Internal Audit's Role on Large-Scale Projects - Peter M. Low - PowerPoint PPT Presentation

About This Presentation
Title: Internal Audit's Role on Large-Scale Projects - Peter M. Low

Description: The Nature/Status of Issues Can Change Rapidly ... Data Review, Validation and Cleansing Efforts Associated with Conversion Are ... (PowerPoint PPT presentation)

Slides: 27
Provided by: isaca6
Transcript and Presenter's Notes



1
Internal Audit's Role on Large-Scale Projects
Peter M. Low
February 23, 2005
2
Agenda
  • What Projects Should Audit Get Involved In?
  • Audit's Role(s) and Value Contribution
  • Principles of Audit Involvement
  • Audit Integration/Communication with Project
    Teams
  • Areas of Audit Focus on ERP Projects
  • Audit Project Involvement Roadmap
  • Audit Challenges and Key Takeaways

3
Projects Audit Should Get Involved In
  • Usually Enterprise-wide Scope and Higher Risk
    Impact
  • Business Process and/or IT Change Impacting
    Controls
  • Processes That Can Impact Financial Reporting
  • Job Roles and Responsibilities Changing
    (SOD/Security)
  • Significant Resources Allocated from the
    Organization
  • Business Process Re-engineering Initiatives
  • Systems/Technology Development Projects
  • Packaged Software Implementations (ERP)

Focus of Our Discussion Today
4
Audit's Role and Responsibilities
  • In General
      • Identify Risk
      • Communicate Risk
      • Drive Management to Appropriately Remediate Risk
  • On Large-Scale Projects
      • Full-time Auditors Working with Project Team
      • Audit Director Integrated with Project
        Management Team
      • Coaching on Internal Control Designs and S-O-404
        Compliance
      • Risk/Controls Feedback on Key Process and/or IT
        Designs
      • Drive Project Team Accountability for
        Implementation of Controls
      • Review Controls Built into Process and/or
        Systems Designs
      • Post-Implementation Reviews
      • Provide Counsel to Project Teams; Do Not Own the
        Design of Controls
      • Don't Lose Independence: Educate, Facilitate,
        Coach and Verify

5
The Art of Being a Consultative Auditor
Manage the Balance Between Being a Coach/Consultant and
a Compliance Auditor. It's a Dual/Phased Approach:
Project Role vs. Traditional Role.
6
Evolving Audit Responsibilities
Diagram: a spectrum of audit roles running from Reactive to Proactive.
  • Point in Time Review of Existing Controls
    (Reactive end: "Audit is Often Stuck Here")
  • Periodic Reviews of Control Effectiveness
  • Advisor to Project Team on Risk and Controls
  • Active Participant on Project Team Designing
    Control Solutions (Proactive end: "S-O-404 Driving
    Us Here")
It's Fundamentally Harder to Audit a Moving Target
7
Audit Value - General
  • Risk Assessment and Management Experience
  • Knowledge of Controls and S-O-404 Compliance
    Requirements
  • Understanding of Integrated Business Processes
  • Possesses The "Prove It To Me" Discipline
  • Objective and Independent Perspective
  • Pre-existing Communication Channels to Management

8
Guiding Principles of Audit Involvement
  • Proactive: Become A Partner, Be There, Engage
    w/ the Project Early!
  • Flexibility: Adjust Audit Work To Project
    Schedules As Appropriate
  • Business Process Driven: Focus On Business
    Process, Not Just IT
  • Risk Based: Focus On Defining Risk/Impact
    First, Controls Second
  • Solution Oriented: Co-develop Actionable
    Controls (Auto. & Man.)
  • Skate To The Puck: Provide the Answer Key of The
    Controls' End State
  • Drive Controls Ownership: Project Teams Own
    Controls, Not Audit
  • Communication: Simple/Timely, Set Expectations
    Early At All Levels

9
How To Integrate w/ Project Teams
  • Build Control Objectives Into Project Teams
    Workplans
  • Co-locate Resources w/ Project Teams When
    Appropriate
  • Attend Standard Project Status Meetings
  • Participate In Business Process Design Sessions
  • Participate In Systems and Security Design
    Sessions
  • Official Reviewer Of Process, IT and Security
    Designs
  • Meet w/ Teams To Validate Risks & Co-develop
    Controls
  • Consistent Involvement and Real-Time Feedback
    is the Key!

10
Audit Communications Approach
  • Must Strive To Be Simple and Timely
      • The Nature/Status of Issues Can Change Rapidly
      • Different Audiences with Varying Levels of
        Exposure
      • Traditional Audit Reports May Not Be The Right
        Vehicle
  • Integrate with Project Status Reporting
      • Utilize Simple Issue Status Memos via Email
      • Develop Controls-relevant Metrics or KPIs
      • Define a Stakeholder Communication Requirements
        Map
      • More Formal Audit Update Reports by Project
        Phase
  • Timely/Verbal Communication of Risks with
    Project Management
      • During Frequent Project Status Meetings
      • Action Plan Collaboration
      • Defined Issue Escalation Channels

11
With S-O-404, A New Thought Process
  • Historically, Controls Were Thought of as A
    Nice-to-Have
      • Don't Hold Up The Project!
  • Implementations Can Have an Impact on The
    Control Environment
      • Material Changes Must Be Reported
  • Controls Cannot Be Neglected During a
    Project/Implementation
      • Mgmt's Control Assessments Must Be
        Accurate/Timely/Effective
      • No Time to (Re)design Controls After
        Implementation
      • Retro-fitting Controls Costs More Than Building
        Them Up-front
      • Still Need to Test Key Controls, Potentially
        Quarterly
  • Design and Document (and Implement!) Project,
    Process and IT Controls Critical for S-O-404
    Throughout the Project Lifecycle!

12
Areas of Audit Focus on ERP Projects
Diagram: Business Objectives (Control Objectives & Risk)
drive five layers of controls over the ERP System, its
Technology and its People:
  • Security Controls
  • Inherent Controls
  • Configurable Controls
  • Reporting Controls
  • Manual / Procedural Controls
13
Inherent Controls
  • Integrated balanced posting
  • Real time online data for timely analysis
  • Each transaction captured via the Document
    Principle
  • Sequential documents
  • Duplicate checks
  • Capability to monitor questionable postings for
    review and approval
  • System retained transaction history including
    date, time, user
  • System retained history of program and
    configuration changes
  • Internal controls structure monitoring
  • Transaction utilization monitoring
  • Security / Access monitoring
  • Transport Log
  • Support Package Log

14
Configurable Controls
  • Edit checks and tolerances
  • Required and system populated fields
  • Defaulted and predefined master data
  • Reason codes
  • User defined error/warning messages
  • Automatic integrated posting following predefined
    posting keys
  • Workflow approvals/authorizations
  • Automated three-way match
  • Automated order credit checking
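Of the configurable controls listed above, the automated three-way match is the one most often relied on as a key S-O-404 control, so it is worth seeing what "configurable" means in practice. The following is an added example, not code from the presentation or from any ERP vendor: a Python three-way match in which the quantity, price and small-difference tolerances are configuration data, and an invoice outside them is blocked with a reason code rather than left to a manual review. The tolerance keys, reason codes and the PO, goods receipt and invoice records are constructed for illustration.

```python
"""Automated three-way match (PO / goods receipt / invoice) with configurable
tolerances.

Added example, not code from the presentation or any ERP vendor. The tolerance
keys, reason codes and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Constructed tolerance configuration: these values ARE the control design.
TOLERANCES = {
    "qty_over_pct": Decimal("5"),         # invoiced qty may exceed receipt by 5 %
    "price_pct": Decimal("2"),            # unit price may deviate 2 % from the PO
    "price_abs": Decimal("10.00"),        # ... and by at most 10.00 per unit
    "small_difference": Decimal("1.00"),  # total variances up to this auto-clear
}


@dataclass(frozen=True)
class POLine:
    po_number: str
    item: str
    qty_ordered: Decimal
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    qty_received: Decimal


@dataclass(frozen=True)
class Invoice:
    po_number: str
    qty_invoiced: Decimal
    amount: Decimal  # total invoiced for the line


def _pct(part, whole):
    """Percentage of whole, rounded to 2 places; a zero base is treated as an
    infinite deviation so it can never slip through a tolerance."""
    if whole == 0:
        return Decimal("Infinity")
    return (part / whole * 100).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def three_way_match(po, gr, inv, tol=TOLERANCES):
    """Return ('RELEASED', []) or ('BLOCKED', [reason codes]).

    Checks: all documents belong to the same PO; invoiced quantity does not
    exceed the received quantity beyond tolerance; receipt does not exceed the
    order; invoiced unit price stays within both the % and absolute price
    tolerance, unless the total variance is under the small-difference limit."""
    if not (po.po_number == gr.po_number == inv.po_number):
        return "BLOCKED", ["PO_MISMATCH"]
    reasons = []

    over_qty = inv.qty_invoiced - gr.qty_received
    if over_qty > 0 and _pct(over_qty, gr.qty_received) > tol["qty_over_pct"]:
        reasons.append("QTY_EXCEEDS_RECEIPT")

    if gr.qty_received > po.qty_ordered:
        reasons.append("RECEIPT_EXCEEDS_PO")

    if inv.qty_invoiced <= 0:
        reasons.append("ZERO_QUANTITY")
    else:
        inv_unit = inv.amount / inv.qty_invoiced
        delta = abs(inv_unit - po.unit_price)
        if delta > tol["price_abs"] or _pct(delta, po.unit_price) > tol["price_pct"]:
            total_variance = abs(inv.amount - inv.qty_invoiced * po.unit_price)
            if total_variance > tol["small_difference"]:
                reasons.append("PRICE_VARIANCE")

    return ("BLOCKED" if reasons else "RELEASED"), reasons


# Constructed sample documents for PO 4500001: 100 bolts at 12.00 each.
PO = POLine("4500001", "bolts", Decimal("100"), Decimal("12.00"))
GR = GoodsReceipt("4500001", Decimal("100"))
GR_OVER = GoodsReceipt("4500001", Decimal("120"))
INV_EXACT = Invoice("4500001", Decimal("100"), Decimal("1200.00"))
INV_OVER_QTY = Invoice("4500001", Decimal("110"), Decimal("1320.00"))    # +10 % quantity
INV_PRICE_HIGH = Invoice("4500001", Decimal("100"), Decimal("1250.00"))  # 12.50 per unit
INV_SMALL_DIFF = Invoice("4500001", Decimal("2"), Decimal("24.90"))      # 0.90 total variance
INV_120 = Invoice("4500001", Decimal("120"), Decimal("1440.00"))

if __name__ == "__main__":
    cases = [("exact", GR, INV_EXACT), ("over qty", GR, INV_OVER_QTY),
             ("price high", GR, INV_PRICE_HIGH), ("small diff", GR, INV_SMALL_DIFF),
             ("receipt > PO", GR_OVER, INV_120)]
    for name, gr, inv in cases:
        print(f"{name:12s} -> {three_way_match(PO, gr, inv)}")
```

The point for audit is that every value in TOLERANCES (or its ERP equivalent) is a control setting: reviewing the design means reading those values, not just confirming that "three-way match is switched on". The small-difference rule is the classic place where a generous value quietly turns a preventive control into no control at all; in the sample, a 3.75 % unit-price deviation is released only because the total variance is 0.90.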

15
Security Controls
  • Flexibility to configure an appropriate level of
    user access and permissions to:
      • programs
      • transactions
      • tables and fields
  • Aids in the detection and prevention of
    unauthorized access or potential attacks
  • Efficient, effective creation and maintenance of
    user profiles and assignments
  • Identification and mitigation of transactional
    segregation of duties risks

16
Reporting Controls
  • Timely closing process monitoring capabilities
  • Delivered standard reports contained in easily
    accessible report tree
  • Context sensitive help
  • System supplied auditing capabilities:
      • Audit trails
      • Changed document log
      • Document flow
  • Security restrictions over ad-hoc reporting

17
Manual Procedural Controls
  • Formalized and documented business standard
    operating procedures
  • Policy definition, monitoring and enforcement
  • Control reports providing data needed to perform
    detective control processes
  • Authorization criteria and procedures
  • Reconciliations
  • Physical and cycle inventory counts
  • Functional segregation of duties

18
Internal Audit Roadmap
Audit Approach Synchronized With Project's Lifecycle

Project Stage              | Internal Audit
---------------------------+-------------------------------
Stage 2 Design             | Control Requirements & Design
Stage 3 Develop & Test     | Validate & Test Controls
Stage 4 Final Preparation  | Validate Controls Readiness
19
Internal Audit Roadmap
Stage 1 Project Preparation

Project Activities
  • Project Scope
  • Cost / Benefit Analysis
  • Business Case
  • Obtain Commitment
  • Project Workplans
  • Assemble Project Team

Common Issues
  • Not Incorporating Controls into Project Plans
  • Designing Governance Model w/out Audit
  • Failing to Educate Team on Controls Importance
  • Building Project Methodology Separate from
    Controls and/or S-O-404 Methodologies

IA Activities
  • Develop Audit Scope & Workplan
  • Establish Audit Budget
  • Integrate Audit & Project Plans/Budgets
  • Educate Project Mgmt on Control Objectives
  • Incorporate Controls Design, Implementation and
    Testing Activities Into Project Team's Methodology

20
Internal Audit Roadmap
Stage 2 Design

Project Activities
  • Develop Detailed Designs
  • Develop Detailed Project Plans
  • Define Solution Requirements
  • Complete Designs of Processes, Controls and
    Systems
  • Obtain Design Sign-Off from Owners

Common Issues
  • Process Controls Documentation of Poor Quality
    or Not Thorough Enough
  • IT-focused Rather than Process Control Focused
  • Ineffective Issue & Scope Management Processes
  • Not Looking for Automated Control Solutions
    (i.e., Staying with Manual/Detect Controls)

IA Activities
  • Assess Completeness of Requirements
  • Participate in To-Be Functional & IT Design
    Activities
  • Identify Risks & Develop Control Recommendations
  • Review Security Design For Segregation of Duties
  • Establish IT, Security & Process Control
    Recommendations
  • Facilitate Design of Controls into
    Processes/Systems
  • Obtain Project Team Commitment to Control Designs

21
Internal Audit Roadmap
Stage 3 Develop and Test

Project Activities
  • Build Process & IT Control Solutions per
    Designs/Requirements
  • Define Testing Scripts
  • Test Solutions & Verify All is Working as
    Designed
  • Obtain Business Owner Sign-Offs

Common Issues
  • Agreed-upon Controls Not Developed As Promised
  • Incomplete Testing of Business (and Control)
    Requirements
  • Poor Follow-up on Issues/Defects/Risks
  • Test & Production Not In-Synch (Chg. Ctrl.)
  • Manual Workarounds Start To Develop

IA Activities
  • QA the Test Process Completeness & Results
  • Reconcile Controls the Project Team Committed
    to with What Was Developed/Implemented
  • Jointly Design Controls Test Scripts with Project
    Team
  • Test Key Controls Independently
  • Assess Security for Segregation of Duties &
    Inappropriate Access Risks
  • Review IT Infrastructure Controls

22
Internal Audit Roadmap
Stage 4 Final Preparation

Project Activities
  • Final User Acceptance & Stress Testing
  • Data Conversions
  • Finalization or Update of Standard Operating
    Procedures
  • User Training
  • Final Business Owner Sign-Offs
  • Complete Design of Production Support
    Organization and Processes

Common Issues
  • Data Review, Validation and Cleansing Efforts
    Associated with Conversion Are Vastly
    Underestimated
  • Master Data Management Control Processes
    Inadequately Designed/Implemented
  • Training Not Given in Process-based Format or
    Does Not Adequately Include SOPs or Controls
    (i.e., More Navigation Focused)
  • Process Workarounds Now Formalized
  • Production Support Organization/Processes Not
    Fully Defined or Planned

IA Activities
  • QA Review of Testing Completeness
  • Assist in Designing Controls Over Data
    Validation, Cleansing and Conversion Processes
  • Provide Data Analysis Support/Guidance & Assess
    Effectiveness of Data Validation/Conversion
    Activity
  • Review of Key Manual Control Procedures
  • Assess Incorporation of Controls into Training
    Materials/Programs
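Because the data conversion issues on this slide recur on nearly every ERP project, here is a worked example of the reconciliation audit would expect the data owners to run and retain as evidence. It is added here and is not part of the original presentation. It compares a legacy extract with the post-load report using record counts, control totals and a key-level difference list. The two CSV extracts are constructed sample data and the column names are assumptions.

```python
"""Conversion reconciliation: legacy extract vs. loaded target.

Added example, not from the original presentation. The two CSV extracts are
constructed sample data standing in for a legacy vendor-balance download and
a post-load report from the new ERP; column names are assumptions.
"""
import csv
import io
from decimal import Decimal

LEGACY_CSV = """vendor_id,name,open_balance
V001,Acme Supplies,1250.00
V002,Brown Logistics,0.00
V003,Cobalt Metals,980.50
V004,Delta Tools,415.25
V005,Echo Services,3000.00
"""

# Constructed target: V003 was rounded by the load program, V004 was dropped,
# and V999 appeared with no legacy source record. Counts still match.
TARGET_CSV = """vendor_id,name,open_balance
V001,Acme Supplies,1250.00
V002,Brown Logistics,0.00
V003,Cobalt Metals,981.00
V005,Echo Services,3000.00
V999,Unknown Vendor,100.00
"""


def load(csv_text, key="vendor_id", amount="open_balance"):
    """Parse an extract into {key: Decimal amount}. Duplicate keys are
    rejected: they would otherwise let count and total checks pass silently."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        k = row[key]
        if k in rows:
            raise ValueError(f"duplicate key in extract: {k}")
        rows[k] = Decimal(row[amount])
    return rows


def control_totals(rows):
    """Record count and sum of amounts: the figures a data owner signs off on."""
    return {"count": len(rows), "total": sum(rows.values(), Decimal("0"))}


def reconcile(legacy, target, tolerance=Decimal("0.00")):
    """Key-level reconciliation: keys missing from or extra in the target, and
    per-record differences whose absolute value exceeds the tolerance."""
    missing = sorted(set(legacy) - set(target))
    extra = sorted(set(target) - set(legacy))
    mismatches = {}
    for k in sorted(set(legacy) & set(target)):
        diff = target[k] - legacy[k]
        if abs(diff) > tolerance:
            mismatches[k] = {"legacy": legacy[k], "target": target[k], "diff": diff}
    return {"missing_in_target": missing, "extra_in_target": extra,
            "mismatches": mismatches}


def conversion_clean(legacy, target, tolerance=Decimal("0.00")):
    """True only when counts, totals and every key-level comparison agree."""
    r = reconcile(legacy, target, tolerance)
    same_totals = control_totals(legacy) == control_totals(target)
    return same_totals and not (r["missing_in_target"] or r["extra_in_target"]
                                or r["mismatches"])


if __name__ == "__main__":
    leg, tgt = load(LEGACY_CSV), load(TARGET_CSV)
    print("legacy:", control_totals(leg))
    print("target:", control_totals(tgt))
    print(reconcile(leg, tgt))
    print("clean:", conversion_clean(leg, tgt))
```

Note that the constructed target keeps the record count at 5 on both sides even though one vendor was dropped and another appeared: a count-only sign-off would pass it. The control total catches the imbalance (5645.75 vs. 5331.00) and the key-level list says exactly which records need the data owner's attention, which is the evidence audit should expect to find in the reconciliation file rather than a single "counts agree" tick.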

23
Internal Audit Roadmap
Stage 5 Go Live and Support

Project Activities
  • Finalize & Execute Cutover Plans
  • Assess Compliance with Project Methodology Steps
  • Complete Data Conversions
  • Assign User Security
  • Initiate Production Support Processes

Common Issues
  • Vague Definitions of Go-live Criteria
  • Go-live Readiness Not Based Upon Risk or Project
    Assessment (More on Date/Budget)
  • Inaccurate Converted Data Due To Ineffective Data
    Owner Involvement During Validation
  • Support Organization Not Effectively Executing
    Towards Anticipated Service Levels
  • Security Deteriorates Because People Cannot Do
    Their Jobs

IA Activities
  • Assess Go-live Criteria, Cutover Plan
    Thoroughness and Operational Support Readiness
  • Review Data Reconciliation Process Compliance
  • Perform Pre-go-live Check of Critical Security
    Profiles
  • Post Implementation Audit Assessing Effectiveness
    of Control Environment (within 6-9 Months)
  • Facilitate Controls Information into Controls
    Data Repository
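The Security Controls slide, the design-stage review of security for segregation of duties and the pre-go-live check of critical security profiles above all come down to one test: does any user, through the union of every role assigned, hold two business functions that should be kept apart? Below is an added example of that test in Python; it is not code from the presentation or from SAP. The function definitions, conflict rules, role names and user assignments are constructed sample data, and the SAP transaction codes are used only as labels for the transactions that grant each function.

```python
"""Segregation-of-duties (SoD) analysis over user-to-role-to-transaction
assignments, of the kind run as a pre-go-live security check.

Added example, not from the original presentation. Functions, conflict rules,
roles and user assignments are constructed sample data; the SAP transaction
codes are illustrative labels only.
"""
from collections import defaultdict
from itertools import combinations

# Business functions expressed as the transactions that grant them.
# Constructed mapping; a real ruleset comes from the security design.
FUNCTIONS = {
    "maintain_vendor_master": {"XK01", "XK02", "FK01", "FK02"},
    "enter_vendor_invoice": {"MIRO", "FB60"},
    "run_payments": {"F110", "F-53"},
    "create_purchase_order": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
}

# Pairs of functions one person must not hold together (constructed rules).
CONFLICTS = {
    frozenset({"maintain_vendor_master", "run_payments"}): "high",
    frozenset({"maintain_vendor_master", "enter_vendor_invoice"}): "high",
    frozenset({"enter_vendor_invoice", "run_payments"}): "high",
    frozenset({"create_purchase_order", "post_goods_receipt"}): "medium",
}

# Role -> transactions (constructed security design). Each role is clean on
# its own; conflicts arise only from combinations of roles.
ROLES = {
    "Z_AP_CLERK": {"MIRO", "FB60", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},
}

# User -> roles (constructed assignments, as pulled before cutover).
USERS = {
    "alice": {"Z_AP_CLERK", "Z_DISPLAY_ONLY"},
    "bob": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "carol": {"Z_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "dave": {"Z_BUYER", "Z_WAREHOUSE"},
    "erin": {"Z_DISPLAY_ONLY"},
}


def effective_tcodes(user, users=USERS, roles=ROLES):
    """Union of transactions a user can execute across all assigned roles."""
    return set().union(*(roles[r] for r in users[user]))


def functions_held(tcodes, functions=FUNCTIONS):
    """Business functions enabled by a transaction set (any one tcode suffices).
    Display-only transactions such as FK03 grant no function here."""
    return {f for f, codes in functions.items() if codes & tcodes}


def sod_violations(users=USERS, roles=ROLES, functions=FUNCTIONS, conflicts=CONFLICTS):
    """Return {user: [(function_a, function_b, severity), ...]} for every user
    holding both sides of a conflicting pair through any role combination."""
    findings = defaultdict(list)
    for user in sorted(users):
        held = functions_held(effective_tcodes(user, users, roles), functions)
        for a, b in combinations(sorted(held), 2):
            severity = conflicts.get(frozenset({a, b}))
            if severity:
                findings[user].append((a, b, severity))
    return dict(findings)


def summarize(findings):
    """Count findings per severity, for the issue status memo."""
    counts = defaultdict(int)
    for items in findings.values():
        for _, _, severity in items:
            counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    result = sod_violations()
    for user, items in result.items():
        for a, b, severity in items:
            print(f"{user}: {a} + {b} [{severity}]")
    print(summarize(result))
```

The cross-role case is the one that matters: in the sample, bob's two roles are each clean in isolation, and the conflict appears only when their transactions are combined, while alice's display-only access to FK03 correctly raises nothing. A pre-go-live check that reviews roles one at a time will miss exactly the assignments added in the last weeks before cutover, which is also when, as this slide notes, security tends to deteriorate because people cannot do their jobs.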

24
Key Takeaways
  • Audit Involvement Early: Impact Decreases as the
    Project Progresses
  • Learn the Project's Risks Through Being
    Involved
  • Drive Change in the Project Through Being
    Involved
  • Adopt Change within The Audit Function To
    Support Involvement
  • Strive To Create Integrated Auditors Through
    the Process
      • IT Auditors and Operational/Financial Auditors
  • S-O-404 Must Be Considered Throughout the Project
    Lifecycle
  • Involvement Differs at Various Stages of the
    Project
  • Demand Project Ownership of Controls & Provide
    Real-time Feedback

25
Audit Team Member
Diagram: the Audit Team Member, Before Project vs. During Project.
26
Questions?