Technology audit and controls advisory

Whether your company already has an established Enterprise Risk Management (ERM) program or not, it is important that technology risks are assessed against your business environment. Striking the balance between digitisation and effective risk management can help you meet your business objectives and continue to grow.

Taking your systems inventory into account, we can assist your organisation in the following ways:

• Establishing strong risk governance in key technology areas.
  
• Developing policies and procedures to help run your organisation’s own technology risk management processes.
  
• Running technology risk workshops with management to facilitate brainstorming and the development of your organisation’s technology risk profile and risk register.
  

As your organisation grows, the consideration of going public is likely to arise. Prior to listing on the Singapore Exchange, PwC’s digital audit professionals can help you conduct reviews of your organisation’s technology controls to fulfil both financial and non-financial reporting objectives.

If you are looking to list in the US, PwC’s digital audit professionals can help your organisation review its technology and business processes to develop a risk-based, top-down approach to compliance with Section 404 of the Sarbanes-Oxley Act.

To ensure regulatory compliance, we can help your organisation in the following ways:

• Internal control reviews
  
• Management testing of controls
  
• Documentation of your business process flows and controls within Risk & Control Matrices relating to technology.
  

Whether it is to support your existing internal audit team, or to serve as your internal audit function, PwC’s digital audit professionals are here to help your organisation drive a leading-edge internal audit practice in the following ways:

• Implement our internal audit methodology in collaboration with your organisation on your key risks.
• Access to an experienced PwC Partner/Director to support the critical needs of your board/ audit committee.
• Perform IT audits in identified areas of risk with a keen focus on timelines, ensuring an adjustment of the audit plan as new risks emerge.
• Support your organisation with an optimal resourcing model to ensure the right human capital is brought in for each audit, providing access without the fixed overhead costs.
• Deliver internal controls training to management and audit committee relating to technology risks.
• Invest in your existing internal audit team to upskill them to perform the technology audits independently in the future.
  

Governance over digital transformation

Governance over your digital transformation is key to ensuring your new systems operate as intended. Our digital audit professionals are experienced in supporting you to ensure the following areas of risks are covered, across all types of system implementations:

• New systems/ enhancements are sufficiently tested.
• Data migration is performed completely and accurately from your legacy system to the new system.
• Problems identified during the development and/or implementation are appropriately resolved.
• Users are appropriately trained in the functionality and maintenance of the system.

Leveraging your investment for higher performance and risk management

By reviewing your existing processes either during or after implementation, we can help your organisation better leverage your enterprise technologies to automate controls, driving a higher return on investment and improving risk management.

PwC’s digital audit professionals have done this, particularly with SAP systems (including upgrades from SAP ECC to SAP S/4 HANA).

SAP risks and controls

We can evaluate the following areas of your organisation’s SAP landscape:

• Security – supporting the design and implementation of sustainable and scalable access of management roles to secure your SAP systems. From pre- to post-implementation, we can help you:
  • Conduct a review of your SAP role design for the key segregation of duties (SOD) and restriction of data access (including assistance to build SOD access matrix).
  • Maximise SAP Governance, Risk and Compliance (GRC) technology to allow for automated provisioning via workflows and governing access to support compliance.
  • Conduct a review of your SAP access management and role management to simplify maintenance.
  • Conduct reviews relating to end user access to the High-Performance Analytic Appliance (HANA) database and security over the Fiori interface.
• Controls integration – combining security and controls, we make sure your SAP systems are protected and meet compliance requirements. We can help your organisation:
  • Understand the current state of security and controls to develop a sustainable future state of controls.
  • Support SAP implementation by identifying key control requirements with business stakeholders.
  • Verify key security and controls during implementation, and identify controls reconfiguration needs.
  • Review existing manual controls and processes to suggest automation strategies within your SAP landscape.