The IIA toolbox.


2 Agenda
1. International Professional Practices Framework (IPPF)
2. The Professional Issues Committee (PIC)
3. IIA Guidance
4. The GTAGs!
5. Questions

3 Who am I?
Background: worked in audit since 1997 (Dipl. IR, CIA, CCSA, CISA)
Education: Master of Management from BI, among others
Position: Senior Audit Manager in Group Internal Audit (GIA), Nordea

4 International Professional Practices Framework

5 Authoritative Guidance

6 The Professional Issues Committee (PIC) should:
1. Provide thought leadership and timely professional guidance to members and stakeholders.
2. Comment on or support other matters that impact the internal audit profession.

7 Scope
PIC has primary responsibility for:
- Strongly Recommended guidance of the IPPF
- Drafting responses on behalf of the IIA to other guidance, standard-setting, regulatory, and similar bodies
- Other guidance or tools not included in the IPPF but made available to the IIA's global membership

8 IIA Guidance

9 Practice Guides
1. Practice Guides: General
2. Practice Guides: GTAG
3. Practice Guides: GAIT

10 Practice Guides: General
1. Quality Assurance and Improvement Program
2. Coordinating Risk Management and Assurance
3. Reliance by Internal Audit on Other Assurance Providers
4. Independence and Objectivity
5. Interaction with the Board
6. Auditing the Control Environment
7. Assisting Small Internal Audit Activities in Implementing the IPPF
8. Assessing the Adequacy of Risk Management Using ISO 31000
9. Measuring Internal Audit Effectiveness and Efficiency
10. Chief Audit Executives: Appointment, Performance Evaluation, and Termination
11. Auditing Executive Compensation and Benefits
12. Evaluating Corporate Social Responsibility/Sustainable Development
13. Formulating and Expressing Internal Audit Opinions
14. Auditing External Business Relationships
15. Internal Auditing and Fraud

11 Global Technology Audit Guide (GTAG) series
Background: created to provide high-level technology information from a business point of view, helping internal auditors worldwide better understand the governance, risk and control issues surrounding technology.

12 Global Technology Audit Guide (GTAG) series
Each guide is written in straightforward business language and addresses a timely issue in information technology (IT) management, control, and security.

13 Who is the GTAG target audience?
Primary target: the Chief Audit Executive (CAE). Many CAEs face the challenge of understanding technology well enough to plan and conduct internal audits. Given the broad responsibility of CAEs, the GTAG series gives them a high-level overview of IT-related risk management and control. GTAGs are practically invaluable to busy executives who need to quickly understand technology issues and evaluate their impact on the organization.

14 GTAG-1 Information Technology Risk and Controls (new edition)
- Understanding IT risks and controls
- Importance of IT controls
- Organizational roles and responsibilities for ensuring IT controls
- Analyzing risks
- Monitoring and techniques
- IT risk and control assessment

15 GTAG-2 Change and Patch Management Controls: Critical for Organizational Success (new edition)
- Why IT change and patch management controls are foundational to a healthy IT environment
- How IT change and patch management controls help manage IT risks and costs
- What works and doesn't work in practice
- Sources of change and their likely impact on business objectives

16 GTAG-3 (update coming soon) Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
- Role of continuous auditing in today's internal audit environment
- Relationship between continuous auditing, continuous monitoring, and continuous assurance
- Application and implementation of continuous auditing
- Benefits of a continuous, integrated approach

17 GTAG-4 (update coming soon) Management of IT Auditing
- Defining IT
- IT-related risks
- Defining the IT audit universe
- Executing IT auditing
- Managing IT auditing
- Emerging issues

18 GTAG-5 (update coming soon) Managing and Auditing Privacy Risks
- What is privacy
- Privacy principles and frameworks
- Privacy impacts and risk model
- Privacy controls
- Good and bad performers
- Internal auditing's role
- Auditing privacy
- The CAE's top 10 privacy questions

19 GTAG-6 (to be merged with GTAG-4) Managing and Auditing IT Vulnerabilities
- Defines the vulnerability management lifecycle
- Scope of a vulnerability management audit
- Organizational maturity
- Metrics to measure vulnerability management practices
- Top 10 vulnerability management questions

20 GTAG-7 (update coming soon) Information Technology Outsourcing
- How to choose the right IT outsourcing vendor?
- What are the best ways to manage outsourcing contract agreements?
- What are the main outsourcing risks and how can they be mitigated?
- What are the key outsourcing control considerations from the standpoint of both client operations and service provider operations?
- Which framework is most effective for establishing outsourcing controls?

21 GTAG-8 Auditing Application Controls
- What is an application control?
- What is the relationship between application controls and general controls?
- Why rely on application controls?
- How to scope a risk-based application control review?
- What are the steps to conduct an application controls review?
- A list of key application controls
- A sample audit program

22 GTAG-9 Identity and Access Management
- Provides insight into what IAM means to an organization
- Suggests internal audit areas for investigation
- Assists CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes
- Provides a checklist for an IAM review

23 GTAG-10 Business Continuity Management
- Helps the CAE communicate business continuity risk awareness
- Supports management in developing and maintaining a BCM program
- Disaster recovery planning for continuity of critical IT infrastructure and business application systems

24 GTAG-11 Developing the IT Audit Plan
- Understanding the organization and how IT supports it
- Defining and understanding the IT environment
- Identifying the role of risk assessments in determining the IT audit universe
- Establishing the annual IT audit plan
- An example showing how to execute the steps needed to define the IT audit universe

25 GTAG-12 Auditing IT Projects
- Key project management risks
- How the internal audit activity can actively participate in the review of projects while maintaining independence
- Five key components of IT projects for internal auditors to consider when building an audit approach
- Types of project audits
- A suggested list of questions for use in the IT project assessment

26 GTAG-13 Fraud Prevention and Detection in an Automated World
- Guidance to chief audit executives and internal auditors on using technology to help prevent, detect, and respond to fraud
- A step-by-step process for auditing a fraud prevention program
- An explanation of the various types of data analysis used to detect fraud
- A technology fraud risk assessment template

27 GTAG-14 Auditing User-Developed Applications (UDAs)
- Direction on how to scope an internal audit of UDAs
- Guidance on how the internal auditor's consulting role can be leveraged to help management develop an effective UDA control framework
- Considerations internal auditors should address when performing UDA audits
- A sample UDA process flow, a UDA internal audit program, and supporting worksheets to help internal auditors organize and execute an audit

28 GTAG-15 Information Security Governance (ISG)
- Defines ISG
- A process to help the CAE incorporate an audit of information security governance into the audit plan
- Helps internal auditors understand the right questions to ask and the documentation required
- Describes the internal audit activity's (IAA) role in ISG

29 GTAG-16 Data Analysis Technologies
- Understand why data analysis is significant
- Know how to provide assurance more efficiently using data analysis technology
- Implementing data analysis technology within your department
- Know how to incorporate data analysis at your organisation
- Recognize opportunities, trends, and advantages of using data analysis technology
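The data-analysis tests that GTAG-13 (fraud detection) and GTAG-16 (assurance through data analysis) refer to are easier to grasp from one concrete run. What follows is an added example, not material from the GTAGs or the IIA: three common audit tests (duplicate payments, invoices clustered just below an approval limit, and a Benford's-law first-digit check) run over a small constructed payment ledger. The vendor names, amounts, the 10 000 approval limit and the 30-day duplicate window are invented parameters; the 0.015 mean-absolute-deviation cut-off is the commonly cited Nigrini threshold for first-digit tests.

```python
"""Three classic audit data-analysis tests over a constructed payment ledger:
duplicate payments, invoices clustered just below an approval limit, and a
Benford's-law first-digit check. Added illustration, not content from GTAG-13/16."""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed sample ledger (payment_id, vendor, amount, payment_date). Not real data.
LEDGER = [
    ("P001", "ACME Ltd",   1250.00, date(2013, 3, 1)),
    ("P002", "ACME Ltd",   1250.00, date(2013, 3, 4)),   # likely duplicate of P001
    ("P003", "Beta AS",    9900.00, date(2013, 3, 5)),   # just under a 10 000 limit
    ("P004", "Beta AS",    9950.00, date(2013, 3, 5)),   # same vendor, same day: split?
    ("P005", "Gamma GmbH",  312.40, date(2013, 3, 7)),
    ("P006", "ACME Ltd",   1250.00, date(2013, 5, 20)),  # same amount, 77 days later
    ("P007", "Delta SA",   4800.00, date(2013, 3, 9)),
    ("P008", "Delta SA",   4800.00, date(2013, 3, 10)),  # likely duplicate of P007
]

# Expected first-digit frequencies under Benford's law: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def duplicate_payments(ledger, window_days=30):
    """Pairs of payments to the same vendor for the same amount within window_days.
    Only consecutive payments in date order are compared, so a run of three
    identical payments yields two pairs, not three."""
    by_key = defaultdict(list)
    for pid, vendor, amount, paid in ledger:
        by_key[(vendor, round(amount, 2))].append((paid, pid))
    flagged = []
    for group in by_key.values():
        group.sort()
        for (d1, p1), (d2, p2) in zip(group, group[1:]):
            if (d2 - d1).days <= window_days:
                flagged.append((p1, p2))
    return flagged


def near_threshold(ledger, limit=10_000.0, band=0.05):
    """Payments inside the band just below an approval limit (here 9 500 <= x < 10 000),
    reported only for vendors with two or more such payments: the pattern that
    suggests an invoice split to stay under a higher approval level."""
    low = limit * (1 - band)
    hits = [(pid, vendor) for pid, vendor, amount, _ in ledger if low <= amount < limit]
    per_vendor = Counter(vendor for _, vendor in hits)
    return [pid for pid, vendor in hits if per_vendor[vendor] >= 2]


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for a zero amount."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_deviation(ledger):
    """Mean absolute deviation (MAD) between observed and Benford first-digit
    frequencies, plus the observed frequencies. A MAD above ~0.015 is the commonly
    cited (Nigrini) sign of nonconformity for first-digit tests; that cut-off is
    meaningful only on populations of thousands of amounts, not on eight rows."""
    digits = [first_digit(amount) for _, _, amount, _ in ledger]
    digits = [d for d in digits if d is not None]
    observed = Counter(digits)
    freq = {d: observed[d] / len(digits) for d in range(1, 10)}
    mad = sum(abs(freq[d] - BENFORD[d]) for d in range(1, 10)) / 9
    return mad, freq


if __name__ == "__main__":
    print("possible duplicates:", duplicate_payments(LEDGER))
    print("clustered below limit:", near_threshold(LEDGER))
    mad, freq = benford_deviation(LEDGER)
    print(f"Benford MAD = {mad:.3f}; observed first digits: {dict(sorted(freq.items()))}")
```

Run the file to print the flagged rows. On eight rows the Benford test will always look nonconforming; it only carries weight on populations of at least a few thousand transactions, which is why the function returns the raw frequencies for the auditor to inspect rather than a verdict, and why the two rule-based tests (duplicates, sub-threshold clusters) are what an auditor would act on for a ledger this small.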

30 How to get the GTAGs?
- Free electronic download from the IIA website (for members)
- Or purchase from the IIA Bookstore

31 Questions