Planeamiento de TI

8/10/2019 Planeamiento de TI

1/36

Developing theIT Audit Plan

IPPF Practice Guide


2/36

Global Technology Audit Guide (GTAG)

Written in straightforward business language to address a timely issue related to IT management, control, and security, theGTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended

practices.

Information Technology Controls:

Topics discussed include IT control

concepts, the importance of IT controls,the organizational roles and

responsibilities for ensuring effective ITcontrols, and risk analysis and

monitoring techniques.

Change and PatchManagement Controls:

Critical forOrganizational

Success

Change and Patch Management

Controls: Describes sources of changeand their likely impact on business

objectives, as well as how change andpatch management controls helpmanage IT risks and costs and what

works and doesnt work in practice.

Continuous Auditing:Implications for Assurance,

Monitoring, andRisk Assessment

Continuous Auditing: Addresses therole of continuous auditing in todays

internal audit environment; therelationship of continuous auditing,

continuous monitoring, and continuousassurance; and the application and

implementation of continuous auditing.

Management of IT Auditing

Management of IT Auditing:Discusses

IT-related risks and defines the IT audituniverse, as well as how to execute andmanage the IT audit process.

Managingand Auditing

Privacy Risks

Managing and Auditing Privacy Risks:

Discusses global privacy principles andframeworks, privacy risk models andcontrols, the role of internal auditors, top

10 privacy questions to ask during thecourse of the audit, and more.

Managing and AuditingIT Vulnerabilities

Managing and Auditing ITVulnerabilities:Among other topics,

discusses the vulnerability managementlife cycle, the scope of a vulnerability

management audit, and metrics tomeasure vulnerability management

practices.

Information Technology Outsourcing:

Discusses how to choose the right IToutsourcing vendor and key outsourcing

control considerations from the clientsand service providers operation.

AuditingApplication

Controls

Auditing Application Controls:Addresses the concept of application

control and its relationship with generalcontrols, as well as how to scope a risk-based application control review.

Identity and AccessManagement

Identity and Access Management:Covers key concepts surrounding identity

and access management (IAM), risks

associated with IAM process, detailedguidance on how to audit IAM processes,

and a sample checklist for auditors.

Business ContinuityManagement

Business Continuity Management:Defines business continuity management

(BCM), discusses business risk, andincludes a detailed discussion of BCM

program requirements.

For more information and resources regarding technology-related audit guidance, visitwww.theiia.org/technology.


3/36

Authors

Kirk Rehage, Chevron Corporation

Steve Hunt, Crowe Horwath LLP

Fernando Nikitin, Inter-American Development Bank

Deveoping the IT Audit Pan

July 2008

Copyright 2008 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Fla.,

32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be

reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical,

photocopying, recording, or otherwise without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended

to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such

advice and makes no warranty as to any legal or accounting results through its publication of this docu-

ment. When legal or accounting issues arise, professional assistance should be sought and retained.


4/36

GTAG Tabe of Contents

Tabe of Contents

1. EXECUTIVE SUMMARY ............................................................................................................................................ 1

2. INTRODUCTION......................................................................................................................................................... 22.1 IT Audit Plan Development Process .................................................................................................................... 3

3. UNDERSTANDING THE BUSINESS ...................................................................................................................... 43.1 Organizational Uniqueness ..................................................................................................................................43.2 Operating Environment........................................................................................................................................ 43.3 IT Environment Factors ....................................................................................................................................... 4

4. DEFINING THE IT AUDIT UNIVERSE .................................................................................................................94.1 Examining the Business Model ............................................................................................................................. 94.2 Role of Supporting Technologies .........................................................................................................................94.3 Annual Business Plans .......................................................................................................................................... 9

4.4 Centralized and Decentralized IT Functions ........................................................................................................ 94.5 IT Support Processes ........................................................................................................................................... 104.6 Regulatory Compliance ......................................................................................................................................104.7 Define Audit Subject Areas ................................................................................................................................ 104.8 Business Applications ......................................................................................................................................... 114.9 Assessing Risk ..................................................................................................................................................... 11

5. PERFORMING A RISK ASSESSMENT .................................................................................................................. 125.1 Risk Assessment Process .....................................................................................................................................12

5.1.1 Identify and Understand Business Objectives ........................................................................................125.1.2 Identify and Understand IT Strategy .....................................................................................................125.1.3 IT Universe ............................................................................................................................................. 12

5.2 Ranking Risk .......................................................................................................................................................13

5.3 Leading IT Governance Frameworks .................................................................................................................14

6. FORMALIZING THE IT AUDIT PLAN ................................................................................................................166.1 Audit Plan Context ............................................................................................................................................166.2 Stakeholder Requests .......................................................................................................................................... 176.3 Audit Frequency .................................................................................................................................................176.4 Audit Plan Principles .......................................................................................................................................... 186.5 The IT Audit Plan Content ............................................................................................................................... 186.6 Integration of the IT Audit Plan ........................................................................................................................196.7 Validating the Audit Plan ..................................................................................................................................196.8 The Dynamic Nature of the IT Audit Plan........................................................................................................ 206.9 Communicating, Gaining Executive Support, and Obtaining Plan Approval..................................................21

7. APPENDIX: HYPOTHETICAL COMPANY EXAMPLE ..................................................................................... 227.1 The Company ..................................................................................................................................................... 227.2 The IT Audit Plan ..............................................................................................................................................22

8. GLOSSARY OF TERMS .............................................................................................................................................27

9. GLOSSARY OF ACRONYMS ...................................................................................................................................28

10. ABOUT THE AUTHORS .......................................................................................................................................... 29


5/361

GTAG Executive Summary

and low-risk areas through quantitative and qualitativeanalyses.

IT is in a perpetual state of innovation and change.Unfortunately, IT changes may hinder the IT auditors effortsto identify and understand the impact of risks. To help ITauditors, CAEs can:

Perform independent IT risk assessments every yearto identify the new technologies that are impactingthe organization.Become familiar with the IT departments yearlyshort-term plans and analyze how plan initiativesimpact the IT risk assessment.Begin each IT audit by reviewing its risk assessmentcomponent.Be flexible with the IT audit universe monitor theorganizations IT-related risk profile and adopt audit

procedures as it evolves.3

Several IT governance frameworks exist that can helpCAEs and internal audit teams develop the most appro-priate risk assessment approach for their organization. Theseframeworks can help auditors identify where risks reside inthe environment and provide guidance on how to managerisks. Some of the most common IT governance frameworksinclude COBIT, the UKs Office of Government CommerceIT Infrastructure Library (ITIL), and the InternationalOrganization for Standardizations (ISOs) 27000 Standardseries.

Mapping business processes, inventorying and under-

standing the IT environment, and performing a companywiderisk assessment will enable CAEs and internal auditors todetermine what needs to be audited and how often. ThisGTAG provides information that can help CAEs andinternal audit teams identify audit areas in the IT environ-ment that are part of the IT audit universe.

Due to the high degree of organizational reliance on IT, itis crucial that CAEs and internal auditors understand howto create the IT audit plan, the frequency of audits, and thebreadth and depth of each audit. To this end, this GTAGcan help CAEs and internal auditors:

Understand the organization and the level of IT support1.

received.Define and understand the IT environment.2.Identify the role of risk assessment in determining the IT3.audit universe.Formalize the annual IT audit plan.4.

Finally, this GTAG provides an example of a hypotheticalorganization to show CAEs and internal auditors how toexecute the steps necessary to define the IT audit universe.

3 GTAG: Management of IT Auditing, pp. 6 and 7.

Executive Summary1.

As technology becomes more integral to the organizationsoperations and activities, a major challenge for internal audi-tors is how to best approach a companywide assessment of ITrisks and controls within the scope of their overall assuranceand consulting services. Therefore, auditors need to under-stand the organizations IT environment; the applicationsand computer operations that are part of the IT infrastructure;how IT applications and operations are managed; and how ITapplications and operations link back to the organization.

Completing an inventory of IT infrastructure compo-nents will provide auditors with information regarding theinfrastructures vulnerabilities. The complete inventory ofthe organizations IT hardware, software, network, and datacomponents forms the foundation for assessing the vulnera-

bilities within the IT infrastructures that may impact internalcontrols.1 For example, business systems and networksconnected to the Internet are exposed to threats that donot exist for self-contained systems and networks.2 Oncean adequate understanding of the IT environment has beenachieved, the chief audit executive (CAE) and the internalaudit team can perform the risk assessment and develop theaudit plan.

Many organizational factors are considered when devel-oping the audit plan, such as the organizations industrysector, revenue size, type, complexity of business processes,and geographic locations of operations. Two factors havinga direct impact on the risk assessment and in determining

what is audited within the IT environment are its compo-nents and role. For example:

What technologies are used to perform daily busi-ness functions?Is the IT environment relatively simple or complex?Is the IT environment centralized or decentralized?To what degree are business applicationscustomized?Are some or all IT maintenance activitiesoutsourced?To what degree does the IT environment changeevery year?

These IT factors are some of the components CAEs andinternal auditors need to understand to adequately assessrisks relative to the organization and the creation of theannual audit plan.

In addition to factors impacting the risk assessment, it isimportant for CAEs and internal auditors to use an approachthat ascertains the impact and likelihood of risk occurrence;links back to the business; and defines the high-, medium-,

1 GTAG: Information Technology Controls, p. 15.2 GTAG: Information Technology Controls, p. 15.


6/362

GTAG Introduction

management has heightened expectations regarding ITdelivery functions: Management requires increased quality,functionality and ease of use; decreased delivery time; andcontinuously improving service levels while demanding thatthis be accomplished at lower costs.4

Regardless of the methodology or frequency of auditplanning activities, the CAE and the internal audit teamshould first gain an understanding of the organizations ITenvironment before performing the audit. The use of tech-nology is an essential part of an organizations activities.From the collection, processing, and reporting of accountinginformation to the manufacturing, sales, and distributionof products, virtually every business activity relies on theuse of technology to some extent. The use of technologyalso has evolved to where it is not only supporting a busi-ness process but, in many cases, it is integral to controlling

the process. As a result, internal controls in processes andactivities are becoming more technology-based, while defi-ciencies and lack of integrity in supporting technologies areimpacting the organizations operations and business objec-tives significantly.

However, the development of an effective, risk-based ITaudit plan has been a difficult task for internal auditors, espe-cially when auditors do not have sufficient background in IT.

4 IT Governance Institutes Control Objectives for Informationand Related Technology (COBIT), Third Edition, p. 5.

Introduction2.

One of the main responsibilities and more difficult tasksof CAEs is to create the organizations audit plan. As TheInstitute of Internal Auditors (IIAs) Standard 2010:Planning explains, CAEs should establish risk-based planson at least an annual basis to determine the priorities of theinternal audit activity, which, in turn, should be consistentwith the organizations goals and strategies. Furthermore,CAEs should consider consulting engagements based ontheir potential to add value and improve the organizationsoperations and risk management activities. These activitieshave been documented by The IIA Research FoundationsCommon Body of Knowledge 2006 study, which found thatnearly all CAEs interviewed plan their audit activities atleast annually, including 36.4 percent who update their audit

plan multiple times per year. (Figure 1)To develop a risk-based audit plan, CAEs should firstperform a companywide risk assessment. The proper execu-tion of an appropriate IT risk assessment that is part ofthe overall risk assessment is a vital component of compa-nywide risk management practices and a critical element fordeveloping an effective audit plan. For many organizations,information and the technology that supports it representthe organizations most valuable assets. Moreover, in todayscompetitive and rapidly changing business environment,

60%

Every year

3%

No audit plan

1%

Every two years

0%

More than every

two years

Figure 1.Frequency of audit plan updates

CQ25a(Q30): How frequenty do you update the audit pan?

Mutipe times per year

Every year

Every two years

More than every two years

No audit pan

36%

Multiple times per year

(Source:A Global Summary of the Common Body

of Knowledge 2006, The IIA Research Foundation.

Reprinted with permission.)


7/363

GTAG Introduction

Next, auditors need to define the IT universe. This can bedone through a top-down approach that identifies key busi-ness objectives and processes, significant applications thatsupport the business processes, the infrastructure needed forthe business applications, the organizations service supportmodel for IT, and the role of common supporting tech-nologies such as network devices. By using these technicalcomponents, along with an understanding of service supportprocesses and system implementation projects, auditorswill be able to create a comprehensive inventory of the ITenvironment. This inventory, in turn, forms the foundationfor assessing the vulnerabilities that may impact internalcontrols.

After auditors have a clear picture of the organizationsIT environment, the third step is to perform the risk assess-ment a methodology for determining the likelihood of an

event that could hinder the organization from attaining itsbusiness goals and objectives in an effective, efficient, andcontrolled manner.

The information and analysis gained by understandingthe organization, inventorying the IT environment, andassessing risks feeds into the final step, formalizing the auditplan. The objective of the audit plan is to determine whereto focus the auditors assurance and consulting work toprovide management with objective information to managethe organizations risks and control environment.

The remainder of this guide follows these four steps anddiscusses how to define an effective IT audit plan.

Results from several IIA external quality assessment reviews(QARs) reveal that developing an appropriate IT audit planis one of the weakest links in internal audit activities. Manytimes, instead of doing risk-based auditing, internal auditorsreview what they know or outsource to other companies,letting them decide what to audit.

This guide offers techniques in how to address this chal-lenge how to determine what should be included in theIT audit scope and how these audit areas could be organizedinto manageable audit units to create an effective IT auditplan for the organization.

IT Audit Plan Development Process2.1Defining the annual audit plan should follow a system-atic process to ensure all fundamental business aspects and

IT-service support activities are understood and considered.Therefore, it is essential that the foundation for the plan berooted in the organizationsobjectives, strategies, and busi-ness model. Figure 2 depicts a logical work-flow progressionusing a top-down approach to define the IT audit plan thatwill be used in this guide.

The first step in defining the annual IT audit plan is tounderstand the business. As part of this step, auditors needto identify the strategies, company objectives, and businessmodels that will enable them to understand the organizationsunique business risks. The audit team also must understandhow existing business operations and IT service functionssupport the organization.

Figure 2. The IT audit plan process

Understand

the Business

Define IT

Universe

Perform

Risk Assessment

Formaize

Audit Pan

Identify the

organizations strategies

& business objectives

Understand the

high risk profie for

the organization

Identify how the

organization structures

their business operations

Understand the IT

service support mode

Dissect the business

fundamentas

Identify significant

appications that support

the business operations

Identify critica

infrastructure for the

significant appications

Understand the roe of

supporting technoogies

Identify major projects

and initiatives

Determine reaistic

audit subjects

Deveop processes

to identify risks

Assess risk and rank

audit subjects using

IT risk factors

Assess risk and

rank subjects using

business risk factors

Seect audit subjects

and bunde into distinct

audit engagements

Determine audit cyce

and frequency

Add appropriate

engagements based on

management requests

or opportunities

for consuting

Vaidate the pan with

business management


8/364

GTAG Understanding the Business

Auditors can use different internal resources to identifyand understand the organizations goals and objectives,including:

Mission, vision, and value statements.Strategic plans.Annual business plans.Management performance scorecards.Stockholder annual reports and supplements.Regulatory filings, such as those submitted to theU.S. Securities and Exchange Commission (SEC).

After becoming familiar with the organizations entity-level strategic objectives, the next step is to identify the keyprocesses that are critical to the objectives success. Whendoing so, auditors need to understand how each businessprocess differs within operating units, support functions, and

major organizationwide projects, as well as how the processrelates and links to entity objectives.Project processes are unique, but equally important, in

ensuring initiatives that add value to the organization aremanaged and commercialized appropriately. A process isconsidered key if its failure prevents the organization fromfully achieving the strategic objective to which it is tied.Operating units include core processes through which theorganization achieves primary objectives, such as manufac-turing, sales, and distribution activities. Support functionsinclude management processes that oversee and support coreoperational functions, such as governance and complianceactivities, finance, human resources, treasury, cash manage-

ment, and procurement activities.Once processes are identified, auditors need to outline

the significant applications and critical IT infrastructure(e.g., databases, operating systems, networks, and physicalenvironments) supporting these applications. Underlyingthese applications and IT infrastructure are supporting ITprocesses, such as systems development life cycles, changemanagement, operations, and security activities. Auditorsshould note that applications require periodic assessmentsbased on their significance to financial reporting activities,regulatory compliance, or operational requirements.

Examining the operating environment this way (i.e.,starting from the top of the organization) will help audi-

tors understand and inventory each critical component. Tofully understand the operating environment and its risksalso requires a comprehensive understanding of differenttechnology factors that influence and help categorize orga-nizational risks.

IT Environment Factors3.3Different factors and analysis techniques should be consid-ered to understand the operational environment and itsunique risks. This is because an organizations control envi-ronment complexity will have a direct effect on its overall

Understanding the Business3.

Getting started with the right perspective is paramount todefining an effective IT audit plan. An appropriate perspec-tive to keep in mind is that technology only exists to supportand further the organizations objectives and is a risk to theorganization if its failure results in the inability to achieve abusiness objective. Hence, it is important to first understandthe organizations objectives, strategies, business model, andthe role that technology has in supporting the business. Thiscan be done by identifying the risks found in the technolo-gies used and how each risk might prevent the organizationfrom achieving a business objective. Doing so will result inmore meaningful and useful assessments for management.

Furthermore, auditors need to become familiar with theorganizations business model. Because each organization has

a distinct mission and set of business goals and objectives,business models help auditors to identify the products orservices the organization provides, as well as its market base,supply channels, manufacturing and product generationprocesses, and delivery mechanisms. Having a fundamentalknowledge of this information will help auditors understandunique business risks and how technology supports existingbusiness models and mitigates the organizations overall riskprofile.

Organizational Uniqueness3.1Every organization is different. Even companies operating

in the same industry will have different business models,objectives, organizational structures, IT environments, anddelivery models. Therefore, audit plans should be defineduniquely for each organization. In addition, the impor-tance of technology might differ within industry segments.Consider the companies that assemble and sell personalcomputers. Besides using a variety of business models, thesecompanies rely on technology differently to meet businessobjectives. For instance, the traditional sale distributionmodel of channeling products through physical stores andresellers require the use of technology to manage operationand accounting activities, while technology reliance is muchgreater for companies that sell products over the Internet. As

a result, the online marketers revenue stream depends moreon the availability of critical IT functionality, which alsoincreases the level of IT risks. As this example illustrates,the way an organization deploys its technology resources andsystems creates a unique set of business risks.

Operating Environment3.2To become familiar with the organization, auditors first needto understand its objectives and how business processes arestructured to achieve objectives (refer to figure 3).


9/365


Figure 3.Understanding the IT environment in a business context

BUSINESS PROCESSES

OPERATING PROCESSES SUPPORT PROCESSES PROJECTS PROCESSES

THE VAlUE CHAIN OF THE BUSINESS ACTIVITIES

OPERATING SUPPORT PROJECTS

. . .. . .

IT INFRASTRUCTURE SERVICES

APPlICATIONCONTROlS

Authorization

Integrity

Avaiabiity

Confidentiaity

Segregation

of duties

APPlICATIONS

APPlICATION A

DATABASE

OPERATING SYSTEM

NETWORK/PHYSICAl

APPlICATION B APPlICATION C

IT GENERAlCONTROlS

Systems

Deveopment

Change

Management

logica Access

Physica

contros

Service &Support

Processes

Backup &

Restore

Security

Manufac-

SaesDistribu-

Financia IT Payro Cash

Design Economics turing tion Reporting Mgmt

Figure adapted and revised from: IT Control Objectives for Sarbanes-

Oxley, 2nd Ed., used by permission of the IT Governance Institute

(ITGI). 2006 ITGI. All rights reserved.


10/366


Finally, networks link computers and enable them tocommunicate with each other. They consist of physicalcomponents, such as switches, routers, firewalls, wiring,and programs that control the routing of data packets.

Networks also can be deployed using radio frequencytechnology, commonly called wireless networks.

All four layers of the stack are essential to enablingautomated business functionality and introduce avail-ability, integrity, and confidentiality risks. The degreeof risk is based on the criticality of the business activitythe technology supports and enables, and on the tech-nologys configuration and deployment. Therefore, themore variety in each of these layers, the higher theorganizations risk profile. For instance, it is simpler forIT departments to manage a homogeneous environ-ment of Windows 2003 servers running a SQL Server

database for a single enterprise resource planning (ERP)application than a variety of operating systems and data-base platforms underlying different applications. Whileideal, the first scenario might not be practical for a largeorganization with diverse operations or a decentralizedbusiness model. In creating the audit universe, critical ITelements should be identified and assessed as part of thetop-down analysis techniques described in this guide.

The degree of customization.3. Generally, customizedimplementations add complexity to the management ofIT assets. Off-the-shelf software relies primarily on thesupport of vendors who have a high degree of knowledge

and expertise on their products. When vendor software whether applications, operating systems, or othersupporting software is modified to fit an organizationsbusiness need or process, a large amount of ownership isassumed and more risk is introduced into the equation.Generally, organizations should perform a cost-benefitanalysis when making the decision to customize third-party software. However, control aspects might not beconsidered fully in this analysis. In addition, audits ofcustomized implementations also require greater tech-nical knowledge on the part of the auditors.

The degree of formalized company policies and standards4.

(i.e., IT governance). The purpose of an IT governanceprogram is to enable the organization to better manageits day-to-day IT activities and risks through the use ofpolicies and standards. For example, organizations withformalized policies and standards that guide managementoversight and help to establish the IT control environ-ment have a better chance of implementing an effectiveIT governance program. These programs, in turn, areeffective when policies and standards are communi-cated, understood, monitored, enforced, and updated bymanagement.

risk profile and system of internal control. Important factorsto consider include:

The degree of system and geographic centralization1.(i.e., distribution of IT resources). The organiza-tions business model may determine the IT functionsstructure and delivery model. For instance, companiesoperating with decentralized business units that have theautonomy to make operating decisions may have decen-tralized IT operations, more diversity of applications, anda larger variety of deployed products. On the other hand,in more centralized companies auditors might find enter-prise-based applications and centralized IT infrastructuresupport. Because risks vary as companies approach eitherend of the centralization continuum, audit responsesshould vary accordingly.

When establishing the IT audit universe, consider-ation should be given to aligning individual audits withthe management function that has accountability forthat area. A centralized IT delivery model may allowfor fewer, but possibly larger, individual audits that areconcentrated on core technologies and enterprise appli-cations. Conversely, a decentralized delivery model couldrequire more audit engagements to achieve a properalignment with management accountability.

The technologies deployed.2. The organizations systemarchitecture diversity will determine the breadth oftechnical knowledge required within the internal

audit function and the number of areas that need to bereviewed. Diversity could be in any and all levels of theIT stack the key components of an applications tech-nical infrastructure, including its program code, database,operating system, and network infrastructure.

For instance, application program code includes thesets of computer programs, control files, tables, and userinterfaces that provide functionality for specific businessoperations such as accounting, payroll, and procurement.Other applications could manage critical business infor-mation, such as engineering and design project data, legal,and personal medical information. The organizationalso may have applications that control manufacturing

processes commonly called process control systems.On the other hand, database systemsenable the storage,

modification, and extraction of data (e.g., Oracle,Microsoft SQL Server, and DB2), while operating systemsperform a computers basic tasks, such as handling oper-ator input; managing internal computer memory; andproviding disk drive, display, and peripheral device func-tions. Examples of operating systems include variations ofWindows and UNIX installed in computers and servers.Handheld devices such as personal digital assistants andcell phones also require operating systems.


11/367


management oversight to ensure ongoing compliance,which results in a lower residual risk profile. The orga-nizations regulatory requirements, therefore, should beappropriately considered in the risk profile and IT audituniverse. For example, all organizations registered withthe SEC are required by the U.S. Sarbanes-Oxley Actof 2002 to report on the effectiveness of their internalcontrols over financial reporting. The legislation alsocreated the U.S. Public Company Accounting OversightBoard (PCAOB) to guide public accounting firms onhow to conduct an audit of internal controls over finan-cial reporting. Other regulations include the Basel IIAccord in the finance sector and a growing number ofprivacy and data protection laws and regulations, suchas the European Unions Directive on Data Protection,U.S. Gramm-Leach-Bliley (GLBA) Act, the U.S. Health

Insurance Portability and Accountability Act (HIPAA),and the Payment Card Industry Data Security Standard(PCI DSS).

The degree and method of outsourcing.6. IT outsourcingis becoming more prevalent in many organizations due tothe high cost and expertise required to deliver noncoreservices. (The IIAs Information Technology OutsourcingGTAG provides a detailed discussion on the types ofIT outsourcing arrangements and their degree of risk.6)In terms of outsourcing, it is important for auditors toconsider the different risks stemming from the outsourcingarrangement when drafting the IT audit plan. Key

factors include how management views its oversight andmonitoring role, the maturity of the arrangement (e.g.,transitioning versus an established working process),country-specific risks, and the completeness of thevendors and organizations business continuity plans.

The degree of operational standardization.7. Operationalprocesses and procedures include the entire systemdevelopment life cycle as well as configuration, change,incident, operations, and security management activities.Similar to the degree of centralization and the diversityof deployed technologies, the level of operational stan-dardization can impact the reliability and integrity of the

IT infrastructure and its assets. Consequently, organiza-tions that adopt standardized processes throughout theirservice delivery functions increase their ability to operateas a high-performing organization.

An example of a standardized practice is ITIL, a setof concepts and techniques for managing IT infrastruc-tures, as well as the development and installation of newcomputer systems and IT operations. Its books on servicesupport and service delivery are the most widely usedand understood ITIL publications. One of the primary

6 GTAG: Information Technology Outsourcing.

Policies are general, long-term statements of prin-ciple that address managements operational goals; areintended to have a long-term effect in guiding the devel-opment of business rules for specific situations; and canbe interpreted and supported by standards, controls, andguidelines. In terms of IT, policies can provide high-level management directives in areas such as intellectualproperty rights, data protection, retention, and privacyto ensure compliance with laws and regulations and theeffective safeguard of data assets.

On the other hand, standards describe a mandatorybusiness process or procedure and provide further direc-tion on how to comply with the policy statement to whichthey are linked. IT standards are generally technology-neutral and can be further defined by technology-specificcontrols and guidelines (i.e., configuration settings or

procedures) that define how the standard should beimplemented.As a general rule, organizations should establish an

ongoing maintenance process for all policies and stan-dards that addresses the latest regulatory mandates. Forexample, recent changes to the U.S. Federal Rules ofCivil Procedure governing the production of evidence incourt cases address the discovery and production of elec-tronically stored information. Because of these changes,an organizations level of risk partly depends on its adher-ence to updated record retention policies and standardsthat consider the management of electronically storedinformation.

Different IT governance frameworks and method-ologies are available, including COBIT, ISOs 27002Standard on information security management, theCanadian Institute of Chartered Accountants ITControl Guidelines, and the Information SecurityForums Standard of Good Practice for InformationSecurity. These frameworks provide a structured way ofcategorizing control objectives and control areas acrossthe entire control environment. (For additional informa-tion on these and other compliance frameworks, auditorscan refer to The IIAs Information Technology ControlsGTAG.5) Organizations can adopt one of these frame-works or use them as a reference when developing their

own. Section 5.3 provides information on leading ITgovernance best practices to help organizations assess thecontent and effectiveness of these frameworks.

The degree of regulation and compliance.5. Organizationsin highly regulated industries generally will have ahigh-risk profile due to the potential consequences ofnoncompliance with regulatory mandates. However,successful organizations in highly regulated industriesalso have disciplined control environments and effective

5 GTAG: Information Technology Controls, p. 18.


12/368


benefits of ITIL is that it establishes a common vocabu-lary of defined and widely used terms. Organizations thatimplement ITIL concepts have claimed a higher degreeof reliability and lower delivery costs.

The level of reliance on technology.8. Some organiza-tions are intensive technology users or use technology todifferentiate themselves from their peers and competitors.While technology can improve overall internal controlswith the use of automated application controls, stronggovernance and internal operational processes becomemore important as reliance on IT increases. In addition,as organizations depend more on the availability andintegrity of IT functionality to enable business opera-tions and meet their objectives, the significance of ITrisks in the organizations overall risk profile increases.

Hence, the nature and extent to which the organizationrelies on technology should be evident in the risk assess-ment used to develop the IT audit plan.

These eight IT environment factors, along with thetop-down approach used to understand the organizationsoperations and IT infrastructure, provide auditors with theinformation needed to move to the next step of the auditplanning process defining the IT audit universe andperforming a risk assessment.


13/369

GTAG Defining the IT Audit Universe

the IT support structure for these business processes is differentand may require separate assurance reviews.

Role of Supporting Technologies4.2Identifying supporting IT infrastructure technologies can bea simple process when detecting business activities that relyon key applications. However, it is much harder to associatethe use of supporting technologies, such as the companysnetwork, e-mail application, and encryption software, tobusiness objectives and risk. Yet, these supporting technolo-gies exist because the business requires them, and a failurein these services and products can hinder the organizationsability to accomplish its mission. Therefore, key supportingtechnologies, while not directly associated with an applica-tion or business process, must be identified and represented

in the universe of auditable areas.

Annual Business Plans4.3Another important element is to take into consideration theorganizations annual business plans and strategies. Operatingplans can provide auditors with information on importantchanges and projects that may be pursued in the upcomingyear, which might require audit involvement and becomesubjects in the IT audit universe. Projects might be directlyIT-related, such as the implementation of a new ERP system, orbusiness projects that manage major engineering or construc-tion initiatives. For example, energy companies form major

capital projects when developing new facilities to bring oiland gas discoveries into production. These business projectscan benefit from the use of critical IT components that meritIT audit attention, such as access controls over documentmanagement systems and external network connections forpartners and contractors. Because companies can be partnerson one project and competitors on another, it is important tolimit their access to required IT resources only.

Centralized and Decentralized IT Functions4.4Auditors need to identify centrally managed IT functionsthat support the entire or a large portion of the organiza-

tion. Centralized functions are good candidates for individualaudits in the IT audit universe and include network designand security administration, server administration, databasemanagement, service or help desk activities, and mainframeoperations. For example, the organization may have a serveradministration group that is responsible for all Windowsservers. Because this group might use common configurationsand administrative processes across the entire server popu-lation, it represents an ideal candidate for an individual ITaudit that is part of the IT audit universe. The homogeneousnature of the environment also lends itself to sampling for theaudits execution.

Defining the IT Audit Universe4.

Determining what to audit is one of the most importantinternal audit activities, as performing the annual IT auditplan will have a profound impact on the overall success ofthe internal audit department. Consequently, the ultimategoal of the IT audit plan is to provide adequate coverage onthe areas that have the greatest risk and where internal audi-tors can add the most value to the organization.

One of the first steps to an effective IT audit plan is to definethe IT universe, a finite and all-encompassing collection ofaudit areas, organizational entities, and locations identifyingbusiness functions that could be audited to provide adequateassurance on the organizations risk management level. Atthis initial phase, identifying potential audit areas within theIT universe is done independently from the risk assessment

process. Auditors need to be aware of what audits could beperformed before they can assess and rank risks to create theannual audit plan. Defining the IT audit universe requiresin-depth knowledge of the organizations objectives, businessmodel, and the IT service support model.

Examining the Business Model4.1Organizations can have different operational units and supportfunctions to accomplish its objectives, which, in turn, havebusiness processes that link activities to achieve their goals.Referring back to the example of companies that assembleand sell personal computers, a traditional company in this

industry sector consists of several assembly plants locatedin different countries, sales, and marketing units, as well asdifferent corporate management and support functions. Thesales and marketing units, for instance, have establishedprocesses for accepting, fulfilling, and invoicing customerorders, while other operating units and support functions havetheir own processes. Underlying these processes will be crit-ical IT applications and supporting infrastructure. Therefore,it is important for auditors to understand the companys ITenvironment when defining the IT universe and identifyingthe processes critical to the success of each unit.

Using a top-down approach to understand the organiza-tions structure and activities can help auditors identify critical

IT functionality processes that sustain the organizationsoperating units and support functions. However, variationin how similar business units perform their processes canadd complexity to this analysis. For instance, manufacturingplants in different locations might use different procurementprocesses. In decentralized organizations, business units mightuse different applications for similar business processes, or acommon application might be configured differently to theextent it functions like an entirely different application. Forexample, one business unit uses SAP R/3 on a UNIX andOracle platform, while another business unit uses SAP R/3on a Windows and SQL Server platform. Although similar,


14/3610


chain of events including incident, problem, change, andrelease management activities.

Again, one of the leading sources for IT service best prac-tices is ITIL. Many organizations are implementing ITILpractices or other standardized processes to attain betterefficiency and higher performance in managing their ITfunctions. Internal audit groups should become involved inefforts to implement standardized support processes whereappropriate and consider new ways to provide assuranceon their effectiveness. One approach could be to reviewthe deployment and governance of standardized processesat the enterprise level within the audit plan. These top-level reviews could assess the effectiveness of the processesthemselves, the effectiveness of deployed processes, and theeffectiveness of the governance model to ensure standardizedsupport processes are used as intended. Once standardized

processes are audited, site audits should concentrate on howthey are followed rather than on their effectiveness.

Regulatory Compliance4.6Different laws and regulations around the world aremandating the use of internal controls and risk managementpractices and the privacy of personally identifiable informa-tion, including the Sarbanes-Oxley Act and Basel II Accord.As discussed earlier, some of these regulations mandate theprotection of customer information in the credit card industry(e.g., GLBA and the PCI DSS) and the safeguarding ofpersonal medical information (e.g., HIPAA). Although most

of these regulations do not address IT controls directly, theyimply the need for an adequately controlled IT environment.Therefore, these regulatory areas are potential subjects in theIT audit universe, as auditors need to determine whether theorganization has rigorous processes in place and whetherthey are operating effectively to ensure compliance.

Define Audit Subject Areas4.7The way the IT environment is divided into individual auditsubjects could be somewhat influenced by personal prefer-ence or staffing considerations. However, the ultimate goalis to figure out how to divide the environment in a manner

that provides the most efficient and effective audits. Thepreceding discussions on centralized IT functions and stan-dardized support processes stated how audit subjects can begrouped in the audit universe to define an audit approach thatis more efficient. Although auditors should not be assessingbusiness risks at this phase of the audit planning process, thegoal is to have an audit plan that focuses on the highest-riskareas where auditors can add the most value.

Although there is no single right way to define IT auditsubjects, there are incorrect or inappropriate ways to do this.7

7 GTAG: Management of IT Auditing, p. 10.

There are several benefits to identifying centralized auditsubjects. The main benefit is the effective use of limited ITaudit resources, which can enable the audit team to focus onone area, use sampling techniques, and gain a large amount ofcoverage in a single audit. Another benefit is the transfer ofinternal audit efficiencies to other audits because centralizedareas have already been covered and may be excluded fromthe scope of other audits. The benefit of referencing central-ized audit coverage is particularly applicable to applicationauditing. For example, there could be hundreds of applica-tions residing within a Windows server administration groupenvironment. Since the general controls for the infrastructureare reviewed in a more centralized audit, the IT audit shouldbe limited to application-specific technical areas rather thanthe entire infrastructure platform hosting the application.The organization also benefits as it is audited thoroughly only

once and is not impacted when applications are reviewedindividually during each business process audit.Furthermore, organizations may centralize their IT func-

tions differently. A common practice of many organizationsis to create a single network support function that managesits network design and security administration. This networksupport function could be divided into firewall, router,and switch configuration activities, as well as Internetconnectivity, wireless, digital voice, and external networkconnection management. As a result, each of these areasmay be an independent audit subject in the IT universe.Furthermore, because centralized IT functions can changeover time, they should be reviewed and refreshed in the audit

universe at least annually.A similar approach can be taken for decentralized IT

functions, where each physical location might representa separate audit subject. Depending on the locations size,the sites audit may review general and technical controlsfor each infrastructure stack layer. The review should onlyinclude the IT controls for which the local site is responsible,while controls handled by centralized IT functions shouldbe excluded. If the site is large and supports a wide numberof technologies, auditors might need to perform multiplereviews for that location as part of the IT audit universe.

IT Support Processes4.5Even if the organization has a decentralized IT function, itmay have standardized support processes. Organizations thatare striving to be high-performing organizations understandthe importance of having standardized support processesacross their operating units regardless of the business model.Examples of standardized support processes include servicedesk activities as well as change, configuration, release, inci-dent, and problem management procedures. The service deskis generally the first point of contact for customers to registeran IT service or issue resolution request, thus initiating therequests life cycle management process and triggering a


15/3611


For this reason, many organizations review security based ontheir platform type, thus enabling a more detailed review.Unfortunately, this activity could result in redundancy asaudit steps are duplicated. Hence, auditors could establishseparate audit areas for each platform type and a generalcontrols subject audit that is performed across all platforms.

A key consideration in identifying IT environment compo-nents and in grouping distinct audit subjects is managementaccountability. A worst-case scenario would be to defineaudit subjects crossing reporting lines and involving manage-ment from different reporting units, as this might create aconflict over who eventually owns the resolution of issuespresented in the audit. As a result, it should be clear who willreceive the audit report and who is responsible for the reme-diation of identified control deficiencies. Finally, the scopeof each audit subject should be described clearly so that orga-

nizational accountability is determined properly.

Business Applications4.8CAEs need to determine which audit group will be respon-sible for the planning and oversight of business applicationaudits. Depending on how the audit function operates, busi-ness applications can be included as part of the IT audituniverse, business audit universe, or both. There is a growingconsensus among internal audit functions that businessapplications should be audited with the business processesthey support. This provides assurance over the entire suiteof controls automated and manual for the processes

under review, helps to minimize gaps and overlaps of auditefforts, and minimizes confusion over what was included inthe scope of the engagement.

Because of their expertise, the business audit function isprobably best suited to determine when applications shouldbe reviewed. If business applications are maintained as partof the IT audit universe, the business audit universe shouldbe linked to the IT audit universe to work together duringthe audit. Even if business applications are maintained sepa-rately from the IT audit universe, individual audit subjectscan be created within the IT audit universe for large-scaleapplications that are used by multiple functions for multipleprocesses, such as ERP systems. This is because it might make

sense to review the applications general controls in a stand-alone audit rather than arbitrarily including this area in oneof the many business audits.

Assessing Risk4.9After the IT universe is defined, a systematic and uniformassessment of risk across all subjects should be the next step indetermining the annual audit plan. The next section presentsrisk and risk assessment fundamentals that can help CAEsand internal auditors create an effective IT audit plan.

Pitfalls include improper sizing of subjects, basing a plan solelyon staffing capabilities, and creating a focus imbalance.

In addition, audit subjects should be divided into appro-priately sized areas to define a reasonable allocation of auditresources. When doing so, auditors should keep in mindthat defining small or large audit subject areas might hinderaudit efforts. This is because a certain amount of overhead isrequired for each audit engagement, including administrativeefforts for audit planning, management reviews, sign-offs ofcompleted work, and reporting and communicating results. Ifthe audit universe and plan contains numerous small audits,for example, internal auditors could spend as much timeadministrating the audits as performing them. Conversely,if the audit subject area is defined broadly, audits could runfor an extended period of time, be disruptive to the client,or be reviewed insufficiently. Depending on the organiza-

tions culture, overly broad definitions might even result inan unplanned increase in scope (i.e., scope creep).8Finding the right audit size depends on the organizations

audit practices and culture. As a general rule for most orga-nizations, defining audit subjects that require two to threetechnical auditors for a three- to four-week duration is areasonable target, as this provides different auditor perspec-tives and experiences. In addition, the three- to four-weekduration is a reasonable request for most organizations.

The audit size also should be consistent with company-accepted historical audit practices. However, the IT audituniverse should not be defined solely on audit staffing capa-bility, as this might result in a focus imbalance. For instance,

some IT audit functions do not have any technicians orIT professionals, but consist of business auditors who haveknowledge of currently used business applications. Becausethese auditors tend to focus on the application layer andmight ignore the underpinning infrastructure layers, itsimportant to have a well-balanced coverage of all layers aspart of the audit.

Ideally, the internal audit function should consist of highlytechnical personnel and general auditors who have a goodunderstanding of application controls. The technical audi-tors, for example, would help ensure the IT infrastructure hasproper security controls in place and review general applica-tion controls. The proper balance of audit subjects covering

all environment layers should be the cornerstone of the ITaudit plan even if the IT audit constraint is an issue. If that isthe case, alternative resource staffing for these audits wouldbe required to supplement the expertise of the internal auditstaff.

Auditors should consider that the audit technique usedduring the security review could be ineffective when used in anonhomogeneous server environment consisting of multipleserver platforms. This is because the general server admin-istration subject area might be too large or unmanageable.

8 GTAG: Management of IT Auditing, p. 10.


16/36


17/3613

GTAG Performing a Risk Assessment

Weighted or sorted matrices or the use of threats3.versus component matrices to evaluate consequences

and controls. This method is superior for most micro-riskassessments.

This GTAG will focus exclusively on the weighted orsorted matrices approach to measure risk and impact. Asshown in table 1, this approach uses a simplistic method torate risk that is based on the risks high (i.e., three), medium(i.e., two), or low (i.e., one) likelihood of occurrence.

likeihood Scae

H 3 High probability that the risk will occur.

M 2 Medium probability that the risk will occur.

L 1 Low probability that the risk will occur.

Table 1.Risk likelihood scale

While the likelihood of risk occurrence is relatively simpleto determine, determining the impact of risk occurrence isanother matter entirely. This is because there can be severaldifferent qualitative and quantitative aspects of risk impact.Furthermore, not every qualitative and quantitative aspectis treated equally (i.e., some risks are more important thanothers). According to Assessing Risk, three types of risk

factors are commonly in use subjective risk factors, objec-tive or historical risk factors, and calculated risk factors.

Subjective risk factors.1. Measuring risk and its impactrequires a combination of expertise, skills, imagination,and creativity. This emphasis on subjective measurementsis borne out in practice many auditable units change somuch between audits that prior audit history is of little use.Therefore, an experienced practitioners sound subjectivejudgment is just as valid as any other method.

Objective or historical risk factors.2. Measuring riskfactor trends can be useful in organizations with stable

operations. In all cases, current objective information ishelpful in measuring risk.

Calculated risk factors.3. A subset of objective risk factordata is the class of factors calculated from historical orobjective information. These are often the weakest of allfactors to use because they are derivative factors of riskthat is further upstream.10

10 The IIA Research FoundationsAssessing Risk, 2ndEdition, 2004.

into three major sub-categories: infrastructure, computeroperations, and applications.

The infrastructure area consists of all computing compo-nents that support the flow and processing of information,such as servers, routers, bridges, mainframes, communicationlines, printers, datacenters, networking equipment, antivirussoftware, and desktops. Computer operations, on the otherhand, consist of the processes and controls that manage thecomputing environment. Examples include physical andlogical security administration, backup and recovery, busi-ness continuity and disaster recovery planning, service-levelagreements (SLAs), program change controls, and compli-ance with laws and regulations. Finally, applications consistof the software used by the organization to process, store, andreport business transactions. Examples include ERP systemsand stand-alone applications, such as Microsoft Excel or

Access.

Ranking Risk5.2Once an inventory of the IT universe is completed, the nextstep is to assign a risk rating to all sub-categories infra-structure, computer operations, and applications. Thesesub-categories need to be ranked based on the impact theirrisks will have on the organization and their likelihood ofoccurrence. In other words, auditors need to determine whatcould go wrong in each area and how the organization willbe affected if controls to manage or mitigate risk are notdesigned and operating effectively.

In addition, auditors need to keep in mind that each riskmight not be equally significant or weighed the same wayacross the IT audit universe. (Weight differentiates the rela-tive importance of a risk over the others). For example, if anarea has a direct tie to the accuracy of financial reporting, itwould carry a higher weight relative to an area that does notdirectly affect the accuracy of financial reporting. Accordingto The Research FoundationsAssessing Risk, there are threeapproaches to measuring risk and impact:10

Direct probability estimates and expected loss func-1.tions or the application of probabilities to asset valuesto determine exposure for loss. This process is the oldest

and not considered a best practice. The insurance industrystill uses this method, but internal auditing does not.

Risk factors or the use of observable or measurable2.factors to measure a specific risk or class of risks. Thisprocess is favored for macro-risk assessments, but is notefficient or particularly effective for micro-risk assess-ments, except when auditable units are homogeneousthroughout the audit universe as in branch, location, orplant audits.


18/3614


Leading IT Governance Frameworks5.3Up to this point, the guide has focused on the steps necessaryto define the IT audit universe and to perform a risk assess-ment that determines what should be audited and how often.This discussion is not based on any particular IT governanceframework, such as COBIT, the ISO 27002 Standard, orITIL. As a result, it is the CAEs responsibility to determinethe components of these and other frameworks that bestserve the organization.

It is important to keep in mind that none of these frame-works is a one-size-fits-all. Rather, they are frameworksorganizations can use to manage and improve their IT func-tions. While it is not within the scope of this GTAG toprovide guidance on the pros and cons of these and otherIT governance models, an overview of COBIT will beprovided.

Since its release in 1996, COBIT has been a leading ITgovernance framework. Its mission is to research, develop,publicize, and promote an authoritative, up-to-date, inter-national set of generally accepted information technologycontrol objectives for day-to-day use by business managersand auditors.11 As a framework and supporting tool set,COBIT allows organizations to bridge the gap with respect tocontrol requirements, technical issues, and business risks, andcommunicate that level of control to stakeholders. COBITalso enables the development of clear IT control policies andpractices.12

In addition, COBIT provides a set of tools CAEs andinternal auditors can use to help guide the IT risk assessment

process. Some of its tools are a set of clearly stated controlobjectives, ideas on how to test controls, and a scale forranking the maturity of the IT control environment. TheCOBIT framework consists of four domains with a total of 34IT processes: plan and organize (PO), acquire and implement(AI), deliver and support (DS), and monitor and evaluate(ME).

As with any best practice control framework, auditorsshould proceed with caution when using this framework.CAEs and internal auditors must understand and apply theframeworks concepts and guidance in their proper context.In other words, COBIT has been developed and refined overthe last decade with the assistance of practitioners, academia,

and different industries from around the globe. As a result,COBIT tends to have the look and feel of a framework thatmight work beautifully in a large organization with a sizableIT function, but may be equally challenging to work with inmid-size and small organizations.

Furthermore, the CAE and internal audit team mustrealize that simply because the IT function does not follow oradhere to the COBIT framework, this does not mean the ITfunction, its processes, or data is not controlled or managed

11 COBIT 3rdEdition, p. 1.12 COBIT 4.1, p. 8.

Due to these risk factors, CAEs and internal auditors mustdesign and use a risk impact model that fits their organiza-tion. The model should be similar to the one used for theenterprisewide risk assessment. However, the models scaleand rank methodology needs to be changed for each IT risk.As shown in table 2, and for the purposes of this GTAG, asimplistic ranking method that uses high, medium, and lowcategories is used for the impact of each component that isbased on the same likelihood concepts presented in table 1.

Impact Scae (Financia)

H 3 The potential for material impact on theorganizations earnings, assets, reputation,or stakeholders is high.

M 2 The potential for material impact on theorganizations earnings, assets, reputation,or stakeholders may be significant to theaudit unit, but moderate in terms of thetotal organization.

L 1 The potential impact on the organization isminor in size or limited in scope.

Table 2. Risk impact model scale

Table 3 on page 15 shows an example of a completed risk

assessment that is based on the scales used for likelihood andimpact across the risk categories of financial impact, qualityof internal controls, changes in the audit unit, availability,integrity, and confidentiality. The score for each area iscalculated by multiplying risks likelihood and impact valuesacross each category. For example, on the risk category forERP application and general controls, the sum of the likeli-hood and impact values is 42. The same logic is used acrossthe other risk categories for each possible audit area.

Based on this scoring approach, the lowest possible scoreis six and the highest possible score is 54. Table 4 showsthe scoring ranges and their corresponding audit or reviewfrequencies based on the organizations resource availability.

leveComposite Risk

Score Range

Recommended

Annua Cyce

H 3554 Every 1 to 2 years

M 2034 Every 2 to 3 years

L 619 Every 3 to 5 years

Table 4. Scoring ranges and correspondingaudit or review frequencies


19/3615


Area

Financia

Impact

IT Risks

Score

and

leve

Quaity ofInternaContros

Changes inAudit Unit

Avaiabiity IntegrityConfiden-

tiaity

l I l I l I l I l I l I

ERP Appication & Genera Contros 3 3 2 3 3 3 2 3 2 3 2 3 42 H

Treasury EFT Systems 3 3 3 3 3 3 2 2 3 2 2 2 41 H

HR/Payro Appication 3 3 3 2 3 3 2 2 2 3 2 3 40 H

Empoyee Benefits Apps (Outsourced) 2 3 2 2 3 3 3 2 2 3 3 3 40 H

IT Infrastructure 2 2 3 2 3 3 3 3 3 2 2 2 38 H

Process Contro Systems 1 1 2 2 2 2 2 2 1 1 1 1 15 L

Database Administration and Security 2 2 2 2 2 2 3 3 2 2 2 1 27 M

UNIX Administration and Security 2 2 2 3 2 2 3 1 1 1 3 2 24 M

Corp. Privacy Compiance 2 2 3 2 3 3 2 1 2 2 3 3 34 M

Windows Server Admin and Security 2 2 1 2 2 2 2 3 3 2 2 2 26 M

Environment Reporting Systems 2 2 3 2 2 2 2 3 1 1 3 1 24 M

SOX Sustainabiity Review 2 2 2 2 2 2 1 1 2 2 1 2 19 L

Network Administration and Security 2 2 1 1 1 2 2 1 2 2 2 2 17 L

ITIl Depoyment Practices 1 1 1 3 2 1 3 1 1 3 3 3 21 M

IT Governance Practices 1 1 2 2 1 1 3 1 1 1 1 2 12 L

Remote Connectivity 1 1 1 2 2 1 1 1 1 2 2 2 12 L

Appication Program Change Contro 2 3 1 3 1 1 1 1 1 3 1 2 16 L

lowest possibe score 6

Highest possibe score 54

Mid point 30

l = likeihood

I = Impact

Table 3.Example of an IT risk-ranking score model

properly. At a minimum, CAEs and internal auditors can useCOBIT as a helpful guide during the IT risk assessment andaudit process. In a best case scenario, the CAE and internalaudit team should integrate the use of COBIT under theumbrella of risk and control-related frameworks and guid-ance, as well as to help the IT function with implementingpart or all of the framework.


20/3616

GTAG Formaizing the IT Audit Pan

For most companies, these two steps are merged to someextent, as depicted in the overlap area of the two spheresrepresenting each process in figure 4. For example, certainrisks or auditable areas may be excluded from the risk assess-ment based on the level of resources that may be required toexecute the audit. However, it is important to perform thesesteps in an objective manner considering each steps statedobjective and driver forces.

In addition, the IT audit plan should be created as part ofthe internal audit functions strategic planning process. Thisplanning process should be cyclical and can be understoodunder the classical management cycle of plan, do, check,and act. Thus, while the plan is the key enabler to imple-ment the process, it delineates how to reach audit objectivesand goals. As a result, it should include a list of audit activitiesas well as the timing, dependencies, and resource allocation

needed to reach audit goals.Certain IIA standards describe the nature of internalaudit services and provide quality criteria against which theperformance of these services can be measured. More specifi-cally, the 2000 series, Performance Standards for Managingthe Internal Audit Activity, are relevant to the audit plan-ning process:

Formaizing the IT Audit Pan6.

Defining the IT audit universe and performing a risk assess-ment are precursor steps to selecting what to include in theIT audit plan. While everything in the IT audit universecould be reviewed on a recurring basis if the availability ofresources is unlimited, this is not the reality for most internalaudit functions. Consequently, CAEs must create an IT auditplan within the constraints of the audit functions operatingbudget and available resources.

Audit Plan Context6.1Figure 4 depicts the differences and challenges of movingfrom the risk assessment step to identifying the audits thatwill be included as part of the audit plan. In theory, each of

these steps should be a separate and distinct effort becausethe objectives and focus are different. In the risk assessment,the objective is to understand risks in a relative context.Therefore, the major focus or driver of this effort is risk,while a major influencer may be resources. In defining theaudit plan, the objective is to review high-risk areas throughthe allocation of available resources. As such, the driver isthe resources and the influencer is the risks.

Figure 4.Objectives for risk assessment and audit plan (Source: Ernst & Young 2007)

OBJECTIVES FOR RISK ASSESSMENTS AND AUDIT PlANS

Understand Risks Aocate Resources

Risk Assessment

Driver = Risks

Infuencer = Resources

Audit Pan

Driver = Resources

Infuencer = Risks

Key Activities

Obtain expicit input from stakehoders.

Identify reevant risks.

Assess risks.

Prioritize risks.

Key Activities

Understand universe of potentia

audits subjects.

Aocate and rationaize resources.

Reconcie and finaize the audit pan.


21/3617


what audits will be performed and when, ensure adequateaudit coverage is provided over this period of time, and iden-tify audits that may require specialized external resources oradditional internal resources. In addition, most organizationscreate a one-year plan, as a derivative of the multiyear planthat outlines planned audit activities for the upcoming year.

Auditors can use one of two strategies to arrive at the idealfrequency of planned audit activities:13

The audit frequency is established in an initial riskassessment to take place every three to five years andis proportional to the risk level.The audit plan is based on a continuous risk assess-ment without a predefined audit frequency. Someorganizations use this approach, which is especiallyappropriate within the context of the IT audit plan,given the higher rate of IT change as compared to

changes in non-IT activities.

Table 5 shows criteria that can be used to determinefrequency and resource allocation based on the results ofthe risk assessment. This process should be understood as acyclical, repetitive, and iterative sequence of activities, inte-grating a top-down approach through at least three layers:

Layer 1: The audit universe where all the inputs areintegrated.Layer 2: The individual business processes whereengagements should be identified and preliminarilyplanned.Layer 3: The audit engagements where fine-tuning

and plan optimization can be conducted.

Priority FrequencyResource

Aocation

H Immediateaction,usually withinthe first year

Annual reviews ormultiple actionswithin the cycle

Highallocation

M Mid-termaction withinthe auditcycle

One or severalaudit engagementswithin the cycle;could be postponed

Baseallocation

L Audit engage-ments usuallynot plannedwithin thecycle

At most oneaudit engagementplanned within thecycle

Limitedallocation

Table 5.Frequency and resourceallocation of audit activities

13 Brinks Modern Internal Auditing, 6th Ed, 2005, p. 292.

IIA Standard 2010: Planning. The CAE shouldestablish risk-based plans to determine the prioritiesof internal audit activities consistent with the orga-nizations goals.IIA Standard 2020: Communication and Approval.

The CAE should communicate the internal auditactivitys plans and resource requirements, includingsignificant interim changes, to senior manage-ment and board for review and approval. The CAEalso should communicate the impact of resourcelimitations.IIA Standard 2030: Resource Management. TheCAE should ensure that internal audit resources areappropriate, sufficient, and deployed effectively toachieve the approved plan.

Stakeholder Requests6.2Internal auditors should have ongoing discussions throughoutthe IT audit plans development with key stakeholders tobetter understand the business and risks the organizationfaces. Through these discussions, insights on the businesswill be gathered along with concerns key stakeholders mighthave. This is also an opportunity to learn about special auditassurance and consulting services requests, referred to in thisdocument as stakeholder requests.

Stakeholder requests may come from the board of directors,audit committee, senior managers, and operating managers.They should be considered during the audit planning phase

based on the engagements potential to improve the overallmanagement of risks and the organizations control environ-ment. These requests may be specific enough to determinethe required resource allocation, or the allocation may bebased on previous audit work. These engagements also caninclude fraud investigations that come up throughout theyear and requests to review service providers. (The IIAStandard 2010.C1 provides information on consultingengagements.) CAEs, therefore, should consider acceptingproposed consulting engagements based on their potentialto improve risk management activities and add value to andimprove the organizations operations. Accepted engage-ments should be included in the IT audit plan.

Audit Frequency6.3Depending on the risk assessments results, not all auditareas can nor should be reviewed in every audit cycle. Aspresented in section 5, audit frequency is based on an evalu-ation of the likelihood and impact of risk occurrence inrelationship to the organizations objectives. Since auditsoccur on a cyclical basis, multiyear audit plans are developedand presented to management and the audit committee forreview and approval. The multiyear plan, usually three tofive years in terms of its timeframe, is created to document


22/3618


well as estimated efforts in terms of their timeframe forcompletion and resources.The plan should be prioritized based on:4.

Dates and results of the last audit engagement.a.Updated assessments of risks and effectiveness of riskb.management and control processes.Requests by the board and senior management.c.Current issues relating to organizational governance.d.Major changes in the business, operations, programs,e.systems, and controls.Opportunities to achieve operating benefits.f.Changes to and capabilities of the audit staff. (Workg.schedules should be sufficiently flexible to cover unan-ticipated demands on the internal audit activity.)

The IT Audit Plan Content6.5The content of the IT audit plan should be a direct reflec-tion of the risk assessment described in previous sections.The plan also should have different types of IT audits, forexample:

Integrated business process audits.Audits of IT processes (e.g., IT governance andstrategy audits, as well as audits of the organizationsproject management efforts, software developmentactivities, policies and procedures, COBIT/ISO/ITILprocesses, and information security, incident manage-ment, change management, patch management, andhelp desk activities).

Business projects and IT initiative audits, includingsoftware development life cycle (SDLC) reviews.Application control reviews.Technical infrastructure audits (e.g., demandmanagement reviews, performance reviews, databaseassessments, operating systems audits, and operationanalyses).

Network reviews (e.g., network architecture reviews,penetration testing, vulnerabilities assessments, andperformance reviews).

To verify each audit provides appropriate coverage, audi-tors can incorporate the following elements as part of the

audit:IT general controls, application controls, and infra-structure controls.Contributions to operational reviews, financialreviews, and compliance reviews.Main control objectives (i.e., segregation of duties,concentration of duties, and security, amongothers).

New IT trends and their threats, innovations, andimpact.All IT layers of the stack.

In addition to frequency, other factors should be consid-ered when defining the audit plan:

Internal audit sourcing strategies. Differentsourcing or staff augmentation strategies are commonpractices in the industry, including hiring internalstaff, outsourcing, and co-sourcing, which should beconsidered during the annual planning process.Estimated available IT audit resources. This consistsof a technical skills inventory of current staff that ismapped to IT audit plan needs. The availability ofresources usually is established on an annual basisand is based on the number of full-time equivalentauditors and skills required. Available audit days arethe net of possible audit days minus nonaudit activi-ties and exception time, such as training, vacation,

and holidays.Board and management requests included in theplan and related to control assurance or consulting

services.The organizations regulatory and compliance

requirements. These should be included in the audituniverse and risk assessment.External audits that should be synchronized withthe audit plan. The IIA Performance Standard 2050establishes that the CAE should share informa-tion and coordinate activities with other internaland external providers of relevant assurance andconsulting services to ensure proper coverage and

minimize duplication of efforts.Internal initiatives and efforts to improve the auditfunction. Any effort beyond audit engagements thatrepresents an investment of effort should be planned,budgeted, and reflected in the audit plan. Examplesinclude quality assurance reviews, integrated riskassessments, audit committee reporting tasks, andaudit recommendation follow-ups.A contingency IT audit budget and plan for reason-able coverage of unplanned situations.

Audit Plan Principles6.4Internal auditors should consider The IIAs Practice Advisory2010-1: Planning for the IT Audit Plan when identifyingaudit plan principles:

Planning should be consistent with the charter of the1.internal audit function and involve establishing goals,schedules, staffing, budgeting, and reporting.Internal audit activities should be capable of accom-2.plishing the goals within a specific time and budget andbe measured in terms of, at least, targeted dates and levelsof accomplishment.The plan should include the work schedule with activi-3.ties to be performed and their key planned dates, as


23/3619


A highly integrated audit plan, where IT auditactivities are incorporated as part of business

process engagements. Often, IT audit activities areplanned under the responsibility of a multidisci-plinary team that has a balanced skill set, includingIT audit expertise.

Given that a system of internal control typically includesmanual and automated controls, with more reliance on appli-cation controls, the ability to scope an audit that covers allcontrols is essential in providing a holistic assessment of thecontrol environment. A complete business audit, includinga review of all IT components, provides the opportunity toevaluate whether there is an appropriate combination ofcontrols to mitigate business risks.

Validating the Audit Plan6.7Unfortunately, there is no direct test that can be performedto validate whether the right and most effective audit planexists. Therefore, auditors need to establish criteria to eval-uate the plans effectiveness in meeting its objectives. Asdiscussed earlier, the plan should consist of risk-based audits,mandated audit areas, and management requests for assur-ance and consulting services. Because one of the objectivesof the planning phase is to allocate resources to areas wherethe department can add the most value to the organizationand highest risk IT areas, auditors should determine how theplan reflects this objective.

The chart in figure 5 depicts the plans target. Accordingto this chart, if all audit subjects and engagements areplotted based on their risk likelihood and impact, auditsshould be reflected in all chart quadrants. The bolded boxrepresents the ideal selection of audits and engagements, so

Integration of the IT Audit Plan6.6One key aspect of the planning process is to determine theintegration level of the IT audit plan with non-IT audit activ-ities in the audit department. As explained in section 4.7,auditors need to determine which audit group will be respon-sible for the planning and oversight of business applicationaudits. This discussion could be extended to include all ITcomponents. For instance, will the IT audit plan be presentedand executed on a stand-alone basis or will IT audit subjectsbe integrated with business areas? Answers to these questionsshould be based on the internal audit departments functionas well as its staff, size, geographical distribution, and manage-ment approach. A range of integration scenarios could beconsidered from a low integration scenario where the IT auditfunction is well-defined and established within the internalaudit department (i.e., with their own IT audit universe

and scope) to a fully integrated audit approach where all ITcomponents are understood under each business segment.Table 6 illustrates scenarios based on different options to

integrate the IT audit plan. These scenarios are:A low-integrated plan. This is a stand-alone IT auditplan under the responsibility of the IT audit team.A low-integrated plan is organized by IT subjectareas, is generally isolated from non-IT audit activi-ties, and includes the review of applications. Non-ITaudit activities generally do not include any of the ITcomponents within their scope.A partially integrated audit plan, which outlines IT

audit engagements that are established by a core IT

audit team. These plans provide an additional set ofplanned engagements, generally referred to as appli-cation reviews, which are distributed across othernon-IT audit teams and coordinated with other busi-ness process reviews.

Audit Universelow-integrated

Audit Pan

Partiay Integrated

Audit Pan

Highy Integrated

Audit Pan

Business ProcessesOperationalFinancial

Compliance

Non-IT audit Non-IT audit Integrated approach

Applications SystemsApplication controlsIT general controls

IT audit Integrated approach Integrated approach

IT Infrastructure ControlsDatabasesOperating systems

Network

IT audit IT audit Integrated approach

Table 6.IT auditing and integrated auditing


24/3620


In addition, auditors need to consider the specific sourceof the change. For instance, frequent changes in the IT auditplan could be the result of:

Changes in strategic, organizational, or humanresources.

New business process initiatives involving the use ofhigh-risk technology, such as e-commerce.Major changes in applications, such as the use of anew Web application ver

Planeamiento de TI

Documents

Transcript of Planeamiento de TI