ITGC Reference

The document outlines the role of IT auditors and the impact of technology on auditing processes, emphasizing the importance of Information Technology General Controls (ITGCs) for compliance and risk management. It details the audit process, professional standards, and various domains of ITGCs, highlighting their significance in ensuring the integrity and reliability of financial reporting. Additionally, it discusses the evolution of IT auditing in response to emerging technologies and risks.

Uploaded by tsantoshmail

MPAC 238
Advanced Auditing, Week 7
Christopher Vanover

Information systems and general computer controls
Tom Wadsworth

Auditing and IT

Who Am I?
Name: Tom Wadsworth
Title: Director at PwC, in the ‘Risk Assurance’ Practice
Years with PwC: In my 12th year with the firm
High-level Job Description: IT Auditor, specializing in internal controls compliance

Agenda

Impact of Technology in Audits 5
IT and Audit – Overview of Process and ITGCs 14
Beyond ITGCs – IT-dependent Control Overview 30
Beyond ITGCs – Automated Application Controls 33
Beyond ITGCs – Key Reports 37
Emerging Risks in IT Audit 42
New ways to think about IT auditing 44
Risk Assurance Career 52

Impact of Technology in Audits

What percentage of audits involve an IT element?

1. 0%
2. ~25%
3. ~50%
4. ~75%
5. 100%

Technology & Audit

• The technology landscape is changing faster than ever before. Social media, cloud computing, mobility, big data analytics, and cybersecurity are all increasing the complexity and risks of doing business. Companies are also increasing their dependencies on IT to increase efficiency of operations, productivity of employees, and effectiveness of strategic management decisions.

• Accordingly, the role of the IT Auditor needs to evolve to remain current in today’s business environment.

Professional Standards
PCAOB AS 2110 (AS 12)

Professional Standards (continued)

AS 2201.36 (AS 5.36) states:

“The auditor should understand how IT affects the company's flow of transactions.”

AS 2110.B3-.B4 (AS 12) states:

“A company might use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format would replace paper documents. When IT is used to initiate, record, process, and report transactions, the IT systems and programs may include controls related to the relevant assertions of significant accounts and disclosures or may be critical to the effective functioning of manual controls that depend on IT. The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT.”

The identification of risks and controls within IT is not a separate evaluation. Instead, consideration of IT is an integral part of the top-down approach used to identify significant accounts and disclosures and their relevant assertions and, when applicable, the controls to test, as well as to assess risk and allocate audit effort (AS 2201.36, AS 2110.29).

Professional Standards (continued)

AICPA AU-C 315.19 states:

“The auditor should obtain an understanding of the information system, including the related business processes relevant to financial reporting, including the following areas:
a. The classes of transactions in the entity's operations that are significant to the financial statements.
b. The procedures within both IT and manual systems by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements.
c. The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, authorize, record, process, and report transactions. This includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form.
d. How the information system captures events and conditions, other than transactions, that are significant to the financial statements.
e. The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.
f. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.”

Example PCAOB Inspection Findings

Contribution of ITGCs to Audit Evidence

IT and Audit – Overview of Process and ITGCs

Understanding key terminology

• Information Technology refers to the different components of hardware and software, often referred to jointly as ‘information systems,’ while ITGCs (Information Technology General Controls) are the internal controls around those components.

• ITGCs are policies and procedures that relate to applications and support the effective functioning of application controls (ELCs and transaction-level controls) by helping ensure the continued proper operation of information systems.

IT Audit Process Overview

Phases: Planning → Design → Execution (Testing) → Completion → Reporting, with Project Management running across all phases.

Planning
• Risk Assessment
• Resource planning
• Timing
• Scoping

Design
• Walkthroughs
• Design Assessment

Execution / Testing
• Sampling
• Test Plans
• Audit evidence

Completion
• Deficiency analysis
• Audit impact

Reporting
• Communicating results to management, BoD, or Audit Committee

IT General Controls - Overview
Effective IT General Controls (ITGCs) are a key requirement for Sarbanes-Oxley (SOX) compliance. What are ITGCs, and why are effective ITGCs important to an organization's SOX compliance?

What are Information Technology General Controls (ITGCs)?
• ITGCs are auditable policies and procedures put in place by a business to help ensure the confidentiality, integrity and availability of its IT systems and data.

Why should organizations implement effective Information Technology General Controls (ITGCs)?
• Effective ITGCs can help reduce financial audit testing requirements by leveraging the reliability of system-driven data used in business process controls and, ultimately, the financial statements. A lack of formalized ITGCs requires more substantive testing to ensure the completeness and accuracy of the data being used in controls or financials.

What are the domains for Information Technology General Controls (ITGCs)?
• Currently, four (4) domains exist for ITGCs: 1) Access to Programs and Data, 2) Program Changes, 3) Computer Operations, and 4) Program Development. Practical examples of each are on the next slide.
IT General Controls - Domains

Program development – (Build it) Controls to help ensure that information systems are developed, configured and implemented to meet financial reporting objectives

Access to programs and data – (Secure it) Controls to help ensure that access to the systems resources and data is authenticated and authorized

Computer operations – (Run it) Controls to help ensure that production systems are processed as approved and that processing problems are corrected and systems are restarted in a manner that ensures errors are not introduced

Program changes – (Change it) Controls to help ensure that modified systems continue to meet financial reporting objectives

IT General Controls – Access to Programs & Data

[Diagram: security layers from the outside in – Network perimeter → Internal network → Operating system → Application → Data]

Control areas that apply across the layers:
• Security management and monitoring
• User security administration
• Privileged accounts
• Logical security configuration
• Physical security

IT General Controls – Access to Programs & Data

[Diagram: Business Users and IT Staff accessing the Financial Application and its Data]

Application – Management should ensure:
• Only authorized users have access to the application systems
• Users' access levels within applications are appropriate
• Privileged accounts within the applications are controlled

Database – Management should ensure:
• Security over databases, data files and/or datasets
• Controls around direct access to data using special system utilities

IT General Controls - Practical Examples

Access to Programs and Data
• New users require appropriate finance approval before provisioning.
• Users are removed from the network and applications upon termination or transfer.
• Active Directory password parameters exist and are in line with company policy.
• System users are reviewed by appropriate individuals periodically for continued appropriateness.
• Superuser access is restricted to limited, appropriate personnel.

IT General Controls – Program Changes

[Diagram: the program change lifecycle]
• Overall management of program changes
• Change requests
• Construction
• Testing & QA
• Implementation
• Segregation of duties
• On-going monitoring and maintenance

IT General Controls – Program Changes

Change Requests: User initiates change request → Business change approval and prioritization → Business and IT specification

Construction: Developer makes change

Testing & Quality Assurance: Developer performs unit testing → Migration to test environment → IT performs integration testing → User performs UAT and signs off

Implementation: Review for appropriate approvals → Migrate to Production

Ongoing monitoring & maintenance: Maintain dev, test & prod environments; Periodic review of changes; Emergency changes

IT General Controls - Practical Examples (continued)

Program Changes
• Changes to applications are tested by end users (finance users) before deployment.
• Changes are not migrated to production without management’s review and approval.
• Users responsible for migrating changes to production are not responsible for developing changes.

IT General Controls – Computer Operations

[Diagram: automated processing of information – Application A (Online Website) → data processing (01001011) → Application B (Sales Order Creation)]

• Transaction processing activities
• Management of operations
• Problem management and resolution
• Data center operations

IT General Controls - Practical Examples (continued)

Computer Operations
• Incoming/outgoing data is monitored for errors. Errors are resolved timely.
• Access to modify how data flows between systems is restricted to appropriate individuals.
• Backups are conducted on a periodic basis and monitored for completion by IT.
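The practical examples on the preceding slides (terminated users removed, Active Directory password parameters in line with policy, superuser access restricted, and developers kept separate from production migrators) can be re-performed mechanically once the evidence is exported. The script below is an added example, not from the slides or from PwC, showing how an auditor or control owner might do that in Python. The user listing, HR termination dates, approved superuser list, AD settings, company password policy and the developer/migrator SoD rule are all constructed sample data; group names such as APP_DEVELOPER and PROD_MIGRATOR are assumptions, not real product identifiers.

```python
"""Added example: automated tests for the 'Access to Programs and Data' and
'Program Changes' ITGCs listed on the practical-examples slides.
All evidence below is constructed sample data, not a real company's records."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    enabled: bool
    groups: frozenset  # application / Active Directory group memberships


# Constructed system user listing (what an auditor would export from the application or AD).
USER_LISTING = [
    UserRecord("jdoe", True, frozenset({"FIN_AP_CLERK"})),
    UserRecord("asmith", True, frozenset({"APP_DEVELOPER", "PROD_MIGRATOR"})),
    UserRecord("bwong", True, frozenset({"SUPERUSER"})),
    UserRecord("clee", True, frozenset({"FIN_GL_POST"})),
    UserRecord("svc_batch", True, frozenset({"SUPERUSER"})),
]

# Constructed HR roster: termination date per user (None = still employed).
HR_TERMINATIONS = {"jdoe": None, "asmith": None, "bwong": None,
                   "clee": date(2024, 3, 31), "svc_batch": None}

# Constructed list of personnel approved for superuser access.
APPROVED_SUPERUSERS = {"bwong"}

# Constructed SoD rule from the Program Changes slide: whoever develops a change
# must not also be able to migrate it to production.
SOD_CONFLICTS = [(frozenset({"APP_DEVELOPER"}), frozenset({"PROD_MIGRATOR"}))]

# Constructed company password policy and the observed AD domain settings.
PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5, "history": 10}
AD_SETTINGS = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 0, "history": 24}

# For each parameter, how the observed value must compare with policy to be compliant.
# A lockout threshold or maximum age of 0 means "disabled" in AD, so 0 is never compliant.
_COMPLIANT = {
    "min_length": lambda observed, required: observed >= required,
    "max_age_days": lambda observed, required: 0 < observed <= required,
    "lockout_threshold": lambda observed, required: 0 < observed <= required,
    "history": lambda observed, required: observed >= required,
}


def terminated_but_active(listing, terminations, as_of):
    """Users whose HR termination date is on or before as_of but whose account is still enabled."""
    return sorted(
        u.user_id for u in listing
        if u.enabled
        and terminations.get(u.user_id) is not None
        and terminations[u.user_id] <= as_of
    )


def sod_violations(listing, rules):
    """Enabled users who hold both sides of a segregation-of-duties conflict."""
    hits = []
    for u in listing:
        if not u.enabled:
            continue
        for left, right in rules:
            if left <= u.groups and right <= u.groups:
                hits.append((u.user_id, tuple(sorted(left | right))))
    return sorted(hits)


def unapproved_privileged(listing, approved, privileged_group="SUPERUSER"):
    """Enabled members of the privileged group who are not on the approved list."""
    return sorted(
        u.user_id for u in listing
        if u.enabled and privileged_group in u.groups and u.user_id not in approved
    )


def password_policy_gaps(observed, policy):
    """Parameters where the observed setting is weaker than, or missing from, policy.
    Returns {parameter: (observed, required)}."""
    gaps = {}
    for name, required in policy.items():
        value = observed.get(name)
        if value is None or not _COMPLIANT[name](value, required):
            gaps[name] = (value, required)
    return gaps


def run_itgc_checks(as_of=date(2024, 6, 30)):
    """Run all four checks over the constructed evidence; empty results mean no exceptions."""
    return {
        "terminated_but_active": terminated_but_active(USER_LISTING, HR_TERMINATIONS, as_of),
        "sod_violations": sod_violations(USER_LISTING, SOD_CONFLICTS),
        "unapproved_privileged": unapproved_privileged(USER_LISTING, APPROVED_SUPERUSERS),
        "password_policy_gaps": password_policy_gaps(AD_SETTINGS, PASSWORD_POLICY),
    }


if __name__ == "__main__":
    for check, result in run_itgc_checks().items():
        print(f"{check}: {result or 'no exceptions'}")
```

Run against the constructed data, the script flags one terminated user still enabled, one developer who can also migrate to production, one superuser not on the approved list, and two AD parameters weaker than policy (minimum length 8 versus 12, and account lockout disabled). Each finding is the same exception an auditor would write up under the corresponding ITGC.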
IT General Controls – Program Development (and difference from Program Changes)

Program Changes Process: Change requests → Construction → Testing & QA → Implementation; supported by Segregation of duties and Monitoring and maintenance

vs.

Program Development Lifecycle: Project initiation → Analysis & design → Construction → Testing & QA → Data conversion → Implementation; supported by Segregation of duties and Project Management

IT General Controls - Practical Examples, cont’d

The following are examples of ITGCs:

Domain: Program development
Example of a Risk: New systems/major enhancements are not adequately tested and authorized.
Example of Control Description: New systems/major enhancements are tested by appropriate personnel prior to being moved to production.

Domain: Access to programs and data
Example of a Risk: Inappropriate access rights to applications are not identified in a timely manner.
Example of Control Description: On a periodic basis, management performs a review of access entitlements to ensure that access entitlements are commensurate with job responsibilities.

Domain: Computer operations
Example of a Risk: Production jobs are not completed successfully or are inappropriately modified.
Example of Control Description: Production jobs are managed and monitored by a production support group which is separate from the development team. Any failures are logged in a service ticket and resolved in a timely manner.

Domain: Program changes
Example of a Risk: Application changes are not adequately tested and approved before being migrated into production.
Example of Control Description: Requests for program changes, system changes and maintenance (including changes to system software) are tested by appropriate personnel prior to being moved to production.

IT General Controls - The Complete Picture

Systems development
• Initiation, analysis and design
• Construction
• Testing
• Data conversion
• Implementation
• Documentation and training
• Segregation of duties

Computer operations
• Batch processing
• Interface processing
• Monitoring of computer processing
• Backups
• Computer center operations
• Report integrity

Program changes
• Specification and authorization
• Construction
• Testing
• Implementation
• Documentation and training
• Segregation of duties

Access to programs and data
• Application security administration
• Database administration
• Operating system security administration
• Direct data access via application / network / OS / utilities
• Network / connection security administration
• Application logical security
• Operating system logical security
• Network logical security
• Application powerful accounts
• Operating system powerful accounts
• Network powerful accounts
• Physical security

Beyond ITGCs – IT-dependent Control Overview

IT Dependencies

Types of IT dependencies

Automated controls
▪ Three-way match compares price and quantity between purchase order, goods receipt and invoice.

Automated calculations
▪ The system calculates price x quantity on an invoice.

Key Reports
▪ A/R Aging Report used in a control and in our substantive tests
▪ Disaggregated revenue data (i.e., revenue by customer and geography) used in a substantive analytic

Segregation of duties and other restricted access objectives (Security)
▪ The ability to create and post journal entries is segregated.
▪ The ability to pay cash disbursements to process payables and add a vendor is segregated.

Interfaces
▪ Monthly, the revenue subledger automatically posts transactions to the general ledger system.

Beyond ITGCs – Automated Application Controls (AACs)

Truth/Myth – Effectiveness of ITGCs

Since ITGCs are deemed to be effective, we can assume that automated controls are deemed to be effective and that key reports are complete and accurate.

Myth

Truth/Myth – Effectiveness of ITGCs (continued)

Why
• ITGCs are designed to ensure the proper design and effectiveness of automated controls and key reports, but ITGC testing alone does not support a conclusion that automated controls and key reports are programmed or configured properly
• Separate tests over automated controls and key reports are required

Testing automated controls – Considerations

• There is no one-size-fits-all approach to testing automated controls. Options could include:
- Running test transactions through the company’s program
- Comparing information processed by the system to underlying supporting documentation
- Examining programming code
• Identify all relevant aspects or iterations that need to be tested
Beyond ITGCs – Key Reports

System-generated reports or data

• System-generated reports or data are information generated by IT systems, important to the effective execution of relevant controls or used in substantive testing procedures – key reports
• When we assess reliability of system-generated information, we are assessing:
- Accuracy and completeness of the information
- Whether the information is appropriate for its intended use. For example, “Is the information at a sufficient level of detail for the control to operate as intended?”
• Information designed and produced by third-party service providers (i.e. service organizations)

Reliability of information

When we consider the reliability of the information used, there are two primary questions we must answer:
• Does the system-generated information (i.e., key report) accurately and completely reflect the source data in the system?

[Diagram: System → Data → Report]

• Is the source data in the system accurate, complete, and valid?

Testing the logic of the report for accuracy and completeness only provides comfort that the information in the system is accurately and completely reflected on the report. It does not provide comfort over the source data in the system.
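One way to answer the first question for the A/R Aging Report named earlier is to re-derive the report independently from the system's open items and reconcile the two. The script below is an added example (not from the slides or from PwC) that does exactly that: it recomputes aging buckets from a constructed open-item ledger, compares them with a constructed report into which two defects have been seeded, and lists the exceptions. The ledger rows, report rows, bucket boundaries and "as of" date are all constructed sample data. As the slide says, a clean reconciliation here speaks only to the report logic; it gives no comfort that the open items themselves are valid.

```python
"""Added example: testing the first reliability question for a key report by
recomputing an A/R aging from the system's open-item data and reconciling it
to the system-generated report. The open items and the report rows (which
carry two seeded defects) are constructed sample data."""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Aging buckets as (min_days, max_days or None for open-ended, label).
BUCKETS = ((0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, "90+"))

# Constructed source data: open customer invoices as (customer, invoice, invoice date, amount).
SOURCE_OPEN_ITEMS = [
    ("C001", "INV-100", date(2024, 6, 15), Decimal("1000.00")),  # 15 days old as of 2024-06-30
    ("C001", "INV-101", date(2024, 4, 20), Decimal("250.00")),   # 71 days old
    ("C002", "INV-200", date(2024, 5, 10), Decimal("400.00")),   # 51 days old
    ("C003", "INV-300", date(2024, 2, 1), Decimal("75.00")),     # 150 days old
]

# Constructed system-generated aging report, keyed by (customer, bucket).
# Two defects are seeded on purpose: C001's 61-90 balance is overstated (accuracy)
# and customer C003 is absent (completeness).
REPORT_ROWS = {
    ("C001", "0-30"): Decimal("1000.00"),
    ("C001", "61-90"): Decimal("520.00"),
    ("C002", "31-60"): Decimal("400.00"),
}


def bucket_for(days_outstanding):
    """Map an age in days to its aging bucket label."""
    for low, high, label in BUCKETS:
        if days_outstanding >= low and (high is None or days_outstanding <= high):
            return label
    raise ValueError(f"negative age not allowed: {days_outstanding}")


def recompute_aging(open_items, as_of):
    """Independently re-derive the report from source data: total per (customer, bucket)."""
    totals = defaultdict(Decimal)
    for customer, _invoice, invoice_date, amount in open_items:
        totals[(customer, bucket_for((as_of - invoice_date).days))] += amount
    return dict(totals)


def reconcile(report, recomputed):
    """Compare report rows with the recomputation; return a sorted list of exceptions
    as (key, finding, amount). An empty list means the report logic is accurate and complete."""
    exceptions = []
    for key in sorted(set(report) | set(recomputed)):
        reported, expected = report.get(key), recomputed.get(key)
        if reported is None:
            exceptions.append((key, "missing from report", expected))
        elif expected is None:
            exceptions.append((key, "not supported by source data", reported))
        elif reported != expected:
            exceptions.append((key, "amount differs (report minus source)", reported - expected))
    return exceptions


def reconcile_ar_aging(as_of=date(2024, 6, 30)):
    """Full test of the constructed report: recompute from source, then reconcile.
    A clean result only shows the report reflects the system's data; it says nothing
    about whether those open items are themselves valid (the slide's second question)."""
    return reconcile(REPORT_ROWS, recompute_aging(SOURCE_OPEN_ITEMS, as_of))


if __name__ == "__main__":
    for key, finding, amount in reconcile_ar_aging():
        print(f"{key}: {finding} ({amount})")
```

Both seeded defects surface as exceptions: the 61-90 row for C001 differs by 270.00 (accuracy) and the C003 row is missing from the report (completeness). Recomputing from a fresh extract of the open items, rather than from the report's own detail tab, is what makes this an independent test of the report logic.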

Types of key reports

Standard Report (“canned”)
• Designed by the software developer
• Preconfigured and/or predefined in well-established software packages
• Not modified or customized by the entity

Customized Report
• A modified standard report or a report developed to meet the specific needs of the end-users
• Allows an entity to design the information included in the report and how it is formatted

Query
• Generated ad hoc or on a recurring basis
• Allows users to define a set of criteria to generate specific results

Persuasiveness of Evidence

Determining the nature and extent of evidence needed to assess the reliability of system-generated reports is a matter of professional judgment, impacted by several factors, as depicted below.

Emerging Risks in IT Audit
Cybersecurity – It is no longer “IF a hacker accesses your system”; rather, it’s “how will we know, what do we do, and how do we react, WHEN a hacker gains access to a system”

Privacy – How is your personal data secured? If we were breached or data was lost, how would that impact the company (financial, reputational, etc.)?

Mobile – People want information, and they want it now. How do we secure mobile devices, to give you what you want, without compromising security?

Social Media – Everyone wants to post everything. How does this affect your company’s security? Practical example: New employee and photos.

Cloud Computing – Companies are moving from ‘on premise’ data centers to hosted environments to cut cost. What are you giving up with that cost-reduction?

AI/BI – Management is making their data work for them. Are you comfortable you are making strategic decisions using artificial and business intelligence? Practical example: Hospitals and viruses.

Cultural Differences on Risk – As companies become world-wide, are all countries aligned on their risk tolerance? Are all industries in agreement on freedom of data? Practical example: Higher education vs. Financial sectors.

Service Organizations – As companies look to cut cost, outsourcing is a great way to shed a few dollars. Is that transfer of liability worth it?

New ways to think about IT auditing

Leading Audit Practices – Lines of Defense
Leading practice integrated assurance programs can be broken down into 4 levels. Level 1 is the 1st line of defense, where policies are created and procedures are executed. Level 2 is then tasked with performing monitoring activities over Level 1. Level 3 represents IS Internal Audit, responsible for auditing Level 1 activities while leveraging Level 2 monitoring work. External auditors and regulators sit at the top of the hierarchy at Level 4. This leading practice hierarchy can be used as a model to better align disparate IS assurance activities.

4th line of defense – External Auditors / Inspectors: Represents external auditors and independent governmental regulatory inspectors (e.g., E&Y, FDA, MHRA, etc.)

3rd line of defense* – Corporate Information Systems Audit (Centralized Information System Audit Function): Represents the IS Audit function, with the objective of testing and validating successful operation of controls, while taking into account the Integrated Assurance monitoring results provided by the 2nd line of defense

2nd line of defense – Integrated Assurance (Information System Assurance Function): Performs monitoring over the IS level controls. Integrated Assurance Information Systems functions assist in implementing, monitoring, and validating controls embedded in the 1st line of defense.

1st line of defense – Business operations (Decentralized Business Units): Policies are created, control activities are embedded into business, and executed by business functions. The requirements of controls and procedures to be executed are derived from both internal and external requirements (e.g., internal P&Ps, SOX, GxP, etc.)

*Opportunity for alignment between the 2nd and 3rd lines of defense can increase efficiency and reduce cost of 3rd and 4th lines of defense.
Leading Practices for Auditing & Monitoring Synergies

In order for organizations to achieve the greatest coverage over IS controls related to critical and high-risk applications, a robust second line of defense (i.e., IS controls monitoring function) is often implemented.

Robust IS controls monitoring allows for more strategic IS audits, focused on emerging risks as determined by risk assessments and objective oversight of the IS monitoring function, as opposed to detailed controls testing.

Auditing
• Take into account the IS controls monitoring activities performed by the 2nd line of defense when approaching the audit plan.
• More robust control environment allowing for more focused audits on emerging risks
• Potentially more efficient and non-duplicative audit activities and audit requests (if regulation permits)

Monitoring
• Integrated company-wide controls framework creates synergies in the control environment
• Consistent & continuous monitoring provides greater control coverage across the organization
• Control failures are identified timely and remediated before 3rd or 4th line of defense audits
Risk Assurance Career

IT Auditor Careers at PwC - Risk Assurance

INTERNAL AUDIT SERVICES
• Preferred provider of major internal audit outsourcings (including co-sourcing arrangements)
• Sarbanes-Oxley compliance services
• Internal Audit advisory services (i.e., External Quality Assessments, risk assessments, etc.)
• Potential for supplemental service offerings in such areas as loss prevention

THIRD PARTY ASSURANCE
• Audit and non-audit SSAE16/ SAS 70 and agreed-upon procedure reporting
• Readiness and reporting associated with sector-specific requirements (i.e., SEC Custody Rule, prime broker reporting, HIPAA/HITRUST)
• Preparedness and reporting associated with future anticipated regulatory updates (i.e., Sustainability, XBRL)

PROCESS ASSURANCE
• Support in delivery of Core Attest external audit service offerings

IT & PROJECT ASSURANCE
• “Design and recommend” risk and control-related services associated with major ERP applications (SAP, Oracle, other EPM), including pre- and post-implementation reviews
• Assessment of program/project risks against desired benefits, and controls outcomes
• Security and privacy-related offerings including security and vulnerability assessment and diagnostic reviews and assisting companies in addressing relevant regulatory requirements

GOVERNANCE, RISK & COMPLIANCE
• Services associated with enterprise risk management ranging from high level assessments to comprehensive program development
• Business continuity planning and process-related offerings
• Assess, recommend and design of processes associated with existing and emerging regulation, including sector-specific requirements, broad regulation (i.e., Dodd-Frank) and comprehensive programs (i.e., ethics and compliance)

Career Opportunities – Public Accounting
The service lines above, plus:

ADVANCED RISK & COMPLIANCE ANALYTICS
• Providing analytical insight into the risk and compliance key factors and the ability to improve the value of company data and transform the information into actionable intelligence
• Data assurance and ‘big data’ auditing
• Continuous auditing and monitoring

CYBERSECURITY & PRIVACY
• Analyzing enterprise IT threats and risks through governance, compliance, and identification, while also providing a range of solutions (from consulting to attest reporting) relating to the protection of sensitive personal information
Career Opportunities - Industry

Finance Functional Analyst
• Supports the initial implementation, future upgrades and day-to-day maintenance and configuration of the ERP system. Assists the Corporate Accounting team with month end, quarter end and year end close consolidation efforts from a systems perspective.

Business Systems Analyst
• Determines operational objectives by studying business functions; gathering information; evaluating output requirements and formats. Designs new computer programs by analyzing requirements; constructing workflow charts and diagrams; studying system capabilities; writing specifications.

IT Internal Auditor
• Participates in the planning of IT / integrated audits, including identification and evaluation of objectives, inherent risks and controls.

IT Compliance Analyst
• Responsible for IT’s adherence to all regulatory compliance requirements, including Sarbanes-Oxley (SOX), and for managing all audit related activities for the organization. Ensures IT policies, controls and processes are sufficient, cost effective, feasible, reasonable and current with regulatory requirements.

IT System Administrator
• Responsible for uptime, performance, resources, and security of the system to meet the needs of the users. Acquires, installs, or upgrades computer components and software; automates routine tasks; troubleshoots; and provides technical support.

IT Project Manager
• Responsible for overseeing the process of planning, executing and delegating responsibilities around an organization's information technology (IT) pursuits and goals, including software development.
Professional Certifications

CPA (Certified Public Accountant)
Sponsoring organization: AICPA (American Institute of CPAs)
Work experience / education:
• Must satisfy state licensure requirements (varies by state)
• Complete 150 hours (including B.A. degree) and fulfill specific course requirements (CA)
• Pathway 1: 2 years; Pathway 2: 1 year. Both are general experience which includes any type of service or advice involving the use of accounting-related skills (CA)
• Must pass California Professional Ethics Exam (CA)
More details: http://www.aicpa.org/BecomeACPA/CPAExam/Pages/CPAExam.aspx

CIA (Certified Internal Auditor)
Sponsoring organization: IIA (Institute of Internal Auditors)
Work experience / education: CIA candidates with a 4 year post secondary degree must obtain a minimum of 24 months of internal auditing experience or its equivalent. A Masters degree can substitute for 12 of the required 24 months.
More details: https://na.theiia.org/certification/CIA-Certification/Pages/Eligibility-Requirements.aspx

CISA (Certified Information Systems Auditor)
Sponsoring organization: ISACA (Information Systems Audit and Control Association)
Work experience / education: Submit verified evidence of five years work experience in the fields of Information Systems Auditing, Control, Assurance or Security (substitutions and waivers of such experience, to a maximum of 3 years).
More details: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx

CISM (Certified Information Security Manager)
Sponsoring organization: ISACA (Information Systems Audit and Control Association)
Work experience / education: Submit verified evidence of five (5) years of work experience in the field of information security. Three (3) of the five (5) years of work experience must be gained performing the role of managing information security.
More details: http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx

CISSP (Certified Information Systems Security Professional)
Sponsoring organization: (ISC)2 (International Information Systems Security Certification Consortium)
Work experience / education:
• Candidates must have a minimum of 5 years cumulative paid full-time work experience
• Candidates may receive a one year experience waiver with a 4-year college degree
More details: https://www.isc2.org/cissp/default.aspx

Thank you!
Group Case #1 Results

High: 152
Low: 124
Average: 135
Median: 132

Individual Exam #1 Results

Coming next week!

Feedback Discussion
Response Rate: 22/42 (52%)

Life in public accounting
