
IT Competencies for Assurance Practitioners
OCTOBER, 2003
Changes to the CICA’s Education Process….
Discussion Items

The CASE for increased focus on IT Assurance Competencies

Changes to the CICA’s Focus for Education re IT Competencies

The Competencies

An Example….
Copyright ©2002 Deloitte & Touche LLP. All Rights Reserved 1
The CASE for increased focus on IT Assurance Competencies
“I thought I had addressed all controls
necessary during the systems implementation
- turns out, I didn’t.”
Why is IT Assurance Fundamental for Assurance Practitioners
Today, most businesses have an electronic reliance on various internal and third-party stakeholders that create security, availability, reliability, maintainability and privacy risks.
[Diagram labels. Stakeholders: Suppliers, Customers, Regulators, Employees, Service Providers and Partners. Relationships: Business to Consumer, Business to Business, Business to Government, Business to Employee, Business to Partner. Also: eBusiness, IT Outsourcing.]
IT – The Foundation for Reliable Financial Reporting
[Diagram labels: Executive Management; Entity Controls; Business Process (repeated); Logistics; Manufacturing; Finance; Enterprise System; Corporate Reporting; Etc…; Application Controls; IT Services: OS/ Data/ Telecom/ Continuity/ Networks…; General Controls]

Businesses require complete and accurate information to make decisions and manage operations. IT systems provide this information. Without complete and accurate information, businesses cannot be assured that financial reporting is free from error.

Entity controls set the tone for the organization. Examples include:
• Systems planning
• Operating style
• Enterprise policies
• Governance
• Collaboration
• Information sharing

Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include:
• Authorizations
• Approvals
• Tolerance levels
• Reconciliations
• Input edits

Controls embedded in common services form General Controls. Examples include:
• Systems maintenance
• Disaster recovery
• Physical and logical security
• Data management
• Incident response
Why Provide IT Assurance??

Revenue assurance and growth – Reduce the risk of subscription fraud and customer credits/performance penalties, strengthening the trust relationship with business partners/customers.

Improve customer service – Reduce customer complaints/call center inquiries by improving service levels with better reliability and predictability of system performance.

Differentiate service offering – Position service offering as “best of breed” and eliminate non-compliant competitors from competitive bid process.

Protect reputation and brand – A breach of security or privacy through eavesdropping can impact your reputation and the confidence of subscribers and business partners.

Reduce operational disruptions – Eliminate multiple audits by business partners and customers which require valuable time and resources of operational and service personnel.

Regulatory risks – Reduce the risk of privacy breaches or service interruptions that can attract the attention of industry regulators and privacy advocacy groups.

Reduce stakeholder risks – Address growing concerns among executive management, audit committees and board members about availability and security risks.

Improve operational efficiencies – By improving system utilization and capacity planning through proactive design of controls.
What Leading CIOs are Saying

"[CIOs] should view their function as if [IT] were a separate company and they
were the CEO of it," Fran Dramis CIO Bell South

Putting the systems in place to "ensure compliance with Sarbanes-Oxley will
boost investor confidence in the company," says Mattel CIO Joe Eckroth.

CIOs aren't at risk for Enron-like fraud as much as "honest mistakes-systems
that malfunction, miscompute or somehow give the wrong answer…the bottom
line is that if you develop a system that doesn't work, that's a control problem."
John Flaherty, COSO Chairman

“…having a cross-disciplinary project team is a key to ensuring proper
implementation of SOA-led initiatives. According to the survey, 68 percent of
companies include IT representation on their SOA teams.” –AMR Research
CICA’s Response
Key Changes…..Out with the Old…

Examination process changing from “knowledge” base to “competency” base…..this has provided for the opportunity to focus on broader IT competencies for Assurance Practitioners…..

Previous knowledge base process focused on a narrow range of topics that were mostly Assurance Based……little or no focus provided on the role of IT in the context of running a business….

Level of knowledge previously required was quite low

Amount of integration with other assurance areas was very limited due to the narrow range of focus
Key Changes…..In with the New…
Intro to NEW IT Section of CICA’s Competency Map….
“CAs make a significant contribution to enhancing an entity’s performance
by being competent in identifying the entity’s information needs, by
assessing the impact of information on its corporate strategies, and by
helping to develop specific Information and Information Technology (IT)
strategies aligned with the entity’s goals and objectives”

New exam focus on competencies….Levels of competency expectation include:
• Comprehend
• Detect
• Perform

Level of competency in the IT area varies but overall requirements are for a deeper level of competency….

Broad focus across a number of IT competencies allows for the integration of IT in a number of Assurance Practitioner Candidate questions….
Key Changes…..The Competencies
VI-1 - Assesses Information Technology Strategy
• VI-1.1 - Identifies the entity’s IT needs – DETECT
• VI-1.2 - Evaluates the entity’s existing IT strategy – DETECT
VI-2 - Assesses Risk Associated with the Use of Technology
• VI-2.1 - Evaluates the IT internal audit function – DETECT
• VI-2.2 - Investigates the dependence of systems on third parties – PERFORM
VI-3 - Assesses IT Relative to the Control Environment
• VI-3.1 - Understands and documents the role technology plays in a given control – PERFORM
• VI-3.2 - Contributes to IT-specific testing – DETECT
• VI-3.3 - Uses IT to improve an existing control process – DETECT
• VI-3.4 - Documents the systems development and operational control processes – DETECT
Key Changes…..The Competencies
VI-4 - Improves the Entity’s IT Design
• VI-4.1 - Evaluates the business impact of new developments and trends in technology – DETECT
• VI-4.2 - Improves the entity’s IT design and development – DETECT
• VI-4.3 - Designs and sets up IT accounting systems using standard accounting packages – DETECT
• VI-4.4 - Develops business case to support IT proposals – DETECT
• VI-4.5 - Evaluates and decides on IT acquisition and sourcing – DETECT
VI-5 - Designs and Manages System Installations and Upgrades
• VI-5.1 - Designs and manages or advises on system installations and upgrades – DETECT
Key Changes…..The Competencies
VI-5 - Manages the IT Function - Comprehend
VI-6 - Contributes to Developments in IT
• VI-6.1 - Contributes to public debate
Key Changes…..An Example
Scenario:
A small public company is looking to upgrade a number of existing
business processes by implementing a new computer system. The
company currently has a small Information Technology group which assists
the company in supporting its current network environment and a couple of
smaller customized business applications. The CA candidate is asked to
assess the company’s IT strategy.