
IIAT Annual Meeting 2554

CEO Integrated Management - Audit

Integrated Audit in Practice

ISACA Bangkok Chapter, Swissotel Le Concorde

2011 ISACA

Integrated Audit in practice

Why Integrated Audit?
What is Integrated Audit?
Integrated Audit in external Audit practice
Integrated Audit in internal Audit practice


Why Integrated Audit

More expectations from Management and Boards:
- greater value
- reduced or comparable cost
- emerging risks
- IA practices


Why Integrated Audit

Management and boards expect assurance over the core processes and systems that are critical for financial reporting and regulatory compliance. Internal audit should provide assurance over other risks and related processes that are integral to achieving corporate and shareholder objectives.


Why Integrated Audit

Does Internal Audit provide assurance in the areas that the Board needs? The demand for assurance covering IT risks is not being met. The top risk today is large projects with a significant IT component. Internal Audit is failing to assure IT risk at both the strategic and the detailed level.

Top six IT risks that organisations must deal with today, identified by both senior managers and Heads of Internal Audit (chart; the list itself is not reproduced in this copy).


Why Integrated Audit

Key Trends Reshaping Internal Audit: participants' anticipated deployment of IT strategies:
- Increase the IT skill level of general internal audit staff: 76%
- Increase the use of third-party experts: 60%
- Deploy higher-level, more experienced IT auditors: 54%
- Acquire more sophisticated IT tools to address IT risks: 68%
- More integration of IT audit resources into non-IT teams: 57%


The Risk Resilient Organisation

From business crisis to business resilience (diagram; labels only): Oversight and Governance; Management systems; People, culture and values.

Current high profile risk areas:
- Business Ethics and Integrity
- Data Security
- Projects and Contract Risk
- Treasury
- Sustainability
- Business interruption
- Regulation

Current high profile regulatory activity:
- Competition
- Anti-Bribery / FCPA
- Economic Crime
- Emissions / Carbon
- Senior Accounting Officer
- Industry Regulation


Risk in business: the next 20 years

Global systemic issues:
- Demography
- Environment
- Technology
- Regulation & role of government

Increasing business complexity:
- Outsourcing
- Cost cutting
- Complex supply chains
- New channels
- Product lifecycles
- Career disintegration

Specific risk issues (The Pain):
- Project & contract risks
- Business interruption risks
- Sustainability risks
- Data security & privacy risks
- Treasury risks
- Regulatory compliance risks
- Business ethics risks


The emerging risk landscape

Chart of the emerging risk landscape (risks plotted over time; only the risk labels are recoverable from this copy): Climate change; Instability in Middle East; International terrorism; Pandemic; Retrenchment of globalisation; Corruption; Oil price shock; Cyber-terrorism; Regulatory change.

Source: Economist Intelligence Unit, Risk 2018: Planning for an unpredictable decade


Why Integrated Audit

Audit committees, CEOs and CFOs continue to raise their expectations of internal audit. Many are seeking greater value at a reduced or comparable cost; however, the challenges that internal audit must overcome are numerous and varied, and impact both value and the cost to deliver it:
- Financial constraints
- Use of technology is limited
- Travel and administration is burdensome
- Lack of diverse skills
- Risk assessments and audit plans do not adequately address all risks
- Internal audit activities focus on low-value, routine projects
- Audit scope is generic and lacks focus on the most critical issues
- Quality assurance programs are not robust
- Stakeholder feedback is not solicited
- Lack of adequate measurement of return on investment and metrics
- Resolving issues with management requires significant time
- Lack of consistency in determining ratings
- Recommendations are not impactful
- Excessive time in the field
- Routine audits do not fully leverage data analytic tools
- Lack of standardized programs and procedures


What is Integrated Audit?

An outcome, not a solution in itself: a company and its Board need to have a robust process for identifying and assessing risks and the controls over those risks. They must then determine the sources and effectiveness of assurance provided over those risks and controls, and optimise this assurance.

About assurance providers working more closely together to ensure:
- the right amount of assurance
- in the right areas
- from people with the best and most relevant skills
- as cost effectively as possible

The right amount of assurance depends on the risk appetite of the company.

What Integrated Assurance looks like in practice

1. Ensure an appropriate overall risk assessment process is in place which is effective and understood by the Company and the Board.
2. Identify existing sources of assurance: identify each of the functional or risk areas of the business and determine all the sources of assurance for each of these. This enables a picture to be built up of the nature, quantity and quality of assurance across the business.
3. Determine the aggregate assurance obtained from all sources for an individual functional or risk area (including assessing whether all assurance objectives are adequately addressed) to show the overall assurance level in that area.
4. Determine the relative strength of the assurance: review and discuss the terms of reference with the assurance provider and assess the quality and quantity of work performed and the output of their reviews.
5. Engage with the Board and the Audit Committee to determine the desired level of assurance required in each area. This will enable the development of an action plan to move from the current to the desired, optimised assurance framework. This may, in turn, lead to a rearrangement of existing assurance provision.

- Provides comfort to the Board that they have made an informed decision on the optimal assurance model for the business
- Reduced cost of internal audit
- Integrated assurance across all compliance / monitoring functions
- Comprehensive risk assessment
- Greater efficiencies through standardized and simplified processes
- An audit plan that provides assurance over risks aligned with shareholder value objectives (i.e., strategic, operational, technology, compliance, financial)
- Staffing model that suits stakeholder and enterprise needs (e.g., subject matter experts, global resources)

The role of Internal Audit*

- Engaging with key stakeholders to agree the assurance required from the function: IA provides a key component of an effective assurance framework
- Taking the lead in assisting management in the development of a fully tailored Integrated Assurance framework; there is no one-size-fits-all solution
- Helping define the roles and terms of reference for each of the assurance functions
- Providing or arranging training for other assurance functions in the provision of effective assurance, including quality considerations and documentation standards
- Monitoring the performance of the various assurance functions over time
- Reviewing the assurance framework regularly in order to make any adjustments necessary to address the changing needs of the business

*The role taken by IA depends on the experience, skills and resources available in IA and in the wider business.

Integrated Audit in external Audit practice

1. Team: Financial auditor; IT auditor; Specialists (e.g. Tax, actuarial)
2. Audit Planning: Scoping; Coverage - business cycle (automated and manual controls), IT General Controls (ITGC)
3. Execution: Timing & staffing; Communication - continuously from the start of work; complete ITGC, then complete the Application Control review and substantive work
4. Completion: Report; Meeting with Management & AC

Contribution of controls to audit evidence

Diagram (labels only):
- Financial reporting: significant financial statement line items; major classes of transaction
- Financial Statement Assertions: Accuracy; Completeness; Rights & Obligations; Presentation & Disclosure; Valuation; Existence & Occurrence
- Significant automated and manual business processes; risks arising from processing transactions
- Control Activities: Business Performance Reviews; Automated controls and procedures; Reports generated from IT; Manual controls
- IT General Controls: risks arising from the use of IT systems; IT applications and infrastructure; Financial data



IT Audit Scope



Risk and control linkage - Illustration of Revenue

Example only; not inclusive of all risks to be considered.



Matters to consider
1. Team work: one team
2. Team knowledge and understanding of each other's work
3. Timely communication



Integrated Assurance: helping us deliver Value without Compromise

The more that companies grow internationally, the more they need to identify and develop potential leaders. Ideally, internal audit will train high-potential employees in key areas such as business controls, risk management, and IT audit, and then send them back into the field.



Working effectively with Internal Audit

- The division of labour between internal and external audit does need to be carefully scoped and agreed in an Integrated Assurance framework.
- There is a clear potential overlap between the financial controls work which external auditors may need to perform (depending on the audit approach) and that which internal audit may choose to perform, BUT the extent of that overlap is often less than it appears at first sight; it is important to explain the different types of work undertaken by the two audit functions to management to avoid misunderstandings.
- It is reasonable that External auditors perform more extensive financial controls work, but caution is needed before venturing beyond this to ensure that EA do not perform the role of management or do work not normally performed by the external auditor which they need to rely on for purposes of the external audit.

Simple Example Assurance Map

Assurance map (matrix; the cell ratings are not recoverable from this copy):
- Columns, management based assurance: Control self assessment; Risk Mgmt; Special project; Mgmt review; Legal / Company secretariat
- Columns, independent assurance: External Audit; Internal Audit
- Summary columns: Current Overall Assurance; Future Assurance Objective
- Rows (risk areas): Financial reporting; Financial controls; Legal; IT; Treasury; Tax, pensions & insurance; Human Resources; Fraud; Health & Safety

Rating legend:
- High assurance
- Medium assurance
- Low assurance
- No assurance, but there should be assurance in this area
- Not applicable
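Steps 3 and 5 of the integrated assurance process (aggregate the assurance obtained for each area, then compare it with the level the Board wants) and the assurance map above can be worked through in code. The following Python script is an added example and is not part of the ISACA deck: the provider and risk-area names are taken from the slide, while every cell rating, the objective column, and the combining rule (the strongest rating any provider gives counts as the current overall assurance, with a separate view of the independent providers) are constructed assumptions.

```python
"""Assurance-map gap analysis (added example, not from the ISACA deck).

Aggregates the assurance recorded for each risk area across several providers,
compares it with the Board's desired level, and lists where assurance is
missing, short, or possibly duplicated. Provider and area names come from the
slide; every rating, objective and the combining rule are constructed assumptions.
"""
from enum import IntEnum


class Assurance(IntEnum):
    """Rating legend from the slide. 'Not applicable' is modelled by omitting the cell."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


MANAGEMENT_BASED = ("Control self assessment", "Risk Mgmt", "Special project",
                    "Mgmt review", "Legal / Company secretariat")
INDEPENDENT = ("External Audit", "Internal Audit")

# Constructed sample map: area -> {provider: rating}. A provider absent from an
# area's dict is "Not applicable" for that area.
ASSURANCE_MAP = {
    "Financial reporting": {"Control self assessment": Assurance.MEDIUM,
                            "Mgmt review": Assurance.HIGH,
                            "External Audit": Assurance.HIGH,
                            "Internal Audit": Assurance.HIGH},
    "Financial controls": {"Control self assessment": Assurance.MEDIUM,
                           "External Audit": Assurance.HIGH,
                           "Internal Audit": Assurance.HIGH},
    "Legal": {"Legal / Company secretariat": Assurance.HIGH},
    "IT": {"Risk Mgmt": Assurance.LOW,
           "External Audit": Assurance.LOW,
           "Internal Audit": Assurance.LOW},
    "Treasury": {"Mgmt review": Assurance.MEDIUM},
    "Tax, pensions & insurance": {"Special project": Assurance.MEDIUM},
    "Human Resources": {"Control self assessment": Assurance.LOW},
    "Fraud": {},
    "Health & Safety": {"Mgmt review": Assurance.HIGH,
                        "Internal Audit": Assurance.MEDIUM},
}

# Constructed "Future Assurance Objective" column (the level the Board wants).
OBJECTIVES = {
    "Financial reporting": Assurance.HIGH,
    "Financial controls": Assurance.HIGH,
    "Legal": Assurance.MEDIUM,
    "IT": Assurance.HIGH,
    "Treasury": Assurance.MEDIUM,
    "Tax, pensions & insurance": Assurance.MEDIUM,
    "Human Resources": Assurance.LOW,
    "Fraud": Assurance.MEDIUM,
    "Health & Safety": Assurance.MEDIUM,
}

# Statuses, in the order they should be reported (gaps first).
NO_ASSURANCE = "no assurance but should be assurance in this area"
SHORTFALL = "shortfall"
DUPLICATION = "possible duplication"
ADEQUATE = "adequate"
REPORT_ORDER = (NO_ASSURANCE, SHORTFALL, DUPLICATION, ADEQUATE)


def current_overall(cells):
    """Current Overall Assurance for one area: the strongest rating any provider
    gives it (an assumption; step 4's quality review may downgrade a provider
    before its rating is counted)."""
    return max(cells.values(), default=Assurance.NONE)


def independent_overall(cells):
    """Strongest rating from the independent providers only; management-based
    assurance alone does not count here."""
    return max((cells[p] for p in INDEPENDENT if p in cells), default=Assurance.NONE)


def classify(cells, objective):
    """Compare an area's current assurance with its objective."""
    current = current_overall(cells)
    if current == Assurance.NONE and objective > Assurance.NONE:
        return NO_ASSURANCE
    if current < objective:
        return SHORTFALL
    # Two or more providers already at or above the objective: a candidate for
    # removing duplicated effort when the assurance provision is rearranged.
    if sum(1 for rating in cells.values() if rating >= objective) > 1:
        return DUPLICATION
    return ADEQUATE


def gap_analysis(amap=ASSURANCE_MAP, objectives=OBJECTIVES):
    """One record per area, gaps listed before areas that are already adequate."""
    rows = [{"area": area,
             "current": current_overall(cells),
             "independent": independent_overall(cells),
             "objective": objectives[area],
             "status": classify(cells, objectives[area])}
            for area, cells in amap.items()]
    rows.sort(key=lambda r: (REPORT_ORDER.index(r["status"]), r["area"]))
    return rows


if __name__ == "__main__":
    for row in gap_analysis():
        print(f'{row["area"]:<26} current={row["current"].name:<6} '
              f'independent={row["independent"].name:<6} '
              f'objective={row["objective"].name:<6} {row["status"]}')
```

With the sample data, Fraud is reported first (no assurance where the Board wants some), IT next (three providers, all only at a low level, against a high objective), and the financial areas are flagged as candidates for removing duplicated effort because several providers already give the required level. The "independent" column makes visible those areas where the only assurance comes from management itself, which step 4's review of the assurance provider's quality of work would look at before accepting the aggregate rating.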



The Integrated Assurance Benefit Curve

- Stand alone external audit: no integration with IA or other assurance providers.
- External audit scope further extended to include internal audit's operational audit coverage: too many eggs in one basket; independence and ethical risks; dilutes management responsibility for the control environment; high cost.
- External audit integrated with internal audit: planning and scoping performed together. Result: improved efficiency through elimination of duplicated effort.
- External audit integrated with many assurance providers (e.g. internal audit, compliance, legal): share best practice on controls optimisation. Result: improved efficiency through elimination of duplicated effort; improved effectiveness through introduction of best practice.

External audit scope (horizontal axis of the curve): ISA based statutory audit; integrated assurance; maximum scope (including audit, financial controls and business controls).



- Integrated Audits - Integrated Audits/ Integrated Auditor - Integrated Audit -



Core Banking, Mobile devices, Cloud Computing, Social Networking



IT Environment in business context

Diagram (labels only):
- The Value Chain of the Business: Activities; Business Processes (Financial / Operational Auditor)
- Application Controls
- IT Infrastructure Services (IT Auditor)

Source from: IT Governance Institute


External auditing Versus Internal Auditing

External Auditing
1. Done by CPA
2. Represents the interests of third-party stakeholders in the organization (stockholders, creditors, and government agencies)
3. Focus on financial statements

Internal Auditing
1. An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
2. Performs a wide range of activities on behalf of the organization
3. Done by CPA, CIA, CISA, CISM

Source from: Information Systems Auditing and Assurance by James A. Hall



Classification of Audits
Financial audits
To assess the correctness of an organization's financial statements.

Operational audits
To evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.

Integrated audits (Combine financial and operational audit steps)

To assess the overall objectives within an organization, related to financial information and assets safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.

IS audits
To collect and evaluate evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

Source from: CISA Review Manual 2011 (ISACA)


Integrated IS Auditor & Integrated Audit

Integrated Audit
Assembling an audit team including IS Audit-trained as well as financial/operationally trained auditors working together.

Integrated Auditor
To develop an expanded auditor skill set, basically to train financial/operational auditors to be partial IS Auditors. Armed with a basic understanding of computers and of general and application controls, all auditors would be able to include IS control considerations in each and every audit, as well as use basic CAATs.

Source from: Auditors Guide to Information Systems Auditing by Richard Cascarino




Internal Audit organisation chart (labels only): Internal Audit; Financial; Branch; Operational; Follow-up; Financial Audit; IT Audit


Level of integrated audit planning

Audit Universe, by type of audit plan:
- Business Process (Operational, Financial, Compliance): low-integrated audit plan = Non-IT Audit; partially integrated audit plan = Non-IT Audit; highly integrated audit plan = Integrated approach
- Application Systems (Application Controls, IT General Controls): low-integrated audit plan = IT Audit; partially integrated audit plan = Integrated approach; highly integrated audit plan = Integrated approach
- IT infrastructure Controls (Database, Operating Systems, Network): low-integrated audit plan = IT Audit; partially integrated audit plan = IT Audit; highly integrated audit plan = Integrated approach

Source from: GTAG Developing the IT Audit Plan


Integrated audits
- audit entity
- fieldwork - - - Business Process IT Process

Using an integrated internal audit team ensures that both the functional and technical risks of the project are included in the scope of the review.

Source from: GTAG Auditing IT Projects

Comfort Zone


IS Auditor

- Comfort Zone - - Attitude Plus

Financial Auditor

Operational Auditor



Three categories of IT knowledge for Internal audit

Category 1: All professional auditors, from new recruits up to CAE
- Software used in applications
- Networks
- Basic IT Security (perimeter defenses, authentication, application system controls)
- Threats and vulnerabilities associated with automated business processes
- Business controls and risk mitigation provided by IT
- Ensure the effective use of IT tools in audit assessments and testing
- Operating systems and systems software

Category 2: Supervisor level of auditing

Category 3: Technical IT audit specialists
- The underlying technologies supporting business components
- Threats and vulnerabilities associated with the technology
- Specialized technical knowledge

Source from: The IIA


Integrate audit ?
Financial Audit Plan Operational Audit Plan

IT Audit Plan
- Assign Integrated ? IT Audit entities ? - Morale

Branch Audit Plan




IS Auditor

Financial Auditor

Operational Auditor

- integrate IT Non-IT (Partial/Highly) - CAATs - IT IT - Financial/ Operational Application Control, - IT NonIT



