Information Risk Management in the Audit
Chapter 9
Presented by Dee Dee Owens, Senior Manager
KPMG LLP

KPMG Information Risk Management (IRM) Audit Team – Overview of IT Controls
• IT General Controls
  • Controls that support the foundation of the system.
  • Includes 4 components
    • Program Development
    • Program Change
    • Computer Operations
    • Access to Programs and Data
• Application Controls – are automated controls
  • Steps or requirements that a computer system executes to achieve a specific objective. The objective of the automated control is to prevent, detect and/or correct the risk of a financial misstatement.

KPMG Information Risk Management (IRM) Audit Team – Scope of Work
• IT General Controls Review
  • Please note that the IT Audit scope for 2009 is reduced due to significant deficiencies noted in 2008
  • Current year procedures include:
    • PeopleSoft application password configuration settings
    • User access provisioning and de-provisioning of PeopleSoft application access
    • Program change procedures
    • System development lifecycle procedures
  • Current year procedures do not include:
    • PeopleSoft security controls testing (due to prior year deficiencies)

KPMG Information Risk Management (IRM) Audit Team – Scope of Work
• Current year procedures are in the process of being conducted at the following campuses:
  • East Bay
  • Los Angeles
  • Maritime Academy
  • Monterey Bay
  • San Bernardino
  • San Jose
  • San Luis Obispo
  • San Marcos

KPMG Information Risk Management (IRM) Audit Team – Scope of Work
• Testing is also being conducted at CMS focusing on the following areas:
  • Program changes
  • PeopleSoft access rights in production

KPMG Information Risk Management (IRM) Audit Team – Scope of Work (continued)
• Application control testing
  • This testing is not being conducted in 2009 due to the significant deficiencies from the prior year.
  • In prior years, we have tested the following controls:
    • Department of Education upload to campus Student Information System (PeopleSoft or Legacy)
    • Grade system – user access
    • Interface from grade system to financial aid system (if applicable)
    • Access controls
    • Configuration controls
    • Automated Derivation Control

Background Information of Prior Year Significant Deficiency
• Refer to the CSU 2008 report on internal control over financial reporting and on compliance and other matters based on an audit performed in accordance with Government Auditing Standards
• Item 08-01 Segregation of Duties Conflicts and System Access
  • ISSUE #1 (CMS Central)
    • CMS Support Team had: Systems Administrator access to PeopleSoft (i.e. SOSSTECH – user administration) and access to Application Designer in PeopleTools (Developers with access)
  • ISSUE #2 (Campus Level)
    • Various campus level personnel have access to multiple roles resulting in a segregation of duties conflict: System Administrator; Database Administrator; and Programmer/Development Access
• Management is currently working to remediate and evaluate status

IRM Test Work – Key Dates
• March 12 – 16, 2009 – Campus IT PBC list was sent to campuses
• March – April, 2009 – Campus PBC were due to KPMG
• March – July, 2009 – Campus IT general controls test work and specific business process controls test work
• To gain efficiencies by working from one location, the IRM team will conduct testing remotely from our Orange County office. Please be prepared to accommodate conference calls during the week our teams are focusing on your campus as the testwork will be conducted via phone interviews and review of requested documents.
• Project wrap up / Campus close out meetings (June ~ July)

IRM Deficiency and Communication
• Impact on Financial Audit Team
  • Because IRM leads in testwork timing, IRM will report all deficiencies to the financial audit team.
  • The financial audit team will analyze these deficiencies as they relate to the year-end financial statement audit and modify the audit approach as may be necessary. This may include performing additional substantive procedures, making additional sample selections, etc.