Controls automation monitoring & management and general computer controls are key to safeguarding assets, maintaining data integrity, and the operational effectiveness of an organisation.
- IT risk assessment
- IT process and controls audit
- Application / ERP audit
- Compliance audit
- Segregation of duties (SOD) audit
- Security audit
- Pre- / Post-implementation reviews
- Data analytics
- IT project reviews
- IT internal audit
IT risk assessment
Management requests to monitor and report on their risk posture continue to increase. Common questions related to information and technology are:
- Are we at risk? How risk mature are we? How do we compare to our peers from a benchmarking perspective?
- Are we compliant with laws and regulations? Are we prepared to comply with upcoming laws and regulations?
- What is our strategy moving forward? Is our IT strategy aligned to our business and IT risks?
Our IT Audit practice has recognised capabilities and subject matter experience assisting clients in understanding areas of business and industry risk (governance, process, operations, and IT) that translates and aligns IT risk components to the business, with the ability to go beyond a company’s standard areas of IT controls and to ensure business-IT alignment. For these risk assessments we use our internal Deloitte Risk Methodology as well as frameworks like COBIT, ISO, and ITIL.
IT process and controls audit
IT process and IT general computer controls are key to safeguarding assets, maintaining data integrity and the operational effectiveness of an organisation.
We offer services that identify, develop and test internal controls and policies. Our control reviews are created and implemented to address management objectives ranging from business process to application and technology infrastructure controls.
Invariably, our reviews are in the context of business and/or audit risk. Not only do we seek to highlight significant exposures, we also go the extra mile to recommend potential solutions for risk mitigation.
Application / ERP audit
Excessive controls may impact the bottom line; ineffective controls may leave an organisation exposed. How are applications effectively supporting business processes and how can these processes be controlled by means of application controls? Our IT audit practice can help you to find an answer to these questions:
- Performing a current state assessment of application controls (logical access controls, data entry/field validations, business rules, workflow rules, reporting, automated calculations, …) and operational effectiveness
- Performing an assessment of effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
- Leveraging configurations and workflows to more efficiently manage controls within an application or ERP
- Designing and implementing configured controls within an application or ERP solution may help the efficiency of audit reviews and assist in eliminating control deficiencies due to manual intervention
We have deep expertise in auditing SAP, other ERPs, as well as custom IT applications.
Compliance audit
Our IT Audit practice has recognised capabilities and subject matter experience assisting clients in identifying, benchmarking, rationalising and evaluating controls around relevant application systems and related IT infrastructure that support significant flows of financial transactions and business processes that need to be compliant with specific laws and regulations (such as Sarbanes-Oxley, FDA, GxP, ISAE, …).
Segregation of duties (SOD) audit
To reduce the risk of fraud and unauthorised transactions, no single individual should have control over initiating and completing business transactions.
Identifying and mitigating key business process and IT SOD risks should be considered critical to maintaining integrity of data within an organisation.
Security audit
Security is key to a company’s internal control environment and to ensuring the availability and reliability of its data. If application security is not designed carefully, sensitive and confidential information may leak, mission-critical business operations may be interrupted, or fraud may be left undetected. The IT infrastructure security provides the enhanced secure computing environment and establishes leading practices for logical security across databases, operating systems (OS) and network components like firewalls, routers, etc.
Our IT audit practice performs security audits, cyber security assessments, attack and penetration testing.
Pre- / Post-implementation reviews
Our approach in systems pre-implementation reviews synchronises itself with the project life cycle, focusing on the design, development and testing of internal controls throughout the business process transformation and systems development/stabilisation process. Our post-implementation approach focuses on determining whether the system meets the business requirements effectively.
Our IT Audit practice performs business process & application controls reviews, security reviews, data conversion and interface reviews, project governance reviews, …
Data analytics
Data analytics can help an organisation to provide insights to the business by developing a deeper understanding of business risks, controls effectiveness and industry trends, to become adaptive to risks, and to shift from stagnant or point-in-time reviews to focused implementation of ongoing or continuous controls monitoring capabilities.
Our practice has several tools available to perform data analysis, such as our in-house developed tool, Dfact. Dfact, also known as Deloitte Fast Audit Control Testing, is easy to use and achieves faster and better insights into key internal controls and risks in critical business processes, fraud-sensitive matters and process inconsistencies. It downloads mass data and allows testing the full population in a structured and efficient way.
IT project reviews
How often do your IT projects meet the expectations of key stakeholders (on cost, timing and performance) and what has been the impact of failed projects? Our practice can support you in the following aspects:
- Performing an independent project risk assessment (Predictive Project Analytics)
- Performing follow-up of project execution and delivery (Independent Verification and Validation)
- Reviewing the project management processes and controls
We refer to our Predictive Project Analytics methodology to support you in identifying project performance shortfalls, realigning control measures and improving your projects’ chances for success.
IT internal audit
Deloitte’s Internal Audit Transformation (IAT) services for IT give boards and senior executives new insights into options that can help to manage enterprise risks by enhancing internal audit’s value, quality and effectiveness. Our understanding of IT risks may help clients’ internal audit functions improve their performance and derived value.
The Risk intelligent IT internal auditor
Information Technology Internal Audit (IT IA) services can help extend internal audit oversight and performance, addressing both IT risks and broader organisation-wide risks. Deloitte has services that can help clients assess these risks.