With the pace of global change, the advent of newer technologies in various domains of business, increased compliance requirements and the varied cultures in which a company operates, a company is exposed to more risk than it used to be.
The role of internal audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. It is thus a professional service offered to add value and improve an organization’s operations. Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organization. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organization’s reputation, growth, its impact on the environment and the way it treats its employees. Internal audit can help an organization accomplish its strategic objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
The pace at which things are changing has a significant impact on the internal audit function. Internal audit has to help the organization address the risks it faces, anticipate risks and mitigate them.
Internal audit has been mandated in the Companies Act 2013 for companies beyond threshold limits. As a result, it is the prerogative of these companies to lay down a structured internal audit approach and execute it. However, internal audit should be seen as a partner for improvement. The internal audit function should be a driver or catalyst for
Implementation of an ERP revolves around the timeliness of the go-live date. More often than not, controls are to some extent diluted to achieve business continuity through the new ERP. A post-implementation review ensures that general computer controls or specific module-level application controls are strengthened, and that management gets positive assurance on the success of the ERP implementation and the adequacy of the control environment.
Ankekshan has expertise in SAP and Oracle ERPs. We also offer support for custom-developed ERPs for the manufacturing and service sectors, including banking.
The typical scope of a post-implementation review covers the following:
The audit team relies on a good number of reports generated from the ERP system during the conduct of an audit in an automated environment. In order to rely on computer-generated information, it is necessary to understand, evaluate and validate the reports for their integrity from a completeness and accuracy perspective.
For testing purposes, reports generated from ERP systems can be categorized into the following four types.
Ankekshan uses the following validations for testing reports:
The following are a few ways in which the integrity of the reports can be validated:
Data is the essence of any ERP. The volume and sensitivity of the data involved require management to take the utmost care in planning and migrating data from legacy systems to the ERP. Accuracy and completeness of master data and transaction data ensure a smooth transition and uninterrupted business.
We at Ankekshan provide the following services:
Unsecured information or data in any organization is the highest business risk. With cloud databases and cloud computing gaining a stronger foothold, organizations should be more vigilant.
An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach.
Ankekshan supports the preparation and implementation of various information security policies based on business requirements. An ISMS typically addresses employee behavior and processes as well as data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company's culture.
ISO 27001:2013 is an ISO standard for information security. Implementing the standard and obtaining certification under it will increase the confidence of customers. Ankekshan supports readiness and facilitation for ISO 27001 certification. The steps in implementation of ISO 27001 are:
SSAE 16 is a standard for reporting on controls at a service organization. There are 3 types of SSAE 16 reports:
| Type | What it reports on | Users |
|---|---|---|
| SOC 1 | Internal control processes which affect the financials of the user organization | User organization’s statutory auditors and CFO |
| SOC 2 | Security, Availability, Processing Integrity, Confidentiality, and Privacy | User organization, regulators and others (restricted use). Report is shared under NDA |
| SOC 3 | Security, Availability, Processing Integrity, Confidentiality, and Privacy | Publicly available to anyone |
Further, each type is divided into Type 1 and Type 2. In Type 1, the auditor reports whether controls are designed to meet the control objectives as of a specified date, and in Type 2, the auditor reports on the design as well as the operating effectiveness of the controls.
Ankekshan supports building capabilities for any of the above certifications.