Value-added it auditing
![Page 1: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/1.jpg)
VALUE-ADDED IT AUDITING
MARC VAEL, BRUSSELS, MAY 2015
![Page 2: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/2.jpg)
AGENDA
▪ What does IT audit mean to you?
▪ Traditional IT audit
▪ Top audit concerns of audit committees
▪ The way towards value-added IT audit
▪ Some predictions
▪ Questions
![Page 3: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/3.jpg)
WHAT DOES IT AUDIT MEAN TO YOU?
![Page 4: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/4.jpg)
Yes, you
![Page 5: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/5.jpg)
![Page 6: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/6.jpg)
![Page 7: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/7.jpg)
TRADITIONAL IT AUDIT
![Page 8: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/8.jpg)
TYPES OF INFORMATION FOR AN IT AUDITOR
• Relevant information: relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant.
• Reliable information: accurate, verifiable and from an objective source.
• Timely information: produced and used in a timeframe that makes it possible to prevent or detect control deficiencies before they become material to an enterprise.
• Sufficient information: when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.
• Suitable information: relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information.
![Page 9: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/9.jpg)
TRADITIONAL IT AUDIT APPROACH
Identification of Safeguards
Threat Assessment
Asset Identification
Vulnerability Assessment
Risk Determination
Reporting
Remediation
Planning
Proactive processes that turn policies into awareness programs, IT administration, change management and other activities.
Technologies needed to provide the appropriate protection and support critical processes.
Management strategies for IT and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization.
Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.
![Page 10: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/10.jpg)
TYPICAL IT AUDIT ENGAGEMENTS
A. General control examination or facility audit
B. Application audit
C. System development audit
D. Technical or special topic audit
![Page 11: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/11.jpg)
IT CONTROLS
The plan of organization & the methods a business uses to safeguard IT assets, provide accurate & reliable information, promote & improve operational IT efficiency, and encourage adherence to prescribed IT management policies.
IT control procedure classifications:
1. Preventive / Detective / Corrective / Deterrent IT controls
2. General & Application IT controls
3. Administrative & Accounting IT controls
4. Input – Processing – Output IT controls
![Page 12: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/12.jpg)
GENERAL IT OPERATIONS
1. Change Management
2. System Development Life Cycle (SDLC)
3. Problem & Incident management
4. Back-up and data recovery
5. Project Management
6. Continuity Planning (CBCP and DRP)
![Page 13: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/13.jpg)
INFORMATION SYSTEMS
![Page 14: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/14.jpg)
INDEPENDENT IT CONTROLS ON PERFORMANCE
Independent IT controls on performance, which ensure that transactions are processed accurately, are another important control element.
Types of independent IT controls
– reconciliation of 2 independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting (debits = credits)
– batch totals
![Page 15: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/15.jpg)
INDEPENDENT IT CONTROLS ON PERFORMANCE
Types of independent IT controls
– batch totals:
5 types:
1 Financial total: sum of a euro field.
2 Hash total: sum of a field that would usually not be added.
3 Record count: number of documents processed by the IT system.
4 Line count: number of lines of data entered in the IT system.
5 Cross-footing: compares grand total of all rows with grand total of all columns to check that they are equal in the IT system.
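The five batch totals above, as an added example that is not part of the original slides: control totals are computed from the source documents before entry and reconciled against what the system processed, which shows which total catches which kind of error. The record layout, field names and sample invoices are constructed assumptions.

```python
from decimal import Decimal

def batch_totals(docs):
    """Compute the batch totals for a list of documents (hypothetical record layout)."""
    lines = [Decimal(a) for d in docs for a in d["lines"]]
    return {
        "financial_total": sum(lines, Decimal("0")),         # sum of a euro field
        "hash_total": sum(d["customer_no"] for d in docs),   # sum of a field not normally added
        "record_count": len(docs),                           # documents processed
        "line_count": len(lines),                            # lines of data entered
    }

def reconcile(control, processed_docs):
    """Return the names of the totals that differ between the control slip and the system."""
    actual = batch_totals(processed_docs)
    return sorted(name for name in control if control[name] != actual[name])

def cross_foots(row_totals, column_totals):
    """Cross-footing: grand total of all rows must equal grand total of all columns."""
    return sum(row_totals, Decimal("0")) == sum(column_totals, Decimal("0"))

# Constructed sample batch: three invoices as read from the source documents.
SOURCE = [
    {"doc": "INV-1001", "customer_no": 40217, "lines": ["120.00", "15.50"]},
    {"doc": "INV-1002", "customer_no": 40388, "lines": ["89.90"]},
    {"doc": "INV-1003", "customer_no": 41002, "lines": ["310.00", "42.10", "7.50"]},
]
CONTROL = batch_totals(SOURCE)  # totals written on the batch control slip before entry

# Case 1: customer number transposed during entry (40388 -> 40838), amounts untouched.
TRANSPOSED = [SOURCE[0], {**SOURCE[1], "customer_no": 40838}, SOURCE[2]]

# Case 2: amount mistyped (89.90 -> 98.90), everything else correct.
ALTERED = [SOURCE[0], {**SOURCE[1], "lines": ["98.90"]}, SOURCE[2]]

# Case 3: one document lost between capture and processing.
DROPPED = SOURCE[:2]

if __name__ == "__main__":
    print("control slip:", CONTROL)
    for label, processed in [("transposed", TRANSPOSED), ("altered", ALTERED), ("dropped", DROPPED)]:
        print(label, "->", reconcile(CONTROL, processed) or "all totals agree")
    rows = [Decimal("135.50"), Decimal("89.90"), Decimal("359.60")]   # per-invoice totals
    cols = [Decimal("519.90"), Decimal("65.10")]                      # per-column totals
    print("cross-foots:", cross_foots(rows, cols))
```

A posting to the wrong customer leaves the financial total intact and is caught only by the hash total, which is why the controls are used together rather than singly.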
![Page 16: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/16.jpg)
INDEPENDENT IT CONTROLS ON PERFORMANCE
Auditors must understand the following basic IT controls:
1 How transactions are initiated
2 How data are captured in machine-readable form or converted from source documents
3 How computer files are accessed & updated
4 How data are processed to prepare information
5 How information is reported
All of these items make it possible to have an IT audit trail.
An IT audit trail exists when individual company transactions can be traced end-to-end through the IT system.
![Page 17: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/17.jpg)
TOP AUDIT CONCERNS OF AUDIT COMMITTEES
![Page 18: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/18.jpg)
![Page 19: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/19.jpg)
![Page 20: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/20.jpg)
![Page 21: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/21.jpg)
![Page 22: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/22.jpg)
![Page 23: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/23.jpg)
![Page 24: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/24.jpg)
![Page 25: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/25.jpg)
![Page 26: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/26.jpg)
![Page 27: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/27.jpg)
![Page 28: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/28.jpg)
THE WAY TOWARDS VALUE-ADDED IT AUDIT
![Page 29: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/29.jpg)
IT CONTROLS
• IT controls continue to increase in importance to organisations
• Corporate reliance on IT increases
• Compliance requirements increase
• IT control deficiencies can have a significant impact on any organisation
![Page 30: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/30.jpg)
![Page 31: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/31.jpg)
PwC 2014 state of the internal audit profession study
![Page 32: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/32.jpg)
PwC 2014 state of the internal audit profession study
![Page 33: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/33.jpg)
PwC 2014 state of the internal audit profession study
![Page 34: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/34.jpg)
PwC 2014 state of the internal audit profession study
![Page 35: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/35.jpg)
VALUE PROPOSITION
![Page 36: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/36.jpg)
![Page 37: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/37.jpg)
PwC 2014 state of the internal audit profession study
![Page 38: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/38.jpg)
![Page 39: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/39.jpg)
www.isaca.org/cobit
![Page 40: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/40.jpg)
IT AUDIT REPORT WRITING PHASES
![Page 41: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/41.jpg)
TYPES OF IT AUDIT ENGAGEMENTS
Review
• Provides limited assurance about an assertion.
• Consists primarily of review work (less emphasis on testing).
• Can be more process oriented, focusing on the appropriateness of the tasks and activities that the audit entity performs and the associated controls. The level of evidence that is gathered is less than in an audit, and testing is generally limited or none is performed.
• Does not include audit opinions. Conclusions may often be stated negatively. Example: ‘Nothing came to our attention to indicate that the assertion is not true’.
![Page 42: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/42.jpg)
TYPES OF IT AUDIT ENGAGEMENTS
Examination
• Systematic process by which a competent, independent person objectively obtains & evaluates evidence regarding assertions about an entity or event, processes, operations or internal controls, for the purpose of forming an opinion & providing a report on the degree to which the assertions conform to an identified set of standards.
• Attestation process that provides the highest level of assurance about an assertion that an IT auditor can provide.
• Gathering & evaluating sufficient, competent evidence and performing appropriate tests and other procedures to form the opinion about an assertion for presentation in an IT audit report.
![Page 43: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/43.jpg)
TYPES OF IT AUDIT ENGAGEMENTS
Agreed-upon Procedures Engagement
Third party & IT auditor agree on specific procedures that will be performed to obtain evidence on which the third party is willing to rely as a basis for a conclusion.
Agreed-upon level of evidence may be significantly limited or extensive. The IT auditor may need to obtain a substantial amount of evidence (in some cases, more than is required for an IT audit).
The IT audit report should include a statement that sufficiency of procedures is solely the responsibility of the responsible parties & a disclaimer of responsibility for the sufficiency of those procedures. The report relates only to the elements specified & does not extend beyond them.
![Page 44: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/44.jpg)
![Page 45: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/45.jpg)
CAATS
Computer programs & data that the IT auditor uses as part of audit procedures to process data of significance contained in a computer system
![Page 46: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/46.jpg)
CAATS USAGE
· Calculation checks: e.g. the program gives the total amount of the individual entries in the purchases day book in a particular period. The auditor then agrees this total amount to the amount posted in the purchases ledger control.
· Detecting system rule violations: e.g. the program checks that no customer has a balance above the specified credit limit.
· Detecting unreasonable items: the program checks that no customer has a discount of 50% or a sales ledger balance that is more than the amount of sales made to that customer.
· New calculation & analysis: e.g. statistical analysis of inventory movements to identify slow moving items.
· Selecting items for audit testing: e.g. obtaining a stratified sample of sales ledger balances to be used as a basis for a circularization of debtors.
· Completeness checks: e.g. checking continuity of sales invoices to ensure they are all accounted for.
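Four of the CAAT usages listed above (calculation check, credit-limit rule, unreasonable items, invoice continuity), as an added example that is not part of the original slides. The extract layout, field names, the choice to flag discounts of 50% or more, and all sample values are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data: sales ledger extract, invoice register, purchases day book.
CUSTOMERS = [
    {"id": "C001", "balance": "4200.00", "credit_limit": "5000.00", "discount_pct": 5, "sales": "18000.00"},
    {"id": "C002", "balance": "7350.00", "credit_limit": "6000.00", "discount_pct": 10, "sales": "22000.00"},
    {"id": "C003", "balance": "900.00", "credit_limit": "2000.00", "discount_pct": 50, "sales": "3000.00"},
    {"id": "C004", "balance": "1500.00", "credit_limit": "2500.00", "discount_pct": 0, "sales": "1200.00"},
]
INVOICE_NUMBERS = [5001, 5002, 5003, 5005, 5006, 5006, 5009]
DAY_BOOK = ["1200.00", "830.50", "2410.25"]
CONTROL_ACCOUNT_POSTING = "4440.75"

def calculation_check(entries, posted):
    """Re-add the day book and agree the total to the control account posting."""
    total = sum((Decimal(e) for e in entries), Decimal("0"))
    return total, total == Decimal(posted)

def credit_limit_violations(customers):
    """System rule: no customer balance may exceed its credit limit."""
    return [c["id"] for c in customers
            if Decimal(c["balance"]) > Decimal(c["credit_limit"])]

def unreasonable_items(customers, max_discount_pct=50):
    """Flag discounts at or above the threshold and balances larger than sales made."""
    flagged = {}
    for c in customers:
        reasons = []
        if c["discount_pct"] >= max_discount_pct:
            reasons.append("discount")
        if Decimal(c["balance"]) > Decimal(c["sales"]):
            reasons.append("balance exceeds sales")
        if reasons:
            flagged[c["id"]] = reasons
    return flagged

def sequence_exceptions(numbers):
    """Completeness: report missing and duplicated numbers in a continuous series."""
    seen, duplicates = set(), set()
    for n in numbers:
        (duplicates if n in seen else seen).add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicates)

if __name__ == "__main__":
    print("calculation check:", calculation_check(DAY_BOOK, CONTROL_ACCOUNT_POSTING))
    print("over credit limit:", credit_limit_violations(CUSTOMERS))
    print("unreasonable items:", unreasonable_items(CUSTOMERS))
    print("invoice sequence (missing, duplicated):", sequence_exceptions(INVOICE_NUMBERS))
```

Each function returns an exception list rather than a pass/fail flag, so the output can go straight into the working papers as the items to follow up.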
![Page 47: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/47.jpg)
CAATS ADVANTAGES
· Test programmed controls: in an IT accounting system, there is a large volume of transactions which the auditor will have to audit. The auditor will have to check if the programmed controls are functioning correctly. The only effective way of testing programmed controls is through CAATs.
· Test on large volume of data: CAATs enable auditors to test large amounts of data quickly & accurately and increase the confidence they have in their opinion.
· Test on source location of data: CAATs enable auditors to test the accounting system & its records at their source location rather than testing printouts of what they believe to be a copy of those records.
· Cost effective: once set up, CAATs are a cost effective way of obtaining audit evidence year after year, provided that the client does not change the accounting system.
· Comparison: allows results from using CAATs to be compared to traditional testing. Where the two results agree, this increases the overall audit confidence.
![Page 48: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/48.jpg)
![Page 49: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/49.jpg)
![Page 50: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/50.jpg)
![Page 51: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/51.jpg)
![Page 52: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/52.jpg)
![Page 53: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/53.jpg)
![Page 54: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/54.jpg)
![Page 55: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/55.jpg)
![Page 56: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/56.jpg)
ISO15504
![Page 57: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/57.jpg)
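Capability levels and process attributes (PA):
Level 0 - Incomplete
Level 1 - Performed: PA1.1 Process Performance
Level 2 - Managed: PA2.1 Performance Management, PA2.2 Work Product Management
Level 3 - Established: PA3.1 Definition, PA3.2 Deployment
Level 4 - Predictable: PA4.1 Measurement, PA4.2 Control
Level 5 - Optimising: PA5.1 Innovation, PA5.2 Optimisation
Ratings required to achieve each level:
Level 1: Level 1 attributes L/F
Level 2: Level 1 attributes F; Level 2 attributes L/F
Level 3: Level 1-2 attributes F; Level 3 attributes L/F
Level 4: Level 1-3 attributes F; Level 4 attributes L/F
Level 5: Level 1-4 attributes F; Level 5 attributes L/F
L/F = Largely or Fully; F = Fully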
![Page 58: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/58.jpg)
![Page 59: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/59.jpg)
SOME PREDICTIONS
![Page 60: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/60.jpg)
PREDICTIONS INTRODUCTION
• Users want to be provided with more information about business organisations, rather than less.
• Demand for information is driven by business clients, customers, oversight authorities and legislatures: the audit plan can change in the middle of the current quarter and sometimes even change on a day-to-day basis.
• Trend: better, faster and more comprehensive reporting.
• Strong interest in independent assessment & reporting of organisational compliance with laws & regulations.
![Page 61: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/61.jpg)
![Page 62: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/62.jpg)
![Page 63: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/63.jpg)
PREDICTION: INTEGRATED REPORTING
Objective of integrated reporting = provide a more detailed picture of the organisation’s efforts to:
• Produce and sustain value
• Identify and manage risk
• Employ and develop human capital
• Meet legal requirements
• Address corporate and social responsibility
Audit reports include more in-depth non-financial reporting.
Shift from solely lag indicators (as found in traditional reporting) to lead or forward indicators with increased focus on management & performance capabilities.
![Page 64: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/64.jpg)
PREDICTION: USE OF TECHNOLOGY IN REPORTING
Demand is likely to increase for using technology to present audit results in a manner that quickly enables recipients to focus on the key points of the audit. Auditing standards provide a foundation for the auditing profession to develop and issue professional audit reports. Considerations of increased use of technology in the reporting process must be benchmarked against applicable auditing standards.
![Page 65: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/65.jpg)
![Page 66: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/66.jpg)
![Page 67: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/67.jpg)
![Page 68: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/68.jpg)
![Page 69: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/69.jpg)
![Page 70: Value-added it auditing](https://reader030.fdocuments.net/reader030/viewer/2022032700/55d15d7bbb61ebf9228b4608/html5/thumbnails/70.jpg)
CONTACT DETAILS
http://www.linkedin.com/in/marcvael @marcvael
Marc Vael CISA, CISM, CRISC, CGEIT, ITIL SM, Prince2 F, Guberna Certified Director
Chief Audit Executive SMALS vzw Fonsnylaan 20 1060 Brussel
+32 473 99 30 31