Post on 19-Dec-2015
OCTOBER, 2003
IT Competencies for Assurance Practitioners
Changes to the CICA’s Education Process….
Copyright ©2002 Deloitte & Touche LLP. All Rights Reserved 2
Discussion Items
The CASE for increased focus on IT Assurance Competencies
Changes to the CICA’s Focus for Education re IT Competencies
The Competencies
An Example….
The CASE for increased focus on IT Assurance Competencies
“I thought I had addressed all controls necessary during the systems implementation - turns out, I didn’t.”
Why is IT Assurance Fundamental for Assurance Practitioners
Today, most businesses have an electronic reliance on various internal and third-party stakeholders that creates security, availability, reliability, maintainability and privacy risks.
[Diagram labels: Suppliers; Regulators; Employees; Customers; Business to Government; Business to Partner; Business to Consumer; Business to Employee; Business to Business; eBusiness; Telecom & ISP; IT Outsourcing; Processing; Service Providers and Partners]
[Diagram labels: IT Services (OS / Data / Telecom / Continuity / Networks…); Business Process: Finance; Business Process: Manufacturing; Business Process: Logistics; Business Process: Etc…]
IT – The Foundation for Reliable Financial Reporting
Businesses require complete and accurate information to make decisions and manage operations
IT systems provide this information
Without complete and accurate information, businesses cannot be assured that financial reporting is free from error
General Controls
Controls embedded in common services form General Controls. Examples include:
• Systems maintenance
• Disaster recovery
• Physical and logical security
• Data management
• Incident response
Application Controls
Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include:
• Authorizations
• Approvals
• Tolerance levels
• Reconciliations
• Input edits
Entity Controls
Entity controls set the tone for the organization. Examples include:
• Systems planning
• Operating style
• Enterprise policies
• Governance
• Collaboration
• Information sharing
[Diagram labels: Executive Management; Enterprise System; Corporate Reporting]
Why Provide IT Assurance??
Revenue assurance and growth – Reduce the risk of subscription fraud and customer credits/performance penalties, strengthening the trust relationship with business partners/customers.
Improve customer service – Reduce customer complaints/call center inquiries by improving service levels with better reliability and predictability of system performance.
Differentiate service offering – Position service offering as “best of breed” and eliminate non-compliant competitors from competitive bid process.
Protect reputation and brand - A breach of security or privacy through eavesdropping can impact your reputation and the confidence of subscribers and business partners.
Reduce operational disruptions – Eliminate multiple audits by business partners and customers which require valuable time and resources of operational and service personnel.
Regulatory risks – Reduce the risk of privacy breaches or service interruptions that can attract the attention of industry regulators and privacy advocacy groups.
Reduce stakeholder risks - Address growing concerns among executive management, audit committees and board members about availability and security risks.
Improve operational efficiencies – By improving system utilization and capacity planning through proactive design of controls
What Leading CIOs are Saying
"[CIOs] should view their function as if [IT] were a separate company and they were the CEO of it," Fran Dramis CIO Bell South
Putting the systems in place to "ensure compliance with Sarbanes-Oxley will boost investor confidence in the company," says Mattel CIO Joe Eckroth.
CIOs aren't at risk for Enron-like fraud as much as "honest mistakes-systems that malfunction, miscompute or somehow give the wrong answer…the bottom line is that if you develop a system that doesn't work, that's a control problem." John Flaherty, COSO Chairman
“…having a cross-disciplinary project team is a key to ensuring proper implementation of SOA-led initiatives. According to the survey, 68 percent of companies include IT representation on their SOA teams.” –AMR Research
CICA’s Response
Key Changes…..Out with the Old…
Examination process changing from “knowledge” base to “competency” base… this has provided the opportunity to focus on broader IT competencies for Assurance Practitioners…
Previous knowledge base process focused on a narrow range of topics that were mostly Assurance based… little or no focus provided on the role of IT in the context of running a business…
Level of knowledge previously required was quite low
Amount of integration with other assurance areas was very limited due to the narrow range of focus
Key Changes…..In with the New…
Intro to NEW IT Section of CICA’s Competency Map….
“CAs make a significant contribution to enhancing an entity’s performance by being competent in identifying the entity’s information needs, by assessing the impact of information on its corporate strategies, and by helping to develop specific Information and Information Technology (IT) strategies aligned with the entity’s goals and objectives”
New exam focus on competencies… Levels of competency expectation include: Comprehend, Detect, Perform
Level of competency in the IT area varies but overall requirements are for a deeper level of competency….
Broad focus across a number of IT competencies allows for the integration of IT in a number of Assurance Practitioner Candidate questions…
Key Changes…..The Competencies
VI-1 - Assesses Information Technology Strategy
VI-1.1 - Identifies the entity’s IT needs – DETECT
VI-1.2 - Evaluates the entity’s existing IT strategy – DETECT
VI-2 - Assesses Risk Associated with the Use of Technology
VI-2.1 - Evaluates the IT internal audit function – DETECT
VI-2.2 - Investigates the dependence of systems on third parties – PERFORM
VI-3 - Assesses IT Relative to the Control Environment
VI-3.1 - Understands and documents the role technology plays in a given control – PERFORM
VI-3.2 - Contributes to IT-specific testing – DETECT
VI-3.3 - Uses IT to improve an existing control process – DETECT
VI-3.4 - Documents the systems development and operational control processes – DETECT
Key Changes…..The Competencies
VI-4 - Improves the Entity’s IT Design
VI-4.1 - Evaluates the business impact of new developments and trends in technology – DETECT
VI-4.2 - Improves the entity’s IT design and development – DETECT
VI-4.3 - Designs and sets up IT accounting systems using standard accounting packages – DETECT
VI-4.4 - Develops business case to support IT proposals – DETECT
VI-4.5 - Evaluates and decides on IT acquisition and sourcing – DETECT
VI-5 - Designs and Manages System Installations and Upgrades
VI-5.1 - Designs and manages or advises on system installations and upgrades – DETECT
Key Changes…..The Competencies
VI-5 - Manages the IT Function - Comprehend
VI-6 - Contributes to Developments in IT
VI-6.1 - Contributes to public debate
Key Changes…..An Example
Scenario:
A small public company is looking to upgrade a number of existing business processes by implementing a new computer system. The company currently has a small Information Technology group which assists the company in supporting its current network environment and a couple of smaller customized business applications. The CA candidate is asked to assess the company’s IT strategy.