1. Presenters Ryan McMeekin Nancy Bong Scott Murphy University of Colorado SAP & ISACA University of Colorado SAP & ISACA

2. What is Risk Assurance? What is a Control Information Technology General Controls Reporting Exercise Modules of SAP ISACA/CISA Recruitment Questions Agenda/Contents Table of Contents

3. Risk Assurance at PwC Business Process / IT Controls Internal Audit Services Third Party Assurance IT Project Assurance Enterprise Risk Management, etc. Our Clients: Financial Audit and External Clients What is Risk Assurance?

4. Why are systems and controls important? In accounting and auditing internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems designed to help the organization accomplish specific goals or objectives. “COSO” - Committee of Sponsoring Organizations of the Treadway Commission: Internal Control - Integrated Framework (1992)Committee of Sponsoring Organizations of the Treadway Commission: Internal Control - Integrated Framework (1992) Key information system control objectives: Safeguarding assets Maintaining data integrity Operating effectively and efficiently Examples of IT Audits: Financial Statement Audits, public (SOX) and private Third-Party Assurance PCI (Payment Card Industry) Internal Audit What is Risk Assurance? What is a Control?

5. What is Risk Assurance? Information Technology Risk and Controls Diagram

6. Perimeter Network Operating System Application Data What is Risk Assurance? Information Technology Risk Layers

7. PwC Please get in groups of 3 or 4 1) What are examples of IT risk? 2) How does IT risk impact a business? 3) How can IT risk impact Financial Statements? Exercise

8. PwC 1)What are examples of IT risk and security? Restricted Access and Segregation of Duties Change Management / SDLC Batch Processing, System Interfaces 2) How does IT risk impact a business? Safeguarding of assets, data integrity, efficiency of operations Compliance requirements (SOX, HIPAA, PCI) Investor Confidence 3) How can IT risk impact Financial Statements? Indirectly impacting financial statement assertions Pervasiveness of impact. Exercise Debrief

9. Reporting -Key Reports -Information used in performance of a key control - Configurable to Client Environment -SAP (Customized or Canned) -Changes -Access - How do we use SQL Statements? Reporting Integrity of Data

10. What are Risks with these Accounting Areas? -Journal Entries -Period End Closing - Foreign Exchange -New GL - FI/CO Integration SAP - Financial General Ledger

11. Period End Closing Control The standard SAP reports indicating general ledger account metrics are investigated and resolved during period end on a timely basis. -Create a Test Plan - What are the Key Conditions of this Controls (italicized) - How could we test/verify that the control is operating? Exercise - Financial General Ledger

12. How to Test & Interpretation a)Inquire of management to determine whether: i)SAP reports are relied upon during the period end close process ii) Report review is performed by a person independent from the transaction processing activities iii) Exceptions are investigated and resolved on a timely basis a) Evaluate if there is sufficient and appropriate evidence to test the control b) Inspect / examine a sample of reports to determine whether evidence exists c) for the timely resolution of exceptions Exercise – Debrief

13. -Integrates purchasing department with Account Payables department. - Business Processes - 3-way Match - Agree Purchase order - Invoice - Receiving -Automated Process of SAP -Circumnavigate Business Processes? - Basis and IT Controls SAP – Procure to Pay & Accounts Payable

14. Information Systems Audit & Control Association (ISACA) Goal: To expand the knowledge and value of the IT governance and control field Members work in: Financial and banking, public accounting, government, the public sector, and the private sector Chapter Meetings Accounting and Information Security focus CISA Relationships and Personal Experiences What is ISACA?

15. The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification Devoted exclusively to IT audit, controls, and security Importance Good certification for individuals who have audit, control and/or security responsibilities CISA Description

16. CISACPA IT orientedFinancial oriented with IT One – 4 Hour Test IT Audit System Life Cycle Development Infrastructure IT Governance IT Service Delivery & Support Protection of Info Assets Business Continuity & Disaster Recovery 4 Parts (3-4 hrs each) Audit Financial Business Regulation Cost less than CPACost more than CISA Prerequisite for Promotion Compare and Contrast CISA vs. CPA

17. Thursday September 8th - Accounting Firm "Roadshow" - 7pm to 9pm - Koelbel Building Monday September 12th - BAP Kick-Ball Tournament - 4pm - 6pm - field by Koelbel Building Wednesday September 14th - MBSA Meeting Accounting Night - 5:30 p.m. to 7:30 p.m. - Koelbel Building Thursday September 15th - Meet the Firms - 6:30 p.m. - 9:00 p.m. - UMC, on campus Monday September 19th - Resume deadline Recruitment Information

18. Contact Information Ryan McMeekinRyan.McMeekin@us.pwc.com Nancy BongNancy.J.Bong@us.pwc.com Scott MurphyScott.C.Murphy@us.pwc.com Questions?