Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT internal audit update

Published byKenneth Bell Modified over 5 years ago

Similar presentations

Presentation on theme: "IT internal audit update"— Presentation transcript:

1 IT internal audit update
PCC Precision Castparts Corp. Justin Fox Taylor Luell KPMG LLP PCC FIT Conference September 2017

2 Presentation overview
CY17 IT internal audit plan IT implementation policy reviews Lessons learned IT implementation audit timeline Steering Committee coordination IT control reviews Common findings in CY16 Baseline security controls desktop audit Questions

3 CY17 IT internal audit plan
Implementation policy audits Pre-implementation ( 6) Interim ( 2) Go-live ( 26) Post-implementation ( 8) IT control audits 19 IT control audits are scheduled Auditing compliance with selected corporate IT policies and standards Recent updates to the IT Policy and Standards Manual will be in scope IT SOX audits Similar approach as CY16 2 random IT SOX controls are tested in each audit, instead of all the IT controls at only a few of locations

4 IT implementation lessons learned
Lessons learned/common findings Costing methodology review and approval (e.g., division and corporate) JAOA requirements around changes in costing methodology Inventory physical requirements (pre- and post-go-live) Full physical 90 days before go-live Quarterly physicals following go-live Weekly cycle counts End-user training and retention of results (nontrack lead) Key operational and management report testing (e.g., TOC and daily flex analysis) Data validation procedures Compliance requirements, such as quality, ITAR, NADCAP, ISO9000, etc. SOD analysis at go-live should be evidenced, approved, and retained

5 Audit timeline Pre-implementation  Before spending
Interim assessments  +/- CRP II Go-live  2 Weeks before Post-implementation  3 Months after Assessment of organization’s readiness to begin a large project: Recent IA findings Inventory tracking Verify physical inventory results Track lead time allocation Validate resources against CAR commitments Project plan Current data integrity Current costing method Current system access Current daily oversight Early stage review of process mapping “as-is” and “to-be”, often only high level maps available since development has not started Based on the duration of the project, one or more Interim Assessments could be performed: Ahead/behind schedule assessment based on commitments made to the Steering Committee Validate track lead time commitments are being met Review accuracy of revised process maps “as is” and “to be” Review issues log items in detail Observe end-to-end transaction testing Observe track leads and users processing test transactions, logging issues, identifying new gaps, and using documentation prepared for the system Verify standard solution template and reporting toolkit is utilized Verify all data converted and reconciled Assessment of readiness for go-live: Review open issues and issues deferred post go-live Assess management’s understanding using the system Assess implementation process documentation, conversion testing and approvals, CRP results, interface testing, and training attendance Assess accuracy and functionality of the system transaction processing within new business cycles User access, SOD Review pro forma SOX narratives and controls, and input controls Evaluation of user training Review required reports Confirm readiness assessment Review inventory change (FCA) Review results and adjustments from required “pre go-live” full physical inventory Assessment of post implementation activities: Daily Data entry Daily reports Shipping/Receiving proc. Mgmt oversight Direct feedback to users Weekly Weekly PCC reports Cycle counts Review exception reports Monthly/Quarterly Close, large correcting JEs Quarterly physicals until Steering Committee approves results SOX updates

6 Steering Committee coordination
Exceptions from IT implementation policy Required in attachment 5 as a part of the CAR approval process Remote audits Remote and limited audits (for minor upgrades, etc.) Schedule meetings early Contact Internal Audit 4 to 6 weeks in advance for an audit Schedule go-live Steering Committee meeting the week before cut-over. A preliminary review of readiness should occur with the Steering Committee 4-6 weeks prior to go-live.

7 Common IT controls audit findings – CY16
Total findings and observations: 62 findings and 26 observations (15 reports) Employee terminations (ITP021) 12 locations – Employees were not removed from the system within 2 days of notification of termination (IT vs HR) System-level account password policy (ITP017) 10 locations – Corporate password policy not followed/updates needed Asset tracking (ITP002) 7 locations – Assets are not tagged and are not properly included on the asset listing Disaster recovery plan (ITP005) 7 locations – Disaster recovery plan not in place or not tested/updates needed Account naming conventions (ITP021) 3 locations – Naming convention does not comply with policy

8 Baseline security controls desktop review
There was a 50%–80% exception rate for baseline security controls out of the 40 locations tested. Key area exception rates include: WSUS/SCCM 32 of 40 plants (80%) had workstations and servers that were identified that did not have WSUS/SCCM installed and a reconciliation was not being performed. BitLocker 28 of 40 plants (70%) had workstations that were identified that did not have BitLocker installed and a reconciliation was not being performed. Splunk 26 of 40 plants (65%) had workstations or servers that were identified that did not have Splunk installed and a reconciliation was not being performed. Antivirus 25 of 40 plants (63%) had workstations or servers that were identified that did not have anti-virus installed and a reconciliation was not being performed. DDPE 23 of 40 plants (58%) had workstations that were identified that did not have DDPE installed and a reconciliation was not being performed. FireAMP 23 of 40 plants (58%) had workstations that were identified that did not have FireAMP installed and a reconciliation was not being performed.

9 Questions? Call or email with any questions during the year.
Our PCC number is

10 Contact information Justin Fox, CISA Advisory Director Risk Consulting KPMG LLP C: E: Taylor Luell, CISA Advisory Manager Risk Consulting KPMG LLP C: E:

11 kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS The KPMG name and logo are registered trademarks or trademarks of KPMG International.

12 2017 PCC Finance & IT Conference
Please silence phones

Download ppt "IT internal audit update"

Similar presentations

© 2007 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International,

© 2007 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International,
AUDIT INTERREG LP Seminar on Financial Management and Auditing: Financial Reporting from auditors perspective Kirsi Toivanen Manager, Audit Turku, Finland.

AUDIT INTERREG LP Seminar on Financial Management and Auditing: Financial Reporting from auditors perspective Kirsi Toivanen Manager, Audit Turku, Finland.
Els Hostyn Partner Internal Audit, Risk & Compliance Services Forensic 13 October 2009 FORENSIC ADVISORY Internal Audit and other assurance providers.

Els Hostyn Partner Internal Audit, Risk & Compliance Services Forensic 13 October 2009 FORENSIC ADVISORY Internal Audit and other assurance providers.
© 2005 KPMG IFRG Limited, a UK registered company, limited by guarantee, and a member firm of KPMG International, a Swiss cooperative. All rights reserved.

© 2005 KPMG IFRG Limited, a UK registered company, limited by guarantee, and a member firm of KPMG International, a Swiss cooperative. All rights reserved.
Driving change in information risk within the financial services industry Subtitle Date.

Driving change in information risk within the financial services industry Subtitle Date.
Views on TRAC and the UWE workload model 12 th December 2013.

Views on TRAC and the UWE workload model 12 th December 2013.
A clear and compelling business case… …for the individual

A clear and compelling business case… …for the individual
Russia’s Hotel Projects and Investments Sven Osmers Head of KPMG’s Real Estate practice Russia & CIS April 10, 2014.

Russia’s Hotel Projects and Investments Sven Osmers Head of KPMG’s Real Estate practice Russia & CIS April 10, 2014.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Trending Topics in Contract Auditing Presenters: Allen Devine, Senior Manager Dan Smith, Manager Government Contracts.

Trending Topics in Contract Auditing Presenters: Allen Devine, Senior Manager Dan Smith, Manager Government Contracts.
©2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. 1 Business Combinations: What you need to know about.

©2009 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. 1 Business Combinations: What you need to know about.
Start-ups & big business Competition or competitive advantage? Imperial Business Insights Lecture 13 February 2014.

Start-ups & big business Competition or competitive advantage? Imperial Business Insights Lecture 13 February 2014.
Institute of Operational Risk Breakout Session - Operational Risk Nirvana KPMG Giles Triffitt Peter Watson Peter Docherty 1 November 2013.

Institute of Operational Risk Breakout Session - Operational Risk Nirvana KPMG Giles Triffitt Peter Watson Peter Docherty 1 November 2013.
Presentation to EACUBO Tax Update October 16, 2012 Presentation by Donald E. “Dee” Rich, Jr. Partner, KPMG LLP Exempt Organizations Tax Practice

Presentation to EACUBO Tax Update October 16, 2012 Presentation by Donald E. “Dee” Rich, Jr. Partner, KPMG LLP Exempt Organizations Tax Practice
2012 Trends in Inventory Auditing WIS Customer Forum Oct 2012 KPMG LLP.

2012 Trends in Inventory Auditing WIS Customer Forum Oct 2012 KPMG LLP.
Increasing customer value through effective security risk management

Increasing customer value through effective security risk management
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Information Risk Management in the Audit Chapter 9 Presented by Julie Flaiz-Windham, Senior Manager KPMG LLP KPMG LLP.

Information Risk Management in the Audit Chapter 9 Presented by Julie Flaiz-Windham, Senior Manager KPMG LLP KPMG LLP.
External auditors’ perspective

External auditors’ perspective
Actuaries in China 2 nd December 2011. 1 © 2010 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of.

Actuaries in China 2 nd December © 2010 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of.

Similar presentations

Ads by Google