Auditing Information Technology Financial System Issues
Bruce Headrick
Program Manager
AFAA/FSD
Agenda
1. Objective
2. Background - Criteria
3. The IT Portfolio
4. Financial Info Structure
5. GAAP/GAGAS
6. Enforcement of System Controls
7. Wrap-Up
IT Audit - Background
Once upon a time the Organization hired computer programmers and developed the software it would use.
But that was once upon a time. Today, information system development means the carefully guided acquisition and customization of commercial off-the-shelf (COTS) software, often commercial ERP software.
IT Audit - Background
Ensure the right information exists, is accessible, and is understood and discoverable by all organizational personnel, with on-demand access to the appropriate authoritative, reliable, relevant, and assured information they need to perform their duties efficiently and effectively.
Provide continuously for the availability, integrity, confidentiality, non-repudiation, and authentication of information and information systems as an essential element of achieving the Organization's mission.
Areas of Interest
• IT Portfolio
• Financial Information Structure
• Standards
– Generally Accepted Accounting Principles (GAAP)
– Generally Accepted Government Auditing Standards (GAGAS, the GAO "Yellow Book")
• System Controls
– General Controls
– Application Controls
IT Audit - Background
IT Portfolio Management
Other Portfolio Issues
How does management know what it has?
Is there potential duplication within a single IT portfolio?
Is there potential duplication between IT portfolios?
Are there redundancies between lines of business?
Are there redundancies between operational activities?
Are there redundancies between parent-child levels?
Has your xyz performed a gap analysis of activity?
Does your xyz use a corporate activity to review IT acquisitions?
Financial Info Structure
• How do the systems talk to each other?
• Interfaces
• Does x in one system = x in the next system?
• Common languages
Standards
• GAAP
• GAGAS
• GAO "Yellow Book"
What the Standards say…
AU Section 318
Performing Audit Procedures in Response to Assessed Risks
and Evaluating the Audit Evidence Obtained
Source: SAS No. 110.
.04 The auditor's overall responses to address the
assessed risks of material misstatement at the financial
statement level may include emphasizing to the audit team
the need to maintain professional skepticism in gathering
and evaluating audit evidence, assigning more experienced
staff or those with specialized skills or using specialists,
providing more supervision, or incorporating additional
elements of unpredictability in the selection of further
audit procedures to be performed. Additionally, the
auditor may make general changes to the nature, timing, or
extent of further audit procedures as an overall response,
for example, performing substantive procedures at period
end instead of at an interim date.
What the Standards say… Testing
AU Section 326
Audit Evidence
Source: SAS No. 106.
.22 Tests of controls are necessary in two
circumstances. When the auditor’s risk assessment
includes an expectation of the operating effectiveness of
controls, the auditor should test those controls to support
the risk assessment. In addition, when the substantive
procedures alone do not provide sufficient appropriate
audit evidence, the auditor should perform tests of
controls to obtain audit evidence about their operating
effectiveness.
Looking for both Anticipated and Actual results.
What the Standards say… IT Work in Financial Audits
AT Section 501
An Examination of an Entity's Internal Control Over Financial
Reporting That Is Integrated With an Audit of Its Financial
Statements
Source: SSAE No. 15.
.18 The examination of internal control should be integrated with an audit of
financial statements. Although the objectives of the engagements are not
the same, the auditor should plan and perform the integrated audit to
achieve the objectives of both engagements simultaneously. The auditor
should design tests of controls
• to obtain sufficient appropriate evidence to support the auditor's opinion
on internal control as of the period end; and
• to obtain sufficient appropriate evidence to support the auditor's control
risk assessments for purposes of the audit of financial statements.
.51 The identification of risks and controls within IT is not a separate
evaluation. Instead, it is an integral part of the top-down approach used to
identify likely sources of misstatement and the controls to test, as well as to
assess risk and allocate audit effort.
Standards that Should be Referenced When Conducting IT Work
• SSAE No. 15 - An Examination of an Entity's Internal
Control Over Financial Reporting That Is Integrated With
an Audit of Its Financial Statements
• SAS No. 106 - Audit Evidence
• SAS No. 107 - Audit Risk and Materiality in Conducting
an Audit
• SAS No. 108 - Planning and Supervision
• SAS No. 109 - Understanding the Entity and Its
Environment and Assessing the Risks of Material
Misstatement
• SAS No. 110 - Performing Audit Procedures in
Response to Assessed Risks and Evaluating the Audit
Evidence Obtained
System Controls
• FISCAM – Federal Information System
Controls Audit Manual
– General Controls
– Application Controls
FSD IT Audit - Risks to ICs
Various Internal Controls
• General Controls
– Security Management
– Access
– Configuration Management
– Segregation of Duties
– Contingency Planning
• Business Process (Application) Controls
– Completeness
– Accuracy
– Validity
– Confidentiality
– Availability
IT Audit - Risk to ICs
General Controls
• Security Management
– Controls provide reasonable assurance that security management is effective.
• Access
– Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.
• Configuration Management
– Controls provide reasonable assurance that changes to information system resources are authorized and that systems are configured and operated securely, as intended.
• Segregation of Duties
– Controls provide reasonable assurance that incompatible duties are effectively segregated.
• Contingency Planning
– Controls provide reasonable assurance that contingency planning (1) protects information and minimizes the risk of unplanned interruptions and (2) provides for recovery of operations should interruptions occur.
IT Audit - Risk to ICs
Business Process Controls
• Completeness
– Controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in the output.
• Accuracy
– Controls provide reasonable assurance that transactions are properly recorded, with the correct amount/data and on a timely basis, that data elements are processed accurately by applications that produce reliable results, and that output is accurate.
IT Audit - Risk to ICs
Business Process Controls cont'd
• Validity
– Controls provide reasonable assurance (1) that all recorded transactions actually occurred (they are real), relate to the organization, are authentic, and were properly approved and (2) that output contains only valid data.
• Confidentiality
– Controls provide reasonable assurance that application data, reports, and other output are protected against unauthorized access.
• Availability
– Controls provide reasonable assurance that application data, reports, and other relevant business information are readily available to users when needed.
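As an added worked example (not part of the original briefing), the following Python script shows how the completeness, accuracy, and validity objectives above, together with the interface question from the Financial Info Structure slide (does x in one system equal x in the next?), turn into a transactional test over two interface feeds. The feeder export, the general-ledger postings, their field names (txn_id, amount, account, date), and the differing date formats are constructed for illustration and do not come from any real system.

```python
"""Interface reconciliation between a feeder system and the general ledger.

Added example: all data below is constructed for illustration, and the
field names (txn_id, amount, account, date) are assumptions, not any real
system's interface layout.
"""
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Constructed feeder-system export for one period.
FEEDER_EXPORT = [
    {"txn_id": "T1001", "amount": "1500.00", "account": "6100", "date": "2011-03-01"},
    {"txn_id": "T1002", "amount": "250.75", "account": "6100", "date": "2011-03-01"},
    {"txn_id": "T1003", "amount": "9800.00", "account": "1750", "date": "2011-03-02"},
    {"txn_id": "T1004", "amount": "42.10", "account": "6100", "date": "2011-03-02"},
]

# Constructed general-ledger postings for the same period.  The GL writes dates
# as MM/DD/YYYY, so "x in one system = x in the next" needs a common language
# before the two sides can be compared at all.
GL_POSTINGS = [
    {"txn_id": "T1001", "amount": "1500.00", "account": "6100", "date": "03/01/2011"},
    {"txn_id": "T1002", "amount": "250.75", "account": "6100", "date": "03/01/2011"},
    {"txn_id": "T1002", "amount": "250.75", "account": "6100", "date": "03/01/2011"},  # posted twice
    {"txn_id": "T1003", "amount": "8900.00", "account": "1750", "date": "03/02/2011"},  # amount differs
    {"txn_id": "T1999", "amount": "75.00", "account": "6100", "date": "03/02/2011"},    # no feeder record
]


def norm_date(text):
    """Parse either system's date layout into a date object."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date {text!r}")


# How each compared field is normalised before source and target are compared.
NORMALIZE = {"amount": Decimal, "account": str.strip, "date": norm_date}


def reconcile(source, target, key="txn_id"):
    """Return exceptions grouped by the business-process control they test."""
    findings = {"completeness": [], "accuracy": [], "validity": []}
    src_count = Counter(r[key] for r in source)
    tgt_count = Counter(r[key] for r in target)
    src_by_key = {r[key]: r for r in source}
    tgt_by_key = {r[key]: r for r in target}

    # Completeness: every transaction sent is accepted and processed once, and only once.
    for k, n_src in src_count.items():
        if n_src > 1:
            findings["completeness"].append(f"{k}: appears {n_src} times in source export")
        n_tgt = tgt_count.get(k, 0)
        if n_tgt == 0:
            findings["completeness"].append(f"{k}: missing from target")
        elif n_tgt > 1:
            findings["completeness"].append(f"{k}: posted {n_tgt} times in target")

    # Accuracy: transactions on both sides carry the same amount, account and date.
    for k, src in src_by_key.items():
        tgt = tgt_by_key.get(k)
        if tgt is None:
            continue
        for field, norm in NORMALIZE.items():
            if norm(src[field]) != norm(tgt[field]):
                findings["accuracy"].append(
                    f"{k}: {field} {src[field]} in source vs {tgt[field]} in target")

    # Validity: the target holds only transactions the source actually sent.
    for k in tgt_count:
        if k not in src_by_key:
            findings["validity"].append(f"{k}: in target with no source record")
    return findings


if __name__ == "__main__":
    for control, items in reconcile(FEEDER_EXPORT, GL_POSTINGS).items():
        print(control, items or "no exceptions")
```

Each exception maps back to one control objective, which is what the working papers need: the duplicate posting and the missing transaction are completeness exceptions, the changed amount is an accuracy exception, and the posting with no feeder record is a validity exception. Normalising amounts to Decimal and dates to date objects before comparing is what keeps "x = x" from failing on formatting alone.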
IT Audit - Risk to ICs
Example of a Control
• Control Activity CM-3.1. All configuration changes are properly managed (authorized, tested, approved, and tracked)
• Control Techniques (19)
– CM-3.1.1 An appropriate formal change management process is documented.
– CM-3.1.2 Configuration changes are authorized.
• Audit Procedure (21)
– Audit Procedure = Audit Step(s)
IT Audit - Risk to ICs
DFAS 7900.4-M
• Comprehensive compilation of the Federal Financial Management Improvement Act (FFMIA) and DoD system requirements
• Currently 20 volumes
• Example of one in Volume 3, PP&E (Property, Plant and Equipment)
– Maintain/Update Property Information
– Requirement ID – 03.01.43
– The property management system must provide an audit trail for entries to a property record, including the identification of the individual(s) entering or approving the information and/or data
– Federal Source: JFMIP SR-00-4, Oct 00, pg 12
http://www.dfas.mil/dfas/fmcoe/bluebook.html
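As an added example that is not part of the original briefing or of DFAS 7900.4-M, this Python script tests an audit trail of the kind requirement 03.01.43 describes against the segregation-of-duties objective from the General Controls slide: every property-record entry must identify who entered it and who approved it, the two must be different individuals, and the approver must actually hold an approval role. The role assignments, the incompatible-duty pairs, the audit-trail records, and their field names are constructed sample data and assumptions, not taken from any real property system.

```python
"""Audit-trail and segregation-of-duties tests over constructed property records.

Added example: USER_ROLES, INCOMPATIBLE and AUDIT_TRAIL are constructed
sample data; the role names and field names are assumptions.
"""

# Constructed role assignments from a hypothetical property management system.
USER_ROLES = {
    "jdoe": {"record_entry"},
    "asmith": {"record_approval"},
    "bjones": {"record_entry", "record_approval"},   # can both enter and approve
    "kmiller": {"record_approval", "user_admin"},
}

# Duty combinations treated as incompatible for this example (an assumption;
# the real conflict matrix comes from the audited organization's SoD policy).
INCOMPATIBLE = [
    ({"record_entry", "record_approval"}, "enter and approve the same class of records"),
    ({"record_entry", "user_admin"}, "enter records and administer user access"),
]

# Constructed audit-trail entries with the identification fields requirement
# 03.01.43 calls for (who entered, who approved).  None/"" means not recorded.
AUDIT_TRAIL = [
    {"entry_id": 1, "asset": "A-100", "entered_by": "jdoe", "approved_by": "asmith"},
    {"entry_id": 2, "asset": "A-101", "entered_by": "bjones", "approved_by": "bjones"},  # self-approved
    {"entry_id": 3, "asset": "A-102", "entered_by": "jdoe", "approved_by": None},       # never approved
    {"entry_id": 4, "asset": "A-103", "entered_by": "", "approved_by": "asmith"},       # entrant missing
    {"entry_id": 5, "asset": "A-104", "entered_by": "jdoe", "approved_by": "kmiller"},
]


def sod_conflicts(user_roles, incompatible=INCOMPATIBLE):
    """Users whose assigned roles contain an incompatible combination."""
    out = []
    for user, roles in sorted(user_roles.items()):
        for combo, why in incompatible:
            if combo <= roles:  # every duty in the combination is held by this user
                out.append((user, why))
    return out


def audit_trail_exceptions(trail, user_roles):
    """Entries that fail the audit-trail and approval tests, as (entry_id, reason)."""
    out = []
    for entry in trail:
        eid = entry["entry_id"]
        entered = entry.get("entered_by") or None
        approved = entry.get("approved_by") or None
        if entered is None:
            out.append((eid, "no identification of individual entering the record"))
        if approved is None:
            out.append((eid, "no approval recorded"))
            continue
        if approved == entered:
            out.append((eid, "entered and approved by the same individual"))
        if "record_approval" not in user_roles.get(approved, set()):
            out.append((eid, f"approver {approved} lacks the approval role"))
    return out


if __name__ == "__main__":
    for user, why in sod_conflicts(USER_ROLES):
        print(f"SoD: {user} can {why}")
    for eid, reason in audit_trail_exceptions(AUDIT_TRAIL, USER_ROLES):
        print(f"entry {eid}: {reason}")
```

The two tests deliberately cover each other: sod_conflicts finds the role assignment that makes self-approval possible (bjones), while audit_trail_exceptions finds the transaction where it actually happened (entry 2), which is the anticipated-versus-actual distinction the testing slide draws. An entry with no recorded entrant or approver fails the requirement regardless of who the users are.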
Enforcement of Controls
• Configuration Management Plan
• Security Policy/Plan (NIST)
• Access Control Process
• Transactional Testing
• Service Level Agreements
IT Audit - Ideas
Other Audit Ideas
• Software Change Order Requests
• Sanitization of Assets Turned in for Disposal
• Architectures – Enterprise, Systems, Network
• Network Security
• Ports and Protocols
• Wireless Network Security
• Look for economies and efficiencies
• Processes for data at rest
• Use of USB drives and portable devices
• Network Scans
FSD IT Audit – Key Docs
GAO 09-232G FISCAM, 2009
http://www.gao.gov/new.items/d09232g.pdf
DFAS 7900.4-M, 2011 (DFAS Blue Book)
http://www.dfas.mil/dfas/fmcoe/bluebook.html
AICPA Standards, continuous updates
http://www.aicpa.org/Pages/Default.aspx
National Institute of Standards and Technology (NIST)
http://www.nist.gov/index.html
Carnegie Mellon Capability Maturity Model (CMM/CMMI)
http://www.sei.cmu.edu/
Carnegie Mellon Software Engineering Institute (SEI)
Institute of Electrical and Electronics Engineers (IEEE)
Financial Systems Integration Office (FSIO)
Department of Defense and Air Force directives
Various industry best practices
Questions and Comments
Bruce Headrick, Program Manager, 334-416-4241; DSN 596-4241