6 views, 6 expert presenters

Presentation on theme: "6 views, 6 expert presenters"— Presentation transcript:

1 6 views, 6 expert presenters
British Computer Society NORTH LONDON BRANCH
AudIT to BenefIT - 6 sides of the dice
Wednesday 16th January 2008, – 20.30
1 topic, 2 hours, 4 sponsors
6 views, 6 expert presenters
1 great audience

2 British Computer Society NORTH LONDON BRANCH
Are You an Auditor?

3 British Computer Society NORTH LONDON BRANCH
4 Sponsors:
* Gotham Digital Science
* ISACA London Chapter
* IT Faculty of the Institute of Chartered Accountants in England and Wales
* SUPINFO The International Institute of Information Technology

4 British Computer Society NORTH LONDON BRANCH
6 Views – plus more!
[Target start time 18.30]
BCS NLB Intro [10 mins.] - Dalim
Why audit? Who needs it? [15 mins.] - Justin
What does the auditor do? [15 mins.] - Nick
What’s audited? [20 mins.] - Fraser
IT audit tools and techniques [15 mins.] - Martin
How auditors use COBIT & IT Assurance Guide [15 mins.] - Lynn
How to plan to get value from your audits [15 mins.] - Steven
BCS NLB end of formal event [10 mins.] - Dalim
[Target end time 20.30]
Informal networking (with food & drink) - ALL

5 British Computer Society NORTH LONDON BRANCH
6 Expert Presenters
[MC] Dalim Basu, BCS NLB
FRASER NICOL, Ernst & Young
JUSTIN CLARKE, Gotham Digital Science
LYNN LAWTON, ISACA
MARTIN ALLEN, PwC
NICK FELLOWS, Barclays Plc
STEVEN BABB, KPMG & ISACA
[Supporting Cast: NLB team for this event] Jude Umeh, Patrick Roberts, Rebecca King

6 Why audit? Who needs it?
Justin Clarke, Director CISA, CISM, CISSP, A.Inst.ISP
These folks need to make sure proper protections are in place so that the corporate objectives are achieved. It’s not that they are snooping on you; it’s that they are responsible to make sure you aren’t overlooking anything.

7 What is an audit? Anyone? A Definition
An audit is a professional, independent examination of a company's financial statements and accounting documents according to generally accepted accounting principles (Traditional)
An evaluation of a person, organization, system, process, project or product. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control (Wikipedia)
Highlighted some key ideas in these definitions
WACHOVIA CONFIDENTIAL FOR INTERNAL USE ONLY

8 Understanding your auditor
Internal or External? Assurance or Audit?
Key ideas: Independence; Reasonable assurance; Material error; Evidence; Testing/Sampling
Internal – acts as employee of organisation, looking at internal control within company on behalf of management, normally reporting through to audit committee of Board
External – external third party, audits on behalf of external stakeholders but normally engaged by audit committee of Board
Audit has a specific meaning to Big 4 – normally means an opinion. Many things normally thought of as audit fall outside of this.
Independence – will restrict how much concrete assistance your auditor can give you – can’t test what they have been involved in developing
Reasonable assurance – not total, 100% - reliance
Material error – usually External. Also, not specifically looking for fraud
Evidence – some concrete information (filed forms, signoffs, filed workflow) is needed to show a process has taken place
Testing/Sampling – not total or 100%, representative sampling often used for testing

9 Why audit?
Mitigate risk
Regulatory/legal - financial
Measurement/management
Conformity/Compliance
Quality
Environmental
How are we doing?
Mitigate risk – risk based, assess and identify risks, mitigate (address, shift, or accept risk) – solidifying the unknown
Regulatory/legal – common example is external financial audit. Sarbanes Oxley
Compliance – e.g. Standards certification
Quality – e.g. ISO9001
Environmental – e.g. ISO14001
How are we doing – management measurement, performance improvement, process improvement

10 Who needs it?
Organisations – Large and small; Private, public and government
Stakeholders – Shareholders; Management; Tax payers

11 Types of audit
External – ITGC, ITAC, SAS70
Internal – Operational, Business Process, CobIT, COSO
Regulatory - Sarbanes Oxley, Basel II, MiFID
Conformity/Compliance – ISO17799/27001
Quality – ISO9001
Environmental – ISO14001
ITGC – IT General Controls
ITAC – IT Application Controls

12 Contact

13 Exploring the world of Internal Audit
What does the auditor do and why?
I am an auditor, the people I engage with to carry out an audit are auditees. A possible reaction from an auditee might be: “Why me? Why now?” To see why this is an unjustified greeting, let’s start at the beginning and look at what I represent.
The world of audit – the process that got the internal auditor to your door…
Nick Fellows, CISA - Audit Manager 16 January 2008

14 Agenda
The Audit Charter
The Audit Universe and the Audit Plan
This audit

15 The Audit Charter
This is a document that defines the Internal Audit function:
Its purpose, responsibility, authority and accountability.
What we are there to do
How we will maintain our independence and objectivity
How we will do it and conduct ourselves whilst doing it
The relationship between IA and its stakeholders
The KPIs, what they are and how they are measured
Standard S1 and Guideline G5 for Audit Charter can be found on the ISACA website
Barclays Internal Audit function embraces best practice and in line with best practice has published an Audit Charter. The content of an audit charter should reflect the needs of the organisation so it is not appropriate to copy that of another organisation.
An Internal Audit function is expensive, its job is to protect the organisation’s bottom line and the only way it can do it is by helping line management do its job more effectively. So no surprise that it should be expected to document exactly how it will do this.
The Charter reflects the contract between the Internal Audit function and its stakeholders. It sets out the terms of reference under which the function operates including:
Its purpose, responsibility, authority and accountability.
What we are there to do – To provide objective assurance over the effectiveness of the organisation’s control environment such that risks are mitigated in line with the organisation’s risk appetite.
How we will maintain our independence and objectivity – Reporting lines to ensure objectivity and independence
How we will do it and conduct ourselves whilst doing it – identify the stakeholders and define the relationship with them (including such bodies as the Board Audit Committee, the Executive, line management, regulators and external audit). Think in particular what the Board Audit Committee might be expecting of audit – insights that are not available from line management. Joined up thinking, issues that recur in different parts of the organisation, insights from elsewhere in the same sector, insights from regulators and external auditors.
The relationship between IA and its stakeholders
The KPIs, what they are and how they are measured
Go look on your own intranets for the Audit Charter, it will allow you to understand what Audit is about. Otherwise, ISACA has published a Standard and a Guideline that can form the basis of developing an Audit Charter for your organisation, freely available (no restriction to members).
So, now that you understand that audit’s job is to protect and enhance the company bottom line – much the same as any line manager, how should you feel? But of course it is all about you, isn’t it, you want to know why the auditor turned up today?

16 The Audit Universe and the Audit Plan
How does the audit department work out what to do?
Populate the audit universe
Prioritise based on risk ranking
Plan
Agree with stakeholders and get sign off from the Board Audit Committee
How does the audit department work out what to do?
Populate the audit universe (all the things that could be looked at)
Risk ranking – A risk-based approach will see the highest, and emerging, risks identified and a series of audits to review how well the organisation is rising to the challenge and how effective the organisation is at designing and operating controls that seek to reduce the risks to a level that the organisation is comfortable with – the organisation’s risk appetite. Areas of the organisation with least risk will see least audit attention, those with the most will see frequent, even on-going audit attention (think of continuous auditing embedded within the applications used by the business as an example).
Plan – matching what could be done to available resources. Time horizon of the plan is usually around 3 years. Plan revisited at least quarterly.
Agree with stakeholders and get sign off from the Board Audit Committee – The BAC will be looking for insights that are not available from line management. Joined up thinking: issues that recur in different parts of the organisation, insights from elsewhere in the same sector, insights from regulators and external auditors.
You can see that, once the audit plan has been put together, the business will know what audits are planned and when in the year they are to fall – and that the schedule should (having been agreed with stakeholders so as to be a practical plan) mean that the auditors arrive when you can physically cope with them!

17 The audit
Understanding the processes, working out the key controls.
The ‘intention to audit’.
Testing the controls.
And the consequence was…
The report and follow up actions.
Understanding the processes, working out the key controls. In a well run department like yours you will of course understand your business processes, you will have mapped them, including the control steps, have an understanding of what the key controls are and how your management assures itself of the continuing effective operation of those controls. But nonetheless IA will walk through those processes with you to confirm their currency and to understand how best to test both the design effectiveness of the set of controls applied to the whole process and the operational effectiveness of the key controls. Once the test strategy is determined, formal notification of the engagement will be issued. This is also the stage where already known weaknesses that are subject to ‘remediation in progress’ will be discussed and documented by IA for inclusion in the report.
The intention to audit. Or some such named document will serve formal notice to stakeholders that the audit will take place on the agreed dates. ‘Brace yourselves, we are coming in’
Testing the controls. It is in the testing of controls that audit may have some surprises for you. CAATs may disclose control weaknesses you were not aware of. IA will also find you out in those cases where you operated a control but kept an inadequate trail of the proof. Sampling will be done to assure to an appropriate level of confidence that the controls operate effectively.
And the consequence was… Any potential weaknesses identified in the control environment have to be discussed with management to be sure of the consequences and to determine the actions that you agree to take to remediate them; it will fall to you to implement these within a timescale. Anything less than 100% engagement from line management can devalue an observation (Barclays-speak for an audit finding that is material enough for inclusion in an audit report; it contains a description of the weakness, the consequence and management’s actions and timescale for remediation).
The report and follow up actions. Stakeholders are highly intolerant of observations that are not made with a compelling ‘so what’ justification, nor of observations where the agreed remediations are not undertaken within agreed timescales or at all. The report reaches the highest levels of management in the organisation, has to be readily understandable, absolutely accurate and can have career limiting impact on staff held to account.

18 Closing thoughts
Risks are mitigated by controls. Whose controls? – yours.
An audit is not something that is done to you. It is something that is done with you.
The more you prepare, the less painful the review will be.

19 What is Audited?
Fraser Nicol – Technology Security and Risk Services, Ernst and Young
AudIT to BenefIT
Presentation to British Computer Society

20 IT audit – who, why, what and how?
Internal auditing – is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations
External auditing – is an independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented
Both approaches are characterised by a systematic approach to the evaluation of risk management, control and governance processes.
A common industry standard for IT auditing is: COBIT 4.1 – Control Objectives for Information and Related Technology. Set of leading practices (framework) for information technology (IT) management. Created and governed by Information Systems Audit and Control Association (ISACA).
COBIT is organised into 4 domains:
Plan and Organise
Acquire and Implement
Delivery and Support
Monitor and Evaluate
Discuss who the key customers and stakeholders are in Internal Audits and External Audits. Also the potential impacts on the areas being audited of both types of audits. Talk about some of the differences between the two approaches: Internal Audits tend to be one off, in depth, and focused on the achievement of business objectives; External Audits tend to be highly structured, objective and re-performable, focused on key financial applications and data, and repeated on an annual basis. Introduce COBIT as a set of standards and guidelines which IT professionals can use to enhance their control and governance processes. Many external audit and internal audit work plans (especially those which need to be performed to a certain standard or consistently re-performed) utilise COBIT.

21 Who audits what?
PO - Plan and Organise [Expect Internal Audit Focus]: IT Strategic Alignment; IT Project Management; IT Risk Management; Online Sales Application Project
AI - Acquire and Implement [Expect Internal Audit Focus]: IT Procurement; SDLC; Change Management
Cross Domain Reviews: Third Party Managed Services
DS - Delivery and Support: Application Review; DRP / BCP; System Security; Network Management Review [Expect External Audit Focus]
ME - Monitor and Evaluate: IT Control Operation; Software Licensing; KPI / SLA Review; Data Centre Management Review
Discuss how different Audit Reviews may leverage different areas of COBIT. Internal Audits will focus on standards and practices which support business unit objectives, while External Audits will focus on those which support controls over financial data. Often reviews will cross a number of COBIT domains. Run through each of the reviews and their likely objectives. Discuss the benefits of this review for the business unit being audited and also the likely differences of approach between External and Internal Audit.

22 What gets audited and why?
Example IT risks identified:
IT Infrastructure Scalability
Exploitation of Security Vulnerabilities
IT Strategy not formulated
IT Upgrade Activities lead to loss of service
Inappropriate IT User activity
[Chart: the numbered risks 1–5 plotted by Inherent risk against Control maturity (No controls; Ad hoc; Partially controlled; Fully controlled; Over controlled). Threat bands: Very significant threat 21–25; Significant threat 16–20; Moderate threat 11–15; Low threat 6–10; No threat 1–5.]
Key to IT audit approach chart:
A – Potential Over Control
B – Low Risk / Mature Controls
C – Low Risk / Limited Controls
D – Higher Risk / Mature Controls
E – Higher Risk / Limited Controls
Explain the risk assessment process. Discuss how this underpins the planning of Internal Audits. Emphasise the link between Internal Audit planning and the identification of actions / improvement opportunities for IT teams.
1. Explain that assurance is sought by three principal stakeholder groups: Business management, Audit committees, External audit.
2. Discuss approaches for assessing risk and control maturity: self assessment, previous audits, etc.
3. Discuss outcomes from risk assessment: Audit Review, Control Redesign, Risk Remediation, etc.

23 How – can IT benefit?
Extract from a management action plan. Columns: # | Risk (risk owner) | Current Control Environment | Governance Strategy | Action | Owner | Completion Date | Status
Row 1 – Higher Risk / Limited Controls
Risk: Current IT infrastructure is not scalable to support anticipated service requirements
Current Control Environment: Ad Hoc Controls – KPIs between IT and key user groups are in place; IT occasionally performs capacity and service monitoring
Owner: IT Management
Action: IT Management to perform a full scale assessment with key user groups as to future IT needs; IT Management to review current capacity and infrastructure upgrade plans to align to user needs; IT Management to continuously monitor the provision of key services and agreed service levels
Status: Open
Extract from a management action plan – Explain that known risks are often best addressed by the business themselves rather than becoming part of the audit plan. Areas of concern will be entered into the IT Audit Plan - Explain what an audit plan is and the level of detail it goes into (high level) when sent to Audit Committee for the coming year.
Management can benefit from keeping (and acting upon) up to date action plans which address their key IT risks. This reduces the amount of audit work required and allows auditors to work at a higher level (i.e. by relying on the work of management). Management should also seek to be proactively involved in both the risk assessment and audit planning processes to ensure that planned audits are focused on areas of high risk.

24 Summary
Understand who the auditors are, what they are looking for, and what the output of the audit is going to be
Understand the risks to your own areas, be proactive in engaging with the auditors to explain your area and align their understanding of key risks with yours
Early planning is always performed at a high level, sometimes the principal actions sit with IT or the business. You need to be involved as closely as possible in audit planning to

25 Contact Fraser Nicol, Senior Manager Tel: 020 7951 0748

26 Tools and Techniques Martin Allen FIIA, QiCA, CISA 16 January 2008 PwC

27 Tools and Techniques – The Environment
[Diagram labels: Corporate Entity; Computer System; Financial Records; Management Accounts; MIS/Datawarehouse; Raw goods and services; Income; Laws and regulations; Competitor Intelligence; Social responsibilities; Finished goods and services; Expenditure; Financial Accountants; Corporate Reporting; Non-financial/regulatory reporting]

28 Tools and Techniques
Indicators that computer tools and techniques would help audit process:
Requirement to analyse large volumes of data or complex calculations
Reliance upon reports generated from computer systems
‘Black box’ style systems where complex processing of data is not transparent
Key reconciliation reports regularly highlight differences
New or modified systems
Interfaces between computer systems poorly controlled

29 Tools and Techniques
Tools available on the desktop: Spreadsheets; Databases; MS Query

30 Tools and Techniques
Tools that can be acquired: IDEA; ACL; OAK

31 Tools and Techniques
Risks:
Can allow the auditor to reach the wrong conclusion
Easy for inexperienced auditors to be caught out
Data interrogation does not test controls
Benefits:
Allows 100% sample size
Allows quick identification of unusual or required data
Allows auditor to use the power of the computer to improve the efficiency and effectiveness of the audit
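The following Python is an added illustration of the data-interrogation technique that slides 28 and 31 describe; it is not code from the presentation or from IDEA, ACL or OAK. It reconciles a constructed source extract against the constructed extract of a downstream system it feeds, over 100% of both populations rather than a sample, and flags amounts that are unusual for the population. All records, references, amounts and thresholds are made up for the example.

```python
"""
Constructed CAAT-style data interrogation (added example; not code from the
presentation or from IDEA/ACL/OAK). Reconciles a source system extract against
the extract of a downstream system it feeds, across the whole population, and
flags unusual amounts. Every record below is made up for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    ref: str      # transaction reference shared by both systems
    amount: float


# Constructed sample extracts: a ledger feed (source) and what the downstream
# system actually recorded (target). Seeded with one of each exception type.
SOURCE = [
    Txn("T001", 120.00),
    Txn("T002", 85.50),
    Txn("T003", 85.50),    # never reached the target system
    Txn("T004", 40.00),
    Txn("T004", 40.00),    # duplicate reference in the source
    Txn("T005", 9900.00),  # an amount far outside the normal range
    Txn("T006", 60.25),
    Txn("T007", 15.00),
]
TARGET = [
    Txn("T001", 120.00),
    Txn("T002", 85.05),    # digits transposed on the interface
    Txn("T004", 40.00),
    Txn("T005", 9900.00),
    Txn("T006", 60.25),
    Txn("T007", 15.00),
    Txn("T008", 33.00),    # exists only in the target
]


def control_totals(source, target):
    """The traditional reconciliation report: totals and their difference."""
    src_total = round(sum(t.amount for t in source), 2)
    tgt_total = round(sum(t.amount for t in target), 2)
    return {"source": src_total, "target": tgt_total,
            "difference": round(src_total - tgt_total, 2)}


def reconcile(source, target, tolerance=0.005):
    """Item-level reconciliation over 100% of both populations.

    A matching control total can hide offsetting errors; comparing every item
    shows which records explain a difference, and which cancel out.
    """
    src = {t.ref: t for t in source}
    tgt = {t.ref: t for t in target}
    common = src.keys() & tgt.keys()
    return {
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "missing_in_source": sorted(tgt.keys() - src.keys()),
        "amount_mismatch": sorted(
            r for r in common if abs(src[r].amount - tgt[r].amount) > tolerance),
        "duplicate_refs": sorted(
            r for r, n in Counter(t.ref for t in source).items() if n > 1),
    }


def flag_unusual(txns, threshold=3.5):
    """Flag amounts whose modified z-score exceeds the threshold.

    Uses the median and median absolute deviation (MAD) rather than mean and
    standard deviation: a single extreme value inflates the standard deviation
    and can mask itself, while the median-based score still isolates it.
    The 0.6745 factor scales the MAD to a standard deviation for normal data;
    3.5 is the commonly used cut-off for this score.
    """
    amounts = [t.amount for t in txns]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:  # all amounts (nearly) identical; nothing stands out
        return []
    return sorted(t.ref for t in txns
                  if abs(0.6745 * (t.amount - med) / mad) > threshold)


if __name__ == "__main__":
    print("Control totals:", control_totals(SOURCE, TARGET))
    # Exceptions point at records to follow up; they are not evidence that an
    # approval or review control operated, so each still needs its audit trail.
    for kind, refs in reconcile(SOURCE, TARGET).items():
        print(f"{kind}: {refs}")
    print("Unusual amounts:", flag_unusual(SOURCE))
```

The control-total report alone says only that the two systems differ by 92.95; the item-level pass attributes that difference to a missing record, a duplicate, a transposed amount and an unmatched target record, which is the "100% sample size" benefit. The exception list is still only a pointer: it shows outcomes, not that a control operated, which is why the slide's caution that data interrogation does not test controls applies to every flagged item.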

32 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2008 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. PwC

33 How Auditors use COBIT® and the IT Assurance Guide
Lynn Lawton, International President ISACA, Inc, and The IT Governance Institute, Inc.

34 ISACA and The IT Governance Institute
Over 70,000 members in 140 countries
Develop and maintain tools for IT and business management, e.g. COBIT and ValIT
Develop and administer certifications, e.g. CISA, CISM, and, coming soon, CGEIT
Deliver conferences and educational events around the world
Deliver research and thought leadership on topical issues and

COBIT Framework
BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES
INFORMATION criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability
IT RESOURCES: Applications; Information; Infrastructure; People
PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.



38 Measuring progress
IT Process/Maturity Levels for Process XX
Maturity attributes: Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement
Maturity levels: 1 Initial/Ad Hoc; 2 Repeatable but Intuitive; 3 Defined Process; 4 Managed and Measurable; 5 Optimised
Legend: Start point; Interim target status; Where you want to be
This slide highlights the five focus areas of IT governance as defined by ITGI.

39 Measuring progress
IT Process/Maturity Levels for Process XX, tracked by quarter: 2007 Q1; 2007 Q2; 2007 Q3; 2007 Q4; 2008 Q1; 2008 Q2
Maturity levels: 1 Initial/Ad Hoc; 2 Repeatable but Intuitive; 3 Defined Process; 4 Managed and Measurable; 5 Optimised
Legend: Start point; Interim target status; Where you want to be
This slide highlights the five focus areas of IT governance as defined by ITGI.

40 ISACA and The IT Governance Institute
For more information, visit:

41 How to plan to get value from your audits
16 January 2008 AUDIT

42 Disclaimer The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

43 Agenda
Recap – What is audit?
Pre-audit activities
During the audit
What happens next?

44 Recap – What is audit?
Internal auditing – Internal, yet independent assurance over internal controls; Designed to add value and improve an organisation’s operations
External auditing – External, independent opinion over financial statements
Audit should be viewed as a critical friend rather than a hindrance
It can add value to your organisation – so treat it this way
An audit is not something that is done to you; It is something that is done with you

45 Pre-audit activities – What to do before the audit takes place
Understand who the auditors are, their scope, objectives and deliverables
Get involved in audit planning – understand the risks and issues in your own areas
You can influence – are there any areas you want covered?
Plan – The more you prepare, the less painful the review will be
Have a central point of contact
Confirm logistical arrangements

46 During the audit
Maintain contact with your auditors – The central point of contact will be key in ensuring a smooth audit
Arrange regular catch-up meetings
Understand what the key findings are
Have the auditors got a clear handle on the risks?
Are the key findings valid?
Is the audit on track?
What are the next steps?

47 What happens next? – How to reap the benefits for your organisation
Ensure that you get to review findings – Draft report stage
Be positive about the findings – Don’t take the outcome as personal criticism
Prepare a plan to address any issues identified and publish it – make sure the plan is implemented!
Roll-out learning points across your organisation, wherever possible
Prepare for your next audit!

48 Presenter’s contact details
Steven Babb KPMG LLP (UK) +44 (0)
