Opportunities for CAs in Information Technology
Sunil BAKSHI
Rajendra PONKSHE
Shirish PADEY
ICAI-Pune Branch
Mar 27, 2015
Statutory/Internal Audit
1. Introduction to Controls based Audit
2. Review of IT General Controls
3. Validation of Automated Controls
4. Segregation of Duties
5. Data Migration
6. ERP Upgrade
7. Report Validation
8. JE Extraction and Analysis
9. Other Challenges in ERPs
1.1 Standards on Auditing
SA315 – Identifying and Assessing the Risk of Material Misstatement Through Understanding of the Entity and its Environment
• The auditor shall
- Obtain understanding of Internal Controls
- Obtain understanding of Information Systems, including related business processes
- Obtain understanding of how the entity has responded to risks arising from IT
- Obtain an understanding of the entity’s controls over the risk of inaccurate or incomplete recording of transactions in a highly automated processing environment
1.1 Standards on Auditing
SA330 – The Auditor’s Responses to Assessed Risk
• The auditor shall
- Consider effectiveness of General IT Controls
SA265 – Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.
1.2 Reporting on Internal Financial Controls
Mandated from 2015-16 for ALL Companies
Preparedness Review
Integrated Audit
1.3 Accounting in ERPs
All entries are Journal Entries
There are NO Primary or Secondary Books of Account – only data stored in Tables
1.4 Difficulty in Substantive Audit for ERPs
Absence of Printouts
Voluminous data
Difficulty in Ledger Scrutiny
Difficulty in audit of “manual” journal entries
1.5 Alternative?
Reliance on IT General Controls
• Relying on Automated Controls and Automated Accounting Procedures
• Reliance on the logic of Reports and System-Dependent Manual Controls
• Reliance on Underlying Data
2.1 IT General Controls
ITGCs cover 5 domains:
– IT Governance,
– Access to Programs and Data,
– Change Management,
– Program Development,
– Computer Operations
2.3 ITGC - Impact on Audit
In case ITGCs are adequate, the auditor will be able to rely on
– System-generated data
– Standard Reports and
– Automated Controls
– Automated Accounting Procedures
A Controls-Based audit approach can be followed.
Especially for MNCs, where servers are hosted abroad, the ITGC Report may have to be obtained from Central Teams
3.1. Automated Controls
Automated Controls
Automated Accounting Procedures
System-Dependent Manual Controls
3.2. Automated Controls
Very ERP-Specific
Identification through understanding and walkthroughs
For most ERPs, walkthroughs could mean validations
One sample may be enough for validation
Other Opportunities
1. SSAE16/ISAE3402 Reports
2. ERP Implementation and Support
3. Software Testing
4. Data Warehousing and Data Mining
5. Forensics
Suggested Knowledgebase
Hardware
Databases
Data Warehouse
Operating Systems
Networks
Programming Language
Suggested Certifications
GNIIT
CISA – www.isacapune.org
DISA
CISSP
Software Testing
Certified Fraud Examiner
SAP Certification
In the wonderful world of IT
-- Experiences of a CA
CA Rajendra Ponkshe
FCA,LL.B.,CISA,CIA,CGEIT,ISO 27001LA, COBIT(F)
3/26/2015
ROADMAP ?
START SMALL
INVEST IN LEARNING – NEW IT CONCEPTS.
UPDATE YOUR KNOWLEDGE
READY TO TAKE RISK ?
GO EXTRA MILES
New trends in IT
Sunil Bakshi
MCA, AMIIB, CISA, CISM, CISSP, CGEIT, CRISC, PMP, ISO27001:2005 LA, BS25999:LI, CEHv6, ISO14001:2004 LA
I Keep Six Honest Serving-Men
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
Rudyard Kipling
http://www.kipling.org.uk/poems_serving.htm
Top ten trends in IT
Big Data and Data Analytics
Mobile
Cloud
Machine Learning
Internet of things
Massive open online courses
Social Networking (Media)
Digital Business Models
Cyber security
Digital Currency
Technology helps in growing but…….
In Hours, Thieves Took $45 Million in A.T.M. Scheme
It was a brazen bank heist, but a 21st-century version in
which the criminals never wore ski masks, threatened a
teller or set foot in a vault.
employees of a call center in Pune, India, were arrested
this week on charges of defrauding four Citibank
account holders in New York, to the tune of $300,000, a
police official said.
The three former employees of Mphasis BPO, the
business process outsourcing operation of Bangalore
software and services company Mphasis BFL Group,
are charged with collecting and misusing account
information from customers they dealt with as part of
their work at the call center,
Security
“In order to set the king’s mind at rest and direct the public affairs, to seek hegemony and lord it over nearby principalities and then distant ones, it is necessary to build castle walls as a defence against enemies, fill up depots and work out proper measures according to local conditions.”
What should a CA do?
IT: one is always a student … learning never stops.
One cannot master everything in IT.
Every new trend has two sides … beware of the darker side.
• Adopt new technology … but never forget the associated risk
You may choose to specialize … decide what you want.
• IS Audit
• System Consultancy with respect to business opportunities
• Business analyst with special focus on IT Controls