
RELEVANCE EXCELLENCE RESULTS

Financial Auditing for Internal Auditors


Unit 5: Technology and Accounting
Objectives
Discuss how Enterprise Resource Planning
(ERP) supports and automates the business
processes.
Discuss the risks and control breakdowns of
User-developed Applications (UDAs) and
best practices for controls over UDAs.
Describe how to minimize risk and limit
exposure in using spreadsheets.
Identify audit techniques to use in performing
an application review of a financial audit.
Enterprise Resource Planning (ERP)
Enterprise Resource Planning:
Any software system designed to support
and automate the business processes of
medium and large businesses. This may
include manufacturing, distribution,
personnel, project management, payroll, and
financials.

Webster Dictionary
List of ERP (slide image)
ERP Modules – SAP (slide images, three slides)
Architecture (diagram): the ERP sits at the center and is interfaced with the Organization IT PMO System, Procurement System, Payment Gateway, and Taxation System.
ERP Resources

Many ERP systems have associated user groups, and almost all of these user groups have an audit and security subgroup. For example, ASUG (www.asug.com) is the SAP user group.
Benefits of ERP
❑ Enhanced business reporting
❑ Better customer service
❑ Improved inventory costs
❑ Better data and cloud security
❑ Boosted cash flows
❑ Cost savings
❑ Business process improvement
❑ Supply chain management
User-Developed Applications (UDAs)
What are UDAs?
Spreadsheets and databases created and
used by end users to extract, sort, calculate,
and compile organizational data to analyze
trends, make business decisions, or
summarize operational and financial data
and reporting results.
User-Developed Apps (Examples)
❑ Sistem Catatan Atas Laporan Keuangan (CaLK) (Notes to the Financial Statements System)
❑ Sistem Informasi Manajemen Daerah (Regional Management Information System)
❑ Procurement System
❑ Sistem Aplikasi Keuangan Tingkat Instansi (SAKTI) (Agency-Level Financial Application System)
❑ Sistem Informasi Pengelolaan Keuangan Daerah (SIPKD) (Regional Financial Management Information System)
Benefits of UDAs
❑ Quicker to develop and use
❑ Configurable and flexible
❑ Readily available tools at a lower cost
UDA Risks
❑ Data integrity risks
❑ Availability risks
❑ Confidentiality risks
❑ Regulatory risks
BREAKOUT: Audit of User-Developed
Applications
Work individually.
Read the excerpt from “GTAG 14: Auditing
User-developed Applications.”
Be prepared to discuss.
Spreadsheets
Frequent uses:
Support of journal entries
Management reporting
Calculating bonuses and incentive
compensation
Spreadsheet Characteristics
❑ Easy to use
❑ Easy to share
❑ Easy to change
IT Organizational Chart (figure)
CEO
  CIO
    Security and Data Quality: security administration; quality assurance; business continuity planning; user training
    Applications and Systems: systems analysts; programmers; testers; end users
    Technical Support: database administration; data center administration; information network; web administration
    Operations: data center; help desk; telecommunications; network administration; web operation; change control; librarian; data entry
Critical IT Processes
Process (layer): Description
IT management: The set of people, policies, procedures, and processes that manage IT services and facilities
Technical infrastructure: The technology that underlies, supports, and enables primary business applications
Applications: Programs that perform specific tasks related to business operations
External connections: The corporate network connections to other external networks
Internal Audit Role in IT Auditing

Understand the organization's IT control environment.
Be aware of all legal and regulatory requirements.
Assess whether roles related to IT controls are appropriate.
Develop and implement a risk assessment process.
Identify internal and external monitoring processes.
Establish metrics and communication processes.
Communicate IT risks and controls.
Type of Controls (figure)
Type of control: Manual Controls; IT Dependent Manual Controls; Application Controls; IT General Controls (Automated Controls)
Objective of control: Prevent; Detect; Support the continued functioning of automated aspects of prevent and detect controls
IT Control Classifications

Source: Practice Guide “Information Technology Risks and Controls,” second edition
IT Internal Control Objectives
❑ Protect assets/owners' equity.
❑ Ensure that data is available, reliable, and restricted.
❑ Users accountable.
❑ Audit trail exists for all transactions.
❑ Protect privacy and identity.
❑ Protect employees' jobs.
❑ Ensure system integrity.
❑ Control automated processes.
Hierarchy of IT Controls
Reference – COBIT 5 Framework
7 enablers:
1. Principles, policies, and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics, and behavior
5. Information
6. Services, infrastructure, and applications
7. People, skills, and competencies
Reference – COBIT 5 Framework (Cont'd)
5 key principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
Goals of IT Controls and Control Frameworks
Provide:
❑ Compliance with regulations and legislation.
❑ Consistency with business objectives.
❑ Continuity with governance policies and risk appetite.
Source: Practice Guide (previously GTAG 1)
Testing Processes
Test of Design Effectiveness
Walkthrough

Test of Operating Effectiveness

Source: The Institute of Internal Auditors


IT General Controls (ITGCs)

• Apply to all system components, processes, and organizational data
• Classification:
— Logical access controls (see next topic)
— Systems development life cycle controls (see
Section III)
— Program change management controls
— Physical security controls
— System and data backup and recovery controls
— IT operational controls
Application Testing
Type of Test: Test Description
Debugging: Looking for bugs causing odd behavior or worse
Load testing: System performance running under heavy load
Throughput testing: Ability to process transactions in a specified time
Alpha testing: Conducted by developers
Beta testing: Conducted by users
Pilot testing: Preliminary and focused test of system function
Regression testing: Revisions fixed issues and didn't add new problems
Sociability testing: Operation in the intended environment (hardware, applications)
Security testing: Validating the ability to control vulnerabilities
Application Audit – Basics
Data origination → Data input → Processing → Output
Data Origination and Input

❑ Procedures
❑ Input Edits
❑ Balancing
❑ Batching
❑ Authorization
❑ Segregation of Duties
❑ Retention
Processing Controls
❑ System documentation
❑ Processing audit trails
❑ Logs
Output Controls
❑ Output distribution
❑ Integrity
❑ Record retention
❑ Destruction
Interface Controls
❑ Controls that monitor the transfer of data from one system to another or from a subsidiary ledger to a master ledger account.
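The following is an added worked example, not part of the training deck or of any of the systems it names. It turns the Data Origination and Input checklist (input edits, balancing, batching, authorization, segregation of duties) and the interface control above into executable audit checks over a constructed batch of journal entries and a constructed subsidiary ledger. The chart of accounts, the approver list, the entry identifiers, and all amounts are assumptions made up for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# Assumed chart of accounts (hypothetical; the example only checks membership).
VALID_ACCOUNTS = {"1100", "1200", "2000", "4000", "5000"}


@dataclass(frozen=True)
class JournalLine:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    prepared_by: str
    approved_by: str | None
    lines: tuple[JournalLine, ...]


@dataclass(frozen=True)
class Batch:
    batch_id: str
    control_count: int        # record count the submitter reported with the batch
    control_total: Decimal    # total debits the submitter reported with the batch
    entries: tuple[JournalEntry, ...]


def input_edit_exceptions(entry: JournalEntry) -> list[str]:
    """Input edits and balancing: flag malformed lines and entries whose debits != credits."""
    issues: list[str] = []
    if not entry.lines:
        issues.append(f"{entry.entry_id}: entry has no lines")
    for n, line in enumerate(entry.lines, start=1):
        if line.account not in VALID_ACCOUNTS:
            issues.append(f"{entry.entry_id} line {n}: unknown account {line.account}")
        if line.debit < 0 or line.credit < 0:
            issues.append(f"{entry.entry_id} line {n}: negative amount")
        if (line.debit > 0) == (line.credit > 0):
            issues.append(f"{entry.entry_id} line {n}: line must carry exactly one of debit or credit")
    debits = sum((l.debit for l in entry.lines), Decimal("0"))
    credits = sum((l.credit for l in entry.lines), Decimal("0"))
    if debits != credits:
        issues.append(f"{entry.entry_id}: unbalanced, DR {debits} vs CR {credits}")
    return issues


def authorization_exceptions(entry: JournalEntry, approvers: frozenset[str]) -> list[str]:
    """Authorization and segregation of duties: an authorized approver who is not the preparer."""
    if entry.approved_by is None:
        return [f"{entry.entry_id}: posted without approval"]
    if entry.approved_by not in approvers:
        return [f"{entry.entry_id}: approver {entry.approved_by} is not on the approver list"]
    if entry.approved_by == entry.prepared_by:
        return [f"{entry.entry_id}: preparer {entry.prepared_by} approved own entry (SoD breach)"]
    return []


def batch_exceptions(batch: Batch) -> list[str]:
    """Batching: recompute the record count and debit control total and compare with the submitted values."""
    issues: list[str] = []
    count = len(batch.entries)
    total = sum((l.debit for e in batch.entries for l in e.lines), Decimal("0"))
    if count != batch.control_count:
        issues.append(f"{batch.batch_id}: record count {count} != control count {batch.control_count}")
    if total != batch.control_total:
        issues.append(f"{batch.batch_id}: debit total {total} != control total {batch.control_total}")
    return issues


def reconcile_interface(subledger_balances: dict[str, Decimal], gl_control_balance: Decimal) -> Decimal:
    """Interface control: the subsidiary ledger must agree to its general-ledger control account.
    Returns the unreconciled difference (zero when the transfer was complete and accurate)."""
    return sum(subledger_balances.values(), Decimal("0")) - gl_control_balance


def audit_batch(batch: Batch, approvers: frozenset[str]) -> dict[str, list[str]]:
    """Run every input control over a batch and return the exceptions grouped by control."""
    return {
        "input_edits": [i for e in batch.entries for i in input_edit_exceptions(e)],
        "authorization": [i for e in batch.entries for i in authorization_exceptions(e, approvers)],
        "batching": batch_exceptions(batch),
    }


# Constructed sample batch: one clean entry and two with control failures.
SAMPLE_BATCH = Batch(
    batch_id="B-2024-07",
    control_count=3,
    control_total=Decimal("850.00"),  # submitter reported 850.00; the entries actually total 800.00
    entries=(
        JournalEntry("JE-001", "alice", "bob",
                     (JournalLine("1100", debit=Decimal("500.00")), JournalLine("4000", credit=Decimal("500.00")))),
        JournalEntry("JE-002", "carol", "carol",  # preparer approved her own entry, and it does not balance
                     (JournalLine("5000", debit=Decimal("200.00")), JournalLine("2000", credit=Decimal("150.00")))),
        JournalEntry("JE-003", "alice", None,     # unknown account, never approved
                     (JournalLine("9999", debit=Decimal("100.00")), JournalLine("1200", credit=Decimal("100.00")))),
    ),
)
APPROVERS = frozenset({"bob", "carol", "dave"})  # assumed approver list

# Constructed AR subsidiary ledger versus its GL control account (assumed account 1100).
AR_SUBLEDGER = {"C001": Decimal("7000.00"), "C002": Decimal("5345.50")}
GL_AR_CONTROL = Decimal("12300.00")

if __name__ == "__main__":
    for control, findings in audit_batch(SAMPLE_BATCH, APPROVERS).items():
        print(control, findings or ["no exceptions"])
    print("AR interface difference:", reconcile_interface(AR_SUBLEDGER, GL_AR_CONTROL))
```

Run as a script, the batch checks report JE-002 as unbalanced and self-approved, JE-003 as carrying an unknown account and no approval, and the batch control total as 50.00 short of what was submitted; the interface reconciliation reports a 45.50 difference between the subsidiary ledger and the control account. In a real application review the same checks would be run against an extract of the posted entries and the interface logs rather than constructed data.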
Access and Password Controls

❑ Security Administration
- Access (logical)
- Access (physical)
- User awareness
❑ Authenticity
WIIFM
Record any new ideas you picked up.
How will you use what you learned on
the job?
Q&A
Questions?
End of Unit 5

THANK YOU!