
RSM McGladrey, Inc. is a member firm of RSM International – an affiliation of separate and independent legal entities.
Integrated Audit
Presented by:
Hussain T. Hasan, CISM, CISSP
Managing Director
Technology Risk Management Services (TRMS)
Hussain.hasan@rsmi.com
IT and Finance - Are We Talking the Same Language?

Session Goals
• History and background of IT Audit
• Try to address the gap that exists between financial audit and information technology audit
• What is involved in IT general controls and automated application controls
• Discuss an approach that will aid in the identification and testing of IT controls
• Roles and responsibilities for IT and financial auditors

History of IT Audits
• First use of a computerized accounting system - 1954 by GE
• Use of computer accounting systems became more prevalent in mid-60s and early 70s
• AICPA and the “Big 8” formalize EDP auditing with the release of the book “Auditing & EDP” - 1968
• Electronic Data Processing Auditors Association (EDPAA) formed - late 1960s
• First edition of control objectives was published (now known as CoBiT) - 1977
• EDPAA changes name to ISACA (Information Systems Audit and Control Association) - 1994

Major Events Impacting IT Auditing
• Equity Funding Corporation of America fraud (1964 - 1973)
• AT&T infrastructure failure - 1998
• September 11th terrorist attacks - 2001
• Enron and Arthur Andersen - 2002

Why is IT Auditing a Challenge?
• Unlike the certification of financial statements there is no “universally accepted principle or standard” for IT audit
• The concept of “compliance to best practice”
• Rapid change in IT is at times too rapid for best practices to fully develop or be recognized as such
• IT audit has become a separate discipline over time

Today’s Business Process Environment
• 24/7 requirement becoming more common
• Focus on early error detection
• More highly automated – reducing reliance on manual controls
• Integrated with complex and highly efficient IT systems
• Electronic workflow with paperless trails
• Increased business partner involvement through direct access to process – the network extends beyond the company

IT Control Framework
[Diagram: layered IT control framework; labels recovered from the figure]
• Significant Financial Transaction Accounts: Balance Sheet, Income Statement, SCFP, Notes, Other
• Business Processes/Classes of Transactions: Process A, Process B, Class A, Class B
• Financial Applications: Application A, Application B, Application C
• Automated Application Controls
– Application Security
– Input Controls
– Process Controls
– Output Controls
– Interface Controls
• IT General Controls
– Change/Development
– Security
– Computer Operations
– IT Governance
• Infrastructure layer labels: Infrastructure Services, Platform, Network, Operating System, Database
Source: Adapted from IT Governance Board, ISACA White Paper IT Control Objectives for Sarbanes-Oxley

IT General Controls (ITGC)
• IT general controls are pervasive controls within the IT environment and the effectiveness of all automated application controls across the organization depends on them.
– Security (access to programs and data)
– Change / development
– Computer operations
– IT governance
• Primary responsibility of the IT Team
• Constant interaction with the Financial Audit Team

Automated Application Controls
• Application controls apply to the business processes they support.
• These controls are embedded within the software applications to prevent or detect unauthorized transactions.
• When combined with manual controls, application controls ensure completeness, accuracy, authorization and validity of processing transactions.

Automated Application Controls
• Automated application-based processes that control access, input, output and reporting
• Typically set up in the software implementation phase, and can be modified in the maintenance phase. Depending on the software used, modification may be problematic.
• Degree of need for review partially dependent on software used
• Also called IT controls or programmed controls
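
Added example (not part of the original presentation): a sketch of how the control types named on the slides (application security, input, process, output and interface controls) can be embedded in a payment-posting routine to enforce completeness, accuracy, authorization and validity. The Payment record, the role limits and the sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed approval limits per role (an assumption, not from the slides).
APPROVAL_LIMITS = {"manager": Decimal("10000"), "controller": Decimal("250000")}

@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: Decimal
    entered_by: str
    approved_by: str
    approver_role: str

def check_payment(p, vendor_master):
    """Return the control failures for one payment (empty list means pass)."""
    failures = []
    if p.vendor_id not in vendor_master:  # input control: validity
        failures.append("validity: unknown vendor")
    if p.amount <= 0 or p.amount != p.amount.quantize(Decimal("0.01")):
        failures.append("accuracy: bad amount")  # input control: accuracy
    if p.approved_by == p.entered_by:  # application security: authorization
        failures.append("authorization: self-approval")
    if p.amount > APPROVAL_LIMITS.get(p.approver_role, Decimal("0")):
        failures.append("authorization: over approval limit")
    return failures

def check_batch(payments, header_count, header_total):
    """Interface control (completeness): count and control total must match."""
    failures = []
    if len(payments) != header_count:
        failures.append("completeness: record count mismatch")
    if sum((p.amount for p in payments), Decimal("0")) != header_total:
        failures.append("completeness: control total mismatch")
    return failures

def process_batch(payments, header_count, header_total, vendor_master):
    """Process control: post nothing unless the batch reconciles, then post
    only clean payments. Output control: return an exception report."""
    batch_failures = check_batch(payments, header_count, header_total)
    if batch_failures:
        return [], {"batch": batch_failures}
    results = [(p, check_payment(p, vendor_master)) for p in payments]
    posted = [p for p, f in results if not f]
    return posted, {i: f for i, (_, f) in enumerate(results) if f}

# Constructed sample: one clean payment, one self-approved over-limit payment.
SAMPLE = [Payment("V100", Decimal("950.00"), "alice", "bob", "manager"),
          Payment("V100", Decimal("12000.00"), "carol", "carol", "manager")]
```

Calling process_batch(SAMPLE, 2, Decimal("12950.00"), {"V100"}) posts the first payment and reports the second as an exception; the header count and total stand in for what the sending system would declare.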

