
IT: what to ask from your auditors

Andrei Lepekhin
KPMG IT audit
September 2011


Contents
1. Link between the goals of IT solution implementation:
   - from the company's viewpoint;
   - from the auditor's viewpoint.
2. What does the auditor look at in terms of IT? What can you ask your auditor about:
   - before the audit;
   - after the audit.
3. How do the results of the work of IT specialists affect the audit approach?

2011 ZAO KPMG, a company incorporated under the Laws of the Russian Federation, a subsidiary of KPMG Europe LLP, and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.



Purposes of implementing IT solutions

Company:
- Automation of business processes;
- Cost reduction;
- Increasing work efficiency;
- Accelerating report preparation and improving their reliability;
- Reduction in the risk of fraud and human error;
- Improved business manageability;
- Improved business transparency;
- Increase in market capitalization and shareholder value.

Auditor:
- Automation of the process of financial statements preparation; reconcilability;
- Automation of the process of budgeting and management accounting;
- How is the process designed? What controls are in place? How effective are they?


Goals of IT solution implementation from the auditor's viewpoint

Insufficient attention to controls during the implementation phase, two examples:

Foreign telecoms operator in Russia
- No SOD (segregation of duties) in billing: 2 employees, direct management, SOD matrix.
- $24 mln in damages; the Russian top manager was dismissed.

ABS implementation in a bank
- Rollout in the regions; non-compliance with 152-FZ.
- Implementation cost $3 mln; urgent fixes $0.8 mln; QA $0.05-0.1 mln.




What can you ask your auditor about?

Prior to the audit:
1. IT governance
2. General IT controls (which?)
3. Application level controls (which?)
4. Additional procedures

After the audit:
- Analysis of adjustments

Number of entries after the close of the period

This slide shows the results of an analysis of the number of entries related to a period that had already been closed at the time when the entries were made.

Chart: number of entries posted after the close of the period, one bar chart per subsidiary (Subsidiary 1, Subsidiary 2, Subsidiary 3); y-axis: number of entries.


Management of IT and information security

Structure of IT strategic planning

IT planning is performed in close cooperation with the business, which is a key factor in building and implementing a successful strategy. However, IT planning should be undertaken in a more systematic way, with due account for the specifics of IT processes.

Area of planning: Link with the business
- Area dynamics: High
- Adopted planning method: Close cooperation between the business and IT
- Main risk in the current situation: High dependency on the personal qualities of specific directors and their communication skills

Area of planning: Architecture of IT applications
- Area dynamics: Average
- Adopted planning method: Medium-term planning of IT projects

Area of planning: Infrastructure
- Area dynamics: Low
- Adopted planning method: Short-term planning of IT projects
- Main risk in the current situation: Constant work at the limit of computer capabilities
- Recommendation: Implement a three-year planning process for capacity and infrastructure

Area of planning: IT management
- Area dynamics: Low
- Adopted planning method: No planning is performed; changes are introduced based on ad hoc decisions
- Main risk in the current situation: Stagnation of IT processes, leading progressively to their inefficiency and ineffectiveness
- Recommendation: Organize the audit of IT processes and planning for their development

Area of planning: IT personnel
- Area dynamics: Average
- Adopted planning method: Short-term planning; the HR department plays a more important role than IT management
- Main risk in the current situation: Difficulty of maintaining the competences of IT management
- Recommendation: Organize close cooperation between HR and IT in the management of training

Organization of a group selling petroleum products on the domestic market

The human factor in losses of petroleum products. System of internal controls at the level of business processes.

In our opinion, the human factor is one of the underlying factors for losses at filling stations.

Factors resulting in the emergence of losses of petroleum products at filling stations (results of an anonymous poll of employees):
- Low qualifications of operators, ignorance of the production process: 45%
- Complexity and inaccuracy of the process for measuring the mass of petroleum products: 20%
- Bad faith attitude of the operators of filling stations to their employment duties: 20%
- Other: 15%

Examples of losses incurred as a result of fraud perpetrated by employees ("Other" on the diagram):
- Operators have the ability to distort information on the balance of petroleum products in system A through the intentional misstatement of information on the amount of petroleum products delivered/accepted during the shift.
- The operator has the ability to distort information on the balances of petroleum products in tanks in shift reporting through the intentional distortion of the density level in system A (within the established range of permissible density levels in the system).
- After opening the release valve, the driver may pour some of the petroleum products into a neighboring section of the tank car, which had previously been drained.
- The driver may place some kind of storage tank (for example a pot or bucket) within a section of the tank car, which will prevent the complete draining of the section.
- If there is any increase in the temperature of the gasoline during transportation, the level of gasoline may exceed the established bar. The driver may then pour out the gasoline up to the bar.
- The driver may close the valve before the section is drained.
- Unauthorized side branches from the drain connections of the gasoline tanker are possible, which would make it possible to divert some of the fuel into a prepared storage tank.

During the audit we identified a number of controls used to account for the movement of petroleum products at the main stages of the process. We identified a high degree of reliance on manual controls. In our opinion, it would be possible to optimize a number of processes in order to reduce the likelihood of the loss of petroleum products.

Stage / Parameter for assessment / Enterprise 1 / Enterprise 2
(Legend: in general good; there is room for improvement; improvements are essential. The Enterprise 1 and Enterprise 2 ratings were colour-coded on the slide.)

Stage: Tank farm
- Control over the quantity and quality of the petroleum products accepted from the oil refinery to the tank farm.
- Existence of automated equipment to control the loading of petroleum products into tank cars.
- Control of the introduction of regulatory information and reference data in system A (list of gasoline tankers, indicating the number of sections, their capacity, the dates of the last calibration, etc.).

Stage: Filling station
- Control over the quantity and quality of the petroleum products delivered from the tank farm to the filling station.
- Existence of automated measuring facilities to check the level of petroleum products in the tank of the filling station.
- Existence of automated measuring facilities to measure gasoline consumption at the time of sale.
- Control over disparities between the actual balance and the booked balance at the filling station at the end of the shift.
- Routine inventory of the filling station (the level of petroleum products in the tank, the temperature and density of the petroleum product). For the filling stations of Enterprise 1 the inventory is performed twice a year; for the filling stations of Enterprise 2, once a quarter.

Stage: All stages
- Minimization of the manual input of information.
- The permissible gauging error (according to the opinion of the employees that we surveyed, it may be reduced for the purpose of more stringent control over the losses of petroleum products).

Reliance on manual controls: goals setting, performance review and bonus payment

The slide illustrates the relatively high reliance on manual controls for the goals setting and performance review area. The use of a Centralized Goals Management (CGM) system integrated with a Centralized HR (CHR) system may reduce the number of manual controls in the area of goals setting and performance review, and allow for transparent monitoring and a cost-effective process for management reporting over employees' performance. Applying standardized bonus fund allocation in the CGM system may allow for automated transfer of bonus data to the CHR system.

Process steps: (1) Goals setting; (2) Goals reporting; (3) Consolidation of reporting; (4) Setting of bonus fund; (5) Distribution of bonuses; (6) Bonus input in HR system. Legend: M = manual control, A = automated control.

Current control mix:
- Manual input of goals
- Manual modification of employees' position
- Manual reporting on goals status
- Manual consolidation of employees' goals reporting
- Consolidation of management goals reporting in ETWeb
- Adding data over standard bonuses in management reports
- Bonus data reports transfer from HR to management
- Modification of employees' bonuses by management
- Bonus data reports transfer from management to HR
- Input of approved bonus data in HR systems

Typical control mix:
- Input of employees' data in CHR system
- Manual input of goals
- Manual reporting on goals status
- Consolidation of management and employees' goals reporting
- Applying standard bonuses to management reports
- Manual modification of employees' bonuses by management in CGM (in case of necessity)
- Approved bonus data transfer from CGM system to CHR

Control tallies on the slide: current mix 9 manual controls and 1 automated control; typical mix 4 manual controls on average and 3 automated controls.

Source: Observation from audit process walkthroughs

General IT Controls observations

IT risk assessment: our view of the key IT risks

In our view, the General IT Controls of the Group are overall effective. However, we noted a number of issues which may ultimately lead to modification of data critical to financial reporting.

Area: User access revoking
- Key risk to consider: Delayed termination of the accounts of discharged employees increases the risk of unauthorized or otherwise inappropriate access to the financial reporting data, its unauthorized disclosure, distortion and other misuse.

Area: Segregation of duties and monitoring
- Key risk to consider: Lack of configuration of access rules and lack of monitoring procedures over users' roles in information systems may ultimately lead to unauthorized or otherwise inappropriate use or modification of information critical to financial reporting.

Area: End-user awareness of information security policies and procedures
- Key risk to consider: Lack of formal communication of the end-user information security policy to employees increases the risk of violation of the information security requirements, which may ultimately lead to inappropriate use or modification of data critical to financial reporting.

Area: Password settings and password policy
- Key risk to consider: Weak password configuration settings increase the risk of unauthorized access to the information systems and, as a result, possible distortion, unauthorized disclosure or other misuse of the financial reporting data.

Area: Monitoring over administrators' activities
- Key risk to consider: Absence of a monitoring procedure over administrative activities increases the risk of untraceable modifications to the financial reporting data, its unauthorized disclosure, distortion and other misuse.

Area: Authorization of program changes
- Key risk to consider: Absence of authorization of changes by IT management in information systems increases the risk of unauthorized or low-quality changes to the information system, which may lead to unstable operation of the information system or its operation in a way not consistent with business needs.

Heat map on the slide: the issues are plotted by Impact (low, medium, high, critical) against Likelihood (remote, possible, likely), with cells rated manageable, major or critical.

Source: KPMG audit team's assessment of general controls for the audit
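As an added example, not material from the KPMG deck, the following check shows how the first risk above (delayed revocation of leavers' accounts) can be tested from two extracts an auditor typically requests: it joins a constructed HR leavers list against a constructed directory export and flags accounts that are still enabled, were disabled late, or were used after the termination date. The field names emp_id, enabled, disabled_on and last_logon are assumptions.

```python
"""Delayed-revocation check for leavers' accounts (added example, not from the KPMG deck).
All data below is constructed; the field names emp_id, enabled, disabled_on and
last_logon are assumptions to be mapped onto your own HR extract and directory export."""
from datetime import date

# Constructed HR leavers extract: employee id -> termination date
HR_LEAVERS = {"E001": date(2011, 3, 31), "E002": date(2011, 5, 15), "E003": date(2011, 6, 30)}

# Constructed directory export, one record per account (svc_backup has no employee id)
ACCOUNTS = [
    {"user": "ivanov", "emp_id": "E001", "enabled": False,
     "disabled_on": date(2011, 4, 2), "last_logon": date(2011, 3, 31)},
    {"user": "petrov", "emp_id": "E002", "enabled": True,
     "disabled_on": None, "last_logon": date(2011, 6, 10)},
    {"user": "sidorov", "emp_id": "E003", "enabled": False,
     "disabled_on": date(2011, 7, 20), "last_logon": date(2011, 7, 8)},
    {"user": "svc_backup", "emp_id": None, "enabled": True,
     "disabled_on": None, "last_logon": date(2011, 8, 1)},
]
AS_OF = date(2011, 8, 31)  # date of the directory export (constructed)


def find_revocation_exceptions(leavers, accounts, as_of, max_lag_days=2):
    """Return (user, finding, days) for each leaver account that is still enabled,
    was disabled more than max_lag_days after termination, or shows a logon after it."""
    findings = []
    for acct in accounts:
        term = leavers.get(acct["emp_id"])
        if term is None:
            continue  # not a leaver, or an account with no employee id
        if acct["enabled"]:
            findings.append((acct["user"], "still enabled", (as_of - term).days))
        elif (acct["disabled_on"] - term).days > max_lag_days:
            findings.append((acct["user"], "disabled late", (acct["disabled_on"] - term).days))
        if acct["last_logon"] and acct["last_logon"] > term:
            findings.append((acct["user"], "logon after termination", (acct["last_logon"] - term).days))
    return findings


def run_check():
    """Run the check over the constructed data with the default 2-day tolerance."""
    return find_revocation_exceptions(HR_LEAVERS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, finding, days in run_check():
        print(f"{user}: {finding} ({days} days)")
```

Accounts without an employee id (service accounts) are skipped here and need a separate ownership review; the tolerance max_lag_days is whatever the organization's leaver procedure commits to.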

Impact of IT specialists' work on the audit approach

First diagram: Areas of high risk and professional judgment; Controls; Detailed procedures; Testing of processes.

Second diagram: Areas of high risk and professional judgment; Controls; Detail procedures; Testing of IT processes.


Q&A

