IT auditing in practice, Marc Verdonk, Eindhoven, November 27th 2008 (presentation transcript)

1 IT auditing in practice (title slide), Marc Verdonk, Eindhoven, November 27th 2008

2 Agenda
- Introduction
- Typical activities
- Client case
- OnLine Auditing Tool

3 Introduction - Background
mverdonk@deloitte.nl, +31652615027
Education:
- Computer Science, Utrecht University (M.Sc.); thesis: Continuous Assurance
- Postmaster IT auditing, VU Amsterdam (RE)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
Work:
- Deloitte Enterprise Risk Services, Senior Manager
- Consumer Business Industry, but has seen most industries over the past few years
- ... and of course AIO (PhD candidate) at TU/e

4 The two lies of the profession...

5 Typical activities
Audit / Assurance:
- Integrated audit
- Internal audit
- Operational audit
- Project audit / quality assurance
- Pre- or post-implementation review
- Special audit assignments
Advice / Implementation:
- Security & Controls
- Identity Management
- Risk Management
- Governance, Risk and Compliance
- ...
Forensic: fraud detection

6 Agenda
- Introduction
- Typical activities
- Client case
- OnLine Auditing Tool

7 Client Case - Our Assignment
- Integrated audit: financial auditor and IT auditor
- The IT auditor provides assurance to the financial auditor
- The financial auditor provides assurance to the client's stakeholders
- Standard question from the financial auditor to the IT auditor: can we rely on the information processed in the client's systems?
- Why do they ask this question?
- Once we have answered this question, there may be follow-up questions

8 Client Case - Description of the Client: Business Perspective
- Consumer Business, food sector
- Many strong brands
- Annual turnover € 8Bn
- Multinational, headquartered in The Netherlands
- Strong in Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC)
- Local market strategy translated into a 'decentral, unless...' policy
- Organized as a corporate organization plus many Operating Companies (OpCos) with different product and market focus

9 Client Case - Description of the Client: IT Perspective
- Highly automated processes, complex landscape
- IT classification: dominant
- Main ERP: SAP
- Corporate ICT
- Shared ICT:
  - The Netherlands (100 FTE): SAP EMEA, global infrastructure operations
  - Thailand (20 FTE): SAP APAC
- Getronics/KPN providing hosting services for all IT
- Business Information Managers at the OpCo level
- Customer Council: organizes supply and demand

10 Client Case - Scoping
Going back to the initial question: can we rely on the information processed in the client's systems?
1. Understand which information is relevant for the financial auditor's scope: Balance Sheet / Profit & Loss, materiality
2. Determine the systems in scope: SAP and the HR system (outsourced)
3. Determine the landscape: SAP, Oracle database, Unix servers, network infrastructure

11 Client Case - Phased Approach
Start with an audit of the General Computer Controls (GCC): Operations, Information Security, Change Management. Then audit selected Application Controls.

12 Client Case - General Computer Controls
Audit of the General Computer Controls (GCC): Operations, Information Security, Change Management
1. Create a control framework and tailor it to the specific situation
2. Perform tests of design and implementation; techniques: review documentation, interviews, walkthroughs
3. Perform tests of operating effectiveness; technique: systematic sampling of the control's population over the audit period
4. Document findings, obtain factual confirmation from the auditee, form a judgment; this yields the go / no-go decision on relying on the systems

13 Client Case - General Computer Controls - Typical Findings
In general:
- No policies available
- Processes and procedures not documented
Information security:
- Uncontrolled use of super users, administrators and developers
- Default passwords
- External parties on the system
- Group policies overridden for individual users
- Failing user provisioning
Change management:
- Testing of changes
- Changes processed directly in production
- Lack of impact analysis
Operations:
- Testing of backup and restore

14 Client Case - Application Controls
What is the relevance of the application controls for the audit if the GCCs are unreliable?

15 ©2008 Deloitte. All rights reserved. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its Member Firms.
