Developing The IT Audit Plan


Developing the IT Audit Plan

Global Technology Audit Guide (GTAG)

Written in straightforward business language to address a timely issue related to IT management, control, and security, the GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.

Information Technology Controls: Topics discussed include IT control concepts, the importance of IT controls, the organizational roles and responsibilities for ensuring effective IT controls, and risk analysis and monitoring techniques.

Change and Patch Management Controls: Critical for Organizational Success: Describes sources of change and their likely impact on business objectives, as well as how change and patch management controls help manage IT risks and costs and what works and doesn’t work in practice.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment: Addresses the role of continuous auditing in today’s internal audit environment; the relationship of continuous auditing, continuous monitoring, and continuous assurance; and the application and implementation of continuous auditing.

Management of IT Auditing: Discusses IT-related risks and defines the IT audit universe, as well as how to execute and manage the IT audit process.

Managing and Auditing Privacy Risks: Discusses global privacy principles and frameworks, privacy risk models and controls, the role of internal auditors, top 10 privacy questions to ask during the course of the audit, and more.

Managing and Auditing IT Vulnerabilities: Among other topics, discusses the vulnerability management life cycle, the scope of a vulnerability management audit, and metrics to measure vulnerability management practices.

Information Technology Outsourcing: Discusses how to choose the right IT outsourcing vendor and key outsourcing control considerations from the client’s and service provider’s operation.

Auditing Application Controls: Addresses the concept of application control and its relationship with general controls, as well as how to scope a risk-based application control review.

Identity and Access Management: Covers key concepts surrounding identity and access management (IAM), risks associated with IAM process, detailed guidance on how to audit IAM processes, and a sample checklist for auditors.

Business Continuity Management: Defines business continuity management (BCM), discusses business risk, and includes a detailed discussion of BCM program requirements.

Visit The IIA’s Web site at www.theiia.org/technology to download the entire series.

Developing the IT Audit Plan

Authors
Kirk Rehage, Chevron Corporation
Steve Hunt, Crowe Chizek and Company LLC
Fernando Nikitin, Inter-American Development Bank

July 2008

Copyright 2008 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Fla., 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

GTAG — Table of Contents

Table of Contents

1. Executive Summary ..... 1
2. Introduction ..... 2
2.1 IT Audit Plan Development Process ..... 3
3. Understanding the Business ..... 4
3.1 Organizational Uniqueness ..... 4
3.2 Operating Environment ..... 4
3.3 IT Environment Factors ..... 4
4. Defining the IT Audit Universe ..... 9
4.1 Examining the Business Model ..... 9
4.2 Role of Supporting Technologies ..... 9
4.3 Annual Business Plans ..... 9
4.4 Centralized and Decentralized IT Functions ..... 9
4.5 IT Support Processes ..... 10
4.6 Regulatory Compliance ..... 10
4.7 Define Audit Subject Areas ..... 10
4.8 Business Applications ..... 11
4.9 Assessing Risk ..... 11
5. Performing a Risk Assessment ..... 12
5.1 Risk Assessment Process ..... 12
5.1.1 Identify and Understand Business Objectives ..... 12
5.1.2 Identify and Understand IT Strategy ..... 12
5.1.3 IT Universe ..... 12
5.2 Ranking Risk ..... 13
5.3 Leading IT Governance Frameworks ..... 14
6. Formalizing the IT Audit Plan ..... 16
6.1 Audit Plan Context ..... 16
6.2 Stakeholder Requests ..... 17
6.3 Audit Frequency ..... 17
6.4 Audit Plan Principles ..... 18
6.5 The IT Audit Plan Content ..... 18
6.6 Integration of the IT Audit Plan ..... 19
6.7 Validating the Audit Plan ..... 19
6.8 The Dynamic Nature of the IT Audit Plan ..... 20
6.9 Communicating, Gaining Executive Support, and Obtaining Plan Approval ..... 21
7. Appendix: Hypothetical Company Example ..... 22
7.1 The Company ..... 22
7.2 The IT Audit Plan ..... 22
8. Glossary of Terms ..... 27
9. Glossary of Acronyms ..... 28
10. About the Authors ..... 29

GTAG — Executive Summary

1. Executive Summary

As technology becomes more integral to the organization’s operations and activities, a major challenge for internal auditors is how to best approach a companywide assessment of IT risks and controls within the scope of their overall assurance and consulting services. Therefore, auditors need to understand the organization’s IT environment; the applications and computer operations that are part of the IT infrastructure; how IT applications and operations are managed; and how IT applications and operations link back to the organization.

Completing an inventory of IT infrastructure components will provide auditors with information regarding the infrastructure’s vulnerabilities. “The complete inventory of the organization’s IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls.”1 For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks.2 Once an adequate understanding of the IT environment has been achieved, the chief audit executive (CAE) and the internal audit team can perform the risk assessment and develop the audit plan.

Many organizational factors are considered when developing the audit plan, such as the organization’s industry sector, revenue size, type, complexity of business processes, and geographic locations of operations. Two factors having a direct impact on the risk assessment and in determining what is audited within the IT environment are its components and role. For example:

• What technologies are used to perform daily business functions?
• Is the IT environment relatively simple or complex?
• Is the IT environment centralized or decentralized?
• To what degree are business applications customized?
• Are some or all IT maintenance activities outsourced?
• To what degree does the IT environment change every year?

These IT factors are some of the components CAEs and internal auditors need to understand to adequately assess risks relative to the organization and the creation of the annual audit plan.

In addition to factors impacting the risk assessment, it is important for CAEs and internal auditors to use an approach that ascertains the impact and likelihood of risk occurrence; links back to the business; and defines the high-, medium-, and low-risk areas through quantitative and qualitative analyses.

IT is in a perpetual state of innovation and change. Unfortunately, IT changes may hinder the IT auditor’s efforts to identify and understand the impact of risks. To help IT auditors, CAEs can:

• Perform independent IT risk assessments every year to identify the new technologies that are impacting the organization.
• Become familiar with the IT department’s yearly short-term plans and analyze how plan initiatives impact the IT risk assessment.
• Begin each IT audit by reviewing its risk assessment component.
• Be flexible with the IT audit universe — monitor the organization’s IT-related risk profile and adopt audit procedures as it evolves.3

Several IT governance frameworks exist that can help CAEs and internal audit teams develop the most appropriate risk assessment approach for their organization. These frameworks can help auditors identify where risks reside in the environment and provide guidance on how to manage risks. Some of the most common IT governance frameworks include COBIT, the UK’s Office of Government Commerce IT Infrastructure Library (ITIL), and the International Organization for Standardization’s (ISO’s) 27000 Standard series.

Mapping business processes, inventorying and understanding the IT environment, and performing a companywide risk assessment will enable CAEs and internal auditors to determine what needs to be audited and how often. This GTAG provides information that can help CAEs and internal audit teams identify audit areas in the IT environment that are part of the IT audit universe.

Due to the high degree of organizational reliance on IT, it is crucial that CAEs and internal auditors understand how to create the IT audit plan, the frequency of audits, and the breadth and depth of each audit. To this end, this GTAG can help CAEs and internal auditors:

1. Understand the organization and the level of IT support received.
2. Define and understand the IT environment.
3. Identify the role of risk assessment in determining the IT audit universe.
4. Formalize the annual IT audit plan.

Finally, this GTAG provides an example of a hypothetical organization to show CAEs and internal auditors how to execute the steps necessary to define the IT audit universe.

1 GTAG: Information Technology Controls, p. 15.
2 GTAG: Information Technology Controls, p. 15.
3 GTAG: Management of IT Auditing, pp. 6 and 7.

GTAG — Introduction

2. Introduction

The use of technology is an essential part of an organization’s activities. From the collection, processing, and reporting of accounting information to the manufacturing, sales, and distribution of products, virtually every business activity relies on the use of technology to some extent. The use of technology also has evolved to where it is not only supporting a business process but, in many cases, it is integral to controlling the process. As a result, internal controls in processes and activities are becoming more technology-based, while deficiencies and lack of integrity in supporting technologies are impacting the organization’s operations and business objectives significantly.

However, the development of an effective, risk-based IT audit plan has been a difficult task for internal auditors, especially when auditors do not have sufficient background in IT.

One of the main responsibilities and more difficult tasks of CAEs is to create the organization’s audit plan. As The Institute of Internal Auditors’ (IIA’s) Standard 2010: Planning explains, CAEs must establish risk-based plans on at least an annual basis to determine the priorities of the internal audit activity, which, in turn, should be consistent with the organization’s goals and strategies. Furthermore, CAEs should consider consulting engagements based on their potential to add value and improve the organization’s operations and risk management activities. These activities have been documented by The IIA Research Foundation’s Common Body of Knowledge 2006 study, which found that nearly all CAEs interviewed plan their audit activities at least annually, including 36.4 percent who update their audit plan multiple times per year. (Figure 1)

To develop a risk-based audit plan, CAEs should first perform a companywide risk assessment. The proper execution of an appropriate IT risk assessment — that is part of the overall risk assessment — is a vital component of companywide risk management practices and a critical element for developing an effective audit plan. “For many organizations, information and the technology that supports it represent the organization’s most valuable assets. Moreover, in today’s competitive and rapidly changing business environment, management has heightened expectations regarding IT delivery functions: Management requires increased quality, functionality and ease of use; decreased delivery time; and continuously improving service levels while demanding that this be accomplished at lower costs.”4

Regardless of the methodology or frequency of audit planning activities, the CAE and the internal audit team should first gain an understanding of the organization’s IT environment before performing the audit.

4 IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT), Third Edition, p. 5.

Figure 1. Frequency of audit plan updates. CQ25a (Q30): How frequently do you update the audit plan? Every year: 60%; Multiple times per year: 36%; No audit plan: 3%; Every two years: 1%; More than every two years: 0%. (Source: A Global Summary of the Common Body of Knowledge 2006, The IIA Research Foundation. Reprinted with permission.)

Results from several IIA external quality assessment reviews (QARs) reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, instead of doing risk-based auditing, internal auditors review what they know or outsource to other companies, letting them decide what to audit.

This guide offers techniques in how to address this challenge — how to determine what should be included in the IT audit scope and how these audit areas could be organized into manageable audit units — to create an effective IT audit plan for the organization.

Next, auditors need to define the IT universe. This can be done through a top-down approach that identifies key business objectives and processes, significant applications that support the business processes, the infrastructure needed for the business applications, the organization’s service support model for IT, and the role of common supporting technologies such as network devices. By using these technical components, along with an understanding of service support processes and system implementation projects, auditors will be able to create a comprehensive inventory of the IT environment. This inventory, in turn, forms the foundation for assessing the vulnerabilities that may impact internal controls.

After auditors have a clear picture of the organization’s IT environment, the third step is to perform the risk assessment — a methodology for determining the likelihood of an event that could hinder the organization from attaining its business goals and objectives in an effective, efficient, and controlled manner.

The information and analysis gained by understanding the organization, inventorying the IT environment, and assessing risks feeds into the final step, formalizing the au

