
© 2011 ISACA (Slide 1)

IIAT Annual Meeting 2554

"CEO Integrated Management - Audit"

Integrated Audit in Practice
7 September 2011 (B.E. 2554)

วรางคณา มุสิกะสังข, CISA, CRISC
เสนีย วัชรศิริธรรม, CISA, CGEIT, CRISC
ISACA Bangkok Chapter

Swissotel Le Concorde

Slide 2

Integrated Audit in practice

• Why Integrated Audit?
• What is Integrated Audit?
• Integrated Audit in external audit practice
• Integrated Audit in internal audit practice

Slide 3

Why Integrated Audit

• More expectations from management and boards:
  • greater value
  • reduced or comparable cost
• Emerging risks
• Internal audit (IA) practices

Slide 4

Why Integrated Audit

• Management and boards expect assurance over the core processes and systems that are critical for financial reporting and regulatory compliance.
• Internal audit should provide assurance over other risks and related processes that are integral to achieving corporate and shareholder objectives.

Slide 5

Why Integrated Audit

Does Internal Audit provide assurance in the areas that the Board needs?

The demand for assurance covering IT risks is not being met.

• The top risk today is large projects with a significant IT component
• Internal Audit is failing to assure IT risk at both strategic and detailed level
• Top six IT risks that organisations must deal with today, identified by both senior managers and Heads of Internal Audit

Slide 6

Why Integrated Audit: Key Trends Reshaping Internal Audit

Participants' anticipated deployment of IT strategies:

• Increase IT skill level of general internal audit staff: 76%
• Acquire more sophisticated IT tools to address IT risks: 68%
• Increase use of third-party experts: 60%
• More integration of IT audit resources into non-IT teams: 57%
• Deploy higher level, more experienced IT auditors: 54%

Slide 7

Why Integrated Audit: Overview

The Risk Resilient Organisation: from business crisis to business resilience

[Figure: diagram of the move from business crisis to business resilience, built on three pillars: Oversight and Governance; Management systems; People, culture and values]

Current high profile risk areas: Business Ethics and Integrity; Treasury; Business interruption; Data Security; Sustainability; Regulation; Projects and Contract Risk

Current high profile regulatory activity: Competition; Anti-Bribery/FCPA; Economic Crime; Senior Accounting Officer; Industry Regulation; Emissions / Carbon

Slide 8

Risk in business: the next 20 years

[Figure: specific risk issues ("The Pain") mapped against global systemic issues and sources of increasing business complexity]

Specific risk issues ("The Pain"): data security & privacy risks; business interruption risks; project & contract risks; treasury risks; sustainability risks; business ethics risks; regulatory compliance risks

Global systemic issues: demography; environment; technology; regulation & role of government

Increasing business complexity: outsourcing; off-shoring; new channels; cost cutting; product lifecycles; complex supply chains; career disintegration

Slide 9

The emerging risk landscape

Source: Economist Intelligence Unit, Risk 2018 "Planning for an unpredictable decade"

[Figure: scatter chart of risks plotted by Importance (Low / Medium / High) against Preparedness (Low / Medium / High). Labelled points: Retrenchment of globalisation; Oil price shock; Instability in Middle East; International terrorism; Climate change; Cyber-terrorism; Regulatory change; Pandemic; Corruption. The positions of the points and the remaining unlabelled points are not recoverable from this transcript.]

Slide 10

Why Integrated Audit

Audit committees, CEOs and CFOs continue to raise their expectations of internal audit. Many are seeking greater value at a reduced or comparable cost; however, the challenges that internal audit must overcome are numerous and varied and impact both value and the cost to deliver it.

• Financial constraints
• Use of technology is limited
• Travel and administration is burdensome
• Lack of diverse skills
• Risk assessments and audit plans do not adequately address all risks
• Internal audit activities focus on low value, routine projects
• Audit scope is generic and lacks focus on the most critical issues
• Excessive time in the field
• Routine audits do not fully leverage data analytic tools
• Lack of standardized programs and procedures
• Resolving issues with management requires significant time
• Lack of consistency in determining ratings
• Recommendations are not impactful
• Quality assurance programs are not robust
• Stakeholder feedback is not solicited
• Lack of adequate measurement of return on investment and metrics

Slide 11

What is Integrated Audit?

An outcome, not a solution in itself: a company and its Board need to have a robust process for identifying and assessing risks and the controls over those risks. They must then determine the sources and effectiveness of the assurance provided over those risks and controls, and optimise this assurance.

It is about assurance providers working more closely together to ensure:

• the right amount of assurance
• in the right areas
• from people with the best and most relevant skills
• as cost effectively as possible

The "right amount of assurance" depends on the risk appetite of the company.

Slide 12

What Integrated Assurance looks like in practice

1. Ensure an appropriate overall risk assessment process is in place which is effective and understood by the Company and the Board.

2. Identify existing sources of assurance: identify each of the functional or risk areas of the business and determine all the sources of assurance for each of these. This enables a picture to be built up of the nature, quantity and quality of assurance across the business.

3. Determine the aggregate assurance obtained from all sources for an individual functional or risk area (including assessing whether all assurance objectives are adequately addressed) to show the overall assurance level in that area.

4. Determine the relative strength of the assurance: review and discuss the terms of reference with the assurance provider and assess the quality and quantity of work performed and the output of their reviews.

5. Engage with the Board and the Audit Committee to determine the desired level of assurance required in each area. This will enable the development of an action plan to move from the current to the desired, optimised assurance framework. This may, in turn, lead to a re-arrangement of existing assurance provision.

Slide 13

Benefits

• Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business
• Reduced cost of internal audit
• Integrated assurance across all compliance / monitoring functions
• Comprehensive risk assessment
• Greater efficiencies through standardized and simplified processes
• An audit plan that provides assurance over risks aligned with shareholder value objectives (i.e., strategic, operational, technology, compliance, financial)
• Staffing model that suits stakeholder and enterprise needs (e.g., subject matter experts, global resources)

Slide 14

The role of Internal Audit*

• Engaging with key stakeholders to agree the assurance required from the function; IA provides a key component of an effective assurance framework
• Taking the lead in assisting management in the development of a fully tailored Integrated Assurance framework; there is no "one size fits all" solution
• Helping define the roles and terms of reference for each of the assurance functions
• Providing or arranging training for other assurance functions in the provision of effective assurance, including quality considerations and documentation standards
• Monitoring the performance of the various assurance functions over time
• Reviewing the assurance framework regularly in order to make any adjustments necessary to address the changing needs of the business

* The role taken by IA depends on the experience, skills and resources available in IA and in the wider business.

Slide 15

Integrated Audit in external Audit practice

1. Team
   • Financial auditor
   • IT auditor
   • Specialists (e.g. tax, actuarial)

2. Audit Planning
   • Scoping
   • Coverage: business cycle (automated and manual controls, IT General Controls (ITGC))

3. Execution
   • Timing & staffing
   • Communication: continuously, from the start of work through completion of ITGC, completion of the Application Control review, and substantive work

4. Completion
   • Report
   • Meeting: Management & AC (Audit Committee)

Slide 16

[Figure: financial statement audit model linking assertions, financial reporting elements, risks and control activities]

Financial statement assertions: Accuracy; Completeness; Cut-off; Existence & Occurrence; Rights & Obligations; Presentation & Disclosure; Valuation

Financial reporting: significant financial statement line items; major classes of transaction; significant automated and manual business processes; IT applications and infrastructure; financial data

Risks: risks arising from processing transactions; risks arising from the use of IT systems

Contribution of controls to audit evidence (control activities): automated controls and procedures; reports generated from IT; manual controls; business performance reviews; IT General Controls

Slide 17

IT Audit Scope

Slide 18

Risk and control linkage: Illustration of Revenue

Example only, not inclusive of all risks to be considered

Slide 19

Matters to consider

1. Team work: one team
2. Team knowledge and understanding of each other's work
3. Timely communication

Slide 20

Integrated Assurance... helping us deliver Value without Compromise

The more that companies grow internationally, the more they need to identify and develop potential leaders. "Ideally, internal audit will train high-potential employees in key areas such as business controls, risk management, and IT audit, and then send them back into the field."

Slide 21

Working effectively with Internal Audit

The division of labour between internal and external audit does need to be carefully scoped and agreed in an Integrated Assurance framework.

There is a clear potential overlap between the financial controls work which external auditors may need to perform (depending on the audit approach) and that which internal audit may choose to perform.

BUT the extent of that overlap is often less than it appears at first sight; it is important to explain the different types of work undertaken by the two audit functions to management to avoid misunderstandings.

It is reasonable that external auditors perform more extensive financial controls work, but caution is needed before venturing beyond this, to ensure that external auditors (EA) do not perform the role of management, or do work not normally performed by the external auditor which they would then need to rely on for purposes of the external audit.

Slide 22

Simple Example Assurance Map

[Table: rows are risk areas and columns are assurance sources; each cell in the original is colour-coded by assurance level, and the cell values are not recoverable from this transcript.]

Columns:
- Management based assurance: Control self assessment | Risk Mgmt | Special project | Mgmt review | Legal / Company secretariat | Board
- Independent assurance: External Audit | Internal Audit
- Current Overall Assurance
- Future Assurance Objective

Rows: Financial reporting; Financial controls; Legal; IT; Treasury; Tax, pensions & insurance; Human Resources; Fraud; Health & Safety

Legend: High assurance; Medium assurance; Low assurance; No assurance, but should be assurance in this area; Not applicable

Slide 23

The Integrated Assurance Benefit Curve

[Figure: value plotted against external audit scope, from an ISA based statutory audit up to maximum scope (including audit, financial controls and business controls). Stages along the curve:]

1. Stand-alone external audit (ISA based statutory audit): no integration with IA or other assurance providers.

2. External audit integrated with internal audit: planning and scoping performed together. Result: improved efficiency through elimination of duplicated effort.

3. External audit integrated with many assurance providers (e.g. internal audit, compliance, legal), i.e. integrated assurance: share best practice on controls optimisation. Result: improved efficiency through elimination of duplicated effort; improved effectiveness through introduction of best practice.

4. External audit scope further extended to include internal audit's operational audit coverage (maximum scope, including audit, financial controls and business controls): too many eggs in one basket; independence and ethical risks; dilutes management responsibility for the control environment; high cost.

Slide 24

Agenda

- Integrated Audits
- Integrated Audits / Integrated Auditor
- Factors to consider when performing an Integrated Audit
- Summary

Slide 25

Current audit environment

New risks are arising because more systems and technology are being used to deliver services, e.g. Core Banking systems, services delivered through mobile devices, the use of Cloud Computing, and Social Networking.

Business models are changing to meet customer needs; new lines of business are more complex, with more rules, regulations and laws to comply with.

Internal work procedures are being revised to support new businesses and services and to deliver them quickly; internal controls change as a result and may introduce risk into work processes.

Slide 26

IT Environment in business context

Source: IT Governance Institute

[Figure: the value chain of the business activities, layered as Business Processes, Applications, and IT Infrastructure Services, with Application Controls and IT General Controls (ITGC) marked against the layers and labels for the Financial/Operational Auditor and the IT Auditor]

Slide 27

External auditing versus Internal auditing

External Auditing
1. Done by CPAs
2. Represents the interests of third-party stakeholders in the organization (stockholders, creditors, and government agencies)
3. Focuses on financial statements

Internal Auditing
1. An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
2. Performs a wide range of activities on behalf of the organization
3. Done by CPA, CIA, CISA, CISM holders

Source: Information Systems Auditing and Assurance by James A. Hall

Slide 28

Classification of Audits

Financial audits: to assess the correctness of an organization's financial statements.

Operational audits: to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.

Integrated audits (combine financial and operational audit steps): to assess the overall objectives within an organization related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.

IS audits: collect and evaluate evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

Source: CISA Review Manual 2011 (ISACA)

Slide 29

Integrated IS Auditor & Integrated Audit

Integrated Auditor: to develop an expanded auditor skill set, basically to train financial/operational auditors to be "partial" IS auditors, armed with a basic understanding of computers and of general and application controls. All auditors would be able to include IS control considerations in each and every audit, as well as use basic CAATs.

Integrated Audit: assembling an audit team including IS audit-trained as well as financially/operationally trained auditors working together.

Source: Auditor's Guide to Information Systems Auditing by Richard Cascarino

Slide 30

Factors to consider

Slide 31

Organization

[Figure: two example internal audit organisation charts. In one, Internal Audit is split into Financial Audit and IT Audit; in the other, Internal Audit is split into IT, Financial, Operational, Branch and Follow-up units.]

Slide 32

Level of integrated audit planning

Audit Universe | Low-integrated audit plan | Partially integrated audit plan | Highly integrated audit plan
Business Process (Operational, Financial, Compliance) | Non-IT Audit | Non-IT Audit | Integrated approach
Application Systems (Application Controls, IT General Controls) | IT Audit | Integrated approach | Integrated approach
IT infrastructure Controls (Database, Operating Systems, Network) | IT Audit | IT Audit | Integrated approach

Source: GTAG, Developing the IT Audit Plan

Slide 33

Benefits of Integrated audits

- Risks, and the internal controls of the audit entity and its environment, can be identified comprehensively
- Fieldwork can evaluate controls more effectively
- Staff have the opportunity to learn and develop skills in other audit areas and apply them to their own responsibilities
- Less disruption to the auditee's working time
- Management of the audited unit receives, in a single audit report, the audit results and the evaluation of internal control over both the Business Process and the IT Process

"Using an integrated internal audit team ensures that both the functional and technical risks of the project are included in the scope of the review." Source: GTAG, Auditing IT Projects

Slide 34

Comfort Zone

- Step out of the Comfort Zone
- Blend the knowledge, expertise and audit experience of each discipline together
- Attitude Plus

[Figure: three overlapping circles labelled IS Auditor, Financial Auditor and Operational Auditor, with the GAP between them marked]

Slide 35

Three categories of IT knowledge for Internal audit

Category 1: All professional auditors, from new recruits up to the CAE
- Software used in applications
- Operating systems and systems software
- Networks
- Basic IT security (perimeter defenses, authentication, application system controls)

Category 2: Supervisor level of auditing
- Threats and vulnerabilities associated with automated business processes
- Business controls and risk mitigation provided by IT
- Ensuring the effective use of IT tools in audit assessments and testing

Category 3: Technical IT audit specialists
- The underlying technologies supporting business components
- Threats and vulnerabilities associated with the technology
- Specialized technical knowledge

Source: The IIA

Slide 36

Should every engagement be an Integrated audit?

[Figure: IT Audit Plan, Financial Audit Plan, Operational Audit Plan and Branch Audit Plan shown as separate plans]

- Assign auditors to join an Integrated audit team? Then what about the engagements that are IT Audit entities?
- Staff morale

Slide 37

Summary

- The trend for auditors to integrate IT and non-IT audit work (partially or highly) will grow, because the benefits are recognised
- CAATs will be an audit technique that every internal auditor must learn
- IT auditors need knowledge of the business processes they audit, in addition to IT knowledge
- Financial/Operational auditors should have knowledge of Application Controls and a basic knowledge of information technology security
- Internal auditors should have the skills to audit both IT and non-IT

[Figure: three overlapping circles labelled IS Auditor, Financial Auditor and Operational Auditor, with the GAP between them marked]
