
Post on 19-Dec-2015


OCTOBER, 2003

IT Competencies for Assurance Practitioners

Changes to the CICA’s Education Process….

Copyright ©2002 Deloitte & Touche LLP. All Rights Reserved

Discussion Items

The CASE for increased focus on IT Assurance Competencies

Changes to the CICA’s Focus for Education re IT Competencies

The Competencies

An Example….


The CASE for increased focus on IT Assurance Competencies


“I thought I had addressed all controls necessary during the systems implementation - turns out, I didn’t.”


Why is IT Assurance Fundamental for Assurance Practitioners

Today, most businesses have an electronic reliance on various internal and third-party stakeholders that create security, availability, reliability, maintainability and privacy risks.

[Diagram labels: Suppliers; Regulators; Employees; Customers; Business to Government; Business to Partner; Business to Consumer; Business to Employee; Business to Business; eBusiness; Telecom & ISP; IT Outsourcing; Processing; Service Providers and Partners]


[Diagram labels: IT Services (OS / Data / Telecom / Continuity / Networks…); Business Process: Finance; Business Process: Manufacturing; Business Process: Logistics; Business Process: Etc…]

IT – The Foundation for Reliable Financial Reporting

Businesses require complete and accurate information to make decisions and manage operations

IT systems provide this information

Without complete and accurate information, businesses cannot be assured that financial reporting is free from error

General Controls

Controls embedded in common services form General Controls. Examples include:
• Systems maintenance
• Disaster recovery
• Physical and logical security
• Data management
• Incident response

Application Controls

Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include:
• Authorizations
• Approvals
• Tolerance levels
• Reconciliations
• Input edits

Entity Controls

Entity controls set the tone for the organization. Examples include:
• Systems planning
• Operating style
• Enterprise policies
• Governance
• Collaboration
• Information sharing

[Diagram labels: Executive Management; Enterprise System; Corporate Reporting]


Why Provide IT Assurance??

Revenue assurance and growth – Reduce the risk of subscription fraud and customer credits/performance penalties, and strengthen the trust relationship with business partners/customers.

Improve customer service – Reduce customer complaints/call center inquiries by improving service levels with better reliability and predictability of system performance.

Differentiate service offering – Position service offering as “best of breed” and eliminate non-compliant competitors from competitive bid process.

Protect reputation and brand – A breach of security or privacy through eavesdropping can impact your reputation and the confidence of subscribers and business partners.

Reduce operational disruptions – Eliminate multiple audits by business partners and customers which require valuable time and resources of operational and service personnel.

Regulatory risks – Reduce the risk of privacy breaches or service interruptions that can attract the attention of industry regulators and privacy advocacy groups.

Reduce stakeholder risks – Address growing concerns among executive management, audit committees and board members about availability and security risks.

Improve operational efficiencies – Improve system utilization and capacity planning through proactive design of controls.


What Leading CIOs are Saying

"[CIOs] should view their function as if [IT] were a separate company and they were the CEO of it," Fran Dramis, CIO, Bell South

Putting the systems in place to "ensure compliance with Sarbanes-Oxley will boost investor confidence in the company," says Mattel CIO Joe Eckroth.

CIOs aren't at risk for Enron-like fraud as much as "honest mistakes - systems that malfunction, miscompute or somehow give the wrong answer…the bottom line is that if you develop a system that doesn't work, that's a control problem." John Flaherty, COSO Chairman

“…having a cross-disciplinary project team is a key to ensuring proper implementation of SOA-led initiatives. According to the survey, 68 percent of companies include IT representation on their SOA teams.” – AMR Research


CICA’s Response


Key Changes…..Out with the Old…

Examination process changing from “knowledge” base to “competency” base…..this has provided the opportunity to focus on broader IT competencies for Assurance Practitioners…..

Previous knowledge base process focused on a narrow range of topics that were mostly Assurance Based……little or no focus provided on the role of IT in the context of running a business….

Level of knowledge previously required was quite low

Amount of integration with other assurance areas was very limited due to the narrow range of focus


Key Changes…..In with the New…

Intro to NEW IT Section of CICA’s Competency Map….

“CAs make a significant contribution to enhancing an entity’s performance by being competent in identifying the entity’s information needs, by assessing the impact of information on its corporate strategies, and by helping to develop specific Information and Information Technology (IT) strategies aligned with the entity’s goals and objectives”

New exam focus on competencies….Levels of competency expectation include: Comprehend, Detect, Perform

Level of competency in the IT area varies but overall requirements are for a deeper level of competency….

Broad focus across a number of IT competencies allows for the integration of IT in a number of Assurance Practitioner Candidate questions….


Key Changes…..The Competencies

VI-1 - Assesses Information Technology Strategy

VI-1.1 - Identifies the entity’s IT needs – DETECT

VI-1.2 - Evaluates the entity’s existing IT strategy – DETECT

VI-2 - Assesses Risk Associated with the Use of Technology

VI-2.1 - Evaluates the IT internal audit function – DETECT

VI-2.2 - Investigates the dependence of systems on third parties – PERFORM

VI-3 - Assesses IT Relative to the Control Environment

VI-3.1 - Understands and documents the role technology plays in a given control – PERFORM

VI-3.2 - Contributes to IT-specific testing – DETECT

VI-3.3 - Uses IT to improve an existing control process – DETECT

VI-3.4 - Documents the systems development and operational control processes – DETECT


Key Changes…..The Competencies

VI-4 - Improves the Entity’s IT Design

VI-4.1 - Evaluates the business impact of new developments and trends in technology – DETECT

VI-4.2 - Improves the entity’s IT design and development – DETECT

VI-4.3 - Designs and sets up IT accounting systems using standard accounting packages – DETECT

VI-4.4 - Develops business case to support IT proposals – DETECT

VI-4.5 - Evaluates and decides on IT acquisition and sourcing – DETECT

VI-5 - Designs and Manages System Installations and Upgrades

VI-5.1 - Designs and manages or advises on system installations and upgrades – DETECT


Key Changes…..The Competencies

VI-5 - Manages the IT Function - Comprehend

VI-6 - Contributes to Developments in IT

VI-6.1 - Contributes to public debate


Key Changes…..An Example

Scenario:

A small public company is looking to upgrade a number of existing business processes by implementing a new computer system. The company currently has a small Information Technology group which assists the company in supporting its current network environment and a couple of smaller customized business applications. The CA candidate is asked to assess the company’s IT strategy.