Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Presenters Ryan McMeekin Nancy Bong Scott Murphy University of Colorado SAP & ISACA University of...
Presenters
Ryan McMeekin
Nancy Bong
Scott Murphy
University of Colorado
SAP & ISACA
Agenda / Table of Contents
• What is Risk Assurance?
• What is a Control
• Information Technology General Controls
• Reporting
• Exercise
• Modules of SAP
• ISACA/CISA
• Recruitment
• Questions
What is Risk Assurance?
• Risk Assurance at PwC
  • Business Process / IT Controls
  • Internal Audit Services
  • Third Party Assurance
  • IT Project Assurance
  • Enterprise Risk Management, etc.
• Our Clients:
  • Financial Audit and External Clients
What is a Control?
• Why are systems and controls important?
  In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.
  "COSO" - Committee of Sponsoring Organizations of the Treadway Commission: Internal Control - Integrated Framework (1992)
• Key information system control objectives:
  • Safeguarding assets
  • Maintaining data integrity
  • Operating effectively and efficiently
• Examples of IT Audits:
  • Financial Statement Audits, public (SOX) and private
  • Third-Party Assurance
  • PCI (Payment Card Industry)
  • Internal Audit
Information Technology Risk and Controls Diagram
Information Technology Risk Layers
• Perimeter Network
• Operating System
• Application
• Data
Exercise
Please get in groups of 3 or 4
1) What are examples of IT risk?
2) How does IT risk impact a business?
3) How can IT risk impact Financial Statements?
Exercise Debrief
1) What are examples of IT risk and security?
  • Restricted Access and Segregation of Duties
  • Change Management / SDLC
  • Batch Processing, System Interfaces
2) How does IT risk impact a business?
  • Safeguarding of assets, data integrity, efficiency of operations
  • Compliance requirements (SOX, HIPAA, PCI)
  • Investor Confidence
3) How can IT risk impact Financial Statements?
  • Indirectly impacting financial statement assertions
  • Pervasiveness of impact
Reporting
- Key Reports
  - Information used in performance of a key control
  - Configurable to Client Environment
- SAP (Customized or Canned)
  - Changes
  - Access
- How do we use SQL Statements?
  • Reporting
  • Integrity of Data
SAP - Financial General Ledger
What are Risks with these Accounting Areas?
- Journal Entries
- Period End Closing
- Foreign Exchange
- New GL
- FI/CO Integration
Exercise - Financial General Ledger
Period End Closing
Control: The standard SAP reports indicating general ledger account metrics are investigated and resolved during period end on a timely basis.
- Create a Test Plan
  - What are the Key Conditions of this Control (italicized)
  - How could we test/verify that the control is operating?
Exercise – Debrief
How to Test & Interpretation
a) Inquire of management to determine whether:
   i) SAP reports are relied upon during the period end close process
   ii) Report review is performed by a person independent from the transaction processing activities
   iii) Exceptions are investigated and resolved on a timely basis
b) Evaluate if there is sufficient and appropriate evidence to test the control
c) Inspect / examine a sample of reports to determine whether evidence exists for the timely resolution of exceptions
SAP – Procure to Pay & Accounts Payable
- Integrates purchasing department with Accounts Payable department.
- Business Processes
  - 3-way Match
  - Agree Purchase order
  - Invoice
  - Receiving
- Automated Process of SAP
- Circumnavigate Business Processes?
  - Basis and IT Controls
What is ISACA?
• Information Systems Audit & Control Association (ISACA)
• Goal: To expand the knowledge and value of the IT governance and control field
• Members work in:
  • Financial and banking, public accounting, government, the public sector, and the private sector
• Chapter Meetings
• Accounting and Information Security focus
• CISA Relationships and Personal Experiences
CISA Description
• The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification
• Devoted exclusively to IT audit, controls, and security
• Importance
  • Good certification for individuals who have audit, control and/or security responsibilities
Compare and Contrast CISA vs. CPA
CISA:
• IT oriented
• One 4-hour test: IT Audit; System Life Cycle Development; Infrastructure; IT Governance; IT Service Delivery & Support; Protection of Info Assets; Business Continuity & Disaster Recovery
• Cost less than CPA
• Prerequisite for Promotion
CPA:
• Financial oriented with IT
• 4 parts (3-4 hrs each): Audit; Financial; Business; Regulation
• Cost more than CISA
• Prerequisite for Promotion
Recruitment Information
• Thursday September 8th - Accounting Firm "Roadshow" - 7pm to 9pm - Koelbel Building
• Monday September 12th - BAP Kick-Ball Tournament - 4pm - 6pm - field by Koelbel Building
• Wednesday September 14th - MBSA Meeting Accounting Night - 5:30 p.m. to 7:30 p.m. - Koelbel Building
• Thursday September 15th - Meet the Firms - 6:30 p.m. - 9:00 p.m. - UMC, on campus
• Monday September 19th - Resume deadline
Contact Information
Ryan McMeekin [email protected]
Nancy Bong [email protected]
Scott Murphy [email protected]
Questions?