it goes into (high level) when sent to the Audit Committee for the coming year. Management can benefit from keeping (and acting upon) up to date action plans which address their key IT risks. This reduces the amount of audit work required and allows auditors to work at a higher level (i.e. by relying on the work of management). Management should also seek to be proactively involved in both the risk assessment and audit planning processes to ensure that planned audits are focused on areas of high risk.
Slide 24: Summary
Understand who the auditors are, what they are looking for, and what the output of the audit is going to be
Understand the risks to your own areas; be proactive in engaging with the auditors to explain your area and align their understanding of key risks with yours
Early planning is always performed at a high level; sometimes the principal actions sit with IT or the business. You need to be involved as closely as possible in audit planning to
Slide 26: Tools and Techniques
Martin Allen FIIA, QiCA, CISA
16 January 2008
PwC
Slide 27: Tools and Techniques – The Environment (diagram)
Elements shown: Raw goods and services; Income; Laws and regulations; Competitor Intelligence; Social responsibilities; Finished goods and services; Expenditure; Financial Accountants; Corporate Reporting; Non-financial/regulatory reporting; Corporate Entity; Computer System; Financial Records; Management Accounts; MIS / Datawarehouse
Slide 28: Tools and Techniques
Indicators that computer tools and techniques would help the audit process:
Requirement to analyse large volumes of data or complex calculations
Reliance upon reports generated from computer systems
'Black box' style systems where complex processing of data is not transparent
Key reconciliation reports regularly highlight differences
New or modified systems
Interfaces between computer systems poorly controlled
Slide 29: Tools and Techniques
Tools available on the desktop: Spreadsheets; Databases; MS Query
Slide 30: Tools and Techniques
Tools that can be acquired: IDEA; ACL; OAK; Datanomic
Slide 31: Tools and Techniques
Risks:
Can allow the auditor to reach the wrong conclusion
Easy for inexperienced auditors to be caught out
Data interrogation does not test controls
Benefits:
Allows 100% sample size
Allows quick identification of unusual or required data
Allows the auditor to use the power of the computer to improve the efficiency and effectiveness of the audit
Slide 33: How Auditors use COBIT® and the IT Assurance Guide
Lynn Lawton, International President, ISACA, Inc, and The IT Governance Institute, Inc.
Slide 34: ISACA and The IT Governance Institute
Over 70,000 members in 140 countries
Develop and maintain tools for IT and business management, e.g. COBIT and ValIT
Develop and administer certifications, e.g. CISA, CISM, and, coming soon, CGEIT
Deliver conferences and educational events around the world
Deliver research and thought leadership on topical issues
Slide 35: COBIT Framework (diagram)
Business objectives and governance objectives drive Information, which must meet the criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability.
IT resources: Applications; Information; Infrastructure; People.
PLAN AND ORGANISE:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
ACQUIRE AND IMPLEMENT:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
DELIVER AND SUPPORT:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
MONITOR AND EVALUATE:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Slide 38: Measuring progress (chart)
IT Process/Maturity Levels for Process XX, rated across the attributes: Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility, Accountability; Goal Setting, Measurement.
Maturity levels: 1 Initial/Ad Hoc; 2 Repeatable but Intuitive; 3 Defined Process; 4 Managed and Measurable; 5 Optimised.
Legend: Start point; Interim target status; Where you want to be.
Speaker notes: This slide highlights the five focus areas of IT governance as defined by ITGI.

Slide 39: Measuring progress (chart)
IT Process/Maturity Levels for Process XX plotted over time: 2007 Q1, 2007 Q2, 2007 Q3, 2007 Q4, 2008 Q1, 2008 Q2.
Maturity levels: 1 Initial/Ad Hoc; 2 Repeatable but Intuitive; 3 Defined Process; 4 Managed and Measurable; 5 Optimised.
Legend: Start point; Interim target status; Where you want to be.
Speaker notes: This slide highlights the five focus areas of IT governance as defined by ITGI.
Slide 40: ISACA and The IT Governance Institute
For more information, visit:
Slide 41: How to plan to get value from your audits
16 January 2008
AUDIT
Slide 42: Disclaimer
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Slide 43: Agenda
Recap – What is audit?
Pre-audit activities
During the audit
What happens next?
Slide 44: Recap – What is audit?
Internal auditing: internal, yet independent assurance over internal controls; designed to add value and improve an organisation's operations
External auditing: external, independent opinion over financial statements
Audit should be viewed as a critical friend rather than a hindrance
It can add value to your organisation – so treat it this way
An audit is not something that is done to you; it is something that is done with you
Slide 45: Pre-audit activities
What to do before the audit takes place:
Understand who the auditors are, their scope, objectives and deliverables
Get involved in audit planning – understand the risks and issues in your own areas
You can influence – are there any areas you want covered?
Plan – the more you prepare, the less painful the review will be
Have a central point of contact
Confirm logistical arrangements
Slide 46: During the audit
Maintain contact with your auditors: the central point of contact will be key in ensuring a smooth audit
Arrange regular catch-up meetings
Understand what the key findings are
Have the auditors got a clear handle on the risks?
Are the key findings valid?
Is the audit on track?
What are the next steps?
Slide 47: What happens next?
How to reap the benefits for your organisation:
Ensure that you get to review findings at draft report stage
Be positive about the findings – don't take the outcome as personal criticism
Prepare a plan to address any issues identified and publish it – make sure the plan is implemented!
Roll out learning points across your organisation, wherever possible
Prepare for your next audit!
Slide 48: Presenter's contact details
Steven Babb
KPMG LLP (UK)
+44 (0)