GoldSRD Audit 101 Table of Contents & Resource Listing


I. IIA Standards
II. GTAG I (example copy of the contents of the GTAG series)
III. Example Audit Workprogram
IV. Audit Test Workpaper Example
V. Example Audit Sampling Policy (see below)
VI. Audit Report Example
VII. Audit Follow-Up Spreadsheet
VIII. Example Flowchart
IX. Example Risk Matrix and Risk Planning Spreadsheet (see Excel workbook, available separately)

Audit Leading Practices Websites: (sharing site) (or other industry-specific sites)
IT Audit Resources: Technology.aspx (GTAG and GAIT)
Audit Sampling Policy:
Working Paper Guidance Example: Working%20Papers.pdf

PLEASE NOTE: THE EXAMPLES AND RESOURCES CONTAINED IN THIS DOCUMENT ARE NOT AN ENDORSEMENT BY GOLDSRD OF WHAT ANY ORGANIZATION SHOULD UTILIZE, NOR ARE THEY ORIGINAL DOCUMENTS CREATED BY GOLDSRD. THEY ARE GOOD WORKING EXAMPLES THAT CAN BE UTILIZED TO CREATE THE MOST EFFECTIVE DOCUMENTS FOR YOUR ORGANIZATION.

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Issued: October 2008 / Revised: October / The Institute of Internal Auditors

Table of Contents

Attribute Standards
  1000 Purpose, Authority, and Responsibility
  1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
  1100 Independence and Objectivity
  1110 Organizational Independence
  1111 Direct Interaction with the Board
  1120 Individual Objectivity
  1130 Impairment to Independence or Objectivity
  1200 Proficiency and Due Professional Care
  1210 Proficiency
  1220 Due Professional Care
  1230 Continuing Professional Development
  1300 Quality Assurance and Improvement Program
  1310 Requirements of the Quality Assurance and Improvement Program
  1311 Internal Assessments
  1312 External Assessments
  1320 Reporting on the Quality Assurance and Improvement Program
  1321 Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
  1322 Disclosure of Nonconformance

Performance Standards
  2000 Managing the Internal Audit Activity
  2010 Planning
  2020 Communication and Approval
  2030 Resource Management
  2040 Policies and Procedures
  2050 Coordination
  2060 Reporting to Senior Management and the Board
  2070 External Service Provider and Organizational Responsibility for Internal Auditing
  2100 Nature of Work
  2110 Governance
  2120 Risk Management
  2130 Control
  2200 Engagement Planning
  2201 Planning Considerations
  2210 Engagement Objectives
  2220 Engagement Scope
  2230 Engagement Resource Allocation
  2240 Engagement Work Program
  2300 Performing the Engagement
  2310 Identifying Information
  2320 Analysis and Evaluation
  2330 Documenting Information
  2340 Engagement Supervision
  2400 Communicating Results
  2410 Criteria for Communicating
  2420 Quality of Communications
  2421 Errors and Omissions
  2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"
  2431 Engagement Disclosure of Nonconformance
  2440 Disseminating Results
  2450 Overall Opinions
  2500 Monitoring Progress
  2600 Communicating the Acceptance of Risks

Introduction to the International Standards

Internal auditing is conducted in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity. If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, conformance with all other parts of the Standards and appropriate disclosures are needed.

If the Standards are used in conjunction with standards issued by other authoritative bodies, internal audit communications may also cite the use of other standards, as appropriate. In such a case, if inconsistencies exist between the Standards and other standards, internal auditors and the internal audit activity must conform with the Standards, and may conform with the other standards if they are more restrictive.

The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards are principles-focused, mandatory requirements consisting of:
- Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.
- Interpretations, which clarify terms or concepts within the Statements.

The Standards employ terms that have been given specific meanings that are included in the Glossary. Specifically, the Standards use the word "must" to specify an unconditional requirement and the word "should" where conformance is expected unless, when applying professional judgment, circumstances justify deviation. It is necessary to consider the Statements and their Interpretations as well as the specific meanings from the Glossary to understand and apply the Standards correctly.

The structure of the Standards is divided between Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. The Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. The Attribute and Performance Standards are also provided to apply to all internal audit services.

Implementation Standards are also provided to expand upon the Attribute and Performance Standards, by providing the requirements applicable to assurance (A) or consulting (C) activities.

Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter (the process owner), (2) the person or group making the assessment (the internal auditor), and (3) the person or group using the assessment (the user).

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice (the internal auditor), and (2) the person or group seeking and receiving the advice (the engagement client). When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

The Standards apply to individual internal auditors and internal audit activities. All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards which are relevant to the performance of their job responsibilities. Chief audit executives are accountable for overall conformance with the Standards.

The review and development of the Standards is an ongoing process. The International Internal Audit Standards Board engages in extensive consultation and discussion prior to issuing the Standards. This includes worldwide solicitation for public comment through the exposure draft process. All exposure drafts are posted on The IIA's Web site as well as being distributed to all IIA institutes.

Suggestions and comments regarding the Standards can be sent to:

The Institute of Internal Auditors
Standards and Guidance
247 Maitland Avenue
Altamonte Springs, FL, USA
E-mail: guidance@theiia.org
Web:

Attribute Standards

1000 Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

1000.A1 The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 The nature of consulting services must be defined in the internal audit charter.

1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

1100 Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation: Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation: Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
- Approving the internal audit charter;
- Approving the risk-based internal audit plan;
- Approving the internal audit budget and resource plan;
- Receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters;
- Approving decisions regarding the appointment and removal of the chief audit executive;
- Approving the remuneration of the chief audit executive; and
- Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1111 Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

1120 Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation: Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.

1130 Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation: Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity's and the chief audit executive's responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

1130.A1 Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2 Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1130.C1 Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

1200 Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

1210 Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation: Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.

1210.A1 The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 Internal auditors must exercise due professional care by considering the:
- Extent of work needed to achieve the engagement's objectives;
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
- Adequacy and effectiveness of governance, risk management, and control processes;
- Probability of significant errors, fraud, or noncompliance; and
- Cost of assurance in relation to potential benefits.

1220.A2 In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

1220.A3 Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 Internal auditors must exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results;
- Relative complexity and extent of work needed to achieve the engagement's objectives; and
- Cost of the consulting engagement in relation to potential benefits.

1230 Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

1300 Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

1310 Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

1311 Internal Assessments

Internal assessments must include:
- Ongoing monitoring of the performance of the internal audit activity; and
- Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Periodic assessments are conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

1312 External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
- The form and frequency of external assessment; and
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

Interpretation: External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

An independent assessor or assessment team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

1320 Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance.

1321 Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"

The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

Interpretation: The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

1322 Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

Performance Standards

2000 Managing the Internal Audit Activity

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Interpretation: The internal audit activity is effectively managed when:
- The results of the internal audit activity's work achieve the purpose and responsibility included in the internal audit charter;
- The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and
- The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

2010 Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.

Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls.

2010.A1 The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan.

14 International Standards for the Professional Practice of Internal Auditing (Standards) 2020 Communication and Approval The chief audit executive must communicate the internal audit activity s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations Resource Management The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. Interpretation: Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan Policies and Procedures The chief audit executive must establish policies and procedures to guide the internal audit activity. Interpretation: The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work Coordination The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts Reporting to Senior Management and the Board The chief audit executive must report periodically to senior management and the board on the internal audit activity s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. 
Interpretation: The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board External Service Provider and Organizational Responsibility for Internal Auditing When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity. Issued: October 2008 Revised: October The Institute of Internal Auditors

Interpretation: This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Nature of Work

The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organization; and
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

A1 - The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

A1 - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

C1 - During consulting engagements, internal auditors must address risk consistent with the engagement's objectives and be alert to the existence of other significant risks.

C2 - Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization's risk management processes.

C3 - When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

A1 - The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.

C1 - Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes.

2200 Engagement Planning

Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.

Planning Considerations

In planning the engagement, internal auditors must consider:
- The objectives of the activity being reviewed and the means by which the activity controls its performance;
- The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
- The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model; and
- The opportunities for making significant improvements to the activity's governance, risk management, and control processes.

A1 - When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

C1 - Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.

Engagement Objectives

Objectives must be established for each engagement.

A1 - Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

A2 - Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

A3 - Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.

C1 - Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.

C2 - Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives.

2220 Engagement Scope

The established scope must be sufficient to achieve the objectives of the engagement.

A1 - The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

C1 - In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.

C2 - During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues.

Engagement Resource Allocation

Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

Engagement Work Program

Internal auditors must develop and document work programs that achieve the engagement objectives.

A1 - Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

C1 - Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

Performing the Engagement

Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

Identifying Information

Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.

Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.

Analysis and Evaluation

Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

Documenting Information

Internal auditors must document relevant information to support the conclusions and engagement results.

A1 - The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

A2 - The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

C1 - The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.

Engagement Supervision

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Interpretation: The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

Communicating Results

Internal auditors must communicate the results of engagements.

Criteria for Communicating

Communications must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors' opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.

2410.A2 - Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3 - When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results.

2410.C1 - Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

Interpretation: Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.

Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"

Internal auditors may report that their engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing", only if the results of the quality assurance and improvement program support the statement.

2431 Engagement Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:
- Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
- Reason(s) for nonconformance; and
- Impact of nonconformance on the engagement and the communicated engagement results.

Disseminating Results

The chief audit executive must communicate results to the appropriate parties.

Interpretation: The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.

A1 - The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

A2 - If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the chief audit executive must:
- Assess the potential risk to the organization;
- Consult with senior management and/or legal counsel as appropriate; and
- Control dissemination by restricting the use of the results.

C1 - The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

C2 - During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.

Overall Opinions

When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

Interpretation: The communication will identify:
- The scope, including the time period to which the opinion pertains;
- Scope limitations;
- Consideration of all related projects including the reliance on other assurance providers;
- The risk or control framework or other criteria used as a basis for the overall opinion; and
- The overall opinion, judgment, or conclusion reached.

The reasons for an unfavorable overall opinion must be stated.

Monitoring Progress

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

A1 - The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

C1 - The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

Communicating the Acceptance of Risks

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Interpretation: The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

Glossary

Add Value
The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically.

Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board
The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the board may refer to the head of the organization. Board may refer to an audit committee to which the governing body has delegated certain functions.

Charter
The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

Chief Audit Executive
Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.

Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Compliance
Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest
Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively.

Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment
The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
- Integrity and ethical values.
- Management's philosophy and operating style.
- Organizational structure.
- Assignment of authority and responsibility.
- Human resource policies and practices.
- Competence of personnel.

Control Processes
The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives
Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Opinion
The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.

Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider
A person or firm outside of the organization that has special knowledge, skill, and experience in a particular discipline.

Fraud
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Impairment
Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Independence
The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls
Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.

Information Technology Governance
Consists of the leadership, organizational structures, and processes that ensure that the enterprise's information technology supports the organization's strategies and objectives.

Internal Audit Activity
A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.

International Professional Practices Framework
The conceptual framework that organizes the authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories: (1) mandatory and (2) strongly recommended.

Must
The Standards use the word "must" to specify an unconditional requirement.

Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

Overall Opinion
The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.

Risk
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite
The level of risk that an organization is willing to accept.

Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Should
The Standards use the word "should" where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

Significance
The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

Standard
A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.

Technology-based Audit Techniques
Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).

***

IPPF Practice Guide
Information Technology Risk and Controls
2nd Edition


Global Technology Audit Guide (GTAG) 1
Information Technology Risk and Controls
2nd Edition
March 2012


GTAG Table of Contents

Executive Summary
Introduction
Introduction to the Basis of IT-related Business Risks and Controls
Internal Stakeholders and IT Responsibilities
Analyzing Risks
Assessing IT: An Overview
Understanding the Importance of IT Controls
IT Audit Competencies and Skills
Use of Control Framework
Conclusion
Authors & Reviewers
Appendix: IT Control Framework Checklist

GTAG Executive Summary

This GTAG helps chief auditing executives (CAEs) and internal auditors keep pace with the ever-changing and sometimes complex world of IT by providing resources written for business executives, not IT executives. Both management and the Board have an expectation that the internal audit activity provides assurance around all important risks, including those introduced or enabled by the implementation of IT. The GTAG series helps the CAE and internal auditors become more knowledgeable of the risk, control, and governance issues surrounding technology.

The goal of this GTAG is to help internal auditors become more comfortable with general IT controls so they can talk with their Board and exchange risk and control ideas with the chief information officer (CIO) and IT management. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT-related risk and control issues, and presents relevant frameworks for assessing IT risk and controls. Moreover, it sets the stage for other GTAGs that cover in greater detail specific IT topics and associated business roles and responsibilities.

This guide is the second edition of the first installment in the GTAG series, GTAG 1: Information Technology Controls, which was published in March. Its goal was, and is, to provide an overview of the topic of IT-related risks and controls.

GTAG Introduction

1. Introduction

The purpose of this GTAG is to explain IT risks and controls in a format that allows CAEs and internal auditors to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This GTAG provides an overview of the key components of IT control assessment with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. Some readers already may be familiar with some aspects of this GTAG, but some segments will provide new perspectives on how to approach IT risks and controls.

One goal of this GTAG, and others in the series, is that IT control assessment components can be used to educate others about what IT risk and controls are and why management and internal audit should ensure proper attention is paid to fundamental IT risks and controls to enable and sustain an effective IT control environment.

Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat. Fortunately, technology also can provide protection from threats, as this guide will demonstrate.

Executives should know the right questions to ask and what the answers mean. For example:

Why should I understand IT risks and controls? Two words: assurance and reliability. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls as well as from evidence that controls are continuous and sufficient. Management must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance.

What is to be protected? Trust should be protected because it ensures business and efficiency. Controls provide the basis for trust, although they often are unseen. Technology provides the foundation for many, perhaps most, business controls. Reliability of financial information and processes, now mandated for many organizations, is all about trust.

Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself. Many IT controls are technical in nature, and IT supplies the tools for many business controls.

Who is responsible? Everyone. However, control ownership and responsibilities must be defined and disseminated by management. Otherwise, no one is responsible, and results could be quite severe.

When should IT risks and controls be assessed? Always. IT is a rapidly changing environment that promotes process and organizational change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

How much control is enough? Management must decide based on risk appetite, tolerance, and mandatory regulations. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive, but not nearly as expensive as the possible consequences of inadequate controls.

IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these things are too easy to lose.

A CAE can use this guide as a foundation to assess an organization's framework and internal audit practices for IT risk and control, compliance, and assurance. It also can be used to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to weak links. IT controls are subject to error and management override, range from simple to highly technical, and exist in a dynamic environment. IT controls have two significant elements: the automation of business controls (which support business management and governance) and control of the IT environment and operations (which support the IT applications and infrastructures). The CAE needs to consider and assess both elements. The CAE may view the automated business controls as those controls where both business and IT audit skills work together in an integrated audit capacity. The CAE may want to separate the general IT controls or general computer controls (GCCs) based on the technical skills and competencies necessary to assess more technical applications, infrastructure, and operations. For example, an enterprise resource planning (ERP) application requires more technical knowledge to understand and assess controls over the ERP database structures, user access, system configuration, and financial reporting. The CAE will find that assessing infrastructure, such as networks, routers, firewalls, and wireless and mobile devices, requires specialized skills and experience.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and as the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analyses for large bodies of data.

The following are examples of key control concepts:
- Assurance is provided by the IT controls within the system of internal controls. This assurance should be continuous and provide a reliable trail of evidence.
- The internal auditor's assurance is an independent and objective assessment that the IT-related controls are operating as intended. This assurance is based on understanding, examining, and assessing the key controls related to the risks they manage and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.
- Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT risks and controls.

2. Introduction to the Basis of IT-related Business Risks and Controls

2.1 Key Concepts

Organizations continue to leverage the ever-changing capabilities of technology to advance their offerings and services in ways that challenge the internal audit profession. The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) specifically notes that internal auditors must assess and evaluate the risks and controls for information systems that operate within the organization. The IIA has provided further perspective on assessing IT risks and controls through additional GTAGs. GTAG 4: Management of IT Auditing discusses IT risks and the resulting IT risk universe, and GTAG 11: Developing the IT Audit Plan helps internal auditors assess the business environment that the technology supports and the potential aspects of the IT audit universe. Additionally, GTAG 8: Auditing Application Controls covers the specific auditing aspects of application controls and the approach internal auditors can take when assessing the controls.

The term board is used in this GTAG as defined in the Standards glossary: a board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report. As this GTAG will explore further, the assessment of IT risks and controls in place to address them must be associated with the established business process environment and the specific organization objectives that need to be met as outlined by organization executives and the Board.

IT risks are just one piece of the overall complex interconnectivity of people, processes, infrastructure, and enterprise risk environment that exists and should be managed as a whole by the organization. Internal auditors need to understand the range of controls available for mitigating IT risks. The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness interconnectivity of the controls as well as the realization that failure of a set of controls can lead to increased reliance and necessary examination of other control groups. Within this document, IT controls will be referred to in terms such as governance, management, technical, and application based on who in the organization implements and maintains them. Another view of IT controls is in terms of general and application controls. General IT controls are typically pervasive in nature and are addressed through various audit avenues. Examples include IT operations, application development and maintenance, user management, change management, and backup and recovery. Application controls provide another category of controls and include controls within an application around input, processing, and output. This GTAG also will explore the use of controls for managing and governing the infrastructure, processes, and personnel supporting the business through technology. IT governance continues to evolve within organizations because of the continued use of IT as well as increased oversight by management and the Board.

2.2 IT Governance

When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs. It is important for IT management to possess a strong understanding of the organization's business processes used to meet its objectives and achieve the goals outlined by executive management and the Board.

IT governance is not only composed of the controls needed to address identified risks but also is an integrated structure of IT practices and personnel that must be aligned closely with and enable achievement of the organization's overall strategies and goals. A CAE needs to be able to evaluate the IT governance structure and its ability to deliver results for the organization and improve the efficiencies of the IT activity. Research efforts have indicated that IT governance does lead to improved business performance as well as better alignment of IT with the business in achieving strategic objectives. IT governance consists of the leadership, organizational structures, and processes that ensure that the organization's IT sustains and supports the organization's strategies and objectives. With the requirement of IIA Standard 2110.A2 stating that the internal audit activity must assess whether the IT governance of the organization supports the organization's strategies and objectives, CAEs need to be prepared to evaluate this key aspect of the overall IT landscape. Proper application of IT governance principles has the ability to influence and impact the entire organization and how IT interacts with the business.

- Identification and management of IT risks and enablement of improved IT operations: IT governance helps ensure close linkage to an organization's risk management activities, including enterprise risk management (ERM). IT governance needs to be an integral part of the overall corporate risk management efforts so that appropriate techniques can be incorporated into IT activities, including communication of risk status to key stakeholders, throughout the organization. A CAE should review the risk management activities being used by the overall organization and make sure linkage exists from IT risk management efforts to corporate risk activities and that appropriate attention is being placed on the IT risk profile.

- Enhancing the relationship between the business and IT: IT governance provides a mechanism to link the use of IT to an organization's overall strategies and goals. The relationship between the business and IT will make sure that IT resources are focused on doing the right things at the right time. The communication between IT and the business should be free flowing and informative, providing insight into what IT is delivering as well as the status of those efforts. A CAE should review the alignment and ensure that strong portfolio management processes exist, allowing the business and IT organizations to collaborate on resource priorities and initiatives and overall investment decisions.

- Visibility into IT management's ability to achieve its objectives: IT organizations will define their strategies to support the business, part of which is making sure the day-to-day IT operations are being delivered efficiently and without compromise. Metrics and goals are established not only to help IT execute on a tactical basis but also to guide the activities of the personnel to improve maturity of practices. The results will enable IT to execute its strategy and achieve its objectives established with the approval of organization leaders. A CAE should assess whether the linkage of IT metrics and objectives aligns with the organization's goals and becomes a measurement of the progress being made on approved initiatives. Additionally, the CAE can help validate that metrics are being measured effectively and represent realistic views of the IT operations and governance on a tactical and strategic basis.

- Management of risks and identification of continuous improvement opportunities for business and IT outcomes: Risk management is a key component of an effective IT governance structure within an organization. The identification and management of IT risks will enable the IT activity to run the business of IT more effectively while also identifying potential opportunities to improve its practices. IT risks should have defined owners who methodically communicate the status of the risk management efforts to all levels of management. The CAE provides a valuable role in validating the consistency of the IT risk universe and will use the information to help define the internal audit universe for independent risk assessment and audit planning efforts. The Risk IT Practitioner Guide developed by the IT Governance Institute (ITGI) and ISACA provides a framework for identifying and assessing IT risks while also providing a direct link to the Control Objectives for Information and Related Technology (COBIT) framework.

- IT governance improving adaptability of IT to changing business and IT environments: IT governance provides a foundation for IT to better manage its responsibilities and support of the business through defined processes and roles and responsibilities of IT personnel. By having such formality in place, IT has the ability to better identify potential anomalies on a daily and trending basis, leading to root cause identification of situations and issues. Additionally, IT has the ability to adapt more flexibly to ad hoc requests for new or enhanced business capabilities. Today's CAE can assess such data sources (e.g., help desk and problem management tickets) to evaluate how IT is addressing unknown issues. The CAE also can review IT portfolio management processes to understand how needs are prioritized and whether flexibility exists to reprioritize needs based on the organization's changing priorities.

As internal audit activities assess the organization's IT governance structure and practices, several key components that lead to effective IT governance can be evaluated, including:

- Leadership. Evaluate the relationship between IT objectives and the organization's current/strategic needs. Assess the involvement of IT leaders in the development and ongoing execution of the organization's strategic goals. Review how roles and responsibilities are assigned within the IT activity and whether personnel perform them as designed. Also, review the role of senior management and the Board in helping establish and maintain strong IT governance.

- Organization structures. Review how the business and IT personnel are interacting and communicating current and future needs through the existing organizational structure. This should include the existence of necessary roles and reporting relationships to allow IT to adequately meet the needs of the business while giving the business the opportunity to have its requirements addressed through formal evaluation and prioritization.

- IT processes. Evaluate IT process activities and controls in place to manage the needs of the business while providing the necessary assurance over business processes and underlying systems. The IT activity uses the processes to support the IT environment and help with consistent delivery of expected services. Determine how IT will be measured in helping the organization achieve these goals.

- Risk management. Review the IT activity's processes to identify, assess, and monitor/mitigate risks within the IT environment. Additionally, determine the accountability personnel have within the risk management process and how well these expectations are being met. Understand what events have occurred and impacted the IT activity to determine whether appropriate risk management practices are in place and whether risk demographics (e.g., risk frequency, impact, mitigation techniques) were appropriately documented and, if needed, updated after the event.

- Control activities. Assess the IT-defined key control activities to manage its business and the support of the overall organization. Internal audit should review ownership, documentation, and self-validation aspects. Additionally, the control set should be robust enough to address the identified risks.

3. Internal Stakeholders and IT Responsibilities

An organization must understand and manage its IT environment. Furthermore, it must understand and recognize the business processes' dependence on IT and the need to conform to regulatory compliance demands. Business opportunities are exploited or lost as a consequence of success or failure in managing and using IT. Effective IT governance increases the likelihood that IT enables the business to meet its goals and that resources are prudently managed. The following table [1] outlines a set of possible oversight functions and responsibilities with links to the Board, executive management, senior management, and internal auditors from an IT governance point of view.

Role: The Board
Responsibilities: The Board should:
- Understand the strategic value of the IT function.
- Become informed of the role and impact of IT on the enterprise.
- Set strategic direction and expect return.
- Consider how management assigns responsibilities.
- Oversee how transformation happens.
- Understand constraints within which management operates.
- Oversee enterprise alignment.
- Direct management to deliver measurable value through IT.
- Oversee enterprise risk.
- Support learning, growth, and management of resources.
- Oversee how performance is measured.
- Obtain assurance.

Role: Executive Management
Responsibilities: Executive management should:
- Become informed of the role and impact of IT on the enterprise.
- Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals.
- Determine required capabilities and investments.
- Assign accountability.
- Sustain current operations.
- Provide needed organizational structures and resources.
- Embed clear accountabilities for risk management and control over IT.
- Measure performance.
- Focus on core business competencies IT must support.
- Focus on important IT processes that improve business value.
- Create a flexible and adaptive enterprise that leverages information and knowledge.
- Strengthen value delivery.
- Develop strategies to optimize IT costs.
- Have clear external sourcing strategies.

Role: Senior Management
Responsibilities: Senior management should:
- Manage business and executive expectations relative to IT.
- Drive IT strategy development and execute against it.
- Link IT budgets to strategic aims and objectives.
- Ensure measurable value is delivered on time and budget.
- Implement IT standards, policies, and control framework as needed.
- Inform and educate executives on IT issues.
- Look into ways of increasing IT value contribution.
- Ensure good management over IT projects.
- Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence.
- Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value.
- Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.
- Ensure that roles critical for managing IT risks are appropriately defined and staffed.
- Ensure the day-to-day management and verification of IT processes and controls.
- Implement performance measures directly and demonstrably linked to the strategy.
- Focus on core IT competencies.

Role: The Internal Audit Activity
Responsibilities: The internal audit activity should:
- Ensure a sufficient baseline level of IT audit expertise in the department.
- Include evaluation of IT in its planning process.
- Assess whether IT governance in the organization sustains and supports strategies and objectives.
- Identify and assess the risk exposures relating to the organization's information systems.
- Assess controls responding to risks within the organization's information systems.
- Ensure that the audit department has the IT expertise to fulfil its engagements.
- Consider the use of technology-based audit techniques as appropriate.

[1] This table contains portions of the ITGI's Board Briefing on IT Governance, 2nd Edition, used with permission from ITGI and ISACA. ITGI. All rights reserved.

In addition to internal stakeholders, it is also important to take into consideration external parties, such as the external auditor, national authorities, public expectations, and international organizations for standardization.

4. Analyzing Risks

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined and range from doing nothing and accepting the risk as a cost of doing business to applying a wide scope of specific controls. This section explains the concepts of when to apply IT controls.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of organization and industry. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk the organization faces. The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the organization's risk appetite. In this respect, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [2] defines risk appetite as:

the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in the setting of objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks.

In addition to risk appetite, the CAE should consider risk tolerance. COSO defines risk tolerance as:

the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of related objectives and aligns risk tolerances with its risk appetite.

Therefore, the CAE should consider whether:

- The organization's IT environment is consistent with the organization's risk appetite.
- The internal control framework is adequate to ensure the organization's performance remains within the stated risk tolerances.

Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation. Rather, IT must be treated as an integral part of all business processes. Choosing IT controls is not a matter of implementing those recommended as best practices; controls must add value to the organization by reducing risk efficiently and increasing effectiveness. When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

- The use, value, and criticality of information.
- The organization's risk appetite and tolerance for each business function and process.
- IT risks faced by the organization and quality of service provided to its users.
- The complexity of the IT infrastructure.
- The appropriate IT controls and the benefits they provide.

The frequency of risk analysis is important and is influenced greatly by both internal and external changes. The speed of technological change will impact each organization differently. Some organizations will need to respond to the risks associated with technology changes rapidly, while others may decide to respond at a more measured pace.

The IT Environment

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure comprises hardware, software, communications, applications, protocols (i.e., rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems. Other areas to consider include project-related and provider risks. For example, project-related risk includes insufficient budget, resources, project management, and technical skills. For third-party provider and vendor risks, the IT auditor should analyze issues such as stability, financial strength, review of IT controls, and audit rights.

The inventory of IT infrastructure components reveals basic information about the environment's vulnerabilities. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include fundamental controls that ensure basic security. The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components inside and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, information about a system or network also can reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to attackers.

IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to assess whether all related parties have an appropriate awareness and understanding of the technical risks the organization faces through the use of IT as well as their roles in applying and maintaining effective controls.

Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the organization's established risk appetite and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and potentially the Board. The level of detail of these discussions can be determined with input from the CIO, the chief information security officer (CISO), and process owners.

An organization's use of ERM must include IT risks as part of this process. ERM includes methods and processes to manage risks and seize opportunities in achieving the organization's objectives. It typically starts with identifying particular events or circumstances relevant to the organization's objectives (e.g., the risks of data breaches), assessing them in terms of likelihood and magnitude of impact (e.g., the inherent risk of a data breach is rated high, and the impact also is rated as high), determining a response (e.g., new policies to better secure the organization's data), and monitoring progress on the implementation of responses (e.g., the IT activity's implementation of new security measures to avoid data breaches). By identifying and proactively addressing risks and opportunities, organizations will be better suited to protect and create value for stakeholders. In this way, ERM assists the CAE in understanding the significant risks for the entire organization. Then, the CAE can use this perspective to set audit priorities, determine audit project activities, and establish risk appetite and tolerance.

Performing a Risk Analysis

A risk analysis should be performed with involvement from various roles and departments within an organization, including the chief risk officer (CRO), CAE, IT activity, and business representatives. Basic questions associated with the risk assessment process include:

- Which IT assets (this includes both tangible and intangible IT assets, such as information or reputation) are at risk, and what is the value of their confidentiality, integrity, and availability?
- What could happen to adversely affect that information's asset value (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.
- If a threat event happened, how bad could its impact be?
- How often might the event be expected to occur (frequency of occurrence)?
- How certain are the answers to the first four questions (uncertainty analysis)?
- What can be done to reduce the risk? How much will it cost? Is it cost-efficient?

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The CAE will find it helpful to work with the CRO to coordinate and align the IT-related risks. Depending on the organization's size and risks, the CAE and CRO may want to share how they prioritize risk areas, risk coverage, or leverage resources.

[2] The Committee of Sponsoring Organizations of the Treadway Commission, Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting
[3] COSO, Strengthening Enterprise Risk Management for Strategic Advantage, Nov. 4,

4.2 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may have minor impact if they occur or may be extremely unlikely to occur, and it may not be cost-effective to implement expensive control processes. In general, there are several ways to treat risks.

- Accept the risk. One of management's primary functions is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.

- Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

- Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the risk to an insurance provider.

- Control/mitigate the risk. Instead of or in combination with other options, controls may be devised and implemented to prevent the risk from manifesting itself, to limit the likelihood of this manifestation, or to minimize its effects.
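The risk-analysis questions in section 4 (asset value, threat event, impact, frequency, uncertainty, cost of reduction) and the four treatment options above can be carried through with numbers. The following Python is an added illustration, not code from the GTAG or the IIA: it computes an annualized loss expectancy for a constructed two-item risk register, widens it into an uncertainty band, and then selects accept, control, share or eliminate against a stated risk appetite and tolerance. The asset names, monetary figures, frequencies, control effects, and the reading of appetite as an annual amount and tolerance as a fraction around it are all assumptions made for the example.

```python
"""Quantitative risk analysis and treatment selection (added example).

Not from the GTAG or the IIA: this walks the section 4 risk-analysis
questions (asset value, threat event, impact, frequency, uncertainty,
cost of reduction) and then picks one of the section 4.2 treatments
(accept, eliminate, share, control) against a stated risk appetite and
tolerance. All figures below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str               # what is at risk (tangible or intangible)
    asset_value: float       # value of the asset's confidentiality/integrity/availability
    threat_event: str        # what could happen to the asset
    exposure_factor: float   # fraction of asset value lost per event (impact)
    annual_frequency: float  # expected events per year
    uncertainty: float       # confidence in the estimates, as a +/- fraction

    def ale(self) -> float:
        """Annualized loss expectancy: value x impact fraction x events per year."""
        return self.asset_value * self.exposure_factor * self.annual_frequency

    def ale_band(self) -> tuple[float, float]:
        """Uncertainty analysis: best/worst case band around the point estimate."""
        point = self.ale()
        return point * (1 - self.uncertainty), point * (1 + self.uncertainty)


@dataclass(frozen=True)
class TreatmentOption:
    name: str                 # "accept", "control: ...", "share: ...", "eliminate: ..."
    annual_cost: float        # what the option costs the organization per year
    retained_fraction: float  # share of the worst-case loss the organization still bears


# Accepting the risk costs nothing and retains all of it (assumed representation).
ACCEPT = TreatmentOption("accept", 0.0, 1.0)


def control_option(name: str, annual_cost: float,
                   frequency_reduction: float, impact_reduction: float) -> TreatmentOption:
    """A control that lowers likelihood and/or impact; the retained share is the product."""
    retained = (1 - frequency_reduction) * (1 - impact_reduction)
    return TreatmentOption(f"control: {name}", annual_cost, retained)


def choose_treatment(risk: Risk, options: list[TreatmentOption],
                     appetite: float, tolerance: float) -> dict:
    """Cheapest option whose worst-case exposure stays within appetite (plus tolerance).

    appetite:  annual loss management is willing to accept for this risk (assumed unit)
    tolerance: acceptable variation around the appetite, as a fraction (assumed unit)
    """
    _, worst_case = risk.ale_band()
    ceiling = appetite * (1 + tolerance)
    evaluated = []
    for opt in options:
        exposure = worst_case * opt.retained_fraction
        evaluated.append({
            "option": opt.name,
            "exposure": exposure,
            "total_cost": exposure + opt.annual_cost,  # cost of risk + cost of treatment
            "within_appetite": exposure <= ceiling,
            "escalate": False,
        })
    acceptable = [e for e in evaluated if e["within_appetite"]]
    if acceptable:
        return min(acceptable, key=lambda e: e["total_cost"])
    # Nothing brings the risk inside appetite: take the least-cost option and escalate.
    best = min(evaluated, key=lambda e: e["total_cost"])
    return {**best, "escalate": True}


# Constructed sample register (not real data).
CUSTOMER_DB = Risk("customer database", 2_000_000, "data breach", 0.25, 0.2, 0.30)
CUSTOMER_DB_OPTIONS = [
    ACCEPT,
    control_option("encrypt at rest + quarterly access review", 30_000, 0.5, 0.6),
    TreatmentOption("share: cyber insurance, 25% retained", 40_000, 0.25),
    TreatmentOption("eliminate: tokenize via provider", 80_000, 0.0),
]
PRINT_SERVER = Risk("print server", 20_000, "service outage", 0.50, 0.1, 0.50)
PRINT_SERVER_OPTIONS = [ACCEPT, control_option("clustered pair", 5_000, 0.9, 0.0)]

if __name__ == "__main__":
    for risk, opts in ((CUSTOMER_DB, CUSTOMER_DB_OPTIONS), (PRINT_SERVER, PRINT_SERVER_OPTIONS)):
        print(risk.asset, risk.ale_band(), choose_treatment(risk, opts, appetite=50_000, tolerance=0.2))
```

With an appetite of 50,000 per year and a 20% tolerance, the customer database's worst-case exposure (130,000) exceeds the ceiling, so accepting it is ruled out and the control (26,000 retained plus 30,000 cost) beats both insurance and elimination on total cost; the print server's worst case of 1,500 sits comfortably inside appetite, so the 5,000 cluster is not cost-efficient and the risk is accepted, matching the "accept the risk" case above. When no option fits, the function returns the least-cost one flagged for escalation rather than silently accepting it.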

GTAG Assessing IT: An Overview

5. Assessing IT: An Overview

IT controls are applied when controlling or mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that should be in place to provide a fundamental level of IT control. IT controls should be part of major IT processes related to planning, organization, acquisitions, changes, delivery of IT services, and IT support and monitoring. IT controls supporting a wide range of these IT processes typically would be the IT infrastructure controls that cover areas such as network controls, database controls, operating system controls, and hardware controls. IT controls that cover applications and, in many cases, important business areas could include input edit controls, process completion or reconciliation controls, and exception report controls.

The CAE should gain an overview of the important controls and what business processes they support as a first step in understanding IT risks and controls. Process descriptions and organization charts are some of the tools that can be used to gain an overview. Additionally, the CAE should obtain an understanding of key IT initiatives to comprehend how the IT infrastructure and applications may be changing during a defined period of time. This information will enable the CAE to perform an initial risk assessment that allows for a deeper analysis.

Some questions can be considered when evaluating the control environment and selecting a suitable set of controls:

- Do IT policies, including IT controls, exist?
- Have responsibilities for IT and IT controls been defined, assigned, and accepted?
- Is the control designed effectively?
- Is the control operating effectively?
- Does the control achieve the desired result?
- Is the mix of preventive, detective, and corrective controls effective?
- Do the controls provide evidence when control parameters are exceeded or when controls fail?
- How is management alerted to failures, and which steps are expected to be taken?
- Is evidence retained (e.g., through an audit trail)?
- Are the IT infrastructure equipment and tools logically and physically secured?
- Are access and authentication control mechanisms used?
- Are controls in place to protect the operating environment and data from viruses and other malicious software?
- Are firewall-related controls implemented? Do firewall policies exist?
- Are external and internal vulnerability assessments completed, and have risks been identified and resolved appropriately?
- Are change and configuration management and quality assurance processes in place?
- Are structured monitoring and service measurement processes in place?
- Have the risks of outsourced services been taken into consideration? (For details on this, refer to GTAG 7: IT Outsourcing.)

The payment card industry publishes one of the more widely and broadly used data security standards, the PCI Data Security Standard (PCI DSS). Launched in 2006, the PCI Security Standards Council represents an open, global forum that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the PCI DSS, the Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. The CAE can use the PCI DSS at a high level to determine whether certain security activities should be considered for the organization (see the following PCI Data Security Standard High Level Overview).

Introduction and PCI Data Security Standard Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities which store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.

PCI Data Security Standard High Level Overview

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel [4]

Assessing IT controls is a continuous process. Business procedures constantly change as technology continues to evolve, and threats emerge as new vulnerabilities are discovered. Audit methods improve as internal auditors adopt an approach where IT control issues in support of the business objectives are a top priority. Management provides IT control metrics and reporting, and auditors attest to their validity and opine on their value. The internal auditor should liaise with management at all levels to agree on the validity and effectiveness of the metrics and assurances for reporting. The internal audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, divides the assessment into a logical series of steps.

[4] PCI DSS Requirements and Security Assessment Procedures, V2.0, Copyright 2010 PCI Security Standards Council LLC

Figure 1: The Structure of IT Auditing (diagram; labels as extracted: Governance - Management - Technical; Understanding IT Controls; General; Application; Prevention, Detection, Correction; Information Security; Assessing IT Controls; Importance of IT Controls; Roles and Responsibilities; Based on Risk; Reliability and Effectiveness; Competitive Advantage; Legislation and Regulation; Governance; Management; Audit; Risk Analysis; Risk Response; Monitoring and Techniques; Assessment; Baseline Controls; Control Framework; Frequency; Methodologies; Audit Committee Interface)

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. The CAE should oversee the pursuit of continuous learning and reassessment as new technologies emerge and as dependencies, strategies, risks, and requirements change.

GTAG Understanding the Importance of IT Controls

6. Understanding the Importance of IT Controls

Although this GTAG deals exclusively with IT risks and controls, the control environment within IT (e.g., tone at the top from the CIO, the ethical climate, management philosophy, and operating style) is critically important and should be evaluated. The IIA's Practice Guide, Auditing the Control Environment, should be consulted in addition to this GTAG when considering the control environment within IT.

COSO defines internal control as: A process, effected by an entity's board of directors, management, and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in:

- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.

IT controls encompass those processes that provide assurance for information and information services and help control or mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analyses for large bodies of data. It is not necessary for the CAE to know everything about IT controls, including the full continuum or all the technical intricacies. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure.

6.1 IT General and Application Controls

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 2, Some Control Classifications). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as:

- Are the detective controls adequate to identify errors that may get past the preventive controls?
- Are corrective controls sufficient to fix the errors once detected?

A common classification of IT controls is general versus application. For further definition of IT-related controls, refer to GTAG 8: Auditing Application Controls.

Figure 2: Some Control Classifications (diagram; labels as extracted: General Controls; Governance Controls; Management Controls; Technical Controls; Application Controls; Prevention Controls; Detective Controls; Corrective Controls)

IT General Controls

General controls apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, IT governance, risk management, resource management, IT operations, application development and maintenance, user management, logical security, physical security, change management, backup and recovery, and business continuity. Some general controls are business-related (e.g., segregation of duties or governance arrangements), whereas others are very technical (e.g., system software controls and network software controls) and relate to the underlying infrastructure. General controls are reviewed by internal audit because they form the basis of the IT control environment. If the general controls are weak and unreliable (e.g., change and access control) and cannot be relied on, the auditor may need to alter the testing approach for those areas impacted.

Application Controls

Application controls [5] pertain to the scope of individual business processes or application systems and include controls within an application around input, processing, and output. Application controls also can include data edits, segregation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

[5] PCI Security Standards Council LLC, Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 2.0., Oct

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls usually are classified as preventive, detective, or corrective.

- Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data entry edits that block alphabetic characters from being entered into numeric fields; access controls that protect sensitive data or system resources from unauthorized people; and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.
- Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls also can include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or that the sender cannot be authenticated.
- Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data entry errors to identifying and removing unauthorized users or software from systems or networks to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as soon as possible to simplify correction. Many other control classifications described in this document may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications may exist such as mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

6.2 IT Governance, Management, and Technical Controls

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, technical, and application. The first two levels, governance and management, are the most applicable to the scope of this guide. However, it also may be useful to understand how higher-level controls specifically are established within the technical and application IT infrastructures. Technical controls and application controls are the subject of GTAG 8: Auditing Application Controls.

IT Governance Controls

The primary responsibility for internal control oversight resides with the Board in its role as keeper of the governance framework. IT control at the governance level involves overseeing effective information management, principles, policies, and processes and ensuring that they are in place and performing correctly. These controls are linked with the concepts of governance, which are driven both by organizational goals and strategies and by outside bodies, such as regulators.

Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization with special attention to critical assets, sensitive information, and operational functions. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management in response to risks to the organization, its processes, and assets.

Technical Controls

Technical controls often form the backbone of management's control framework. Therefore, if the technical controls are weak, the impact affects the entire control framework. For example, by protecting against unauthorized access and intrusion, technical controls provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. Examples of technical controls are operating system controls, database controls, encryption, and logging.

Application Controls

As already established, application controls pertain to the scope of individual business processes or application systems. They may be technical in nature but are also nontechnical depending on the area of control. They include controls of input, processing, and output. A later section of this document discusses application controls in more depth.

6.3 IT Controls: What to Expect

Individual controls within an organization can be classified within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the Board down to the specific control mechanisms incorporated into application systems.

Figure 3, Hierarchy of IT Controls, represents a logical top-down approach both when considering controls to implement and when determining areas on which to focus internal audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they connect with each other and often overlap and intermingle. Each of the control types within the hierarchy is described below.

Figure 3: Hierarchy of IT Controls (diagram; labels as extracted: Governance: Policies, Standards; Management: Organization and Management, Physical and Environmental Controls, Systems Software Controls, Systems Development Controls; Technical: Application-based Controls)

Policies

All organizations need to define their goals and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Because technology is vital to virtually all organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the Board, and communicated to staff. Many different policy statements can be required depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient provided it covers all relevant areas. Larger organizations often will require more detailed and specific policies. For example, IT policy statements may include, but are not restricted to:

- A general policy on the level of security and privacy throughout the organization. This policy should be consistent with relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
- A statement on the classification of information and the rights of access at each level. The policy also should define any limitations on the use of this information by those approved for access.
- A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. This should be a general policy that defines the extent to which users can create their own applications.
- Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization and requiring employees to sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy typically would also detail related disciplinary procedures.
- Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered when an unexpected event or disaster happens.

Standards

The organization should have an IT blueprint that supports its overall strategy and sets the tone for the resultant IT policies and standards. [6] The standards define ways of working to achieve the objectives of the organization. Adopting and enforcing standards promotes efficiency and ensures consistency in the IT operating environment. Large organizations with significant resources are in a position to devise their own standards, but smaller organizations may not have sufficient resources. There are many sources of information on standards and best practice. For example, IT management should consider:

- Systems development processes: When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
- Systems software configuration: Because systems software provides a large element of control in the IT environment, standards related to secure system configurations are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
- Application controls: All applications that support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases, and the standards should define the types of controls that must be present across the whole range of business activities as well as the specific controls that should apply to sensitive processes and information.
- Data structures: Having consistent data definitions across the full range of applications ensures that disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
- Documentation: Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, written standards should be approved by management and made available to everyone who implements them.

Organization and Management

Organization and management play a major role in the whole system of IT control in addition to every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented. Important controls typically could include segregation of incompatible duties, financial controls, and change management.

Segregation of Duties

Segregation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest with one individual. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Segregation-of-duties controls for application systems are implemented by granting access privileges in accordance with job requirements for processing functions and accessing information. Traditional segregation of duties within the IT environment is divided between systems development and IT operations. IT operations should be responsible for running production systems except for change deployment and should have little or no responsibility within the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes, segregation of duties can be enforced. In large organizations, many functions should be considered to ensure appropriate segregation of duties.

Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report on these issues. Unfortunately, new IT developments often suffer massive cost overruns and fail to deliver the expected cost savings or income because of wrong estimates or insufficient planning.

Change Management

Change management [7] processes ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate segregation of duties; ensures that changes work and are implemented as required; and prevents changes from being exploited for fraudulent purposes. A lack of change management can seriously impact system and service availability.

Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications. Some typical physical and environmental controls include:

- Locating servers in locked rooms to which access is restricted.
- Restricting server access to specific individuals.

[6] The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing ensures that the internal audit activity examines the IT strategy. IIA Standard 2110.A2 states: The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives.
[7] Refer to The IIA's GTAG 2: Change and Patch Management Controls: Critical for Organizational Success.

51 GTAG Understanding the Importance of IT Controls Providing fire detection and suppression equipment. Housing sensitive equipment, applications, and data away from environmental hazards, such as low-lying flood plains, flight paths, or flammable liquid stores. When considering physical and environmental security, it is also appropriate to consider contingency planning 8. What will the organization do if there is a fire or flood or if any other threat manifests itself? How will the organization continue its operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that business continuity planning that has not been tested successfully in a realistic simulation is not reliable Systems Software Controls Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems (e.g., Windows and UNIX), network and communications software, firewalls, antivirus products, and database management systems (DBMS) (e.g., Oracle and DB2). IT audit specialists should assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider using external resources. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Systems software can be highly complex and can apply to components and appliances within the systems and network environment. Software may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to securely maintain it. 
Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for unauthorized users to break into a system. Configuration techniques also provide the means to enforce segregation of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs. Some key technical controls to be expected in a wellmanaged IT environment include: 8 Refer to The IIA s GTAG 10: Business Continuity Management. 9 Refer to The IIA s GTAG 6: Managing and Auditing IT Vulnerabilities. 10 Refer to The IIA s GTAG 2: Change and Patch Management Controls: Critical for Organizational Success. Access rights allocated and controlled according to the organization s stated policy. Division of duties enforced through systems software and other configuration controls. Intrusion and vulnerability assessment 9, prevention, and detection in place and continuously monitored. Intrusion testing performed on a regular basis. Encryption services applied where confidentiality is a stated requirement. Change management processes including patch management in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data Systems Development and Acquisition Controls Organizations rarely adopt a single methodology for all system acquisitions or development. Methodologies are chosen to suit the particular circumstances. The IT auditor should assess whether the organization uses a controlled method to develop or acquire application systems and whether it delivers effective controls over and within the applications and data they process. By examining application development procedures, the auditor can gain assurance that application controls are adequate. Some basic control issues should be addressed in all systems development and acquisition work. 
For example: User requirements should be documented, and their achievement should be measured. Systems design should follow a formal process to ensure that user requirements and controls are designed into the system. Systems development should be conducted in a structured manner to ensure that requirements and approved design features are incorporated into the finished product. Testing should ensure that individual system elements work as required, system interfaces operate as expected, and that the system owner has confirmed that the intended functionality has been provided. Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes. Where systems development is outsourced, the outsourcer or provider contracts should require similar controls. Project management techniques and controls should be part of 20

the development process whether developments are performed in-house or are outsourced. Management should know whether projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management understands the current status of development projects and does not receive any surprises when the end product is delivered.[11] The IIA's GTAG 12: Auditing IT Projects also should be considered when assessing development or acquisition projects.

Application Controls[12]

The objective of controls over application systems is to ensure that:
- All input data is accurate, complete, authorized, and correct.
- All data is processed as intended.
- All data stored is accurate and complete.
- All output is accurate and complete.
- A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing application controls traditionally has been the realm of the specialist IT auditor. However, because application controls now represent a large percentage of business controls, they should be a key concern of every internal auditor. There are several types of generic controls that should exist in any application.

- Input controls: These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
- Processing controls: These controls provide automated means to ensure processing is complete, accurate, and authorized.
- Output controls: These controls address what is done with the data. They should compare results with the intended result and check them against the input.
- Integrity controls: These controls can monitor data in process and/or storage to ensure that data remains consistent and correct.
- Management trail: Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.

6.4 Information Security

Information security[13] is an integral part of IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI and budgetary controls) and some project management controls. The generally accepted elements of information security are:

- Confidentiality: Confidential information must be divulged only as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
- Integrity: Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
- Availability: Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

6.5 IT Controls Framework

For the more than 50 years that organizations have used IT, controls have not always been the default condition of new systems hardware or software. The development and implementation of controls typically lag behind the recognition of emerging risks in systems and the threats that exploit such vulnerabilities. Furthermore, IT controls are not defined in any universally recognized standard applicable to all systems or to the organizations that use them.

A control framework is a structured way of categorizing and identifying controls to adequately secure an IT environment. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all concerned parties, including the business process owners and the parties responsible for performing the controls. The control framework should apply to, and be used by, the whole organization.

[11] Refer to The IIA's GTAG 14: Auditing User-developed Applications.
[12] Refer to The IIA's GTAG 8: Auditing Application Controls.
[13] Refer to The IIA's GTAG 15: Information Security Governance.
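The generic application controls listed above (input, processing, output and integrity controls plus the management trail) are easier to evaluate when they are seen together in code, because each one becomes a separate, testable step. The following is an added illustration, not code from GTAG 1 or from the IIA: a toy batch posting routine in Python. The approver list, the amount limit, the ten-digit account format and the transactions in the batch are constructed assumptions.

```python
"""Added example, not from GTAG 1 or the IIA: a toy batch posting routine
that implements the generic application controls the section lists
(input, processing, output and integrity controls plus a management trail).
Limits, the approver list and the transactions are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation
import hashlib
import json

AUTHORISED_APPROVERS = {"alice", "bob"}   # assumed authorisation list
MAX_AMOUNT = Decimal("100000.00")         # assumed upper input parameter
ACCOUNT_LENGTH = 10                       # assumed account number format


@dataclass
class ManagementTrail:
    """Append-only record of what happened to each transaction at each stage."""
    events: list = field(default_factory=list)

    def record(self, stage, ref, detail):
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "stage": stage, "ref": ref, "detail": detail})

    def trace(self, ref):
        """Forward trace: every event for one transaction, input to output."""
        return [e for e in self.events if e["ref"] == ref]


def input_control(rec):
    """Input control: return the reasons a record fails validation (empty if it passes)."""
    errors = []
    try:
        amount = Decimal(str(rec.get("amount")))
        if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount outside permitted range")
    except InvalidOperation:
        errors.append("amount is not numeric")
    account = str(rec.get("account", ""))
    if not (account.isdigit() and len(account) == ACCOUNT_LENGTH):
        errors.append("account number malformed")
    if rec.get("approver") not in AUTHORISED_APPROVERS:
        errors.append("not authorised by a permitted approver")
    return errors


def digest(stored_rec):
    """Integrity control: canonical SHA-256 of a stored record."""
    canon = json.dumps({"account": stored_rec["account"],
                        "amount": str(stored_rec["amount"])}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def process_batch(records, trail):
    accepted = []
    for rec in records:
        errors = input_control(rec)
        if errors:
            trail.record("input", rec["ref"], "rejected: " + "; ".join(errors))
            continue
        trail.record("input", rec["ref"], "accepted")
        accepted.append(rec)

    # Processing control: batch control totals are fixed before posting begins.
    expected_count = len(accepted)
    expected_total = sum((Decimal(str(r["amount"])) for r in accepted), Decimal("0"))

    stored, digests = {}, {}
    for rec in accepted:
        stored[rec["ref"]] = {"account": rec["account"], "amount": Decimal(str(rec["amount"]))}
        digests[rec["ref"]] = digest(stored[rec["ref"]])
        trail.record("process", rec["ref"], "posted")

    # Output control: what was stored is compared back against the input totals.
    out_count = len(stored)
    out_total = sum((v["amount"] for v in stored.values()), Decimal("0"))
    reconciled = out_count == expected_count and out_total == expected_total
    trail.record("output", "BATCH", f"count {out_count}/{expected_count}, total "
                 f"{out_total}/{expected_total}, {'match' if reconciled else 'MISMATCH'}")
    return {"accepted": expected_count, "rejected": len(records) - expected_count,
            "total": expected_total, "reconciled": reconciled,
            "stored": stored, "digests": digests}


def verify_integrity(stored, digests):
    """Integrity control over storage: refs whose content no longer matches its digest."""
    return sorted(ref for ref, rec in stored.items() if digest(rec) != digests.get(ref))


# Constructed sample batch (not real transactions): two pass, four fail input control.
SAMPLE_BATCH = [
    {"ref": "T1", "account": "1234567890", "amount": "250.00", "approver": "alice"},
    {"ref": "T2", "account": "1234567890", "amount": "-5.00", "approver": "alice"},
    {"ref": "T3", "account": "12345", "amount": "10.00", "approver": "bob"},
    {"ref": "T4", "account": "0987654321", "amount": "99.50", "approver": "mallory"},
    {"ref": "T5", "account": "0987654321", "amount": "abc", "approver": "bob"},
    {"ref": "T6", "account": "0987654321", "amount": "1000.00", "approver": "bob"},
]

if __name__ == "__main__":
    trail = ManagementTrail()
    result = process_batch(SAMPLE_BATCH, trail)
    print(result["accepted"], "accepted,", result["rejected"], "rejected, reconciled:", result["reconciled"])
    for event in trail.trace("T4"):
        print(event["stage"], event["detail"])
```

An auditor testing an application would look for exactly these points: rejections recorded with a reason, control totals fixed before posting and compared after it, and a changed stored record being detectable. Running the block prints the batch outcome and the trail for one rejected transaction.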

7. IT Audit Competencies and Skills

According to the IPPF, internal auditors are expected to apply and uphold four principles: integrity, objectivity, confidentiality, and competency. The principle of competency requires internal auditors to engage only in those services for which they have the necessary knowledge, skills, and experience. Furthermore, IIA Attribute Standard 1210: Proficiency states:

"Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement."

The IIA provides an Integrated Competency Framework to help identify the necessary competencies to maintain in the internal audit activity. This approach links the identified business risks to the related IT processes. Hence, the CAE should know what kind and level of IT skills and competencies are required for auditing the effectiveness of the controls over the identified business risks. The following table shows a few examples for mapping business risks and required IT controls as well as the skills/competencies needed to perform the audit.

Business risk: Information security management
  IT controls: A sound, logical security control
  IT skills and competencies: Security administration; access controls at network, operating system, database, and application levels

Business risk: Critical business disruption
  IT controls: Ensuring availability of critical business applications
  IT skills and competencies: Business continuity and disaster recovery planning for the IT facilities (including network infrastructure, operating systems, databases, and applications)

Business risk: Inaccurate and incomplete financial and management reporting
  IT controls: Securing data confidentiality and availability
  IT skills and competencies: Application controls, change controls, and system development life cycle (SDLC) controls

If the required IT skills and competencies are not available within the internal audit activity, the CAE may seek an external service provider to support or complement the internal staff (i.e., out-sourcing or co-sourcing).

Refer to IIA Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity.

8. Use of Control Framework

Each organization should examine existing control frameworks to determine which of them or which parts most closely fit its needs. The process of choosing or constructing a control framework should involve all people in the organization with direct responsibility for controls. The internal audit activity will assess the framework's adequacy and use it as a context for planning and performing internal audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the internal audit plan and allocate resources on the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT. Technology changes constantly and rapidly as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analyses and assessments. In assessing control effectiveness, it also is useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether evidence indicates any significant control weaknesses. The checklist included in the appendix can help ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls.

Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture.

8.1 Computer Aided Audit Techniques and the Use of Data Analysis

CAEs should consider the use of computer aided audit techniques, especially data analysis tools, to obtain a more real-time perspective of the IT risk landscape and to potentially identify anomalies. In an environment where organizations and internal audit activities need to do more with less, data analysis provides an opportunity for the CAE to leverage information available throughout the organization and identify potential areas of focus for risk assessment or audit activities. Data analysis also can offer the CAE an approach to constantly assess the operating effectiveness of internal controls and review indicators of emerging risks.

Available data analysis tools provide increased functionality for auditing the information and for efficiently processing larger amounts of data. However, there are key challenges: the CAE needs to obtain the technical skills, access the data analysis tools, leverage the reporting/extract tools, access the data sources, and develop a strategy that focuses on the highest organizational risks.

Continuous auditing is similar to continuous monitoring, as data is continually analyzed or assessed by the internal auditor. Continuous monitoring represents a management responsibility and function. Internal audit may test, review, or leverage the use of continuous monitoring. For more information, refer to The IIA's GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.

8.2 Using Automated Risk Assessment

The CAE may find that strengthening his or her risk assessment requires numeric scoring or detailed risk assessment. Certain tools are available for automating the risk analysis process.
These tools allow for risk scoring, annotating impact, and rating likelihood, among other factors. Automating the risk assessment allows for comparing and prioritizing risks. Collecting inherent and residual risk factors allows the CAE to provide summary information, such as heat maps or risk profiles that meet the organization's risk profile. The automation of internal audit management is a major topic in its own right, and one area of opportunity is automating the risk assessment process (e.g., using voting tools to allow management to record risk ratings).

How Auditing Contributes to IT Controls

During the last few decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyberattacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.

8.3 Reporting on IT Controls

CAEs need to communicate to key stakeholders such as the audit committee, executive management, regulators, external auditors, or the CIO on the results of the assurance engagements. CAEs can use a number of report formats, and approaches can range from updates to balanced scorecards or to private executive session presentations.

One approach is to begin with simple updates on the assessment. The CAE should first determine the inherent level of risk over certain key IT processes. For example, the CAE can provide and verify with the CIO or key IT stakeholders the inherent risk over development, operations, business continuity planning, network, information security, and change management. Often, the inherent risk depends on the IT strategy and organization. Some IT organizations may be outsourced, centralized, or decentralized. The updates may take the form of audit projects in various functional IT areas. The update may include significant findings or issues. Progress on audit recommendations also might be part of the IT update.

Another approach is to report in a balanced scorecard. This may align with the CIO's reporting of IT strategy or operations using an IT balanced scorecard. The Balanced Scorecard Institute provides one template that views the IT activity from four perspectives: financial, internal business process, learning and growing, and customer. When the CAE reports on IT as part of the regular audit report to the Board, audit committee, or management, the report typically would include issues related to information security incidents, change management exceptions, project development status, operation incident reporting, capital spending, or other metrics that measure key IT risks and controls. Such an approach should provide an integrated and comprehensive view of all risks and controls from business to IT in one format.

Sometimes the CAE may need to hold a private or executive session. This type of reporting generally covers significant issues. For example, it may include the internal audit team not being able to access requested data after repeated attempts, key IT individuals not providing complete or full disclosure, or IT leaders leaving the internal auditor out of key steering committee discussions (i.e., not having a seat at the table). Another challenging issue for a private session might be the lack of support by the CIO. This tone at the top may set the wrong culture and even block risk remediation or allow key IT controls to go unmonitored.

9. Conclusion

Assessing IT risks and controls represents for both new and experienced CAEs one of the first steps in gaining an understanding of the IT environment and its significance in business risk management. Reading and applying this GTAG provides guidance for CAEs and internal auditors to sufficiently understand IT risks and applicable controls. The CAE will then be able to guide IT risk and control discussions with key stakeholders.

The next step, assessing and understanding IT governance, permits the CAE to identify who is accountable for what in IT and how IT leadership, in cooperation with business leaders, deploys the IT strategy. In this context, CAEs should keep in mind that IIA Standard 2110.A2 calls for assessing IT governance. Section 3 (Internal Stakeholders and IT Responsibilities) in this document provides a useful summary of key roles and responsibilities.

Once the CAE assesses IT governance, analyzing IT risks is a logical next step in the process. Unfortunately, there is no universal checklist for analyzing IT risks. Each organization, driven by the requirements of its nature and size of business, operates a different technology infrastructure, applications, and interfaces, and uses different policies to achieve its IT strategy. The CAE should perform risk analysis by using a structured methodology, such as that outlined in ISO Risk Management Standardization, and leveraging knowledge from key IT leaders (e.g., the CIO and other executives) in the context of the overall enterprise risks. Developing solid and trusted relationships will allow for transparency when analyzing inherent and residual risks. There are many models and approaches to analyzing IT risks, and the CAE should select the models that best fit his or her organization. Several key IT roles and functions are detailed in Section 6 (Understanding the Importance of IT Controls) in this document.

The CAE rates the IT risk levels and determines what will be included in the overall audit plan. The CAE must identify and assess what technical skills and competencies are required based on the overall audit plan. The CAE may consider The IIA's GAIT Methodology in using a top-down, risk-based approach. Some specializations, however, may not always be cost-effective to deploy on a full-time basis. CAEs can use internally developed technical skills, hired skills, or external providers. Co-sourcing provides an opportunity for organizations of all sizes to use outside expertise and gain perspective on the latest IT trends and risk impact.

Assessing the IT risks and controls requires a thoughtful and organized plan. CAEs should plan sufficient time and skilled resources to do a professional job and create a sustainable process for ongoing analysis.

10. Authors & Reviewers

Authors:
- Steve Mar, CFSA, CISA
- Rune Johannessen, CIA, CCSA, CISA
- Stephen Coates, CIA, CGAP, CISA
- Karine Wegrzynowicz, CIA
- Thomas Andreesen, CISA, CRISC

Reviewers:
- Steve Hunt, CIA
- Steve Jameson, CIA, CCSA, CFSA, CRMA

Other Contributors:
- Dragon Tai, CIA, CCSA

11. Appendix: IT Control Framework Checklist

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas. Each action is followed by the questions from the matching row of the checklist.

ACTIONS AND QUESTIONS

1. Identify the IT control environment of the organization, including:
   a. Values.
   b. Philosophy.
   c. Management style.
   d. IT awareness.
   e. Organization.
   f. Policies.
   g. Standards.
   Questions:
   - Do corporate policies and standards that describe the need for IT controls exist?

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance.
   b. Reporting.
   c. Data protection.
   d. Compliance.
   Questions:
   - What legislation exists that impacts the need for IT controls?
   - Has management taken steps to ensure compliance with this legislation?

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors.
      i. Audit committee.
      ii. Risk committee.
      iii. Governance committee.
      iv. Finance committee.
   b. Management.
      i. CEO.
      ii. CFO and controller.
      iii. CIO.
      iv. Chief Security Officer (CSO).
      v. CISO.
      vi. CRO.
   c. Audit.
      i. Internal audit.
      ii. External audit.
   Questions:
   - Have all relevant responsibilities for IT controls been allocated to individual roles?
   - Is the allocation of responsibilities compatible with the need to apply division of duties?
   - Are IT responsibilities documented?
   - Are IT control responsibilities communicated to the whole organization?
   - Do individuals clearly understand their responsibilities in relation to IT controls?
   - What evidence is there of individuals exercising their responsibilities?
   - Does internal audit employ sufficient IT audit specialists to address the IT control issues?

4. Identify the risk assessment process. Does it address:
   a. Risk appetite?
   b. Risk tolerance?
   c. Risk analysis?
   d. Matching risks to IT controls?
   Questions:
   - How is the organization's risk appetite and tolerance determined?
   - Is the organization's risk appetite and tolerance authorized at board level?
   - Are risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
   - Does the organization use a formal risk analysis process?
   - Is the process understood by everyone responsible for IT control?
   - Is the process used consistently throughout the organization?

5. Identify all monitoring processes, including:
   a. Regulatory.
   b. Normal in-house.
   c. Other than internal auditing.
   Questions:
   - What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
   - Does management carry out monitoring processes outside internal audit?

6. Identify information and communication mechanisms, such as:
   a. Control information.
   b. Control failures.
   Questions:
   - What metrics are provided to the Board, its committees, and management in relation to IT security?
   - What additional reports are provided regularly to the Board and management?
   - Is management always provided with reports when IT control failures occur?
   - Do the Board and its committees receive similar reports of IT control failures?

About IPPF

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:

Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).

Element: Definition
  The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Element: Code of Ethics
  The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

Element: International Standards
  Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
  - Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
  - Interpretations, which clarify terms or concepts within the statements.
  It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.

Strongly Recommended Guidance

Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

Element: Position Papers
  Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.

Element: Practice Advisories
  Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing's approach, methodologies, and considerations, but not detailed processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

Element: Practice Guides
  Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

This GTAG is a Practice Guide under IPPF. For other authoritative guidance materials, please visit


Building on Experience, Shaping the Future of Audit Technology

As the world's leading audit management software, TeamMate has revolutionized the audit industry, empowering audit departments of all sizes to do more with less. Introduced in 1994, TeamMate has a long-standing commitment to advancing the audit profession. From consistently innovative product updates, to hosted solutions, and now mobile apps, we are dedicated to leveraging the latest technology for our clients. TeamMate's outreach extends beyond our customers to support and enrich the professional community through research projects, educational programs and initiatives such as our Open Audit Innovation Contest.

Don't take our word for it... Check out what our customers are saying at TeamMateSuccess.com

To learn about TeamMate, visit us on the web at CCHTeamMate.com or call

Copyright 2012 Wolters Kluwer Financial Services, Inc. All Rights Reserved. ARC-TM-GTAG-AD 12/15/11

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward business language to address a timely issue related to information technology management, control, or security. For other authoritative guidance materials provided by The IIA, please visit our website at standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Internal Audit Department
Audit Program for Cash

Audit Scope:
Audit Objectives:

Risks:
- Cash transactions may not be recorded accurately
- Cash may not exist

Audit Procedures (columns: Done by | Date | W/P Ref)

4. Test bank reconciliations
Test bank reconciliation in order to obtain a moderate to low level of assurance that the aforementioned audit objectives are achieved by performing the following:
a) test the mathematical accuracy of the reconciliation; (accuracy)
b) trace book balances on the client's bank reconciliation to the comparative summary; (accuracy)
c) trace bank balances on the client's bank reconciliation to the bank statement; (accuracy)
d) test reconciling items on the bank reconciliation by performing the following:
   i) Obtain subsequent month bank statement and supporting documentation. Obtain information directly from the bank;
   ii) Trace outstanding items listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash disbursements records for the period prior to the balance sheet date; (accuracy and existence/occurrence)
   iii) Trace deposits in transit listed on the bank reconciliation to the subsequent month's bank statement and for those not traced, trace to the cash receipts records for the period prior to the balance sheet date; (accuracy and existence/occurrence)
   iv) Obtain explanation for large, unusual reconciling items and trace to supporting documentation and/or entries in the cash records, as appropriate; (accuracy and existence/occurrence)
   v) Review the date the above items cleared the bank or were recorded in the client's books to ensure appropriate recording period. Trace to supporting documentation as necessary; and (cut-off)
   vi) Investigate items such as long outstanding items, dishonored checks and significant adjustments in the subsequent month, and record adjustments as necessary (accuracy and existence/occurrence).
e) Review client's bank reconciliation for review and approval by appropriate management and timely completion of reconciliation.
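Steps 4(a) and 4(d) of the program above are mechanical enough to script once the reconciliation and the subsequent-month bank statement are available as data, which is how an auditor using data analysis would apply them to every item rather than a sample. The following is an added example, not part of the audit program: it recomputes the reconciliation, traces outstanding items and deposits in transit to the subsequent statement, and flags long-outstanding items in Python. The balances, item lists, dates and the 90-day threshold are constructed assumptions, not client data.

```python
"""Added example, not part of the audit program above: steps 4(a),
4(d)(ii)-(iii) and the long-outstanding check in 4(d)(vi), run on
constructed sample data. Balances, items, dates and the ageing threshold
are assumptions, not client data."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class ReconItem:
    ref: str          # check number or deposit reference
    amount: Decimal
    recorded: date    # date recorded in the client's books


# Constructed client reconciliation as of the balance sheet date.
BALANCE_SHEET_DATE = date(2008, 12, 31)
BANK_BALANCE = Decimal("52400.00")   # per bank statement (source for step 4c)
BOOK_BALANCE = Decimal("47650.00")   # per general ledger (source for step 4b)
OUTSTANDING_CHECKS = [
    ReconItem("1041", Decimal("1250.00"), date(2008, 12, 22)),
    ReconItem("1045", Decimal("3800.00"), date(2008, 12, 29)),
    ReconItem("0987", Decimal("700.00"), date(2008, 6, 3)),   # long outstanding
]
DEPOSITS_IN_TRANSIT = [
    ReconItem("DEP-1231", Decimal("1000.00"), date(2008, 12, 31)),
]
# Constructed subsequent-month bank statement: reference -> amount cleared.
SUBSEQUENT_STATEMENT = {
    "1041": Decimal("1250.00"),
    "1045": Decimal("3800.00"),
    "DEP-1231": Decimal("1000.00"),
}


def mathematical_accuracy(bank, book, checks, deposits):
    """Step 4(a): bank balance less outstanding checks plus deposits in transit
    must agree to the book balance. Returns (recomputed balance, agrees?)."""
    adjusted = (bank
                - sum((c.amount for c in checks), Decimal("0"))
                + sum((d.amount for d in deposits), Decimal("0")))
    return adjusted, adjusted == book


def trace_to_subsequent_statement(items, statement):
    """Steps 4(d)(ii)/(iii): items that cleared next month at the same amount,
    items that cleared at a different amount, and items not found (which the
    program then sends to the prior-period cash records)."""
    traced, mismatched, not_traced = [], [], []
    for item in items:
        cleared = statement.get(item.ref)
        if cleared is None:
            not_traced.append(item.ref)
        elif cleared == item.amount:
            traced.append(item.ref)
        else:
            mismatched.append((item.ref, str(item.amount), str(cleared)))
    return {"traced": traced, "mismatched": mismatched, "not_traced": not_traced}


def long_outstanding(items, as_of, max_days=90):
    """Step 4(d)(vi): items recorded more than max_days (an assumed threshold)
    before the balance sheet date."""
    return [i.ref for i in items if (as_of - i.recorded).days > max_days]


def run_reconciliation_tests():
    adjusted, agrees = mathematical_accuracy(
        BANK_BALANCE, BOOK_BALANCE, OUTSTANDING_CHECKS, DEPOSITS_IN_TRANSIT)
    return {
        "adjusted_balance": str(adjusted),
        "reconciliation_foots": agrees,
        "checks": trace_to_subsequent_statement(OUTSTANDING_CHECKS, SUBSEQUENT_STATEMENT),
        "deposits": trace_to_subsequent_statement(DEPOSITS_IN_TRANSIT, SUBSEQUENT_STATEMENT),
        "long_outstanding": long_outstanding(OUTSTANDING_CHECKS, BALANCE_SHEET_DATE),
    }


if __name__ == "__main__":
    for name, value in run_reconciliation_tests().items():
        print(f"{name}: {value}")
```

On the sample data the reconciliation foots, two checks and the deposit clear in the subsequent month, and check 0987 both fails to clear and is more than 90 days old, so it is the item step 4(d)(vi) would send for investigation.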

Process description: Purchasing and Disbursements.

Audit Objectives:
1) all inventory items exist and are owned by the Company (existence, completeness, and ownership);
2) inventories are stated at the lower of cost, determined by the LIFO method, or market (valuation);
3) inventory items are properly classified and disclosed (presentation and disclosure).

Audit Procedures (columns: Done by and date | Work paper)

1. Perform test of controls of the purchasing and disbursement process.
2. Review written narratives related to the standard cost accounting system and the control procedures related to the audit objectives.
3. Perform an inventory observation of raw materials, finished goods, and purchased components on December 27. Audit Team Member will then agree the counts into the December inventory detail and reconcile to the December 2008 financial statements.
4. Audit Team Member will obtain inventory lead sheet from the client including current and prior year balances and perform a detailed top-side analytical review of the changes which occurred from the prior year.
5. After each year-end the Company re-values its inventory to a new standard. This standard is amortized over the 12 months of the new fiscal year. Audit Team Member will review the client's calculation of the revaluation amount and compare it to the prior year. Audit Team Member will investigate and document the reasons for the changes, if significant.
6. Audit Team Member will perform price testing procedures on 25 judgmentally selected raw materials and finished goods. These procedures will include ensuring variances are accounted for properly.
7. Audit Team Member will obtain documentation of the client's method of calculating its LIFO reserve and review for reasonableness.
8. Audit Team Member will perform substantive testing to review the client's LIFO calculation for year-end and the related adjustments.
9. Audit Team Member will determine the appropriateness of the Company's obsolescence/excess reserve based on the specific reserve identified and a general reserve calculated based on historical trends.
10. Audit Team Member will review the Inventory Usage Report as of year-end to determine if there are any potential obsolescence issues with the appropriate client personnel.

Contents

Executive summary ... X
Project objectives and scope ... X
Process background ... X
Observations, findings and recommendations ... X
Report distribution ... X

Executive Summary

The following is a summary of the significant findings and observations noted during our review of Company 123's Accounts Receivable, Credit, Collection and Cash Application Processes. These processes occur at the executive office. None of the following findings are significant internal control deficiencies but were noted as control and efficiency enhancement opportunities.

Processes:
- There is a risk that the X plant can release sales orders in excess of customer credit limits.
- Customer credit limits are not appropriately established, monitored, and updated.
- Customer information in XXX cannot be traced to source documents.
- Formal Policies and Procedures do not exist for all processes.

Systems:
- Employees have multiple user IDs within XXX.
- User IDs exist within XXX for employees who have changed departments or have left the Company.
- No formal process for monitoring and/or removing access to permissions in XXX exists.

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

Standards Conformance Statement
[Rating scale from the original layout: Defined / Managed / Optimized. NOTE: No Overall Ratings]
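The three "Systems" findings above are the typical output of a user access reconciliation, the kind of data analysis that section 8.1 of the GTAG earlier in this document recommends: the application's user list is matched against the HR roster, and every account that has no owner, more than one owner-account pair, a different department than HR records, or an owner who has left is reported. The following added example (not part of this report template, and not code from GTAG 1 or the IIA) performs that reconciliation in Python. The HR roster, the user list, the system name and the dates are constructed sample data.

```python
"""Added example, not from the audit report or from GTAG 1: a user access
review that reconciles an application's user list against the HR roster and
reports findings by type (multiple IDs per employee, IDs of transferred or
terminated employees, IDs with no owner). All data below is constructed."""
from collections import Counter, defaultdict
from datetime import date

# Constructed HR roster: employee id -> current status and department.
HR_ROSTER = {
    "E100": {"name": "A. Smith", "dept": "Credit", "status": "active", "term_date": None},
    "E101": {"name": "B. Jones", "dept": "Collections", "status": "active", "term_date": None},
    "E102": {"name": "C. Lee", "dept": "Finance", "status": "terminated", "term_date": date(2012, 3, 31)},
    "E103": {"name": "D. Patel", "dept": "Sales", "status": "active", "term_date": None},
}

# Constructed application user list, as an extract from the AR system would look.
APP_USERS = [
    {"user_id": "asmith", "employee_id": "E100", "dept": "Credit", "last_login": date(2012, 5, 1)},
    {"user_id": "asmith2", "employee_id": "E100", "dept": "Credit", "last_login": date(2012, 4, 2)},
    {"user_id": "bjones", "employee_id": "E101", "dept": "Credit", "last_login": date(2012, 5, 3)},
    {"user_id": "clee", "employee_id": "E102", "dept": "Finance", "last_login": date(2012, 4, 15)},
    {"user_id": "svc_ftp", "employee_id": None, "dept": None, "last_login": date(2012, 5, 4)},
    {"user_id": "dpatel", "employee_id": "E103", "dept": "Sales", "last_login": date(2012, 5, 2)},
]


def review_access(hr, users):
    """Return one finding per exception; each finding names the ID or employee concerned."""
    findings = []
    ids_by_employee = defaultdict(list)
    for u in users:
        emp = u["employee_id"]
        if emp is None or emp not in hr:
            # No owner in HR: nobody is accountable for reviewing this ID.
            findings.append({"type": "no_hr_owner", "subject": u["user_id"],
                             "detail": "user ID cannot be matched to an employee"})
            continue
        ids_by_employee[emp].append(u["user_id"])
        person = hr[emp]
        if person["status"] == "terminated":
            used_after = person["term_date"] is not None and u["last_login"] > person["term_date"]
            findings.append({"type": "terminated_user_id", "subject": u["user_id"],
                             "detail": "ID still exists after termination"
                                       + ("; used after termination date" if used_after else "")})
        elif u["dept"] != person["dept"]:
            # Transferred employee whose access was granted for the old department.
            findings.append({"type": "department_changed", "subject": u["user_id"],
                             "detail": f"access set up for {u['dept']} but HR shows {person['dept']}"})
    for emp, ids in ids_by_employee.items():
        if len(ids) > 1:
            findings.append({"type": "multiple_user_ids", "subject": emp,
                             "detail": ", ".join(sorted(ids))})
    return findings


def summarize(findings):
    """Count of findings by type, the figure that goes into the summary."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    results = review_access(HR_ROSTER, APP_USERS)
    print(summarize(results))
    for f in results:
        print(f"{f['type']:20} {f['subject']:10} {f['detail']}")
```

The last-login comparison is what turns "an ID still exists for a leaver" into the stronger finding "the ID was used after the termination date", which is the distinction a reader of the report needs in order to judge whether the missing removal process has already been exploited.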

Executive Summary (Continued)

For the Accounts Receivable Department, the key performance indicator is Days Sales Outstanding (DSO). This encompasses the sub-processes within Accounts Receivable such as invoicing, issuance of credit limits, collection efforts, cash application and processing of deductions. Internal Audit did not audit the table below but reviewed it for reasonableness. Based on the trends depicted in this table, Company 123 is continuing to improve the processes within the Accounts Receivable Department as evidenced by the improved DSO.

Month | Company 123 Goal | Company 123 Actual | Competitor 1 | Competitor 2
1st Quarter | X | X | X | X
2nd Quarter | X | X | X | X
3rd Quarter | X | X | X | X
4th Quarter | X | X | X | X

* Provided by Company 123 Accounts Receivable Dept. and is unaudited

Project Objectives and Scope

Audit Objectives

Project Objectives
- Our objective was to gain an understanding of the processes as well as identify risks associated with the processes and determine whether internal controls exist and were operating as intended.

Project Scope
The following process areas were included in the scope of this project:
- Credit issuance and approval (Sample selected for X to X, extracted from XXX)
- Input and maintenance of the customer master file data (Sample selected for X through X, from XXX)
- Collection process (Sample selected for X, extracted from systems X and XXX)
- Application of payments process (Sample selected for X through X, extracted from System X)
- Processing of Invoices (Observation of process)
- Bad debt, write off review (Sample selected for X through X)
- Claims processing (Sample selected for X, extracted from XXX)
- Research and processing of deductions (Sample selected for X, extracted from XXX)

Excluded from Project Scope
The following process areas were excluded from the scope of the project:
- X site is excluded from the project scope
- X operations ancillary to this process are excluded

Audit Scope

Procedures Performed
- Interviewed the key personnel
- Documented the processes through the use of process maps and process narratives
- Identified and sourced the key risks and identified existing controls over the processes
- Evaluated the adequacy of controls over the processes to the extent they exist
- Assessed the extent to which incompatible duties were segregated in the processes, i.e., custody, recording, authorization of transactions
- Performed detail testing of selected customer orders, changes to the master file and system access

Methodology

Process Background

Background

Company 123 currently uses XXX System for credit, collections, deductions, claims, accounts receivable, and cash application module. 123 Operations also utilizes a separate XXX System and XXX System which reside within an XXX system. Multiple times throughout the day FTP Batches are sent to XXX from these systems. The plants are using X systems to maintain inventory movements and this system interfaces with the X. The centers use the X system which interfaces with XXX multiple times throughout the day. Data from the lockboxes/bank activity are uploaded into XXX on a daily basis.

Company 123 has approximately X active customers in its master file with an approximate available credit line of $X. The Credit Analysis group is comprised of three employees including one MA, one MBA and one Level 1 Candidate for the Chartered Financial Analyst program. These individuals, hired within the last X months, are responsible for researching the creditworthiness of customers who wish to receive credit, and the issuance of credit lines to those customers.

In (insert date), the Credit department implemented a new process for establishing the appropriate credit limits based on a customer's risk profile, size and return on 123's sales to the customer. This novel process includes a review of customer credit profiles at least annually and requires customers with a higher risk profile to be evaluated quarterly. Over X% of 123's customers have credit limits of under $X.

The Collections team is responsible for releasing orders and collecting past due amounts. On an average day the Collections department will release approximately X orders and X orders as credit availability would warrant.

Is this too much background?

72 Processes Observations/Findings 5

73 Observations, Findings and Action Matrix

[Slide callout: Condition Focused Action Plan]

The X plant releases sales orders for customers who are exceeding their credit limits or have past due balances.

Observation: As identified to us during fieldwork, the X plant uses an internally developed accounting/order processing system referred to as the X system. The X system is used, among many other plant-related processes, for the X/transport order entry platform. Since the X plant does not use X/X for its sales order entry process, the collections department at the X plant approves and releases orders. Based on our discussions with relevant Corporate personnel, the X collections department has been releasing sales orders for customers who are exceeding their credit limits. Collections Representatives at corporate are unable to see that an order has been released until an invoice is generated. This results in collection issues with X customers and could lead to potential uncollectible accounts. This observation is based primarily on discussions with corporate personnel, as our sample did not include X plant orders.

Business Risk/Impact: There is a risk that the X plant may extend credit beyond appropriate limits, increasing the amount of accounts receivable at risk.

Management Action Plan: Access to the X system has been completed. As of (insert date) the order release process will be maintained at the X Corporate location. Although this will add an additional platform to monitor, the order release process will afford the necessary controls that were lacking when the sales orders were released at the X facility. The conversion of the X plant to a common order release process is addressed on page X of this document.

Responsible Person(s): X
Implementation Timing: Completed on (insert date)

[Slide callouts: Internal Criteria; Cumulative Effect on the Organization; Root Cause; ½ Mile High Condition; Direct, One Time Effect] 6

74 Observations, Findings and Action Matrix

The X plant releases sales orders for customers who are exceeding their credit limits or have past due balances.

Recommendation: Establish a process to ensure that Corporate Collections provides approval of X Plant order release to prevent non-compliance with Company policy. Currently, the Corporate Collections department is responsible for the release of the X orders function, yet the control over the function lies at the X Plant. Ensure Corporate credit provides timely information to the X Plant related to credit availability and appropriate payment history. Convert the X Plant to the same order system as Corporate, so that the information is easily accessible to the Corporate office. The overall cost benefit of the conversion should be considered in connection with this recommendation.

Business Risk/Impact: There is a risk that the X plant may extend credit beyond appropriate limits, increasing the amount of accounts receivable at risk.

[Slide callouts: Cause Focused Recommendation; Condition Focused Recommendation] 7

75 Observations, Findings and Action Matrix

Collections representatives are releasing sales orders for customers with past due accounts or who are exceeding their credit limit (Cont.).

Based on inquiries with Collections Representatives and system testing, many of 123's largest customers are set up as Auto Approve in the X. For auto approve customers, the X systematically checks whether the customer is over their credit limit based on their X sales only. Any orders that the customer may have for X or from the X plant would not be included in the systematic credit limit check. As a result, orders could potentially be released for auto approve customers when they are over their credit limit.

Recommendation: A policy should be written and implemented which gives Collections Representatives guidelines for the various situations that may arise in the sales order release process and the appropriate action to take. The policy should require that Collections Representatives document in XXX their explanations for the release of an order for a customer with past due accounts or an exceeded credit limit. The Collections Supervisor should verify that any orders released over the credit limit are within an X% variance, and that documentation exists for these orders. For systematically approved customers, an alternate process should be put in place for customers who also have X and X orders to ensure that customers are not exceeding their total credit limits.

Business Risk/Impact: A sales order may be released for a customer with past due accounts or an exceeded credit limit. This could result in an increased risk of uncollectible accounts.

[Slide callout: Proximate Cause]

Responsible Person(s): X
Implementation Timing: Policy: End of P3 Fiscal (insert date); Review of Sales Orders: Implemented; Sales order approval: As denoted on Page X. 8

76 Observations, Findings and Action Matrix

The credit analysis department has not been reviewing customer credit limits on a regular basis prior to (insert date). The group has not been following a consistent methodology for evaluating customers' credit and the assignment of credit limits.

Observation: We selected a sample of X customers from the current customer master file. Of the sample selected, X out of X customer credit limits were being reviewed to comply with the new policy. The credit limits for the above-mentioned customers were based on the former X system. In the past few months, the credit analysis department has been reviewing customer files to evaluate customer credit lines. The Credit Policy Guidelines state that customers' credit limits should be reviewed on an annual basis. As of this audit, the review has not been completed for all customers. As the Credit Policy Guidelines are new, a consistent method has not been followed for all customers who currently have credit granted.

Recommendation: Once all customer files have been reviewed using the new policy, a customer file review calendar should be developed to ensure all customer files are reviewed on an annual basis. While reviewing the files of existing customers, credit issuance should be examined to ensure compliance with the current policy.

Business Risk/Impact: Inadequate monitoring, analysis and creation of credit limits leads to an increased risk that credit issued to customers is excessive or inadequate, resulting in increased bad debt or lost sales.

Management Action Plan: A calendar was created in (insert date) that will serve as a tool to ensure that all customers are reviewed on an annual basis. As the new credit policy was approved in fiscal (insert date), by the end of calendar (insert date) all customer files will have been reviewed and the credit will have been evaluated to ensure it is in line with current policy.

Responsible Person(s): X
Implementation Timing: End of calendar (insert date).

[Slide callouts: Root Cause; High Level, Systematic Effect] 9

77 Observations, Findings and Action Matrix

[Slide callout: Best Practice Criteria]

Criteria: In organizations of comparable size, formal policies and procedures exist for the collections, order accommodation and deductions processes.

Observation: There are no formal policies and procedures for the collections, order accommodation (release authorization) and deduction processes.

Recommendation: It is recommended that formalized policies and procedures be put into place for the above-mentioned processes; this ensures that processes are followed consistently and in accordance with Management's intent.

Business Risk/Impact: Lack of policies and procedures can increase risk related to credit authorization, inappropriate release of orders and inconsistent treatment of deductions.

[Slide callout: Mile High Condition]

Management Action Plan: Will develop formal policies and procedures for the areas of Collections, Order release process and Deductions for the domestic and international customer base.

Responsible Person(s): X
Implementation Timing: End of P3 (insert date) 10

78 Report Distribution (Insert the names, position titles, and company name on this slide to communicate who is on the distribution list for this report.) Distribution 11

79 EXAMPLE - NDUS Audit recommendation tracking spreadsheet

Columns: Report | Entity | Category | Recommendation | Action Plan/Management's Response | Person Responsible | Timeline | Implemented | Notes

Report: NDUS yr end
Entity: NDUS
Category: Prior recom not impl.#3
Recommendation: During the 2009 and subsequent audit we recommended that the NDUS review internal audit staffing levels at UND and NDSU. Current Status: A review was done during fiscal year 2011 and a new internal auditor was hired at the Board Office; however, the review also determined that UND and NDSU were understaffed, but no additional staff was hired. The new Director of Internal Audit has been assigned to develop a new audit budget to include additional staff. Due to the many potential risks the NDUS and particularly UND and NDSU face, public image being a significant one, additional internal audit staff could help reduce these risks.
Action Plan/Management's Response: Agree. A staffing report was presented to the SBHE BAFC in November. In follow-up to this report, the BAFC Chair directed the NDUS Director of Internal Audit to prepare a plan to address: level of staff resources needed to adequately meet responsibilities, reporting relationship of system and campus internal audit staff to SBHE, and uniformity of audit plan and program. This plan will be presented to the BAFC on February 15.
Person Responsible: Bill Eggert
Implemented: Completed
Notes: 5/1/12 - Plan approved during the March 2012 BAFC meeting. 1 internal auditor starting 7/1/12, 1 compliance starting 1/1/13, both allocated to the campuses, and 1 FTE starting 7/1/13 funded by the state. However, further discussion with Dr. Shirvani indicates a potential change in this proposal.

Report: NDUS yr end
Entity: NDUS
Category: Prior recom not impl.#4
Recommendation: In the 2010 audit we recommended the SBHE improve its financial and accounting oversight by ensuring that: an accounting and financial management manual is written and adopted; internal controls are adequate and reviewed periodically; and appropriate action is taken to implement audit recommendations. Current Status: The Controllers Group is working on an accounting manual, but it has not been finalized or adopted as of the issuance of this report. While reviewing the segregation of duties grids completed by the schools, we noted many conflicts regarding personnel and their duties, concluding that internal control was not adequate and was not being reviewed. It is not clear, based on the number of unimplemented recommendations, that appropriate action has been taken to ensure recommendations are implemented.
Action Plan/Management's Response: Accounting Manual: Agree. The original targeted completion date was December 31. The update was approximately 85-90% complete by that date, but full completion has been delayed until March 31, 2012, due to an extended health-related absence of the Director of Financial Reporting during this period. Segregation of Duties: Agree. Individual campuses agree with and can support some of the proposed changes. However, others will require additional time for review and discussion, in coordination with the NDUS Director of Internal Audit. This review will be completed and changes made, as appropriate, by June 30. In addition, segregation of duties review will continue to be a part of the NDUS internal audit plans. Internal Control: Disagree. Although the NDUS has extensive internal controls in place, we will always continue to strive for improvement. Additional personnel resources are needed to ensure the level of SAO desired controls, and also for appropriate training and compliance oversight. Appropriate internal controls and formal training are an integral part of the NDUS internal audit methodology, and the NDUS Director of Internal Audit will explore various platforms (video, presentations, etc.) to conduct training on internal controls and will implement a plan by June 30th. Campus accounting staff participates in annual training, which in part addresses internal control issues. Implement Audit Recommendations: Agree. The NDUS Office
Person Responsible: Robin Putnam
Implemented: Completed
Notes: The update of the accounting manual was completed on March 28. Please be aware that the manual is not a static document and will be updated going forward when it is necessary to do so.

80 Report: NDUS yr end
Entity: UND Alumni, UND Rsch Found, UND Fellows, NDSU 4-H Found.
Category: Prior recom not impl.#5
Recommendation: During the 2010 audit we recommended that all foundation financial statements be presented in their respective reports in compliance with SBHE policy 340.2, paragraph 3. Current Status: All 2011 component unit reports were filed on a timely basis. However, four foundations (UND Alumni, UND Research Foundation, UND Fellows, and NDSU 4-H Foundation) submitted audit reports where current assets/liabilities were not separated from noncurrent assets/liabilities as required by Board Policy. NDSU 4-H Foundation and the UND Research Foundation subsequently revised their statements to include current and noncurrent assets.
Action Plan/Management's Response: NDSU: Agree. NDSU will continue to work with the ND 4-H Foundation to have their balance sheet displayed in the classified format in the future, for correct and timely submission. UND: Agree. UND Alumni Foundation, UND Fellows, and UND Research Foundation originally issued audited financial statements that did not separately present current and noncurrent assets and liabilities, but they were later revised consistent with policy requirements. UND will send timely reminders to the foundations in the future.

Report: NDUS yr end 11
Entity: NDSU, NDUSO, and UND
Category: Internal auditor
Recommendation: All NDUS internal audit staff obtain adequate CPE to enhance their audit skills and professional development and comply with IIA continuing education standards.
Action Plan/Management's Response: Agree. While we agree that on-going training is extremely important and helpful, workload demands coupled with staff and budget resource constraints may not permit CPE of 80 hours every two years.
Notes: 8 CPE's earned via Larson Allen training on 5/2; CPE's earned via NACUBO seminars in Denver in May.

Report: NDUS yr end 11
Entity: NDSU, NDUSO, and UND
Category: Internal auditor
Recommendation: All NDUS internal audit shops undergo an external assessment of their quality assurance programs, at least once every five years, by a qualified, independent reviewer.
Action Plan/Management's Response: Agree. NDUS will plan on having an independent review performed in FY 2016, and at least once every 5 years thereafter. Due to the newness of the system-wide internal audit function, it will take time to ensure all the IIA standards are in place and well documented before an external review would be appropriate or useful.

Report: NDUS yr end 11
Entity: NDSCS, NDSU, NDUSO, WSC
Category: 11-3 GASB 40 risk disclosures
Recommendation: We recommend NDSCS, NDSU, NDUSO, and WSC implement proper monitoring procedures to ensure that their deposit and interest risk disclosures are prepared in accordance with GASB 40.
Action Plan/Management's Response: NDSCS: Agree. NDSCS will develop procedures for the FY12 year-end close that ensure that the required disclosures are prepared in accordance with GASB 40. NDSU: Agree. NDSU reported an incorrect amount on NDUSO's Deposit template. We are aware of the error and it won't be repeated on next year's template. NDUSO: Agree. The NDUSO errors were the result of formula errors in the spreadsheets used to prepare the financial statements. Greater care will be taken in the future to ensure formulas are correct. WSC: Agree. WSC will properly monitor procedures to ensure that our deposit and interest risk disclosures are prepared in accordance with GASB 40, effective June 30.
Notes: GASB 40 Risk Disclosures: The formula errors will be fixed during the update of the FY12 spreadsheets. This will occur prior to submitting the FY12 footnote templates to the auditors. In addition, LarsonAllen is conducting a training session on this topic in the annual CG training that will take place on May 2nd.

Person Responsible / Timeline / Implemented cells for the rows above: Bill Eggert; Robin Putnam; In process; Completed for year 1.

81


More information

Control Environment Toolkit: Internal Audit Function

Control Environment Toolkit: Internal Audit Function III. MODEL DOCUMENT: INTERNAL AUDIT DEPARTMENT CHARTER ADOPTED BY THE AUDIT COMMITTEE OF THE COMPANY MEETING MINUTES NO OF 20 SIGNATURE OF THE CHAIRPERSON OF AUDIT COMMITTEE DATED THIS DAY OF, 20 Approved

More information

Periodic internal quality assessment Questions for discussion

Periodic internal quality assessment Questions for discussion Purpose, Authority, and Responsibility 1. Is the role of internal audit clearly defined in a document (a law, an act or a charter)? 2. Does this document also explain that we are not accountable for any

More information

SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER

SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER 1) 2) 3) 4) 5) 6) 7) 8) 9) 10) 11) 12) 13) CONTENT ILLUSTRATION INTRODUCTION & PURPOSE OF THE INTERNAL AUDIT CHARTER INTERPRETATION OBJECTIVES MISSION

More information

Quality Assessment Review. Agenda. The Law Says 11/16/2015. Internal Audit Management November 19-20, 2015

Quality Assessment Review. Agenda. The Law Says 11/16/2015. Internal Audit Management November 19-20, 2015 Quality Assessment Review Internal Audit Management November 19-20, 2015 Flerida Rivera-Alsing MBA,CPA, CIA, CFE, CISA, CRMA, CIDA, LIFA Chief Audit Executive State Board of Administration of Florida Agenda

More information

APES 320 QUALITY CONTROL FOR FIRMS

APES 320 QUALITY CONTROL FOR FIRMS May 2006 ACCOUNTING PROFESSIONAL AND ETHICAL STANDARDS BOARD APES 320 QUALITY CONTROL FOR FIRMS (Effective as at 1 July 2006) CONTENTS Paragraphs Introduction 1-5 Definitions 6 Elements of a System of

More information

Internal Audit Mandate

Internal Audit Mandate 1. Constitution 1.1. As a vital component of good Corporate Governance, an in-house and centralised Internal Audit function has been established by the Mr Price Group Board of Directors. 1.2. This function

More information

IPPF Practice Guide. Internal Audit Opinions

IPPF Practice Guide. Internal Audit Opinions Formulating and Expressing Internal Audit Opinions March 2009 Table of Contents 1. Executive Summary...1 2. Introduction...1 3. Planning the Expression of an Opinion...2 3.1 Expressing an Opinion...2 3.2

More information

QUALITY CONTROL FOR AUDIT WORK CONTENTS

QUALITY CONTROL FOR AUDIT WORK CONTENTS CONTENTS Paragraphs Introduction... 1-3 Audit Firm... 4-7 Individual Audits... 8-17 Appendix: Illustrative Examples of Quality Control Procedures for an Audit Firm 1 International Standards on Auditing

More information

The Internal Auditor s Duties Outside of Auditing

The Internal Auditor s Duties Outside of Auditing The Internal Auditor s Duties Outside of Auditing Dean Rohne, CPA, CIA dean.rohne@claconnect.com 1 1 Session Objectives Discuss the internal auditor s interaction with the supervisory committee and management

More information

Practice Guide. Developing the Internal Audit Strategic Plan

Practice Guide. Developing the Internal Audit Strategic Plan Practice Guide Developing the Internal Audit Strategic Plan JUly 2012 Table of Contents Executive Summary... 1 Introduction... 2 Strategic Plan Definition and Development... 2 Review of Strategic Plan...

More information

The Paradox of Dual Reporting and Internal Auditor s Independence

The Paradox of Dual Reporting and Internal Auditor s Independence The Paradox of Dual Reporting and Internal Auditor s Independence Presentation by: Fiona J. Korir (Ph.D Fellow) Friday, 23 rd June, 2017 Uphold public interest It is an independent objective assurance

More information

Audit-Risk Committee. Board Approval: August 2018

Audit-Risk Committee. Board Approval: August 2018 Charter: Audit-Risk Committee Board Approval: August 2018 Authority: 12 CFR 620.30, 621.30 621.32, 620.5(i)(2), & 612.2260; FCA WP 31.3-1 (Audit Committee)(02/16/16); FCA EM-31.3 (Audit & Review Programs)(04/20/16);

More information

INTERNAL AUDIT POLICIES AND PROCEDURES OPERATING MANUAL

INTERNAL AUDIT POLICIES AND PROCEDURES OPERATING MANUAL INTERNAL AUDIT POLICIES AND PROCEDURES OPERATING MANUAL CCCD Internal Audit Manual February 2017 8. QUALITY ASSURANCE AND ADMINISTRATION... 17 i CCCD Internal Audit Manual February 2017 TABLE OF CONTENTS

More information

Implementation Guide 2300

Implementation Guide 2300 Implementation Guide 2300 Standard 2300 Performing the Engagement Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement s objectives. Revised

More information

INTERNAL AUDIT CHARTER SECURE TRUST BANK PLC

INTERNAL AUDIT CHARTER SECURE TRUST BANK PLC INTERNAL AUDIT CHARTER SECURE TRUST BANK PLC 1 Internal Audit Charter 1. This Charter is based on the standard template for an Internal Audit Function Charter issued by the Chartered Institute of Internal

More information

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013 How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013 7:30 8:00 Continental Breakfast & Registration 8:00 8:30 Section

More information

Implementation Guide 2130

Implementation Guide 2130 Implementation Guide 2130 Standard 2130 Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting

More information

CGIAR System Management Board Audit and Risk Committee Terms of Reference

CGIAR System Management Board Audit and Risk Committee Terms of Reference Approved (Decision SMB/M4/DP4): 17 December 2016 CGIAR System Management Board Audit and Risk Committee Terms of Reference A. Purpose 1. The purpose of the Audit and Risk Committee ( ARC ) of the System

More information

Canada. Internal Audit Charter 1+1. Canadian Nuclear Safety Commission. Office of Audit and Ethics. April 18, 2011

Canada. Internal Audit Charter 1+1. Canadian Nuclear Safety Commission. Office of Audit and Ethics. April 18, 2011 1+1 Commission canadienne de sorete nucleaire Canadian Nuclear Safety Commission Internal Audit Charter Canadian Nuclear Safety Commission Office of Audit and Ethics April 18, 2011 E-DOCS-#371 0602 v2

More information

Quality Assurance and Improvement Program (QAIP)

Quality Assurance and Improvement Program (QAIP) Quality Assurance and Improvement Program (QAIP) Presenters: Lori Carmichael, CPA Rafael Guijarro, CPA Florida Michigan North Carolina Texas Insight. Oversight. Foresight. Class Overview Overview- QAIP

More information

External Quality Assessment of the Internal Audit Activity at the World Food Programme

External Quality Assessment of the Internal Audit Activity at the World Food Programme External Quality Assessment of the Internal Audit Activity at the World Food Programme November 2016 Table of Contents Executive Summary... 3 Opinion as to conformance to the Standards... 3 Scope and methodology...

More information

Implementation Guide 1300

Implementation Guide 1300 Implementation Guide 1300 Standard 1300 Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects

More information

ISM COMMUNICATIONS CORPORATION AUDIT COMMITTEE CHARTER

ISM COMMUNICATIONS CORPORATION AUDIT COMMITTEE CHARTER ISM COMMUNICATIONS CORPORATION AUDIT COMMITTEE CHARTER In accordance with the By-Laws and Revised Manual on Corporate Governance of ISM Communications Corporation (the Company ) dated February 18, 2011

More information

I. Mission. II. Scope of the Work

I. Mission. II. Scope of the Work CHAPTER: I - ORGANIZATION Page: A.1 MANUAL Appendix A CHARTER FOR THE OFFICE OF THE INSPECTOR GENERAL I. Mission 1. The Office of the Inspector General (OIG) provides oversight of the programmes and operations

More information

10/5/2016. Quality Assessment Review. Agenda. What s the purpose of a QAR? Internal Audit Manager Training October 3-4, 2016

10/5/2016. Quality Assessment Review. Agenda. What s the purpose of a QAR? Internal Audit Manager Training October 3-4, 2016 Quality Assessment Review Internal Audit Manager Training October 3-4, 2016 Lori Clark CIGA, CCEP, CGAP Compliance & Audit Specialist State University System of Florida Agenda What s the purpose of a QAR?

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note

More information

INTERNAL AUDIT PLAN AND CHARTER 2018/19

INTERNAL AUDIT PLAN AND CHARTER 2018/19 INTERNAL AUDIT PLAN AND CHARTER 208/9 PURPOSE OF REPORT. To present the proposed 208/9 audit plan and charter to the Audit Committee for consideration and approval..2 The Internal Audit Plan for 208/9

More information

INTERNATIONAL ORGANIZATION FOR MIGRATION. Keywords: internal audit, evaluation, investigation, inspection, monitoring, internal oversight

INTERNATIONAL ORGANIZATION FOR MIGRATION. Keywords: internal audit, evaluation, investigation, inspection, monitoring, internal oversight INTERNATIONAL ORGANIZATION FOR MIGRATION Document Title: Charter of the Office of the Inspector General (OIG) Document Type: Instruction Character: Compliance with this Instruction is mandatory Control

More information

OFFICE OF INTERNAL AUDITS APPALACHIAN STATE UNIVERSITY AUDIT MANUAL

OFFICE OF INTERNAL AUDITS APPALACHIAN STATE UNIVERSITY AUDIT MANUAL OFFICE OF INTERNAL AUDITS APPALACHIAN STATE UNIVERSITY AUDIT MANUAL June, 2016 AUDIT MANUAL TABLE OF CONTENTS SECTION 100 THE INTERNAL AUDIT ACTIVITY 100.1: Audit Activity Charter 100.2: State Agency General

More information

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department. CORPORATE AUDIT DEPARTMENT CHARTER PURPOSE This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department. The Institute of Internal Auditors

More information

COPYRIGHTED MATERIAL AUDIT SCHEDULING. Focus on: Conduct Engagements (25 35%) 1

COPYRIGHTED MATERIAL AUDIT SCHEDULING. Focus on: Conduct Engagements (25 35%) 1 AUDIT SCHEDULING An audit schedule is an essential part of planning internal auditing department activities. Since audit resources, in terms of available time and the number of auditors, are limited, the

More information

Internal Audit Appendix: IIA Standards

Internal Audit Appendix: IIA Standards Accountability Modules Internal Audit Appendix: IIA Standards Return to Table of ontents The following section provides additional detailed steps to examine when evaluating an internal audit function.

More information

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS Starwood Hotels & Resorts Worldwide, Inc. (the Company ) has determined that it is of the utmost importance

More information

Implementation Guide 2050

Implementation Guide 2050 Implementation Guide 2050 Standard 2050 Coordination and Reliance The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external

More information

CHARTER OF THE BOARD OF DIRECTORS

CHARTER OF THE BOARD OF DIRECTORS SUN LIFE FINANCIAL INC. CHARTER OF THE BOARD OF DIRECTORS This Charter sets out: 1. The duties and responsibilities of the Board of Directors (the Board ); 2. The position description for Directors; 3.

More information

B. The Committee assists the Board in its oversight of: D. The Committee is entitled to place reasonable reliance on:

B. The Committee assists the Board in its oversight of: D. The Committee is entitled to place reasonable reliance on: I. Purpose and Objectives This Charter sets forth the authority and responsibilities of the Audit Committee of the Board of the Directors. A. The Committee assists the Board in fulfilling its oversight

More information

Implementation Guide 2000

Implementation Guide 2000 Implementation Guide 2000 Standard 2000 Managing the Internal Audit Activity The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. Interpretation:

More information

Ibstock plc. (the Company) Audit Committee - Terms of Reference

Ibstock plc. (the Company) Audit Committee - Terms of Reference Ibstock plc (the Company) Audit Committee - Terms of Reference 1. PURPOSE 1.1 The role of the Audit Committee (the Committee) is to: monitor the integrity of the financial statements and related announcements

More information

STANDARDS: QUALITY ASSURANCE

STANDARDS: QUALITY ASSURANCE STANDARDS: QUALITY ASSURANCE -1- Standards Quality Assurance Credibility Bruce Turner AM - IIA-Australia Meeting stakeholder expectations 94% of stakeholders believe there is value for internal auditors

More information

International Standard on Auditing (UK) 220 (Revised June 2016)

International Standard on Auditing (UK) 220 (Revised June 2016) Standard Audit and Assurance Financial Reporting Council June 2016 International Standard on Auditing (UK) 220 (Revised June 2016) Quality Control for an Audit of Financial Statements The FRC is responsible

More information

External Quality Assessment Review of University of Florida s Office of Internal Audit

External Quality Assessment Review of University of Florida s Office of Internal Audit External Quality Assessment Review of University of Florida s Office of Internal Audit May 30, 2017 TABLE OF CONTENTS Executive Summary... 1 Objectives, Scope and Methodology... 2 Summary of Results...

More information

Changes in the IIA Standards: New Requirements for Internal Audit Functions

Changes in the IIA Standards: New Requirements for Internal Audit Functions Changes in the IIA Standards: New Requirements for Internal Audit Functions Summary of Changes Effective January 1, 2009, the IIA made changes to the IIA Standards: Changed from should to must throughout

More information

A Firm s System of Quality Control

A Firm s System of Quality Control A Firm s System of Quality Control 2759 QC Section 10 A Firm s System of Quality Control (Supersedes SQCS No. 7.) Source: SQCS No. 8; SAS No. 122; SAS No. 128. Effective date: Applicable to a CPA firm's

More information

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors Statement on February 2014 Auditing Standards 128 Issued by the Auditing Standards Board Using the Work of Internal Auditors (Supersedes Statement on Auditing Standards [SAS] No. 65, The Auditor's Consideration

More information

THE PARADOX OF DUAL REPORTING AND INTERNAL AUDITORS INDEPENDENCE

THE PARADOX OF DUAL REPORTING AND INTERNAL AUDITORS INDEPENDENCE THE PARADOX OF DUAL REPORTING AND INTERNAL AUDITORS INDEPENDENCE What is internal auditing? It is an independent objective assurance and consulting activity designed to add value and improve organizations

More information

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions PRACTICE GUIDE Formulating and Expressing Internal Audit Opinions 2 of 23 Table of Contents 1. Executive Summary... 1 2. Introduction... 2 3. Planning the Expression of an Opinion... 3 3.1 Expressing an

More information

How to plan an audit engagement

How to plan an audit engagement 01 November 2017 How to plan an audit engagement Chartered Institute of Internal Auditors Planning audit projects, or engagements, well will ensure you deliver a quality assurance and consulting service

More information

Quality Assessments what you need to know

Quality Assessments what you need to know Quality Assessments what you need to know Patty Miller, Partner Deloitte & Touche LLP Cavell Alexander, VP-Internal Audit Intermountain Healthcare Overview of requirements Scope of assessment Approaches

More information