
The Application of Information Technology Audit Process for Enterprises at KPMG Limited


DOCUMENT INFORMATION

Basic information

Title The Application of Information Technology Audit Process for Enterprises at KPMG Limited
Author Do Duy Son
Supervisor Ph.D. Truong Cong Doan
Institution Vietnam National University, Hanoi International School
Major Management Information System
Document type Graduation project
Year of publication 2023
City Hanoi
Format
Pages 69
Size 1,98 MB


Structure

  • 1. RESEARCH RATIONALE (11)
  • 2. OBJECTIVES OF THE STUDY (11)
  • 3. SCOPE AND LIMITATIONS OF THE STUDY (12)
  • 4. RESEARCH QUESTIONS (12)
  • CHAPTER 1. LITERATURE REVIEW (13)
    • 1.1. DEFINITION AND CONCEPT OF INFORMATION TECHNOLOGY AUDIT (13)
    • 1.2. PREVIOUS STUDIES RELATED TO IT AUDIT (13)
  • CHAPTER 2. METHODOLOGY (15)
    • 2.1. PROCEDURES AND AUDIT METHODS (15)
      • 2.1.1. Planning (15)
      • 2.1.2. Test of Information Technology Controls (34)
      • 2.1.3. Summarizing and Evaluating IT System Controls Deficiencies (36)
    • 2.2. DATA COLLECTION METHODS (38)
    • 2.3. SAMPLING TECHNIQUES (38)
      • 2.3.1. Identify sample size (38)
      • 2.3.2. Perform sampling (39)
  • CHAPTER 3. PROCESS APPLICATION (41)
    • 3.1. PLANNING FOR ABC INSURANCE IT AUDIT ENGAGEMENT (41)
      • 3.1.1. Purpose (41)
      • 3.1.2. Scoping and Requirements (41)
    • 3.2. UNDERSTANDING ABC INSURANCE IT SYSTEM (42)
      • 3.2.1. Inquiry of the person in charge of / relevant to the IT system (42)
      • 3.2.2. ABC Insurance IT System understanding profile (46)
    • 3.3. IT CONTROLS TESTING (50)
      • 3.3.1. General IT Controls Testing (50)
      • 3.3.2. Accuracy & Completeness testing (58)
      • 3.3.3. IT Application Controls Testing (59)
    • 3.4. SUMMARIZING AND EVALUATING ABC INSURANCE'S IT SYSTEM CONTROLS DEFICIENCIES (64)
      • 3.4.1. Information technology audit summary (64)
      • 3.4.2. IT System controls deficiencies evaluation (64)
  • CHAPTER 4. RECOMMENDATIONS (66)
    • 4.1. SUMMARY OF THE STUDY'S FINDINGS AND ANALYSIS (66)
    • 4.2. RECOMMENDATIONS FOR IMPROVING AND DEVELOPING THE PROCESS (66)

Contents

The Application of Information Technology Audit Process for Enterprises at KPMG Limited

RESEARCH RATIONALE

The increasing significance of information technology (IT) in organizational management, production, and business operations has heightened the need for robust IT risk management to ensure data security, integrity, availability, and reliability. Despite this, the role of IT audits in independent auditing engagements in Vietnam and globally remains underexplored. Currently, only the Big Four firms in Vietnam, such as KPMG, provide specialized IT consulting and auditing services, leaving smaller auditing firms yet to establish a presence in this crucial area.

This study aims to fill a gap in the literature by exploring the specific role of IT audit within the audit engagement process at KPMG Limited. It will investigate how IT audits contribute to overall audit quality and the effectiveness of KPMG's IT auditing procedures in verifying financial statements. Furthermore, the research will address challenges faced by the audit team when evaluating data accuracy through complex IT systems, including Enterprise Resource Planning (ERP) solutions, and propose solutions. By examining the relationship between audit quality and the roles of KPMG's IT audit amid increasing competitive audit costs, this study will offer new insights and enhance the existing body of knowledge on IT auditing.

OBJECTIVES OF THE STUDY

This study explores the critical role of IT audits and outlines the specific responsibilities of IT auditors across various levels of KPMG employees engaged in audit activities. The primary goals of the research focus on understanding the importance of IT auditing within the organization:

• Analyze the role of the IT Audit.

• Examine the research and analysis basis of each IT audit engagement.

• Examine the KPMG methodologies to conduct an IT system assessment.

SCOPE AND LIMITATIONS OF THE STUDY

This thesis explores the significance of IT audits and the responsibilities of IT auditors in the financial statement auditing process at KPMG Limited in Vietnam. The study involved interviews with a diverse group of participants, including IT consultants, senior solution consultants, managers, and associate directors, conducted in March.

This research focuses exclusively on IT audits and the roles of IT auditors in conducting independent audits of financial statements, intentionally omitting other audit types like state audits or performance audits.

RESEARCH QUESTIONS

The author will direct this study to answer the following research questions:

• RQ1: What information from an organization does KPMG base an IT system assessment on?

• RQ2: What tools or methodologies does KPMG use to assess the enterprises’

• RQ3: How does KPMG know that the assessments are reliable?

LITERATURE REVIEW

DEFINITION AND CONCEPT OF INFORMATION TECHNOLOGY AUDIT

An information technology audit evaluates an organization's IT infrastructure, applications, data management, and operational processes against established standards. The primary goal of these audits is to assess the effectiveness of controls in protecting IT assets and ensuring they align with the organization's objectives, thereby maintaining their integrity and security.

The increasing reliance on IT systems is significantly impacting the auditing process, as highlighted in the European Court of Accounts' Guide (2011) to Auditing in IT Environments. It emphasizes that when assessing the effectiveness of internal control systems, the legitimacy of transactions, and the precision of accounting, it is crucial to consider IT-related risks.

The IT Audit team enhances its understanding of the client's IT environment and associated risks by identifying potential IT-related issues and relevant controls. This process aids the team in evaluating the effectiveness of both automatic and manual controls, particularly those with an automatic component (KPMG, 2023).

ITA conducts audit engagements to assess the systems and IT infrastructure that are crucial for preparing clients' financial statements. In the past, before the surge of digital transformation, these evaluations were approached differently.

IT audit was a rather distant concept; after the government's Decree No. 13/2023/ND-CP, IT audit has almost become obligatory (KPMG Experienced Staff, 2023).

PREVIOUS STUDIES RELATED TO IT AUDIT

The Role of IT Audit in the Era of Digital Transformation

• Authors: B. R. Aditya, R. Hartanto and L. E. Nugroho

This article highlights the critical role of IT audit during digital transformation, emphasizing that IT risk poses significant challenges for top management and can jeopardize both the IT environment and the overall business. Due to limited IT knowledge, executives often struggle to assess the effectiveness of IT implementations, making IT audits essential for mitigating unacceptable risks. The paper advocates for a prominent role of IT audit in the digital age, as numerous companies are actively transforming their operations through technology.

The article explores the challenges and opportunities faced by IT audits in the digital age, offering insights on enhancing their effectiveness in this evolving landscape.

Information Technology Audit: Systems Alignment and Effectiveness Measures

A qualitative study utilizing multiple case studies demonstrates that IT audit and governance frameworks can scientifically assess the effectiveness of Information System entities. Key factors influencing the effectiveness of these frameworks include alignment with organizational goals, the implementation of customized metrics, and active stakeholder involvement. This research contributes significantly to the field of IT audit and governance by establishing a framework for measuring IS entity effectiveness, identifying critical influencing factors, and providing empirical evidence to validate their application.

METHODOLOGY

PROCEDURES AND AUDIT METHODS

A typical Information Technology Audit (ITA) project is structured into three key phases: Planning, Test of Controls, and Summarizing and Evaluating Deficiencies. These phases are executed by the ITA team, a crucial component of the Audit engagement team, to ensure a comprehensive IT audit process.

The planning phase of IT auditing is crucial as it involves an initial risk assessment aimed at collecting information about the client's information system. This phase identifies IT risks related to financial controls, assesses the complexity of the organization's information system, and determines the scope of the audit for both manual and automated controls.

2.1.1.1 IT Audit Orientation

a. Purpose of the engagement

Prior to each engagement, the Management team, comprising the Partner, Director, and Engagement Manager(s), will assess and identify the relevant risks while scoping the client's IT controls that will be subject to audit.

Clearly defined goals are essential for clients to adhere to KPMG's audit methodology. The ITA team will focus on auditing both manual and automated IT controls, ultimately contributing to the comprehensive evaluation of the client's financial statements. Understanding the scope and requirements is crucial for achieving effective audit outcomes.

As technology-related risks continue to grow, there is an increasing focus on the implementation of automated controls. This project is designed to assist in identifying and testing these Automated Controls, particularly in the context of Application Controls. Key areas for ITA review include the identification of Automated Controls, scoping for General IT Controls (GITC) related to Application Controls, and conducting audits at the client’s office. The project will culminate in the delivery of final reports to the client, with careful time estimation for each phase.

Audit engagements typically span 1 to 3 months, with the majority occurring during the peak audit season from September to March.

Effective time estimation is crucial for the audit engagement team at KPMG, as it ensures optimal performance both within and between teams. Each engagement has a specific estimated timeframe for implementation, requiring auditors to manage their working hours accordingly. Exceeding these allocated hours can negatively impact work performance, delay delivery to clients, and harm KPMG's reputation.

In the context of an audit, IT understanding refers to the thorough examination of an organization's information systems, leading to the creation of an "IT understanding profile" that captures the complete IT infrastructure and business processes within the enterprise.

The main goal of an IT audit is to assess the IT business processes that contribute to the creation of financial statements. To do this effectively, IT auditors need a deep understanding of the various control layers within the organization's IT system that pertain to the audited processes. Properly categorizing these controls is essential, as it allows auditors to prioritize their evaluations and conduct a comprehensive review of all relevant areas. This knowledge helps auditors concentrate on the critical IT controls that significantly influence the accuracy, integrity, and reliability of financial statements.

An information technology system for businesses is basically composed of four main layers:

• Application - The first layer, where users or system operators directly interact with the system. Designed to perform one or more functions, which will usually capture,

• Database (DB) - The second layer, where data or information is stored; it is designed to be easily accessed, managed, and updated.

• Operating System (OS) - The third layer; the OS directly controls the system and provides a software platform to run other software.

• Network - The last layer, which includes both hardware and software for data exchange inside and outside the organization.

Figure 2.1 Layers of IT system illustration (Source: KPMG)

This step of defining IT layers will help to identify the risks and controls mentioned in the next sections in a more systematic and logical manner.

2.1.1.3 Identify Manual Controls Scoping - General Information Technology Controls (GITC)

The reliability of a company's financial information is significantly influenced by the effectiveness of its internal controls and general IT controls (GITC), which are crucial components of its internal control framework. Strong IT oversight enhances confidence in data accuracy, reporting, automated controls, and essential business process functions. The significance of comprehensive IT control is growing for key stakeholders, including owners, investors, regulators, audit committees, management, and auditors (KPMG, 2023).

• Owners, investors, and regulators expect financial information to be more specific and transparent. Auditors need to address these concerns in order to meet the evolving expectations of stakeholders.

• While financial information is not new, the complexity of financial reporting, business models, and supporting technologies continues to evolve.

• Daily tasks such as interest calculation, debt classification and access control are being automated today. These automated controls rely on IT overview controls to ensure they work efficiently.

Therefore, information security, integrity, and reliability must rely on overarching IT controls including Access Controls, Change Management, Program Development Management, and control of Computer Operations.

Figure 2.2 Overall IT Controls illustration (Source: KPMG)

• Application Controls: These controls guarantee the integrity of the information in the system and safeguard the information flow.

• General IT Controls: Overall IT controls are established to support critical application controls so that they can operate continuously.

The key aspect of General IT Controls (GITC) is the identification of Control Attributes, which are essential for defining effective controls. This process enhances the efficiency, availability, security, accuracy, and ease of monitoring and auditing. One crucial component of these controls is Access Controls.

Access control is designed to prevent and detect unauthorized access to an organization's data, systems, and programs.

The IT security policy is a written document that demonstrates management's dedication to upholding a secure IT environment through robust internal controls. It outlines the objectives, rationale, and requirements for IT security while detailing the rules and procedures necessary for the implementation, maintenance, and monitoring of IT system security.

IT security policies and procedures are essential for ensuring that a company achieves key objectives such as availability, where information is accessible when needed; completeness, which ensures that information is accurate, complete, and approved; and confidentiality, restricting access to sensitive information to authorized personnel only. Additionally, fostering a culture of strict control is crucial, alongside management's commitment to protecting company data and assets. Finally, adherence to relevant laws and regulations, such as privacy standards, is vital for compliance.

• APD1: IT Privacy Policy
  o APD1-1: Password Policies

Access to the system is secured through password authentication, ensuring that only authorized users can enter. Passwords must adhere to specific standards, including minimum length, complexity, expiration, and account lockout protocols. Each user is assigned a unique user ID, and any duplicate or shared accounts require approval and monitoring by system owners. Additionally, any deviations from the established password policy must be documented and authorized by designated personnel.

Management is responsible for approving the type and scope of user access privileges for both new and modified user accounts. This includes overseeing standard application profiles and roles, as well as access to critical financial reporting transactions, ensuring robust control over sensitive information (KPMG, 2023).

Table 2.1 APD1 Control Attributes (Source: KPMG)

DATA COLLECTION METHODS

Data collection is a crucial phase in the audit industry, as it involves gathering information from clients that auditors subsequently validate. This collected data, known as evidence, plays a vital role in supporting and corroborating the auditor's findings and conclusions.

There are four methods that KPMG uses to collect and audit data from clients:

• Inquiry – The auditors have face-to-face interviews with the person (or people) in charge of operating and controlling the system.

Auditors review documents provided by the customer while directly supervising the implementation of system controls and procedures by the responsible personnel.

• Observation – The auditors directly look at a process or procedure being performed by others.

• Reperformance – Auditors re-implement the operations and control processes of an IT system to verify that the outcomes align with the client's provided documentation. This technique is particularly essential in specific scenarios where auditors must gather evidence through methods such as control testing, transaction testing, and data validation.

Before initiating the audit process, clients will receive a set of sample questions and a list of required documents to submit to KPMG. These documents serve as crucial evidence, facilitating a more efficient and streamlined audit process.

• Document Provided by Client – The client is required to provide its data early so that the later audit process runs more smoothly.

SAMPLING TECHNIQUES

To determine the sample size, there are two methods to select the sample:

a. Based on the size of the population, there are two main attributes:

• The relevant Risk Associated with the Control being tested

Table 2.20 Select sample size based on the size of the population (Source: KPMG)

Number of units in population | Sample size
250+ | 15 | 30 | 60 | 120

b. Based on the frequency of the control, including two main attributes:

• The frequency of repetition of that control in the enterprise's control process; and

• The relevant Risk Associated with the Control being tested

Table 2.21 Select sample size based on the frequency of the control (Source: KPMG)

Relevant RAWTC | Base | Elevated | Significant | Significant+

*When sampling on a quarterly basis, it is mandatory to choose 1 sample for the last quarter of the year and 1 sample for a random quarter to increase reliability.

Sampling techniques play a crucial role in GITC audits to evaluate the effectiveness of controls by selecting a representative sample of transactions or activities. Common methods include Random Sampling, which ensures each item has an equal chance of selection, thus minimizing bias and providing a statistically valid representation. Systematic Sampling follows a defined interval from a sorted list, while Cluster Sampling involves selecting entire groups to simplify audits in geographically dispersed populations. Lastly, Judgmental Sampling relies on the auditor's expertise to choose high-risk or significant items, ensuring relevance despite its subjective nature. These techniques collectively enhance the efficiency of control assessments in IT audits.
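The sampling step above, as an added Python example that is not part of the thesis or of KPMG's method: it looks up the sample size for the one population row the page reproduces (250+ items; pairing the figures 15/30/60/120 with the RAWTC levels Base through Significant+ is an assumption made here), then draws random, systematic and judgmental samples from a constructed population of control occurrences and applies the quarterly rule (one item from Q4 plus one from another, randomly chosen quarter).

```python
"""Audit sampling helpers for a GITC test of controls (added example)."""
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Table 2.20 row for populations of 250 or more items. Assumption: the four
# figures correspond, in order, to the four RAWTC levels of Table 2.21.
SAMPLE_SIZE_250_PLUS = {"Base": 15, "Elevated": 30, "Significant": 60, "Significant+": 120}


@dataclass(frozen=True)
class ControlOccurrence:
    """One execution of a control, e.g. one approved change request (constructed)."""
    ref: str
    occurred_on: date
    risk_score: int  # auditor-assigned 1..10; used only by judgmental sampling


def build_population(year: int = 2022, size: int = 300):
    """Constructed population: `size` occurrences spread evenly over the fiscal year."""
    rng = random.Random(7)
    return [
        ControlOccurrence(f"CR-{i + 1:04d}",
                          date(year, 1, 1) + timedelta(days=(i * 365) // size),
                          rng.randint(1, 10))
        for i in range(size)
    ]


def sample_size(population_size: int, rawtc: str) -> int:
    """Sample size for a 250+ population at the given RAWTC level."""
    if population_size < 250:
        raise ValueError("rows of Table 2.20 for populations under 250 are not reproduced here")
    return SAMPLE_SIZE_250_PLUS[rawtc]


def random_sample(population, n, seed):
    """Random sampling: equal chance for every item; the seed keeps the draw re-performable."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n), key=lambda o: o.ref)


def systematic_sample(population, n):
    """Systematic sampling: fixed interval through the population sorted by date."""
    ordered = sorted(population, key=lambda o: o.occurred_on)
    interval = len(ordered) // n
    return [ordered[i * interval] for i in range(n)]


def judgmental_sample(population, n):
    """Judgmental sampling: the n highest-risk items according to the auditor's scoring."""
    return sorted(population, key=lambda o: (-o.risk_score, o.ref))[:n]


def quarterly_sample(occurrences, seed):
    """Quarterly control: one item from Q4 plus one from a randomly chosen other quarter."""
    by_quarter = {}
    for o in occurrences:
        by_quarter.setdefault((o.occurred_on.month - 1) // 3 + 1, []).append(o)
    rng = random.Random(seed)
    from_q4 = rng.choice(by_quarter[4])
    other_quarter = rng.choice([q for q in by_quarter if q != 4])
    return [from_q4, rng.choice(by_quarter[other_quarter])]


if __name__ == "__main__":
    pop = build_population()
    n = sample_size(len(pop), "Base")
    for o in random_sample(pop, n, seed=2022):
        print(o.ref, o.occurred_on)
```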

PROCESS APPLICATION

PLANNING FOR ABC INSURANCE IT AUDIT ENGAGEMENT

To demonstrate and bring a clear look to the real-life, on-the-job IT audit process, this study presents a case study of "ABC Insurance Firm," utilizing an audit profile from KPMG. To adhere to KPMG's information privacy policy, all names, figures, and sensitive details have been altered. The illustrative evidence provided will focus on specific aspects of the audit conducted by the author, offering a comprehensive overview of the process without detailing every element.

The audit engagement team for ABC Insurance has developed a strategic approach plan for the evaluation of General IT Controls (GITC) and IT Application Controls (ITAC). This plan is essential for supporting the audit of ABC Insurance's financial statements for the fiscal year spanning from January 1, 2022, to December 31, 2022.

ABC Insurance utilizes a dual-platform IT system comprising P400 and Oracle. The P400 platform serves as the core system, handling the majority of operational processes, while the Oracle platform is dedicated solely to recording and processing financial transactions.

In-scoped Applications for GITC:

Table 3.1 ITAC scoping for ABC Insurance (Source: KPMG working paper)

Systems & Layers | Automated Control IDs | Description
P400 - OS Layer

b. GITC scoping for Automated controls

ABC Insurance is currently undergoing an audit of three controls. Since there have been no program upgrades or developments in the past year, we will not be testing the program development controls in this instance.

Table 3.2 GITC scoping for ABC Insurance (Source: KPMG working paper)

No | ID | IT Layer | General IT Controls
1 | APD1-2 | Oracle & P400 | Exceptions to the password policy
Access to implement changes into the production environment for P400 & Oracle, including configuration changes, is authorized and restricted for use only by appropriate personnel and segregated from the development environment
IT system incidents impacting system jobs, processes and/or programs relevant to the P400 & Oracle systems are tracked and resolved within the defined timeframes

UNDERSTANDING ABC INSURANCE IT SYSTEM

3.2.1 Inquiry of the person in charge of / relevant to the IT system

On the second day of the audit engagement at the client's site, the ITA team conducted an interview with the client's IT Manager or IT Operator responsible for the firm's IT system to complete the necessary questionnaire.

The questionnaire was emailed to the client's IT Operator a few days prior to the preparation, allowing for a streamlined interview phase. As a result, IT auditors can efficiently progress to the subsequent phases of the audit process.

The table below documents the interview at the ABC Insurance office with the IT Operator Officer in charge at ABC Insurance.

Table 3.3 Interview ABC Insurance's IT Operator Officer using questionnaire

Q: Does the Organization appoint individuals or committees to its Board of Management who are primarily in charge of and knowledgeable about cybersecurity issues and risk?

A: Organization Chart and the charter of Information Security Committee (ISC) of ABC Insurance:

Figure 3.1 Example of an evidence (Source: KPMG working paper)

Q: Do you (IT Operator in charge) consider cyber risks in your risk assessment? Do you have any cybersecurity risks in your
If yes, what cyber risk scenarios are being included in your assessment?

A: ABC Insurance considers cyber risks in the risk assessment. The following threats are included to assess cyber risks:

(5) Risks (hacker attack, leakage of confidential information, virus transmission, cyber extortion, network downtime…) through online activities, electronic systems and technological networks, storage of personal data

(6) Inadequate IT System Disaster Recovery Plan

(8) Illegal Software Installation & Improper license and software management

Evidence cannot be shown for this part.

Q: How does your risk assessment process evaluate cybersecurity risk across the organization? How do you analyze and assess the significance of the cybersecurity risk to financial reporting?

A: ABC Insurance Vietnam evaluates cybersecurity risk across the organization through an annual Cyber Security Self-Assessment. The assessment is based on the following cyber security standards:

- Secure system implementation and operation

Evidence cannot be shown for this part.

Q: How do you identify, assess, and respond to risks related to attacks perpetrated through business e-mail compromise (BEC) scams or spoofing or phishing routines?

A: We have security solutions to protect business e-mail, for example: M365 email security, FireEye Email security, Sophos Endpoint, Phishing reporting, Symantec, etc.

Besides, we have cybersecurity training:

+ Annual training session on cybersecurity (compulsory)
+ Monthly sharing about cybersecurity related matters
+ Compulsory cybersecurity quizzes

Q: Do you have any Internet-facing applications?

A: The list of ABC Insurance’s Internet-facing applications:

1 AAA e-Policy – processing and managing e-Policy
2 AAA e-Claim – processing and managing e-Claim
9 EEE – Audit and assurance expert solutions
10 ABC Insurance – ABC Insurance’s homepage
Service for hong leong bank
15 API service – API service for co-operating with partner

Table 3.2 Example of the list of client’s Internet-facing applications

Q: Do you have periodic penetration tests for these

A: The last test is a pen test for internet-facing services started in Dec
Penetration testing scope: all internet-facing services managed by ABC Insurance

Q: Do you have a dedicated team to manage cybersecurity risks and respond to cybersecurity incidents?

A: Yes, ABC Insurance has a Cybersecurity Incident Response Team.

Q: Do you have the IT Security Policies published and available for all employees? If yes, where are they stored?

A: IT Security Policies are published and available for all employees. These policies are stored on ABC Insurance Hub, where all employees of ABC Insurance can easily access them.

Q: Do you provide formal IT Security training for your employees? If yes, how is the training delivered? How often is it?

A: The IS team provides formal IT Security training for employees on an annual basis.

The IT Security Policies, the IT Security Training topics/agenda, and the training schedules conducted in the last

Information security guidelines related to protection of personal information, computer viruses & spyware, email & internet use, Secure storage, Clear desk & Physical Security, mobile security

Cyber security: training on types of attacks including phishing

Q: To stay informed about potential cybersecurity incidents affecting IT applications, databases, operating systems, or networks that could compromise the integrity of financial information, it is crucial to implement robust monitoring systems. Regular security assessments, real-time alerts, and incident response protocols can help identify threats promptly. Additionally, maintaining clear communication channels within the organization ensures that all stakeholders are aware of any vulnerabilities or breaches. By prioritizing cybersecurity measures, organizations can safeguard their financial reporting processes and protect sensitive data from potential risks.

A: We are using

Evidence cannot be shown for this part.

Q: Do you have a formal cybersecurity policy and strategy?

A: Yes, we have a formal cybersecurity policy.

Q: Do you have any service organization for your business or IT processes
If yes, do outsourcing vendors have access to your organization’s systems and data? Do you have any controls over the service organization’s personnel accessing your entity’s data? Do you receive any independent auditor reports over the Service

A: Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)

The outsourcing vendors do not have access to the organization’s systems and data.

IT outsourcing vendors: EFG IT solutions Inc., XYZ Cloud Computing Services company

3.2.2 ABC Insurance IT System understanding profile

• 2 representative offices in Vietnam: 1 in Hanoi and 1 in Saigon (ABC Insurance VNM)

• ABC Insurance region head office (ABC Insurance Asia): Singapore

ABC Insurance is currently using 02 applications as part of their financial reporting and business processes, including:

Table 3.4 ABC Insurance IT Layer (Source: KPMG working paper)

IT Layer group | IT System layer
 | P400-Application layer, P400-Database layer, P400-Operating System layer
Oracle – Accounting | Oracle-Application layer

3.2.2.3 Understand the enterprise’s IT organization

Table 3.5 ABC Insurance's IT Department (Source: KPMG working paper)

1 Head of IT Department Hanoi

ABC Insurance has a dedicated IT Department responsible for managing IT strategy, risks, budget, and essential IT projects. Additionally, the company has a thorough internal audit team that emphasizes business process improvement and IT controls. Furthermore, ABC Insurance prioritizes IT compliance, ensuring adherence to IT policies and processes.

Table 3.6 ABC Insurance's IT sites (Source: KPMG working paper)

IT Sites | Location | Managed by | Notes
IT Department | Head Office | IT team in VN

The Head Office IT team in Vietnam is the sole group authorized to access both the Data Center and the Backup site, ensuring secure management of critical IT resources. Additionally, only this team is permitted to enter the Disaster Recovery (DR) site, reinforcing the importance of centralized control over vital data infrastructure.

ABC Insurance lacks a formal cybersecurity policy and strategy, failing to adhere to established best practices from recognized IT and cybersecurity frameworks such as the ISO 27000 series and NIST.

• Client has not yet planned periodic penetration tests.

• Client does not have a specific cyber security team; the Technology security center is responsible for all IT security matters.

• Client has issued IT Security Policies. IT Security awareness training is provided on a yearly basis.

• There has been no cyber security incident in the last 12 months.

3.2.2.4 Understand the enterprise’s IT processes

Access to Program and Data

a. IT Security Policy / User Awareness

The organization has implemented IT security policy A-01-F1, titled "IT Operational and Security Manual," which has been approved by the General Director. This policy is communicated to employees through a formal written document and covers various critical areas of IT security.

• Information technology infrastructure security management

Employees are required to acknowledge the security policy through training; at the end of the training course, they must pass an exam.

b. Physical Access

Access to the server room is restricted to authorized personnel only, who must have their User ID, User Name, and Card ID registered with the Human Resources Administration Department. ABC Insurance employs a magnetic card system to ensure the physical security of its applications server, emphasizing the importance of proper identification and authentication protocols.

The "IT Operational and Security Manual" of ABC Insurance, which has been reviewed and signed by both the Deputy General Manager and the General Director, includes the password policy detailed in Chapter 18.

• Passwords that are used as an authentication mechanism to relevant applications have established standards for composition, management, and syntax

Table 3.7 General IT system access policy (Source: KPMG working paper)

Oracle App | Oracle OS - AIX | P400

- Duplicate password control/ Password History: Cannot be the same as last 32 (passwords)

- Limit repeating characters in password: Cannot be repeated consecutively

- Require digit in password: Required

- Maximum sign-on attempts allowed: 3

- Inactive job time-out: 15 minutes

d. Super Users

Administrative accounts on the P400 Application/DB/OS are restricted to authorized personnel only. ABC Insurance enforces an Access Control policy for these accounts, detailed in Chapter 21 of the IT Security Baseline within the "IT Operational and Security Manual."

The administrative accounts for the DB & OS layers of P400 are managed by ABC Insurance Head Office; ABC Insurance VNM IT does not have access to these accounts.
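The APD1-1 password control attributes (Section 2.1.1.3) and the Table 3.7 password baseline above, as an added Python example that is not a KPMG working-paper tool: it compares configuration exports for the three systems named in the Table 3.7 header against the baseline values the page reproduces, treats a deviation as closed only when a documented exception (control APD1-2) approves that exact value, and checks a candidate password against the composition rules. Applying one baseline to all three systems, the setting names, the exports and the exception register are assumptions constructed for the example.

```python
"""Test of the password-policy control against system configuration exports (added example)."""
from dataclasses import dataclass
from typing import Any

# Baseline as reproduced from Table 3.7: setting -> (comparison, required value).
BASELINE = {
    "password_history": ("at_least", 32),          # cannot reuse any of the last 32 passwords
    "allow_consecutive_repeat": ("equals", False),  # characters may not repeat consecutively
    "require_digit": ("equals", True),
    "max_signon_attempts": ("at_most", 3),
    "inactive_timeout_minutes": ("at_most", 15),
}

# Constructed configuration exports, one per system in the Table 3.7 header.
SYSTEM_EXPORTS = {
    "Oracle App": {"password_history": 32, "allow_consecutive_repeat": False,
                   "require_digit": True, "max_signon_attempts": 3,
                   "inactive_timeout_minutes": 15},
    "Oracle OS - AIX": {"password_history": 10, "allow_consecutive_repeat": False,
                        "require_digit": True, "max_signon_attempts": 3,
                        "inactive_timeout_minutes": 15},
    "P400": {"password_history": 32, "allow_consecutive_repeat": True,
             "require_digit": True, "max_signon_attempts": 5},  # timeout not exported
}

# Constructed register of documented, approved exceptions (APD1-2):
# (system, setting) -> the approved value.
APPROVED_EXCEPTIONS = {("P400", "max_signon_attempts"): 5}


@dataclass(frozen=True)
class Deviation:
    system: str
    setting: str
    required: Any
    actual: Any              # None when the setting is absent from the export
    approved_exception: bool


def _complies(mode: str, required: Any, actual: Any) -> bool:
    if mode == "at_least":
        return actual >= required
    if mode == "at_most":
        return actual <= required
    return actual == required


def check_system(system, export, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Compare one system's export with the baseline; every gap becomes a Deviation."""
    deviations = []
    for setting, (mode, required) in baseline.items():
        actual = export.get(setting)
        if actual is not None and _complies(mode, required, actual):
            continue
        # A missing setting can never be covered by an exception.
        approved = actual is not None and exceptions.get((system, setting)) == actual
        deviations.append(Deviation(system, setting, required, actual, approved))
    return deviations


def password_meets_composition(password: str) -> bool:
    """Composition rules from Table 3.7: at least one digit, no consecutively repeated character."""
    has_digit = any(ch.isdigit() for ch in password)
    no_repeat = all(a != b for a, b in zip(password, password[1:]))
    return has_digit and no_repeat


def open_findings(exports=SYSTEM_EXPORTS):
    """Deviations without an approved exception; these feed the deficiency summary."""
    return [d for system, export in exports.items()
            for d in check_system(system, export) if not d.approved_exception]


if __name__ == "__main__":
    for f in open_findings():
        print(f"{f.system}: {f.setting} requires {f.required}, found {f.actual}")
```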

• Program changes: ABC Insurance follows the "Application Enhancement Procedure" for managing program changes, including authorization, development, testing, and approval. The steps involved are:

“1 Enhancement Requirement Register > 2 Pre-feasibility Analysis > 3 Submit ITSC for approval > 4 Business Specification > 5 Functional Specification > 6 Programming > 7 UAT conduction > 8 Implementation > 9 Go live”

• Testing environment: Changes must be tested in a separate testing environment before migration to the production environment

• Migration to production environment: Approved changes are migrated to the production environment by the ABC Insurance VNM IT Department

• Documentation and approval: After development and testing are completed without issues, a request to deploy the change to production must be documented and approved by the IT department's manager

• Configuration changes: System configuration changes follow the same procedure as program changes, including approval, processing, and testing

• Emergency changes: Emergency change requests require verbal communication with the IT Officer and management approval. Once completed, these requests are documented

Per confirmation, there was no program development during the year.

ABC Insurance utilizes the "ITSP03 - Operation Batch Processing Procedure" to manage daily batch jobs, outlining essential guidelines for job prioritization, routine file transmission, and error monitoring. At the end of the day, the System Operator (OPR) distributes EOD reports via designated queues, while local IT support is responsible for printing and disseminating these reports to the various business units.

• EOD Procedures:
  o Prepare EOD checklist
  o Check the POS signoff
  o Check metrics before EOD

• Failure during EOD: In case of a failure, the EOD officer contacts ABC Insurance VNM IT, RPC, and VNMP400 units for processing support

ABC Insurance Head Office has a specialized internal audit team that concentrates on enhancing business processes and IT controls. Additionally, the office is supported by an IT compliance team that ensures adherence to IT policies and processes.

3.3. IT Controls Testing

3.3.1.1 Access Controls

a Understand and assess the GITC design and implementation & understand how the GITC is performed

Control | IT Layer | Control Attributes | Control Operator

APD1-2 | Oracle & P400 - Application | CA-1.1.E | IT Manager

b Evaluate Design & Implementation

APD1-2:

1 Procedures performed to evaluate D&I: Inquiry, Observation, Inspection

2 Design: This control is mentioned in the ABC Insurance policy.

Users need to have a unique account and password in order to gain access to the system.

3 Implementation: This procedure was revised and approved for use by the General Director.

Figure 3.2 Oracle Database Password setting (Source: KPMG working paper)

Figure 3.3 Oracle Database Password setting (Source: KPMG working paper)

Figure 3.4 P400 Password setting (Source: KPMG Working paper)

5 Perform TOE: Yes

c Test of Operating Effectiveness

Table 3.9 Access to Program and Data TOE (Source: KPMG working paper)

Control | RAWTC | Audit Methods | Evaluate & Conclude

APD1-2 | Base | Inquired IT Manager,

All exceptions to the policy must be approved by the ABC Insurance IT management board.
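As an added example (not from the KPMG working paper), the following Python script compares exported authentication parameters for each IT layer with the Table 3.7 baseline and lists the settings that fall short of the policy, which are exactly the exceptions that would need the IT management board approval described above. The parameter key names, the exported values and the `find_exceptions` and `password_meets_composition` helpers are constructed for this example.

```python
"""Compare exported authentication parameters with the Table 3.7 baseline (APD1-2)."""

# Baseline values taken from Table 3.7; the key names are constructed for this example.
BASELINE = {
    "password_history": 32,            # cannot be the same as the last 32 passwords
    "max_signon_attempts": 3,
    "inactive_timeout_minutes": 15,
    "require_digit": True,
    "block_consecutive_repeats": True,
}

# Parameters where a larger configured value is weaker than the baseline.
UPPER_BOUNDED = {"max_signon_attempts", "inactive_timeout_minutes"}

# Constructed parameter exports per IT layer (not real ABC Insurance data).
EXPORTS = {
    "Oracle App": {"password_history": 32, "max_signon_attempts": 3,
                   "inactive_timeout_minutes": 15, "require_digit": True,
                   "block_consecutive_repeats": True},
    "Oracle OS - AIX": {"password_history": 32, "max_signon_attempts": 5,
                        "inactive_timeout_minutes": 15, "require_digit": True,
                        "block_consecutive_repeats": True},
    # P400 export is missing the consecutive-repeat setting entirely.
    "P400": {"password_history": 32, "max_signon_attempts": 3,
             "inactive_timeout_minutes": 15, "require_digit": True},
}


def is_weaker(param, configured, required):
    """True when the configured value is less strict than the baseline value."""
    if configured is None:
        return True                     # parameter not set at all counts as an exception
    if isinstance(required, bool):
        return required and not configured
    if param in UPPER_BOUNDED:
        return configured > required
    return configured < required


def find_exceptions(exports, baseline=BASELINE):
    """Return {layer: [(param, configured, required), ...]} for weaker-than-policy settings."""
    result = {}
    for layer, params in exports.items():
        bad = [(p, params.get(p), req) for p, req in baseline.items()
               if is_weaker(p, params.get(p), req)]
        if bad:
            result[layer] = bad
    return result


def password_meets_composition(password):
    """Composition rules from Table 3.7: at least one digit, no character repeated consecutively."""
    has_digit = any(ch.isdigit() for ch in password)
    no_consecutive_repeat = all(a != b for a, b in zip(password, password[1:]))
    return has_digit and no_consecutive_repeat
```

Every entry returned by `find_exceptions` is a setting for which the auditor would ask for the documented management approval; an empty result means all three layers are at or above the baseline.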

3.3.1.2 Change Management

a Understand and assess the GITC design and implementation & understand how the GITC is performed

Table 3.10 Change Management understanding (Source: KPMG working paper)

Control | IT Layer | Control Attributes | Control Operator

IT Manager

b Evaluate Design & Implementation

CM5-1:

1 Procedures performed to evaluate D&I: Inquiry, Observation, Inspection

2 Design: Only authorized IT personnel who are assigned to perform the systems administration duties are responsible for implementing changes to the production environment.

There are two application environments: development and production.

3 Implementation: This control exists and the entity is using it as designed.

Figure 3.5 Development environment (Source: KPMG working paper)

Figure 3.6 IP addresses of the people who have access to the development environment (Source: KPMG working paper)

Figure 3.7 Production environment (Source: KPMG working paper)

Figure 3.8 IP addresses of the people who have access to the production environment (Source: KPMG working paper)

5 Perform TOE: Yes

c Test of Operating Effectiveness

Table 3.11 Change Management TOE (Source: KPMG working paper)

Control | RAWTC | Audit Methods | Evaluate & Conclude

CM5-1 | Base | Inquired, Inspected and Observed IT Manager performance

Observed the IT Manager demonstrating the segregated environments.

3.3.1.3 Computer Operations

a Understand and assess the GITC design and implementation & understand how the GITC is performed

Table 3.12 Computer Operations understanding (Source: KPMG working paper)

Control | IT Layer | Control Attributes | Control Operator

IT Manager

b Evaluate Design & Implementation

CO5-1:

1 Procedures performed to evaluate D&I: Inquiry, Observation, Inspection

2 Design & Implementation: ITSP03 – Operation Batch Processing Procedure. ABC Insurance utilizes email as the primary method for reporting and managing IT incidents, as outlined in Chapter 9 of the “IT Operational and Security Manual”, last reviewed by the General Director on 26 Oct 2022.

• Incident reports at ABC Insurance are assigned a priority code based on impact and urgency, with four levels of priority from Very Low to Critical.

• Reporting can be done through email or verbally. Closure of resolved issues is communicated either through email or directly to the involved personnel.

Figure 3.9 The Incidents classification matrix of ABC Insurance (Source: KPMG working paper)

4 Perform TOE: Yes

c Test of Operating Effectiveness

Table 3.13 Computer Operations TOE (Source: KPMG working paper)

Control | RAWTC | Audit Methods | Evaluate & Conclude

CO5-1 | Base | Inquired IT

KPMG inspected 12 monthly IT system incident reports and verified that the total incidents of Oracle

• 202201_Incident01
  + Incident report: Host server could not start VMs after the monthly Windows security update failed to install
  + Requested date: 13 Jan 2022
  + Requested by: IT Deputy Manager
  + Troubleshoot: Re-installed the Jan 2022 patch successfully, then removed that patch. Installed the Windows OOB update on Jan 17 2022
  + Resolved date: 13 Jan 2022
  + Resolved by: IT Manager
  + Status: Closed
  + Duration: 2 hours
  + Incident priority rate: 3
  + Impact rate: Medium
  + Urgency rate: Medium
  + Appropriate: Yes

• 202201_Incident02
  + Incident report: Server room in HCM was down due to a suspected fire
  + On December 14, 2022, the General Manager requested troubleshooting for the UPS and storage devices. The UPS vendor successfully repaired the mainboard and replaced the battery, while the storage vendor replaced the power supply units. The issues were resolved by December 19, 2022.
  + Resolved by: IT Specialist
  + Status: Closed
  + Duration: 108 hours
  + Incident priority rate: 3
  + Impact rate: Medium
  + Urgency rate: Medium
  + Appropriate: Yes

3.3.2.1 Determine the appropriate audit procedures

Table 3.14 Accuracy & Completeness Testing determine the appropriate procedures (Source: KPMG working paper)

AC01 CO5-1 KPMG observed IT Manager, KPMG observed how the list of

Insurance Vietnam/05 Regular IT System Incident Report/2022 to obtain the list of incident reports during the audit period

KPMG analyzed 10 samples, reconciling key data elements such as Count Period, Reporting Date, Incident Definition, Incident Classification, the number of incidents that occurred this month, and the number of incidents resolved within the same timeframe. The findings were verified against the IT Manager's screen to ensure consistency and accuracy.

12 monthly reports and 5 incidents during this year. The total of incident reports that KPMG received from the IT Manager is equal to 12, and the total of incidents is equal to 5.

3.3.2.2 Design and perform procedures to directly test the completeness of the information

Table 3.15 Directly test the Accuracy & Completeness of the information (Source: KPMG working paper)

The AC01 procedure involved selecting 10 samples for direct testing, which were subsequently cross-referenced with the IT Manager's incident report list displayed on the computer screen, revealing no recorded incidents.

KPMG analyzed the display of incident reports on the IT Manager's screen and confirmed the presence of 12 monthly reports along with 5 incidents reported this year. The total of incident reports that KPMG received from the IT Manager is equal to 12, and the total of incidents is equal to 5.

3.3.3.1 ITAC-01 – Calculation for unearned premium reserves

a Understand and assess the process control activities & how they are performed

• Control description: Unearned premium calculation is performed automatically by the system based on the hard-coded program logic and the related calculation parameters

Table 3.16 ITAC-03 understanding and assessment (Source: KPMG working paper)

PRP | RMM | IT Layer | Control Attributes

- PRP: Insurance reserves have not been properly computed and recorded
- RMM: The unearned premium reserve is not calculated accordingly when the insurer has come to an agreement on installment payment with the policy holder
- IT Layer: Operating System
- Control Attributes:
  • System configuration based on business rule
  • Masterdata is defined in the system
  • Transaction data is defined in the system
  • Access to change system config is restricted to authorized

b Evaluate Design & Implementation

Table 3.17 Audit procedure of ITAC-01 D&I testing (Source: KPMG working paper)

KPMG inquired of the Chief Accountant to learn about the definition and logic of the system calculation for unearned premium

2 Test configuration access: Inspect the system configurations for implementation of business rules and account mapping

3 Test program change: Inquire of the people authorized to change the configuration settings

Inspect the system configuration access

• Unearned premium is the portion of the policy premium that has not yet been

A property or casualty insurer must recognize unearned premiums as liabilities in its financial statements, as these represent the portion of premiums that have not yet been earned due to the remaining term of the policy. If a policy is canceled, the insurer is obligated to refund a portion of the original premium, highlighting the importance of accurately accounting for these unearned amounts.

• Unearned premium = Premium per day × number of days

KPMG inquired of the IT Manager, IT Division, and learned that the Earn/Unearned method is set to daily for all types of contract on the P400 system.

Figure 3.10 Type of Earn/Unearned contract (Source: KPMG working paper)

Figure 3.11 Earn/Unearned method is set to 3 which is daily (Source: KPMG working paper)

KPMG inspected the list of contract types with their methods and learned that all Earn/Unearned methods are set to 3 (daily).

Figure 3.12 A screenshot of part of the list of contract types exported from P400 (Source: KPMG working paper)

KPMG discovered that ABC Insurance lacks an account for accessing system configuration, with administrative access for modifying P400 configurations being managed exclusively by ABC Insurance Asia.

Conclusion – Test of Design: Based on the test procedures above, KPMG concluded that the control design is effective.

c Test of Operating Effectiveness

Table 3.18 Audit procedure of ITAC-01 TOE (Source: KPMG working paper)

Steps | Objective | Procedure | Sample Details

4 | Ensure the effectiveness of the control during the audit period | Select 02 samples, including a direct policy and a reinsurance policy, and check the Unearned report on P400 to determine whether the system calculates the correct unearned amount for each month

Step 4 - Select 02 samples and check the Unearned report on P400 to determine whether the system calculates the correct unearned amount for each month

• Insured Customer: CDF Agricultural Machinery

Figure 3.13 General information of Direct premium (Source: KPMG working paper)

Figure 3.14 Gross Original premium of CDF Agricultural Machinery (Source: KPMG working paper)

• Period: 365 days (from 31 Oct 2022 to 31 Oct 2022)

• Unearned Premium per day = 45,600,000.00/365 = 124,931.51 VND

• Unearned Premium on December 2022 = 45,600,000.00/365*31 = 3,827,876.71 VND

KPMG inspected report B4184 of December (Unearned Matrix Calculation Audit trail) and verified that the unearned premium matched the system calculation.
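As an added example (not from the KPMG working paper), this Python script recomputes the daily Earn/Unearned method independently of P400 for a direct-policy sample like the one above and compares the result with a reported figure, which is the core of the ITAC-01 TOE step. It generalizes to partial months and to the month-end reserve balance; the policy dates (31 Oct 2022 to 31 Oct 2023, giving 365 days), the reported amount and all function names are constructed assumptions.

```python
"""Independent recomputation of daily-method unearned premium (ITAC-01 TOE)."""
from calendar import monthrange
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def policy_days(start: date, end: date) -> int:
    """Days in the policy period; 31 Oct 2022 to 31 Oct 2023 gives 365."""
    return (end - start).days

def premium_per_day(gross: Decimal, start: date, end: date) -> Decimal:
    """Daily earn method (P400 method 3): gross premium spread evenly over the period."""
    return gross / Decimal(policy_days(start, end))

def covered_days_in_month(start: date, end: date, year: int, month: int) -> int:
    """Coverage days inside one calendar month. Coverage runs from the day after
    `start` through `end` inclusive, so the monthly days sum to policy_days()."""
    first = date(year, month, 1)
    last = date(year, month, monthrange(year, month)[1])
    lo = max(first, start + timedelta(days=1))
    hi = min(last, end)
    return max(0, (hi - lo).days + 1)

def earned_in_month(gross: Decimal, start: date, end: date, year: int, month: int) -> Decimal:
    """Premium earned in the month; rounding happens once, after the multiplication."""
    days = covered_days_in_month(start, end, year, month)
    return (premium_per_day(gross, start, end) * days).quantize(CENT, ROUND_HALF_UP)

def unearned_reserve(gross: Decimal, start: date, end: date, as_of: date) -> Decimal:
    """Unearned premium reserve (the liability) at a date: premium for the days still to run."""
    remaining = max(0, (end - as_of).days)
    return (premium_per_day(gross, start, end) * remaining).quantize(CENT, ROUND_HALF_UP)

def recompute(gross: str, start: str, end: str, year: int, month: int, reported: str) -> dict:
    """Audit check: compare the reported figure for a month with an independent calculation."""
    s, e, g = date.fromisoformat(start), date.fromisoformat(end), Decimal(gross)
    expected = earned_in_month(g, s, e, year, month)
    month_end = date(year, month, monthrange(year, month)[1])
    return {
        "policy_days": policy_days(s, e),
        "per_day": str(premium_per_day(g, s, e).quantize(CENT, ROUND_HALF_UP)),
        "expected": str(expected),
        "reported": reported,
        "matches": expected == Decimal(reported),
        "reserve_at_month_end": str(unearned_reserve(g, s, e, month_end)),
    }

if __name__ == "__main__":
    # Constructed sample modelled on the page's direct policy: 45,600,000 VND over 365 days.
    print(recompute("45600000", "2022-10-31", "2023-10-31", 2022, 12, "3872876.71"))
```

A `matches` of False for a month is the signal to pull the B4184 audit trail for that policy; rounding the per-day amount before multiplying is a common reason for a small difference.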

Conclusion – Test of Operating Effectiveness: Based on the audit procedures above, KPMG concluded that the control is operating effectively.

d Overall Test Conclusion

Overall Conclusion - Test of Control: Based on the procedures described above, KPMG concluded that the control is designed and operating appropriately.

3.4. Summarizing and Evaluating ABC Insurance's IT System Controls Deficiencies

The review procedures were designed to enhance the financial statement audit by evaluating the effectiveness of controls for the fiscal year. Key audit procedures were conducted to ensure a comprehensive assessment and compliance:

• Walkthrough the design of key IT/application controls and test for effectiveness

• Documented walkthrough procedures and test results in GITC/Automated Control Walkthrough Memo(s)

3.4.2 IT System controls deficiencies evaluation

The KPMG ITA team has concluded the following based on its review:

Table 3.19 Automated Controls summary (Source: KPMG working paper)

- PRP: Insurance reserves have not been properly computed and recorded
- RMM: The unearned premium reserve is not calculated accordingly when the insurer has come to an agreement on installment payment with the policyholder
- RAWTC: Base
- Control: Unearned premium calculation is performed automatically by the system based on the hard-coded program logic and the related calculation parameters

- PRP: Recorded liabilities/assets and related expenses/income for inward reinsurance contracts are not completely and accurately recorded
- RMM: The reinsurance agreement terms and conditions are incorrectly input into the reinsurance administrative system
- Control: Premium calculation is performed automatically by the system based on the hard-coded program logic and the related calculation parameters

Table 3.20 GITC Summary (Source: KPMG working paper)

APD - Access to program and data

APD1-2 | Exceptions to the password policy | E | E

CM5-1 | Access to implement changes into the production environment for P400 & Oracle, including configuration changes, is authorized and restricted for use only by appropriate personnel and segregated from the development environment

CO5-1 | IT system incidents impacting system jobs, processes and/or programs relevant to the P400 & Oracle systems are tracked and resolved within the defined timeframes

3.4.2.3 Summary of Deficiencies for GITCs and Automated Controls

RECOMMENDATIONS
