
INTEGRATED AUDITING

INTEGRATED AUDITING. Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, ACUA Faculty carol.rapps@utsa.edu 210-458-4679 Mark Bigler CPA, CFE, CISA mark.bigler@sanantonio.gov 210- 2013. Objectives. Introduction to Integrated Auditing Definition, Benefits & Shortcomings


Presentation Transcript


  1. INTEGRATED AUDITING
     Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, ACUA Faculty carol.rapps@utsa.edu 210-458-4679
     Mark Bigler CPA, CFE, CISA mark.bigler@sanantonio.gov 210-
     2013

  2. Objectives
     • Introduction to Integrated Auditing
     • Definition, Benefits & Shortcomings
     • Are there Knowledge Gaps?
     • Areas in Need of Integrated Auditing
     • Staffing & Skill Requirements
     • Real World Example(s)
     • Current: Office of City Auditor’s
     • Past: If there is time…
     Carol Rapps - 2013

  3. What is Integrated Auditing?
     • Adding an IT Auditor to every internal audit to look at IT Systems?
     • Training an Internal Auditor to look at IT Systems in every audit?
     • Training an IT Auditor to perform internal audits?
     • Training one auditor to do every type of audit: operational, financial, IT, security, compliance?
     • What hat do you want me to wear today, CAE?

  4. IIA - Practice Guide Integrated Auditing, July 2012
     • Difference between Integrated and Non-integrated Audit Approach
     • An integrated audit differs from a non-integrated audit in terms of scope and overall complexity
     • Complexity Directly Related to Broader Nature of Integrated Audit Requires:
     • Use of Multiple Audit Techniques
     • Increased use of external resources or increased knowledge of staff
     • Enhanced project management skills
     • Balanced approach to risk identification & ratings
     • Increased oversight & creativity by the auditor
     • Changes to current staffing model

  5. Advantages of Integrated Audit
     • Increase Coverage?
     • Get An Audit Done Faster?
     • Increase Audit Activity Credibility?
     • Increased Auditors' Confidence?
     • Increased Auditors' Proficiency in Multiple Operations?
     • Reduce Cost?
     • Improved Reporting?
     • More Effective Risk Assessments & Audit Planning?
     • ?’s For CAEs:
     • How does this affect traditional internal audit productivity metrics?
     • How do you measure quality and value of an audit vs. how fast it gets done and how much it costs?

  6. Advantages of Traditional Audit
     • Grows knowledge of the organization?
     • Increases Auditor Knowledge & Skills?
     • Limited Scope – Done Faster?
     • Covers what needs to be covered?
     • Challenge Auditors?
     • Limited Scope - Cost Less?
     • ?’s for CAEs:
     • Does this produce quality results?
     • Does this effectively cover entire organization?

  7. Key Areas Where Integrated Auditing Is Needed
     • Operations:
     • IT – Application Audits
     • Compliance - Specific regulations & internal policies associated with individual operations
     • Information Security
     • Data Integrity (e.g. edit checks, authorization limits)
     • Calculations
     • Interface Controls (Balancing)
     • Security
     • Financial (Audit Applications / Systems Used to produce financial statements)
     • IT Application Audit (Data Integrity, Calculations, Authorization Limits)
     • GAAP Compliance
     • Security

  8. Key Areas Where Integrated Auditing Is Needed (Cont’d)
     • Security (Yes different than IT)
     • IS Governance
     • Physical
     • Logical
     • IT Operations
     • IT Governance
     • Change Management
     • Departmental Management
     • Others?
     • IT Technical Audits
     • Specialized Skills (outside expertise)
     • Security (can use all auditors)

  9. Office of City Auditor (OCA)
     • OCA - directed by City Auditor Kevin Barthold CPA, CIA, CISA
     • 21 auditors in total which includes 3 “IT auditors”
     • 4 CISAs (2 in management)
     • 2 additional auditors have passed CISA exam (working on experience)
     • 3 Audit teams of 5 – 6 auditors; each team headed by a manager
     • All IT auditors are on my team
     • OCA is responsible for auditing the City’s 36 Departments (e.g. Police, Fire, Airports, Public Works, Waste Management, Municipal Courts, Parks & Recreation, Health, Library, etc.)
     • OCA performs IT Audits of the City’s IT Department which provides services to all City Departments, delegate agencies, and various local, state, and federal government entities. Major systems include: SAP, 9-1-1 Dispatch, 3-1-1 CRM, etc.

  10. OCA’s Approach
     • OCA’s 2013 audit plan includes 21 performance (operational) audits, 2 IT audits, and 6 follow-up audits
     • IT Audits
     • OCA’s overarching IT audit plan was to first evaluate general controls that apply to all (or a large segment) of the City’s systems, then audit application controls
     • OCA uses FISCAM and GAGAS (Yellow-Book), NIST, COBIT, ITIL
     • FISCAM General Control Areas include: Security Management, Contingency Planning, Configuration Management, Segregation of Duties, Access Controls
     • Access Control audits: identification/authentication systems (e.g. Active Directory), network (e.g. firewalls, web servers, routers), operating systems (server and workstation), infrastructure applications (e.g. database management, email, etc.)
     • Potential Application Controls Audits: SAP security, 9-1-1 System, 3-1-1 System

  11. OCA’s Approach
     • Performance Audits
     • Most of OCA’s performance audits have an IT controls facet to them
     • OCA’s “IT auditors” are assigned to perform IT and performance audits but are available for assistance to other audit teams as needed
     • Non-IT audit teams are developing IT audit skills mainly through taking entry/intermediate level group training courses

  12. OCA’s Approach
     • OCA generally grows/hires its own (IT auditors)
     • Advantages (vs. Contracting):
     • Internal auditors maintain historical knowledge of the organization’s systems, procedures, players, etc. resulting in a learning curve advantage
     • Vested interest in the organization; part of the internal audit team
     • Always there to assist with IT issues and good for interpreting IT geek speak
     • Disadvantages:
     • Ongoing and significant investment in training
     • Salary demands are usually higher than non-IT auditors
     • May not have required breadth and depth of technology skills
     • Turnover (demand for IT auditors exceeds supply)

  13. Other Examples (If Time Allows)
     • American National Bank
     • Tokai Limited
     • Times Mirror

  14. QUESTIONS
