IT Consulting Services | Information & Communication Technology Audits | Advisory Services | Forensic Investigations | Corporate Governance

IT CONSULTING SERVICES

Relevance of Information Technology in the world

Information Technology (IT) systems contain critical information that is key to the financial and operational success of the organisation through efficient information management and reporting.

The amount of data we produce worldwide is growing—and there’s no sign of it slowing (Galvanize).

As part of our integrated audit approach, some of the IT components will be tested on an ongoing basis as part of the assurance reviews.

Based on our understanding of the IT environment, the organisation is likely to be exposed to the following risks:

  • Security of the network from external threats;
  • Confidentiality of personal information;
  • Availability of systems;
  • Integration/interface issues;
  • Completeness of data in source systems;
  • System validation controls;
  • System support with external IT service providers;
  • IT skills on legacy systems;
  • Processing controls;
  • Timeliness of management reporting information and the reliability thereof;
  • System reporting of information in compliance with the Companies Act, King IV, PFMA, MFMA and any other relevant legislation and regulation.

Throughout our engagement with various clients, we have noted the importance of technology in most business processes hence we have deliberately and intentionally ensured an audit design process that cohesively combines business process and IT auditing into a single, coordinated effort.

Information & Communication Technology audits

Through our experience in similar industries and specialist skills in IT reviews we have a vast knowledge of industry practices, compliance with regulatory issues, benchmarking with good/best practices and implementation of automated controls that will enhance the overall IT control environment.

Our methodology is based on standard and proven frameworks that guide the assessment of information processes and infrastructure. We subscribe to frameworks such as:

  • COBIT – (Control Objectives for Information and Related Technologies). COBIT provides good practices for the management of IT and also enables the development of clear policy and good practices for IT control and assessment.
  • ITIL – (IT Infrastructure Library). ITIL is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practices, drawn from the public and private sectors internationally.
  • ISO/IEC 27001 and 27002 – The code of practice for information security management is an international standard formerly known as ISO 17799. It is presented as best practice for implementing information security management.

In conducting our reviews, we subscribe to the Information Systems Audit and Control Association (ISACA) code of professional conduct. ISACA is the international body that regulates the Information Systems Audit practice globally.

With ever-increasing technological advancement, IT environments have continued to grow in complexity and interoperability, with ever greater reliance on the information produced by IT systems and processes. The General Control Review will assess the controls around the IT infrastructure and processes deployed in the local government environment. Based on our understanding of your environment and the risks that are likely, we will cover the following IT general controls focus areas:

  • IT and network security
  • User account management (covering main authentication systems and applications)
  • Physical security and environmental controls
  • Change management
  • Backup
  • Disaster recovery plan and backup processes
  • IT operations (capacity management and job scheduling)
  • Incidents and service desk

IT governance refers to the structures, oversight and management processes in place which ensures the delivery of the expected benefit of IT investments in a controlled way to help enhance the long-term sustainable success of an organisation. IT governance is a subset of an organization’s corporate governance. As the utilization of IT grows in an organization, it presents risks which must be mitigated. IT governance focuses specifically on information technology investments and assets, their performance and risk management. The primary goals of IT governance are to ensure that the investments in IT generate business value, and to mitigate the risks that are associated with IT.

Our IT governance approach is underpinned by national and international standards as well as compliance with regulatory and statutory bodies, as noted below:

  • Public Service Corporate Governance of Information and Communication Technology Policy Framework
  • ISO/IEC 38500
  • ISAE 3000 Guidelines
  • King III
  • IT Governance Institute
  • COBIT 5
  • ITIL

In addition to jointly auditing manual and automated controls, we will also make use of data analysis tools (ACL) to perform recalculations and determine the integrity of transactions and master data, contributions, benefits, appearances and disappearances. We also make use of security audit tools and authorisation and segregation-of-duties tools. These tools help us increase our audit testing coverage to 100% of the population. Our approach ensures a high level of collaboration and interaction between business process and IT audit staff. The resultant audit report will address both manual and IT-related areas of improvement within the business cycles.

In addition to the manual and application-level tests highlighted above, we also perform data analysis to confirm the accuracy, completeness and validity of system and data input, processing and output. We will use one of our data analytics tools, ACL.

“Proactive data monitoring was associated with 52% lower losses and frauds detected in half the time.” (Association of Certified Fraud Examiners, 2018 Report to the Nations on Occupational Fraud and Abuse)

With the right data analysis technology, you can:

  • Automatically search 100% of your transactions for indicators of fraud.
  • Easily merge, normalize, and compare data from different systems and sources.
  • Quickly identify fraud before it becomes material (or front-page news).
  • Strategically realign resources to focus detection efforts on suspicious transactions.
  • More accurately calculate the impacts of fraud.
  • Significantly reduce sampling errors and improve internal controls.
  • Save time by automating repetitive tests. 

We can assist your organisation to detect irregularities that would otherwise go undetected using conventional sampling methods and techniques. We can utilise a variety of analytical tools such as:

  • Trend analysis and time series analysis – Analysis of trends across years, or across departments, divisions, etc. can be very useful in detecting fraud.
  • Ratio analysis.
  • Duplicate transactions – Duplicates testing is one of the more common fraud tests because it can indicate fraud as well as inefficiency and inaccuracies in transactions.
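As an added example (not the firm's own ACL procedures), the duplicate-transactions test described above, run over a constructed payments ledger; the vendor names, invoice numbers, amounts and dates are hypothetical. It goes slightly beyond an exact-match test: invoice numbers are normalised so that "INV-1001" and "inv1001" match, and payments to the same vendor for the same amount within a short window are flagged as near-duplicates even when the invoice numbers differ.

```python
"""Duplicate-payment test over a constructed payments ledger."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample ledger (hypothetical vendors, invoices and amounts).
PAYMENTS = [
    {"id": 1, "vendor": "Acme Ltd", "invoice": "INV-1001", "amount": 1500.00, "date": date(2023, 3, 1)},
    {"id": 2, "vendor": "Acme Ltd", "invoice": "inv1001", "amount": 1500.00, "date": date(2023, 3, 9)},
    {"id": 3, "vendor": "Beta CC", "invoice": "B-77", "amount": 820.50, "date": date(2023, 3, 2)},
    {"id": 4, "vendor": "Beta CC", "invoice": "B-78", "amount": 820.50, "date": date(2023, 3, 20)},
    {"id": 5, "vendor": "Gamma Pty", "invoice": "G-5", "amount": 99.99, "date": date(2023, 3, 4)},
    {"id": 6, "vendor": "Gamma Pty", "invoice": "G-5", "amount": 99.99, "date": date(2023, 3, 4)},
]


def normalise_invoice(inv):
    """Strip punctuation, whitespace and case so 'INV-1001' == 'inv1001'."""
    return re.sub(r"[^a-z0-9]", "", inv.lower())


def find_duplicates(payments, window_days=30):
    """Return (exact, near): lists of payment-id tuples.

    exact: same vendor, same normalised invoice number and same amount.
    near:  same vendor and amount paid within window_days of each other,
           but with invoice numbers that still differ after normalisation
           (a re-keyed duplicate invoice, or a legitimate recurring charge
           that the auditor must follow up).
    """
    exact, near = [], []

    # Exact duplicates: group on the full key.
    by_key = defaultdict(list)
    for p in payments:
        key = (p["vendor"], normalise_invoice(p["invoice"]), round(p["amount"], 2))
        by_key[key].append(p)
    for group in by_key.values():
        if len(group) > 1:
            exact.append(tuple(sorted(x["id"] for x in group)))

    # Near duplicates: group on vendor + amount, then compare dates pairwise.
    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p["vendor"], round(p["amount"], 2))].append(p)
    for group in by_vendor_amount.values():
        group.sort(key=lambda x: x["date"])
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if normalise_invoice(a["invoice"]) == normalise_invoice(b["invoice"]):
                    continue  # already reported as an exact duplicate
                if (b["date"] - a["date"]).days <= window_days:
                    near.append((a["id"], b["id"]))
    return exact, near


if __name__ == "__main__":
    exact_hits, near_hits = find_duplicates(PAYMENTS)
    print("exact duplicates:", exact_hits)  # [(1, 2), (5, 6)]
    print("near duplicates: ", near_hits)   # [(3, 4)]
```

Every flagged pair is a lead for inquiry, not a finding on its own: recurring contract payments will also match on vendor and amount, so the window and the invoice normalisation should be tuned to the client's invoicing conventions.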

The use of ACL (Audit Command Language) enables us to get a full view of all business transactions rather than relying on traditional sampling, which has the inherent shortcoming of sampling error.

We can conduct automated Audit Command Language (ACL) testing to analyse a wide range of transactions such as:

  • Order-to-Cash Analytics
  • Payroll Analytics
  • Purchase-to-Pay Analytics
  • Tax Compliance
  • Travel & Entertainment
  • Budget Management
  • Credit Card Management
  • General Accounting
  • General Ledger
  • Asset Management

Advisory Services

AVC Corporate Advisory Services believes in the value of internal auditing in providing assurance and advisory services through our teams of certified and experienced internal audit practitioners.

Risk-based audits are the cornerstone of modern internal auditing. The higher the risk to the organisation, the greater the impact on the achievement of goals and objectives. Risk is also viewed in the form of both risk and opportunity.

We will use our methodology, which is aligned to the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA).

Each assignment should at least consist of the following: 

  • Pre-audit survey,
  • Audit planning memorandum,
  • Minutes of entrance meeting,
  • Risk assessment document,
  • Control Adequacy assessment document,
  • System descriptions,
  • Audit programmes,
  • Record of work performed,
  • Audit of work performed,
  • Audit finding and recommendations,
  • Sampling methodology,
  • Mechanisms for follow-up on matters previously reported and feedback to the Audit and Risk Committee,
  • Mechanism to ensure that working papers are reviewed at the appropriate level,
  • Reporting (draft internal audit report and final internal audit report); and
  • Follow up of previous audit findings.

We comply with the quality control standards as laid down by the Institute of Internal Auditors, and we also have a process of internal quality review within our company. 

Our internal audit service is subject to constant internal quality assurance and peer reviews. We regularly conduct extensive quality reviews within our firm. In addition, at project/process level, each individual process/project will be subject to a review by a manager and director. Their responsibility will be to ensure that the project/process audit meets the IIA standards and that: 

  • The terms and conditions of the contract are adhered to;
  • Individual projects are appropriately staffed at director/manager level;
  • Staff were appropriately supervised and working papers properly reviewed;
  • The project scope is appropriately set and communicated with management;
  • The reporting deadlines and standards are consistently met;
  • Our staff are assessed at the end of each project.

It must be noted that our methodology has built-in steps and templates that ensure adherence to IIA standards.

Enterprise Risk Management (ERM)

Enterprise risk management encompasses:

  1. Aligning risk appetite and strategy – Management considers the organisation’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing tools to manage related risks.
  2. Enhancing risk response decisions – ERM provides the rigor to identify and select risk responses – risk treatment, transfer, tolerance and termination.
  3. Reducing operational losses – the organisation gains enhanced capability to identify potential events and establish responses, reducing associated costs or losses.
  4. Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and ERM facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
  5. Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realise opportunities.
  6. Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that: 

  • Organizational objectives support and align with the organization’s mission
  • Significant risks are identified and assessed
  • Appropriate risk responses are selected that align risks with the organization’s risk appetite 
  • Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. 

It is important that an organization obtains assurance on its risk management process. This assurance must accommodate the possibility that the internal auditor might not be functionally independent of the risk management function. In this case, assurance may be sought from an external party. 

Our approach to giving assurance on the effectiveness of risk management at the organisation is based on the IPPF Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000. The assurance approach to be used (Process Elements, Key Principles, or Maturity Model) will be discussed with the organisation's Internal Audit, based on the level of application of risk management at the organisation, and agreed before commencement.

Based on our knowledge, general areas of concern include establishing whether: 

  • The risk management process has been applied appropriately and all elements of the process are suitable and sufficient.
  • The risk management process is in keeping with the strategic needs and intent of the organization.
  • All significant risks have been identified and are being treated.
  • Controls are being correctly designed in keeping with the objectives of the risk management process.
  • Critical controls are adequate and effective. 

The expanded scope of the review of the adequacy and the effectiveness of Risk Management process will look into the following areas: 

  • Whether the organisation operates within the terms of a risk management policy and strategy approved by the Accounting Authority.
  • Whether NRR’s risk management philosophy has been communicated in the context of how risk management is expected to support the achievement of objectives.
  • Whether the roles and responsibilities of the key players have been clearly articulated and delegated in a manner that ensures effective co-ordination and synergy of risk management activities.
  • Whether the implementation of the organisation’s risk management policy is guided by a strategy approved by the Accounting Authority.
  • Whether internal processes have been established to sensitise all employees to the relevance of risk management to the achievement of their performance goals.
  • Whether training and support are provided to everyone involved in risk management activities to equip them to optimally execute their responsibilities for risk management.
  • Whether the organisation has adopted a rigorous and ongoing process of risk identification that also includes mechanisms to identify new and emerging risks timeously.
  • Whether formal channels of communication and co-operation exist within the institution to facilitate synergy between the Risk Management Unit, the Risk Management Committee and internal formations concerned with risk mitigation, and whether there is proper delegation of responsibilities relating to risk management to management and internal formations such as the Risk Management Committee, Fraud Prevention Committee, Finance Committee and Information and Communication Technology Committee.
  • Whether management is held accountable for designing, implementing, monitoring and integrating risk management into their day-to-day activities.
  • Whether the organisation’s risk appetite and risk tolerance have been set and approved.
  • Whether personal attention has been devoted to overseeing the management of the significant risks.

Forensic Investigations

At AVC Corporate Advisory Services, we can partner with you to help with the investigation of cases of non-compliance, fraud, corruption or any other corporate irregularities. Forensic investigation involves an examination and evaluation of an organisation’s or individual’s financial information by application of accounting and audit methods for use as evidence in disciplinary actions, court or other stakeholders. 

A forensic audit can be conducted in order to prosecute a party for fraud, embezzlement or other financial claims. In addition, an audit may be conducted to determine negligence. A forensic audit involves efforts to resolve allegations or signs of fraud when the full facts are unknown or unclear; therefore, it seeks to obtain facts and evidence to help establish what happened, identify the responsible party, and provide recommendations where applicable.

When conducting a forensic audit to resolve signs or allegations of fraud, the forensic auditor should:

  • Assume litigation will follow;
  • Act on predication;
  • Approach cases from two perspectives;
  • Move from the general to the specific;
  • Use the fraud theory approach.

Our forensic service areas include:

  • Financial statement
  • Computer forensics
  • Electronic discovery
  • Bankruptcies, insolvencies and reorganisations
  • Workplace fraud investigations
  • Calculation of economic losses
  • Business valuations
  • Professional negligence

Forensic investigations are therefore critical in establishing the facts of the matter, the legislation/regulations not followed, and the culpability of officials. The results of the forensic investigation also enable the organisation to institute consequence management and also act as a deterrent of such behaviour.

We make use of a variety of forensic audit procedures depending on the nature of the investigation, such as:

    a) Data Analysis
    b) Analytical Procedures
    c) Inspection
    d) Observation
    e) External Confirmation
    f) Recalculation
    g) Re-Performance
    h) Inquiry
    i) Interviews

Corporate Governance

Corporate Governance is the overarching set of policies, procedures, and relationships that enable an organisation to establish objectives, set ethical boundaries to the acceptable means with which those objectives will be met, monitor the achievement of objectives, reward successful achievements, and discipline unsuccessful or inappropriate attempts to meet objectives, in order to keep the organisation aligned with the needs and interests of its primary stakeholders.

Good corporate governance helps to build an environment of trust, transparency and accountability necessary for fostering long-term investment, financial stability and business integrity, thereby supporting stronger growth and more inclusive societies (OECD). We cannot over-emphasise the importance of a functional governance environment for any company. Customised policies, procedures and frameworks help to make companies unique in their operations and to maximise their potential based on their own DNA.

In recent times, corporate governance in South Africa has been dominated by the King reports on corporate governance. The latest report, King IV provides a comprehensive guide on the standards for governance and its application. The corporate governance framework will also take into consideration other governance prescripts such as OECD in benchmarking best practice for this section.

Ethical leadership is one of the latest buzzwords to come out of King IV: “Good corporate governance is essentially about effective ethical leadership. While leadership starts with each individual director, it finds its expression through the Board as a collective, setting the appropriate example and tone which is referred to as ethical governance. King IV explains the governance of ethics as the role of the Board in ensuring that the ethical culture within the organisation is aligned to the tone set by the Board through the implementation of appropriate policies and practices.” (King IV Report)

The code of ethics therefore plays an integral part in the setting of the organisation’s ethical culture and providing a means to measure effectiveness.

Overview

The objectives during any crisis are to protect any individual (employee or public) who may be endangered by the crisis. If the crisis could potentially impact the health or wellbeing of customers, the general public or employees, it may attract media attention. To ensure your company speaks with one voice and delivers a clear consistent message, a spokesperson must be identified as well as prepared to answer media questions and participate in interviews.

Nothing generates more negative media coverage than a lack of honesty and transparency. Therefore, being as open and transparent as possible can help stop rumours and defuse a potential media frenzy. Maintaining an informed workforce helps ensure that business continues to flow as smoothly as possible. It also minimizes the internal rumour mill that may lead to employees posting false reports on social media. You do not want customers and suppliers to learn about your crisis through the media. Information on any crisis pertaining to your organization should come from you first.

It is better to over-communicate than to allow rumours to fill the void. Issue summary statements, updated action plans and new developments as early and as often as possible. The Ebola crisis, COVID-19 and other recent major news events have all confirmed that social media is one of the most important channels of communications. Be sure to establish a social media team to monitor, post and react to social media activity throughout the crisis.

  • Business Continuity Management (BCM) ensures that the organisation can meet its objectives, whatever the cause or impact of the disruption may be;
  • It protects your ability to supply key products and services;
  • It is no longer only the recovery of IT systems (disaster recovery);
  • BCM focuses on identifying the choices available to protect the delivery of products and services following a disruption to operations; and
  • The long-term goal of the BCM programme is to improve organisational resilience:
    • Absorb – Capability to bounce back from disruptive and damaging incident(s); failover capability;
    • Respond – To have a tested plan in place to ensure recovery;
    • Recover – To have an alternative site where operations can be recovered if the organisation has lost office space or IT infrastructure.

(Ensuring minimal disruption to the organisation’s most urgent activities supporting the supply of services.)