mall map




visit our web sites

auditing web sites

other web sites

job opportunities

benchmark with us
tek shak
other web sites

There is a plethora of assurance software already developed and available in the marketplace. While not fulfilling all particular needs, this software addresses most requirements of an audit function.
  • Staff Scheduling
  • Time Keeping/Expense Reporting
  • Risk Analyses
  • Workpaper Systems
  • Report Writing

It is important that assurance technology be used where it adds value to a company, rather than to simply be used for the enrichment of the auditor. Any investment in assurance technology should be used to enhance management's assurance.

The development of assurance technology is still relatively new to the marketplace. As a starting point, ensure such technology is responsive to contemporary assurance theory such as that embodied in COSO, COCO, or Cadbury. Also, design of your automated assurance system should be closely aligned with your company's framework of internal control.


Auditing has undergone a number of theoretical cycles over the past several years and is currently oriented towards providing assurance based upon "racked and stacked" risk factors. Consequently, the principal aim in using assurance technology should be as a basis for building a repository of risk knowledge concerning the integrated framework of internal control, and as a means for evaluating the degree of assurance held against a fluid framework of risks that are continuously monitored by your company's management. Some useful automated tools that may apply include:

Automated Audit Tools

Listed below are some of the solutions utilized by VF Internal Audit in providing assurance to our customers:
SHARPE DECISIONS® EXECUTIVE WORKSHOP®. SHARPE DECISIONS® EXECUTIVE WORKSHOP® is a Group Decision support system which uses wireless keypads to collect opinions from groups on various issues and subjects in a totally anonymous format. Questions are displayed for the group and participants are prompted to enter their answers by pressing the appropriate key on their wireless keypad. A histogram or pie chart is then displayed showing the votes cast and the Average result for the group. Results can then be analyzed in various ways through SHARPE DECISIONS® EXECUTIVE WORKSHOP®, by exporting to Spreadsheet Format or by using Sharpe Decisions® Reporter to create web pages.
AutoAudit software takes the paperwork out of work papers. It's a comprehensive, fully integrated audit automation system that lets audit departments complete all of their work in a single database. With modules for risk assessment, planning, scheduling, work papers, reporting, issue tracking, time and expenses, quality assurance and personnel records, AutoAudit is the most complete way to update an audit department.
Risk Navigator™ was designed to help companies comply with Sarbanes-Oxley and establish long-term corporate governance and risk management practices. It's an immediate solution today, with the ability for full enterprise risk and control management for tomorrow. Risk Navigator™ is one solution that provides total enterprise risk management control.
ACL is the preferred software tool of audit and other professionals for data extraction, data analysis, fraud detection, and continuous monitoring. Robust yet easy-to-use, ACL expands the depth and breadth of your analysis, increases your personal productivity and gives you confidence in your findings. With ACL, organizations can achieve fast payback, reduce risk, assure compliance, minimize loss and enhance profitability.
SAP® Compliance Calibrator by Virsa™

Exposures to fraud, identity theft and data tampering have become costly, and unfortunately, commonplace events within corporations worldwide. Such events have created an onslaught of legislative mandates, such as the Sarbanes-Oxley Act (SOX), more stringent corporate governance policies, and privacy regulations to force companies to conduct a more careful analysis of business risk and implement internal controls.

Many companies expose themselves to severe risks when testing the proper authorization controls of complex ERP systems. Some assess risk "after-the-fact" through the use of detection solutions that operate on downloaded data; while others invest in incomplete segregation of duties (SoD) solutions that focus on the obvious and overlook the subtleties of ERP systems, fraud or motivated perpetrators. Worse yet, some make changes before conducting cross-systems analysis to test for violations created by conflicting access across systems.

SAP Compliance Calibrator by Virsa is the only solution that delivers real-time, 24/7 Continuous Compliance by preventing authorization violations before they occur. It sits inside SAP and brings years of SAP security domain expertise into a product package with the largest set of validated rules and detailed SoD analysis.

PowerLock SecurityAudit is the solution that audits your iSeries systems at the object level to provide a complete history and instant view of changes since your last audit. Internal and external auditors around the world use PowerLock SecurityAudit to conduct comprehensive security analysis and obtain meaningful and accurate results.

eTrust CA-Examine Auditing performs an automated review and auditing for z/OS operating system integrity and verification. In addition, the tool provides important information about system security, integrity and control mechanisms, which are extremely difficult to obtain from other sources.
SAP® Audit Information System

SAP's R/3 System's Audit Information System (AIS) is an auditing tool built into the SAP ERP. We incorporate AIS into our auditing methodology to improve the quality of the audit process through direct access to SAP transactions and master data. AIS consists of the Audit Report Tree structure that provides the auditor with logically organized access to standard SAP reporting and inquiry functions.

Putting Technology to Work

In VF Internal Audit we use literally hundreds of canned and customized automated routines to enhance the efficiency of our work, detect questionable activity and to prevent certain business risks from occurring. To this end, we have resources embedded within our Global Business Technology group who work seamlessly to execute automated testing for us.

 

Evaluating Technology Controls
VF Internal Audit uses the Institute of Internal Audit's (IIA) Global Technology Audit Guide (GTAG) as another tool in our arsenal to remain abreast and knowledgeable of the risk, control, and governance issues within the everchanging and complex world of information technology.  The IIA's Advanced Technology Committee (ATC) is responsible for the development of the guides and its content.  In this effort, ATC partners with other professional organizations such as: American Institute of Certified Public Accountants (AICPA), National Association of Corporate Directors (NACD), Center for Internet Security (CIS), Financial Executives International (FEI), Information System Security Association (ISSA), Systems Administration and Network Security (SANS), Carnegie Mellon University, and Software Engineering Institute (SEI).

The GTAG series of publications issued by the IIA consists of the following:
  • GTAG-1: IT Controls
  • GTAG-2: Change and Patch Management Controls
  • GTAG-3: Continuous Auditing
  • GTAG-4: Management of IT Auditing
  • GTAG-5: Managing and Auditing Privacy Risks
  • GTAG-6: Managing and Auditing IT Vulnerability
  • GTAG-7: Information Technology Outsourcing
  • GTAG-8: Auditing Application Controls
  • GTAC-9: Identify and Access Management


In evaluating the effectiveness of internal controls related to Information Technology, VF Internal Audit has adopted a hybrid version of the Control Objectives for Information and Related Technology (CoBIT), which is linked to the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control Integrated Framework. CoBIT, issued by the IT Governance Institute, is increasingly accepted, on an international level, as good practice for control over information technology and related risks. Its guidance enables an enterprise to implement effective governance over the IT environment that is pervasive and intrinsic throughout the enterprise. There are 34 IT control practices broken into four domains, which are shown below.

A. Plan and Organize
  • Define a strategic IT plan
  • Define the information architecture
  • Determine technological direction
  • Define the IT processes, organization and relationships
  • Manage the IT investment
  • Communicate management aims and direction
  • Manage IT human resources
  • Manage quality
  • Assess and manage IT risks
  • Manage projects

B. Acquire and Implement
  • Identify automated solutions
  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Enable operation and use
  • Procure IT resources
  • Manage changes
  • Install and accredit solutions and changes

C. Deliver and Support
  • Define and manage service levels
  • Manage third-party services
  • Manage performance and capacity
  • Ensure continuous service
  • Ensure systems security
  • Identify and allocate costs
  • Educate and train users
  • Manage service desk and incidents
  • Manage the configuration
  • Manage problems
  • Manage data
  • Manage the physical environment
  • Manage operations

D. Monitor and Evaluate
  • Monitor and evaluate IT performance
  • Monitor and evaluate internal control
  • Ensure compliance with external requirements
  • Provide IT governance