PRE-IMPLEMENTATION AUDITS
Lucas Kowal, Jeffrey Saffer
Presentation to NYSSCPA, August 17, 2004

Adjust to Pre-Implementation Mode
• Think proactive, not reactive
• Think partner, not auditor
• Think COBIT
• Don't forget your SOX

What is a Pre-Implementation Audit?
• An audit review of a system currently being developed.
• A review conducted to evaluate and test the proposed control environment in the new system.
• The review concludes when the new system is placed into production.
What is Not a Pre-Implementation Audit?
• "Baby-sitting" the project by only attending status meetings.
• Compiling mountains of project documentation.
• Judging the competency of the project management team.

Why Do We Perform Pre-Implementation Audits? (What Are Our Objectives?)
• To ensure that:
  • Business requirements for the system are clearly defined.
  • The IT solution meets the business requirements.
  • The business unit (BU) and IT are aware of the controls needed within the system.
• To ensure that new systems are:
  • Designed with an adequate level of built-in controls.
  • Managed effectively and efficiently during design, development and implementation.
  • Implemented in accordance with established policies and best practices.
• For our own benefit:
  • To evidence the control environment in the new system for future audit reference.
  • To increase the knowledge base within the Audit Department.
  • To develop a partnership with IT and the BU.
New System Development
Typical SDLC for new systems. Each phase has its own risks and controls that must be assessed by the auditor.

The COBIT Approach
Match the SDLC phases to COBIT control domains. What is COBIT?

Control Objectives for Information and Related Technology (COBIT)
What it is:
• A methodology of standards and controls.
• A control model to meet the needs of IT governance and ensure the integrity of information.
• Consolidated standards from global sources.
What it does:
• Links information technology and control practices.
• Assists IT personnel in the implementation, review, administration and monitoring of the IT environment.
COBIT-Centric Pre-Implementation Audit Areas
• Planning and Organization (Governance)
  • Project plan
  • Management approval and sponsorship
  • Staffing and skill sets
  • Monitoring and reporting
• Acquisition and Implementation
  • Requirements definition and analysis
  • Software development
  • Hardware acquisition
  • Integration with other systems
  • Access security
  • Testing
  • Document retention (SOX)
• Delivery and Support
  • Implementation schedule
  • End-user training
  • Performance monitoring
  • IT support training
  • Documentation
  • Program version control
• Monitoring
  • Assessments of progress
  • Status reports
  • Compliance with standards
The Audit Approach
• Proactive audit participation
  • Membership in project committees
  • Membership in project e-mail groups
  • Attendance at selected meetings
  • Meet with the IT project team and BU stakeholders
• Function as "control consultants" in system development
  • Identify where controls are required
  • Ensure built-in controls are adequate
• Identify control issues and ensure corrective action is taken
  • Record and report issues
  • Partner with the project team on resolution
  • Follow up and verify to ensure resolution
  • Issues are reported to project managers and business unit managers
  • Issues are tracked for future reference

Pre-Implementation Audit Reports
• Format
  • Simple, briefer format than full audit reports
  • Limited distribution
  • Describe audit work done, issues noted, actions taken
• Reports issued during the course of the pre-implementation review
  • Issued prior to major project milestones or at predefined time intervals, depending upon the length of the project
  • Final report at the end of the project
Audit Method
• Become part of the project team
  • Attend appropriate meetings
  • Be included in project e-mail groups
  • Do not lose objectivity!
• Observe, assess and evidence
  • Adherence to policies and procedures
  • Adherence to the project plan
  • Expected vs. actual controls
  • Independent testing where appropriate
• Document
  • Critical system functions/processes
  • Test results
  • Control issues and resolutions
• Report
  • Timely reporting of control issues
  • Interim reports at various stages during the project
  • Final report at completion of the project
Audit Deliverables
Item: When Produced
• Planning Memo: Start of engagement
• Audit Program: After the Planning Memo
• Audit Reports: Various times during the audit, with a final report at the end of the audit
• Controls Listing: Completed during audit fieldwork