Assessment

1
IT Auditing 1 INTRODUCTION Edo Roos
Lindgreen roos.edo_at_kpmg.nl
2
Why this course?

• How important is IT for the auditor?
• Clients consider IT investments of strategic
  importance
• Clients spend a substantial percentage of their
  annual turnover on information technology
• Clients are increasingly dependent on information
  technology for the continuity of their business
  processes
• Total automation of financial administration
• IT is recognized as an essential element of
  postgraduate auditing courses (Nivra,
  universities, auditing firms)

3
What is this course about?

• In this course, you learn about
• Business opportunities and business risks of IT
• Information risk management
• IT and the financial statement and IT-auditing
• Impact on auditors strategy and daily work
• IT issues and trends erp, e-business
• Apply knowledge in practical situations
• Attestation
• Advisory

4
Some practical information

• Class
• Autumn 2001, each Friday, 1300-1500, room A-E
• Course staff
• Dirk Brouwer, Herman van Gils, Jur Huizenga, Rob
  Schouten, Edo Roos Lindgreen
• Guest lecturers
• Jaap Acohen, Jaap van Beek, Carlos Cordeiro,
  André Koet, Carolien Schönfeld, Job Stierman
• Exam
• Exam January and April 2002
• Example questions during classes,
• Summary class in January

5
What should I read?

• Handouts
• Download 1 week before class, www.pdoa.nl
• Books and articles
• Messier
• Overbeek
• Nivra 34
• Compact
• Recommended reading
• Acohen
• Weber
• Nivra

6
Roadmap
Introduction
Information risk management
IT and the financial statement
IT-issues
7
Some basic questions
8
What is IT anyway?

• Hardware and software used to process, store and
  communicate information in order to support one
  or more business processes

9
A simple layered model
network
Computer A
Computer B
10
What are the basic IT components?

• Software
• Application
• Program code offering user functionality
• Middleware
• Generic functions, eg database, mail,
• Operating system
• Controls the hardware and the peripherals
• Network protocols
• Used for communication, often built into OS

• Hardware
• Processor
• Executes instructions in application programs
• Memory
• Used to store application programs and data
• Storage
• Used to store files and databases
• Peripheral equipment
• Used for communication, interaction,
  presentation,

11
Where can I buy this great IT stuff?

• Hardware manufacturers
• IBM, Sun, Hewlett-Packard, Compaq, Cisco, EMC,
• Application suppliers
• Microsoft, SAP, Siebel, Oracle, Peoplesoft, JDE,
  IBM,
• Many specific, tailor-made systems
• Middleware suppliers
• Oracle, IBM, Microsoft, Veritas,
• Operating system suppliers
• Microsoft, IBM, Sun, Hewlett-Packard
• System integrators
• CMG, Cap Gemini Ernst Young, IBM, EDS,
  PinkRoccade, Logica, Getronics, KPMG, Deloitte
  Touche, Accenture,

12
Whats so special about IT?

• Capacity per euro per annum
• processing power, storage capacity, bandwidth
• Capacity per square foot per annum
• organisation, department, desktop, laptop,
  pocket, wrist
• Connectivity
• all is connected to all
• Understandability
• increasing complexity
• Manageability
• increasing management costs
• Securability
• confidentiality, integrity, availability

13
Mega, giga, tera

• Mega (1024)2 huge
• Giga (1024)3 gigantic
• Tera (1024)4 monstrous / to the fourth
• Peta (1024)5 to the fifth
• Exa (1024)6 to the sixth
• Zeta (1024)7 to the seventh
• Yota (1024)8 to the eighth

14
Quality information systems should be

• Correct - accurate, free of errors
• Complete - containing all important facts
• Efficient - yield more than it costs to produce
• Flexible - useable for variety of purposes
• Reliable dependable
• Relevant - important to the decision maker
• Simple - beware of information overload
• Timely - up-to-date and delivered in time
• Verifiable - possible to check correctness and
  completeness
• Accessible - user-friendly
• Secure - protected from access by unauthorized
  users
• Documented for developers, managers and users
  alike

15
Managing information risks
16
Standards of due care

• Minimum level, best practice
• Comprise general and application controls
• Increasingly process-oriented
• Examples
• software development (SDM)
• project management (PRINCE2)
• IT management (ITIL)
• information security (BS 7799)
• IT-auditing (COBIT)

17
Why is IT important for the auditor?

• Legal obligation
• Materiality
• Going concern
• Know thy client
• Your own benefit

18
Why?Legal obligation

• BW, Artikel 393, lid 4
• De accountant brengt omtrent zijn onderzoek
  verslag uit aan de raad van commissarissen en aan
  het bestuur. Hij maakt daarbij tenminste melding
  van zijn bevindingen met betrekking tot de
  betrouwbaarheid en continuïteit van de
  geautomatiseerde gegevensverwerking.

19
Why?Materiality

• Material misstatements may be caused by
• Financial systems producing unreliable
  information
• Activation of substantial investments that fail
  to contribute to turnover and profit
• Inadequate security measures causing
  deterioration of separation of duties
• Failing IT systems scaring off key clients

20
Why?Going concern

• Failing information systems may endanger the
  continuity of your clients business processes.
• A failing IT strategy may endanger your clients
  market position.

21
Why?Know thy client

• As an auditor, you can improve your position as a
  trusted and respected sparring partner by sharing
  your knowledge on issues that are important to
  your client. Information technology is one of
  them.

22
Why?Your own benefit

• The auditor can use information technology as a
  powerful weapon to improve the effectiveness and
  efficiency of his audit approach. Examples
  include knowledge management systems, analysis
  tools, workflow systems and electronic filing
  systems.

23
Its a matter of attitude

• Whats in it for me?
• Whats in it for my clients business?

24
Roadmap
2. Business opportunities 3. Information risk
management
4. Financial mgt and IT organisation 5. System
development 6. IT management 7. Security
13. ERP 14. E-business 15. Forensic
8. and 9. IT and the financial statement 10. Due
diligence 11. Digital durability 12. Knowledge
management
25
Questions
?