your auditors
Andrei Lepekhin
KPMG IT audit
September 2011
Contents
1. Link between the goals of IT solution implementation:
   - from the company's viewpoint;
   - from the auditor's viewpoint.
2. What does the auditor look at in terms of IT?
   What can you ask your auditor about:
   - before the audit;
   - after the audit.
3. How do the results of the work of IT specialists affect the audit approach?
2011 ZAO KPMG, a company incorporated under the Laws of the Russian Federation, a subsidiary of KPMG Europe LLP, and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Company's viewpoint:
- Automation of the process of financial statements preparation; reconcilability.
- Automation of the process of budgeting and management accounting.

Auditor's viewpoint:
- How is the process designed?
- What controls are in place?
- How effective are they?

Cases cited on the slide: ABS (automated banking system) implementation in a bank; rollout in the regions; non-compliance with 152-FZ (the Russian Federal Law "On Personal Data").
Figures shown: $24 mln in damages; $3 mln implementation cost.
Further figures shown: $3 mln; $0.8 mln urgent fixes.
Audit approach:
1. IT Governance. Which?
2. General IT controls. Which?
4. Additional procedures.
Analysis of adjustments (chart: adjustment amounts for Subsidiary 1, Subsidiary 2 and Subsidiary 3; the extracted axis ticks and bar values are not reproduced here).
IT planning is performed in close cooperation with the business, which is a key factor in building and implementing a successful strategy. However, IT planning should be undertaken in a more systematic
Area of planning    | Area dynamics | Adopted planning method
--------------------+---------------+------------------------------------------------------------------------------
Architecture of IT  | High          | Close cooperation between the business and IT
Applications        | Average       | Medium-term planning of IT projects
Infrastructure      | Low           | Short-term planning of IT projects
IT management       | Low           | No planning is performed; changes are introduced based on ad hoc decisions
IT personnel        | Average       | Short-term planning; the HR department plays a more important role than IT management

Observations (the slide's assignment of each observation to a row is not recoverable):
- High dependency on the personal qualities of specific directors and their communication skills.
- Stagnation of IT processes, leading progressively to their inefficiency and ineffectiveness.
- Difficulty of maintaining the competences of IT management.

Recommendations:
- Organize close cooperation between HR and IT in the management of training.
The human factor in losses of petroleum products

System of internal controls at the level of business processes
Typical loss scenarios:
- The operator has the ability to distort information on the balances of petroleum products in tanks in shift reporting through the intentional distortion of the density level in system A (within the established range of permissible density levels in the system).
- After opening the release valve, the driver may pour some of the petroleum products into a neighbouring section of the tank car which had previously been drained.
- The driver may place some kind of storage tank (for example a pot or bucket) within a section of the tank car, which will prevent the complete draining of the section.

Contributing factors (chart shares shown: 45%, 20%, 20%):
- Low qualifications of operators, ignorance of the production process.
- Complexity and inaccuracy of the process for measuring the mass of petroleum products.
- Bad-faith attitude of the operators of filling stations to their employment duties.
Stage: Tank farm
- Control over the quantity and quality of the petroleum products accepted from the oil refinery to the tank farm.
- Existence of automated equipment to control the loading of petroleum products into tank cars.
- Control of the introduction of regulatory information and reference data in system A (list of gasoline tankers, indicating the number of sections, their capacity, the dates of the last calibration, etc.).

Stage: Filling station
- Control over the quantity and quality of the petroleum products delivered from the tank farm to the filling station.
- Existence of automated measuring facilities to check the level of petroleum products in the tank of the filling station.
- Existence of automated measuring facilities to measure gasoline consumption at the time of sale.
- Control over disparities between the actual balance and the booked balance at the filling station at the end of the shift.

All stages
- Routine inventory of the filling station (the level of petroleum products in the tank, the temperature and density of the petroleum product). For the filling stations of Enterprise 1 the inventory is performed twice a year; for the filling stations of Enterprise 2 it is performed once a quarter.

(The slide compares the presence of each control at Enterprise 1 and Enterprise 2; the per-enterprise marks are not recoverable from the extracted text.)
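The density-distortion scenario and the shift-end reconciliation control above are the kind of thing an audit team would test analytically over a whole period rather than by reading a sample of shift reports. The following Python is an added example written for this page, not code from KPMG or from either enterprise: it recomputes the mass implied by the measured volume and the operator-entered density, compares it with the booked balance, flags entries that sit at the edge of the permissible density range in system A, and looks for operators whose entered densities drift systematically from a reference density. The density range, tolerances, reference density, operator names and shift readings are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# All thresholds and sample data below are constructed assumptions for the
# example; none of the figures come from the audit described on the slide.
DENSITY_MIN = 0.720          # permissible density range in "system A", kg/L
DENSITY_MAX = 0.775
EDGE_TOLERANCE = 0.002       # entries this close to a range edge are suspicious
MASS_TOLERANCE = 0.005       # 0.5 % permitted gap between measured and booked mass
REFERENCE_DENSITY = 0.750    # density from the refinery quality certificate (assumed)
OPERATOR_BIAS_LIMIT = 0.010  # mean per-operator drift from the reference that is flagged


@dataclass(frozen=True)
class ShiftReading:
    shift_id: str
    operator: str
    volume_l: float        # tank volume measured at shift end (litres)
    density_kg_l: float    # density entered by the operator in system A
    booked_mass_kg: float  # mass carried in the book balance for the shift


def measured_mass_kg(r: ShiftReading) -> float:
    """Physical mass implied by the measured volume and the entered density."""
    return r.volume_l * r.density_kg_l


def mass_deviation(r: ShiftReading) -> float:
    """Relative gap between measured and booked mass (positive = measured exceeds booked)."""
    return (measured_mass_kg(r) - r.booked_mass_kg) / r.booked_mass_kg


def density_at_range_edge(r: ShiftReading) -> bool:
    """True when the entered density sits at the limit of what system A accepts.

    An operator who wants to move the mass balance as far as possible without
    tripping the system's own range check will tend to enter values here.
    """
    return (r.density_kg_l <= DENSITY_MIN + EDGE_TOLERANCE
            or r.density_kg_l >= DENSITY_MAX - EDGE_TOLERANCE)


def flag_shifts(readings):
    """Return {shift_id: [reasons]} for shifts that need a second look."""
    flags = {}
    for r in readings:
        reasons = []
        if abs(mass_deviation(r)) > MASS_TOLERANCE:
            reasons.append("mass_mismatch")
        if density_at_range_edge(r):
            reasons.append("density_at_range_edge")
        if reasons:
            flags[r.shift_id] = reasons
    return flags


def operator_density_bias(readings):
    """Mean entered density per operator minus the reference density."""
    by_op = {}
    for r in readings:
        by_op.setdefault(r.operator, []).append(r.density_kg_l)
    return {op: mean(vals) - REFERENCE_DENSITY for op, vals in by_op.items()}


def flag_operators(readings):
    """Operators whose entries drift systematically from the reference density."""
    return sorted(op for op, bias in operator_density_bias(readings).items()
                  if abs(bias) > OPERATOR_BIAS_LIMIT)


# Constructed sample: two operators over six shifts. "petrov" consistently enters
# densities at the top of the permitted range; shift S6 has a plain book/actual gap.
SAMPLE_READINGS = [
    ShiftReading("S1", "ivanov", 50_000, 0.7450, 37_250.0),
    ShiftReading("S2", "ivanov", 48_000, 0.7480, 35_904.0),
    ShiftReading("S3", "petrov", 52_000, 0.7740, 40_248.0),
    ShiftReading("S4", "petrov", 49_000, 0.7745, 37_926.0),
    ShiftReading("S5", "petrov", 51_000, 0.7740, 39_474.0),
    ShiftReading("S6", "ivanov", 47_000, 0.7460, 34_500.0),
]

if __name__ == "__main__":
    for shift, reasons in flag_shifts(SAMPLE_READINGS).items():
        print(shift, ", ".join(reasons))
    print("operators to review:", flag_operators(SAMPLE_READINGS))
```

Running the block prints the flagged shifts and the operators to review. The per-operator drift check is the part that matters: a single reading at the edge of the range can be legitimate, whereas a pattern of edge values from one operator is what "intentional distortion within the permitted range" looks like in the data, and it is invisible to system A's own range check by construction.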
Centralized goals management and bonus process (process map; M = manual control, A = automated control)

Process steps and the activities shown for each:
(1) Goals setting: manual input of goals; input of employees' data in the CHR system; manual modification of employees' position.
(2) Goals reporting: manual reporting on goals status.
(3) Consolidation of reporting: consolidation of management goals reporting in ETWeb; manual consolidation of employees' goals reporting; consolidation of management and employees' goals reporting.
(4) Setting of bonus fund: adding data on standard bonuses in management reports; applying standard bonuses to management reports (automated).
(5) Distribution of bonuses: modification of employees' bonuses by management; manual modification of employees' bonuses by management in CGM (in case of necessity).
(6) Bonus input in HR system: transfer of bonus data reports from HR to management; input of approved bonus data in HR systems.

Control counts shown on the map: 1 control; 9 controls on average; 3 controls; 4 controls on average.

The slide illustrates the relatively high reliance on manual controls for goals setting. The use of a Centralized Goals Management (CGM) system integrated with a Centralized HR (CHR) system may reduce the number of manual controls in the area of goals setting and performance review, and allow for transparent monitoring and a cost-effective process for management reporting on employees' performance. Applying standardized bonus fund allocation in the CGM system may allow for automated transfer of bonus data to the CHR system.
IT risk assessment (heat map)

Areas assessed:
- User access revoking
- Segregation of duties and monitoring
- End-user awareness of information security policies and procedures

The map plots Impact (low, medium, major, high, critical) against Likelihood (remote, possible, manageable, likely), with each area rated low, medium or high; the numbered markers 3, 4 and 5 on the map correspond to the areas above. Caption fragment (partly lost in extraction): "... are overall effective. However ... financial ..."
Source: KPMG audit team's assessment of general controls for the audit
Audit approach (figure): Controls; Areas of high risk and professional judgment; Detailed procedures; Testing of IT processes.
Q&A