Practical Disaster Recovery

Presentation Transcript

SAS94 Overview : 

Chris M. Luikart
Malin, Bergquist & Co., LLP

SAS94 General Statement : 

“The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”

SAS94 – Coverage : 

- Technology is Used Extensively
- Increased Technology = Increased Risk
- Human Mistakes Still Take Place

SAS94 – Since 2001….. : 

What has taken place since its issuance?
- SAS99 – Fraud (IT Controls Here)
- SAS112 – How to communicate IT related control issues to Management

SAS94 – Internal Control : 

What is internal control?
A process “designed to provide reasonable assurance regarding the achievement of objectives” in the reliability of financial reporting, operational effectiveness and efficiency, and compliance with law.

SAS94 – Control Components : 

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

SAS94 – Control Environment : 

- Has the tone of control been set by the environment?
- If it is not stated from the top then it is hard to expect people to follow.
- Is there structure and discipline?

SAS94 – Risk Assessment : 

- What are the relevant risks?
- Will they prevent the organization from achieving their goals?
- Does the organization know of these risks?

SAS94 – Control Activities : 

- Are there policy and procedures in place?
- Better yet, are they being followed?
- What is their process for creating and educating on their P & Ps?

SAS94 – Info & Communication : 

- How do the “systems” process information?
- Is it timely and reliable?
- Does it allow for responsiveness?

SAS94 – Monitoring : 

- Is there a system in place?
- Does it assess the internal control over time?
- Is it quantitative in nature?

SAS94 – Matrix : 


SAS94 – Quality Audit : 

- Is there a need for testing of IT controls?
- Depends…..
- Auditor has to consider what testing is needed to satisfy IT controls.
- Does that require an IT expert or not?

SAS94 – Auditing IT Controls : 

What does IT Auditing Cover?
- It is NOT a financial audit
- It is NOT an attestation
- It IS supporting the Financial Auditor

SAS94 – Auditing IT Controls : 

Determinations:
- Organization Size
- Organization Ownership
- Nature of Business
- Diversity and Complexity
- Legal and Regulatory Requirements

SAS94 – Auditing IT Controls : 

What do you do for an IT Audit?
- Review General Controls
- 6 Main Areas

SAS94 – Auditing IT Controls : 

Physical & Environmental Controls
- Physical Controls
- Power Conditioning
- Environment (AC, humidity, etc.)
- Fire Suppression
- Protection from Water

SAS94 – Auditing IT Controls : 

System Administration
- Review of system types
- Security of system
- Databases
- User rights and access
- Policy and Procedures

SAS94 – Auditing IT Controls : 

Application Controls
- Access controls
- Exception handling
- Validation
- Flow controls
- Manual controls vs. Automated

SAS94 – Auditing IT Controls : 

Change Control
- Who can make significant changes?
- Request process
- Testing
- Implementation

SAS94 – Auditing IT Controls : 

Network Security
- Internal connections
- External connections
- Firewalls and Routers
- IDS

SAS94 – Auditing IT Controls : 

Disaster Recovery/Business Continuity
- Test plan
- Off site storage
- Failover
- RTO and RPO
- Spares

SAS94 – Auditing IT Controls : 

Data Testing
- Review on screen
- Review paper
- Use software like ACL to test data, can even use Excel

SAS94 – Auditing IT Controls : 

Application Testing
- Input/Output
- Processing of data
- Preventive, Detective and Corrective controls

SAS94 – Auditing IT Controls : 

How to Approach Applications
- What is the app used for
- Does it do what it is supposed to do
- What controls are in place
- How are updates to the app completed
- Who has access and what can they do

SAS94 – Auditing IT Controls : 

Applications Continued…..
- Can use software to mimic data flow
- Test data from start to finish

SAS94 – Auditing IT Controls : 

What are some of the IT Risks
- Access control is key
- Internal Users are Highest Risk
- Hackers
- Software glitches
- Improper setup of hardware

SAS94 – Auditing IT Controls : 

Things to look for during IT Audit
- People
- Places
- Equipment
- Recovery Planning
- System/Database Administration

SAS94 – Auditing IT Controls : 

Do you need an IT person for IT Audit
- I think so….
- Accountants don’t ask us to do their work
- Experience and expertise is key
- Knowledge
- Respect of peers

Summary : 

- SAS94 requires IT support
- More sophisticated than ever
- Requires more technology skills than the past
- IT Auditor needs to be able to communicate effectively the results

Thank You! : 

Any Questions:
Chris M. Luikart
Information Technology Manager
Malin, Bergquist & Co., LLP
cluikart@malinbergquist.com
412.364.9395
