integrated audit 2011 ppt
© 2011 ISACA
IIAT Annual Meeting 2554
“CEO Integrated Management - Audit”
Integrated Audit in Practice
7 September 2554
วรางคณา มุสิกะสังข CISA CRISC
เสนีย วัชรศิริธรรม CISA CGEIT CRISC
ISACA Bangkok Chapter
Swissotel Le Concorde
Integrated Audit in practice
• Why Integrated Audit?
• What is Integrated Audit?
• Integrated Audit in external audit practice
• Integrated Audit in internal audit practice
Why Integrated Audit
• More expectations from Management and Boards
• greater value
• reduced or comparable cost
• Emerging risks
• IA practices
Why Integrated Audit
• Management and boards expect assurance over the core processes and systems that are critical for financial reporting and regulatory compliance.
• Internal audit should provide assurance over other risks and related processes that are integral to achieving corporate and shareholder objectives.
Why Integrated Audit
The demand for assurance covering IT risks is not being met.
• The top risk today is large projects with a significant IT component
• Internal Audit is failing to assure IT risk at both strategic and detailed level.
• Top six IT risks that organisations must deal with today, identified by both senior managers and Heads of Internal Audit
Does Internal Audit provide assurance in the areas that the Board needs?
Why Integrated Audit
Key Trends Reshaping Internal Audit
Participants’ anticipated deployment of IT strategies:
• Increase IT skill level of general internal audit staff 76%
• Acquire more sophisticated IT tools to address IT risks 68%
• Increase use of third-party experts 60%
• More integration of IT audit resources into non-IT teams 57%
• Deploy higher level more experienced IT auditors 54%
The Risk Resilient Organisation: From business crisis to business resilience
Overview
[Figure: the path from business crisis to business resilience, resting on Management systems; People, culture and values; Oversight and Governance]
Current high profile risk areas:
• Business Ethics and Integrity
• Treasury
• Business interruption
• Data Security
• Sustainability
• Regulation
• Projects and Contract Risk
Current high profile regulatory activity:
• Competition
• Anti-Bribery/FCPA
• Economic Crime
• Senior Accounting Officer
• Industry Regulation
• Emissions / Carbon
Risk in business: the next 20 years
[Figure: risk drivers, grouped as listed below]
Specific risk issues (“The Pain”):
• Data security & privacy risks
• Business interruption risks
• Project & contract risks
• Treasury risks
• Sustainability risks
• Business ethics risks
• Regulatory compliance risks
Global systemic issues:
• Demography
• Environment
• Technology
• Regulation & role of government
Increasing business complexity:
• Outsourcing
• Off-shoring
• New channels
• Cost cutting
• Product lifecycles
• Complex supply chains
• Career disintegration
The emerging risk landscape
Source: Economic Intelligence Unit, Risk 2018 “Planning for an unpredictable decade”
[Figure: scatter plot of risks rated by Importance against Preparedness, each on a Low / Medium / High scale; only the labelled points are recoverable]
Labelled risks:
• Retrenchment of globalisation
• Oil price shock
• Instability in Middle East
• International terrorism
• Climate change
• Cyber-terrorism
• Regulatory change
• Pandemic
• Corruption
Why Integrated Audit
Audit committees, CEOs and CFOs continue to raise their expectations of internal audit. Many are seeking greater value at a reduced or comparable cost; however, the challenges that internal audit must overcome are numerous and varied and impact both value and the cost to deliver it.
• Financial constraints
• Use of technology is limited
• Travel and administration is burdensome
• Lack of diverse skills
• Risk assessments and audit plans do not adequately address all risks
• Internal audit activities focus on low value, routine projects
• Audit scope is generic and lacks focus on most critical issues
• Excessive time in the field
• Routine audits do not fully leverage data analytic tools
• Lack of standardized programs and procedures
• Resolving issues with management requires significant time
• Lack of consistency in determining ratings
• Recommendations are not impactful
• Quality assurance programs are not robust
• Stakeholder feedback is not solicited
• Lack of adequate measurement of return on investment and metrics
What is Integrated Audit?
An outcome, not a solution in itself - a company and its Board needs to have a robust process for identifying and assessing risks and the controls over those risks. They must then determine the sources and effectiveness of assurance provided over those risks and controls and optimise this assurance.
About assurance providers working more closely together to ensure:
• the right amount of assurance
• in the right areas
• from people with the best and most relevant skills
• as cost effectively as possible
The “right amount of assurance” depends on the risk appetite of the company.
What Integrated Assurance looks like in practice
1. Ensure an appropriate overall risk assessment process is in place which is effective and understood by the Company and the Board.
2. Identify existing sources of assurance – identify each of the functional or risk areas of the business and determine all the sources of assurance for each of these. This enables a picture to be built up of the nature, quantity and quality of assurance across the business.
3. Determine aggregate assurance obtained from all sources for an individual functional or risk area (including assessing whether all assurance objectives are adequately addressed) to show the overall assurance level in that area.
4. Determine the relative strength of the assurance – review and discuss the terms of reference with the assurance provider and assess the quality and quantity of work performed and the output of their reviews.
5. Engage with the Board and the Audit Committee to determine the desired level of assurance required in each area. This will enable the development of an action plan to move from the current to the desired, optimised assurance framework. This may, in turn, lead to a re-arrangement of existing assurance provision.
Benefits
• Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business
• Reduced cost of internal audit
• Integrated assurance across all compliance / monitoring functions
• Comprehensive risk assessment
• Greater efficiencies through standardized and simplified processes
• An audit plan that provides assurance over risks aligned with shareholder value objectives (i.e., strategic, operational, technology, compliance, financial)
• Staffing model that suits stakeholder and enterprise needs (e.g., subject matter experts, global resources)
The role of Internal Audit*
• Engaging with key stakeholders to agree the assurance required from the function - IA provides a key component of an effective assurance framework
• Taking the lead in assisting management in the development of a fully tailored Integrated Assurance framework – there is no “one size fits all” solution
• Helping define the roles and terms of reference for each of the assurance functions
• Providing or arranging training for other assurance functions in the provision of effective assurance, including quality considerations and documentation standards
• Monitoring the performance of the various assurance functions over time
• Reviewing the assurance framework regularly in order to make any adjustments necessary to address the changing needs of the business
*The role taken by IA depends on the experience, skills and resources available in IA and in the wider business.
Integrated Audit in external Audit practice
1. Team
• Financial auditor
• IT auditor
• Specialists (e.g. Tax, actuarial)
2. Audit Planning
• Scoping
• Coverage - Business cycle (automated and manual controls, IT General Controls (ITGC))
3. Execution
• Timing & staffing
• Communication - continuously from start of work, complete ITGC, complete Application Control review and substantive work
4. Completion
• Report
• Meeting – Management & AC
[Figure: how financial statement assertions link through business processes and IT systems to audit evidence; the figure labels are listed below]
Financial Statement Assertions:
• Accuracy
• Completeness
• Cut-off
• Existence & Occurrence
• Rights & Obligations
• Presentation & Disclosure
• Valuation
Significant financial statement line items
Major classes of transaction
Significant automated and manual business processes
Financial reporting
IT applications and infrastructure
Financial data
Contribution of controls to audit evidence
Risks arising from the use of IT systems
Risks arising from processing transactions
Control Activities:
• Automated controls and procedures
• Reports generated from IT
• Manual controls
• Business Performance Reviews
• IT General Controls
Risk and control linkage - Illustration of Revenue
Example only – Not inclusive of all risks to be considered
Matters to consider
1. Team work – One team
2. Team knowledge and understanding of each other's work
3. Timely communication
Integrated Assurance… helping us deliver Value without Compromise
The more that companies grow internationally, the more they need to identify and develop potential leaders. “Ideally, internal audit will train high-potential employees in key areas such as business controls, risk management, and IT audit, and then send them back into the field.”
Working effectively with Internal Audit
The division of labour between internal and external audit does need to be carefully scoped and agreed in an Integrated Assurance framework.
There is a clear potential overlap between the financial controls work which external auditors may need to perform (depending on the audit approach) and that which internal audit may choose to perform.
BUT the extent of that overlap is often less than it appears at first sight – it is important to explain the different types of work undertaken by the two audit functions to management to avoid misunderstandings.
It is reasonable that External auditors perform more extensive financial controls work, but caution is needed before venturing beyond this to ensure that EA do not perform the role of management or do work not normally performed by the external auditor which they need to rely on for purposes of the external audit.
Simple Example Assurance Map
[Figure: a grid of assurance areas against assurance providers; the cell ratings were shown as colours and are not recoverable. Its headings and legend are listed below]
Columns (assurance providers):
• Management based assurance: Control self assessment; Risk Mgmt; Special project; Mgmt review; Legal / Company secretariat; Board
• Independent assurance: External Audit; Internal Audit
• Current Overall Assurance
• Future Assurance Objective
Rows (areas):
• Financial reporting
• Financial controls
• Legal
• IT
• Treasury
• Tax, pensions & insurance
• Human Resources
• Fraud
• Health & Safety
Legend: High assurance; Medium assurance; Low assurance; No assurance – but should be assurance in this area; Not applicable
The Integrated Assurance Benefit Curve
[Figure: Value plotted against External audit scope, running from an ISA based statutory audit to the maximum scope (incl. audit, financial controls, business controls), with the peak labelled Integrated assurance; the stages along the curve are listed below]
1. Stand alone external audit – no integration with IA or other assurance providers
2. External audit integrated with internal audit
- Planning and scoping performed together
Result: Improved efficiency through elimination of duplicated effort
3. External audit integrated with many assurance providers (e.g. internal audit, compliance, legal)
- Share best practice on controls optimisation
Result: Improved efficiency through elimination of duplicated effort; improved effectiveness through introduction of best practice
4. External audit scope further extended to include internal audit’s operational audit coverage
- Too many eggs in one basket
- Independence and ethical risks
- Dilutes management responsibility for control environment
- High cost
Agenda
- Integrated Audits
- Integrated Audits / Integrated Auditor
- Factors to consider when performing an Integrated Audit
- Summary
The current audit environment
New risks are emerging because more systems and technology are being used to deliver services, such as Core Banking systems, services through Mobile devices, the use of Cloud Computing, and Social Networking.
Business models are changing to meet customer demand; new lines of business are therefore more complex, and there are more rules, regulations and laws to comply with.
Internal work procedures are being revised to support new businesses and services and to allow rapid service delivery; internal controls change as a result, which may create risk in work processes.
IT Environment in business context
Source from: IT Governance Institute
[Figure: The Value Chain of the Business Activities, layered as Business Processes, Applications and IT Infrastructure Services, with Application Controls and ITGC alongside, and the Financial/Operational Auditor and the IT Auditor shown against the layers they cover]
External auditing Versus Internal Auditing
External Auditing
1. Done by CPA
2. Represents the interests of third-party stakeholders in the organization (stockholders, creditors, and government agencies)
3. Focus on Financial statements
Internal Auditing
1. An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
2. Performs a wide range of activities on behalf of the organization
3. Done by CPA, CIA, CISA, CISM
Source from: Information Systems Auditing and Assurance by James A. Hall
Classification of Audits
Financial audits: To assess the correctness of an organization's financial statements.
Operational audits: To evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.
Integrated audits (combine financial and operational audit steps): To assess the overall objectives within an organization, related to financial information and assets’ safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
IS audits: To collect and evaluate evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Source from: CISA Review Manual 2011 (ISACA)
Integrated IS Auditor & Integrated Audit
Integrated Auditor: To develop an expanded auditor skill set, basically to train financial/operational auditors to be “partial” IS Auditors, armed with a basic understanding of computers and general and application controls. All auditors would be able to include IS control considerations in each and every audit, as well as use basic CAATs.
Integrated Audit: Assembling an audit team including IS Audit-trained as well as financial/operationally trained auditors working together.
Source from: Auditor’s Guide to Information Systems Auditing by Richard Cascarino
Organization
[Figure: two internal audit organization charts]
• Internal Audit: Financial Audit, IT Audit
• Internal Audit: IT, Financial, Operational, Branch, Follow-up
Level of integrated audit planning
Audit Universe | Low-integrated audit plan | Partially integrated audit plan | Highly integrated audit plan
Business Process (Operational, Financial, Compliance) | Non-IT Audit | Non-IT Audit | Integrated approach
Application Systems (Application Controls, IT General Controls) | IT Audit | Integrated approach | Integrated approach
IT infrastructure Controls (Database, Operating Systems, Network) | IT Audit | IT Audit | Integrated approach
Source from: GTAG Developing the IT Audit Plan
Benefits of performing Integrated audits
- Risks, including the internal controls of the audit entity and its environment, can be identified comprehensively
- Fieldwork can evaluate controls more effectively
- Staff have the opportunity to learn and develop knowledge and skills in other areas of audit work, and can apply them to their own responsibilities
- Less disruption to the auditee's working time
- Management of the audited unit receives, in the audit report, the audit results and the assessment of internal controls over both the Business Process and the IT Process
“Using an integrated internal audit team ensures that both the functional and technical risks of the project are included in the scope of the review” Source from: GTAG Auditing IT Project
Comfort Zone
- Step out of the Comfort Zone
- Blend the knowledge, expertise and experience of each audit discipline
- Attitude Plus
[Figure: IS Auditor, Financial Auditor and Operational Auditor, with the GAP between them]
Three categories of IT knowledge for Internal audit
Category 1: All professional auditors, from new recruits up to CAE
- Software use in applications
- Operating systems and systems software
- Networks
- Basic IT Security (perimeter defenses, authentication, application system controls)
Category 2: Supervisor level of auditing
- Threats and vulnerabilities associated with automated business processes
- Business controls and risk mitigation provided by IT
- Ensure the effective use of IT tools in audit assessments and testing
Category 3: Technical IT audit specialists
- The underlying technologies supporting business components
- Threats and vulnerabilities associated with the technology
- Specialized technical knowledge
Source from: The IIA
Should every engagement be an Integrated audit?
[Figure: IT Audit Plan, Financial Audit Plan, Operational Audit Plan, Branch Audit Plan]
- Assigning auditors to join an Integrated audit team? And what about engagements that are IT Audit entities?
- Staff morale
Summary
- The trend for auditors to integrate IT and Non-IT audit work will grow as the benefits are recognised (Partial/Highly)
- CAATs audit techniques will be essential knowledge that every internal auditor must learn
- IT auditors need knowledge of the business processes being audited, in addition to IT knowledge
- Financial/Operational auditors should have knowledge of Application Controls and basic knowledge of information technology security
- Internal auditors having the skills to audit both IT and Non-IT
[Figure: IS Auditor, Financial Auditor and Operational Auditor, with the GAP between them]