Integrated Audit Approach
An Overview

Monique Garsoux, Dexia
Qualified Audit Partners

RTM 22/01/2005

Presentation Outline

The Need for Enterprises

What is Integrated Auditing

The integrated audit process – Audit methodology

Best practices

Where are My Business Risks?

[Diagram labels: Logical security; DB2; Client Accounts; Manage Problems & Incidents; Networks; Cards; Compliance; Operational risk, Basle II]

What is the Business problem?

[Diagram labels: Banksys; Banks; Bank Statements]

Where is the integrated audit approach (IAA)? An example

[Diagram labels: Batch; Account Orders Management; Client Orders DB; Accounting; Banksys; Branches; Interest calculations; Asynchronous; Synchronous; Dialog Appl; CRICRE; Reconciliation; Operations; Security; Oracle; DB2; Accounting Application; Problem management; Network; Cics; MQM; Compliance; Integrated Audit]

What is Integrated Auditing

Combines elements of three traditional audit types: information technology (IT), operational and financial.

Provides a broader audit scope in which to render an opinion on the adequacy and effectiveness of a system of internal control to mitigate global business risks: one report

Benefits of IAA

Eliminates redundant or narrow-view audits, duplicated work, missed opportunities for contribution, risk of false assurance

Creates a broad-based audit.

Examines global process risks.

Provides executives with a coherent view

Once adopted, subsequent audits become highly efficient, focusing on risks

Combines what people do with what the computer does (or the contrary)

Effects of Technology

Technology makes certain traditional audit procedures invalid and/or of limited value

Transaction processing becomes automatic and invisible, with reduced oversight due to less manual intervention

New products / services / competition

Elements of IAA

Examines the manual procedures that people use combined with the “invisible” procedures that computers perform, and how this impacts the following steps:

Planning.

Evaluation.

Testing.

Reporting.

Follow-up.

Effect of traditional approach on the Audit Process

Uncoordinated audit plans

Separate audits

Parallel audits; two or more distinct audits

Concurrent audits; risk analysis initiatives, process reengineering, performed around the same timeframe

Results of Auditor’s Response

Specialization & Silo Auditing

Staff segregation between IT and Financial - Operational

“The wall” erected within audit departments

IAA Audit Planning

IAA critical success factor:

For each critical Potential Process, identify the IT system that supports the activities. For each business activity (main business functions), identify critical systems, interfaces, key manual procedures, especially reconciliations, and General Ledger impact.

Coordinate efforts

IAA Planning

IAA pitfall to avoid:

Not identifying IT components.

Not involving/confirming with Potential Audit Client management.

Not identifying manual “work arounds”; processes that take place outside of the normal process flow.

Not taking enough time to plan.

IAA Planning

IAA planning should also identify for each Potential Audit Client (Processes) and related IT system:

Master Files.

System connectivity.

Sensitive/confidential data.

Information output; reports, computer generated transactions, and computer-to-computer transmissions.

IAA Planning

Based on criticality ranking, select audit missions

Result is a coordinated audit plan where audit missions have been documented by an overview understanding of the subject

IAA Evaluation

Depending on the scope of the audits selected (entire Potential Audit Client, one or more business activities), the auditor will “drill down” to obtain a more detailed understanding of the specific controls related to the Potential Audit Client or business activity under review.

Where necessary (based on potential risks)

IAA Evaluation

IAA evaluation consists of obtaining a detailed understanding of the control environment design; “Do adequate controls exist” to mitigate business risks (scope selected based on risks)

IAA Evaluation – Risk Assessment

IAA critical success factor – control design MUST include operational and IT controls.

TOTAL risk assessment incorporates business/industry risk, operational risk COMBINED with technology risk to form an opinion on the overall design of controls.

Where are the risks?

[Diagram labels: Batch; Account Orders Management; Client Orders DB; Accounting; Banksys; Branches; Interest calculations; Asynchronous; Synchronous; Dialog Appl; CRICRE; Reconciliation; Operations; Security; Oracle; DB2; Accounting Application; Problem management; Network; Cics; MQM; Compliance; Integrated Audit]

IAA Evaluation

IAA risk assessment guidelines:

A limited number of risk factors

Including Business - Technology specific.

Risk factors should be weighted by criticality and measurable.

Some factors should be IT specific.

IAA - Integrated Risk Assessment

For EACH business unit, identify technology platform (PC, LAN, etc)

“What does the system do?”

Interview users, read documentation, look at system menu

“What are you connected to?” - Interfaces

Establishes span of control

IAA - Integrated Risk Assessment

What could go wrong?

Establishes the risk

What would happen ?

Establishes the materiality

“How would you know if something went wrong?”

Determines the control

Integrated Risk Assessment

Business criticality – degree of reliance a business unit places on the system

Technological complexity – degree of computer generated transactions utilized with minimal manual intervention

IAA Evaluation

Based upon the information obtained and confirmed during the planning phase, combined with the combined risk assessment, the auditor selects the relevant areas to include in the audit scope and performs a detailed review of these areas.

IAA Evaluation

Auditors usually perform a walkthrough during the evaluation to assist in understanding the process flow, obtain relevant sample documentation, spot test the key controls, and observe the general environment.

IAA Evaluation

IAA critical success factor – the auditor must flowchart the IT system to obtain a detailed understanding of key system processes, files and controls.

IAA Evaluation

The auditor should develop an integrated flow chart that combines manual and computer processes, key calculations, master file updates, downloads, and uploads.

Examine processes and control design by splitting them into three categories:

Those that only people perform.

Those that people and computers perform.

Those that only the computer performs.

1. Subscription request via branch

[Flowchart, laid out in columns Input, Process, Data and Output.
Flow labels: signed subscription request; online; GEKT data entry - online check of the filters and of the authorisation on the account; daily batch; GEKT check of filters and subscription validity; subscription OK? (yes); temporary reject; final reject; reject list, error messages to examine; GEKT subscription awaiting recycling / review of the reject code; batch; IPDT; secret code generation; encrypted secret code; secret code letter (the next day if second subscription); subscription number letter if not the first subscription.
Risk and control annotations: authorisation, user-friendliness; integrity, reliability; controls: validity of the filters; authorisation - access, controls; completeness; confidentiality, integrity; delay, integrity; integrity, interception, loss; strong algorithm, security.]

IAA Evaluation

Examine the following objectives for each transaction:

Completeness of input processing.

Accuracy of input processing.

Completeness of master file updates.

Accuracy of master file updates.

Accuracy and reliability of processing (calculations)

Access to and confidentiality of information.

Authorization of processing.

Reconciliations and verifications.

Monitoring and oversight.

IAA Evaluation

Based on the evaluation of the design of the entire control environment (IT and manual), the auditor expresses an opinion on the “adequacy” of control design.

IAA Evaluation

Audit approach - evaluation

- What does the system do?

- What is it connected to?

- Who has access?

- What type of access do they have?

- What is logged?

IAA Evaluation

Evaluation

- Totals (completeness)

- Edits (accuracy)

- System generated calculations/summarization/categorization

- System menu

IAA Evaluation

Better evaluation

- Transaction file - input - journal

- Master file - processing - ledger

- “Master file update”

- “How do you know”

IAA Testing

The testing phase is the area that makes the IAA the most efficient.

Based on the information obtained in planning and evaluation, the auditor selects which controls require testing.

IAA Testing

Better audit tests

- On screen edits

- Batch totals

- Calculations

- Master file updates

- Output
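
The batch totals and master file update tests listed above can be re-performed by the auditor from extracts of the transaction file and the master file. The following Python code is an added example, not part of the original presentation; the record layout, account numbers and amounts are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

ZERO = Decimal("0")

def control_totals(records):
    """Record count, amount total and hash total (sum of account numbers)."""
    return {
        "count": len(records),
        "amount": sum((r["amount"] for r in records), ZERO),
        "hash": sum(int(r["account"]) for r in records),
    }

def compare_totals(input_totals, processed_totals):
    """Names of the control totals that differ between two runs."""
    return [k for k in ("count", "amount", "hash")
            if input_totals[k] != processed_totals[k]]

def verify_master_update(opening, closing, journal):
    """Per account: closing balance must equal opening balance + journal."""
    movement = defaultdict(lambda: ZERO)
    for r in journal:
        movement[r["account"]] += r["amount"]
    exceptions = []
    for account in sorted(set(opening) | set(closing) | set(movement)):
        expected = opening.get(account, ZERO) + movement.get(account, ZERO)
        actual = closing.get(account, ZERO)
        if expected != actual:
            exceptions.append((account, expected, actual))
    return exceptions

# Constructed sample data (hypothetical layout, not from the presentation).
INPUT_BATCH = [
    {"account": "1001", "amount": Decimal("250.00")},
    {"account": "1002", "amount": Decimal("-75.50")},
    {"account": "1003", "amount": Decimal("1200.00")},
]
# Records the batch run reports as processed: the last one was dropped.
PROCESSED = INPUT_BATCH[:2]
# Master file balances before and after the run.
OPENING = {"1001": Decimal("500.00"), "1002": Decimal("300.00"),
           "1003": Decimal("0.00")}
CLOSING = {"1001": Decimal("750.00"), "1002": Decimal("224.50"),
           "1003": Decimal("0.00")}

if __name__ == "__main__":
    diff = compare_totals(control_totals(INPUT_BATCH), control_totals(PROCESSED))
    print("control totals that differ:", diff)
    for account, expected, actual in verify_master_update(OPENING, CLOSING, INPUT_BATCH):
        print(f"account {account}: expected {expected}, master file shows {actual}")
```

The hash total catches a record posted to the wrong account even when the record count and amount total still agree, which is why it is compared alongside them.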

IAA Testing

Better audit tests

- System demo

- Access

- Violations

- Computer generated logs/listings

IAA Reporting

Although reporting is largely a matter of preference and style, IAA reporting has certain benefits that can be incorporated into any reporting style: a single report that renders an opinion on the entire system of risks and control.

Visual = no long narrative texts

IAA Reporting

IAA pitfall to avoid - reporting that is done by a technical auditor and a non-technical auditor and then pieced together. This tends to weaken the consistency of ideas. Judicious editing is required to scrub the report to eliminate jargon and facilitate easy reading.

IAA Hitting the High Spots

Application audits

- Transaction processing

- Business critical

- “Bread and butter”

EXPECTATIONS

Depends on …

DUE DILIGENCE AUDIT MODEL ?

STAFFING AND DEVELOPMENT AUDIT MODEL ?

PROFESSIONAL INTERNAL AUDIT MODEL ?

WHAT WORKS

Expanding the information technology knowledge base of each and every auditor

Realistic audit assignments based on knowledge, skill levels and degree of difficulty of the subject (planning audits)

Pre-audit of technical aspects (typical IT audits)

Extensive IT audit tools and support

Effective technical supervision

BARRIERS

IT audit is a separate and unique audit discipline

The fundamental internal auditor skill set is accounting and general business oriented with limited IT knowledge required

Specialization is good – only IT auditors should audit IT topics

Generalization is good – IT auditors can audit anything IT related

The board and senior management really understand auditing in an IT environment

No one really cares whether audits are integrated or not

Auditors are not on staff long enough to justify extensive training costs

IAA Integrated auditor ?

Traditional auditor that addresses computer audit techniques, relying on the methodology

Specialized IT auditor that addresses both business flow and highly automated systems

All auditors are integrated auditors, with some just having more skills than others

IAA Audit Tools

Reference materials

Cobit (Manage Data)

ISACA Bookstore material (bits and pieces in many books)

Integrated reference framework, a real need …

Audit software: ACL, IDEA

MANAGE DATA

PROCESS 1: Data input procedures

Evaluation: Not Assessed
Risk Rating:
Impact:

Columns: Objective; Potential risks; Controls; Residual risks and recommendations

Objective:

Management should establish data preparation procedures to be followed by user departments. In this context, input form design should help to assure that errors and omissions are minimised. Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.

Management should ensure that source documents are properly prepared by authorised personnel who are acting within their authority and that an adequate segregation of duties is in place regarding the origination and approval of source documents.

The organisation's procedures should ensure that all authorised source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.

Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected.

Procedures should be in place to ensure original source documents are retained or are reproducible by the organisation for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.

The organisation should establish appropriate procedures to ensure that data input is performed only by authorised staff.

Potential risks: The potential risk is the input of credits or investments

Residual risks and recommendations: my findings, residual risk and recommendations

PROCESS 1: Completeness, accuracy and authorisation of input

Evaluation: Not Assessed
Risk Rating:
Impact:

Columns: Objective; Potential risks; Controls; Residual risks and recommendations

Objective: Input data must be validated as close as possible to the time of entry

PROCESS 1: Handling of data entry errors

Evaluation: Not Assessed
Risk Rating:
Impact:

Columns: Objective; Potential risks; Controls; Residual risks and recommendations

Objective: Procedures must be provided for the correction and resubmission of incorrect data.

PROCESS 1: Validation in data processing

Evaluation: Not Assessed
Risk Rating:
Impact:

Columns: Objective; Potential risks; Controls; Residual risks and recommendations

Objective:

The organisation should establish procedures to ensure that data processing validation, authentication and editing is performed as close to the point of origination as possible. When using Artificial Intelligence systems, these systems should be placed in an interactive control framework with human operators to ensure that vital decisions are approved.

The organisation should establish procedures for the processing of data that ensure separation of duties is maintained and that work performed is routinely verified. The procedures should ensure adequate update controls such as run-to-run control totals and master file update controls are in place.

IAA Education

On the field but …

Continuing education

- Budget $$$

- Established education vendors $$

- Local IIA/ISACA chapters if…

- In-house training if …

- Partner with other companies on-site… not commonly used

Discussion

Question 1: The integrated auditor or a team of competencies?

Question 2: How to create or upgrade the competence in integrated auditing