INFORMATION TECHNOLOGY SECURITY AUDIT GUIDELINE - Virginia


COV ITRM Guideline SEC512-00
Effective Date: 12/20/2007

COMMONWEALTH OF VIRGINIA
Information Technology Resource Management

INFORMATION TECHNOLOGY SECURITY AUDIT GUIDELINE

Virginia Information Technologies Agency (VITA)

ITRM Publication Version Control

It is the user’s responsibility to ensure that he or she has the latest version of the ITRM publication. Questions should be directed to the Associate Director for Policy, Practice and Architecture (PPA) at VITA’s IT Investment and Enterprise Solutions (ITIES) Directorate. ITIES will issue a Change Notice Alert when the publication is revised. The Alert will be posted on the VITA Web site. An email announcement of the Alert will be sent to the Agency Information Technology Resources (AITRs) at all state agencies and institutions, as well as other parties PPA considers interested in the publication’s revision.

This chart contains a history of this ITRM publication’s revisions:

Version   | Date       | Purpose of Revision
Original  | 12/20/2007 | Base

Review Process

Technology Strategy and Solutions Directorate Review: N. Jerry Simonoff, VITA Director of Information Technology Investment and Enterprise Solutions (ITIES), and Chuck Tyger, Director for Policy, Practices, and Architecture Division, provided the initial review of the report.

Agency Online Review: The report was posted on VITA’s Online Review and Comment Application (ORCA) for 30 days. All agencies, stakeholders, and the public were encouraged to provide their comments through ORCA. All comments were carefully evaluated and the individual commenters were notified of the action taken.

Publication Designation
COV ITRM IT Security Audit Guideline

Subject
Information Technology Security Audits

Effective Date
12/20/2007

Scheduled Review
One (1) year from effective date

Authority
Code of Virginia, §§ 2.2-2005 – 2.2-2032 (Creation of the Virginia Information Technologies Agency; “VITA;” Appointment of Chief Information Officer (CIO))

Scope
This Guideline is offered as guidance to all executive, legislative, and judicial branch, and independent State agencies and institutions of higher education (collectively referred to as “agency”) that manage, develop, purchase, and use information technology (IT) resources in the Commonwealth.

Purpose
To guide agencies in the implementation of the information technology security audit requirements defined by ITRM Standard SEC502-00.

General Responsibilities
(Italics indicate quote from the Code of Virginia)

Chief Information Officer
In accordance with Code of Virginia § 2.2-2009, the Chief Information Officer (CIO) is assigned the following duties: “the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information.”

Chief Information Security Officer
The Chief Information Officer (CIO) has designated the Chief Information Security Officer (CISO) to develop Information Security policies, procedures, and standards to protect the confidentiality, integrity, and availability of the Commonwealth of Virginia’s IT systems and data.

IT Investment and Enterprise Solutions
In accordance with the Code of Virginia § 2.2-2010, the CIO has assigned the IT Investment and Enterprise Solutions Directorate the following duties: “Develop and adopt policies, standards, and guidelines for managing information technology by state agencies and institutions.”

All Executive Branch, Legislative, Judicial Branches and Independent State Agencies and institutions of Higher Education
In accordance with § 2.2-2009 of the Code of Virginia, “To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the Commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs.”

Definitions

Agency – All executive branch and independent State agencies and institutions of higher education that manage, develop, purchase, and use IT resources in the Commonwealth of Virginia (COV).

CISO – Chief Information Security Officer – The CISO is the senior management official designated by the CIO of the Commonwealth to develop Information Security policies, procedures, and standards to protect the confidentiality, integrity, and availability of COV IT systems and data.

Data – An arrangement of numbers, characters, and/or images that represent concepts symbolically.

Data Owner – An agency Manager, designated by the agency Head or Information Security Officer, who is responsible for the policy and practice decisions regarding data. For business data, the individual may be called a business owner of the data.

Electronic Information – Any information stored in a format that enables it to be read, processed, manipulated, or transmitted by an IT system.

Government Electronic Information – Electronic information owned or held by COV.

ISO – Information Security Officer – The individual designated by the agency Head to be responsible for the development, implementation, oversight, and maintenance of the agency’s IT security program.

IT System – An interconnected set of IT resources and data under the same direct management control.

Information Technology (IT) – Telecommunications, automated data processing, databases, the Internet, management information systems, and related information, equipment, goods, and services.

Information Technology (IT) Security – The protection afforded to IT systems and data in order to preserve their availability, integrity, and confidentiality.

Information Technology (IT) Security Audit – An independent review and examination of an IT system's policy, records, and activities. The purpose of the IT security audit is to assess the adequacy of IT system controls and compliance with established IT security policy and procedures.

Least Privilege – The minimum level of data, functions, and capabilities necessary to perform a user’s duties.

Sensitive Data – Any data of which the compromise with respect to confidentiality, integrity, and/or availability could adversely affect COV interests, the conduct of agency programs, or the privacy to which individuals are entitled.

Sensitive IT Systems – COV IT systems that store, process, or transmit sensitive data.

Separation of Duties – Assignment of responsibilities such that no one individual or function has control of an entire process. It is a technique for maintaining and monitoring accountability and responsibility for IT systems and data.

System Owner – An agency Manager, designated by the agency Head or Information Security Officer, who is responsible for the operation and maintenance of an agency IT system.

Related ITRM Policy and Standards

ITRM Policy SEC500-02: Information Technology Security Policy (Revised 07/01/2007)
ITRM Standard SEC501-01: Information Technology Security Standard (Revised 07/01/2007)
ITRM Standard SEC502-00: Information Technology Security Audit Standard (Revised 09/01/2006)

TABLE OF CONTENTS

1 INTRODUCTION
  1.1 Information Technology Security
  1.2 IT Security Audits
  1.3 Roles and Responsibilities
2 PLANNING
  2.1 Coordination
  2.2 IT Security Audit Plan
3 PERFORMANCE
  3.1 Scope
    3.1.1 Objectives
  3.2 Schedule
  3.3 Preparation for IT Security Audits
  3.4 Qualifications of IT Security Auditors
  3.5 Documentation
  3.6 Audit Process
4 DOCUMENTATION
  4.1 Work Papers
  4.2 Reports
  4.3 Corrective Action Plan
  4.4 CAP Periodic Reporting
APPENDICES
  APPENDIX A – IT SECURITY AUDIT PLAN EXAMPLE AND TEMPLATE
  APPENDIX B – IT SECURITY AUDIT ENGAGEMENT LETTER EXAMPLE AND TEMPLATE
  APPENDIX C – IT SECURITY AUDIT CHECKLIST OF ACCESS REQUIREMENTS EXAMPLE AND TEMPLATE
  APPENDIX D – IT SECURITY AUDIT CORRECTIVE ACTION PLAN EXAMPLE AND TEMPLATE
  APPENDIX E – GENERAL AUDIT PROGRAM EXAMPLE

1 Introduction

1.1 Information Technology Security

This Guideline presents a methodology for Information Technology (IT) security audits suitable for supporting the requirements of the Commonwealth of Virginia (COV) Information Technology Security Policy (ITRM Policy SEC500-02), the Information Technology Security Standard (ITRM Standard SEC501-01), and the Information Technology Security Audit Standard (ITRM Standard SEC502-00). These documents are hereinafter referred to as the “Policy”, “Standard”, and “Audit Standard”, respectively.

The function of the Policy is to define the overall COV IT security program, while the Standard defines high-level COV IT security requirements, and the Audit Standard defines requirements for the performance and scope of IT security audits. This Guideline describes methodologies for agencies to use when meeting the IT security audit requirements of the Policy, Standard, and Audit Standard. Agencies are not required to use these methodologies, however, and may use methodologies from other sources or develop their own, provided those methodologies meet the requirements of the Policy, Standard, and Audit Standard.

1.2 IT Security Audits

Information security audits are a vital tool for governance and control of agency IT assets. IT security audits assist agencies in evaluating the adequacy and effectiveness of controls and procedures designed to protect COV information and IT systems. This Guideline suggests actions to make the efforts of auditors and agencies more productive, efficient, and effective.

1.3 Roles and Responsibilities

Agencies should assign an individual to be responsible for managing the IT Security Audit program for the agency. While the individual assigned this responsibility will vary from agency to agency, it is recommended that it be assigned either to the agency Internal Audit Director, where one is available, or to the Information Security Officer (ISO).

2 Planning

2.1 Coordination

As stated in the Audit Standard, at a minimum, IT systems that contain sensitive data relative to one or more of the criteria of confidentiality, integrity, or availability shall be assessed at least once every three years.

For maximum efficiency, the agency’s IT Security Audit Program should be designed to place reliance on any existing audits being conducted, such as those by the agency’s internal audit organization, the Auditor of Public Accounts, or third-party audits of any service provider. When contracting for sensitive systems to be hosted at or managed by a private-sector third-party service provider, the contract terms should include a requirement to comply with the COV ITRM IT Security Policy and Standards, and a requirement that a third party conduct an IT security audit at a frequency commensurate with risk. Agencies should also consider including in the contract terms qualifications for the IT Security Auditor such as those outlined in section 3.4 of this Guideline.

If multiple systems share similar characteristics, such as use of the same logical access control method, database, or infrastructure, the agency may wish to audit that common area once as a system rather than multiple times for each sensitive system that depends on it. Similarly, if a sensitive system is deployed at many locations, a sampling of those locations may provide adequate assurance. Finally, if an agency has an active and defined control self-assessment program in place that includes one or more sensitive systems, the agency may wish to place reliance on those self-assessments, limiting the audit to evaluation and testing of key elements of the self-assessment(s).

2.2 IT Security Audit Plan

The IT security audit plan helps the agency schedule the necessary IT Security Audits of the sensitive systems identified in the data and system classification step of the risk management process. The agency uses the IT security audit plan to identify and document the:

1. Sequencing of the IT Security Audits relative to both risk and the business cycle of the agency, to avoid scheduling during peak periods;
2. Frequency of audits commensurate with risk and sensitivity; and
3. Resources to be used for the audit, such as Internal Auditors, the Auditor of Public Accounts staff, or a private firm that the agency deems to have adequate experience, expertise, and independence. To provide adequate objectivity and separation of duties, IT security audits should not be performed by the same group or entity that created the IT security policies, procedures, and controls being audited, or that manages IT operations.

An example of an IT Security Audit Plan is included in Appendix A.

3 Performance

As stated in the Audit Standard, prior to performing each IT Security Audit, the IT Security Auditor will contact the agency Head or designee and agree on:

- A specific scope;
- A mutually agreeable schedule for the IT Security Audit; and
- A checklist of information and access required for the IT Security Audit.

The level of access to information granted to the auditor should be based on the principle of least privilege, as defined in the Definitions section at the beginning of this Guideline. The agency should designate an agency point-of-contact (POC) for the IT security audit; all auditor requests for access to agency information should be directed to the agency POC. An example checklist is included in Appendix C.

3.1 Scope

The scope of the audit defines the boundaries of the project and should be established and agreed to by the agency prior to the conduct of the audit. As stated by the Institute of Internal Auditors: “the scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.” The scope defines what is planned to be assessed and/or tested in the audit for that system or systems, what period of time the audit will cover, and the timing of the audit itself. It also specifies any other control activity on which the auditor is placing reliance, such as other audits or assessments.

The goal in defining the scope of the audit is to include all elements that are part of the IT system undergoing the audit and to exclude those components that are external to it. In general, the scope of the audit should correspond to the system boundary of the IT system undergoing the audit. See the Standard, section 2.5, and the COV ITRM Risk Management Guideline (COV ITRM Guideline SEC506-01) for further information regarding IT system boundaries.

At a minimum, the audit scope must assess the effectiveness of the controls in place and compliance with the Policy and Standard, as well as any other applicable Federal and COV laws and regulations, such as:

- Internal Revenue Service (IRS) Publication 1075; or
- The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Additionally, facets of controls other than compliance, including reliability and integrity of financial and operational information, effectiveness and efficiency of operations, and safeguarding of assets, should be considered for inclusion within the scope of the audit depending on the IT system(s) being audited and the relative risk.

3.1.1 Objectives

In addition to defining the scope or boundaries of the IT Security Audit, the IT Security Auditor should also define the objectives of the audit. The objectives define what will be determined within the scope of the audit. For example, an audit objective might be to determine whether access controls are functioning as intended and are adequately documented.

3.2 Schedule

To coordinate the impact across the organization, the agency should work with the auditor to establish an effective and workable schedule. The schedule should enable the audit to proceed in a logical progression and help coordinate the efforts of the auditor and involved agency personnel. For example, if an audit will require disruption of an IT system, the schedule can be used to inform personnel and to minimize the impact of the disruption.

3.3 Preparation for IT Security Audits

In preparation for conducting the IT Security Audit, the Auditor should become familiar with any readily available material applicable to the audit, such as laws, available reports, web-related information, etc.

3.4 Qualifications of IT Security Auditors

As stated in the Audit Standard, IT security audits may be performed by CISO personnel, Agency Internal Auditors, the Auditor of Public Accounts, or the staff of a private firm that, in the judgment of the Agency, has the experience and expertise required to perform IT security audits. Agencies should consider the following qualifications for the selected IT Security Auditor:

- Familiarity with the COV IT Security Policy (ITRM Policy SEC500-02), IT Security Standard (ITRM Standard SEC501-01), and IT Security Audit Standard (ITRM Standard SEC502-00);
- Credentials as a Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and/or Certified Information Systems Auditor (CISA); and
- Experience conducting IT audits within the past three to five years.

3.5 Documentation

The scope and objectives, schedule, and information needed to complete the audit should be documented by the IT Security Auditor in an Engagement Letter or Memorandum to the agency head. An example IT Security Audit Engagement Letter is included in Appendix B.

3.6 Audit Process

Agencies are advised to define an audit process that includes the following phases:

- Familiarization – initial research and review of laws, policies, procedures, and best practices;
- Preliminary Survey – detailed information-gathering phase, which may include reviews of procedures, diagrams, the system boundary definition, risk assessment, and other existing documentation, combined with interviews and/or surveys of key personnel, documentation of key controls, walkthroughs and observations, an initial assessment of key controls, and design of the audit test plan;
- Fieldwork – execution of the audit test plan and conclusions regarding the results. Any potentially negative conclusions should be confirmed with the agency’s operations staff prior to escalation; and
- Reporting – documentation of the audit results for management review and use.

Because IT security audits within the Commonwealth span numerous subject areas, extending to the wide variety of hardware platforms, software, integration methods, and business application areas in use, no single standard IT security audit program is recommended. A general audit program is attached as an example in Appendix E. The general audit program identifies some sources for specific IT Security Audit technical considerations.

4 Documentation

4.1 Work Papers

Work papers comprise the notes and other intermediate work products that lead up to the auditor’s final report. The auditor’s work papers must document the audit and include sufficient evidence to support all conclusions. Because the work papers record details of the agency’s controls and any weaknesses found, the auditor must protect them in order to prevent compromise of the agency’s security. The agency should support the auditor in protecting the work papers by providing appropriate protections, including locked files, access-controlled facilities, etc.

4.2 Reports

The IT Security Audit Report documents the results of the audit. Audit results must be presented to the agency head or designee in a draft report for their review and comment. The agency head and auditor will collaborate to make mutually agreeable changes, and document the agency head’s acceptance or non-acceptance of the findings.

4.3 Corrective Action Plan

As stated in the Audit Standard, a corrective action plan (CAP) must be prepared to document the findings of the IT Security Audit. For each finding, the CAP documents whether or not the agency concurs with the finding, and:

- Planned corrective actions, completion dates, and responsible individuals for findings with which the agency concurs; and
- The agency’s statement of position, mitigating controls, and acceptance of risk for findings with which the agency does not concur.

Once the CAP is developed, the auditor includes the CAP in the final report. An example CAP is included in Appendix D.

4.4 CAP Periodic Reporting

As stated in the Audit Standard, at a minimum once each quarter, each agency head must submit to the CISO a report of any newly completed audits as well as updates on any outstanding corrective actions, in the form of the CAP listing with the results of all IT security audits conducted by or for the agency during the preceding quarter. In order to assist VITA in carrying out its information assurance responsibilities, agencies are also requested to submit to the CISO each quarter the full audit report for each IT security audit conducted by or for the agency during the previous quarter. If the report contains sensitive information, do not email it; instead, send an email to CommonwealthSecurity@VITA.Virginia.Gov requesting assistance in identifying an efficient yet secure manner of transmitting the report.

Appendices

These Appendices provide examples and templates that agencies may use to document their use of many of the methodologies described in this Guideline. Each template consists of an example of the document, completed with fictional information. A blank version of the template for use by COV agencies can be found on the VITA website x?id 537#securityPSGs.

The examples use different fonts for instructions and example information, as follows:

- Times New Roman text is used for the template itself.
- Shaded Arial Bold text is example text.
- Times New Roman Italic text is provided as instructions for completing the template.

Appendix A – IT Security Audit Plan Example and Template

PURPOSE: This Plan coordinates the execution of security audits for the IT systems supporting government databases (as defined by ITRM Standard SEC502-00).

IT Security Audit Plan (example)

Agency Name and Acronym: Budget Formulation Agency (BFA)
Date Submitted: 01/02/2008
Submitted By (Name & Title): Jane Jones, BFA ISO
Phone Number: (804) 979-2461
E-mail Address: jane.jones@bfa.virginia.gov

IT System                          | System ID | Selected Auditor         | Next Three Planned Audit Dates (Fiscal Years 2008, 2009, 2010) | Areas for Special Emphasis and Additional Audit Requirements‡
Budget Formulation System          |           |                          | 1st quarter                                                    | a) Security procedures for laptop use at employee homes. b) Policies regarding protection of mobile storage (flash drives, DVDs, etc.)
Budget Collection System (BCS)     | BFA-002   | APA                      | 2nd quarter                                                    | a) IRS 1075 requirements. b) Requirements for users to complete background checks before receiving BCS access.
Budget Reconciliation System (BRS) | BFA-003   | BFA Internal Audit Staff | 3rd quarter                                                    | a) Security controls governing remote access to BRS data.

‡ All IT Security Audits must evaluate overall effectiveness of controls, as well as compliance with the IT Security Policy (ITRM Policy SEC500-02), Standard (ITRM Standard SEC501-01), and any other applicable laws, regulations, policies, and procedures. Use this column to indicate any audit areas that require special attention or any additional audit requirements.

IT Security Audit Plan (blank template)

Agency Name and Acronym:
Date Submitted:
Submitted By (Name & Title):
Phone Number:
E-mail Address:

IT System | System ID | Selected Auditor | Next Three Planned Audit Dates (Fiscal Years 2008, 2009, 2010) | Areas for Special Emphasis and Additional Audit Requirements
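The plan above lists each sensitive system, its selected auditor, and the planned audit dates. As an added example that is not part of the original Guideline, the following Python script derives such a schedule from a system inventory: it applies the three-year minimum cadence from section 2.1 to every sensitive system, flags systems that are already overdue, labels each due date with a fiscal year and quarter as Appendix A does, and follows section 2.1's advice to audit a component shared by several sensitive systems once rather than once per dependent system. The inventory, last-audit dates and dependencies are constructed, and the 1 July fiscal-year start used for labelling is an assumption.

```python
"""Added example, not part of the COV guideline: derive an IT security audit plan
from a system inventory. It applies the minimum cadence quoted in section 2.1
(sensitive systems assessed at least once every three years) and the advice in
the same section to audit a shared component once rather than once per dependent
system. System names, dates and dependencies below are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

AUDIT_CYCLE_YEARS = 3          # minimum from the Audit Standard, as quoted in section 2.1
FISCAL_YEAR_START_MONTH = 7    # assumption: Virginia's fiscal year begins 1 July


@dataclass(frozen=True)
class ITSystem:
    name: str
    sensitive: bool                          # stores, processes or transmits sensitive data
    last_audit: date | None = None           # None means the system has never been audited
    shared_components: tuple[str, ...] = ()  # common infrastructure the system depends on


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_due(system: ITSystem, as_of: date) -> date | None:
    """Next audit date under the three-year rule; None for non-sensitive systems."""
    if not system.sensitive:
        return None
    if system.last_audit is None:
        return as_of                         # never audited: due now
    return add_years(system.last_audit, AUDIT_CYCLE_YEARS)


def fiscal_quarter(d: date) -> tuple[int, int]:
    """Map a date to (fiscal year, quarter) so the plan can be laid out like Appendix A."""
    fy = d.year + 1 if d.month >= FISCAL_YEAR_START_MONTH else d.year
    quarter = ((d.month - FISCAL_YEAR_START_MONTH) % 12) // 3 + 1
    return fy, quarter


def build_plan(systems: tuple[ITSystem, ...], as_of: date) -> dict:
    """Return the audit schedule plus the shared components to audit once."""
    schedule = []
    for s in systems:
        due = next_due(s, as_of)
        if due is None:
            continue
        fy, quarter = fiscal_quarter(due)
        schedule.append({"system": s.name, "due": due.isoformat(),
                         "fiscal_year": fy, "quarter": quarter,
                         "overdue": due < as_of})
    schedule.sort(key=lambda row: row["due"])   # ISO dates sort chronologically

    dependents = defaultdict(list)
    for s in systems:
        if s.sensitive:
            for component in s.shared_components:
                dependents[component].append(s.name)
    # Components used by more than one sensitive system: audit them once as a system.
    shared_once = {c: names for c, names in dependents.items() if len(names) > 1}
    return {"schedule": schedule, "shared_once": shared_once}


# Constructed inventory echoing the fictional agency in Appendix A.
PLAN_DATE = date(2008, 1, 2)
INVENTORY = (
    ITSystem("Budget Formulation System (BFS)", True, date(2005, 3, 15),
             ("Agency Directory", "Database Cluster")),
    ITSystem("Budget Collection System (BCS)", True, date(2004, 2, 29),
             ("Agency Directory",)),
    ITSystem("Budget Reconciliation System (BRS)", True, None,
             ("Database Cluster",)),
    ITSystem("Public Web Site", False, date(2003, 8, 1)),
)


def example_plan() -> dict:
    return build_plan(INVENTORY, PLAN_DATE)


if __name__ == "__main__":
    plan = example_plan()
    for row in plan["schedule"]:
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["system"]:<36} due {row["due"]}  FY{row["fiscal_year"]} Q{row["quarter"]} {flag}')
    for component, names in plan["shared_once"].items():
        print(f"audit {component!r} once; dependents: {', '.join(names)}")
```

Running the script lists the never-audited BRS as due on the plan date, BCS as overdue (its three-year window closed on 28 February 2007), and both shared components as candidates for a single audit covering their dependent systems; the non-sensitive web site is omitted, matching the Audit Standard's minimum scope.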

Appendix B – IT Security Audit Engagement Letter Example and Template

March 30, 2008

William C. Williams, Director
Department of Citizen Services
1607 Side Street
Richmond, VA 23219

The Department of Citizen Services (DCS) Internal Audit Division (IAD) is conducting the regularly scheduled IT security audit of the DCS Request Processing System (RPS).

The examination of RPS will be conducted in accordance with generally accepted internal auditing standards and will also meet the requirements of the Commonwealth of Virginia (COV) Information Technology Resource Management (ITRM) Policy SEC500-02, Information Technology Security Policy; Standard SEC501-01, Information Technology Security Standard; and Standard SEC502-00, Information Technology Security Audit Standard.

Proposed Scope

The RPS System Audit will review the functioning of the RPS system for the period October 2007 through April 2008 and is scheduled to conclude by June 30, 2008, with a total of 300 audit hours. The audit will be performed by John Johnson, Managing Auditor, and Sam Samuels, Staff Auditor. The RPS system interconnects with system MNO. This audit excludes the MNO system but includes the RPS system up to the network interface point with the MNO system, as well as the logical access controls between the systems. This audit includes the application layer as well as the infrastructure layer of the RPS system. The RPS System Audit does not include general end-user Security Awareness Training or the incident response plan, as these areas are covered in the regularly scheduled General Controls Audit.

Proposed Objectives

Overall, the RPS Audit will assess the effectiveness of controls over the RPS system and compliance with COV ITRM SEC500-02, IT Security Policy; COV ITRM SEC501-01, IT Security Standard; DCS IT Systems Management Procedures; any legal requirements; and best practices. Specifically, the objectives of the RPS System Audit are to determine whether the IT security controls for the RPS system are documented and provide reasonable assurance that:

1. Physical access to the production environment, stored data, and documentation is restricted to prevent unauthorized destruction, modification, disclosure, or use.
2. Logical access to the production environment, data files, and sensitive system transactions is restricted to authorized user

