Chairman’s Introduction and Keynote Paul Williams Chair ISACA/ITGI Strategic Advisory Group IT Governance Adviser Protiviti Audit Technology Conference London, 20/21 November 2007





Audit Technology Evolution


An Historical Perspective

‘The modern computer can become an extremely capable assistant to both the general auditor and the EDP auditor, by performing the repetitive, boring, labour intensive work of an audit with phenomenal speed and accuracy. With the introduction of computer languages that are easier to use for the non-programmer layman, the power of this assistant is available to anyone willing to invest a modest amount of time to learn to communicate with the computer in a very structured, non-flowery language.’

Joseph Pleier, EDP Auditor Journal, 1984


Mainframe to Mini

• Mainframe interrogations (from 1967)
  – Generalised: CARS, ASK360, Auditape, PanAudit etc.
  – Utilities: FileTab, Easytrieve
  – Special Programs
• Test Data

Errrrr……..that was about it until………


Commodore Pet (1977)


……the arrival of the PC

Or more specifically for auditors……..


Extract from Datawatch 1983

‘A new portable (or almost portable) micro seemingly is announced every month and some audit firms reportedly are acquiring them in large numbers…….

Arthur Young (UK) has commenced its own field test based on the use of the IBM PC Micro. Much progress has been made in extracting data from client files and putting it into the IBM PC in one of three ways:

• Physical diskette transportation
• Link over telephone lines
• Direct coupling of the PC with the client’s computer

Methods of manipulating the data have been developed but remain an area for further work.

The cost is £7,000 per unit. This may be the shape of things to come. In no time no auditor will be complete without his ‘breakout box’ or ‘fox box’.’


First Laptop?


Changing Culture


Audit Technology Evolution

• PC Audit Retrieval Software
• Flowcharting (Visio etc.)
• Spreadsheets (from Visicalc through Supercalc and Lotus, to Excel)
• Trial Balance Management and Accounts Production (Fast, Solution 6, Caseware etc.)
• Word Processing (Wordstar, Word Perfect, Word)
• Presentation Graphics (Harvard, Freelance, Powerpoint)
• Audit File Management – the paperless audit?
• Risk and Control Assessment
• Security Analysers
• Data Mining
• Fraud Detection and Forensics
• And then there were………..


Topics from 1996 ACE Conference

• Introduction to the Internet
• How to set up a www internet site (sic)
• Spreadsheets as a planning tool
• Audit working papers
• Use of voice recognition
• Document imaging
• Using Lotus Notes
• Automated checklists
• Print report translators
• Downloading data
• Automating security audits
• Homeworking
• Audit automation – a thing of the past or a CSF for the future?


The Age of the Internet

• Collaborative Working
• Information Access 24/7 (e.g. KNet, Google etc.)
• Email (but………Spam!)
• Personal Networking, e.g. LinkedIn, Facebook
• Viruses and other threats

‘What is the internet? Why is it hyped so much? Why have many companies banned its use? Will it catch on?’

ACE Conference Brochure 1996


Other bad news!


Then along came……...

……and the world changed!


Then along came………….


And…………


Welcome to the new world of regulation and compliance as exemplified by the Sarbanes-Oxley Act

‘For every complex problem there is a solution that is neat, plausible and wrong.’
H.L. Mencken, US Journalist

‘Proof of the wisdom of this remark can be seen in the US legislative attempt to restore confidence in the system, the Sarbanes-Oxley Act of 2002, which is a mixture of the sensible, the hasty, and the ill-conceived.’
Going Off The Rails, John Plender, 2003


….and a new emphasis

From ‘Audit Technology’ to ‘Audit and Compliance Technology’

Accelerated by SOX and software vendors identifying opportunity!


Continuous Monitoring: The Vision

(Diagram.) Business Systems, layered: Application, Database, Network, O/S.

Supporting risk and control matrix. Activity: Purchasing – Requisitioning. Columns: Activity | BRM Risk | BRM Risk Definition | Risk | Potential Root Cause | Impact | Info. Requests

1. Cycle Time
   Definition: Elapsed time between the start and completion of a business process (or activity within a process) is too long because of redundant, unnecessary and irrelevant steps. Cycle time can be measured for all operations, e.g., order entry, production, delivery, product design, etc.
   Risk: Requisition is not completed and forwarded to purchasing in a timely manner.
   Potential root cause: Inefficient processes, manual transactions, lack of controls.
   Impact: Premium freight charges, material shortages. Slow reaction to changing customer demands.
   Info. requests: 1. Process Maps, Policies & Procedures

2. Efficiency
   Definition: The process is inefficient in satisfying valid customer requirements resulting in higher than competitive costs, e.g., significant gaps are identified when the cost of process activities is compared with costs incurred by world class performers.
   Risk: Preferred agreements or vendors with volume discounts are not utilized.
   Potential root cause: Inefficient processes, manual transactions, lack of controls to ensure material is sourced from preferred suppliers. Buyers are not validating suggested sources of supply as requested by the requisitioner.
   Impact: Excessive costs.
   Info. requests: 2. Performance Measures (Cost, Quality, Time)

3. Data Integrity
   Definition: All of the risks associated with the authorization, completeness and accuracy of transactions as they are entered into, processed by, summarized by and reported by the various application systems deployed by the organization.
   Risk: Requisition not completed accurately, requirements not communicated accurately to purchasing.
   Potential root cause: Lack of training, processes not clearly defined, no standardized forms/procedures.
   Impact: Delayed processing, premium freight charges, material shortages, excessive costs.
   Info. requests: 3. Summary of IT Systems, System Maps, Systems Narratives

4. Employee Fraud
   Definition: Fraudulent activities perpetrated by employees, customers, suppliers, agents, brokers or third-party administrators against the organization for personal gain (e.g., misappropriation of physical, financial or information assets) expose the organization to financial loss.
   Risk: Employee completes a requisition not approved by the cost center manager.
   Potential root cause: Inappropriate system access, lack of controls and no segregation of duties. Purchasing not validating requisition authorization.
   Impact: Financial loss or unauthorized use of physical, financial or information assets.
   Info. requests: 4. Business & Procurement Strategy

Continuous Monitoring, tooling listed in the order the layers appear above:
• Custom Scripts, Applimation, GRC, ICM, Logical Apps
• Guardium, Lumigent
• ESM, ECM
• Tripwire

Policy Management System

Controls Intelligence (TM) Repository

Change Management:
• Service Desk/Help desk
• Change Management
• Testing and Release Mgmt

Copyright, Protiviti 2007
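As an added illustration of what the ‘Custom Scripts’ layer of that vision looks like in practice (example code written for this page, not code from the speaker, Protiviti or any vendor named on the slide): the four rows of the requisitioning matrix expressed as automated exception tests run over a batch of requisition records. The record layout, the two-day cycle-time limit, the preferred-supplier and cost-centre-manager tables, the run date and the five sample records are all constructed assumptions.

```python
"""Continuous controls monitoring over purchasing requisitions (added example).

Not the slide's, Protiviti's or any vendor's code. The four rows of the
requisitioning risk-and-control matrix (cycle time, efficiency, data
integrity, employee fraud) as exception tests; layout and data are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Requisition:
    req_id: str
    requester: str
    cost_center: str
    approver: str                # user who released the requisition
    created: date
    forwarded: Optional[date]    # date it reached purchasing; None = still pending
    material_class: str
    supplier: str
    quantity: int
    amount: float


@dataclass
class Finding:
    risk: str        # matrix row: cycle_time | efficiency | data_integrity | fraud
    req_id: str
    detail: str


# Constructed reference data (assumed): preferred suppliers per material class,
# the manager authorised to approve each cost centre, and the run date.
PREFERRED_SUPPLIERS: Dict[str, Set[str]] = {"office": {"Staples", "Viking"}}
COST_CENTER_MANAGERS: Dict[str, str] = {"100": "bob", "200": "erin"}
AS_OF = date(2007, 11, 20)

# Constructed sample records (assumed). R-1001 is clean; the others each break a row.
SAMPLE_REQUISITIONS: List[Requisition] = [
    Requisition("R-1001", "alice", "100", "bob", date(2007, 11, 1), date(2007, 11, 2), "office", "Staples", 10, 120.0),
    Requisition("R-1002", "alice", "100", "bob", date(2007, 11, 1), date(2007, 11, 10), "office", "Viking", 5, 60.0),  # 9 days
    Requisition("R-1003", "carol", "100", "bob", date(2007, 11, 5), None, "office", "Staples", 3, 45.0),  # never forwarded
    Requisition("R-1004", "carol", "100", "carol", date(2007, 11, 3), date(2007, 11, 4), "office", "CornerShop", 2, 400.0),  # self-approved, non-preferred
    Requisition("R-1005", "dave", "200", "erin", date(2007, 11, 6), date(2007, 11, 7), "office", "Staples", 0, 0.0),  # zero qty/amount
]


def check_cycle_time(r: Requisition, max_days: int, today: date) -> List[Finding]:
    """Row 1, cycle time: requisition not forwarded to purchasing in time."""
    elapsed = ((r.forwarded or today) - r.created).days   # pending ones age until today
    if elapsed > max_days:
        state = "forwarded" if r.forwarded else "still pending"
        return [Finding("cycle_time", r.req_id, f"{elapsed} days ({state}), limit {max_days}")]
    return []


def check_efficiency(r: Requisition, preferred: Dict[str, Set[str]]) -> List[Finding]:
    """Row 2, efficiency: preferred agreements or vendors not used."""
    allowed = preferred.get(r.material_class)
    if allowed and r.supplier not in allowed:
        return [Finding("efficiency", r.req_id, f"supplier {r.supplier} not preferred for {r.material_class}")]
    return []


def check_data_integrity(r: Requisition, valid_cost_centers: Set[str]) -> List[Finding]:
    """Row 3, data integrity: requisition not completed accurately."""
    problems = []
    if r.quantity <= 0:
        problems.append("quantity not positive")
    if r.amount <= 0:
        problems.append("amount not positive")
    if r.cost_center not in valid_cost_centers:
        problems.append(f"unknown cost centre {r.cost_center}")
    return [Finding("data_integrity", r.req_id, "; ".join(problems))] if problems else []


def check_authorisation(r: Requisition, managers: Dict[str, str]) -> List[Finding]:
    """Row 4, employee fraud: requisition not approved by the cost centre manager."""
    if r.approver == r.requester:      # segregation of duties broken outright
        return [Finding("fraud", r.req_id, f"{r.requester} approved own requisition")]
    expected = managers.get(r.cost_center)
    if r.approver != expected:
        return [Finding("fraud", r.req_id, f"approved by {r.approver}, cost centre manager is {expected}")]
    return []


def run_monitoring(reqs: List[Requisition], preferred: Dict[str, Set[str]] = PREFERRED_SUPPLIERS,
                   managers: Dict[str, str] = COST_CENTER_MANAGERS,
                   max_days: int = 2, today: date = AS_OF) -> List[Finding]:
    """Run every matrix row against every record; one Finding per exception."""
    findings: List[Finding] = []
    for r in reqs:
        findings += check_cycle_time(r, max_days, today)
        findings += check_efficiency(r, preferred)
        findings += check_data_integrity(r, set(managers))
        findings += check_authorisation(r, managers)
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Exception count per matrix row, the figure a monitoring dashboard would trend."""
    return dict(Counter(f.risk for f in findings))


if __name__ == "__main__":
    for f in run_monitoring(SAMPLE_REQUISITIONS):
        print(f.risk, f.req_id, f.detail, sep="  ")
```

Each check returns findings keyed by the matrix row it implements, so the summary can be trended per row and traced back to the ‘Info. requests’ evidence that row calls for. The segregation-of-duties test returns before the manager comparison so that a self-approved requisition is reported once, as a fraud exception, rather than twice.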


Finance GRC Management Software Magic Quadrant

(Figure: Gartner Magic Quadrant, axes ‘completeness of vision’ and ‘ability to execute’; quadrants challengers, leaders, niche players, visionaries.)

Vendors plotted, as of January 2007: Paisley Consulting, OpenPages, IBM, Oracle, Axentis, Qumas, Protiviti, BWise, SAP, Movaris, 80-20 Software, Cura, Methodware, Certus, onProject, BI International, RuleBurst, RVR Systems, Achiever Business Solutions.

(From "Magic Quadrant for Finance Governance, Risk and Compliance Management Software, 2007," 1 February 2007)

Note: onProject has been acquired by DoubleCheck; Certus has been acquired by Securac


Compliance Technologies Hype Cycle

(Figure: Gartner hype cycle, visibility against time; phases Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Key, years to mainstream adoption: less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, obsolete before plateau.)

Technologies plotted, as of July 2007: Password Management; User Interfaces for Disabled Persons; User Provisioning; E-Mail Archiving; Records Management; Database Encryption; SOD for ERP; Finance GRC Management; IT Change Management Tools; SIEM (Information Management); Configuration Auditing; CPM and Financial Controls; Case Management; Role Management for Enterprises; Content Monitoring and Filtering and Data Loss Prevention; Identity Auditing; Forensic Tools; E-Discovery Software; Stronger Authentication; Anti-Money-Laundering; IT GRCM; Digital Signature; Controls Automation and Monitoring; Spreadsheet Control.

Copyright, Gartner 2007


Gartner Conclusions on Audit and Compliance Technology

• Be proactive when putting controls in place
• Develop a good relationship with your auditors
• Strive for reasonable and appropriate controls to address reasonably anticipated risks
• Above all, put your organization in a defensible position against all audiences
• Push back against unreasonable findings
• Negotiate from a position of power, not reactively and defensively
• Technology is not the answer — it automates good process
• Select reasonable and appropriate controls to address reasonably anticipated risk
• Investigate technologies as part of your strategic planning … applicability will vary
• Choose technology based on a good requirements analysis process (stop asking us which technology you should buy)
• Technology is not the answer …


Conference Topics

• Governance, Risk and Compliance
• Audit Workflow
• XBRL
• Illicit Image Abuse
• Spreadsheet Risks
• Continuous Audit
• Direct Tax Audit
• Electronic Discovery
• Fraud Detection


If all else fails……..
