Audit questions

camdeboo_ito
Joined: 2011-03-04 15:28
Audit questions

Hi all
My first municipal audit is coming up and I was wondering what type of questions to expect from the auditors.
Can anyone help?
Thanks in advance
Chris

douglasc
Joined: 2011-02-23 15:38
Re: Audit questions

Hi Chris

I am also going to ask Niall from Emakhazeni (niall@emakhazenilm.co.za) to comment.

But from a high level there is a "check-list" which sort of covers all your policies (email, security, disaster recovery etc.) and includes the following:

 

IT Governance, Controls and Information systems risks

Aim:

  • Accounting officers / with the support of ICT professionals ensure that their institutions use and maintain information systems that are appropriate to facilitate the preparation of accurate financial statements.
  • Good governance of the business therefore must include IT governance, a fact which is recognised in the King III report.

In terms of information system risks, ISA audits focus on the following areas:

  • Business Continuity
  • Service level agreements
  • Physical and environmental controls
  • IT Governance
  • Change control
  • Operating system and logical security
  • Segregation of duties

In terms of user account management reviews:

  • User account management procedures
  • Access request forms
  • Users’ access reviewed to ensure that it remained commensurate with their job responsibilities
  • Activities of the system administrators / controllers reviewed by an independent person

General assessment of adequacy of information systems:

  • The administration of the information systems
  • The use of multiple financial systems (which poses a challenge for the provincial treasury and Accounting Standards Board and makes the provision of guidance very difficult)
  • Higher risk of errors when data needs to be drawn and consolidated from more than one system
  • The systems that are vulnerable to errors and unauthorised changes to records
  • Systems do not provide proper audit/management trails
  • The information systems do not produce schedules and listings in support of account balances
  • Systems need to enable transition to GRAP/incompatibility with GRAP
  • Staff experience in executing their financial management and accounting responsibilities in terms of periodic reconciliations and verification of the accuracy of captured data / transactions / make-up of general ledger and subsidiary ledger / modules account.

Douglas Cohen
SALGA National office
Specialist: Economic Development (ICT)
Tel: 012 369 8012
Email: dcohen@salga.org.za
 

camdeboo_ito
Joined: 2011-03-04 15:28
Re: Audit questions

Thanks
Looks like it is going to be a very fun audit.
Esp considering that the bulk of the answers are going to be "no" or "wtf"
Chris

Christopher Nash

Camdeboo Municipality | Cacadu District | Eastern Cape
Tel: 049 807 5859 | Cell: 076 099 0163 | Skype:

douglasc
Joined: 2011-02-23 15:38
Re: Audit questions

Douglas Cohen
SALGA National office
Specialist: Economic Development (ICT)
Tel: 012 369 8012
Email: dcohen@salga.org.za
 

camdeboo_ito
Joined: 2011-03-04 15:28
Re: Audit questions

Maybe I am just super ignorant, but what is King III?
And what would/should an auditor look for to prove proper IT governance?
Thanks in advance.
Chris

Christopher Nash

Camdeboo Municipality | Cacadu District | Eastern Cape
Tel: 049 807 5859 | Cell: 076 099 0163 | Skype:

douglasc
Joined: 2011-02-23 15:38
Re: Audit questions

King III is the standard on Governance Practice. One difference between King II and III is the focus on IT. King III highlights the need for an IT or CIO or information officer, and also the need for an IT governance committee, to name a few.

It's good practice, but not mandatory.

http://lgict.org.za/document/dti-it-governance-framework

http://lgict.org.za/document/summary-king-3

http://lgict.org.za/document/king-iii-it-governance-internal-controls

http://lgict.org.za/document/role-information-protection-officer

Douglas Cohen
SALGA National office
Specialist: Economic Development (ICT)
Tel: 012 369 8012
Email: dcohen@salga.org.za
 

douglasc
Joined: 2011-02-23 15:38
Re: Audit questions

The PDF is quite useful from PWC

 

Remember these apply to massive corporate organisations, sometimes difficult to really make sense of in smaller organisations or worse local government

 

 

Douglas Cohen
SALGA National office
Specialist: Economic Development (ICT)
Tel: 012 369 8012
Email: dcohen@salga.org.za
 

Anonymous
Re: Audit questions

As a start, get your basic security policy and user policy and procedures for the financial system, HR and salaries system and your IT domain system approved and implemented. Make sure there are no dead users still in the system, ensure that the passwords are changed monthly. Make sure the backups are up to date and done regularly in line with the policy and that they are restored and tested that they are working. Also ensure that logs are audited and change management is managed through a tracking system. All critical errors, backup, user accounts locked out etc. are all logged and checked and resolved. Review all users' access controls annually with users having access to only relevant access rights.
Have proof of everything, from contracts/SLA for especially critical IT systems, monthly management minutes of meeting where ICT issues are informed to top management, third party vendor meetings, the list goes on.... must be accurate and in place.
DON'T LIE ABOUT ANYTHING, IT WILL COME BACK TO BITE YOU - rather tell them what you can realistically do and set practical deadlines as they will be visiting you more often than your girlfriend.
DRP/BC is an issue - tell them you will budget and do it. Keep your bosses updated otherwise they get kaked and you will be lambasted. Make sure you do the critical things necessary to get an unqualified audit otherwise they will replace you with your sister.
Sometimes some dumb interns from the AG will pitch up asking you what a backup procedure is - tell them everything and the next day, they will grill you on exactly what you told them. So don't give them ammo to strip you and grill you. They are not friends so keep things professional.
Otherwise it is fun - you will get used to it, first time it is like learning to ride a bike, afterwards you start thinking and working on the same wavelength.
 
 
 
 

douglasc
Joined: 2011-02-23 15:38
Re: Audit questions

Copy of the Audit Questions thanks to Niall:

The attached may help. It is from last year's audit.

Regards
Niall

Niall Carroll
Deputy Manager ICT
Office of the Municipal Manager

Douglas Cohen
SALGA National office
Specialist: Economic Development (ICT)
Tel: 012 369 8012
Email: dcohen@salga.org.za
 

camdeboo_ito
Joined: 2011-03-04 15:28
Re: Audit questions

My answer is "no" to all the questions.
Management will be thrilled.

Christopher Nash

Camdeboo Municipality | Cacadu District | Eastern Cape
Tel: 049 807 5859 | Cell: 076 099 0163 | Skype:

Nino
Joined: 2011-06-01 20:29
Re: Audit questions

With my first audit I was terrified as well, and also didn't do too well. Go through the audit motions, but the important thing is the results/report of the audit.
Even if you do bad on this one, use the results to plan your IT strategies for the next year or two and become compliant, also ensuring good IT governance.
So, don't be threatened by the audit, but embrace it as a tool that can help you measure your environment. It's far better to have a positive attitude towards an audit, rather than be negative.
I know this year they are focussing on 7 key areas. The audit formation is also different from the previous years and they will also introduce quarterly audits.
The one piece of good advice I can give to anyone facing an audit... MAKE SURE YOU HAVE EVIDENCE. Furthermore, DON'T LIE and be HELPFUL... Remember, they are just doing their job.
Good luck and enjoy the experience!

Nino
Joined: 2011-06-01 20:29
Just thought I would update

Just thought I would update this with a simple comment:

The AG is changing the way in which they will be addressing audits.

Nino
http://ictjurist.canblog.co.za
