Comments on: SOx and ERPs – Where Are The IT Auditors? http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/ The Business of the Big 4 Audit Firms Wed, 08 Feb 2012 21:24:11 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: re: The Auditors » Blog Archive » Auditing Standard 5: How Now, Brown Cow? http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-70079 re: The Auditors » Blog Archive » Auditing Standard 5: How Now, Brown Cow? Sun, 27 Dec 2009 18:39:54 +0000 http://76.12.174.187/?p=775#comment-70079 [...] Lack of sufficient technical staff at clients as well as on audit teams, [...] [...] Lack of sufficient technical staff at clients as well as on audit teams, [...]

]]> By: Francine McKenna http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-783 Francine McKenna Tue, 12 Aug 2008 17:10:00 +0000 http://76.12.174.187/?p=775#comment-783 @Jeffrey T. hare Thanks so much for your comment and the resources. Get in touch off line. I want to learn more and I love to know CPA, CISA, CIAs that are working for the GRC vendors. How refreshing! @Jeffrey T. hare Thanks so much for your comment and the resources. Get in touch off line. I want to learn more and I love to know CPA, CISA, CIAs that are working for the GRC vendors. How refreshing!

]]> By: Jeffrey T. Hare, CPA CISA CIA http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-782 Jeffrey T. Hare, CPA CISA CIA Tue, 12 Aug 2008 17:01:00 +0000 http://76.12.174.187/?p=775#comment-782 Good post. I work in the compliance space for Oracle Apps and see the same thing. Beyond reducing scope, I also see that IT auditors still are not at a level of expertise in the individual apps to properly assess risks and/or help companies design proper controls. You can request a white paper I have written recently on sub-material fraud risk at www.oubpb.com. <br/><br/>Unfortunately, companies are all too reliant on the Big 4 for IT controls and miss some of the greatest areas of risks. Another white paper that may be of interest would be the one called "Accessing the Oracle Apps Database w/o a Database login." This paper addresses the risks of SQL forms, one of the greatest under-discovered security risks in Oracle Apps.<br/><br/>My two cents... Good post. I work in the compliance space for Oracle Apps and see the same thing. Beyond reducing scope, I also see that IT auditors still are not at a level of expertise in the individual apps to properly assess risks and/or help companies design proper controls. You can request a white paper I have written recently on sub-material fraud risk at http://www.oubpb.com.

Unfortunately, companies are all too reliant on the Big 4 for IT controls and miss some of the greatest areas of risks. Another white paper that may be of interest would be the one called “Accessing the Oracle Apps Database w/o a Database login.” This paper addresses the risks of SQL forms, one of the greatest under-discovered security risks in Oracle Apps.

My two cents…

]]> By: Francine McKenna http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-760 Francine McKenna Wed, 30 Jul 2008 17:01:00 +0000 http://76.12.174.187/?p=775#comment-760 @I JUst Work Here Thanks for the update on PwC SPA. Unfortunately, since PwC Advisory is choking, the switch probably won't do anyone much good. That practice needs more than just an influx of former IT Auditors and partners who've never learned (or seen form anyone in senior management currently at PwC Advisory) how to be real consultants. @I JUst Work Here Thanks for the update on PwC SPA. Unfortunately, since PwC Advisory is choking, the switch probably won’t do anyone much good. That practice needs more than just an influx of former IT Auditors and partners who’ve never learned (or seen form anyone in senior management currently at PwC Advisory) how to be real consultants.

]]> By: Anonymous http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-759 Anonymous Wed, 30 Jul 2008 15:29:00 +0000 http://76.12.174.187/?p=775#comment-759 Your position on the internal fight for revenue as a reason for reduced IT Audit hours is spot on. That in addition to AS5 are resulting in significant reduction in total hours for the IT Audit group (SPA) in PwC. Just in the last few weeks, changes to the SPA practice have been announced. Those individuals in SPA with significant experience in ERP, IA, or general IT consulting, were moved from SPA to Advisory. 60 or so Partners, Senior Managers and Managers moved. This appears to be a move to align SPA more closely with the Accountants while better developing the consulting mindset of others in Advisory. Over the years, SPA has gotten more and more aligned with the financial audit. Eventually the line between Auditor and IT Auditor will get blurred even more.<br/><br/>-IJustWorkHere Your position on the internal fight for revenue as a reason for reduced IT Audit hours is spot on. That in addition to AS5 are resulting in significant reduction in total hours for the IT Audit group (SPA) in PwC. Just in the last few weeks, changes to the SPA practice have been announced. Those individuals in SPA with significant experience in ERP, IA, or general IT consulting, were moved from SPA to Advisory. 60 or so Partners, Senior Managers and Managers moved. This appears to be a move to align SPA more closely with the Accountants while better developing the consulting mindset of others in Advisory. Over the years, SPA has gotten more and more aligned with the financial audit. Eventually the line between Auditor and IT Auditor will get blurred even more.

-IJustWorkHere

]]> By: Francine McKenna http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-758 Francine McKenna Tue, 29 Jul 2008 20:43:00 +0000 http://76.12.174.187/?p=775#comment-758 @Anonymous Thanks for reminding me to make the point even more emphatically.<br/><br/>IT audit and security professionals have a role at all points on the timeline for a major systems implementation:<br/><br/>1)Pre-implementation project plan and budget review to make sure controls priorities are established upfront and controls are given the appropriate amount of time and money.<br/><br/>2)In flight project reviews - Checkpoint reviews to make sure projects are running on time, on budget and issues and changes have been documented. This review, in particular, can make sure that controls are not shortchanged if time and budget gets squeezed due to other problems.<br/><br/>3)Pre-go-live controls review - Make sure everything that needs to get done has been done before go-live.<br/><br/>4)Post-implementation controls reviews - Make sure, in more detail, that what needed to get done before go live was done, and any remaining tasks are on a list and prioritized for next phases. In addition, any issues or problems are also on a list and there is an appropriate plan and process to continue to resolve them, even after the integrator goes home.<br/><br/>5)Runaway project reviews - Assessing where a project has gone off course, documenting gaps in expected results and actual results, and establishing the revised project plan, prioritized, to get gaps filled, in particular with regard to controls<br/><br/>McKenna Partners is able and willing to assist in any or all of these types of projects, in particular if they have a cross-border impact (Hello Levis!).<br/><br/>Advertisement over. @Anonymous Thanks for reminding me to make the point even more emphatically.

IT audit and security professionals have a role at all points on the timeline for a major systems implementation:

1)Pre-implementation project plan and budget review to make sure controls priorities are established upfront and controls are given the appropriate amount of time and money.

2)In flight project reviews – Checkpoint reviews to make sure projects are running on time, on budget and issues and changes have been documented. This review, in particular, can make sure that controls are not shortchanged if time and budget gets squeezed due to other problems.

3)Pre-go-live controls review – Make sure everything that needs to get done has been done before go-live.

4)Post-implementation controls reviews – Make sure, in more detail, that what needed to get done before go live was done, and any remaining tasks are on a list and prioritized for next phases. In addition, any issues or problems are also on a list and there is an appropriate plan and process to continue to resolve them, even after the integrator goes home.

5)Runaway project reviews – Assessing where a project has gone off course, documenting gaps in expected results and actual results, and establishing the revised project plan, prioritized, to get gaps filled, in particular with regard to controls

McKenna Partners is able and willing to assist in any or all of these types of projects, in particular if they have a cross-border impact (Hello Levis!).

Advertisement over.

]]> By: Anonymous http://retheauditors.com/2008/07/29/sox-and-erps-where-are-the-it-auditors/comment-page-1/#comment-757 Anonymous Tue, 29 Jul 2008 20:11:00 +0000 http://76.12.174.187/?p=775#comment-757 Francine,<br/><br/>As usual, you seem to hit the nail right on the head. The quality IT "auditors" have so much more to offer than just audit assistance. They can offer implementation assistance, and other process improvement help, as you mentioned in your article. What blows me away, again as you mentioned, are the IT Audit partners who seem to totally miss these opportunities. I think the problem is that they are so intertwined into the "audit" mentality, that they either don't understand, or don't know how to sell, "consulting" services. I understand that both EY and KPMG are attempting to build "advisory" practices catering to CIO needs, however both are still very early on in their developments. As for Deloitte and PWC, I guess time will tell what happens to their IT Auditors... Francine,

As usual, you seem to hit the nail right on the head. The quality IT “auditors” have so much more to offer than just audit assistance. They can offer implementation assistance, and other process improvement help, as you mentioned in your article. What blows me away, again as you mentioned, are the IT Audit partners who seem to totally miss these opportunities. I think the problem is that they are so intertwined into the “audit” mentality, that they either don’t understand, or don’t know how to sell, “consulting” services. I understand that both EY and KPMG are attempting to build “advisory” practices catering to CIO needs, however both are still very early on in their developments. As for Deloitte and PWC, I guess time will tell what happens to their IT Auditors…

]]>