<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5247267232662532055</id><updated>2026-04-14T15:37:25.953-07:00</updated><title type='text'>IT Audit</title><subtitle type='html'>•An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization&#39;s information systems, practices, and operations and forming an opinion about and reporting on the degree to which assertion is completed...</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>23</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-4757594941125674892</id><published>2010-09-08T07:07:00.000-07:00</published><updated>2010-09-08T07:07:54.830-07:00</updated><title type='text'>System Risk Management</title><content type='html'>Let’s talk today about IT risk assessment. When should we perform such risk assessments, and what impact might they have on our business?&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The main goal of IT risk assessment is to ensure the normal, uninterrupted operation of your business. This involves the normal operation of your application systems, operating systems, network equipment, databases, etc. That is why the IT risk assessment process should be incorporated into every IT process. For example, let’s look at the change management process. When you plan to make any changes to your IT infrastructure, you should ensure that such changes will not negatively impact normal operations and that your business will continue to operate and generate money for you. The best way to achieve this goal is to perform a preliminary IT risk assessment for each change to the IT infrastructure (application system changes, database changes, network changes, operating system changes).&lt;br /&gt;
&lt;br /&gt;
When performing an IT risk assessment, you should consider the following questions:&lt;br /&gt;
&lt;br /&gt;
· How will this change affect existing operations?&lt;br /&gt;
· Will we need to disrupt our operations? If so, for how long? What would be the cost of disruption?&lt;br /&gt;
· What organizational units will be affected?&lt;br /&gt;
· How much will this change cost the business?&lt;br /&gt;
· How will this change affect the existing hardware?&lt;br /&gt;
· How will this change affect the existing software?&lt;br /&gt;
· What actions must be taken to ensure normal operations after the change is implemented?&lt;br /&gt;
· Do we have a complete set of backup data for each affected system?&lt;br /&gt;
· Can we restore the previous state of the affected systems in case of failure during change implementation?&lt;br /&gt;
All these questions must have appropriate answers while performing an IT risk assessment.&lt;br /&gt;
Now let’s look at another very important part of our IT processes: our Business Continuity strategy. While creating this strategy, you must complete a process called Business Impact Analysis, which identifies all processes and systems that should be included in the Continuity strategy. It is also good practice to complete an IT risk assessment at this stage. In doing so, you need to consider the impact of your current IT systems on your Continuity strategy and the impact of the Continuity strategy on your IT systems. Such an IT risk assessment can help identify any potential vulnerabilities in the processes that could be exploited in the future and cause the continuity of operations to fail.&lt;br /&gt;
&lt;br /&gt;
My personal belief is that today’s organizations should always remember the significant impact of modern IT infrastructure on their day-to-day business activities, and that they should perform a comprehensive IT risk assessment before considering any changes to the existing IT processes and infrastructure.&lt;br /&gt;
&lt;br /&gt;
Your risk assessment procedures must be always formal and you should retain your IT risk assessment reports for future reference and resolution of possible questions.</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/4757594941125674892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/09/system-risk-management.html#comment-form' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/4757594941125674892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/4757594941125674892'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/09/system-risk-management.html' title='System Risk Management'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-7286076310028110664</id><published>2010-08-28T09:57:00.000-07:00</published><updated>2010-08-28T09:57:07.241-07:00</updated><title type='text'>What is IT Audit?</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;An IT audit is different from a financial statement audit. While a financial audit&#39;s purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system&#39;s internal control design and effectiveness. This includes but is not limited to efficiency and security protocols, development processes, and IT governance or oversight. 
The goal is to evaluate the organization&#39;s ability to protect its information assets and properly dispense information to authorized parties. The IT audit&#39;s agenda may be summarized by the following questions:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Will the organization&#39;s computer systems be available for the business at all times when required? (Availability)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Will the information in the systems be disclosed only to authorized users? (Confidentiality)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Will the information provided by the system always be accurate, reliable, and timely? (Integrity)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The IT audit focuses on determining risks that are relevant to information assets, and on assessing controls in order to reduce or mitigate these risks. Implementing controls can minimize the effect of risks, but it cannot completely eliminate all risks.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/7286076310028110664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/what-is-it-audit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7286076310028110664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7286076310028110664'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/what-is-it-audit.html' title='What is IT Audit?'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-3453406648632336752</id><published>2010-08-22T02:36:00.000-07:00</published><updated>2010-08-22T02:36:38.993-07:00</updated><title type='text'>Type of SAS-70 Auditing</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Type of SAS&amp;nbsp;70 Audit: Type I and Type II&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Type I Audit: Type I includes an opinion on the presentation of the service organization&#39;s description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified objectives.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Type II Audit: It is a more thorough SAS 70 audit report because it contains a description of the controls in place and a description of the auditor&#39;s tests of control effectiveness over a minimum testing period (usually 6 months).&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Type II audit testing adds a testing and observation period. It is more common and often the preferred choice of SAS 70 audits because it is a comprehensive analysis of not only what controls are in place, but also how effective these controls are in meeting the control objectives.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/3453406648632336752/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/type-of-sas-70-auditing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3453406648632336752'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3453406648632336752'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/type-of-sas-70-auditing.html' title='Type of SAS-70 Auditing'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-8369074777082214928</id><published>2010-08-22T02:23:00.000-07:00</published><updated>2010-08-22T02:23:21.468-07:00</updated><title type='text'>Analysis of CISA Salary</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Want more money for your information security skills? Try getting a professional certification. 
For all the continuing debate about the real value of IT certification programs, the premiums that companies are willing to pay for certified information security professionals are actually trending upwards.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;A report released last week by New Canaan, Conn.-based Foote Partners LLC shows that formally certified security professionals on average are still commanding about 10% to 15% higher salaries than noncertified individuals in comparable roles. The numbers were marginally higher than the premiums offered for certified security professionals six months ago. Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;In contrast, the premiums being offered for individuals with professional certifications in other IT areas fell by about 2% over the past year, according to the Foote report. The analysis was based on salary data from 33,800 U.S. and Canadian IT professionals.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&quot;Security certifications bucked the overall trend by growing in value from October to April, up an average of 1.7 percent across the entire group of twenty-seven security certifications that we survey,&quot; the report said. &quot;This is a very important development, because salaries as well as skills pay for IT security professionals stopped growing and in some cases declined a few years ago following what had been a strong wave of hiring in the wake of Patriot Act, Homeland Security Act, and Sarbanes-Oxley Act legislation,&quot; the Foote report said.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;That trend has begun reversing itself as demand for qualified security professionals has begun to steadily grow recently, said David Foote, CEO of Foote Partners, in an interview with Computerworld. High-profile breaches, such as the one at TJX earlier this year, have made company executives increasingly nervous about the impact of security breaches on their customer bases, Foote said. As a result many have begun to ramp up their security efforts, resulting in an overall increase in demand for qualified security professionals to their highest levels after 9/11, he said.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This trend in IT security certifications pay is an indication that, finally, there is something other than government regulation that is driving business leaders to invest more in security, Foote said. &quot;The trend is not being driven by compliance and regulations. It is being driven by people saying customers are demanding more security,&quot; from the companies they do business with, Foote said.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Also pushing up the premiums for security certification is a new Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five year period, Foote said. The directive affects full- or part-time military service members, contractors, or those with privileged access to DOD information systems who are performing information assurance functions.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The two trends are creating a &quot;perfect storm&quot; in terms of pushing up premiums for IT security certifications at a time when other certification programs are commanding lower premiums than they used to, he added.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/8369074777082214928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/analisys-of-cisa-salary.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8369074777082214928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8369074777082214928'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/analisys-of-cisa-salary.html' title='Analysis of CISA Salary'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-8273611782463707336</id><published>2010-08-11T10:17:00.000-07:00</published><updated>2010-08-11T10:17:07.249-07:00</updated><title type='text'>Best Practices &amp; Controls-Accounts Receivables-2</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Receivables Monitoring..contd..&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CO: The receivables from the customer are managed within the Company’s norms &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Information on receivables is not available. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Age analysis report of receivables is generated by each Unit and forwarded to Unit Coordinators.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Days Sales Outstanding (DSO) is presented and discussed in the Monthly Sales Meeting.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CO: Timely collection of accounts receivable is monitored. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Doubtful accounts have not been appropriately identified and considered.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Accounts receivable aging reports are prepared regularly and analyzed by management.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Customer open items reports are prepared and analyzed by management. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;6.Collections...&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: The amount of cash receipts is inaccurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Accounts Manager approves the amount recorded on review. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cash receipts are recorded in the improper period.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Accounts Manager approves the amount recorded.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Cut-off procedures and close procedures are implemented. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: The entity&#39;s bank statements are inconsistent with that recorded by the bank.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Regularly reconcile recorded balances and activities with balances and activities reported by its banks. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inappropriate access to receive and record cash receipts. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Access levels are pre-defined based on clear job responsibility. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cash receipts are not protected before they are deposited. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Cash receipts are stored in a manner which protects them from physical destruction or manipulation. Backups of cash receipts are made. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;f. CO: Cash receipts are recorded in the period in which they are received. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cash receipts are not recorded in the period in which they are received. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Cash sales are recorded using a cash register. Customers are provided with a copy of the register receipt and total daily receipts per the register are balanced to cash deposited to the bank. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;g. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cash receipts are accurately calculated and recorded &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Available cash discounts are automatically calculated by the application system, using standard programmed algorithms and established terms of sale.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Cash receipts should be generated in duplicate, and a sign-off from the recipients should be taken. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;h. CO: Cash receipts are accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cash receipts do not relate to sales and/or are not recorded against the correct customer or invoice.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Reconciliation of subsidiary ledger accounts receivable and sales ledger balances to general ledger balances or other control totals on a regularly scheduled basis. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;i. CO: Cheques received are deposited promptly. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cheques and drafts may not be deposited immediately on receipt. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Cheques and drafts received are recorded in the collection register and deposited in the bank the following day. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The deposit slip is reconciled with the day&#39;s collection register. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;j. CO: Cheques received are credited to the Company&#39;s bank account in a timely manner. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cheques deposited may not be credited on time. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: The AR Team verifies the daily transaction report of the Bank to ensure all cheques deposited by are credited on time. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;k. CO: Timely accounting of Sales realizations. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Sales realizations may not be accounted for on a timely basis.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Sales collections are accounted for in the accounting system on receipt of credit in the bank account, based on the daily transaction report. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;l. CO: Export realizations are collected and accounted for on time. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Export realizations may not be accounted for immediately, resulting in overstatement of debtors. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: The AR Team sends the documents to the bank for collection through the banking channel. The Executive - AR maintains an Excel Control Sheet to ensure that the documents are sent to the bank on the due date.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Based on the Excel Control Sheet, the AR Team monitors receipt of credit in the bank on a timely basis.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Foreign exchange realizations are accounted for on receipt of the Bank Advice. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;7. Sales Return..&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Sales returns are authorized and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Acceptance of returned goods may not be authorized. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Customers are instructed to obtain authorization from responsible management prior to returning goods (i.e. RGA number) and affix the RGA number to the packing slip. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Returned goods authorizations are matched to incoming goods prior to acceptance. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Sales Return are authorized and recorded &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Returned goods transactions may not be recorded, or may not be recorded in a timely manner. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Authorizations for goods returned are matched with receiving reports and are numerically or otherwise controlled in a manner that ensures all sales returns activity has been recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Returned goods are booked in the general ledger upon receipt. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Returned goods are periodically compared to their related general ledger account balance.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Sales Returns are authorized and recorded &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Returned goods may be mishandled, misappropriated, or damaged. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Returned goods are physically segregated upon receipt (i.e. returned goods area for product inspection). Further, free issues are made against the returned goods received back in office. (An attempt should be made to avoid issuing a Cr Note.)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Access to returned goods is restricted to authorized personnel&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Returned goods are adequately protected from adverse environments (i.e. returned goods will not be mistakenly stocked into inventory).&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;8. Credit/Debit Notes&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: To ensure that the Credit notes are raised after the necessary approval&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Unauthorised discounts may be passed on to the Customer. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Customer eligibility for discount and the percentage are decided by a Committee. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: To ensure adequate approval for Credit/ Debit Notes raised &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Credit /Debit notes may not be adequately authorized &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: All credit/debit notes are reviewed by the respective Account Managers and approved by the Head of Accounts &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Credit notes and adjustments to accounts receivable are accurately calculated and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Credit notes and adjustments to accounts receivable are not accurately calculated and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Management approves credit notes, bad-debt write-offs, and other adjustments to accounts receivable.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Management monitors the nature, volume and amount of recorded credit notes, write-offs, and other adjustments to accounts receivable.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. All returned goods are logged when received. The log details items such as customers, goods, defects, inspections and assessment by quality control. Return details per the log are compared to credit notes issued to ensure that credit is issued in the correct period and in accordance with company policy. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Credit notes issued are recorded in the appropriate period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Goods returned by customers are not recorded in the appropriate period.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Credit notes issued are recorded in the wrong period, resulting in misstated receivables. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Goods returned by customers at, before, or after the end of an accounting period are scrutinized and/or reconciled to ensure complete and consistent recording in the appropriate accounting period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;9. Bad Debt Provision &amp;amp; Write-off&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Bad debts are analyzed, minimized and approved. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Bad debts may not be recognized &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Review of the debtor balances and their recoverability is done on a monthly basis by the accounts department and the related Account managers.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. A Policy should be laid down by the company describing the period after which a debt should be recognized as bad.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Any amount not recoverable as per such policy is transferred to bad debts, which is authorized by Head Accounts. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. &amp;nbsp;CO: Bad debts are analyzed, minimized and approved.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Bad debts are not formally approved and analyzed. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. The request for Bad Debts is prepared by the Sales Team which is signed by the concerned Sales Manager on review&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. The reason/ justification for Bad debts is recorded and documented on the request.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. The request for Bad Debts should be approved as per the Delegation of Authority Matrix.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;4. The copy of approved request is sent to Accounts Department to ensure adjustments in the Books of Accounts. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Bad debts are analyzed, minimized and approved. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Account write-offs may be unauthorized or improper &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: The controller’s approval is required for all write-offs of uncollectible receivables, and the write-off for uncollectibility is against the reserve for bad debt. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Accounts written off are periodically reviewed for subsequent collectibility. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Bad debt provisions are adequate &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: The provision for uncollectible accounts receivable may be inappropriate.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Specific criteria are used in determining the appropriate level of bad debt reserve (historical trends, specific problems, industry experience, etc.). &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Accounts receivable are aged and reviewed by Accounting personnel on a regular basis (i.e., Independent of Credit). Overdue accounts are promptly investigated. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. The adequacy of the bad debt reserve is analyzed at least quarterly and reviewed by management &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e. CO: Account write offs are approved by appropriate management &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Accounts may be inappropriately written off &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Accounts and notes receivable, disputed items &amp;amp; bad debts written off and recoveries of bad debts are reviewed by appropriate management&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Reports of all provisions and write-offs are reviewed by an appropriate independent employee&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Access to effect write offs of customer accounts is appropriately restricted to authorized personnel &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;10. Revenue recognition&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Corporate Accounting Policies &amp;amp; Procedures for revenue recognition are adhered to.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Revenue may not be recognized in accordance with Corporate Accounting Policies/Procedures &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Detailed policies and procedures exist governing the recognition of revenue and include reference to Indian GAAP and are updated on a timely basis and distributed. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: New product introduction - Incentives are appropriately considered for revenue recognition implications &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Incentives provided for new product introductions are not appropriately considered for revenue recognition implications &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Unusual transactions and/or new contracts may not be reviewed for revenue recognition implications &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Procedures exist to ensure review and approval of new or modified sales terms and contracts by commercial, accounting, and legal personnel.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;New contracts and/or unusual transactions are reviewed by Finance for appropriate accounting treatment. A process to generate exception reports relating to unusual transactions should exist. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Sales returns provision is recorded in accordance with provisions of Indian GAAP &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: A provision for sales returns may not be appropriately calculated and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: A reserve for sales returns is recorded in accordance with Corp. Policy.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Reserve calculations are reviewed and approved by appropriate individuals on a periodic basis using up-to-date information. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Promotional/sales incentive programs are approved by Management and reviewed by Finance for revenue recognition implications. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Incentives provided for new product introductions are not appropriately considered for revenue recognition implications &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Promotional programs are reviewed and approved by appropriate senior financial, marketing and general management based on designated authority levels prior to implementation (the amount approved is based on total financial impact of discounts, extension offers etc.) &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e. CO: Revenue is only recognized once title and risk of loss have been transferred to the customer. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Revenue may be recognized before title and risk of loss have transferred to the customer &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Shipping terms are clearly defined. (Typically these are FOB Destination or FOB Shipping.)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Management has reviewed sales contracts (terms &amp;amp; conditions) to determine when title and risk-of-loss have transferred and revenue is not recognized until the risk &amp;amp; rewards are transferred. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;f. CO: Other income is properly recorded and classified &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Gains on sales of assets or up front payments received from distributors may be incorrectly recognized and classified &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Procedures exist to record gains on sales of assets net of the asset book value in &quot;Other Income&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Procedures exist to record up-front payments received as part of distributor agreements as &quot;Other Income&quot; over the life of the contract. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;g. CO: Revenue is only recognized for sales on credit when collectibility is reasonably assured &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Revenue may be recognized when collectibility is not reasonably assured.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Procedures exist for credit &amp;amp; collections personnel to identify customers in bankruptcy and inform finance. The recognition of revenue is deferred until the goods are paid for or collection is otherwise reasonably assured. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;h. CO: Sales are periodically evaluated to determine whether they should be accounted for as consignment sales. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Sales which represent consignment sales may be improperly recognized as revenue.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: An analysis is periodically performed by the Appropriate Authority to determine whether sales should be accounted for under the consignment method. (Circumstances which should be evaluated include when shipments were a result of incentives, shipments would cause excess inventory levels relative to the wholesaler&#39;s ordinary course of business inventory level, where the Company would extend incentives based on levels of excess inventory in connection with future purchases and where incentives would cover substantially all, and vary directly with, the wholesaler&#39;s cost of carrying inventory in excess of wholesaler&#39;s ordinary course of business inventory level). &lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/8273611782463707336/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/best-practices-controls-accounts_11.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8273611782463707336'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8273611782463707336'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/best-practices-controls-accounts_11.html' title='Best Practices &amp; Controls-Accounts Recievables-2'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-3316306159719325145</id><published>2010-08-11T10:00:00.000-07:00</published><updated>2010-08-11T10:00:55.047-07:00</updated><title type='text'>Best Practices &amp; Controls-Accounts Recievables</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;For All..&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;In this topic I will try to list the basic Control Objectives (CO), Risks (RS) and Controls (CN) under an Accounts Receivable Function/Process.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Do share your views also.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Customer Master Database Maintenance&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: User access to the database should be appropriately restricted.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Unauthorized access or changes to financial and operational data.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Access to the database is administered by the Database administration group. Forms are required with approvals from the individual&#39;s manager and the owner of the data. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Changes in the database are approved and input completely and accurately.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Unauthorized changes to the financial and operational data&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: An appropriate official approves changes made to data, prior to input. Each change must be supported by sufficient documentation.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;A one-to-one check of changes to the data is performed by comparing post-input/update reports to the change source documents for completeness and accuracy. Discrepancies are resolved and the re-entered data is subject to the same control.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;For changes to certain types of critical data and/or changes outside certain parameters, the system produces a report of these changes, which is forwarded to management for their review. Acceptance of these changes by the system is dependent upon management review of supporting documentation and approval. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Adequate segregation of duties is maintained&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Unauthorized changes to the financial and operational data&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Segregation of duties to be maintained between the updation of data and the maintenance of data. Exceptions noted are to be investigated and resolved. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&amp;nbsp; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Data is kept current and updated.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Incorrect processing of the transactions&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: System generated report detailing records not accessed over a period to be reviewed periodically by the Database Administrator in consultation with the Process Owner &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Credit Policy &amp;amp; Credit Control...&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Credit Policy is in place for all the Customers based on various financial and non financial factors &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Credit Policy not defined for various customers &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Credit Policy is in place for all the customers. The policy defines the credit period and payment terms for all the domestic and International customers.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Credit Policy is Approved &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Credit Policy is not approved as per the Delegation of Power&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Credit Policy is approved as per Delegation of Power &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Credit limit revision and extension are approved &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Unapproved credit limit resulting in bad debts or delays in collection &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Credit Limit shall be unfrozen as per Delegation of Authority Matrix. Any extension of Credit period is approved as per Delegation of Authority Matrix. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Sales Order Generation&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Customer orders received are duly acknowledged &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Non acknowledgment of the receipt of customer order may result in unsatisfied customer &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Acknowledgment of receipt of customer order to be sent immediately by Sales Manager on receiving the Customer Order &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Delivery schedule is finalized and communicated to the customer on a timely basis &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Non confirmation of the delivery schedule (dispatches) to the customer may result in cancellation of sales order &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Delivery schedule to be confirmed by the Sales Manager within XX days of receipt of Customer Order by the Sales Team. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: &quot;Customer Order is entered completely and accurately&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Sales terms and prices are approved.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: The products, quantity, selling price, payment terms or shipping address included in the Customer order are incorrectly entered in the system. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Sales Orders generated from the system are reviewed for price, quantity and billing/delivery address by the Sales Team and Sales Head against the Customer Order and Approved Price List. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Further, Sales Orders over a set threshold require approval by management as per SOA before acceptance by the system. In the absence of an approval, a suspense file is created that is reviewed by management for clearance on a regular basis. (This additional control ensures that Sales Order input above a specific value is correct and accurate.)&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&amp;nbsp;d. CO: &quot;Customer Order is entered completely and accurately&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Sales terms and prices are approved.&quot;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Single customer order may be entered in the system multiple times &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Edit checks exist within the system that reject the input of a customer order number that was already entered. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Rejects are placed into a suspense file where they are researched, reviewed and re-entered (if necessary) on a timely basis.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CO: Customer Orders with cash terms are accurately processed &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Customer Order may be processed without the receipt of cash &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;The Sales Team reviews the cash receipt before approving the processing of the Customer Order.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) In a manual system, cash payment orders are reconciled with payments received on a regular basis. Management reviews and investigates unrecognized differences that exceed acceptable cash payment cycle deviation.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) In an automated system, no invoice or dispatch document should be issued from the system without generation of a Cash Receipt; any deviation is escalated for approval as per SOA&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e. CO: Customers&#39; credit limits are controlled. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Sales Order is processed for customers not entitled to credit limit or who have exceeded their limits &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Credit limits are established as part of accepting new customers. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) In a manual system, the Sales Orders and outstanding receivables are compared to the established credit limit before a new order is processed. Orders in excess of the credit limit are stored in a suspense file to be resolved on a timely basis.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) In an automated system, invoice and dispatch documents should not be generated if the sale value exceeds the credit limit. Any deviation is to be approved as per SOA.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;f. CO: Sales to fictitious customers (on credit) are prevented and detected.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Order is processed for a Customer outside the Database &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;System does not accept Sales Order entry relating to a Customer who does not appear in the Database.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Rejects are placed into a suspense file where they are researched, reviewed and re-entered (if necessary) on a timely basis.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;g. CO: Only appropriate users can enter Sales Order. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inappropriate access to Sales Order systems. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Access levels are pre-defined based on clear job responsibility.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Independent periodic review by management of &quot;Access Levels Rights&quot;&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;i. CO: All valid orders are processed and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Back orders are not fulfilled. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Policy and procedures are in place to log, track and monitor back orders. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Sales orders are pre-numbered and their sequential order is monitored by the Sales Team &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;i. CO: Cancellations of orders are processed and recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Cancellations of orders are input inaccurately. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Cancellation data is matched to the Original Order and approved by the Sales Head &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Invoice Generation and Dispatch&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Deliveries are recorded in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Backlog orders are not properly monitored. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Unfulfilled orders are monitored on a regular basis by the Sales Executive&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: Deliveries are recorded accurately and completely. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inventory is incorrectly recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;The shipping system automatically generates work orders or inventory “pick” documents based on feeds from the sales order system. Edit checks against the sales order system ensure that these documents are complete and accurate.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The work orders or inventory “pick” documents are sequentially numbered and accounted for. A manual or system check is performed to ensure that the numerical sequence of these documents is maintained. All rejected, suspense, or missing items are researched, corrected and re-entered on a timely basis.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Sales are recorded in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Deliveries are recorded prematurely or in the incorrect period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Upon transfer of the shipment to the carrier, the shipping document is noted as “released/shipped” in the shipping system. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The system should also not allow the predating of the shipping documents. (Note all shipments are FOB shipping point.) This notation includes the date and time of release.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Further, periodic physical verification must be undertaken by a team independent of sales, dispatch and shipping to reconcile physical stock as per system stock.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Sales are recorded in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Delivery is made in an improper reporting period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Deliveries during the period are reconciled to sales on a regular and frequent basis by a team independent of sales, dispatch and shipping to ensure that sales revenue is recognized in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e. CO: All work orders or shipments of goods are input for processing. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Work orders are incomplete or missing. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: On a daily basis, a system report of all open work orders or inventory “pick” documents is provided to the shipping department manager. All items are investigated and resolved as appropriate. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;f. CO: Postings made to cost of sales and/or inventory in the general ledger are correct. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Incorrect posting of COGS and Inventory &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Based on the date and time of shipping, the shipping system then appropriately updates inventory/COGS accounting records based on quantities shipped (partial shipment of orders is permitted). If a partial order is shipped, the remaining items are held in the shipping system as open work orders or inventory “pick” documents. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;g. CO: Only appropriate users can enter delivery of goods. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inappropriate access to delivery systems. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Access levels are pre-defined based on clear job responsibility.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Independent review by management should also be done.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;i. CO: Sales invoice is generated for every approved shipment and recorded in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Shipments may not be billed, or may not be billed timely.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Upon approved release of a shipment from the warehouse, the system automatically produces invoices with the same date. Shipping dates cannot be modified without approval by the appropriate levels of management. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&quot;Invoices are sequentially pre-numbered and accounted for. A check is performed to ensure documents are not missing or duplicated and do not fall outside of a specified range of numbers. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;All rejected, suspense, or missing items are researched, corrected and re-entered on a timely basis.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;j. CO: Invoices generated represent the actual goods shipped. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Billings may be inaccurate or incomplete.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;A team independent of sales, dispatch and shipping reconciles the invoices generated for the day with the total shipments per the shipping system. A check is performed to ensure data is not duplicated and does not fall outside a specified range of numbers. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis. &quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;k. CO: Price, amount, and other information on the invoice are correct. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Billings may be inaccurate or incomplete.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;The system validates invoice data input (for example, customer name and number, pricing, amounts and other information) against approved data and the sales order input in the system. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Invalid data is rejected for re-entry or stored in a suspense file where it is researched, corrected and re-entered on a timely basis to ensure completeness.&quot;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&quot;Management&#39;s approval is required for discounts and allowances in excess of predefined limits. Invoicing personnel examine the sales order for evidence of appropriate approval before input. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The lack of approval creates a suspense file that is reviewed by management for clearance on a regular basis. &quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;l. CO: Duplicate recording of invoices is prevented. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Duplicate sales invoices are generated and billed &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;A system check is performed to ensure invoice numbers are not duplicated and do not fall outside a specified range of numbers. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;m. CO: Correct postings are made to sales and receivables and are recorded in the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inaccurate, incomplete and untimely recording of Sales &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Upon approved release of a shipment from the warehouse, the invoices are approved by the Logistic Team in the system. The invoicing system then appropriately updates sales/receivable accounting records. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;o. CO: The calculation and application of tax amounts on invoices is accurate. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Taxes and duties may be incorrectly computed and recorded &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: The Excise Duty, sales tax, goods and services tax, and / or value added tax tables are updated accurately in the system. The system automatically calculates the tax amounts. Management reviews tax calculations for accuracy. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;p. CO: Correct goods are shipped and accurately recorded. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: &quot;Incorrect quantities may be shipped&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Shipments made may not be properly (accurately &amp;amp; completely) recorded&quot;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Shipments are subjected to dual counts (picking &amp;amp; packing) and these counts are evidenced in writing&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Physical safeguards are in place at the loading dock and at the gate exit points.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Shipments are recorded in the system by a person independent of the picking &amp;amp; packing.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Shipment documents (bills of lading) are signed by carriers indicating acceptance of quantities shipped.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Access to alter shipping information or initiate shipments is restricted to personnel outside of the shipping function&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;4. Contract Management&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a. CO: Distributor arrangements have to be adequately monitored &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inadequate review of new and modified contracts (including distributor arrangements) resulting in improper revenue recognition &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Distributor arrangements should be adequately reviewed by the Finance Manager &amp;amp; monitored regularly for appropriate revenue recognition &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;q. CO: New sales contracts as well as contract modifications are properly reviewed for appropriate accounting treatment, prior to execution. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Inadequate review of new and modified contracts (including distributor arrangements) resulting in improper revenue recognition &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Standard contracts are developed and reviewed by the Finance &amp;amp; Legal function to ensure that they are in accordance with GAAP&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Exceptions from standards must be approved by Finance for revenue accounting implications, prior to execution. Factors to consider include: existence of multiple elements, incentives, pricing and discounts, installations, price protection provision, customer acceptance and guarantees.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Establish materiality threshold over which revenue contracts must be reviewed and approved by designated levels of Sr. Management prior to committing the Company&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Non-standard contract terms should be reviewed for administrative feasibility by Operations/Finance and communicated to those responsible for implementation and follow-up (e.g. pricing, credit line, terms and conditions, etc.).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c. CO: Sales Contracts are standardized and must be clear and legally enforceable. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Sales contracts may be unenforceable, resulting in loss to the Company&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Legal counsel should review contracts where appropriate to assure that the contract is correct and appropriate and the Company is not exposed to unnecessary liabilities.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Standardized or clearly defined contract terms and conditions&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Approval and communication process for non-standard terms and conditions&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Contractual remedies are specified&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d. CO: Only written sales contracts signed between the company and customer are recognized as official. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Side arrangements may result in the original contracts being rendered unenforceable, and may also impact the company&#39;s ability to recognize revenue &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Final contract reflects the main points of negotiated customer proposal, including all negotiated terms&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Final contracts agreed between customer and the Company should be signed.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Procedures should exist which restrict side arrangements (whether oral or written) from being entered into or recognized by the company&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Communicate with sales personnel (i.e. through training and formal policy) to avoid issuing unauthorized side agreements and similar instruments that undermine the intent of the original contract, e.g. promise of future product, price protection arrangement.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Procedures for disciplinary action to be taken when a side agreement is identified.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;f. CO: All new contracts and changes to contracts are reviewed and approved before being executed and input into the contract system. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: &quot;Amendments from standard contracts have not been approved.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Sales contracts and pricing may not be adequately evaluated and authorized prior to execution&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: &quot;Procedures are in place requiring various levels of approval prior to contract execution and input into the contract system&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Formal procedures exist which specify the levels of management that may commit the company to the performance of a contract.&quot;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&quot;Access to effect changes to contracts in the contracting system is limited to appropriate personnel (who have no responsibility for order entry or maintenance of customer accounts receivable).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;All changes/additions made within the contracting system are subject to independent review through use of numerically or date controlled edit reports.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;All contracts with any amendments are forwarded to Legal.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Legal consults with management, external counsel, and external auditors as needed for feasibility of terms.&quot; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;5. Receivable monitoring&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a.&amp;nbsp;CO: The receivables from the customer are managed within the Company’s norms &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Collection targets are not determined. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: Collection targets are prepared by the Sales Team every month by the 7th (ideally), based on the previous month&#39;s closing balance and first week sales&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The credit period has been kept at XX days for all Customers.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Security Deposits are obtained from all Distributors to minimize the impact of any default by a distributor. The extent of security deposit to be received is spelt out in the Sales policy document; exceptions are escalated for approval as per SOA.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The Security Deposit is revised every year based on the revised allocation. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b. CO: The receivables from the customer are managed within the Company’s norms&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;RS: Customers are not encouraged to pay earlier than credit period &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CN: The Company provides Early Payment Incentive to its Customers to encourage payment prior to due date. A process to identify and accrue early payment discounts if not adjusted with payment exists.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Delayed payment charges (DPC) are charged to the distributor for any delay in receipt of payment. DPC terms are clearly mentioned in the Customer Contract and in the printed copy of Invoices. &lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/3316306159719325145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/best-practices-controls-accounts.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3316306159719325145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3316306159719325145'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/best-practices-controls-accounts.html' title='Best Practices &amp; Controls-Accounts Recievables'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-7277264737471969893</id><published>2010-08-11T09:29:00.000-07:00</published><updated>2010-08-11T09:29:02.125-07:00</updated><title type='text'>Brief information about components of COSO</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Control Environment- sets the tone of an organization, influencing the control consciousness of its people. It is the foundation of all other components of internal control, providing discipline and structure.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Risk Assessment- is the entity’s identification and analysis of effective risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Control Activities- are the policies and procedures that help ensure that management’s directives are carried out.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Information and Communication systems- support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Monitoring- is the process that assesses the quality of internal control performance over time. &lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/7277264737471969893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/brief-information-about-components-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7277264737471969893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7277264737471969893'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/brief-information-about-components-of.html' title='Brief information about components of COSO'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-5089758051557743245</id><published>2010-08-11T09:28:00.000-07:00</published><updated>2010-08-11T09:28:03.206-07:00</updated><title type='text'>An Overview of the COSO</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Why an internal control framework?&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Section 404 of the Sarbanes-Oxley Act requires management to file an annual internal control report which should include:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;A statement identifying the framework used by management as criteria for evaluating the effectiveness of internal control&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;If you fail to select a control framework, it will be almost impossible for an external auditor to attest to management’s assertion on the effectiveness of the internal controls and procedures for financial reporting.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;If the company doesn’t adopt an internal control framework, there are no criteria against which the company or the independent auditor can measure effectiveness. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;“You have to pick the set of rules that you want to play by or the independent auditor can’t referee the game” &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Control Frameworks&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;COSO – Internal control-integrated framework developed by the Committee of Sponsoring Organizations of the Treadway Commission and sponsored by the AICPA, FEI, IIA and others. This is the most dominant control model in the US. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;CoCo – The control model developed by the Criteria of Control Committee of the Canadian Institute of Chartered Accountants. CoCo focuses on behavioral values rather than control structure procedures as the fundamental basis for internal control in a company. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Turnbull Report – Internal Control: Guidance for Directors on the Combined Code developed by the Committee on Corporate Governance of the Institute of Chartered Accountants in England &amp;amp; Wales, in connection with the London Stock Exchange. The Turnbull Report required companies to identify, evaluate and manage their significant risks and to assess the effectiveness of the related internal control system. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;ACC – Australian Criteria of Control developed by the Institute of Internal Auditors – Australia, emphasizes the competency of management and employees to develop and operate the internal control framework.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The King Report – Released by the King Committee on Corporate Governance, promotes high standards of corporate governance in South Africa. The King Report goes beyond the usual financial and regulatory aspects of corporate governance by addressing social, ethical and environmental concerns. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;COSO identifies five components of internal control that need to be in place and integrated to ensure the achievement of each of the objectives. Such components are:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Control Environment&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Risk Assessment&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Control Activities&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;4. Information and Communication&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;5. Monitoring &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO..Control Environment&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Control Environment sets the tone of an organization influencing the control consciousness of its people. It is the foundation for the other COSO Components, providing discipline and structure.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Its main fundamentals and requirements are:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Integrity and Ethical Values: Objectives are achieved based on preferences, value judgments and management style. These preferences and judgments, which are translated into standards of behavior, reflect management’s integrity and commitment to ethical values.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Commitment to Competence: Knowledge and skills needed to accomplish tasks are critical in defining individual job responsibilities.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Board of Directors or Audit Committee: An active and involved Board / Audit Committee is critical to effective internal control.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;4. Management Philosophy and Operating Style: Affects the way the enterprise is managed, including the kind and degree of business risks accepted. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;5. Organizational Structure: Provides the framework within which its activities for achieving an entity’s objectives are planned, executed, controlled and monitored.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;6. Assignment of Authority and Responsibility: The degree to which employees and teams are encouraged to use initiative in addressing issues and solving problems.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;7. Human Resource Policies and Practices: Activities and mechanisms for communicating to employees regarding expected levels of integrity, ethical behavior and competence. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO..Risk assessment&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Risk Assessment involves identification and analysis of relevant risks – internal and external -- for achievement of objectives, forming a basis for how risks should be managed.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Objectives: Objective setting is a precondition to assessing risk and provides the measurable targets toward which the entity moves in conducting its activities. Objectives can be explicitly stated or implicitly known, and are established at all levels of an entity.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Risks: Identifying and analyzing risk is an ongoing iterative process. Focus on effective risk management should be performed at all levels of an entity.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3. Managing Change: Mechanisms are in place to anticipate, identify and react to changes that may have a dramatic and pervasive effect on the entity, or may affect achievement of entity or process / application-level objectives. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO..Control Activities&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Control Activities involve policies, procedures and business disciplines that help ensure management directives are carried out, and that necessary actions are taken to address the organization’s risks.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1. Types of Control Activities: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) Top Level Reviews – Actual vs. budget, tracking of major initiatives, monitoring of new product development, etc.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) Direct Functional or Activity Management – Management review of performance reports.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c) Information Processing – Checking for accuracy, completeness and authorization of transactions.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d) Physical Controls – Equipment, inventories, securities, cash, etc.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e) Segregation of Duties – Division of duties among different employees to reduce the risk of error or inappropriate activities.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2. Information Systems&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) General Controls – Data center operations, system software, access security, application system development.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) Application Controls – Application processing, completeness/ accuracy of transaction processing, authorization and validity. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO..Information &amp;amp; Comm&#39;n&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Information &amp;amp; Communication involves identification, capture and communication of pertinent information in a form and timeframe that enables employees to carry out their duties.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Information: Information is needed at all levels of an organization to support achievement of an entity’s objectives. Quality of Information should be:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) Appropriate content&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) Timely&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c) Current&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;d) Accurate&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;e) Accessible&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Communication: Communication – internal and external -- takes place in a broader sense than the dissemination of information, and carries with it implicit undertones regarding expectations, importance and responsibilities. Effective Communication should be:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) Empowered &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) Open and honest&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;c) Flows up, down and across the entity &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Components of COSO: Monitoring&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Monitoring assesses the quality of internal control performance over time.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Types of monitoring are:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1) On-going Monitoring: Activities that serve to monitor internal control in the normal course of business. Examples:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Reconciliations and data comparisons&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Exception reporting&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Communications from internal and external parties&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Organizational structure for overseeing normal transaction processing&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2) Separate Evaluations: Activities that serve to monitor internal control outside the normal course of business.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;a) Scope and Frequency – Evaluations of internal control will vary in scope and frequency based on risk significance and importance of the control(s) in managing the risk.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;b) Who Evaluates? – The effectiveness of separate evaluations will depend upon “who” is performing the evaluation and what level of support they have.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3) Reporting Deficiencies: Conditions within an internal control system worthy of attention. In evaluating an entity’s process for reporting deficiencies, consideration should be given to the sources where information is received, what is being reported and to whom it is being reported. &lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/5089758051557743245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/overview-of-coso.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/5089758051557743245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/5089758051557743245'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/overview-of-coso.html' title='An Overview of the COSO'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-7277987792795294626</id><published>2010-08-11T08:45:00.000-07:00</published><updated>2010-08-11T08:45:49.920-07:00</updated><title type='text'>Life sucks as an auditor</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt; &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Given the volume of people leaving the firms for greener pastures, I started thinking about the reasoning behind why people at different levels within the firm leave. So let&#39;s give this a shot...&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;1) First year associate - You go, WTF is this job? You realize that this is not the career or field, let alone the job, for you. You realize your calling is nursing, teaching in an elementary school, running a store, or something on those lines. This is when you leave, or should leave.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;2) Second year-third year associate - You complete two years at the firm. You cannot deal with the hours, and your main priority is a good work-life balance. You&#39;d rather be an accountant at a company, and have your own desk and 9-5 hours. This is when you leave, or should leave.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;3) First senior associate year - You now have senior year under your belt. You probably have your CPA by now. The offers are pouring in. You hate the salary you&#39;re getting paid. You went through a really difficult year and start to hate some of your managers. You want out. You get an offer paying 8-12k more, with something called bonuses given to you on a periodic basis. You don&#39;t mind working from 8:30-6:30 or so. More specialized positions like revenue recognition accountant come into play. This is when you leave.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;4) Second senior associate year - You put in your time at the firm. You know you do NOT want to be a manager at the firm. You realize that if you stay one more year, you&#39;ll end up staying for two. You don&#39;t think you can deal with this kinda life anymore. Friends around you are dropping like flies. You think about leaving once a week. You go through a range of emotions, going back and forth between leaving and staying. You give interviewing a shot. You decide that if you don&#39;t like any positions out there, you&#39;re staying. A combination of a catalyst event happening at work (work till midnight for a couple days) and an intriguing job offer make you leave.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;5) Third year senior associate - You&#39;re this close to becoming a manager. You are pushed to the limits at work. Your salary is absolutely ridiculous for the amount of work you do. All your friends in the private sector are making more than you doing way less work. You wonder if waiting out a few months to make manager is worth it. Your mind&#39;s telling you to wait it out since it will be worth it in the long term. But you get an offer that might be the same as when you make manager, and you do not want to let this slip by. This is when you leave. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;6) Manager year (1st and 2nd) - Holy heck, what just happened. You&#39;re over-worked, frustrated, and stressed out. But you have the mgr year under your belt. There is no reason to stay, unless you don&#39;t know what to do, or you want to be in audit. Assistant controller and controller positions come pouring in. You jet.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;7) Manager year (3rd-4th) - You could become a senior manager. Maybe you can wait it out and get that title. But your personal life comes into play. Marriage and kids come into play. Your significant other wants more time if you&#39;re a guy, and if you&#39;re a girl, kids make staying not worth it. You jet for a good job with decent hours so you have a life and spend time with your family.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;8) Senior manager - You realize your chances of making partner are less than 20%. It&#39;ll take you time to check your ego, but it hits you finally. This is when you leave. (Except I don&#39;t get why you don&#39;t leave. I really don&#39;t. Don&#39;t you know by now you won&#39;t make partner? Maybe it&#39;s that 20% chance that makes you hang on).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;9) Partner - Retire. CFO/Director position. Forced early retirement. That&#39;s it. You&#39;ve hit the holy grail in the accounting field, and are set for life, so why bother leaving.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/7277987792795294626/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/life-sucks-as-auditor.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7277987792795294626'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7277987792795294626'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/life-sucks-as-auditor.html' title='Life sucks as an auditor'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-8651927520504589945</id><published>2010-08-10T07:57:00.000-07:00</published><updated>2010-08-10T07:57:22.624-07:00</updated><title type='text'>Reducing risks on big projects</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Big projects (&amp;gt; 1 Million) have too many unknowns. The secret in managing Big projects is to be proactive about knowing what your unknowns are and planning enough room for managing the unknowns. This is the biggest challenge.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Passive management on big projects is a guaranteed recipe for failure.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;In the internet startup business this philosophy doesn’t have too many followers. The idea there is to let the business grow organically and let the project be managed based on the demands. Twitter is a good example of that: a concept grew organically very fast and the team behind it had to scale the systems based on the demand.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;A Canadian company http://localads.org is planning to do the same thing by organically growing a unique concept and taking on the classifieds industry.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;How far the concept will be accepted remains to be seen.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/8651927520504589945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/reducing-risks-on-big-projects.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8651927520504589945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8651927520504589945'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/reducing-risks-on-big-projects.html' title='Reducing risks on big projects'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-8911874406206397231</id><published>2010-08-09T10:08:00.000-07:00</published><updated>2010-08-09T10:08:34.398-07:00</updated><title type='text'>Scope Of An Audit</title><content type='html'>&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;What does it mean?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;The term “scope of an audit” refers to the audit procedures that, in the auditor’s judgment and based on the ISAs, are deemed appropriate in the circumstances to achieve the objective of the audit. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;- Audit opinion &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;- Reasonable assurance &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;- Sufficient appropriate audit evidence &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;- Audit procedures (based on ISAs) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;Audit-Evidence: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;It is obtained by applying necessary audit procedures. Audit procedures should be based on requirements of ISAs, relevant professional bodies, legislation, regulations, and the terms of the audit engagement and reporting requirements. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;Auditing is concerned with the verification of accounting data and with determining the accuracy and reliability of accounting statements and reports. Verification does not mean seeking proof or absolute certainty in connection with the data and reports being audited. It means looking for sufficient evidence, and what counts as sufficient depends on what experience and knowledge of contemporary auditing standards tell one is satisfactory. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;An auditor obtains audit evidence regarding management’s assertions for the following areas: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;a. Existence: an asset or liability exists at the Balance Sheet date. This is an obvious assertion with such items as land and buildings, stocks and others. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;b. Rights and obligations: an asset or liability pertains to the entity at the Balance Sheet date. This means that the enterprise has for example ownership of an asset. Ownership as an idea is not simple and there may be all sorts of rights and obligations connected with a given asset or liability. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;c. Occurrence: a transaction or event took place which pertains to the enterprise during the relevant period. It may be possible for false transactions (e.g. sales or purchases) to be recorded. The assertion is that all recorded transactions actually took place. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;d. Completeness: there are no unrecorded assets, liabilities, transactions or events or undisclosed items. This is important for all accounts items but is especially important for liabilities. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;e. Valuation: an asset or liability is recorded at an appropriate carrying value. Appropriate may mean in accordance with generally accepted accounting principles, the Companies Act rules, Accounting Standards requirements and consistent with statements of accounting policies consistently applied. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;f. Measurement: a transaction or event is recorded at the proper amount and revenue or expense allocated to the proper period. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;g. Presentation and disclosure: an item is disclosed, classified and described in accordance with the applicable reporting framework. For example, fixed assets are subject to the Companies Ordinance rules and to IAS 16. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;An example: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;We will look at an item in a balance sheet, bank overdraft Rs. 10,250. In reporting this item in the balance sheet, the directors are making these assertions: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;a. That there is a liability to the company’s bankers. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;b. That at the balance sheet date this liability was Rs. 10,250. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;c. That this amount is agreed by the bank. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;d. That the overdraft was repayable on demand. If this were not so, it would not appear amongst the current liabilities and terms would be stated. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;e. That the overdraft was not secured. If it were secured this fact would need to be stated. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;f. That the company has the authority to borrow from its Memorandum and Articles. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;g. That a bank reconciliation statement can be prepared. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;h. That the bank is willing to let the overdraft continue. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;Trebuchet MS&amp;quot;, sans-serif;&quot;&gt;If no item ‘bank overdraft’ appeared in the balance sheet, it would represent an assertion by the directors that no overdraft liability existed at the balance sheet date.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/8911874406206397231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/scope-of-audit.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8911874406206397231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/8911874406206397231'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/scope-of-audit.html' title='Scope Of An Audit'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-7688437288804746124</id><published>2010-08-09T10:01:00.000-07:00</published><updated>2010-08-09T10:01:29.977-07:00</updated><title type='text'>Basic IT Controls</title><content type='html'>&lt;object style=&quot;BACKGROUND-IMAGE: url(http://i1.ytimg.com/vi/XHuPkkIi6HA/hqdefault.jpg)&quot; width=&quot;480&quot; height=&quot;295&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/XHuPkkIi6HA&amp;amp;hl=en_US&amp;amp;fs=1&quot;&gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot;&gt;&lt;param name=&quot;allowscriptaccess&quot; value=&quot;always&quot;&gt;&lt;embed 
src=&quot;http://www.youtube.com/v/XHuPkkIi6HA&amp;amp;hl=en_US&amp;amp;fs=1&quot; width=&quot;480&quot; height=&quot;295&quot; allowscriptaccess=&quot;never&quot; allowfullscreen=&quot;true&quot; wmode=&quot;transparent&quot; type=&quot;application/x-shockwave-flash&quot;&gt;&lt;/embed&gt;&lt;/object&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/7688437288804746124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/basic-it-controls.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7688437288804746124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7688437288804746124'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/basic-it-controls.html' title='Basic IT Controls'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-6887890478207450194</id><published>2010-08-09T09:47:00.001-07:00</published><updated>2010-08-09T09:47:48.071-07:00</updated><title type='text'>Key Traits of a Successful IT Auditor</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Ability to dig into technical details without getting lost in those details. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job; you need people who can really think through a process or technology and frame up the risk to the company.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson&#39;s terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Willingness not to be touching a specific technology daily. It&#39;s important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won&#39;t be acting as the administrator of a production Unix box, managing routers, etc.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/6887890478207450194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/key-traits-of-successful-it-auditor.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/6887890478207450194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/6887890478207450194'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/key-traits-of-successful-it-auditor.html' title='Key Traits of a Successful IT Auditor'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-1214130043391775893</id><published>2010-08-09T09:43:00.000-07:00</published><updated>2010-08-09T09:43:04.431-07:00</updated><title type='text'>Why Are We Here? (The Internal Audit Department&#39;s Mission)</title><content type='html'>&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Before we can develop an effective internal audit department, we must first come to an understanding of the department&#39;s purpose. Why does the internal audit department exist? What&#39;s the end goal?&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Is our purpose to issue reports? To raise issues? To make people look bad? To show how smart we are and how dishonest, incompetent, and corrupt the rest of the company is? To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors? Hopefully, it&#39;s obvious that none of these are the right answer. Sadly, though, you will find that many (perhaps most) internal audit departments function as if one or more of these items are the answer. Many audit departments spend their existence in adversarial relationships with the rest of the company, keeping themselves comfortably removed from and &quot;independent&quot; of everyone else. Unfortunately, such departments are missing the point and failing to realize the potential benefits that they could be providing to their companies.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Most audit departments were formed by the company&#39;s audit committee (a subset of the board of directors) for the purpose of providing them with independent assurance that internal controls are in place and functioning effectively. In other words, the audit committee wants a group that it can trust to be objective enough to tell it if there is anything the committee should be worried about. The committee wants to have someone it can trust to tell it what&#39;s &quot;really going on&quot; in the company. The committee wants someone it can trust to turn in all the evildoers in the company who refuse to implement internal controls. Internal audit departments usually report directly to the chairman of the audit committee, so they feel protected from blowing the whistle on the hordes of dishonest managers who surely have infested the company.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;We cannot lose sight of this very important function. Despite the levity in the preceding paragraph, it is absolutely essential that the audit committee have eyes and ears within the company that can tell it what, if anything, it needs to be worried about. This is critical for the committee&#39;s ability to function and serve the company&#39;s shareholders. It also should be noted that most companies&#39; audit departments dual report to an executive within the company, such as the chief executive officer (CEO) or the chief financial officer (CFO). We&#39;ll discuss later some implications of this reporting relationship, but for now, let&#39;s agree that this indicates that senior management is interested in the state of the company&#39;s internal controls, just like the audit committee. Therefore, I think we can comfortably establish that one of the internal audit department&#39;s key functions is to provide an objective body that the audit committee and senior management can go to, to find out if there&#39;s anything bad going on in the company from an internal control perspective. From an IT perspective, this means that the audit committee and senior management want to be able to ask such questions as, &quot;Are our firewalls really secure?&quot; and &quot;Is our plan to collaborate and share networks with our biggest rival going to expose us to any security concerns?&quot; and believe that they will get an honest answer.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Therefore, can we say that the function of the internal audit department is to report internal control issues to the audit committee and senior management (or provide them with assurance that there are no issues)? The answer is, &quot;Sort of.&quot; This is certainly an important role for the audit department to play. However, if we stop there, we are not getting the whole picture. We haven&#39;t totally missed the boat; it&#39;s more like we showed up as the boat was pulling away from the dock, jumped to catch it, and currently are hanging from the outside railing, holding on for dear life.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;But why are we really here? What&#39;s the value of reporting issues? Merely reporting issues accomplishes nothing, except to make people look bad, get them fired, and create additional hatred of auditors. The real value comes when issues are addressed and problems are solved. In other words, reporting the issues is a means to an end. In this context, the end is to improve the state of internal controls at the company. Reporting them provides a mechanism by which the issues are brought to light and therefore receive the resources and attention needed to fix them. If I tell senior management that I discovered a hole in the wall of our most important data center, it may help in my goal of making myself look good at the expense of others, but the hole is still there, meaning that the company is still at risk. It&#39;s only when the hole is patched that I&#39;ve actually done something that adds value to the company (and that&#39;s only if the company wasn&#39;t already aware of and planning to fix the hole prior to my audit).&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Therefore, the real mission of the internal audit department is to help improve the state of internal controls at the company. Admittedly, this is accomplished by performing audits and reporting the results, but we must remember that these acts provide no value in and of themselves. They only provide value when the internal control issues are resolved. This is an important distinction to remember as we develop our approach to auditing and, most important, to dealing with the people who are the &quot;targets&quot; of our audits.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;Note: The internal audit department&#39;s goal should be to promote internal controls and to help the company develop cost-effective solutions for addressing issues.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;In summary, the internal audit department&#39;s mission is twofold:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;To provide independent assurance to the audit committee (and senior management) that internal controls are in place at the company and are functioning effectively.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Verdana, sans-serif;&quot;&gt;To improve the state of internal controls at the company by promoting internal controls and by helping the company to identify control weaknesses and develop cost-effective solutions for addressing those weaknesses.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/1214130043391775893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/why-are-we-here-internal-audit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1214130043391775893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1214130043391775893'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/why-are-we-here-internal-audit.html' title='Why Are We Here? 
(The Internal Audit Department&#39;s Mission)'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-3335625879722247124</id><published>2010-08-09T09:33:00.001-07:00</published><updated>2010-08-09T09:33:18.061-07:00</updated><title type='text'>IT Audit issues</title><content type='html'>-</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/3335625879722247124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/it-audit-issues.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3335625879722247124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3335625879722247124'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/it-audit-issues.html' title='IT Audit issues'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-1962431146088324640</id><published>2010-08-05T11:28:00.000-07:00</published><updated>2010-08-05T11:28:56.877-07:00</updated><title type='text'>User Access Non-Compliance is Material Weakness</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Given that 60% of CFOs lost their 
jobs within 3 months of reporting a material weakness, what controls do you have in place? Are they effective?&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Q: Was this a one-time deficiency, or was this the result of repeated audits identifying the same deficiency, thus raising it to the level of material weakness?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Most of these are first-time deficiencies and are noted as &quot;New Issues&quot; according to the auditors&#39; report (see Blog.Veriphyr.com for the report link).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example, terminated users who continued to have access rights to applications is discussed on p23 and it is specifically noted as a &quot;New Issue&quot; and not a &quot;Repeat Issue&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;At least one was identified as &quot;New Issues&quot; but the weakness had been going on for several years. For instance, on page 37 it is reported that on one application &quot;recertification of accounts was conducted when the application was acquired and brought online at FEMA in FY 2007 and has not been conducted since.&quot;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;It appears that it was the number and severity of the deficiencies that led them to be &quot;considered a material weakness in IT controls and financial system functionality.&quot;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;If you have more questions or need more details let me know&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/1962431146088324640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/user-access-non-compliance-is-material.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1962431146088324640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1962431146088324640'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/user-access-non-compliance-is-material.html' title='User Access Non-Compliance is Material Weakness'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-5054617176945884964</id><published>2010-08-05T11:13:00.000-07:00</published><updated>2010-08-05T11:16:05.214-07:00</updated><title type='text'>Awsome Information on IT Audit</title><content type='html'>&lt;a href=&quot;http://www.4shared.com/dir/S35onu2c/sharing.html&quot;&gt;http://www.4shared.com/dir/S35onu2c/sharing.html&lt;/a&gt;&lt;br /&gt;
Please download this document in your Pc and equip yourself with IT Auditing best practices.</content><link rel='enclosure' type='text/html' href='http://www.4shared.com/dir/S35onu2c/sharing.html' length='0'/><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/5054617176945884964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/awsome-information-on-it-audit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/5054617176945884964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/5054617176945884964'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/awsome-information-on-it-audit.html' title='Awsome Information on IT Audit'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-3982566818444538918</id><published>2010-08-05T10:22:00.000-07:00</published><updated>2010-08-05T10:22:05.176-07:00</updated><title type='text'>Risk and Control Matrix</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Hi All,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;I would like to start this topic to discuss all fundamentals of RCMs. Do share your thoughts.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;RCMs are a fundamental requirement for SOX-404 Compliance.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;They are considered a standard template for SOX purposes to document all Financial Reporting Risks and Controls pertaining to business processes.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Components of RCM are:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Control Objective&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Risks&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Control Description&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Control Ref No.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;5. Frequency of Control &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;6. Control Type&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;7. Control Method&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;8. Information Processing Objectives&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;9. Financial Statement Assertions&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;10. COSO Component&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;11. Control owner&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;12. Evidence of control&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;13. Design Deficiency&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;14. Remediation Action Plan&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Each component to be discussed in detail....&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;First, we need to scope the processes for which RCMs need to be prepared.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Please refer to one of our topics on &quot;Procedure of Risk Assessment&quot;, wherein we had identified the business cycles and the processes against them.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Refer to the same list for doing the scoping. Identify the processes which will have a direct impact on our Financials and Accounts.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The crux of the matter is that RCM needs to be prepared for all the processes which have a financial impact on our books of accounts.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Prepare an RCM template for each process identified, in an Excel sheet, containing all the RCM components in the same order mentioned in my last posts.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Finalize a naming convention for RCMs so as to be able to keep the names of all RCMs consistent and to have version control over them.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;First component of an RCM is Control Objective.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against this component we identify all the financial control objectives that we need to have in the sub-process. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;They mainly consist of the factors which ensure that any transaction which will have a financial impact on the company&#39;s financials is accurate, complete, approved, correctly accounted for, entered with approval, monitored, etc.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Another component to be mapped in RCM is Risks.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against every Control Objective, we need to assess the possible risks and map them in the RCM. These should be the risks which will in any way impact the financials of the company, e.g. incomplete/inaccurate or unauthorized figures, computations, transactions susceptible to manual interventions, inadequate segregation of duties, etc.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;All controls that mitigate the identified risks should be mapped.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;There can be more than one control to mitigate one risk.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;While mapping the control, ensure that the detailed process is not documented in the RCM, only the control that mitigates the risk.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Each control should be given a Control Ref No. The Control Ref No. should be named in a manner such as:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Location.Process.Sub-process.Control No.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;We need to map the frequency or periodicity of the control we have identified under &quot;Control Description&quot;. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This could be &quot;Multiple times a Day&quot;, &quot;Daily&quot;, &quot;Weekly&quot;, &quot;Quarterly&quot;, &quot;Monthly&quot;, &quot;Half-yearly&quot;, &quot;Annually&quot; or &quot;Per Occurrence&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against each control mapped, we need to record whether the control type is &quot;Preventive&quot; or &quot;Detective&quot;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Preventive Control: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Preventive controls focus on preventing errors or exceptions. Such preventive controls are:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Standard policies and procedures&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Proper segregation of duties&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Authorization levels/approvals&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Detective Control:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Detective controls are designed to identify an error or exception after it has occurred. Such detective controls are: &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Exception reports&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Reconciliations&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Periodic audits&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;It is important for every process and RCM to have both Preventive and Detective Controls to ensure a complete set of controls.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Information Processing Objectives (CAVR) need to be mapped against the controls identified.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The following are the four information processing objectives:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Completeness - All transactions that occurred are entered and accepted for processing&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Accuracy - Transactions are recorded at the correct amount, in the appropriate account, on a timely basis in the proper period&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Validity - All recorded transactions actually occurred (are real), relate to the &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;organization, and were approved by designated personnel&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Restricted access - Data is protected against unauthorized amendments, its &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;confidentiality is ensured, and physical assets are protected&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Every &quot;application control&quot; needs to be mapped to one or more of these information processing objectives.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;What is an Application Control?&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Application controls are procedures designed to ensure the integrity of the accounting records. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Application controls directly support the control objectives of completeness, accuracy, validity and restricted access, as defined earlier. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Examples of Application Controls:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Completeness:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Reconciliation of the accounts payable subsidiary ledger to the control account in the general ledger.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Sequence check - e.g., computerized check of sales invoice numbers to identify missing invoices.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Reconciliation between general ledger control accounts and other ledgers.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Accuracy:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- One-for-one checking a report of changes to standing data to authorized amendment forms - e.g., checking a report of amended selling prices to an authorized list of amended prices. This report should also be reviewed by the authorizer and, if computer generated, relies on automated procedures to ensure its accurate production.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- One-for-one checking of output to input - e.g., checking a report of hours worked by employees to clock cards.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Reconciliation between general ledger control accounts and other ledgers.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Validity:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Dual signatures required for payments in excess of a certain amount.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Authorization of credit memos by a responsible official prior to issuing to customer.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Review of an exception report, such as a report of discounts given above a set percentage by the sales manager.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Restricted access:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Checkbooks kept in a locked safe to prevent unauthorized use.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Application access security, which ensures only authorized individuals have access to payment processing functions.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;- Stores kept locked/supervised at all times to prevent the theft of inventory.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Financial Statement Assertions&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Financial Statement Assertions are representations made by management as to the fair presentation of financial statements. They are mapped against the controls mapped under &quot;Control Description&quot; column, which impact the financial statements. The financial assertions are of 5 types:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Existence or Occurrence&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Completeness&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Valuation or Allocation&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Rights and Obligations&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;5. Presentation &amp;amp; Disclosure&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Details of Financial Assertions:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Existence or Occurrence: Assets, liabilities and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Completeness: All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Valuation or Allocation: Asset, liability, revenue and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically correct and appropriately summarized, and recorded in the entity’s books and records.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Rights &amp;amp; Obligations: Assets are the rights, and liabilities are the obligations, of the entity at a given date.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;5. Presentation &amp;amp; Disclosure: Items in the financial statements are properly described, sorted and classified.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Difference: Financial Assertions &amp;amp; Information Processing Objectives&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Assertions apply to all controls, whereas CAVR applies to application controls (IT &amp;amp; manual).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Assertions are assessed at the account balance level, whereas CAVR is assessed at the sub-process level.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/3982566818444538918/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/risk-and-control-matrix.html#comment-form' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3982566818444538918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/3982566818444538918'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/risk-and-control-matrix.html' title='Risk and Control Matrix'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-111003895920207233</id><published>2010-08-05T10:08:00.000-07:00</published><updated>2010-08-05T10:08:10.572-07:00</updated><title type='text'>How to move a company to SOX Compliance?</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Hi All,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;In this topic, I&#39;ll be sharing with you some basic requirements which a company should consider when going for SOX Compliance.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Please share in case you have other tips to add.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 1: Embedding compliance firmly in ongoing operations will require: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• an organizational structure with clear accountability, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• an efficient operating structure, and &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• an enabling technology structure&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Identify significant business units, financial statement accounts and related processes&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Update or create process-flow documentation&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Assess risks related to financial reporting and identify control activities in place to address those risks&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Validate processes and controls via walkthroughs or other means&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Develop and execute test plans&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Evaluate test results and remediate design and/or operating control deficiencies where necessary&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 3. A typical company having accomplished this successfully would now have the following areas addressed: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• basic documentation in place, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• key controls identified, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• test plans developed and, &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• most importantly, control issues that needed remediation&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 4: Decide how to establish a mechanism that both confirms the evaluation of DC&amp;amp;P (Disclosure Controls &amp;amp; Procedures) on a quarterly basis to support the Section 302 certification and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal controls over financial reporting operate effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&amp;amp;P as of quarter-end. Section 302 also requires management to report material changes to its internal control over financial reporting.) Given the level of regulatory oversight, this is a decision that should not be taken lightly. Alternatives can be:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Although testing is not specifically prescribed for compliance with the requirements of Section 302, one option is to execute test plans throughout the year. This allows for timely recognition of control issues, remediation and retesting if needed, and updating of the control evaluation at year-end. Through testing, management attains comfort with regard to quarterly reporting, while at the same time accomplishing the work required for the year-end assertion.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Perform tests quarterly for higher-risk processes and controls, supplemented by self-assessments for other processes. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• A third possibility is to rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&amp;amp;P. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Complicating consideration of these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. Choosing from among these alternatives is dependent on management’s comfort with the alternatives. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. These can be classified into three major categories:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• An operating structure that facilitates cost-effective and streamlined processes for execution of Sarbanes-Oxley requirements. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• A technology support structure that supports the efficiency and effectiveness of compliance processes&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 6: Accountability Structure&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The accountability structure needs to:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Define ownership of the design and operation of controls within the organization &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Create the appropriate tone at the top to reinforce delegation without allowing abdication. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Define appropriate organizational roles and responsibilities&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Communicate what people are supposed to do and &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;• Reinforce accountability to ensure that they do it.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/111003895920207233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/how-to-move-company-to-sox-compliance.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/111003895920207233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/111003895920207233'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/how-to-move-company-to-sox-compliance.html' title='How to move a company to SOX Compliance?'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-632327561748835290</id><published>2010-08-05T09:51:00.000-07:00</published><updated>2010-08-05T09:54:49.292-07:00</updated><title type='text'>How IT Audit Works?</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Audits are a critical component of the regulatory compliance process. In general, it is the auditors who will determine whether your organization is in compliance with the regulations and standards that it must address. For example, in regard to Sarbanes-Oxley (SOX), external auditors will often determine the adequacy of the internal controls in your organization as part of the audit in relation to annual financial reporting. 
Understanding how the audit process works and how auditors operate is important because it informs IT managers how to establish an environment that is compliant and easy to audit. This topic focuses on how auditors conduct the IT audit process. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;It is important to understand what auditors look for during a compliance audit. During the audit, the auditors look for evidence that indicates: &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The organization has designed effective controls to address their compliance requirements and that there are no design deficiencies. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The organization consistently applies the controls they have designed and that there are no operational deficiencies. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;If the auditors do not find evidence of an effective control program, or they find that the organization is not adhering to the control program, they note these deficiencies in their final audit report. This audit report is generally provided to the organization’s audit committee so that identified issues get the appropriate level of management exposure. Obviously, it is preferable that there be no deficiencies noted in this report. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The following process describes the general activities that auditors conduct during an audit. Your auditor might conduct the audit using a slightly different approach: &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 1: Plan the audit (auditor) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 2: Hold audit kickoff meeting (auditor/organization) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 3: Gather data and test IT controls (auditor/organization) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 4: Remediate identified deficiencies (organization) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 5: Test remediated controls (auditor/organization) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 6: Analyze and report findings (auditor) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 7: Respond to findings (organization) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 8: Issue final report (auditor) &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Understanding the steps in the IT audit process positions IT managers to know what to expect from the audit. In this way, you can better achieve your organization&#39;s regulatory compliance objectives, and optimize the audit process to complete it more efficiently. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;How to Optimize the Audit Process &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;There are many ways to make the audit process more efficient and less difficult. These include: &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Work with the auditor early in the process to understand the key areas on which they plan to focus during the audit. In some cases, you can reprioritize projects to ensure that you address what the auditors see as key risks in the environment, thus avoiding deficiencies in the audit. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Implement automated IT controls whenever possible. These controls are superior to manual ones because auditors can more easily test and validate them. The best way to optimize the efficiency and lower the cost of the IT audit process for your organization is to: &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Maintain clean and concise documentation of IT controls and keep it updated. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Organize your IT controls to work with the framework that your auditors use. This will help ensure that you and your auditors communicate clearly about the regulatory objectives. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Take advantage of an IT controls framework. This will help you to more effectively address a variety of regulations with a single set of controls. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/632327561748835290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/how-it-audit-works.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/632327561748835290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/632327561748835290'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/how-it-audit-works.html' title='How IT Audit Works?'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-1802953364670325482</id><published>2010-08-04T10:34:00.000-07:00</published><updated>2010-08-04T10:34:18.441-07:00</updated><title type='text'>Procedure for Risk Assessment</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt; &lt;/span&gt;&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step1: &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Risk assessment is conducted for all the business cycles of the company, for every process and sub-process therein.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The exercise should be started from the Trial Balance of the company.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 2: How to identify the business cycles of a company?&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;What is a business cycle?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;A business cycle of a company is basically a functional cycle which covers a process from cradle to grave. It consists of many sub-processes. For example, Purchase to Payable is a business cycle which includes Planning, Vendor Management, Requisition, Ordering, Receiving, Invoicing and Payment. Together, these sub-processes make up the Purchase to Payable (P2P) business cycle.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;How to identify the business cycles of a company for the purpose of Risk Assessment (for general purpose/Clause 49 compliance/SOX compliance)?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Business cycles should always be identified through the Trial Balance. All the trial balance accounts should get covered in a maximum of 9-10 business cycles. This gives the person doing the risk assessment assurance that every account (whether material or non-material) has been covered in one process or another.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Generally the common business cycles which every company has are:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Revenue &amp;amp; Receivables, Purchase to Pay, Payroll, Fixed Assets, Treasury &amp;amp; Risk Management, Taxation, General Ledger &amp;amp; Financial Reporting. Check whether all your TB accounts are covered under these cycles.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Other business cycles may depend upon the industry type. For example, in the case of a manufacturing company, the following cycles may get added: Manufacturing, Inventory &amp;amp; Consumption (MIC) Management, Order to Cash (replaced by Revenue &amp;amp; Receivables).&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The Trial Balance is the mirror of a company: it depicts all the activities of the company through financial numbers. Before doing the risk assessment, you first need to know where the risk lies. So first identify the material accounts which give high risk exposure to the company. After identifying such accounts, ascertain which departments and processes cater to those numbers, and then identify the risks underlying those processes. It&#39;s all about hitting the bull&#39;s eye.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 3:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After identifying business cycles, we need to identify the sub-processes under each cycle.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;in the Purchase to Payables cycle, the sub-processes will be Procurement Planning &amp;amp; Budgeting, Vendor Selection, Master &amp;amp; Maintenance, Purchase Requisitioning, Ordering, Advance Payment, Receiving, Quality Check, Invoicing, Payments, Credit Notes and Vendor Reco.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 4:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Now we need to map the identified sub-processes (corresponding to the respective business cycle) to each account of the Trial Balance. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example, the Plant &amp;amp; Machinery account falls under the Fixed Asset business cycle, and within it under the sub-processes of Vendor Selection &amp;amp; Maintenance, Requisitioning, Ordering, Receipt of Asset, Capitalization and Depreciation.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This exercise can prove to be quite cumbersome if one doesn&#39;t know the nature of the accounts and what impact each account will have on the financials.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;However, this exercise can also prove to be useful to identify any suspense or suspicious accounts.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 5:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After identifying the sub-processes within each cycle, we need to understand and identify the basic Control Objectives which a process needs in order to work smoothly and efficiently. For example, in Fixed Assets Management, control objectives for the Receipt of Assets process can be:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. To ensure that goods received at the Company&#39;s Premises are properly recorded in the Inventory records.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. To ensure that assets received are recorded completely &amp;amp; accurately in the books of accounts&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. To ensure that duties are adequately segregated for ordering and receiving function&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. To ensure that access to create/ update the data in the Fixed Assets Register is restricted to authorized personnel only.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Hence, in this manner, we need to know and highlight the objectives on the basis of which we need to institute controls in our system.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 6:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After identifying the Control Objectives, we need to identify the Risks against each sub-process corresponding to the control objectives. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Such risks can be of 4 types:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Strategic, Financial, Operational or Compliance&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example, risks for the sub-process Receipt of Fixed Assets can be:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;1. Assets received may not be properly recorded in the Inventory records.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;2. Assets received may not be correctly/ completely recorded in the Fixed Assets Register&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;3. Duties may not be adequately segregated.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;4. Data in FA Module may be created/ updated by unauthorized personnel.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;In the same way, the risks for all sub-processes identified under each business cycle need to be documented.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 7:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After identifying all the risks against the sub-processes, we need to give each risk a likelihood rating,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;that is, how likely it is that the risk will occur. It can be defined as &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Rare, Unlikely, Moderate, Likely or Almost Certain.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This rating is given assuming that no controls exist in the company.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 8:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against each risk, depending upon the likelihood rating, we need to give an Impact Rating.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This means that we need to assess the impact of each risk on 5 parameters: Strategic, Financial, Operational, Legal Compliance and Reputation.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Such impacts can be categorized into:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Severe, Major, Moderate, Minor and Insignificant&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This exercise will help us assess the impacts on our process if such risks are not mitigated.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 9:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After we have assessed the likelihood rating and impact rating of a risk, we will be able to assess the inherent rating of the risk. (The susceptibility of an account balance or class of transactions to misstatement that could be material, assuming that there were no related internal controls, is called Inherent Risk (IR).)&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Categorization of risks will be High, Significant, Moderate and Low.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example, if Likelihood is Almost Certain and Impact is Insignificant or Minor, then IR will be Moderate; if Impact is Moderate, then IR will be Significant; and if Impact is Major/Severe, the IR will be High. &lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The remaining permutations and combinations are to be worked out similarly.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 10:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against each risk, we need to document the As-Is or existing controls which are prevalent in the organization/department.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This means documenting which controls the process has in place to mitigate each risk. These can be approvals, maker-checker controls, segregation of duties, etc., depending upon the corresponding risks.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 11:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After documenting the Existing Controls, we need to identify and assess the Controls Rating, i.e. we need to categorize the controls as Poor, Fair, Adequate or Excellent.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This is done by considering the nature of the risk and then assessing whether the Existing Control would be able to fully remove the possibility of such risk, or would be able to mitigate the risk to some extent or to a great extent.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This exercise is judgemental, but good knowledge of Best Practices makes it somewhat easier.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 12:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After we have identified the Inherent Risk (IR) and the Controls Rating (CR), we need to assess the Residual Risk (RR) Rating.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This means that we need to ascertain the left-over risk (if any) after considering the prevalent controls in a process.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;For example, if the IR was High and CR is Poor/Fair, then the RR will be High,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;whereas if the IR was High and CR is Adequate, then the RR will be Significant,&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;and if IR is High and CR is Excellent, then RR is Moderate.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Similarly: IR-Significant, CR-Poor/Fair, RR-Significant&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;IR-Significant, CR-Adequate/Excellent, RR-Moderate&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;In this fashion, all the permutations and combinations can be made.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This will give the management an assurance and an insight into the remaining risks that they need to take care of.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Step 13:&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;After the residual risks have been identified, the company needs to focus on the High and Significant risks.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Against such risks, the company needs to identify and document the Remedial Action Plans to mitigate/resolve such Residual Risks.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;That completes the whole Risk Assessment exercise.&lt;/span&gt; &lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
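The scoring in Steps 7 to 13, as an added example that is not the author's own code: it encodes only the matrix cells the post states, reports every likelihood/impact and IR/CR combination that still has to be agreed, and builds the Step 13 remediation queue. The function names, the constructed sample register, and the rule that overall impact is the worst of the five parameter ratings are assumptions.

```python
"""Risk-register scoring for Steps 7 to 13 (added example, not from the post)."""

LIKELIHOODS = ("Rare", "Unlikely", "Moderate", "Likely", "Almost Certain")
IMPACTS = ("Insignificant", "Minor", "Moderate", "Major", "Severe")
CONTROLS = ("Poor", "Fair", "Adequate", "Excellent")
RATINGS = ("Low", "Moderate", "Significant", "High")

# Step 9: the post states only the "Almost Certain" row of the IR matrix.
INHERENT = {
    ("Almost Certain", "Insignificant"): "Moderate",
    ("Almost Certain", "Minor"): "Moderate",
    ("Almost Certain", "Moderate"): "Significant",
    ("Almost Certain", "Major"): "High",
    ("Almost Certain", "Severe"): "High",
}

# Step 12: the post states only the IR-High and IR-Significant rows.
RESIDUAL = {
    ("High", "Poor"): "High",
    ("High", "Fair"): "High",
    ("High", "Adequate"): "Significant",
    ("High", "Excellent"): "Moderate",
    ("Significant", "Poor"): "Significant",
    ("Significant", "Fair"): "Significant",
    ("Significant", "Adequate"): "Moderate",
    ("Significant", "Excellent"): "Moderate",
}


def missing_cells(table, rows, cols):
    """Return every (row, col) pair the matrix does not define yet."""
    return [(r, c) for r in rows for c in cols if (r, c) not in table]


def worst_impact(impacts):
    """Assumption: overall impact is the worst of the five parameter ratings."""
    for rating in impacts.values():
        if rating not in IMPACTS:
            raise ValueError("unknown impact rating: %r" % rating)
    return max(impacts.values(), key=IMPACTS.index)


def assess(risk):
    """Score one register row; IR or RR is None when no cell is defined."""
    if risk["likelihood"] not in LIKELIHOODS:
        raise ValueError("unknown likelihood: %r" % risk["likelihood"])
    if risk["control"] not in CONTROLS:
        raise ValueError("unknown control rating: %r" % risk["control"])
    impact = worst_impact(risk["impacts"])
    ir = INHERENT.get((risk["likelihood"], impact))
    rr = RESIDUAL.get((ir, risk["control"])) if ir else None
    return {"name": risk["name"], "impact": impact, "inherent": ir, "residual": rr}


def remediation_queue(register):
    """Step 13: High and Significant residual risks, highest first.

    Also returns the names of rows that could not be scored, so they are
    escalated for a rating decision instead of silently dropped.
    """
    scored = [assess(r) for r in register]
    queue = [s for s in scored if s["residual"] in ("High", "Significant")]
    queue.sort(key=lambda s: RATINGS.index(s["residual"]), reverse=True)
    unscored = [s["name"] for s in scored if s["residual"] is None]
    return queue, unscored


def row(name, likelihood, control, strategic, financial, operational, legal, reputation):
    """Build one register row from the five Step 8 impact parameters."""
    return {"name": name, "likelihood": likelihood, "control": control,
            "impacts": {"Strategic": strategic, "Financial": financial,
                        "Operational": operational, "Legal Compliance": legal,
                        "Reputation": reputation}}


# Constructed sample register (illustrative rows, not from the post).
REGISTER = [
    row("Unapproved change reaches production", "Almost Certain", "Adequate",
        "Minor", "Major", "Major", "Moderate", "Moderate"),
    row("Backup restores never tested", "Almost Certain", "Poor",
        "Minor", "Moderate", "Moderate", "Minor", "Minor"),
    row("Shared administrator password", "Almost Certain", "Poor",
        "Major", "Major", "Severe", "Major", "Major"),
    row("Duplicate vendor master entry", "Almost Certain", "Fair",
        "Insignificant", "Minor", "Minor", "Insignificant", "Insignificant"),
    row("Data centre power failure", "Likely", "Adequate",
        "Moderate", "Major", "Major", "Minor", "Moderate"),
]

if __name__ == "__main__":
    queue, unscored = remediation_queue(REGISTER)
    for item in queue:
        print(item["residual"], "|", item["name"], "| IR:", item["inherent"])
    print("Needs a rating decision:", unscored)
    print("Undefined IR cells:", len(missing_cells(INHERENT, LIKELIHOODS, IMPACTS)))
    print("Undefined RR cells:", len(missing_cells(RESIDUAL, RATINGS, CONTROLS)))
```
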
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;In case you have any other tips, please do share.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/1802953364670325482/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/procedure-for-risk-assessment.html#comment-form' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1802953364670325482'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/1802953364670325482'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/procedure-for-risk-assessment.html' title='Procedure for Risk Assessment'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-6128573419811565190</id><published>2010-08-04T09:24:00.000-07:00</published><updated>2010-08-04T09:24:14.444-07:00</updated><title type='text'></title><content type='html'>&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The Internal Audit Process from A to Z: How It Works!&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the auditor. I see quite a few audit organizations that include a Web-based explanation to their clients how the audit process works. The purpose of providing this page is for those audit organizations that have not explained to their clients how, in general, the audit process works. It also is designed to provide a resource for sharing tools and techniques for each of the distinct phases of the audit process. If you have tools or resources that you would like added to these pages please send them to editor@auditnet.org. &lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Thanks to Terry Radke, Director Indiana University - Internal Audit for allowing AuditNet® to &quot;borrow&quot; the audit process description they use for their customers. I also added links to other sites to help illustrate or clarify the process. &lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Process&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department&#39;s usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. Following are some sample flowcharts of the process from other organizations that you may find helpful:&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Central Queensland University Internal Audit Process&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;European Space Components Internal Audit Procedure guide includes a flow chart of the audit process.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;University of Illinois Audit Process Flowchart&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Planning&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Announcement Letter&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Initial Meeting&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Preliminary Survey&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Internal Control Review&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The auditor will review the unit&#39;s internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Program&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Fieldwork&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Transaction Testing&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase. &lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Advice &amp;amp; Informal Communications&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Summary&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Working Papers&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Working Paper Documentation&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Report&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Our principal product is the final report in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Discussion Draft&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit&#39;s operating management and is submitted for the client&#39;s review before the exit conference.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Exit Conference&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;When audit management has approved the discussion draft, Internal Audit meets with the unit&#39;s management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comments on the draft and the group works to reach an agreement on the audit findings.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Formal Draft&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Final Report&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Internal Audit prints and distributes the final report to the unit&#39;s operating management, the unit&#39;s reporting supervisor, the Vice President for Administration, the University Chief Accountant, and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Internal Audit Director is required for release of the report outside of the University.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Client Response&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. However, if the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client&#39;s written response to the report recommendations.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;In the response, the client should explain how report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit&#39;s final report.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Client Comments&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Finally, as part of Internal Audit&#39;s self-evaluation program, we ask clients to comment on Internal Audit&#39;s performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients&#39; suggestions.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Follow-Up&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Follow-up Review&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Follow-up Report&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to Indiana University. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Internal Audit Annual Report to the Board &lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also be communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;The Process: A Collaborative Effort&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;As pointed out, during each stage in the audit process--preliminary review, field work, audit reports, and follow-up--clients have the opportunity to participate. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit&#39;s operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;--------------------------------------------------------------------------------&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Administration&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Planning&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Fieldwork (Testing)&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Sampling&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Reporting&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Customer Survey&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Audit Follow-Up &lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;Read more: http://www.auditnet.org/process.htm#ixzz0vefY1tZG&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style=&quot;text-align: left;&quot;&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/6128573419811565190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/internal-audit-process-from-to-z-how-it.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/6128573419811565190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/6128573419811565190'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/internal-audit-process-from-to-z-how-it.html' title=''/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5247267232662532055.post-7430242143852707605</id><published>2010-08-04T09:11:00.000-07:00</published><updated>2010-08-04T09:48:07.609-07:00</updated><title type='text'>ITIL</title><content type='html'>&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The Scope of IT Audit. ITIL (IT Infrastructure Library) provides a framework of Best Practice guidance for IT Service Management and since its creation, ITIL has grown to become the most widely accepted approach to IT Service Management in the world.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This pocket guide has been designed as an introductory overview for anyone who has an interest in or a need to understand more about the objectives, content and coverage of ITIL. Whilst this guide provides an overview, full details can be found in the actual ITIL publications themselves.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;This guide describes the key principles of IT Service Management and provides a high-level overview of each of the core publications within ITIL:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Service Strategy&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Service Design&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Service Transition&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Service Operation&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;Continual Service Improvement.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;An overview of the qualifications scheme is also included.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: Arial, Helvetica, sans-serif;&quot;&gt;The advice contained within this guide is neither definitive nor prescriptive, but is based on ITIL Best Practice. The guidance in the ITIL publications is applicable generically and is of benefit to all IT organizations irrespective of their size or the technology in use. It is neither bureaucratic nor unwieldy if utilized sensibly and in full recognition of the business needs of the organization.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://it-audit-india.blogspot.com/feeds/7430242143852707605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/it-risk-and-control.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7430242143852707605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5247267232662532055/posts/default/7430242143852707605'/><link rel='alternate' type='text/html' href='http://it-audit-india.blogspot.com/2010/08/it-risk-and-control.html' title='ITIL'/><author><name>Deepak</name><uri>http://www.blogger.com/profile/05143129336240024092</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>