Lucas Kowal Jeffrey Saffer - PowerPoint PPT Presentation

About This Presentation
Title:

Lucas Kowal Jeffrey Saffer

Description:

PRE-IMPLEMENTATION AUDITS Presentation to NYSSCPA August 17, 2004 Lucas Kowal Jeffrey Saffer Adjust to Pre-Implementation Mode Think proactive, not reactive Think ... – PowerPoint PPT presentation

Slides: 26
Provided by: saff1
Learn more at: https://nysscpa.org

Transcript and Presenter's Notes

1
Lucas Kowal, Jeffrey Saffer
  • PRE-IMPLEMENTATION AUDITS

Presentation to NYSSCPA August 17, 2004
2
Adjust to Pre-Implementation Mode
  • Think proactive, not reactive
  • Think partner, not auditor
  • Think COBIT
  • Don't forget your SOX

3
What is a Pre-Implementation Audit?
  • Audit review of a system currently being
    developed.
  • Review conducted to evaluate and test proposed
    control environment in the new system.
  • Review concludes when new system is placed into
    production

4
What is Not a Pre-Implementation Audit?
  • Babysitting the project by only attending
    status meetings.
  • Compiling mountains of project documentation.
  • Judging the competency of the project management
    team.

5
Why Do We Perform Pre-Implementation Audits? (What Are Our Objectives?)
  • To ensure that:
      • Business requirements for the system are clearly
        defined.
      • The IT solution meets the business requirements.
      • BU and IT are aware of controls needed within the
        system.

6
Why Do We Perform Pre-Implementation Audits? (What Are Our Objectives?)
  • To ensure that new systems are:
      • Designed with an adequate level of built-in
        controls.
      • Managed effectively and efficiently during
        design, development and implementation.
      • Implemented in accordance with established
        policies and best practices.

7
Why Do We Perform Pre-Implementation Audits? (What Are Our Objectives?)
  • For our own benefit:
      • To evidence the control environment in the new
        system for future audit reference
      • To increase the knowledge base within the Audit
        Department
      • To develop partnership with IT and BU

8
New System Development
  • Typical SDLC for new systems


Each phase has its own risks and controls that
must be assessed by the auditor.
9
The COBIT Approach
  • Match the SDLC Phases to COBIT Control Domains
  • What is COBIT?

10
Control Objectives for Information and Related Technology (COBIT)
  • What it is:
      • Methodology of Standards and Controls.
      • Control model to meet the needs of IT governance
        and ensure the integrity of information.
      • Consolidated standards from global sources.

11
Control Objectives for Information and Related Technology (COBIT)
  • What it does:
      • Links information technology and control
        practices.
      • Assists IT personnel in the implementation,
        review, administration and monitoring of the IT
        environment.

12
CobiT Audit Domains
13
Incorporating COBIT Into the SDLC Process
14
COBIT Centric Pre-Implementation Audit Areas
  • Planning and Organization (Governance)
      • Project plan
      • Management approval and sponsorship
      • Staffing and skillsets
      • Monitoring and reporting

15
COBIT Centric Pre-Implementation Audit Areas
  • Acquisition and Implementation
      • Requirements definition and analysis
      • Software development
      • Hardware acquisition
      • Integration with other systems
      • Access security
      • Testing
      • Document retention (SOX)

16
COBIT Centric Pre-Implementation Audit Areas
  • Delivery and Support
      • Implementation schedule
      • End user training
      • Performance monitoring
      • IT Support training
      • Documentation
      • Program version control

17
COBIT Centric Pre-Implementation Audit Areas
  • Monitoring
      • Assessments of progress
      • Status reports
      • Compliance with standards

18
The Audit Approach
  • Proactive audit participation
      • Membership in project committees
      • Membership in project email groups
      • Attendance at selected meetings
      • Meet with IT project team and BU
        stakeholders

19
The Audit Approach
  • Function as Control Consultants in system
    development
      • Identify where controls are required
      • Ensure built-in controls are adequate

20
The Audit Approach
  • Identify control issues and ensure corrective
    action taken
  • Record and report issues
  • Partner with project team on resolution
  • Follow up and verify to ensure resolution
  • Reported to project managers and business unit
    managers
  • Tracked for future reference

21
Pre-Implementation Audit Reports
  • Format
  • Simple, briefer format than full audit reports
  • Limited distribution
  • Describe audit work done, issues noted, actions
    taken
  • Reports issued during course of
    pre-implementation review
  • Issued prior to major project milestone or at
    predefined time intervals depending upon length
    of project
  • Final report at end of project

22
Audit Method
  • Become part of the Project Team
      • Attend appropriate meetings
      • Be included in project e-mail groups
      • Do not lose objectivity!
  • Observe, Assess and Evidence
      • Adherence to policies and procedures
      • Adherence to project plan
      • Expected vs actual controls
      • Independent testing where appropriate

23
Audit Method
  • Document
      • Critical system functions/processes
      • Test results
      • Control issues and resolutions
  • Report
      • Timely reporting of control issues
      • Interim reports at various stages during the
        project
      • Final report at completion of project

24
Audit Deliverables
  Item               When Produced
  Planning Memo      Start of engagement
  Audit Program      After Planning Memo
  Audit Reports      Various times during audit, with final report at
                     end of audit
  Controls Listing   Completed during audit fieldwork

25
Questions?
  • ?