Site Search

Loading Results

Digital Audit Services

PwC Singapore’s digital audit professionals help organisations manage risks and build trust through technology audit and controls

As organisations accelerate their digital agenda, technology is increasingly becoming an integral part of day-to-day business operations. While rapid digital transformation brings exciting opportunities, novel risks must be managed carefully.

To manage these new risks, it is imperative that organisations review their technology-related controls to identify gaps for improvement and ensure regulatory compliance. A strong controls and security posture will allow organisations to build trust with their stakeholders at every stage of the value chain.

PwC Singapore’s digital audit team consists of highly experienced and knowledgeable professionals dedicated to helping organisations make the most of their investments in technology. Our team is well-versed in the relevant frameworks and has collaborated with a wide range of clients across industries, allowing them to bring invaluable insight into every engagement.

By managing technology-related risks, organisations can ensure a smoother digital transformation journey, and maintain stakeholder trust and organisational reputation.

Get in touch

Our services

Evidence Act

Third party trust

Technology audit

Controls advisory

Evidence Act

As organisations pursue digital transformation, business and financial records are increasingly being stored in electronic formats rather than hardcopies. The shift from analogue to digital carries legal risks, and organisations should think about the admissibility of electronic records as evidence for use in Singapore courts.

How can electronic records be used as evidence in courts?

The admissibility of electronic records as evidence in Singapore courts is governed by the Evidence Act (Cap 97) (‘the Act’). Section 116A of the Act contains certain presumptions, which a party seeking to use electronic records as evidence in court may rely on. In particular, the court will presume the authenticity of electronic records if certain conditions are met and there is no conflicting evidence to the contrary.

What does Evidence Act certification involve?

One of the conditions necessary for proving the authenticity of electronic records is obtaining Evidence Act certification, which involves using an imaging system that has been certified by a Certifying Authority appointed by the Ministry of Law, known as an “approved process”, to ensure the accurate conversion of physical documents to electronic images.

How will my organisation benefit from Evidence Act certification?

Electronic documents that were produced using an approved process will be presumed by the Court to be accurate representations of the original copies. Furthermore, the certification will help your organisation save storage space and costs, and support your business continuity plan.

Is it mandatory to obtain Evidence Act certification?

No, it is not mandatory for electronic record-keeping systems to be certified as an “approved process” by a Certifying Authority. However, such certificates may be helpful and relevant if your organisation intends to use electronic records as evidence in Singapore courts by relying on the presumptions in Section 116A(6) of the Act.

What is the frequency of certification?

For the first three years, you will need to be certified once annually. Thereafter, Evidence Act certification needs to be renewed once every two years.

Third party trust

In today’s business landscape, outsourcing remains a prevalent practice among organisations, which rely on third party service providers for cost-efficient access to various services and forms of support, including cloud and financial technology services, and human resource management.

Despite the benefits of outsourcing, it also exposes organisations to special risks, such as the potential loss of sensitive data, and possible disruptions to critical business services and financial reporting. Hence, organisations must ensure that third party service providers meet a certain level of governance, rigour and consistency in order to build trust and be able to make outsourcing decisions with confidence.

Controls reporting

1. Third party assurance reports

Through controls assurance reports like OSPAR, SOC 1 and SOC 2, third party service providers can accurately communicate information about their service controls and processes to potential clients.

In preparation for the issuance of these reports, our digital audit team can:

  • Conduct a ‘pre-attestation’ readiness review, where we will work closely with your organisation to evaluate the adequacy of your existing controls with regards to reporting requirements.
  • Assess your organisation’s control posture against relevant frameworks for the issuance of OSPAR and SOC2 reports in accordance with the ISAE3000 assurance standard.
  • Assist your organisation with controls reporting to meet your customers’ financial reporting requirements (internal control over financial reporting) through the issuance of SOC 1 reports in accordance with the ISAE3402 assurance standard.

2. Other reports

Our digital audit professionals can help to evaluate your organisation’s controls design and operations, and communicate the information to specific stakeholders through independent reports issued under the ISAE 300 / SSAE 3000 standard.

Examples of such reporting requirements include:

  • The assessment of banks’ compliance with the Singapore Deposit Insurance Corporation (SDIC) requirements.
  • The assessment of banks’ MAS Electronic Payment System (MEPS+) by the Monetary Authority of Singapore (MAS).

Independent audit of outsourcing arrangements and third party vendors/service providers for banks

To comply with MAS Outsourcing Guidelines, banks are required to assess their outsourcing arrangements at regular time intervals.

PwC’s digital audit professionals can:

  • Assess banks’ outsourcing arrangements using established frameworks, such as ABS OSPAR and AICPA SOC2 Trust Service Criteria, or with any other focus areas as required by your organisation.
  • Assess banks’ third parties and vendors, ensuring they are aligned with the banks’ third party risk management (TPRM) framework.

Technology audit

As your organisation pushes forward with its automation and digitisation agenda, technology and cybersecurity risks will increasingly become significant concerns. Therefore, the impact of these risks on financial reporting must be considered during the audit process.

Our integrated audit approach is tech-enabled, people-powered and scalable, allowing key risks to be thoroughly and accurately identified. At PwC, our digital audit professionals:

  • Develop a deep understanding of the key IT systems supporting your organisation’s financial operations and reporting needs, facilitating adaptation to your technology transformation journey.
  • Collaborate with you to discuss entity-level controls relating to IT and high-level cybersecurity governance.
Technology and cybersecurity risks

Where applicable, we will perform procedures over the controls you have implemented in your organisation’s support systems, followed by a review of the IT General Controls (ITGCs) over these support systems, including a consideration of whether they are hosted on-premise or on cloud.

Controls advisory

Technology is fundamentally and rapidly changing the way businesses operate. PwC’s digital audit professionals are here to help you optimise your technology investments, while proactively managing your business risks.

Technology risks and governance

Whether your company already has an established Enterprise Risk Management (ERM) program or not, it is important that technology risks are assessed against your business environment. Striking the balance between digitisation and effective risk management can help you meet your business objectives and continue to grow.

Taking your systems inventory into account, we can assist your organisation in the following ways:

  • Establishing strong risk governance in key technology areas.
  • Developing policies and procedures to help run your organisation’s own technology risk management processes.
  • Running technology risk workshops with management to facilitate brainstorming and the development of your organisation’s technology risk profile and risk register.

Internal controls compliance

As your organisation grows, the consideration of going public is likely to arise. Prior to listing on the Singapore Exchange, PwC’s digital audit professionals can help you conduct reviews of your organisation’s technology controls to fulfil both financial and non-financial reporting objectives.

If you are looking to list in the US, PwC’s digital audit professionals can help your organisation review its technology and business processes to develop a risk-based, top-down approach to compliance with Section 404 of the Sarbanes-Oxley Act.

To ensure regulatory compliance, we can help your organisation in the following ways:

  • Internal control reviews
  • Management testing of controls
  • Documentation of your business process flows and controls within Risk & Control Matrices relating to technology.

Information technology internal audit

Whether it is to support your existing internal audit team, or to serve as your internal audit function, PwC’s digital audit professionals are here to help your organisation drive a leading-edge internal audit practice in the following ways:

  • Implement our internal audit methodology in collaboration with your organisation on your key risks.
  • Access to an experienced PwC Partner/Director to support the critical needs of your board/ audit committee.
  • Perform IT audits in identified areas of risk with a keen focus on timelines, ensuring an adjustment of the audit plan as new risks emerge.
  • Support your organisation with an optimal resourcing model to ensure the right human capital is brought in for each audit, providing access without the fixed overhead costs.
  • Deliver internal controls training to management and audit committee relating to technology risks.
  • Invest in your existing internal audit team to upskill them to perform the technology audits independently in the future.

Digital transformation risk management

By reviewing your existing processes either during or after implementation, we can help your organisation better leverage your enterprise technologies to automate controls, driving a higher return on investment and improving risk management.

PwC’s digital audit professionals have done this, particularly with SAP systems.

SAP risks and controls

We can evaluate the following areas of your organisation’s SAP landscape:

Security
Supporting the design and implementation of sustainable and scalable access of management roles to secure your SAP systems. From pre- to post-implementation, we can help you:

  • Conduct a review of your SAP role design for the key segregation of duties (SOD) and restriction of data access (including assistance to build SOD access matrix).
  • Maximise SAP Governance, Risk and Compliance (GRC) technology to allow for automated provisioning via workflows and governing access to support compliance.
  • Conduct a review of your SAP access management and role management to simplify maintenance.
  • Conduct reviews relating to end user access to the High-Performance Analytic Appliance (HANA) database and security over the Fiori interface.

Controls integration
Combining security and controls, we make sure your SAP systems are protected and meet compliance requirements. We can help your organisation:

  • Understand the current state of security and controls to develop a sustainable future state of controls.
  • Support SAP implementation by identifying key control requirements with business stakeholders.
  • Verify key security and controls during implementation, and identify controls reconfiguration needs.
  • Review existing manual controls and processes to suggest automation strategies within your SAP landscape.

How PwC’s digital audit stands out

Evidence Act

PwC is a Certifying Authority appointed by the Ministry of Law. This allows us to certify that an electronic record-keeping system is an “approved process” for the purposes of relying on the presumptions in Section 116A(6) of the Act. We have extensive experience in helping organisations across various industries to prepare for and obtain Evidence Act certifications, equipping us with the expertise to guide you through a smooth certification journey.

Third party trust

We have a team of dedicated professionals who are experienced and knowledgeable about third party risks, the relevant frameworks and assurance standards, controls identification and reporting. By identifying and managing key risks related to security, technology and third party relationships, we help your organisation maintain stakeholder trust and its reputation.

Technology audit and controls advisory

Our deep understanding of Information Technology (IT) risks in business contexts allows us to strengthen their controls and security posture to optimise their technology investment. In identifying threats, we consider the client’s business landscape to provide holistic recommendations. We have worked with companies across industries, including the top 50 listed companies in Singapore as well as start-ups, allowing us to bring rich insights to the table.

Contact us

See Hong Pek

Digital Audit and Assurance Leader, PwC Singapore

+65 9638 7021

Email

Nur Ashikin Ahmad

Partner, Digital Audit and Assurance, PwC Singapore

+65 9637 5072

Email

Anthony Dias

Partner, Digital Audit and Assurance, PwC Singapore

+65 9731 1450

Email

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide