Presenters Ryan McMeekin Nancy Bong Scott Murphy University of Colorado SAP & ISACA

Page 1:

Presenters

Ryan McMeekin

Nancy Bong

Scott Murphy

University of Colorado SAP & ISACA

Page 2:

What is Risk Assurance?

What is a Control

Information Technology General Controls

Reporting

Exercise

Modules of SAP

ISACA/CISA

Recruitment

Questions

Agenda/Contents

Table of Contents

Page 3:

• Risk Assurance at PwC
  • Business Process / IT Controls
  • Internal Audit Services
  • Third Party Assurance
  • IT Project Assurance
  • Enterprise Risk Management, etc.

• Our Clients:
  • Financial Audit and External Clients

What is Risk Assurance?

Page 4:

• Why are systems and controls important?

In accounting and auditing internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems designed to help the organization accomplish specific goals or objectives. “COSO” - Committee of Sponsoring Organizations of the Treadway Commission: Internal Control - Integrated Framework (1992)

• Key information system control objectives:
  • Safeguarding assets
  • Maintaining data integrity
  • Operating effectively and efficiently

• Examples of IT Audits:
  • Financial Statement Audits, public (SOX) and private
  • Third-Party Assurance
  • PCI (Payment Card Industry)
  • Internal Audit

What is Risk Assurance?

What is a Control?

Page 5:

What is Risk Assurance?

Information Technology Risk and Controls Diagram

Page 6:

Perimeter Network

Operating System

Application

Data

What is Risk Assurance?

Information Technology Risk Layers

Page 7:

PwC

Please get in groups of 3 or 4

1) What are examples of IT risk?

2) How does IT risk impact a business?

3) How can IT risk impact Financial Statements?

Exercise

Page 8:

PwC

1) What are examples of IT risk and security?
• Restricted Access and Segregation of Duties
• Change Management / SDLC
• Batch Processing, System Interfaces

2) How does IT risk impact a business?
• Safeguarding of assets, data integrity, efficiency of operations
• Compliance requirements (SOX, HIPAA, PCI)
• Investor Confidence

3) How can IT risk impact Financial Statements?
• Indirectly impacting financial statement assertions
• Pervasiveness of impact.

Exercise Debrief

Page 9:

Reporting

- Key Reports
  - Information used in performance of a key control
  - Configurable to Client Environment

- SAP (Customized or Canned)
  - Changes
  - Access

- How do we use SQL Statements?
  • Reporting
  • Integrity of Data

Page 10:

What are Risks with these Accounting Areas?

- Journal Entries

- Period End Closing

- Foreign Exchange

- New GL

- FI/CO Integration

SAP - Financial General Ledger

Page 11:

Period End Closing

Control

The standard SAP reports indicating general ledger account metrics are investigated and resolved during period end on a timely basis.

- Create a Test Plan
- What are the Key Conditions of this Control (italicized)
- How could we test/verify that the control is operating?

Exercise - Financial General Ledger

Page 12:

How to Test & Interpretation

a) Inquire of management to determine whether:

i) SAP reports are relied upon during the period end close process

ii) Report review is performed by a person independent from the transaction processing activities

iii) Exceptions are investigated and resolved on a timely basis

b) Evaluate if there is sufficient and appropriate evidence to test the control

c) Inspect / examine a sample of reports to determine whether evidence exists for the timely resolution of exceptions

Exercise – Debrief

Page 13:

- Integrates purchasing department with Accounts Payable department.

- Business Processes
  - 3-way Match
    - Agree Purchase order
    - Invoice
    - Receiving

- Automated Process of SAP

- Circumnavigate Business Processes?
  - Basis and IT Controls

SAP – Procure to Pay & Accounts Payable

Page 14:

• Information Systems Audit & Control Association (ISACA)

• Goal: To expand the knowledge and value of the IT governance and control field

• Members work in:

• Financial and banking, public accounting, government, the public sector, and the private sector

• Chapter Meetings

• Accounting and Information Security focus

• CISA Relationships and Personal Experiences

What is ISACA?

Page 15:

• The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification

• Devoted exclusively to IT audit, controls, and security

• Importance

• Good certification for individuals who have audit, control and/or security responsibilities

CISA Description

Page 16:

CISA

• IT oriented
• One – 4 Hour Test
  • IT Audit
  • System Life Cycle Development
  • Infrastructure
  • IT Governance
  • IT Service Delivery & Support
  • Protection of Info Assets
  • Business Continuity & Disaster Recovery
• Cost less than CPA
• Prerequisite for Promotion

CPA

• Financial oriented with IT
• 4 Parts (3-4 hrs each)
  • Audit
  • Financial
  • Business
  • Regulation
• Cost more than CISA
• Prerequisite for Promotion

Compare and Contrast CISA vs. CPA

Page 17:

• Thursday September 8th - Accounting Firm "Roadshow" - 7pm to 9pm - Koelbel Building

• Monday September 12th - BAP Kick-Ball Tournament - 4pm - 6pm - field by Koelbel Building

• Wednesday September 14th - MBSA Meeting Accounting Night - 5:30 p.m. to 7:30 p.m. - Koelbel Building

• Thursday September 15th - Meet the Firms - 6:30 p.m. - 9:00 p.m. - UMC, on campus

• Monday September 19th - Resume deadline

Recruitment Information

Page 18:

Contact Information

Ryan McMeekin [email protected]

Nancy Bong [email protected]

Scott Murphy [email protected]

Questions?