
Audit Implications of Integrated Financial Management Information Systems (IFMISs)

Dr. Paul Dorsey
Dulcian, Inc.
May 20, 2009

Slide 1 of 22
Conventional Wisdom

• IFMISs reduce audit risk.
• Audit the IFMIS and the non-IFMIS independently.
  • IT auditors bless the IFMIS.
  • Traditional auditors ignore the IFMIS.
• “Auditing” an IFMIS means:
  • Code control
  • Access control
  • Black-box validation
    • Inputs generate correct outputs.

Slide 2 of 22
Why should we worry?

• IFMISs INCREASE exposure.
• Standard audit techniques will not effectively assess exposure risks.
• Standard controls do not protect effectively against IFMIS-impacted exposures.
• Developed-nation companies do not usually have well-controlled environments.

Slide 3 of 22
The Main Problem

• Manual process flow:
  • Lots of automatic controls based on many people seeing the transaction.
  • Lots of controls to avoid manual data entry errors also control fraud.
  • Separation of duties well understood and controlled.
• IFMIS process flow:
  • Single point of failure
  • Vulnerable to anyone with low-level access to the system

Slide 4 of 22
Manual Process

[Flow diagram: Enter transaction → Approve transaction → Prepare check → Approve payment]

Slide 5 of 22
IFMIS Process

[Flow diagram: Enter transaction → IFMIS → Print check. Also shown: Approve transaction, Approve payment]

Slide 6 of 22
Why is this problem not widely discussed?

• Accountants/Auditors are not Information Technology (IT) trained.
• IT audit is a specialty area separated from traditional audit.
• Audit culture treats IT as independent.

Slide 7 of 22
Controlling Risk

• Control/Exposure Matrix

                        Exposures
  Control               Invalid        Data Entry   Coding   Developer-
                        Transaction    Error        Error    Introduced Fraud
  Periodic Audit        Medium         Medium       High     None
  Dual Entry            High           High         N/A      None
  Test Deck Audit       N/A            N/A          High     None
  Level of Protection   High           High         High     None

Slide 8 of 22
Ineffective Controls

• Controls that are ignored, bypassed, faked, or not implemented
  • Accountants stay up all night to “sign” documents.
  • Electronic sign-offs that are not intrusive.
  • Users demand bulk approvals.
• Separation of duties
  • Everyone trusts the “system.”
• Meaningless validations
  • System auto-calculates footing total.

Slide 9 of 22
New Controls Needed

• Artificial separation of duties
• Inefficient manual steps
  • Particularly on cash transfers
• Comprehensive control system audit
• Functional controls that go around the system

Slide 10 of 22
Exposure Risks Increased by IFMIS

• Data Entry Errors
• Fraudulent Transactions
  • Especially collusion frauds
• Subtle Process Errors
• Computer Professional Fraud
• Total loss of data
  • Physical system failure
• HUGE frauds
• Outsider access to system
  • Everyone is virused
• System hacking
  • Internet exposure

Slide 11 of 22
Decreasing Risks (1)

• Data Entry Errors
  • System validations
    • Contingent process flows
    • Validation rules
    • Check digits on account codes
  • Multi-entry (double or triple entry)
  • Review transactions
    • Audit against source documents
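As an added example (not part of the original slides), the “check digits on account codes” control in code: the slides name no specific scheme, so the weighted modulus-11 check digit below, and the constructed sample account codes, are assumptions.

```python
# Added example (not from the original slides): a weighted modulus-11 check
# digit for account codes. The slides list "check digits on account codes"
# as a control but name no scheme; mod-11 with descending weights is an
# assumed choice that catches every single-digit error and every adjacent
# transposition for code bodies of up to 9 digits (all weights < 11).

MODULUS = 11


def _weighted_sum(body: str) -> int:
    """Sum of digit * weight, weights running from len(body)+1 down to 2."""
    weights = range(len(body) + 1, 1, -1)
    return sum(int(d) * w for d, w in zip(body, weights))


def compute_check_digit(body: str) -> str:
    """Check character for an all-digit body; remainder 10 is written 'X'."""
    if not body.isdigit() or not 1 <= len(body) <= 9:
        raise ValueError("account code body must be 1-9 digits")
    remainder = (MODULUS - _weighted_sum(body) % MODULUS) % MODULUS
    return "X" if remainder == 10 else str(remainder)


def is_valid_account_code(code: str) -> bool:
    """True when body + check character has a weighted sum divisible by 11."""
    body, check = code[:-1], code[-1:]
    if not body.isdigit() or len(body) > 9:
        return False
    if check == "X":
        check_value = 10          # the check character carries weight 1
    elif check.isdigit():
        check_value = int(check)
    else:
        return False
    return (_weighted_sum(body) + check_value) % MODULUS == 0


if __name__ == "__main__":
    # Constructed sample codes; no real chart of accounts is implied.
    good = "1010234" + compute_check_digit("1010234")      # "10102345"
    transposed = good[:4] + good[5] + good[4] + good[6:]   # "10103245"
    print(good, is_valid_account_code(good))               # True
    print(transposed, is_valid_account_code(transposed))   # False
```

The data-entry screen would reject the transposed code before it ever reaches the ledger, which is the kind of system validation the slide refers to.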

Slide 12 of 22
Decreasing Risks (2)

• Fraudulent Transactions
  • Same controls as data entry errors
  • More levels of review
  • Random assignment of review
  • Explicitly audit for fraud

Slide 13 of 22
Decreasing Risks (3)

• Subtle Process Errors
  • Code review
  • Exhaustive test decks
  • “Test first” philosophy
  • Business Rules approach
  • Manual and automated testing

Slide 14 of 22
Decreasing Risks (4)

• Computer Professional Fraud
  • Pair programming
  • Explicit QA of all code
  • Control “around” system
    • Reports/Controls NOT built/controlled by same team
  • Hire honest people
  • Place manual (non-system-dependent) control on all cash transfers

Slide 15 of 22
Decreasing Risks (5)

• Total loss of data
  • Transaction-level, off-site back-up
  • Multi-site (out of country) back-up
  • Test back-up strategy

Slide 16 of 22
Decreasing Risks (6)

• Huge Frauds
  • Don’t automate cash transfer
  • Don’t automate cash transfer
  • Don’t automate cash transfer
  • Don’t automate cash transfer
  • Don’t automate cash transfer

Slide 17 of 22
Decreasing Risks (7)

• Outsider Access to System
  • No administrator rights for users
  • No external data devices for machines
    • No USB keys
    • No floppy drives
  • Serious penalty for security violations
  • Real virus, firewall, security software
  • Good security protocol
    • Passwords
    • Physical access

Slide 18 of 22
Decreasing Risks (8)

• System Hacking
  • Get a security audit by a leading expert

Slide 19 of 22
Conclusions

• IFMISs increase audit risk.
• Additional controls are necessary to reduce risks.
• Most auditors ignore the issue.

Slide 20 of 22
Dulcian’s BRIM® Environment

• Full business rules-based development environment
• For Demo
  • Write “BRIM” on business card

Slide 21 of 22
Contact Information

• Dr. Paul Dorsey – paul_dorsey@dulcian.com
• Dulcian website – www.dulcian.com

[Book covers: Design Using UML Object Modeling; Developer Advanced Forms & Reports; Designer Handbook]

Latest book: Oracle PL/SQL for Dummies

Slide 22 of 22