IS Audit and Internal Control
Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for enterprises. Internal Controls can be compared to the chassis of a vehicle – without the chassis, the engine is rendered useless. Internal Controls are most needed in a corporate environment to prevent fraud incidence and to manage risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along with help of technology, they have succeeded in increasing their size of services, produces and presence. Enterprises are now having their locations all over the world. Thus the need of having correct Internal Controls is more than ever.
A CA provided the following services until the effect of technology struck business. As a professional, he used to provide services such as Audit, Tax, Company Matters, Legal Compliances, and Accounting etc. Specifically as an Audit Professional, he used to render services of conducting audit engagements such as Statutory Audit, Tax Audits (both Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, and Internal Audits etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technology such as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc.
A CA is expected to know and review implementation of new regulations and standards like The Sarbanes – Oxley Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing Agreement, Privacy Acts of various Countries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is related to Internal Audit. Internal Controls that are present in the enterprise are completely relevant while conducting an IS Audit.
These are some keywords that would be repeating in this study and is important to understand them.
1. Control: It literally means Internal Controls that is present in a business environment. It can be IT Controls or non IT Controls.
2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non happening.
3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process.
Internal Control simply means “Policies framed by the management in order to have stronger and adequate control of affairs within the enterprise, and which can be checked by the Internal or Statutory Auditor in order to ensure that the goals and objectives of the enterprise are duly met”. They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain integrity of the data.
Internal Controls is said to be a sum of General Controls and IS Controls. IS controls is said to be a sum of IT Application Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software.
IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The Application software could be a retail banking system, an Inventory system or possibly an integrated ERP. Controls which relate to business applications leading to judicial use of the application and enforced through the application itself to the end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
- Input Controls: Controls that are enforced during the input of data by a user. E.g. Data Checks and variations
- Processing Controls: Controls that are enforced during the processing of data that have been input. E.g. duplicate checks, File Identifications and Validations etc.
- Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update Authorizations etc.
- Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data Encryption, Input Validations etc. These controls can be enforced during input and processing and storage of data.
- Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g. Time stamps and snapshots of application.
IT General Controls: They may also be referred as General Computer controls. These are controls other than IT Application Controls, which relate to the environment within which computer-based application systems are developed, maintained and operated and are therefore applicable to all applications These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
- Physical Access Controls: These controls are enforced at protecting the physical locations of the IT Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc.
- . Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data center is treated as an extremely sensitive area and thus a higher risk would be present. E.g. Biometric Locks, Presence of Server Racks, Presence of Air Conditioners, Fire Extinguishers, Weather Controls, Log Register of people etc.
- IS Security: These controls are enforced at every level of IT Infrastructure. The objectives of these controls are protection of Information Assets. The CIA triad is enforced i.e. Confidentiality, Integrity and Availability of Data and information security is maintained. E.g. Firewall, Antivirus, Anti Spyware, Timely updating of software and antivirus updates and patches etc.
- System Development Life Cycle and Change Management Controls: These controls are enforced to ensure that the correct process of software development/procurement and release management is followed. E.g. Documented Process for procuring software, Documented Process of incorporating changes to the acquired software etc.
- Logical Controls: These are controls which provide access restrictions to the employees who use the IT Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
- Backup and Recovery: These controls are present to ensure proper backup and recovery processes of the data of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
- End user computing: These controls are enforced directly on the employees. These controls are enforced with an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and Review, Disabling of USB Ports etc.
An IS Audit is performed to provide assurance that all of the above mentioned controls are adequate and satisfactory to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically divided into two sections i.e. Review of IT Application Controls (ITAC) and Review of IT General Controls (ITGC). An IS Audit would have the following process:-
- An IS Auditor would begin his audit engagement by having conversation with the IT Administrator/CIO of an enterprise. The IS auditor would review all the documented policies and processes that are being enforced within the organization. Documented policies would include a IS Security Policy, Bring Your Own Device Policy (BYOD), Password Policy, BCP etc. The IS Auditor would be gaining an understanding of the overall level of the Internal Controls.
- An IS Auditor would then gain an understanding of the applications that have been implemented in the IT Infrastructure. It would be a base for him to decide the plan of action of the Audit.
- The next step would be to collect a list of all the types of logs that can be generated by the applications.
- After collecting the above information, the auditor the auditor identifies the risks that are applicable for the enterprise. The approach that would be followed is to create a matrix for each application and area (for ITAC and ITGC respectively) and would identify the controls that are enforced in the enterprise. All the identification and Review of controls would be performed by sampling, observations or any other method.
- Testing of Design Effectiveness and testing of operating effectiveness would be performed by the IS Auditor on every identified control. Testing of Design Effectiveness refers to the working design of the control as documented. It is a blue print of the control. Testing of Operating Effectiveness refers to actual performance of the Control in the IT Environment.
- It is important for the IS Auditor to collect sufficient evidence while identifying the controls. Evidences can be in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.
- A Risk Rating exercise is then performed to the identified controls to see whether the identified control is sufficient to mitigate the identified risk.
- Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggested and accordingly an IS Audit report would be drafted and shared to the enterprise.
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations, an IS Auditor would be able to provide sufficient assurance whether the incorporated controls are adequate or not to the nature and size of the IT Infrastructure of the enterprise.
Bharath Rao B
What we provide
Quadrisk comprises of Chartered Accountants and security professionals with background in audit, business process design, GRC tool Implementation, Forensic Investigations and security projects.
Quadrisk gives clients the confidence that their compliance program is managed by a company that has the necessary experience and skills.
Quadrisk provides globally bench-marked risk and compliance solutions that enables companies to build a more resilient business. Our mission is to help our customers to adopt mature risk management practices in their day-to-day operations and thereby:
- Reduce risk of litigation and penalties with effective internal controls
- Secure their businesses with better visibility of their risks across geographies and business units
- Reduce the cost of compliance through automation and outsourcing.
Quadrisk provides services across Asia, US and Europe. Our offices are present in Chicago, US and Bangalore, India
Collectively, the founders have executed projects for 11 out of the top 100 global companies. We have led and executed large and complex compliance projects across more than fifty countries.
We collaborate with academia and industry forums to bring to our customers new methodology, tools and technology. We focus on continuous learning that is re-affirmed through recognized certifications. We have specialized teams for each of the domains and technology areas.
Domain and Technology Expertise
We bring deep knowledge in the subject of compliance that is complemented by our expertise in technology. Our project team comprises of a combination of subject-matter experts and technical consultants. With our in-depth knowledge and global experience in this field, we provide innovative, high-quality and practicable solutions.The Lego Batman Movie (2017)
Risk, Compliance and Decision Solutions using Machine Learning
Non-compliance and Revenue leakage in Shared Services operations using big data analytics
The Client – Indian subsidiary of one of the multinational companies located in Bangalore for their Shared services organization
The Scope – The Company uses shared services for operations across India. It wanted to track frauds, revenue leakage and process inefficiencies. The data volume was in millions of records.
The Solution –
Identification of cases of revenue leakages like duplicate payment to vendors
Identification of non-compliance issues – e.g. revenue recognition
Early identification of instances of fraud and corruption
Identify collusion with Vendor during contract award using pattern analysis
The Client – The client is a well-known infrastructure company headquartered in New Delhi.
The Scope – The company awards about 1000 contracts a month across all business units. They wanted to identify suspicious transactions so that in-depth investigation can be done for about 5% of all transactions.
The Solution –
Our analysis included
- Detection of related-party transactions and conflict of interest during Contract award
Detection of information leakage during Contract award process by looking at bidding pattern
Identification of split contracts and purchase orders (Multiple orders to a Vendor within a short period of time)
Contract awarded to Vendors with past quality issues (in another location or unit)
Identification of suspicious transactions through a group of indicators. For e.g : Big order awarded to small Vendor
The Outcome –
Early Identification of potential fraud of significant value using data analytics (Use to take 1.5 years instead of weeks)
Proactive investigation of suspicious cases instead of re-active investigation
Fraud and Revenue leakage in AP using AI
The Client – One of world’s largest consumer goods company.
The Scope – The client wanted to set up a system to proactively monitor frauds. It wanted to harness the power of data analytics to detect and prevent fraud and corruption.
The Solution –
Identified suspicious transactions
Identified process and data gaps
Defined key fraud indicators
Provided inputs for technology requirements.
Anti-money laundering in India
Two articles published by Quadrisk team in Rediff about state of Anti-money laundering in India and what steps are taken to prevent it
Beyond GRC tools – Analytics for internal audit and fraud discovery
In a sense SOX, was a landmark legislation. It altered audit and internal control landscape forever. It is not as if internal controls did not exist prior to SOX. But SOX brought internal controls in fore front.
First couple of years of SOX compliance was nightmare for companies. Every company setup a project office, reporting to CFO. If we look back in time, both the consultants and the companies were bit unsure on SOX compliance. Most companies were uncertain about extent of controls to be monitored. Gradually, the controls were rationalized as in the count of control to be monitored were reduced. Similarly, controls were optimized i.e. redundant controls were removed from the process. This improved process efficiency.
In terms of automation, first came various document management tools, which helped companies to save all documentation in single repository instead of spreadsheets scattered in desktops. Some web based GRC tools were introduced to manage entire compliance functions. It stored all process, risk and control documentation besides test plans and results. Workflows enabled tasks were introduced. The focus was on automation of compliance process.
Then came GRC tools, that performed automated testing. It significantly reduced the effort required for testing controls and also improved quality of testing. It fetched data from source ERP system and performed analysis. Thus, the automation shifted to controls monitoring.
Now there is focus on automating control execution. If the control is automated, it can be tested by GRC tools, thereby automating testing.
While GRC usage has resulted in significant improvement over manual testing of controls, technology is now available to look beyond GRC tools. Most of the GRC tools cannot process huge transaction data. Even if it could, there is limitation on type of analysis it can do.
As with other areas, analytics can greatly enhance efficacy of audit, particularly internal audit. There are many sophisticated tools available today to analyze of millions of records. Combination of results can be analyzed to eliminate false positives. The technology available is not restricted to Fortune 500 companies. For e.g. an open PO used for a dormant vendor.
Auditors can audit the entire data instead of sampling, that too, in quick time. Over a period of time, when the data is sufficiently large, predictive analysis can also be performed. For e.g., when a particular vendor will delay on supply or which customer is likely to default on payment. Such analysis is not confined only to financial data or data within ERP. One of the powerful features can be to analyze data in light of third party data which is publically available in various government websites, third party maps or even social media!!! Both structured and unstructured data can be analyzed.
Another area where analytics can help is fraud. World over significant revenue is lost due to frauds. Since it is possible to analyze huge amount of data, the auditor can dissect anomalies using different parameters to identify suspicious transactions. Of course, some amount of field work may be required to confirm fraudulent transaction. For e.g. you need to approach your banker to identify who was the ultimate beneficiary of the manual check payment or the account where the money was transferred.
With advancement in technology, using analytics for audit does not require huge investment. As mentioned earlier, it is no longer limited to Fortune 500 companies. It also calls for compliance professionals and auditors to embrace the technology. While they may not be required to code or write scripts, it is imperative that they are well versed with features and limitations.
In the next series, I will discuss on key technology features where analytics can help consultants and auditors.