Information Risk Management in the Audit
Chapter 9
Presented by Julie Flaiz-Windham, Senior Manager
KPMG LLP

KPMG Information Risk Management (IRM) Audit Team – Scope of Work
• IT General Controls Review
  • Please note that General Control Reviews include Program Development
• Program Development
  • In-scope campuses that implemented PS FIN in 2008:
    • Fullerton
  • In-scope campuses that implemented PS SA in 2008:
    • Los Angeles
    • Sacramento
  • The program development review will include analysis of System Development Life Cycle Policies; Business Requirement Documents (project charters); management approvals; Integration, IT, and End-User testing performed prior to go-live; testing sign-offs by appropriate IT, management, and end users; and data migration testing performed by management and end users from the impacted business areas.

KPMG Information Risk Management (IRM) Audit Team – Scope of Work (continued)
• Enterprise Resource Planning review
  • Access controls
  • Configuration controls
  • New Automated Derivation Control Added in 2008
• Financial aid system controls at selected campuses (8 higher scope A-133 campuses)
  • Department of Education upload to campus Student Information System (PeopleSoft or Legacy)
  • Grade system – user access
  • Interface from grade system to financial aid system (if applicable)

IRM Test Work – Key Dates
• March 26, 2008 – Campus IT PBC list was sent to campuses
• April 18, 2008 – Campus PBC were due to KPMG
• April - July, 2008 – Campus IT general controls test work and specific business process controls test work
  • To gain efficiencies by working from one location, the IRM team will conduct testing remotely from our Orange County office. Please be prepared to accommodate conference calls during the week our teams are focusing on your campus, as the testwork will be conducted via phone interviews and review of requested documents.
• UNISYS Data Center review (May 12 – 16, 2008)
• Project wrap up / Campus close out meetings (April ~ July)

IRM Deficiency and Communication
• Impact on Financial Audit Team
  • Because IRM leads in the timing of its testwork, IRM will report all deficiencies to the financial audit team. The financial audit team will analyze these deficiencies as they relate to their year-end financial statement audit. This may or may not have an impact on their audit procedures and sample sizes.
• Control deficiencies
  • There is a focus on prior year deficiencies: un-remediated issues are of more concern and high risk, as management needs to be sure the prior issues are acknowledged and resolved.
  • Pervasive issues have an impact on the progress of the IRM audit. If we find a pervasive deficiency before detailed testwork begins, we will not test all controls, because testwork over alternative controls will not mitigate the risk of such pervasive deficiencies.
• Close out meetings / deficiency meetings will be conducted after each campus has been properly analyzed and reviewed by KPMG management. This meeting will be conducted prior to KPMG’s formal notification to the Chancellor’s Office. We will invite all GAAP and IT contacts associated with the respective campus noted within the Chancellor’s Office contact listing. We ask that each campus review the listing to help us ensure the appropriate contacts are notified of deficiencies for each campus.