• No results found

Top 10 System Implementation Audit Considerations

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Top 10 System Implementation Audit Considerations"

Copied!
28
0
0

Loading.... (view fulltext now)

Download now ( 28 Page )

Full text

(1)

Top 10 System Implementation

Audit Considerations

(2)

Auditing standards place specific requirements on the auditor to understand how a Client has

responded to risks arising from their major IT implementations by obtaining an understanding of control activities

Obtaining an understanding of controls means evaluating the design of the controls and determining whether they have been implemented:

Project lifecycle control considerations

 Are the revised automated and manual processes effective in supporting financial reporting? (business process risk)

 Does the underlying IT control environment provide comfort that such controls operate consistently? (ITGC risk)

 Was data migration and cutover from the legacy to the new systems completed completely and accurately? (cut-over risk)

(3)

Why do auditors care about the company’s system

implementation?

PwC Slide 3

(4)

Top 10 System Implementation Audit

Consideration

(5)

Scope your audit correctly

PwC Slide 5

(6)

(1) Scope your audit correctly

Approach– No single template

Selecting the right audit approach to evaluate your company’s move to a new system depends on their business objectives and evolving needs.

Low Low-medium High

Transformational scale

Upgrade Upgrade with New implementation Upgrade Upgrade with

process refinement

New implementation

Description Straight migration of current applications & existing

customization to new target release

Upgrade applications and refine targeted process improvement areas e.g. Upgrade with P2P Centralization or adding new modules e.g. Service

Re-implement and redesign processes and system Ground-up e.g. restructure every process along with org. structure

Goal Vendor Support Compliance Support Compliance & added functionality

Business value

Business Model Changes Transform processes

Time Fastest Medium Longest

Cost Lowest Moderate Highest

(7)

Impact of new system functionality

PwC Slide 7

(8)

2. Impact of new system functionality

• Be prepared to answer the question around whether or not the company has considered and assessed some of the new functionalities within the system and if not, why not?

• If some have been leveraged, be able to articulate how the functionality was tested and any accompanying impact to the control environment

(9)

Security, sensitive access &

segregation of duties

PwC Slide 9

(10)

3. Security, sensitive access, & segregation of

duties

• What was the approach for designing roles and responsibilities?

• If upgrading, what was done to evaluate new menu’s/ screens & functions in the new system?

• How did you ensure appropriate segregation of duties prior to go-live?

 If known conflicts are present upon go-live, what mitigating controls are  If known conflicts are present upon go-live, what mitigating controls are

there to reduce the risk?

 Has your security been loaded timely or is it a last minute exercise? • Is the system administration team reduced upon go-live?

(11)

User acceptance testing

PwC Slide 11

(12)

4. User acceptance testing

• Have test cases been designed for the new system or rolled forward from the legacy system?

• Do the end users understand the technology enough to perform testing? • Are testers true company employees or are SI (System Implementer) resources performing the tests? Are both?

• What was the overall UAT approach?

 How many rounds of UAT will be complete?

• Examples of test results—printouts, screenshots, web-based UAT tracking, and/or stored in a centralized repository for audit reference…..

• Tie-out to bug/defect log

• Are users leveraging the roles and responsibilities they will have in production while performing the UAT testing?

(13)

Data conversion/migration

PwC Slide 13

(14)

5. Data conversion/migration

Understand what the data conversion/migration strategy is • What data is being converted/migrated?

• How is it being converted/migrated? • How much is being converted/migrated?

• What controls are in place to detect any errors? • What controls are in place to detect any errors? • Retention of data conversion evidence

 Detailed tie outs

 Clearance of reconciling items  Reports used

(15)

Reports

PwC Slide 15

(16)

6. Reports

• Reporting methods will likely change in new system for your organization • How can you confirm that reports are complete & accurate?

 Standard Canned Reports

• Identify your “Key” report inventory early • Leveraging UAT of reports for Audit purposes • Leveraging UAT of reports for Audit purposes

(17)

Key control impact assessment

PwC Slide 17

(18)

7. Key control impact assessment

• Have internal controls (business and IT) over financial reporting been contemplated and incorporated in the process design?

 “As Is” controls have been mapped to “To Be” controls?

 How much has the new system impacted the overall control environment? • Have end users been adequately trained on how to perform their job and

• Have end users been adequately trained on how to perform their job and execute controls upon go-live?

• Is there potential to leverage automated controls to reduce manual controls?  Increased opportunities in the new system to avail of new functionalities

(19)

Business requirements & design

documentation

PwC Slide 19

(20)

8. Business requirements & design documentation

• Processes are appropriately designed to meet the business requirements in advance of development occurring

 Functional design documents are approved  Configuration design documents are approved

 The technical design documents meet those requirements  The technical design documents meet those requirements

• Audit is involved at each completed milestone and should review the documents for appropriateness

• Ensure a change control process is in place to manage updates business requirements and design

(21)

Issues log and defect tracking

PwC Slide 21

(22)

9. Issues log & defect tracking

• How are project issues/risks and defects being logged? • What is the process for risk ranking?

• Can you as the auditor transparently observe how issues have been resolved? • What is the process for tracking resolution and retesting?

 Evaluating show stoppers and the impact on a ‘go’ decision  Evaluating show stoppers and the impact on a ‘go’ decision

(23)

Project governance & status

reporting to support the go-live

decision

PwC Slide 23

(24)

10. Project governance & status reporting to

support go-live decision

• Is the level of communication at the right level for the process owners and steering committee?

• Is the status reporting accurate?  Reporting is metrics driven

 Issues are transparent and being bubbled up correctly  Issues are transparent and being bubbled up correctly

• Are timelines and deadlines shifting without reference nor an action plan in place?

• What is the go/no-go criteria and does it consider relevant key risks? • Are the appropriate individuals involved?

 An independent assessment is performed by the PMO • What is the contingency plan for a ‘no’ decision?

(25)

Summary of the top 10 considerations:

(1) Scope your audit correctly

(2) Impact of new system functionality

(3) Security, sensitive access & segregation of duties

(4) User acceptance testing

(5) Data conversion/migration

(6) Reports

PwC Slide 25

2012

(6) Reports

(7) Key control impact assessment

(8) Business requirements & design documentation

(9) Issues log and defect tracking

(10) Project governance & status reporting to support the go-live

decision

(26)

Getting prepared for a systems implementation

audit

• Include a controls focus throughout the project life cycle • Take credit for work the project team is already doing

(27)

Benefits of embedding a control’s focus into the

upgrade/implementation Project plan

Risks if controls are not embedded from the start

 Potential inefficiencies arising from issues reported to management after go-live, requiring remediation activities whhich are costly and possibly disruptive to steady-state.

 Potential that control design may not be suitable for a controls reliance based audit, reducing efficiencies which can be gained.

Benefits of including a controls focus from the start

 Year end audit planning process will be more efficient as a consequence of knowledge and visibility gained.

 Sharing of knowledge and experience to make sure that the most effective controls are implemented in the new systems that meet the external auditors requirements.

PwC

Slide 27 2012

efficiencies which can be gained.

 Work will be concentrated at the year end, resulting in a greater burden on management time.

 Potential that management will not be able to benefit from Auditor viewpoint on key controls.

requirements.

 Early review of controls design will enable the implementation team to build Auditor’s

recommendations into the system processes,

reducing the cost of having to retrofit configuration in the system.

 Issues will be reported in a more timely manner, allowing management to undertake remediation activities well in advance of the year end audit.  Work together in a collaborative manner to achieve

a successful implementation and reduce the potential for “surprises”.

(28)

Questions

Contacts:

Aaron Johnson, Manager

PwC, Irvine

Ph: (949) 437-5563

Email: [email protected]

Leah Pascua, Senior Associate

PwC, Los Angeles Ph: (213) 356-6936

References

Download now ( PDF - 28 Page - 572.49 KB )

Related documents

Short Production Run Control Charts to Monitor Process Variances

The parameter values we used in setting up EWMA and CUSUM scheme charts are based on the results reported in the literature on short-run control charts to

NSSE16 High-Impact Practices (UNO)

Preparing for class (studying, reading, writing, doing homework or lab work, analyzing data, rehearsing, and other academic activities) tmprephrs (Recoded version of

Material Safety Data Sheet

Other Toxic Effects on Humans: Slightly hazardous in case of skin contact (irritant), of ingestion, of inhalation.. Special Remarks on Toxicity to Animals:

Impact of RMG Sector on Standard of Living of Garment Workers in Bangladesh: Determinants and Workers’ Perception

The present study was conducted to assess the impact of RMG sector on standard of living of garment workers of Bangladesh and to discover the impact of RMG sector employees’

Universal's Grad Bash 3 $255. Universal's Grad Bash 2 $222. Universal's Grad Bash 4 $305

◆ 1 free double occupancy chaperone package per every 10 paid students.. ◆ All taxes and gratuities

Infusing Technology: A Study of the Influence of Professional Development on How Teachers Use Technology

This study examined whether a quality professional development course, Infusing Technology, influenced teachers‘ integration of technology, their knowledge of digital tools

Measuring Decent Work in Development: A Balancing Act

The global endorsement of the Decent Work Agenda has facilitated the bilateral dialogue and cooperation on employment and social issues with partner countries and within

Transformative learning and the 4-H camp counselor experience

This study examines the extent to which 4-H camp results in transformative learning for 4-H members who serve as camp counselors, examines the perceived changes that occur