License Agreement for The IIA's CIA Challenge Exam Study Guide

STUDENT MATERIALS

By opening and using The IIA's CIA Challenge Exam Study Guide student materials (the "Materials"), the user ("User") hereby agrees as follows:

(i) That The Institute of Internal Auditors is the exclusive copyright owner of the Materials.

(ii) Provided that the required fee for use of the Materials by User has been paid to The IIA or its agent, User has the right, by this License, to use the Materials solely for his/her own educational use.

(iii) User has no right to print or make any copies, in any media, of the materials, or to sell, or sublicense, loan, or otherwise convey or distribute these materials or any copies thereof in any media.

The IIA's CIA Challenge Exam Study Guide

The IIA's CIA Challenge Exam Study Guide is based on select portions of the Certified Internal Auditor (CIA) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the study guide is a good tool for study, reading the text does not guarantee a passing score on the CIA exam.

Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice.

This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright

These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program's usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Acknowledgments

The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during development and subsequent updates.
Subject matter experts

- Farah George Araj, CPA, CIA, CFE, QIAL, Australia
- Scott Blankenship, CIA, CRMA, CPA, CFE, United States
- Melissa Clawson, CIA, CRMA, United States
- Christy Decker-Weber, CIA, CRMA, CPA, CFE, CHIAP
- Jayson Walter Kwasnik, CIA, CPA, CA, Canada
- Jessica Minshew, CIA, United States
- Joanne F. Prakapas, CIA, CRMA, CFE, CPA, CFF, United States
- James M. Reinhard, CIA, United States
- Elizabeth Sandwith, CFIIA, United Kingdom

Past subject matter experts

- Pat Adams, CIA
- Terry Bingham, CIA, CISA, CCSA
- Raven Catlin, CIA, CPA, CFSA
- Patrick Copeland, CIA, CRMA, CISA, CPA
- Don Espersen, CIA
- Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
- James D. Hallinan, CIA, CPA, CFSA, CBA
- Larry Hubbard, CIA, CCSA, CPA, CISA
- Al Marcella, PhD, CISA, CCSA
- Markus Mayer, CIA
- Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
- Gary Mitten, CIA, CCSA
- Lynn Morley, CIA, CGA
- Lyndon Remias, CIA
- James Roth, PhD, CIA, CCSA
- Brad Schwieger, CPA, DBA
- Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CIT
- Jim Key, CIA
- David Mancina, CIA, CPA

Part 3: Business Knowledge for Internal Auditing

This part of The IIA's CIA Challenge Exam Study Guide focuses on key areas of knowledge that can help internal auditors with audit engagements. Some subjects will be directly applicable to any internal audit activity, such as examining the risk and control implications of different organizational structures or project management. Knowledge of subjects such as strategic planning, global business environments, or information security can also help the internal auditor demonstrate to stakeholders that he or she has a firm understanding of the organization's business practices and industry environment. Internal auditors who are perceived as having business savvy and organizational familiarity will be in a position to deliver value and insight. Decision makers may place more weight on recommendations that are sensitive to the organization's strategy and the complexities of its global challenges.
In brief, the sections in Part 3 are as follows:

- Section A: Business Acumen. Strategic planning process, organizational structure, business processes, and project management.
- Section B: Data Analytics. Data analytics types, governance methods, frameworks, processes, and use in internal auditing.
- Section C: Information Technology and Security. Information security controls, data privacy laws and their potential impact, emerging technology practices, existing and emerging cybersecurity risks, security-related policies, the systems development life cycle (SDLC) and delivery, change controls, and IT control frameworks.

Section A: Business Acumen

This section is designed to help you:

- Describe the strategic planning process and key activities.
- Define objective setting.
- Identify globalization and competitive considerations.
- Explain the process of aligning strategic planning to the organization's mission and values.
- Appraise the risk and control implications of different organizational structures and common business processes.
- Identify project management techniques.

According to The IIA

The IIA's guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
- Attribute Standards: www.theiia.org/Attribute-standards
- Performance Standards: www.theiia.org/Performance-standards
- Standards and Guidance: www.theiia.org/Guidance
- Position Papers: www.theiia.org/Position-papers
- Implementation Guidance: www.theiia.org/Practiceadvisories
- Practice Guides and GTAGs: www.theiia.org/Practiceguides

In a tightly competitive market, customers demand more for less and have access to multiple sources of quality goods and services at competitive prices. Organizations are examining every business process to improve quality and performance to address these rising customer expectations. A key long-term benefit of investing in quality is that organizations have a strong potential to improve their revenue and profit through repeat business from loyal customers. This section examines a number of techniques and concepts that organizations can use to analyze business process performance and be more competitive.

Topic 1: Strategy, Globalization, and Audit Alignment

This topic addresses an organization's strategic planning process and setting strategic objectives, globalization and competitive considerations, and aligning audit subjects to the organization's mission and values.

Objective and Strategy Setting

An organization's objectives define what the organization wants to achieve, and its ongoing success depends on the accomplishment of its objectives.
For most organizations, a primary blanket objective is to enhance stakeholder value. Objectives also indicate what is expected from a governance, risk management, and internal control perspective. At the highest level, these objectives are reflected in the organization's mission and vision statements. To get buy-in, a best practice is to get input from people at all organizational levels when developing or updating these statements.

The mission statement is a broad expression of what the organization wants to achieve in the present. The mission statement:

- Needs to clearly indicate the organization's purpose: its reason for being and how it proposes to add value for its customers and other stakeholders.
- Serves as a day-to-day charge to the

the end result is supposed to be or accomplish. In addition, defining what is "out of scope" helps limit unwanted work.

These constraints often compete with each other. Increased scope or quality typically means increased time and cost. A tight time constraint might mean increased costs and reduced scope. A tight budget can mean increased time and reduced scope. Quality project management is about providing the tools and techniques that enable the entire project team to organize their work and meet these constraints. If the project manager determines that project changes or issues make meeting any of these constraints infeasible, he or she will need to promptly discuss the issue with management or possibly a change control board.

Time, Resources, and Cost

The following project elements are interrelated, so planning for one area impacts the others.

Project Teams

Project plans and their execution are only as successful as the manager and the team who implement them. Building effective teams is critical to the success of any project.
Projects commonly include the following roles and team members:

- Project stakeholders are internal and external individuals and organizations who are actively involved in the project or whose interests may be affected as a result of project execution or completion. Key stakeholders include the project manager, the customer or end user (e.g., the board for internal audit projects), and the project team.
- The project sponsor is the person or group who wants the project to occur, who champions support for the project, and who commits the necessary resources.
- The project manager is the project leader. He or she is responsible for coordinating and integrating activities and is accountable for project success. A project manager is often a client representative who determines and implements the client's needs.
- The project team is the team assembled for a specific project. The team members disband when the project is over. The quality level of team members may impact cost and time.

Project Time, Cost, and Resources

Project managers and their team members can use a variety of tools and techniques to plan, schedule, and manage their projects. Tools commonly associated with project management include Gantt charts and network analysis tools. The concept behind these tools is that during a project, some activities, known as sequential or linear activities, need to be completed in a particular sequence, with each stage being completed before the next activity or task can begin. Other activities are not dependent on the completion of any other tasks and can be completed at any stage during the time line. These are nondependent or parallel tasks that can be scheduled based on resource availability.

Other essential project management techniques include the project budget for cost planning and control and change management to control the scope of the project. The project budget is used as a baseline against which variances from intended costs are measured.
Gantt Chart

The Gantt chart (also known as a horizontal bar chart, a milestone chart, or an activity chart) is a project scheduling technique that divides each project into sequential activities with estimated start and completion times. It allows the decision maker to visually review a schematic presentation of the project time budget and compare it with the actual times. To create a Gantt chart, the project manager plots the steps of the project and their sequence and duration. The list includes the earliest start date for each task, the estimated length of time it will take, and whether it is parallel or sequential. This forms the basis of the scheduling chart shown in Exhibit 3-16. A Gantt chart's simplicity allows for easy schedule modifications.

Exhibit 3-16: Gantt Chart

A Gantt chart:

- Helps plan tasks that need to be completed.
- Provides a basis for scheduling when tasks will be executed.
- Helps plan the allocation of resources necessary to complete the project.
- Helps determine the critical path for a project with a hard deadline (provided the dependencies between tasks are drawn on the chart; bars alone do not show which tasks wait on which).
- Is appropriate for internal audit scheduling because the audit process does not often require sequence revisions.

Network Analysis (PERT/CPM)

A project network is the graphical representation of a project's tasks and schedule. Network analysis involves evaluating the network of tasks and functions that contribute to a project in order to determine the most efficient path for reaching the project goals. Network analysis software can help complete project scheduling, including tracking resource costs and usage. Network analysis can help:

- Project managers schedule activities in projects with many separate jobs or tasks performed by many departments and individuals.
- Project managers identify possible ways to revise or shorten the sequence of activities to expedite the project and/or lower costs.
- Internal auditors understand the risk and control implications of projects, especially in complex industries like construction and aircraft manufacturing.

Two common types of network analysis are the program evaluation and review technique (PERT) and the critical path method (CPM). Due to their similarity, this type of network analysis is now often referred to as PERT/CPM. These methods are used to schedule, organize, and coordinate tasks, generally for large, complex projects with a high degree of inter-task dependency. Internal auditors may use these tools in evaluating efficiency or may verify their proper use.

A PERT/CPM chart illustrates a project flow graphically. Circles or rectangles represent project milestones (events), linked by arrows that represent the activities and indicate their sequence. Constructing a PERT/CPM network requires three inputs:

- Tasks necessary to complete the project
- Time required to complete these tasks
- Task sequence, including which tasks must be sequential and which can be parallel

The goal of the PERT/CPM chart is to identify the critical path. The critical path is the sequence of activities that have no slack and collectively take the longest to complete; its length is the shortest possible total project duration. Slack time is the amount of additional time by which an activity's start can be delayed, or its duration extended, without delaying the overall project. Activities on the critical path by definition have no slack, meaning that their start times and durations need to be on schedule or the whole project will be delayed. Tasks that are not on the critical path may have slack and so could be started later or run longer without affecting the overall schedule (until their slack is used up).

Exhibit 3-17 shows an example of a PERT/CPM chart.

Exhibit 3-17: PERT/CPM Chart

Source: Sawyer's Internal Auditing, fifth edition, by Lawrence B. Sawyer, et al. Used with permission.
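The forward and backward passes that find the critical path and each activity's slack are mechanical, so they are easy to check with a script. The following Python program is an added example, not part of the study guide and not Sawyer's exhibit: it analyzes an activity-on-arrow network with the same seven events and five paths as Exhibit 3-17. The exhibit itself is not reproduced here, so the individual activity durations in ACTIVITIES are an assumption; they were chosen so that the five paths total 98, 100, 108, 102 and 92 days, the figures the text reports for the exhibit. The function names (analyze, all_paths, crash) are likewise the example's own. The crash() function illustrates the caveat raised under the schedule adjustment tools below: shortening activity 4-5 by ten days makes 1-3-5-7 the new critical path.

```python
"""PERT/CPM critical path and slack for an activity-on-arrow network."""
from collections import defaultdict

# Constructed network modelled on Exhibit 3-17: events 1..7, ten activities.
# Durations (days) are an assumption chosen so that the five paths total
# 98, 100, 108, 102 and 92 days, the figures the text gives for the exhibit.
ACTIVITIES = {
    (1, 2): 20, (2, 4): 30, (4, 7): 48,   # path 1-2-4-7 = 98
    (2, 3): 20, (3, 5): 30, (5, 7): 30,   # path 1-2-3-5-7 = 100
    (4, 5): 28,                           # path 1-2-4-5-7 = 108
    (1, 3): 42,                           # path 1-3-5-7 = 102
    (1, 6): 50, (6, 7): 42,               # path 1-6-7 = 92
}


def event_order(activities):
    """Topological order of events (Kahn's algorithm); rejects cyclic networks."""
    indegree = defaultdict(int)
    successors = defaultdict(list)
    events = set()
    for i, j in activities:
        events.update((i, j))
        successors[i].append(j)
        indegree[j] += 1
    ready = sorted(e for e in events if indegree[e] == 0)
    order = []
    while ready:
        e = ready.pop(0)
        order.append(e)
        for n in successors[e]:
            indegree[n] -= 1
            if indegree[n] == 0:
                ready.append(n)
    if len(order) != len(events):
        raise ValueError("network contains a cycle")
    return order


def analyze(activities):
    """Forward/backward pass: earliest and latest event times, activity slack,
    total project duration and one critical path (as a list of events)."""
    order = event_order(activities)
    preds, succs = defaultdict(list), defaultdict(list)
    for (i, j), d in activities.items():
        preds[j].append((i, d))
        succs[i].append((j, d))
    earliest = {}
    for e in order:  # forward pass: earliest time each event can occur
        earliest[e] = max((earliest[i] + d for i, d in preds[e]), default=0)
    duration = max(earliest.values())
    latest = {}
    for e in reversed(order):  # backward pass: latest time that does not delay the end
        latest[e] = min((latest[j] - d for j, d in succs[e]), default=duration)
    # Slack of activity i->j: how late it may finish minus how early it can start.
    slack = {(i, j): latest[j] - earliest[i] - d for (i, j), d in activities.items()}
    # Walk zero-slack activities from the start event to recover the critical path.
    path = [order[0]]
    while succs[path[-1]]:
        node = path[-1]
        path.append(next(j for j, _ in succs[node] if slack[(node, j)] == 0))
    return {"duration": duration, "earliest": earliest, "latest": latest,
            "slack": slack, "critical_path": path}


def all_paths(activities, start, end):
    """Every start-to-end path with its total duration (what the text enumerates)."""
    succs = defaultdict(list)
    for (i, j), d in activities.items():
        succs[i].append((j, d))
    found = {}

    def walk(node, path, total):
        if node == end:
            found[tuple(path)] = total
            return
        for j, d in succs[node]:
            walk(j, path + [j], total + d)

    walk(start, [start], 0)
    return found


def crash(activities, activity, days):
    """Return a copy of the network with one activity shortened ('crashing')."""
    if activities[activity] - days <= 0:
        raise ValueError("cannot crash an activity to zero or negative duration")
    crashed = dict(activities)
    crashed[activity] -= days
    return crashed


if __name__ == "__main__":
    result = analyze(ACTIVITIES)
    print("duration:", result["duration"], "critical path:", result["critical_path"])
    for act, s in sorted(result["slack"].items()):
        print(f"  activity {act[0]}-{act[1]}: slack {s} days")
    after = analyze(crash(ACTIVITIES, (4, 5), 10))
    print("after crashing 4-5 by 10 days:", after["duration"], after["critical_path"])
```

Run as a script it prints the 108-day duration, the path 1-2-4-5-7, a slack of 0 for its four activities and positive slack for the other six (for instance 16 days on 1-6 and 6-7, 10 days on 4-7). Note that the cycle check in event_order matters in practice: a network with a dependency loop has no topological order, and without the check the forward pass would silently produce wrong times rather than fail.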
In Exhibit 3-17, there are five possible paths to reach the project endpoint (event 7), and the longest one is the critical path:

- 1-2-4-7 (98 days)
- 1-2-3-5-7 (100 days)
- 1-2-4-5-7 (108 days): the critical path, because it takes the longest to complete
- 1-3-5-7 (102 days)
- 1-6-7 (92 days)

Benefits of PERT/CPM:

- They identify and prioritize tasks that must be completed on time for the whole project to be completed on time.
- They identify sequential and parallel tasks.
- They identify which tasks can be delayed or accelerated without jeopardizing the project.
- They form the basis for schedule planning and forecasting.
- They help in scheduling and managing complex projects.
- They show the best use of resources to achieve the goal within time and cost limitations.

Disadvantages of PERT/CPM:

- Unknowns can still impact a schedule, such as delays in resource availability.
- Gantt charts are easier to interpret and are usually still needed.

Project Manager Schedule Adjustment or Correction Tools

Unexpected delays or resource conflicts can occur, so a project manager needs to be able to shorten or adjust a project's time line. The project manager can do the following:

- Use "fast tracking" or add lead time. Lead time or "fast tracking" are methods to begin a scheduled task before its predecessor task is completed (if feasible), which means the tasks are performed simultaneously to some degree. For example, the original time line for an advertising brochure may call for the graphics to be completed after the writer finishes the first draft. If the illustrator gets the list of graphics two weeks earlier, there are two weeks' lead time to finish the graphics, which can help if the illustrator would otherwise be double-booked. Fast tracking creates the risk of rework if the predecessor task impacts how the successor task should have been done.
- Use slack time. Activities not on the critical path often have slack. In our brochure example, if marketing activities are not on the critical path, there may be slack in the start date for these activities.
- Assign additional resources ("crashing"). It may be possible to increase the resources committed to a task on the critical path, which is called "crashing." Assigning two people to write the first draft of the advertising brochure could cut the writing time in half (assuming no learning curve and that the work divides cleanly between them). Risks include budget overruns, inefficiency (e.g., learning curves), and diminishing returns for each additional resource.
- Schedule overtime. Tasks may be shortened by scheduling project members for overtime.

If the critical path is shortened, a different sequence of tasks could become the new critical path, so the network should be recalculated after every such adjustment.

Change Management (Scope Control)

While schedules and budgets can be used as baselines against which to measure variances, another tool is needed to ensure that the project remains on scope. Problems such as scope creep or gold plating not only consume staff time and other resources; they confuse schedules and plans because people are working on things that are not even in the schedule. A disciplined change management process can prevent scope creep and gold plating. All stakeholders need to be informed in advance of the required process for requesting changes to the scope as agreed upon and evidenced by the signatures on the project charter. Project team members need training on avoiding doing more work than is in the plan and need to keep in mind that:

- The client may not even appreciate this work.
- The organization will not appreciate the project going off schedule or budget for unnecessary or avoidable reasons.

A formal change management process (also called change control) involves these steps:

- A project stakeholder submits a change order request, which is a request for a significant project change. A significant change is one that would impact the scope, schedule, or budget. (The project manager has discretion for changes below this threshold.)
- The project manager or a change control board for the project performs a change impact assessment, a two-step process that reviews:
  - The technical merits of the change (including how it impacts interrelated components).
  - The impact of the change on the schedule, budget, or other constraints such as quality.
- Approved changes are reflected in budget, schedule, and plan updates, and the new plan version is provided and communicated to the team.
- Rejected changes and the rationale are communicated. Project managers might create a list or "parking lot" for changes to be considered later or in a future project.

Key Point

If a change is deemed to have technical merit, the project manager must insist on the project sponsor approving additional resources as needed to make the change. If the additional resources are not provided, the project manager should reject the change.

Section B: Data Analytics

This section is designed to help you:

- Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing.
- Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results).
- Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.).

According to The IIA

The IIA's guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
- Attribute Standards: www.theiia.org/Attribute-standards
- Performance Standards: www.theiia.org/Performance-standards
- Standards and Guidance: www.theiia.org/Guidance
- Position Papers: www.theiia.org/Position-papers
- Implementation Guidance: www.theiia.org/Practiceadvisories
- Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section discusses the importance of data analytics to modern internal auditing. It addresses big data, the data analytics process, and the application of data analytics methods.

Topic 1: Data Analytics, Types, and Governance

This topic starts by defining data analytics, data types, and the Vs of data: the qualities of data, such as volume and velocity, that need to be understood for data to be made into useful information. This discussion will help internal auditors understand why data analytics is becoming increasingly necessary for internal auditing. The topic also addresses the definition and importance of data governance and information security governance.
According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:

- Global Technology Audit Guide (GTAG) 16, "Data Analysis Technologies": https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG16.aspx
- Global Technology Audit Guide (GTAG), "Understanding and Auditing Big Data": https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Understanding-and-Auditing-Big-Data.aspx
- Global Technology Audit Guide (GTAG) 15, "Information Security Governance": https://bookstore.theiia.org/global-technology-audit-guide-gtag-15-information-security-governance

Data Analytics

Data analytics is the process of gathering and analyzing data and then using that data and the results to provide business information for making better organizational decisions and implementing more relevant policies and procedures. It can also refer to data mining: gathering information from multiple sources to acquire results that management can use to make better-informed decisions. A definition relevant to CAEs is that data analytics is the process of using analytical techniques and repeatable automated processes (e.g., using scripts) to search for patterns and anomalies and to quantify and highlight potential risks and opportunities using operational, financial, and other data.

Developing competency in data analytics starts by understanding the value of data analytics in internal auditing and learning about the qualities and types of data.

Value of Using Data Analytics in Internal Auditing

Key Point

Data analytics is very important to the internal audit activity.
For example, Standard 2240, "Engagement Work Program," indicates that "work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement." Similarly, Standard 2320, "Analysis and Evaluation," states that "internal auditors must base conclusions and engagement results on appropriate analyses and evaluations." These procedures and analyses often make significant use of data analytics.

Implementation Guidance for Standard 2320 includes the following information related to analytical procedures.

Analytical procedures are used to compare information against expectations, based on an independent (i.e., unbiased) source and the premise that certain relationships between information can be reasonably expected in the absence of conditions to the contrary. Analytical procedures may also be used during engagement planning (2200 series of standards). Examples of analytical procedures include:

- Ratio, trend, or regression analysis.
- Reasonableness tests.
- Period-to-period comparisons.
- Forecasts.
- Benchmarking information against similar industries or organizational units.

Internal auditors may further investigate any significant deviations from expectations to determine the cause and/or reasonableness of the variance (e.g., fraud, error, or a change in conditions). Unexplainable results may indicate a need for additional follow-up and may suggest the presence of a significant problem that should be communicated to senior management and the board...
Each functional area in an organization needs to justify its own existence by showing that it adds more value than it costs to maintain. This is as true for internal auditing as it is for production, sales, or finance. Ways to add value include:

- Finding ways to operate more efficiently, or doing more with less.
- Operating more effectively, or doing the right things in the first place.
- Identifying cost-saving or revenue-generating opportunities for the organization, or adding consulting value.

Data analytics has the potential to assist an audit review by transforming what otherwise might be a surplus of data into useful and actionable information in a timely fashion. Because internal audit has access to data from multiple areas of the organization, the function is uniquely positioned to transform data into information valuable to the organization. Data analytics will only become more common in future internal audit activities. The CAE may want to be proactive and sell the organization on making these strategic investments. After all, identifying even a single major area for cost savings could pay for the investment in software and training. Here are some other specific benefits:

- Spend less time on data preparation, formatting, or calculating and more time on value-added analysis.
- Fully or partly automate previously manual audit tests and perform them on more (or all) of the items in a population, reducing the need to rely on random or judgmental sampling.
- Better filter out false positives or false negatives from results.
- Set rules such as a threshold for an invoice amount.
- Plan better audits by using analytics to understand which areas or processes would receive the most benefit from an audit.
- Identify, categorize, prioritize, monitor, and manage risk more efficiently and effectively.
- Better detect fraud, errors, inefficiencies, red flags, and anomalies.
- Better assess the operating effectiveness of internal controls.
- Rely less on IT or general data analytics staff if internal auditors can run queries or scripts themselves.

Key Point

Internal audit activities that leverage data analytics better fulfill their responsibilities to evaluate and improve the organization's governance, risk management, and control processes. They do this by freeing up internal auditor time through fewer manual, time-consuming procedures. The internal audit activity can broaden the scope of its services when it uses fewer staff per engagement.

The Vs of Data Analytics

As stated in Data Analytics: Elevating Internal Audit's Value, the four Vs of data are volume, velocity, variety, and veracity. The IIA's Global Technology Audit Guide (GTAG), "Understanding and Auditing Big Data" discusses these and some additional Vs: variability, visualization, and value. Exhibit 3-18 addresses each of these Vs from the perspectives of data analytics or big data. While big data will be defined and discussed shortly, note that it is both a description of the massive amounts of data organizations may need to process and analyze and a term for the systems capable of making such data into actionable information.

Exhibit 3-18: Vs of Data Analytics and Big Data

V: Why It Is Relevant to Data Analytics or Big Data

Volume: Volume is the vast amount of data, which is significantly greater than it has ever been due to our ever-increasing ability to capture data from the point of sale, surveys, Internet sources, and so on. This may mean that analysis needs to take place on servers rather than on analysts' workstations, which can also improve security because the data stays in one controlled location instead of being copied to many endpoints. Volume also means that internal auditors and other analysts can now test entire sets of data rather than sampling. This can reduce audit risk, save time, and allow unprecedented insight into operations.

Velocity: Velocity is the speed at which data is generated and must be captured and processed, a consequence of the increased number of devices online and the large amount of data collected from around the world. Information can be rapidly gathered from anywhere.

Variety: Variety is the numerous types of data being identified, captured, and stored. This can include categorizations such as data formatted for particular software or for a functional area such as finance.

Veracity: Veracity is the truth of the data. Veracity is key, as data analytics is only as good as the underlying data. The adage "garbage in, garbage out" is never more true than in data analytics, yet veracity is often its most overlooked aspect. For example, an erroneous outlier in the source data could skew results and create a false positive or false negative result. In other words, without veracity, organizations risk faulty decisions and auditors risk material errors and erroneous recommendations. Controls can reduce the risks of duplicate or incomplete records, entry errors, logic/formula errors, data that violates entry field rules, or otherwise inconsistent data. Investigating outliers is an example of an audit step for data preparation.

Variability: Variability is the wide range of data results and the constant change of data. Variability is especially prevalent in big data.

Visualization: Visualization is the difficulty of providing easy-to-interpret yet accurate and useful visualizations of data or analytic results, such as graphics and charts. This is also an issue for big data.

Value: Value is the opportunity for data analytics or big data to create new insights and translate those insights into actions that create positive outcomes benefiting organizations, consumers, and society.

Data Types

While there are many data types at the detail level (this speaks to the V for variety of data), a broad way to categorize data types is structured versus unstructured.
Structured data is data formatted for ease of use for automated or semi-automated analysis, such as into columns and rows, much like a well-ordered spreadsheet. This will include data from databases such as functional area modules in an enterprise resource planning (ERP) system or an audit software package. The organization of structured data enables analysts to run repeatable queries that can be customized to specific objectives. However, data in different structured formats is often not compatible without being converted, which can be straightforwardor can require additional steps and custom software. Unstructured data is data that has not been formatted for ease of use for automated or semi-automated analysis (i.e., data that is not easy to sort or tabulate). Organizations are storing a vast amount of this type of data from social media, emails, word-processing documents, court proceedings, etc. Big Data Big data describes the exponential growth and availability of data created by people, applications, and smart machines as well as large, complex data sets or unstructured data that is beyond the capabilities of traditional data-processing applications. Organizations that invest in the required data collection, storage, processing power, and analytic tools can leverage big data for competitive advantage if they also bolster their data governance and information security governance (including privacy protection). Here are some examples of sources of big data: Internal systems (e.g., transaction data, customer complaints, email, messaging) Industry sources (e.g., customer adoption rates per product) Society data (e.g., traffic cameras, economic data, social media) Nature and weather (e.g., weather trends, earthquake data) Data available from external sources (e.g., data sets available for free use, data sets for purchase or lease such as market research) Mobile devices, Internet-connected devices, radio frequency ID (RFID) tags, etc. 
- Web searches

Key Point: The internal audit activity may be able to leverage the acquired, consolidated, and integrated data in the organization’s big data system for use in data analytic efforts for audit projects.

Key stakeholders in big data are discussed next, followed by audits of big data systems.

Big Data Key Stakeholders

Key stakeholders in big data initiatives at organizations include those listed in Exhibit 3-19.

Exhibit 3-19: Big Data Key Stakeholders
- Project sponsor: Executive-level resource who drives support and funding for the program
- Business/data owners: Data owners who support data consolidation and integration into one solution that supports organizational goals
- Business analysts: Specialists who maintain knowledge of business needs and technology capabilities to transform business requirements into big data solutions
- Consumers (e.g., marketing): Any function within the organization that consumes data and/or uses the analytic results, possibly including internal auditing
- Chief information officer: Executive resource responsible for delivering the technology solution or partnering with external vendors when big data is outsourced
- Chief privacy officer/chief information security officer: Executive resources to be consulted on controls related to the security, protection, and use of the data and resulting analytics
- Chief data officer: Executive resource who directs enterprise-level data governance
- Technical data analytics resources/data analysts: Can include database administrators, software developers, technical tools administrators, and script writers
- Data scientists: Advanced analytics professionals who understand the technology and business processes and can develop and support innovative analytics to drive business value (e.g., predictive analytics)

Audits of Big Data

The internal audit activity’s role in big data involves considering big data as an audit universe element during risk assessment and audit planning and educating the board on the
organization’s big data risks, challenges, opportunities, benefits, and initiatives. Internal audit activity coverage of big data is typically addressed using multiple audits rather than a single large audit. A key part of this role is assessing the audit risks for big data.

Key Audit Risks for Big Data

The primary risk areas impacting big data include:
- Program governance risks.
- Technological availability and performance risks.
- Security and privacy risks.
- Data quality, management, and reporting risks.

Program governance risks relate to lack of appropriate management support, funding, and/or governance over the big data program that can expose the organization to undue risk or failure to meet strategic goals. Controls auditors could suggest may include:
- Reviewing the program’s strategy and objectives for appropriateness.
- Measuring performance versus expectations.
- Requiring a proof of concept before full rollout.
- Ensuring adequate funding and resources (with clear roles and responsibilities).
- Overseeing internal and third-party systems.

Technological availability and performance risks relate to poor, untimely, or unavailable systems that could create a negative customer experience or fail to realize benefits. Internal auditors may suggest controls such as:
- Structuring IT operations to support big data service level expectations, including following a maintenance and patch management strategy.
- Ensuring that systems are flexible and scalable and have measurable performance objectives and a regular method to test actual performance.
- Ensuring that systems are procured, built, and/or configured in alignment with the complexity and demands documented in the business case.

Security and privacy risks relate to the protection of the data from unauthorized access, modification, or theft and noncompliance with regulations such as for privacy. Privacy is especially important in such systems because the data is being compiled from multiple sources.
Ensuring that only authorized individuals can view sensitive data is vital. Internal auditors ensure that:
- Big data systems include data, information security management, and privacy strategies.
- Third-party access is properly managed.

Data quality, management, and reporting risks relate to poor information leading to poor decisions or inaccurate management reporting. Internal auditors can suggest controls such as:
- Verifying that policies and procedures exist related to internal data quality, third-party data quality, reporting accuracy, role-based access, and vendor business alignment.
- Ensuring that report controls allow for flexibility, ad hoc reporting, and utility (such as by training report users periodically).

Data and Information Security Governance

Management and oversight of data and information security are part of the control environment and impact the effectiveness of related risk management and control activities.

Data Governance

Data governance involves the organization’s policies and procedures, controls, and related information technologies regarding the collection, use, storage, usability (e.g., formatting for ease of use), analysis, deletion, and safeguarding of data. A shorter definition of data governance is that it is a way of ensuring and continually improving data quality. Safeguarding of data includes ensuring:
- Availability (protection from loss).
- Integrity (protection from corruption).
- Access (role-restricted access to sensitive organizational or customer data).
- Compliance with relevant laws and regulations, such as for data privacy.

Management will develop, authorize, direct, manage, and monitor the organization’s data governance policies, procedures, controls, and information systems to ensure alignment with the organization’s strategy, objectives, mission, vision, and ethics statements.
Management may be concerned about ensuring that data analytics enables confident and timely decision making, that staff work efficiently and effectively, and that data is leveraged to maximize profit potential.

As with all types of governance, the board and its relevant committees provide oversight over the organization’s data governance plans and activities. The board has a fiduciary responsibility to the organization’s stakeholders and so must understand their data governance needs. However, data governance is management’s day-to-day responsibility. Internal auditors assess the effectiveness of data governance activities.

For big data, data governance activities include:
- Identifying data owners and consumers and ensuring that owners take responsibility for the quality and security of their data.
- Designating critical data elements and special handling requirements.
- Managing metadata (data about data, such as source information), master data, and authoritative data sources.
- Ensuring that control processes are at the appropriate level for the sensitivity of the data and include data defect identification and data loss prevention measures.
- Ensuring that systems maintain agility throughout their life cycles.

Information Security Governance

According to The IIA
Implementation Standard 2110.A2 (Assurance Engagements): The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

Information security governance is a component of overall IT governance that relates to both IT operations and IT projects. Information security governance requires that:
- Management promotes good information security practices with clear direction and understanding at all levels, controls information security risks, and creates an information security activity to manage the related objectives and risk appetite.
- The board establishes security policy, defines the corporate security culture, communicates the business imperative, and provides oversight over information security activities.
- Staff and line management help design and implement information security frameworks and activities, define security requirements, and monitor security controls.

The internal audit activity may provide assurance or other support (in line with its board-approved charter) in the following areas:
- Assessing the degree to which governance activities and standards are consistent with the internal audit activity’s understanding of the organization’s risk appetite
- Assurance or consulting work that focuses primarily on assurance over and continuous improvement of information security governance practices, policies, roles, responsibilities, risk appetite alignment, effective communication, tone at the top, and accountability
- Ongoing dialogue with the information security governance activity to ensure that risks are being addressed in a timely manner

(The IIA Standards: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx)

Auditing information security governance starts with planning to understand the structure, objectives, communications, risk appetite, integration within the organization, and external influences. Audit testing includes evaluating stakeholder concerns, reporting lines, KPIs, supporting documents, and risk appetite alignment. Analyzing includes assessments of accountability, design effectiveness, program effectiveness and efficiency, resource levels, the clarity of roles, added value, and continuous improvement.

Topic 2: Data Analytics Framework and Process

This topic addresses establishing a data analytics framework. It also looks at the steps in the data analytics process: defining the questions, obtaining relevant data, cleaning and normalizing the data, analyzing the data, and communicating the results.
According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies” (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG16.aspx)

Data Analytics Framework

An effective data analytics framework should answer questions such as “What are the top issues facing the organization?” or “How can the audit add more value?” Answering these questions allows for developing a framework that is achievable, aspirational, and identified by smaller milestones that show the progress to achieving the long-term objective.

When building a data analytics framework, an entity:
- Develops its vision.
- Determines how to progress in building data analytics capabilities, including what steps should be taken to elevate performance.
- Evaluates current capabilities and identifies people, processes, and technologies to enhance those capabilities. This can include spending money in two critical areas:
  - Talent, such as training and staffing
  - Technology, such as hardware and software

Once the data analytics framework is established, the entity should progress to implementing and monitoring this new plan. Implementation should be addressed in stages so as not to overwhelm current resources. Monitoring has a two-part role: to gauge the level of adoption from each impacted department and to act as an independent party to assist other areas in improving their data analytics. As an organization’s data analytics framework matures, the organization’s strategies should also advance to meet those changes.

Exhibit 3-20 lists some recommendations for establishing a reliable data analytics framework.

Exhibit 3-20: Data Analytics Framework Recommendations
- Aligning: Align data analytics strategy with long-term audit goals and objectives, current audit plans, and the risk management process.
- Keeping end in mind: Manage data analytics as a program, focusing on the desired end state of maturity.
- Ensuring uniformity: Develop a uniform set of analytics practices and procedures across assessment functions.
- Assigning responsibility: Assign responsibility for data management, quality assurance, and other key roles.
- Annotating: Document and/or comment scripted analytics to record the intent and context of the analysis being automated.
- Testing: Review and test analytics being used to ensure that the results being generated are accurate and appropriate for the audit step being run.
- Reviewing: Establish a peer review or supervisory review process to safeguard against the reliance on results generated using incorrect logic or formulas.
- Standardizing: Standardize procedures and tests in a central and secure repository.
- Safeguarding: Safeguard source data from modification or corruption using technology or by analyzing backup or mirrored data for audit purposes.
- Minimizing impact: Address the potential impact of the analysis on production systems, either by scheduling analysis at off-peak times or by using backup or mirrored data.
- Educating: Educate staff on how to interpret the results of the analysis performed.
- Continuously learning: Treat training as a continuous process, measured by ongoing growth and continuous development of capabilities.
- Evolving: Aim for constant improvement with leveraged use of data analysis as it matures.
Source: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies.”

Data Analytics Process

Data analytics lets internal auditors focus efforts on areas identified as needing a higher level of assurance due to higher risk. A proven process for data analytics uses the following steps.

Define the questions. The first step is to define the potential achievements and the anticipated value the data analyst is trying to attain. One approach to do this is to develop a question that needs to be answered.
For example, asking “How can we identify where potential fraud is occurring and what parties are involved?” helps establish a basis from which multiple sources of data can be pulled. The internal audit activity should also consider the use of data analytics for audit planning risk assessment.

Obtain the data. The next step is information discovery or obtaining access to the data needed to perform the analysis. It is important that the auditor gain an understanding of the data being analyzed to help avoid making faulty conclusions. For example, data on revenue by division or product line and/or revenue backlogs by value and age can be gathered to identify red flags for revenue-related risks. Getting access to and making the data usable can be difficult and expensive. CAEs have identified obtaining data as the greatest challenge in building data analytics into internal audit activities. An effective data analytics technology solution could take one or more of the following forms:
- A pull system involves making ad hoc queries and/or writing reusable query scripts. The goal is to narrow or broaden the focus of an analysis to suit the question being asked. Ideally, these tools should be user-friendly to limit the learning curve and enable broad participation or at least limit needing to use IT resources.
- A push system sends predetermined data (basically reports formatted for computer use) out to a repository for use in queries, scripts, or continuous auditing software.
- Manually maintained data may exist and need to be gathered. This is the least reliable source of data because it may lack integrity due to ineffective change controls, gaps, or errors. If a manually maintained source of data needs to be used, any automated data that also exists should form the primary basis for the analysis.

Cleanse and normalize data.
Data cleansing is identifying and removing duplicate data and identifying whether identically named data fields from different systems have identical or different meanings. This is an especially important step when the data is being compiled from more than one source. Data normalization is the process of organizing data in order to reduce the potential for redundancy and to facilitate the use of the data for specific purposes. Normalization also allows for the identification of anomalies, which might represent actual problems or potential opportunities. If IT must be relied upon to do this step, there often can be significant delays before the work is done and, if there are errors, it could require multiple rounds of effort. Having an auditor on the team who is skilled in doing data integrity and validity checks can streamline this process.

Analyze the data. After the data has been cleansed and normalized, it should be analyzed. The analysis process used may differ depending on the type of data being analyzed. A preliminary analysis can provide initial results and assist in determining if anomalies reflect errors, violations of company policies, or red flags for fraud. Targeted, detailed analysis can follow. Once analyzed, all data should be interpreted: Have patterns emerged? Are the identified anomalies errors in the feature, system, or process? Is senior management aware of the feature and its consequence?

Communicate the results. The final step is to communicate the results to the board and senior management. Because data analytics results are often heavy in numeric and data tables, providing data visualization and graphical representations is an excellent way to inform leadership and enhance the decision-making process.

Topic 3: Data Analytics in Internal Auditing

This topic addresses the application of data analytics methods in internal auditing, including diagnostic, predictive, network, and text analysis, anomaly detection, and other methods.
It also addresses internal audit maturity levels for data analytics and some specialized team roles.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies” (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG16.aspx)

Data Analytics in Internal Auditing

Internal audit activities can use data analytics to meet their auditing objectives. By analyzing data in key organizational processes, the internal audit activity can detect changes or vulnerabilities in organizational processes and potential weaknesses that could expose the organization to undue or unplanned risk. The internal audit activity can then target resources to safeguard the organization from excessive risk and improve audit coverage. The discovery power of data analytics also helps ensure that the internal audit activity is auditing today’s risks rather than yesterday’s.

Internal auditors analyze data from multiple sources against control parameters, business rules, and policies to provide fact-based assessments of how well automated controls are operating. Indicators in the data can also provide evidence of how well semi-automated or manual controls are being followed. Analysis of 100% of relevant transactions can identify fraud, errors, inefficiencies, or noncompliance.

Audit-Specific Data Analytics Techniques

Three basic techniques of data analytics that internal audit activities can use are shown in Exhibit 3-21.
Exhibit 3-21: Data Analytics Techniques

Ad Hoc
- Exploratory and investigative in nature
- Specific analytic queries performed at a point in time for the purpose of generating audit report findings
- Seeking documented conclusions and recommendations
- Example: search for suspicious vendors or phantom employees by comparing vendors to employees

Repetitive
- Periodic analysis of processes from multiple data sources
- Managed analytics (scripts) created by specialists and deployed from a centralized, secure environment, accessible to appropriate staff
- Seeking to improve the efficiency, consistency, and quality of audits
- Example: quarterly journal entry analysis of manual and automated control effectiveness looking for invalid users or account postings, duplicate or frequently reversed entries, or journal entries pre- and post-period close

Continuous
- “Always on” scripted auditing and monitoring of key processes
- Continual execution of automated audit tests to identify errors, anomalies, patterns, and exceptions as they occur
- Seeking timely notification of trends, patterns, and exceptions
- Supporting risk assessment and enabling audit efficiency
- Example: pay cycle review with exceptions and gaps reported automatically to a third-party recovery partner

Source: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies.”

Levels of Maturity in Data Analytics

Exhibit 3-22 shows a maturity model for data analytics. Internal auditors can assess where the internal audit activity is currently at versus where it wants to get to, taking care to set realistic goals based in part on available funding and resources.

Exhibit 3-22: Maturity Model for Data Analytics (maturity level and description)
1. Basic: Auditors do (usually ad hoc) queries and analyze data to support a specific audit objective. Analysis includes statistical analysis, classifications, and data summarization. Few audit staff have this capability. Use is not fully integrated in the audit cycle.
2.
Applied: Data analytics are fully integrated into targeted audit processes and the audit cycle, including in planning and audit program design. Auditors develop comprehensive suites of quality-controlled repetitive tests. Analytics starts to add real value to efficiency, assurance, and audit findings. The process is still decentralized.
3. Managed: Data analytics is centrally organized and controlled in approach and data security. Data, audit tests, results, audit procedures, and documentation are in a centralized, structured repository subject to audit management review. Even nontechnical audit staff can access test results. Sharing of data, repeatable tests, and results reduces duplication of effort and enables sustainable maturity even if specialists leave.
4. Automated: Internal audit activities increase automation of audit tests and use some continuous auditing. Audit processes start to shift to concurrent, ongoing monitoring of multiple areas. Data access protocols exist to authorize automated analytic tests. Findings from continuous auditing may not always be translated into action.
5. Continuous: A continuous auditing program is fully established across multiple areas, and the internal audit activity regularly produces reports on control problems and the potential for fraud, error, and noncompliance. Risk management processes gain a clearer picture of risk issues and trends. Management may also share monitoring responsibilities.

Advancing to higher levels of data analytics maturity often requires investments in software, but it is equally important to invest in training and recruitment. CAEs may want to establish specialist roles in their audit teams to ensure that any tools will be fully leveraged. Specialist roles may include the following:

Data specialist.
Internal auditor with a detailed understanding of the organization’s information systems and how to access data from disparate systems, prepare the data, and make it available to the team.

Data analytics specialist. Internal auditor who is a power user of the data analytics software the organization has provided.

Internal audit leadership and staff auditors need training. Leaders need to have visibility into what audit steps have been automated or are dependent on the use of data analytics software to enable their oversight role. They also need to have enough skill to review analytics findings across the team and against audit plan objectives. Staff auditors need a general understanding of data analytics software and sufficient competency to:
- Interpret the results of automated analytics routines.
- Perform simple analyses (sorting, filtering, grouping, and profiling).
- Document and report on analytical findings.

Types of Data Analytics

Data analytics exists on a continuum from the most straightforward to the most complex and probabilistic.

Descriptive analysis. A descriptive analysis gathers information and uses hindsight to identify “what happened.” This makes it the analysis type with the least information value, but it is still quite useful for internal auditing. Uses include:
- Data visualization: preparing charts or graphs to ease understanding or visually presenting two or more data files in relationship to one another.
- Anomaly detection or numeric analysis: identifying the outliers, exceptions, duplicates, or gaps in a set of data that require further review. For example, internal auditors for a utility company used data analytics to generate automated reports on drivers’ fuel use, and an exception report was automatically emailed to the drivers’ managers. This dramatically reduced the number of weekly exceptions.

Diagnostic analysis.
Diagnostic analysis also uses hindsight and examines specific data or content to uncover the answer to the question “Why did this happen?” It commonly uses techniques such as drill-down, data discovery, data mining, and correlations.

Predictive analysis. Predictive analysis uses insight to assess “what will happen?”, that is, the probability of an event or outcome occurring.

Prescriptive analysis. Prescriptive analysis involves the highest level of difficulty and results in the greatest value. It uses foresight and optimization to build and test scenarios around different policies, combining data, business rules, and mathematical models to determine what course of action would lead to potential outcomes.

Detecting Anomalies with Data Analytics

Anomaly detection is a powerful tool that can be leveraged to find areas of control weaknesses or failures. An anomaly is a result that deviates enough from expectations that it warrants further analysis. It can take the form of a result that is not expected or the absence of an expected result. An anomaly could be a red flag for fraud; a sign of an input, processing, or output error; a control failure; or a valid result that could be studied to provide valuable business information. Data analytics uses for anomaly detection include fraud detection and investigation, operational performance, and internal controls. Other types of data analytics include network and text analysis. These data analytics methods are discussed next.

Analytical Techniques for Internal Auditors

Here are some examples of analytical techniques for audit purposes.
- Classification and calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values) to find outliers, patterns, and associations
- Stratification to find unusually high or low values
- Benford’s Law (see below)
- Joining different data sources to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems
- Duplicate testing to identify simple and/or complex duplications of payments, payroll, claims, expense report items, etc.
- Gap testing to identify missing numbers in sequential data
- Summing values to check control totals
- Validating data entry dates and times to identify inappropriate or suspicious postings

Note that Benford’s Law is an observation that the lower numerals, such as 1, 2, and 3, in the leading digit of a set of values occur exponentially more often than the higher numerals, assuming a few things, including that the numbers are not part of an identification system. One use is as a fraud test, such as reviewing payments for an unusually high number starting with 7, 8, or 9.

Categories of Internal Audit Uses for Data Analytics

Internal audit most commonly uses data analytics to detect anomalies in assessments of compliance and operational performance, fraud detection and investigation, and internal control analysis.

Compliance uses. Data analytics helps in assessing whether the data used to determine compliance is sound or contains quality or integrity issues. Another use is when evaluating expense reports, purchasing cards, or vendor invoice line items for trends or anomalies. Data analytics can also be used to assess regulatory requirements such as by doing keyword searches.

Fraud detection and investigation uses. Data analytics can detect “ghost” employees by looking for gaps in the various records that should exist. The same can be done to detect fake suppliers or service providers.
Data analytics can create exception reports that are prioritized by those most likely to result in financial or reputation risk to the organization. Such systems can also do root cause analysis after fraud has been detected, answering questions or providing short lists related to who, what, where, and when.

Operational performance uses. Data analytics may aid in the identification of the following types of errors and/or inefficiencies:
- Duplicate payments
- Foregone payment discounts or failure to assess late collection penalties
- Slow-moving inventory or inventory held in quantities that are too high
- Cost escalation that is unusual or is not allowed in the contract
Data analytics could also highlight better KPIs or help areas converge on the best KPIs.

Internal control analysis uses. Data analytics can be used to analyze proper user access privileges or proper segregation of duties or whether control performance is effective.

Data analytics can be applied to specialty applications such as network and text analysis.

Network analysis. Network analysis refers to the mathematical analysis of complex work activities in terms of a network of related activities. This can pertain to the components and dependencies of all factors within the network.

Text analysis. Text analysis involves extracting machine-readable facts from the text of various sources and creating sets of structured data out of large compilations of unstructured data. This process dissects the data into small, manageable data pieces. Corporations can use text analysis as a starting point for managing content from a data-driven approach. This assists in automating processes such as decision making, product development, marketing optimization, business intelligence, and more.
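As an added example (not from the study guide or GTAG 16), the following Python runs three of the techniques listed under Analytical Techniques for Internal Auditors over a constructed invoice extract: the Benford’s Law first-digit test, including the check for an unusually high share of payments starting with 7, 8, or 9, gap testing on the invoice-number sequence, and duplicate testing on vendor and amount. The invoice rows, the 10-percentage-point flag threshold, and the function names are assumptions.

```python
"""Benford first-digit test, gap test and duplicate test on a constructed
invoice extract (added example, not the study guide's own material)."""
import math
from collections import Counter, defaultdict

# Constructed sample (invoice_no, vendor, amount); not real data. A Benford
# test needs a large population, so 15 rows only illustrate the mechanics.
INVOICES = [
    (1001, "Acme Ltd", 1250.00),
    (1002, "Acme Ltd", 1250.00),    # same vendor and amount as 1001
    (1003, "Bolt Supply", 312.40),
    (1004, "Cobalt Inc", 2480.00),
    (1006, "Delta Co", 1899.99),    # 1005 never issued or deleted
    (1007, "Bolt Supply", 105.00),
    (1008, "Echo LLC", 9990.00),    # cluster of high-leading-digit amounts
    (1009, "Echo LLC", 9850.00),
    (1010, "Echo LLC", 9700.00),
    (1011, "Foxtrot", 4120.00),
    (1013, "Golf", 1010.00),        # 1012 missing
    (1014, "Hotel", 760.00),
    (1015, "Acme Ltd", 1250.00),    # third copy of the Acme invoice
    (1016, "Delta Co", 2325.50),
    (1017, "India", 8800.00),
]

CHI_SQUARE_CRITICAL_8DF_5PCT = 15.507  # nine digits give 8 degrees of freedom


def first_digit(amount):
    """Leading non-zero digit of an amount; 0 when the amount is zero."""
    amount = abs(amount)
    if amount == 0:
        return 0
    while amount < 1:
        amount *= 10
    while amount >= 10:
        amount /= 10
    return int(amount)


def benford_expected(digit):
    """Benford's Law: P(first digit = d) = log10(1 + 1/d)."""
    return math.log10(1 + 1 / digit)


def benford_first_digit_test(amounts, high_digit_excess=0.10):
    """Compare observed first-digit shares with Benford's Law.

    Returns per-digit observed/expected shares, a chi-square statistic, and
    the share of amounts starting with 7, 8 or 9, flagged when it exceeds the
    Benford expectation by more than high_digit_excess (an assumed threshold).
    """
    counts = Counter(d for d in (first_digit(a) for a in amounts) if d)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    observed = {d: counts[d] / n for d in range(1, 10)}
    expected = {d: benford_expected(d) for d in range(1, 10)}
    chi_square = sum(
        (counts[d] - n * expected[d]) ** 2 / (n * expected[d]) for d in range(1, 10)
    )
    high_obs = sum(observed[d] for d in (7, 8, 9))
    high_exp = sum(expected[d] for d in (7, 8, 9))
    return {
        "n": n,
        "observed": observed,
        "expected": expected,
        "chi_square": chi_square,
        "significant": chi_square > CHI_SQUARE_CRITICAL_8DF_5PCT,
        "high_digit_share": high_obs,
        "high_digit_expected": high_exp,
        "high_digit_flag": high_obs > high_exp + high_digit_excess,
    }


def gap_test(numbers):
    """Integers missing between the lowest and highest value of a sequential field."""
    present = set(numbers)
    return [x for x in range(min(present), max(present) + 1) if x not in present]


def duplicate_test(records, key):
    """Group record ids by key(record) and keep only groups with more than one member."""
    groups = defaultdict(list)
    for rec in records:
        groups[key(rec)].append(rec[0])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    result = benford_first_digit_test([amt for _, _, amt in INVOICES])
    for d in range(1, 10):
        print(f"digit {d}: observed {result['observed'][d]:.3f} expected {result['expected'][d]:.3f}")
    print("chi-square", round(result["chi_square"], 2), "significant:", result["significant"])
    print("share starting 7/8/9:", round(result["high_digit_share"], 3), "flag:", result["high_digit_flag"])
    print("gaps:", gap_test([no for no, _, _ in INVOICES]))
    print("duplicates:", duplicate_test(INVOICES, key=lambda r: (r[1], r[2])))
```

On this sample the chi-square statistic stays below the 5% critical value because the population is tiny, while the 7/8/9 check still flags the cluster of high-leading-digit invoices; in practice both results are leads for follow-up, not conclusions.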
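The ad hoc test in Exhibit 3-21 (comparing vendors to employees to find phantom employees or fake suppliers) only works after the cleanse-and-normalize step described in Topic 2, because the same bank account, phone, or address is rarely keyed identically in two systems. This added Python example (not the study guide's own code) normalizes a constructed vendor master and employee master and joins them field by field; the record layouts, field names, and the abbreviation table are assumptions.

```python
"""Vendor-to-employee match after field normalization (added example)."""
import re
from collections import defaultdict

# Constructed extracts; the field names are assumptions about the two masters.
EMPLOYEES = [
    {"emp_id": "E001", "name": "Jane Q. Doe", "address": "12 High St., Apt 4, Springfield",
     "bank_acct": "GB12-3456-7890", "phone": "(555) 010-2233"},
    {"emp_id": "E002", "name": "Sam Patel", "address": "9 Elm Road, Riverton",
     "bank_acct": "GB99-0000-1111", "phone": "555-010-9876"},
    {"emp_id": "E003", "name": "Chris Lee", "address": "3 Oak Ave, Riverton",
     "bank_acct": "GB55-2222-3333", "phone": "555 010 4444"},
]
VENDORS = [
    {"vendor_id": "V100", "name": "JQD Consulting LLC", "address": "12 high street apt 4 springfield",
     "bank_acct": "GB1234567890", "phone": "5550102233"},
    {"vendor_id": "V101", "name": "Riverton Office Supply", "address": "100 Main St, Riverton",
     "bank_acct": "GB77-8888-9999", "phone": "555-010-0001"},
    {"vendor_id": "V102", "name": "Lee Chris", "address": "3 oak avenue riverton",
     "bank_acct": "GB00-1111-2222", "phone": "555-010-4444"},
]

# Assumed abbreviation table; a real run would use the organization's own list.
ADDRESS_ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "apt": "apartment"}


def normalize_bank_acct(value):
    """Keep only letters and digits, upper-cased, so 'GB12-3456' and 'gb123456' agree."""
    return re.sub(r"[^A-Za-z0-9]", "", value).upper()


def normalize_phone(value):
    """Digits only, dropping spaces, brackets and dashes."""
    return re.sub(r"\D", "", value)


def normalize_address(value):
    """Lower-case, drop punctuation, expand common abbreviations, collapse spaces."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ADDRESS_ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_name(value):
    """Sorted lower-case tokens longer than one character, so 'Lee Chris' equals 'Chris Lee'."""
    tokens = [t for t in re.sub(r"[^a-z0-9 ]", " ", value.lower()).split() if len(t) > 1]
    return " ".join(sorted(tokens))


NORMALIZERS = {
    "bank_acct": normalize_bank_acct,
    "phone": normalize_phone,
    "address": normalize_address,
    "name": normalize_name,
}


def find_vendor_employee_matches(vendors, employees):
    """Join vendors to employees on each normalized field.

    Returns one row per (vendor, employee) pair listing the fields that matched;
    a shared bank account is a stronger indicator than a shared name token set."""
    index = {field: defaultdict(list) for field in NORMALIZERS}
    for emp in employees:
        for field, norm in NORMALIZERS.items():
            key = norm(emp.get(field, ""))
            if key:  # never index empty values, or every blank would match
                index[field][key].append(emp["emp_id"])
    matched = defaultdict(set)  # (vendor_id, emp_id) -> fields that agreed
    for vendor in vendors:
        for field, norm in NORMALIZERS.items():
            key = norm(vendor.get(field, ""))
            for emp_id in index[field].get(key, []):
                matched[(vendor["vendor_id"], emp_id)].add(field)
    return [
        {"vendor_id": v, "emp_id": e, "matched_on": sorted(fields)}
        for (v, e), fields in sorted(matched.items())
    ]


if __name__ == "__main__":
    for row in find_vendor_employee_matches(VENDORS, EMPLOYEES):
        print(row)
```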
Data Analysis Software

Here are some capabilities that data analysis software should enable for internal auditing:
- Ability to import, access, join, relate, and compare the organization’s data sources while preserving data integrity
- Ability to analyze entire populations of data
- Support for centralized access, processing, and management of data analysis with controls for information security
- Ability to create comprehensive audit trails:
  - Creating context for audit findings by recording all of the commands run by the application, command execution status messages, and results generated
  - Enabling peer or supervisory quality review and capture of forensic evidence by documenting all intermediate steps used to uncover exceptions so the actions can be explained, substantiated, and defended
  - Enabling recall of previous results to see if recommendations were acted upon
- Ability to create scripts:
  - Enabling intuitive generation of scripts such as by using a macro or task recorder
  - Allowing saving and categorizing of prior scripts of audit tests so the tests can be run again and to ensure comprehensive coverage
- Ability to perform continuous auditing
- Ability to scale up to enable specialist use or more mature internal audit analytical procedures

In addition to these capabilities, a good system will be user-friendly enough to enable the majority of internal audit staff to use some functions with a reasonable amount of training. It should also require minimal IT support for data access or analysis to ensure auditor independence and to keep custom interface development and maintenance costs reasonable.

Section C: Information Technology and Security

This section is designed to help you:
- Understand the goals of information security.
- Understand the importance and components of IT general controls.
- Explain the purpose of various information security controls.
- Define the use of information security controls.
- Recognize data privacy laws.
- Define the potential impact data privacy laws have on data security policies and procedures.
- Identify emerging technology practices.
- Define the potential impact emerging technology practices have on security.
- Describe existing and emerging cybersecurity risks.
- Describe cyber- and information security-related policies.
- Describe the basic process and considerations for IT auditing.
- Recognize the core activities in the systems development life cycle and its delivery.
- Recognize the importance of change and patch management controls.
- Describe the basic purpose of and tools used in common IT control frameworks.
- Recognize the purpose and application of IT control frameworks.

According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
- Attribute Standards: www.theiia.org/Attribute-standards
- Performance Standards: www.theiia.org/Performance-standards
- Standards and Guidance: www.theiia.org/Guidance
- Position Papers: www.theiia.org/Position-papers
- Implementation Guidance: www.theiia.org/Practiceadvisories
- Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section addresses establishing a comprehensive set of controls to secure the organization’s information systems, the information within them (including data privacy for customers and other stakeholders), and the physical spaces and resources of the organization. This section also addresses the importance of information technology for today’s organizations in meeting their objectives. It covers the reasons internal auditors need to know, at least at a conceptual level, how systems are developed and maintained and the role of IT control frameworks.

Topic 1: Information Security Controls

This topic covers information security and explains the purpose and use of various information security controls.
https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx https://na.theiia.org/about-us/about-ia/Pages/Position-Papers.aspx https://na.theiia.org/standards-guidance/recommended-guidance/Pages/Practice-Advisories.aspx https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx Information Security Information security is the set of policies, processes, and procedures used to protect the organization’s intellectual property by ensuring the confidentiality, integrity, and availability of the organization’s data and information in any format (electronic, print, or other media). Confidentiality is enabling only authorized persons to access or view the information. Integrity is assurance that the data has not been improperly altered, is correct, and is reliable. Availability is ensuring that authorized roles and individuals have access to the information and information systems required to perform their duties without unreasonable outages. In addition to establishing preventive and detective controls, information security involves continuously monitoring and responding to security threats. Information security extends to the data in storage, processing, and transit. Information Security Risk Management Practices It is not possible to mitigate all information security risks. A risk management process is needed to manage exposure to potential information losses. Information security risk management encompasses the processes an organization puts into place so that security controls and expenditures are appropriate and effective at mitigating risk exposures. 
The security risk management process should be appropriate for the organization and its security objectives and can follow a typical enterprise risk management format such as is described in Part 1 of these materials. The internal audit activity may assess information security risks using the following techniques and tools:

- Analysis of reported incidents. Records can provide valuable information about potential and actual losses.
- Review of exposure statistics. Statistics from insurance carriers, industry associations, and regulatory agencies can provide guidance about potential risk exposures.
- Mapping key processes. Developing process maps and identifying potential risk points provide helpful insights.
- Periodic inspections. Health and safety inspections can surface compliance lapses and also uncover opportunities to decrease risks.
- Periodic process and product audits. Such internal audits can incorporate specific questions to identify potential risks.
- Assessments of management system effectiveness. Beyond internal audits conducted to verify conformance to one or more standards or to assess continual improvement, this technique can identify gaps in management systems that expose the organization to potential losses.
- Scenario analysis. Tools such as brainstorming and mind mapping are effective to identify all the consequences that could occur in a worst-case scenario.

This list could go on. The point is to do whatever is necessary to identify and prioritize risks.

Special Information Security Considerations

While the primary monitoring role over information security (and other areas) is with management rather than internal audit, internal audit’s role is to periodically monitor the effectiveness of information security management. This includes assessing the organization’s information confidentiality, integrity, and availability practices and recommending, as appropriate, enhancements to, or implementation of, new controls and safeguards.
Such assessments can be either conducted as separate stand-alone engagements or integrated into other audits or engagements conducted as part of the annual audit plan. The nature of the engagement will determine the most appropriate process for reporting to senior management and the board.

Assessments of information security should start with an overall assessment of the control environment and any control frameworks in use. Implementation Guide 2130 notes that:

[The CAE] should first consider the risk appetite, risk tolerance, and risk culture of the organization. It is important for internal auditors to understand the critical risks that could inhibit the organization’s ability to achieve its objectives, and the controls that have been implemented to mitigate risks to an acceptable level.

The CAE determines whether the internal audit activity possesses or has access to competent audit resources to evaluate information security and associated risk exposures. This includes both internal and external risk exposures and exposures relating to the organization’s relationships with outside entities. If specialized knowledge and skills are required, the organization may need to secure external service providers.

Guidance recommended by The IIA includes specific responsibilities for the internal audit activity. As Implementation Guide 2130 further states:

It is important for internal auditors to obtain a thorough understanding of the control framework(s) adopted either formally or informally by the organization and to become familiar with globally recognized, comprehensive control frameworks.

To fulfill this standard, the CAE determines whether information integrity breaches and conditions that might represent a threat to the organization will promptly be made known to senior management, the board, and the internal audit activity.
Internal auditors assess the effectiveness of preventive, detective, and mitigation measures against past attacks, as appropriate, and future attempts or incidents deemed likely to occur. They determine whether the board has been appropriately informed of threats, incidents, vulnerabilities exploited, and corrective measures.

Determine Disposition of Security Violations

It is reasonable to expect that the internal audit activity will monitor whether and how well information security violations are corrected when they are discovered (similar to corrective action plans in response to internal audits). In doing so, the focus of the internal auditor should be to ensure that the root causes of the security violations are addressed.

Report on Compliance

The internal audit activity can report to management and the board on the level of compliance with security rules, significant violations, and their disposition. With regard to information security, high-level compliance can be achieved through the implementation of codes of practice for information security compliance. An example is ISO/IEC 27002:2013, which:

- Focuses on information security controls and establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
- Contains best practices for control objectives and controls that can be applied by any organization, regardless of size or industry.

Organizations adopt ISO/IEC 27002 to develop organizational security standards and effective security management practices, address legal and regulatory concerns, and better manage compliance.

IT General Controls

In addition to the application-specific controls discussed later in these materials, information security relies on having a comprehensive set of IT general controls.
IT general controls (ITGC) are those IT controls that form the basis of the IT control environment (a framework for ensuring comprehensive information security) and apply to all systems, components, processes, and data for a given organization or systems environment. The other broad category of IT controls is application controls, which relate to a specific application and so are not general. Some ITGCs are business-related, such as segregation of duties, and others are technical and relate to the underlying IT infrastructure.

Information security needs to be a holistic endeavor so that a strong protection in one area is not simply bypassed in some other way, such as:

- An outside person bypassing external access security by accessing the network through someone’s computer with weak protections (or stealing a laptop with sensitive data).
- An unscrupulous programmer adding a backdoor into a computer system during systems development or a system update.

To help internal auditors understand the context for ITGCs, Exhibit 3-23 shows how IT general controls as well as application controls exist to support overall business functions. Note how ITGCs relate to both applications and the IT infrastructure services while application controls relate only to applications.

Exhibit 3-23: Understanding the IT Environment in a Business Context

The effectiveness of ITGCs is measured by the number of:

- Incidents that damage the enterprise’s public reputation.
- Systems that do not meet security criteria.
- Violations in segregation of duties.
ITGCs are classified in the Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx), as follows:

- Logical access controls
- Systems development life cycle controls
- Program change management controls
- Physical security controls
- Systems data backup and recovery controls
- IT operational controls

Of these ITGCs, logical access controls and physical security controls are not addressed further for The IIA’s Challenge Exam. Systems development life cycle controls and program change management controls are addressed elsewhere. IT operational controls are addressed next.

IT Operational Controls

IT operational controls are part of ITGCs and include:

- IT organizational structure.
- Segregation of IT duties.
- Financial and budgetary IT controls.
- Operational change management.
- Operational data security controls.
- Security level management.

IT Organizational Structure

Examples of controls that can be built into IT organizational structure include:

- Minimizing the number of users with administrative privileges.
- Using software tools and direct observation by supervisors to monitor the activities of users with administrative privileges.
- Setting policy guidelines for all employees to take a certain minimum number of consecutive days off at least annually, with special emphasis and/or required job rotations for persons with sensitive roles or access privileges such as systems controllers.

Segregation of IT Duties

Segregation of IT duties can occur at the ITGC level or the application level. Segregation of duties at the ITGC level relates primarily to restrictions on the roles of individuals, while application-level segregations are primarily automated controls within systems. Segregation of duties at the ITGC level includes:

- Following the identity and access management (IAM) principle of allowing access only if the job function requires it.
- Ensuring that initiation, authorization, input, processing, and validation of data are all done by different individuals and possibly by different departments.
- Ensuring that employees with physical custody of assets do not have access to the related computer records or have any other related authorization rights or privileges.
- Separating systems development and operations: Programming and change deployment should be organizationally and physically separate from users with access to production systems, and neither should be able to do the others’ tasks. Neither should have access to file libraries (a function of a system librarian) or input/output controls (a function of the systems controller).
- Other segregations include systems analysis and data entry.

Smaller organizations may not have the luxury of this level of segregation of duties. If this is the case, combined roles require greater scrutiny. Inadequate segregation of duties could heighten the potential for fraud, including misappropriation of assets and fraudulent financial reporting or statements. It could also result in data tampering and loss of data privacy.

Financial and Budgetary IT Controls

Management needs to ensure that the sizable investments in IT development and support are effective in helping meet organizational objectives and are efficient from a cost-benefit perspective. Related controls include:

- Ensuring that there is a process to justify and approve software projects or ongoing operations using measurable metrics such as projected return on investment or savings.
- Monitoring and controlling software projects and operations against baselines.
- Evaluating completed software projects or operational results against their projected results or baselines to determine the accuracy of those projections, and reporting on results.

Operational Change Management

While program change management controls are discussed elsewhere, some IT organization-level change management controls are discussed here.
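Returning to the ITGC-level segregation of duties described above, the following is an added example (not from the study guide) that turns the incompatible duty combinations the text lists into a check over a constructed role-assignment table; the duty names, the users, and the assignments are all constructed for illustration.

```python
"""Segregation-of-duties check at the ITGC level (added example, not from the
study guide). The conflict list follows the text: the five transaction-flow
duties must sit with different people, development stays apart from
operations, and custody of assets stays apart from the related records."""
from itertools import combinations

# Transaction-flow duties the text says different individuals must hold.
TRANSACTION_DUTIES = ["initiate", "authorize", "input", "process", "validate"]

# Incompatible pairs; duty identifiers are constructed for this example.
CONFLICTING_DUTIES = list(combinations(TRANSACTION_DUTIES, 2)) + [
    ("programming", "production_access"),        # development vs operations
    ("change_deployment", "production_access"),
    ("programming", "file_library"),             # librarian function
    ("programming", "io_control"),               # systems controller function
    ("production_access", "file_library"),
    ("production_access", "io_control"),
    ("asset_custody", "asset_records"),          # custody vs related computer records
]

# Constructed assignments: user -> duties granted through their roles.
ASSIGNMENTS = {
    "alice": {"initiate"},
    "bob": {"authorize"},
    "carol": {"programming", "production_access"},   # developer with production access
    "dave": {"asset_custody", "asset_records"},      # custodian who can edit the records
    "erin": {"input", "validate"},                   # enters and validates the same data
    "frank": {"file_library"},
}


def find_sod_conflicts(assignments, conflicts=CONFLICTING_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding both
    halves of at least one conflicting pair."""
    findings = {}
    for user, duties in assignments.items():
        hits = [pair for pair in conflicts if pair[0] in duties and pair[1] in duties]
        if hits:
            findings[user] = hits
    return findings


def would_conflict(assignments, user, new_duty, conflicts=CONFLICTING_DUTIES):
    """Preventive check before a new grant: the conflicts that granting
    new_duty to user would create given the duties the user already holds."""
    duties = assignments.get(user, set())
    hits = []
    for a, b in conflicts:
        if (new_duty == a and b in duties) or (new_duty == b and a in duties):
            hits.append((a, b))
    return hits


def scrutiny_list(assignments, conflicts=CONFLICTING_DUTIES):
    """Where duties cannot be split (as in small organizations), the users whose
    combined roles need compensating review, most conflicts first."""
    findings = find_sod_conflicts(assignments, conflicts)
    return sorted(findings, key=lambda u: (-len(findings[u]), u))


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
    print("blocked grant:", would_conflict(ASSIGNMENTS, "alice", "authorize"))
```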
Change management controls at the operations level include:

- Reviewing exception reporting and transaction logs.
- Separating testing and production environments by formal data migration processes.
- Ensuring that adequate audit trails exist. Audit trails log the functions performed and the changes made in a system, including who made the change and when, for example:
  - An audit log could show repeated incorrect password entries to investigate.
  - Comparisons of users to their activities can highlight unusual activities.
  - Use of sensitive or powerful command codes can be reviewed.

The audit trail is either kept in a separate file or sent to the system activity log file. It must be secure from as many users as possible, and access restrictions should be reviewed.

Preventive maintenance should be performed on hardware and software systems and on their controls, because doing so is almost always less expensive than dealing with problems arising from poor maintenance. An operations control group should also be formed to monitor the results of production, including record keeping and balances of input and output.

Operational Data Security Controls

In addition to controls for the backup of data, organizations need controls over data as it is being used. In general, data security must be maintained: Data policies are enforced through data standards, which define how things need to be done to meet policy objectives. Enforced standards keep systems functioning efficiently and smoothly. Standards should be set for systems development processes, software configuration, application controls, data structures, and documentation.

Some controls over data security have already been mentioned. The following are a few others:

- End-user training in the proper use of email and the Internet is important.
- Logical controls should prevent end users from installing new software.
- Applications should be safeguarded by keeping them in computer program libraries, which should be restricted by physical and logical access controls.
- There should be a secure process for removing old IT hardware due to the possibility of sensitive data being on the drives. This basically means ensuring that deleted files are really deleted by using special file deletion software or by physical electromagnetic wiping. This should be done on hard drives or backup tapes being resold or discarded.

Security Level Management

Not every system needs the highest level of security. The cost of the security measures should be commensurate with the level of risk mitigation required, so this requires customization for the organization. To determine appropriate network security levels, the organization assesses its data repositories and physical security requirements and assigns security risk levels:

- The highest-security physical area or data in a database defines the area’s security level; for example, key projects such as R&D data would have elevated security.
- The availability, integrity, and confidentiality requirements for each area are assessed.

Once the security level is known, a multi-tiered security system can be designed, including provisions for physical, software, program library, and application security.

Information Security Controls

An organization’s data can be one of its most important assets. As such, information security is critical. Information security is a management responsibility. This responsibility includes all the important information of the organization, regardless of how the information is stored. The internal audit activity should ensure that:

- Management recognizes this responsibility.
- The information security function cannot be breached.
- Management is aware of any faulty security provisions.
- Corrective measures are taken to resolve all information security problems.
- Risk-based and cost-benefit-based preventive, detective, and corrective controls are in place to ensure information security.

IT general controls and application controls such as passwords and privileges are the basis for information security. Information security needs to focus on both data and infrastructure. Data security should ensure that only authorized users can access a system, their access is restricted by user role, unauthorized access is denied, and all changes to computer systems are logged to provide an audit trail. Security infrastructure can be part of end-user applications, and/or it can be integral to servers and mainframes, called security software. When the focus on security is primarily at the application level, such as for small environments, user and role-based access controls are generally strong but controls over expert programmers often tend to be weak. Security software resides at the server, client, or mainframe level and provides enhanced security for key applications, such as wire transfer software.

Errors introduced into a computer system can be just as costly as malicious attacks. One key control that will help is setting a clear policy on the use of hardware and software and training personnel to address the most common errors. The policy should also address ethics, such as computers being used for personal activities or illegal acts.

Encryption

Encryption uses a mathematical algorithm to scramble data. The data cannot be unscrambled without a numeric key code, which can be designated as a public key (able to encrypt but not decrypt messages) or a private key (able to both encrypt and decrypt messages). Public keys add a layer of security because the private key does not need to be distributed. Encryption is used on stored data, physically transmitted data (e.g., on a flash drive), and electronically transmitted data.
Server access control is the use of internally encrypted passwords to keep technical persons from browsing password files. Wireless data can also be encrypted to prevent compromise if it is intercepted.

Key Point

While there are various forms and levels of encryption, the key point is that organizations wishing to maintain good encryption may need to avoid the “easy” routes and commit to a level of investment and effort sufficient for the targeted level of security.

The relative security of a key is determined by its bit length. When passwords are used to create keys, effective password creation rules must be applied. External aids include cryptographic module testing (CMT) labs and validation programs for cryptographic modules and their algorithms.

Digital signatures verify the authenticity of a public key user (including non-repudiation) and the integrity of the message itself. A server certificate can establish the authenticity of a site.

Auditing Issues

Evaluating encryption includes evaluating physical controls over computers that have password keys, testing policies to see if they are being followed, and implementing and monitoring logic controls. Protection of private keys from disclosure to outside parties is paramount. Each security domain should be able to share its local identity and security data without compromising its internal directories.

people in the organization to achieve this purpose. The vision statement conveys what the organization aspires to achieve or become in the future. It represents the highest aspirational view and goals of an organization in the context of serving and adding value to its stakeholders.

Mission and vision statements are used to guide the development of strategic objectives and to perform strategic planning, which results in strategic plans.

Strategic Objectives, Strategic Planning, and Strategic Plans

Because strategic objectives and strategic planning are so critical to an organization’s success and growth, this is a key area to consider as part of the audit universe.

Strategic objectives are desired outcomes set by management that specifically relate to stakeholder value enhancement, especially over the long term. They help define how the organization intends to create a competitive advantage. (Examples of competitive advantage are addressed below.) Strategic objectives could relate to innovation, growth, cost control, investment in the organization’s people, social responsibility, and so on. Strategic objectives are reflected in the organization’s strategic planning process and plans.

Strategic planning is a disciplined upper management and board-level future-oriented process that determines the direction the organization will take to achieve strategic objectives over the long term given the changing business environment. Strategic planning helps the organization determine what type it wants to be, who it serves, and why. Strategic planning involves:

- Evaluating changes in the environment, such as the economy or competitor actions, and then determining how to create a competitive advantage in this environment.
- Gathering input from multiple stakeholders.
- Innovating and brainstorming, followed by feasibility analysis of ideas.
- Coming to agreement on priorities and initiatives for the best use of limited resources.
- Ensuring alignment of strategic objectives with the organization’s mission and vision.
- Determining the desired end result, how to get there (in broad terms), and how to determine if the strategy is successful (defining specific and measurable results).
- Documenting the results of this process in the organization’s strategic plans.

Strategic plans are high-level, long-term plans for multiple years into the future:

- They are a valuable communications tool and set the tone for proper governance.
- They are an important input or subject for many assurance and consulting engagements:
  - Understanding of the strategy, key business objectives, associated risks, and risk management processes is vital for setting the context for most engagements.
  - Assurance engagements often check that plans and objectives for the audit area align with and integrate into top-level plans.
  - Assurance engagements may verify that the organization’s strategy aligns with its risk appetite.
  - Assurance engagements related to strategic plans may need to verify that the plan is effectively communicated.
  - Consulting engagements related to improving the strategy or strategic planning may assess whether the organization has a sound strategy and/or strategic planning process.

The chief audit executive (CAE) must consult with the entity’s board and senior management to obtain an understanding of the organization’s strategy and must revise the risk-based annual audit plan as needed to reflect changes in the organization’s business.

An organization’s strategic plans need to reflect global and competitive considerations in order to create a competitive advantage. This is discussed next.

Global and Competitive Considerations

An organization sets a strategy to determine not only what type of organization it wants to be but also how such an organization will be likely to thrive in its environment. It might, for example, want to be an agile organization that adapts well to changes or a large organization that can offer economies of scale and low prices. The organization’s success in its strategy depends not only on the successful execution of the strategy but also on the opportunities and risks that exist in the organization’s environment.

Globalization has expanded most organizations’ environments to include access to larger potential customer bases at relatively low costs (opportunities), but this also results in more potential competitors from around the world (risks). The organization will likely have some competitive advantages, which are relative advantages one organization (or nation) has over its competitors. Here are some potential sources of competitive advantage:

- Labor market. Access to low-cost labor, high-skill labor, a wide labor pool.
- Suppliers and raw materials. Access to materials at favorable prices, good or long-term relationships with suppliers, some degree of ownership or control of (or independence from) suppliers, supplier proximity.
- Customer base. Established customer base/market share, loyal and satisfied customers.
- Process and methodology maturity. Risk, control, quality, change management, manufacturing, or other frameworks; maturity level and difficulty in achieving that level of maturity.
- Supply chain and transportation. Relative cost and speed of supply chain, number of options for and level of convenience to customers.
- Competitor maturity and ease of market entry. Relative number of competitors, competitor sophistication, capital investment needed to become a viable competitor.
- Technology. Labor-saving or insight-generating technology, proprietary technology.
- Regional economy and politics; culture, legal, and regulatory environment. Regional economic prosperity, favorable politics and taxation, culture that promotes good values such as hard work or innovation, favorable laws and regulations.

Successful strategies leverage the organization’s competitive advantages relative to its competitors. However, competitors’ strategies will likely rely on their own competitive advantages. The organization’s strategy seeks to:

- Leverage relative strengths and mitigate relative weaknesses in order to access opportunities (e.g., online, locally, or globally).
- Minimize the likelihood or impact of risks, including competitors taking market share.

Internal auditors may be in a position to evaluate if the organization is accurately assessing the current state of its strengths and weaknesses relative to changes in globalization and the competition. This may include assessing whether the organization is altering its strategy fast enough to survive and thrive when such factors are changing quickly.

Mission and Value Alignment

Part of the organization’s mission will be to provide and add value to stakeholders; another part will be to state and live up to the organization’s values. Organizations may align their mission with their values and ethics by creating corporate social responsibility (CSR) or sustainability programs. The basic concept is that organizations are not responsible for just short-term financial results; they are also responsible to their workers, to communities, and to the environment. Internal auditors may audit sustainability programs. For more information on CSR, review The IIA’s Practice Guide “Evaluating Corporate Social Responsibility/Sustainable Development” (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Evaluating-Corporate-Social-Responsibility-and-Sustainable-Development-Practice-Guide.aspx).

Operations, Reporting, and Compliance Objectives

Beneath the level of strategic objectives are many more detailed tactical and operational objectives that enable the strategy to succeed. COSO’s Internal Control—Integrated Framework, which is used by organizations to evaluate internal controls, identifies three categories of such objectives: operations, reporting, and compliance. The framework depicts the relationship between these objectives,

Firewalls

Perpetually available broadband connections need constant monitoring. A firewall is a hardware/software combination through which all communications to or from the outside world are routed. The firewall compares access rules (controlled by network administrators) against the IP addresses, names, files, and applications attempting to enter the system and blocks unauthorized traffic.
Firewalls can:

- Improve security by blocking access from certain servers or applications.
- Reduce vulnerability to external attacks (e.g., through viruses) and ensure IT system efficiency by limiting user access to certain sites.
- Provide a means of monitoring communication and detecting external intrusions (through intrusion detection systems, described below) and internal sabotage.
- Provide encryption internally (within an enterprise).

Corporate firewalls are often multi-tiered:

- A firewall is placed before the web server and any other public access servers.
- A firewall is placed between the public access servers and the private network areas.
- Additional firewalls can be used to protect sensitive data such as payroll.

An organization’s firewalls should be installed on dedicated hardware that has no unnecessary software. Internal auditors verify that firewalls are located in front of critical systems and are configured to restrict workstation connection to only those authorized.

The location of a firewall can create a DMZ. DMZs (from military jargon for “demilitarized zones”) are portions of a network that are not part of either the Internet or the internal network, such as between the Internet access router and the host. If the access router has an access control list, it creates a DMZ that allows only recognized traffic to contact the host.

Auditors need to determine if firewalls can be bypassed or the controls overridden by alternative transactions. User prompts for allow/deny communications can be the most risky. Auditors should work with the network administrator to determine the efficacy of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up-to-date, such as by promptly removing terminated employees. Because a firewall is a chokepoint, it can be used to audit controls or trace the source of an incoming attack.
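As an added example (not from the study guide), the following code models the firewall behaviour just described: first-match evaluation of access rules against the source address, application, and user of an attempted connection, plus the three review points the text gives auditors (rule specificity, stale allow-list entries for terminated employees, and using the chokepoint log to trace a source of repeated attempts). The rule base, the user names, and the log lines are all constructed.

```python
"""Firewall rule evaluation and auditor review checks (added example, not from
the study guide). Rules are matched in order; the first match decides, and
anything unmatched or malformed is denied."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation, or "any"
    app: str             # application or service name, or "any"
    user: str = "any"    # named user the rule is scoped to, or "any"


# Constructed rule base maintained by the network administrator; the last
# rule is the default deny.
RULES = [
    Rule("allow", "10.0.0.0/24", "https"),
    Rule("allow", "203.0.113.0/24", "ssh", user="jdoe"),
    Rule("allow", "203.0.113.0/24", "ssh", user="rsmith"),
    Rule("allow", "any", "ftp"),            # not specific: any source address
    Rule("deny", "any", "any"),
]


def matches(rule, src_ip, app, user):
    """True when every field of the rule covers the attempted connection."""
    if rule.src != "any" and src_ip not in ip_network(rule.src):
        return False
    if rule.app != "any" and rule.app != app:
        return False
    return rule.user in ("any", user)


def evaluate(rules, src, app, user="anonymous"):
    """Decision for one connection attempt: first matching rule wins."""
    try:
        src_ip = ip_address(src)
    except ValueError:          # malformed address never matches an allow
        return "deny"
    for rule in rules:
        if matches(rule, src_ip, app, user):
            return rule.action
    return "deny"


def overly_broad_allows(rules):
    """Indexes of allow rules that accept traffic from any source address,
    the kind of rule an auditor asks the administrator to justify."""
    return [i for i, r in enumerate(rules) if r.action == "allow" and r.src == "any"]


def stale_user_entries(rules, terminated_users):
    """Named users still present in allow rules although HR lists them as
    terminated; the text expects such entries to be removed promptly."""
    return sorted({r.user for r in rules if r.action == "allow" and r.user in terminated_users})


# Constructed chokepoint log: "<timestamp> <src> <app> <user> <decision>".
SAMPLE_FIREWALL_LOG = """\
2024-03-01T02:00:01 198.51.100.7 ssh anonymous deny
2024-03-01T02:00:02 198.51.100.7 ssh anonymous deny
2024-03-01T02:00:04 198.51.100.7 rdp anonymous deny
2024-03-01T02:00:09 198.51.100.7 smb anonymous deny
2024-03-01T08:15:00 10.0.0.7 https anonymous allow
2024-03-01T09:01:00 203.0.113.9 ssh jdoe allow
"""


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` denied attempts, i.e. the addresses
    the chokepoint log lets an auditor trace; malformed lines are skipped."""
    denies = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] == "deny":
            denies[parts[1]] += 1
    return {src: n for src, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    print(evaluate(RULES, "10.0.0.7", "https"), evaluate(RULES, "10.0.0.7", "ssh"))
    print("broad rules:", overly_broad_allows(RULES))
    print("stale users:", stale_user_entries(RULES, {"jdoe"}))
    print("repeat offenders:", noisy_sources(SAMPLE_FIREWALL_LOG))
```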
Firewall logs could be used as legal audit evidence if the data was collected, processed, and retained properly. A firewall has limitations, for example:

- Data can still be stolen via USB flash drive or use of a personal modem on a voice line.
- Employees or visitors could have a conflict of interest (industrial espionage), or they could simply be gullible and “help” someone by providing access.
- Firewalls can be configured incorrectly.

Auditors should assume that firewalls are always being probed for weaknesses and that they cannot prevent all attacks.

Intrusion Detection/Prevention Systems

Browsers process so much data that firewalls alone may not be sufficient. Intrusion detection/prevention systems monitor systems for intrusions from browsers. Types of these systems include the following:

- An intrusion detection system (IDS) combined with a firewall is called an intrusion prevention system (IPS).
- Host IPS (HIPS) software can detect and block abnormal application behavior before it executes by assuming that abnormal behavior is an unknown form of attack.
- Network IPS (NIPS) are hardware and software systems on a network that analyze incoming packet content, dropping malicious packets. These systems usually are more conservative than other types of firewalls and provide more detailed reports.

Antivirus Software

Antivirus software exists to block known cybersecurity threats. This type of preventive control is effective only if it is regularly updated to address emerging threats.

Topic 2: Data Privacy and Security

This topic helps internal auditors recognize the potential impact of data privacy laws on data security policies, practices, and controls. The topic also addresses auditing privacy risks.
According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Practice Guide, "Auditing Privacy Risks," 2nd Edition: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Privacy-Risks-Practice-Guide.aspx

Data Privacy

Privacy is essentially the right to be left alone and to be free from surveillance by individuals, organizations, or the government. Data privacy is the individual's right to have a voice in how his or her personally identifiable information is collected, handled, and used, to control who has access to that information, and to amend, change, or delete the information.

The "Auditing Smart Devices" Global Technology Audit Guide cites the following U.S. Department of Labor definition of personally identifiable information (PII):

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements (e.g., indirect information). These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic, or other media.

Photographs and biometric identifiers are other examples of PII, as is behavioral information, for example, in a customer relationship management system.
Adherence to data privacy laws and regulations requires robust data security policies and practices, because such laws specify the need to properly secure all end-user and customer data. Also, many laws and regulations have specific provisions related to "sensitive information," and they may define this term in different ways. Exhibit 3-24 shows examples of various types of sensitive information. (These are just examples; a review of applicable regulations is needed to determine what each regulation considers sensitive.)

Exhibit 3-24: Sensitive Information

Sensitive health information:
- Medical records
- Health plan beneficiary information
- Physical or mental health information
- Provided health services or information collected during visits

Sensitive financial information:
- Account numbers (e.g., bank accounts, credit card numbers)
- Financial history
- Salary information

Other sensitive information:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Legal proceedings and civil actions
- Combinations of certain information

IT can make invasions of privacy easy and inexpensive. Any transaction entered into an information system, from simple purchases to medical records, can be stored indefinitely and potentially used for marketing or crime fighting as well as for illegal activities such as blackmail.

Privacy is an issue for corporate data, employees, and customers. Corporate data must be safeguarded for a business to stay viable. Employees and their employers are in conflict on privacy, because organizations want to both protect their interests and guard against improper activity, while employees want to feel that they have a measure of privacy at work. Software can log websites visited and track every keystroke a user makes. Higher levels of monitoring can provide control but at the possible price of lower morale. Clear communication of the privacy policy will help with morale.
The policy should inform employees what is and isn't monitored, as well as what is expected of them, such as using the Internet only for specific activities. Logical controls over which sites can be visited can reduce the need to monitor employee activities.

Data Privacy Laws and Frameworks

The privacy laws in Europe, the United States, Canada, and other countries are based in part on fair information practices (FIPs). FIPs acknowledge that the parties in a transaction have obligations to each other: individuals have rights to privacy but need to prove their identity, and organizations have responsibilities over the collection and use of information. FIPs include:
- Notice. Prior to collecting data, websites must disclose who is collecting the data, its uses, other recipients, what is voluntary, and what will be done to protect the data.
- Choice. Consumers should be able to choose how the information is used outside of support for the current transaction.
- Access. Consumers should be able to access and modify their personal information without great expense or hardship.
- Security. Data collectors must ensure that they have adequate data controls.
- Enforcement. FIPs must be enforced via self-regulation, legislation giving recourse rights to consumers, and other laws.

A number of laws exist to protect privacy against government intrusion, such as the Canadian Privacy Act, which sets rules for the government's ability to collect and use information about its citizens. Fewer regulations apply to the private sector, and self-regulation is the general tendency. Because many nations have privacy laws that may differ considerably, the Organisation for Economic Co-operation and Development (OECD) and similar organizations are working to create consistency in privacy laws and in laws on the transborder flow of information.
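The PII definition cited above distinguishes direct identifiers from combinations of indirect descriptors, and Exhibit 3-24 lists the sensitive categories that regulations single out. Putting the two together gives a field-level classifier that an auditor can run over an extract when checking "what PII does the organization collect." This is an added example, not code from the study guide or from The IIA; the regular expressions, the quasi-identifier threshold of three, the field-name-to-category map, and the sample records are constructed assumptions rather than a regulatory standard.

```python
"""Field-level PII classification following the DOL definition (direct vs.
indirect identifiers) and the Exhibit 3-24 sensitive-information categories.
Added example, not from the study guide or The IIA; the patterns, field
names, quasi-identifier threshold, and sample records are constructed
assumptions, not a regulatory standard.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Direct identifiers recognised by value pattern (deliberately simple).
DIRECT_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}
# Indirect identifiers: harmless alone, identifying in combination.
QUASI_FIELDS = {"gender", "race", "birth_date", "postal_code"}
QUASI_COMBO_THRESHOLD = 3   # assumption: three together are treated as identifying
# Exhibit 3-24 categories keyed by (constructed) field name.
SENSITIVE_FIELDS = {
    "diagnosis": "health", "health_plan_id": "health",
    "salary": "financial", "card_number": "financial", "account_number": "financial",
    "religion": "other", "union_member": "other", "political_party": "other",
}


@dataclass
class Classification:
    direct: List[str] = field(default_factory=list)
    quasi: List[str] = field(default_factory=list)
    sensitive: List[str] = field(default_factory=list)
    handling: str = "public"


def luhn_ok(value: str) -> bool:
    """Luhn checksum so that an arbitrary 16-digit number is not flagged as a card."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, n in enumerate(reversed(digits)):
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return len(digits) >= 13 and total % 10 == 0


def classify_record(record: Dict[str, str]) -> Classification:
    """Tag each field, then derive a handling level for the whole record."""
    c = Classification()
    for name, value in record.items():
        v = str(value).strip()
        for kind, pattern in DIRECT_PATTERNS.items():
            if pattern.match(v) and (kind != "card_number" or luhn_ok(v)):
                c.direct.append(f"{name}:{kind}")
                break
        if name in QUASI_FIELDS and v:
            c.quasi.append(name)
        if name in SENSITIVE_FIELDS and v:
            c.sensitive.append(f"{name}:{SENSITIVE_FIELDS[name]}")
    identifiable = bool(c.direct) or len(c.quasi) >= QUASI_COMBO_THRESHOLD
    if identifiable and c.sensitive:
        c.handling = "restricted"            # identifiable person plus sensitive attributes
    elif identifiable:
        c.handling = "pii"
    elif c.sensitive:
        c.handling = "sensitive-anonymous"   # sensitive, but no identifiable subject
    return c


# Constructed sample extract.
SAMPLE_RECORDS = [
    {"name_on_file": "A. Example", "email": "a.example@example.com", "diagnosis": "asthma"},
    {"gender": "F", "race": "Asian", "birth_date": "1980-02-14", "postal_code": "90210"},
    {"gender": "M", "region": "EMEA", "survey_score": "7"},
    {"card_number": "4111 1111 1111 1111", "amount": "19.99"},
    {"diagnosis": "diabetes", "region": "EMEA"},
]


def sample_handling() -> List[str]:
    return [classify_record(r).handling for r in SAMPLE_RECORDS]
```

The second sample record carries no name, email, or number, yet it is classified as PII because four indirect descriptors appear together; that is the "combination of gender, race, birth date, geographic indicator" case in the definition, and it is the one most often missed when classification is done by column name alone.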
Key Point: While many countries (and even some regions, such as California in the United States) have privacy laws or regulations, the best way to study for the exam is to learn the principles behind these laws, since they share many principles.

In the European Union (EU), the General Data Protection Regulation (GDPR) is a binding regulation. The GDPR obliges EU member states to protect the fundamental rights and freedoms of persons, in particular their right to personal data privacy. Much like the FIPs described above, the GDPR gives individuals the right to:
- Be informed of how organizations are using their personal data (i.e., a privacy policy).
- Access their personal data.
- Rectify incorrect information.
- Be forgotten. (Individuals can request deletion of their personal information.)
- Have data portability. (Individuals can request a copy of their personal information.)
- Object to or opt out of future data collection at any time.

While this is an EU regulation, any organization in any part of the world that collects or holds the personal data of persons residing in the EU will need to have appropriate policies, procedures, and IT systems in place. Many organizations that do business globally have welcomed the GDPR as a gold standard for privacy that may prevent the need to comply instead with a patchwork of national regulations. Organizations should seek advice from legal counsel when developing or adopting a privacy framework.

Key Point: Organizations with a global footprint often use the most stringent data privacy regulation as a base standard for their operations in all countries to limit risk. Many organizations use the GDPR as this standard because noncompliance could put them out of business.

There may be nuances to data privacy depending on the organization's business sector.
- Public sector. Governments collect PII in a vast number of areas, for example, real estate, voter registration, taxation, welfare, and law enforcement.
Compliance requirements may be specific to different levels of public entities. The risk of files being misused, lost, or stolen is high. There may be rules or laws that prevent (or permit, given an approval process) one agency from comparing PII with that of others, called data matching (e.g., law enforcement reviewing driver databases).
- Social services. Government agencies are subject to specific compliance requirements, but other institutions such as churches may be exempt from general legal frameworks, which could lead to lax privacy controls.
- Financial services. Many regulations and active supervisory bodies exist due to the sensitivity of PII such as credit history.
- Marketing, retail, and social media. PII includes address lists, consumer profiles, financial information, purchase history, personal preferences, and so on. Such information may be bought or sold. Sector associations offer codes of conduct.
- Utilities, transportation, and travel. PII is collected at tollways and parking areas and in traffic systems.
- Health care and research. Sensitive patient information is highly regulated. One example of a private-sector law is the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the disclosure of medical records. It applies to health plans, health-care clearinghouses, health-care providers, and employers.
- International business. Many laws and regulations require that PII not leave the regulated zone of a country. These rules address the concern of loss of control when PII is transferred to another jurisdiction (which may not respect other nations' laws).

Data Privacy Controls

Data privacy controls can mitigate the risks of potential misuse, leaks, or loss of PII. Benefits of good data privacy controls include:
- Public image and brand protection.
- Customer, employee, donor, and business partner PII protection.
- Credibility, confidence, and goodwill leading to competitive advantage.
- Compliance.
Fundamental controls for data security include ensuring adequate governance and oversight by the board and management. Another general control example is benchmarking the organization's privacy compliance and data-handling practices and weaknesses against international policies, laws, regulations, and best practices. Here are some additional elements of an effective privacy program:
- Clear roles and responsibilities
- Privacy statement/notice
- Written policies and procedures for the collection, use, disclosure, retention, and disposal of PII
- Information security practices, incident response plans, and corrective action plans
- Training and education of employees
- Privacy risk assessments and maturity models
- Monitoring, auditing, and compliance with privacy laws and regulations
- Inventory of the types and uses of PII
- Controls over service providers (outsourcing)

Ethics in Data Storage

Data storage can become an ethical issue. Data needs to be safeguarded per data privacy policies, regulations, etc. However, it may also need to be protected from deletion for audits or as evidence of compliance. Electronic data such as emails are considered legal evidence (in the United States, this is covered under the Federal Rules of Evidence), and some companies have received large fines for denying access to or deleting such evidence. Internal auditors need to develop an awareness of these and other ethical implications when providing assurance or consulting on data storage or deletion policies.

Data Security Practices

Sustaining privacy practices can be challenging. IT advancements and outsourcing trends are making it difficult to determine where data is stored, how it is protected, who has access to it, and whether it is disposed of securely. This evolution has outpaced legal frameworks and industry standards. Such inconsistency and uncertainty create assurance risk.
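The tension described under "Ethics in Data Storage" (the GDPR right to be forgotten on one side, evidence-retention duties on the other) is easiest to see in the logic that handles an erasure request. The following is an added example for this section, not code from the study guide or from The IIA; the record store, the legal-hold matter reference, the retention date, the request date, and the identity-verification flag are all constructed for illustration.

```python
"""Data-subject erasure request ("right to be forgotten") handled against
retention obligations: records under a legal hold or a statutory retention
period are kept, and the decision is logged so the organisation can show
proof of compliance. Added example, not from the study guide or The IIA; the
record store, hold references, and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Record:
    record_id: str
    subject_id: str
    system: str
    legal_hold: Optional[str] = None        # matter reference while on hold
    retain_until: Optional[date] = None     # statutory retention end, if any


@dataclass
class ErasureOutcome:
    deleted: List[str] = field(default_factory=list)
    retained: Dict[str, str] = field(default_factory=dict)   # record_id -> reason
    audit_log: List[str] = field(default_factory=list)


def process_erasure(store: List[Record], subject_id: str, today: date,
                    identity_verified: bool) -> ErasureOutcome:
    """Decide record by record. FIPs require the requester to prove identity
    before anything is changed, so an unverified request changes nothing."""
    out = ErasureOutcome()
    if not identity_verified:
        out.audit_log.append(f"{today} REFUSED erasure for {subject_id}: identity not verified")
        return out
    for r in store:
        if r.subject_id != subject_id:
            continue
        if r.legal_hold:
            reason = f"legal hold {r.legal_hold}"
        elif r.retain_until and r.retain_until > today:
            reason = f"statutory retention until {r.retain_until.isoformat()}"
        else:
            reason = None
        if reason:
            out.retained[r.record_id] = reason
            out.audit_log.append(f"{today} RETAIN {r.record_id} ({r.system}): {reason}")
        else:
            out.deleted.append(r.record_id)
            out.audit_log.append(f"{today} DELETE {r.record_id} ({r.system})")
    return out


def apply_outcome(store: List[Record], outcome: ErasureOutcome) -> List[Record]:
    """Return the store with the deleted records removed."""
    gone = set(outcome.deleted)
    return [r for r in store if r.record_id not in gone]


# Constructed record store and request date.
SAMPLE_STORE = [
    Record("crm-1", "subj-42", "CRM"),
    Record("mail-7", "subj-42", "Mail archive", legal_hold="MATTER-EXAMPLE-001"),
    Record("pay-3", "subj-42", "Payroll", retain_until=date(2031, 12, 31)),
    Record("crm-2", "subj-99", "CRM"),
]
AS_OF = date(2025, 6, 1)


def sample_outcome() -> ErasureOutcome:
    return process_erasure(SAMPLE_STORE, "subj-42", AS_OF, identity_verified=True)
```

The retained dictionary is what the organization reports back to the requester: which records were kept and on what legal basis. The audit log is the documentation the "proof of compliance" point under Assessing Risk asks for, and it is the evidence an auditor would sample when testing whether the deletion policy is applied consistently.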
CAEs can ask questions such as the following related to data security practices:
- Does a board committee exist to consider risk appetite related to privacy risk?
- What is management's privacy risk appetite?
- What are the current or likely forthcoming applicable privacy laws and regulations?
- What PII does the organization collect, who defines what is private, and are the definitions consistent or appropriate?
- Does the organization have privacy procedures and programs with defined responsibilities and accountabilities and sufficient resources to be effective?
- Does the organization know where all personal information is stored and who has access?
- How is PII protected at the database, network, system platform, application, and business process layers?
- Is any PII disclosed to or processed by third parties?
- Do employees receive privacy awareness training specific to their responsibilities?
- Does management periodically assess program effectiveness and the need to meet new requirements?

Auditing Data Privacy

Data privacy audits can help with compliance, including measuring and improving compliance with the organization's data protection system. Audits can also identify potential inconsistencies between policies and actual practices, which can help provide assurance over reputation risks or help ensure that privacy response procedures are effective. An audit can be used as a tool to raise the level of data protection awareness among management and staff.

Internal auditors look for data privacy risks in three basic categories, as shown in Exhibit 3-25.

Exhibit 3-25: Threats to Organizations, Stakeholders, and Individuals

Threats to organizations: Privacy breaches can get significant attention from the press, supervisory authorities, and privacy watchdogs. An organization could fail to achieve its objectives and could experience operational disruptions, inefficiency, or reputation damage, with severe financial impacts.
Specific control weaknesses when processing PII include:
- Excessive collection.
- Incomplete or outdated information.
- Damaged data.
- Inadequate access controls.
- Excessive sharing.
- Incorrect processing.
- Inadequate use.
- Undue disclosure.
- Undue retention.

Threats to stakeholders: While excessive privacy practices can hinder efficiency and thus investor returns, the risks of damaged reputation and litigation usually outweigh this consideration.

Threats to individuals: Individuals may be victims of identity theft, bear extra cost, experience discrimination, or have limited control over their PII. For example, data submitted for a job application could be used for intrusive, unfair, unreliable, or adverse purposes.

Evaluating the Organization's Data Privacy Framework

Internal audit determines whether a data privacy framework exists and evaluates the framework to ensure that the board has set a risk appetite related to privacy risks and that the framework is effective in identifying and addressing significant risks. Internal auditors may need to work with other parties to understand the context of security policies and guidelines, both those for internal use and those communicated to customers, including:
- Legal counsel, to identify other steps that should be performed.
- Privacy professionals, to help internal auditors develop an understanding of data privacy framework maturity.
- IT specialists, to help create a process map of information flows, system controls, and the PII life cycle, including incident response programs.

Internal auditors also need to determine how the framework and related policies classify organizational data and evaluate whether the levels of classification and related controls are appropriate. Classifications are usually based on the level of harm a data breach or misuse could cause and/or the regulatory penalties for noncompliance. Another area of review is whether the framework has a privacy incident response plan and related templates.
Assessing Risk

Categories of privacy risk include the following:
- Legal and organizational risk. Internal auditors ensure that relevant privacy laws and other regulations are communicated to clearly designated responsible parties. Personnel are told what is expected of them and what the individual and organizational penalties are for noncompliance. Auditors assess personnel competency levels and whether there is a process to keep current with new laws, regulations, and technologies (e.g., cloud computing). Proof of compliance is required, not just compliance, so documentation must be addressed. Auditors also determine whether management is spending too much on privacy controls (e.g., expensive encryption for routine data).
- Infrastructure risk. PII processing steps may include paper or online forms, data entry, or fully automated steps. Each time PII moves and changes format, new vulnerabilities to the confidentiality, integrity, and availability of data arise. Internal auditors should trace PII in operations as well as in backup storage, such as by reviewing encryption in storage and in transit. Controls include:
  - Paper shredders, locked files, or other physical controls.
  - IT general controls and application controls.
  Each platform or technology should have a data map and an inventory of all PII, including transfers to third parties.
- Application risk. Evaluating software involves reviewing privacy risk assessments and whether there is "privacy by design," such as use of data classification standards, defaults to least privilege for user access, or external interface authorization limits.
- Business process risk. PII needs to be used for its legitimate business process purposes, and this creates a risk that it will be exposed, for example, in printed form on people's desks. Discretion should be used in areas open to the public, and basic controls should exist, such as clean desks or timed locking of computers not in use.
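The infrastructure-risk points above (trace PII through every hop, review encryption in storage and in transit, keep a data map with an inventory of all PII including transfers to third parties) and the earlier international-business point that PII must not leave the regulated zone can be tested against a documented data map. The following is an added example for this section, not code from the study guide or from The IIA; the systems, transfers, jurisdictions, and PII classes are constructed, and the "regulated zone" is simply a label the reviewer supplies.

```python
"""PII data-map review: trace documented PII transfers between systems and
flag cross-border transfers, unencrypted hops, third parties without a
processing contract, and systems whose declared PII inventory does not match
what they actually receive. Added example, not from the study guide; the
systems, transfers, and regulated zone below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class System:
    name: str
    jurisdiction: str                 # where the data physically resides
    declared_pii: FrozenSet[str]      # PII classes the inventory says it holds
    third_party: bool = False
    processor_contract: bool = True   # data-processing agreement signed
    encrypted_at_rest: bool = True


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    pii: FrozenSet[str]               # PII classes moved by this flow
    encrypted_in_transit: bool = True


Finding = Tuple[str, str]   # (flow, issue)


def audit_transfers(systems: List[System], transfers: List[Transfer],
                    regulated_zone: str, permitted_zones: FrozenSet[str] = frozenset()) -> List[Finding]:
    """One pass over the documented flows; every finding names the hop."""
    by_name = {s.name: s for s in systems}
    findings: List[Finding] = []
    for t in transfers:
        src, dst = by_name[t.src], by_name[t.dst]
        flow = f"{t.src}->{t.dst}"
        if not t.encrypted_in_transit:
            findings.append((flow, "PII sent without encryption in transit"))
        if not dst.encrypted_at_rest:
            findings.append((flow, f"{dst.name} stores received PII unencrypted"))
        leaves_zone = src.jurisdiction == regulated_zone and dst.jurisdiction != regulated_zone
        if leaves_zone and dst.jurisdiction not in permitted_zones:
            findings.append((flow, f"PII leaves regulated zone {regulated_zone} for {dst.jurisdiction}"))
        if dst.third_party and not dst.processor_contract:
            findings.append((flow, f"third party {dst.name} has no processor contract"))
    return findings


def undeclared_inventory(systems: List[System], transfers: List[Transfer]) -> Dict[str, Set[str]]:
    """PII classes a system receives through documented flows but has not
    declared in its inventory: the inventory is incomplete for that system."""
    received: Dict[str, Set[str]] = {s.name: set() for s in systems}
    for t in transfers:
        received[t.dst] |= set(t.pii)
    declared = {s.name: set(s.declared_pii) for s in systems}
    return {n: received[n] - declared[n] for n in received if received[n] - declared[n]}


# Constructed data map for an EU-regulated HR process.
SYSTEMS = [
    System("hr-app", "EU", frozenset({"contact", "payroll"})),
    System("analytics", "EU", frozenset({"contact"}), encrypted_at_rest=False),
    System("payroll-vendor", "US", frozenset({"contact", "payroll"}), third_party=True),
    System("marketing-saas", "US", frozenset({"contact"}), third_party=True, processor_contract=False),
]
TRANSFERS = [
    Transfer("hr-app", "payroll-vendor", frozenset({"contact", "payroll"})),
    Transfer("hr-app", "analytics", frozenset({"contact", "payroll"}), encrypted_in_transit=False),
    Transfer("analytics", "marketing-saas", frozenset({"contact"})),
]


def sample_audit() -> List[Finding]:
    return audit_transfers(SYSTEMS, TRANSFERS, regulated_zone="EU")


def sample_undeclared() -> Dict[str, Set[str]]:
    return undeclared_inventory(SYSTEMS, TRANSFERS)
```

The inventory check is the part most reviews skip: in the sample, the analytics system declares only contact data but receives payroll data through a documented flow, so its inventory, and therefore any classification or retention rule based on it, is wrong. A transfer mechanism that a regulator accepts (passed in as permitted_zones) removes only the cross-border findings, not the encryption or contract ones.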
Topic 3: Emerging Technology

This topic helps internal auditors recognize emerging technology practices and their impact on security. Such practices include bring your own device (BYOD), smart devices, and the Internet of things (IoT).

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Global Technology Audit Guide (GTAG), "Auditing Smart Devices: An Internal Auditor's Guide to Understanding and Auditing Smart Devices": https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Auditing-Smart-Devices-An-Internal-Auditors-Guide-to-Understanding-and-Auditing-Smart-Devices.aspx

Emerging Technology

Technology is constantly advancing, as is the rate and variety of malicious attacks. How can auditors keep up with new technology and get ahead of threats? A good place to start is to provide assurance regarding IT general controls, including physical security, logical access controls, and operational controls. But what other practices can be used?

The Internet of things (IoT) refers to a system of interrelated physical devices around the world connected to the Internet, collecting and sharing data. It allows for the transfer of data over a network without human action. IoT has emerged to allow machine-generated data to be analyzed for insights to drive improvements. The benefits of IoT to businesses are that it allows more access to data about an organization's products and internal systems and a greater ability to make changes as a result, such as pushing out new security updates. However, this raises new concerns about data privacy and security. The increase in connected devices gives cybercriminals more entry points and leaves sensitive information vulnerable. Establishing a standardized security protocol to address the scope and diversity of devices is a central challenge.

Hardware authentication incorporates authentication into a user's hardware.
An end user may be required to enter a code sent to their mobile device in order to authenticate. This can be combined with other forms of authentication.

User-behavior analytics operates on the premise that by identifying activity that does not fit within the normal routine of an employee, IT can identify a malicious attacker posing as an employee.

Data loss prevention ensures that end users do not send sensitive or critical data outside their corporate network. The key to successful data loss prevention is technology such as encryption and tokenization, which can provide data protection down to a subfield level.

Machine learning and artificial intelligence can be used to automate certain protocols or detect trends in big data. Rather than looking at the end user only, these systems can also distinguish between good and bad software and provide an advanced threat detection and elimination solution.

Cloud computing security refers to the controls, technologies, and policies in place to protect data, applications, and the infrastructure of cloud computing. Cloud security architecture can use numerous controls, such as deterrent, preventive, detective, and corrective controls, to safeguard potential system weaknesses. In addition, cloud access security brokers (CASBs) provide software that sits between end users and cloud applications to monitor activity and enforce security policies. ISO 27017 focuses on the protection of information in cloud-based services.

Smart Devices

Smart devices enable working in a truly mobile way. Examples include cell phones, tablets, wearable devices (e.g., watches, glasses), and specialized devices such as those for warehouse picking. Smart devices have operating systems, data storage, and security mechanisms, and they connect to cellular and/or Wi-Fi networks for data, voice, and/or video. They may include GPS or specialized sensors such as those for radio frequency identification (RFID).
Internal auditors may need to audit the security impact of smart devices as well as related systems that may be under the control of third parties. Understanding the business context will help internal auditors determine the real business needs for smart devices, which could highlight opportunities for business advantage or a lack of real need (i.e., too much risk, too little reward). A risk assessment will help determine the engagement's objectives, scope, and required resources as well as the relevant risks and controls that the internal audit activity should recommend.

A key issue around the security impact of smart devices is a bring-your-own-device (BYOD) policy. A BYOD policy relates to whether or not an employee or contractor can (or is required to) bring their own laptop or mobile device to the workplace and use it for work purposes. Note that prohibitions on laptops or tablets might be enforceable so long as a suitable device is provided to the employee or contractor, but prohibitions on mobile phones would be feasible only in very high security environments.

Smart Device Risks

Smart devices face risks in a number of categories.
- Compliance risks. The variety and number of smart devices creates a risk of organizational smart devices failing to be regularly updated per policies and procedures. BYOD update risks are even higher, since the organization may not control updates. For example, a person could avoid updates due to performance concerns.
- Privacy risks. Personally identifiable information (PII) is stored on smart devices. Also, the organization could use smart devices to monitor its employees. BYOD practices and the devices of vendors, guests, or visitors increase the risk of PII compromise.
- Physical security risks. Small devices are at risk of loss, breakage, or theft.
- Information security risks. Data on smart devices could be accessed if left unencrypted. Backups may not be performed.
Controls built into operating systems (OS) could be bypassed to enable prohibited software to be installed that could contain malware; this is called "jailbreaking" for the Apple OS and "rooting" for the Android OS. Note that either practice can prevent remote wiping of the memory (a control). Persons on organizational or BYOD devices could join untrusted networks, and their devices could be hijacked. GPS could be used for tracking or other nefarious uses.

Smart Device Controls

A general smart device control is an acceptable use policy with a clear indication of penalties for noncompliance. This can include a mandate for all organizational and BYOD devices to have up-to-date anti-malware software installed, to keep the OS updated, to use only official app stores, and not to jailbreak or root the device. End users need to be educated on weak versus strong passwords or other forms of authentication. Basic security training for organizational or BYOD devices can be provided, such as promptly reporting thefts or ensuring that user devices have user authentication turned on in case the device is stolen.

BYOD policies should require an employee signature and may include:
- What devices are allowed and the individual's maintenance responsibilities.
- Policies on downloading, use, and transmission of organizational data, with specific prohibitions for sensitive data.
- Minimum security requirements.
- Backup policies, including whether home backups are allowed. (Home backups could be prohibited to maintain U.S. HIPAA compliance.)
- Enabling remote wiping (for stolen devices) or possibly mobile device management (MDM) for remote software updating, monitoring, etc.
- Policy on selling, discarding, or sending devices in for maintenance (e.g., proper wiping of memory).
- Requirements to use a virtual private network (VPN) and not to use Wi-Fi networks if a VPN exists.

Controls also exist at the hardware and software levels. Authentication controls need to be in place.
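The acceptable-use and BYOD policy items above become testable once an MDM inventory export is available: each device either meets the policy minimums or it does not, and the text itself says which failures matter most (a jailbroken or rooted device cannot be relied on for remote wipe; a device without authentication exposes its data if stolen). The following is an added example, not code from the study guide, from The IIA, or from any MDM product; the Device fields, the OS version minimums, the block/remediate split, and the inventory are constructed assumptions.

```python
"""BYOD/MDM compliance check over a device inventory, modelled on the policy
items in this section. Added example, not from the study guide or any MDM
product; the Device fields, policy minimums, and inventory are constructed
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                  # "iOS" or "Android"
    os_version: Tuple[int, int]
    jailbroken_or_rooted: bool
    screen_lock_enabled: bool      # user authentication on the device
    storage_encrypted: bool
    anti_malware_current: bool
    remote_wipe_enrolled: bool
    vpn_profile_installed: bool


MIN_OS: Dict[str, Tuple[int, int]] = {"iOS": (17, 0), "Android": (14, 0)}  # assumed policy minimums


def evaluate(d: Device) -> Dict[str, List[str]]:
    """Split findings into 'block' (device loses access now) and 'remediate'
    (owner gets a deadline). Jailbreaking is a block on its own because, as
    the text notes, it can defeat remote wipe."""
    block: List[str] = []
    remediate: List[str] = []
    if d.jailbroken_or_rooted:
        block.append("jailbroken/rooted: OS controls bypassed, remote wipe unreliable")
    if not d.storage_encrypted:
        block.append("storage not encrypted")
    if not d.screen_lock_enabled:
        block.append("no device authentication; data exposed if lost or stolen")
    if not d.remote_wipe_enrolled:
        remediate.append("not enrolled for remote wipe/MDM")
    minimum = MIN_OS.get(d.platform)
    if minimum is None:
        block.append(f"platform {d.platform} not on the allowed device list")
    elif d.os_version < minimum:
        remediate.append(f"{d.platform} {d.os_version[0]}.{d.os_version[1]} below policy minimum")
    if not d.anti_malware_current:
        remediate.append("anti-malware missing or out of date")
    if not d.vpn_profile_installed:
        remediate.append("no VPN profile; corporate data may traverse untrusted Wi-Fi")
    return {"block": block, "remediate": remediate}


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Which devices to quarantine immediately, which to chase, which pass."""
    result: Dict[str, List[str]] = {"quarantine": [], "follow_up": [], "compliant": []}
    for d in devices:
        r = evaluate(d)
        if r["block"]:
            result["quarantine"].append(d.device_id)
        elif r["remediate"]:
            result["follow_up"].append(d.device_id)
        else:
            result["compliant"].append(d.device_id)
    return result


# Constructed inventory export (columns follow the Device fields in order).
INVENTORY = [
    Device("dev-001", "alice", "iOS", (17, 4), False, True, True, True, True, True),
    Device("dev-002", "bob", "Android", (13, 0), False, True, True, False, True, False),
    Device("dev-003", "carol", "Android", (14, 0), True, True, True, True, True, True),
    Device("dev-004", "dave", "iOS", (17, 1), False, False, True, True, False, True),
]


def sample_triage() -> Dict[str, List[str]]:
    return triage(INVENTORY)
```

An auditor testing the BYOD control would compare the quarantine list against what the MDM actually blocked: a jailbroken device that still holds an active mail profile is a control that exists on paper only.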
Devices that have hardware encryption (which encrypts all data and apps when not in use) can be selected. Software encryption is a must. Some devices also support encryption in transit.

Topic 4: Cybersecurity Risks

This topic helps internal auditors recognize existing and emerging cybersecurity risks, including hacking, piracy, tampering, ransomware attacks, phishing attacks, and more.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Global Technology Audit Guide (GTAG), "Assessing Cybersecurity Risk: Roles of the Three Lines of Defense": https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx
- Global Technology Audit Guide, "Auditing Insider Threat Programs": https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Auditing-Insider-Threat-Programs.aspx
- Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx

Cybersecurity Risks

Cybersecurity, also referred to as computer or IT security, is the protection of computers, networks, programs, and data from attack, unauthorized access, damage, change, or destruction. Cyber risks (or cyber threats) involve persons or entities that seek unauthorized access to a system, network, or device, either remotely or via inside access. A hacker is a person who accesses systems and information, often illegally and without authorization. Unethical organizations employ hackers to perform industrial espionage. Hackers could harm the organization's employees, contractors, customers, and other stakeholders and its competitive advantage. They could cause direct monetary loss as well as reputation damage if certain information were made public.

Cybercrime is a growing area of organized crime.
Profit is the motive. Organized crime organizations may have large-scale operations in certain nations that suffer from poor enforcement or from graft and corruption. There are generally three main types of computer crime:
- Those where the computer is the target of a crime
- Those where the computer is used as an instrument of a crime
- Those where the computer is not necessary to commit the crime but is used to make committing the crime faster, to process more information, or to make the crime more difficult to identify and trace

Two other sources of cybersecurity risk are insiders and service providers, especially service providers who develop substandard offerings that have security vulnerabilities or who do not promptly patch known vulnerabilities. Aside from negligence, insiders and service providers could use their inside knowledge and access to take advantage of inside information to perpetrate or conceal fraud.

Malware

Malware is malicious software designed to gain access to a computer system without the owner's permission for the purpose of controlling or damaging the system or stealing data. The types of attacks that are increasing are ransomware (see below), attacks that gain unrestricted access to user systems and data, and attacks that gather network passwords and financial data. Zero-day attacks use malware that is not yet known to the anti-malware software companies. The number and frequency of network attacks is increasing, sometimes with several versions of the same type of malware appearing in one day. Antivirus vendors have resorted to hourly updates. The antivirus industry's rapid response system is challenged by criminals who have their own structure to develop new threats and to scan for and infect vulnerable systems.

Types of malware include the following:
- VirWare. VirWare includes viruses, worms, and ransomware. A virus attaches itself to storage media, documents, or executable files and is spread when the files are shared with others.
One type is a macro virus, which uses the macro function of software such as Microsoft Word to create executable code. In response, Microsoft created distinct file extensions (e.g., .xlsx, no macros; .xlsm, macros allowed). Worms are self-replicating malware that can disrupt networks or computers. Unlike a virus, a worm does not attach itself to an existing program or to code. It spreads by sending copies of itself throughout a network. Worms may act to open holes in network security or trigger a denial-of-service attack (see below). With ransomware, software encrypts all files on a computer or network and the criminal sends the user a demand indicating that the encryption key won't be released unless a payment is made quickly, usually through a cryptocurrency. Avenues of attack include links or attachments in unsolicited emails as well as malvertising, or malicious advertising on websites, which can direct users to criminal servers even if the user never clicks on an ad. Ad-blocking software is a partial defense. Instant message (IM) worms, worms for mobile devices, and net-worms have been increasing because they don't need to rely on users opening email. Email worms have been decreasing, partly due to the rapid response system and improved antivirus software. Cybercriminals have shifted to using more Trojan horses.
- Trojan horses. Trojan horses are malicious programs disguised as innocuous or useful programs using social engineering. Social engineering is a set of rhetorical techniques used to make fraudulent messages seem inviting; it is initiated through deceptive emails, instant messages, or phone contact. A key control is to educate users to initiate all contact themselves (i.e., don't click on an email link; go to the site directly). Once installed, Trojan horses can install more harmful software, such as spyware. Spyware is malware installed without the user's knowledge to surreptitiously transmit data to an unauthorized third party.
Trojan horses are smaller, easier to transmit, and cheaper to develop because they do not need to be capable of self-delivery. Trojan horses include the following:
  - Trojan-clickers require clicking on a hyperlink.
  - Banker programs steal bank account data.
  - Root kits are tools installed at the root (administrator) level.
  - Trojan-proxies use an infected computer as a proxy.
- Other malware. Adware is malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user's screen. A key logger records keystrokes to steal passwords, etc. A dialer automatically dials a 900 number (a high-fee line) to generate huge debts.
- Other external threats. Phishing is creating a website that appears identical to an organization's site and then luring the organization's users to that site through social engineering to capture IDs, passwords, government IDs, etc. An evil twin is a Wi-Fi network operated by a cybercriminal that mirrors a legitimate network. Identity theft is the illegal use of sensitive information to impersonate an individual over computer networks in order to defraud the person or commit a crime without the perpetrator's true identity being known. The human-to-browser phase of transactions is where most identity theft occurs, not in the space between browser and web server. Most of the problem is due to poor password controls and social engineering. Piggybacking is either physically following someone through a secure door or using someone's legitimate password to access a network. A denial-of-service attack is designed to take up so much of a shared resource that none of the resource is left for other users.
- Internal threats: illegal program alterations. Hackers, or more likely malicious insiders with programming privileges, can alter the code of programs, usually to perpetrate fraud or theft.
The following are examples of such data manipulation techniques:
- Asynchronous attacks cause an initial system action and then a subsequent system reaction. For example, after a system has been shut down and before it restarts automatically, changes may be made to the restart parameters to weaken security.
- Data diddling is intentionally manipulating data in a system.
- Data hiding is manipulation of file names or extensions or other tricks to hide a file so that it can be manipulated (e.g., hiding an audit log).
- Backdoors can bypass normal authentication and be installed by direct code manipulation (or by Trojan horses).

Server/mainframe malware. Attacks on mainframes are rare because of the specific knowledge needed for a particular mainframe. Nevertheless, publicly available servers connected to the web are assumed to be under a constant barrage of attacks. Server attacks start by attempting to gain low-security access followed by an attempt to elevate the security level. Once inside, changes include hiding tracks, stealing data, and breaking or taking control of the system. Microsoft servers have security issues that are regularly patched and publicly announced, but hackers will exploit systems that aren't updated.

In addition to system attacks, publicly available servers can be attacked through their applications. For example, an intranet server might use a distributed application to allow employees to check customer data. Hackers find flaws in such applications.

Exhibit 3-26 provides a summary of the types of malware just discussed.
Exhibit 3-26: Malware Summary

Virware: Viruses; Worms; Ransomware
Trojan horses: Trojan-clickers; Banker programs; Root kits; Trojan-proxies
Other malware: Adware; Key loggers; Dialers
Other external threats: Phishing; Evil twins; Identity theft; Piggybacking; Denial-of-service attacks
Internal threats (illegal program alterations): Asynchronous attacks; Data diddling; Data hiding; Backdoors
Server/mainframe malware

Protecting Systems from Malicious Software and Computer Crime

All operating systems contain bugs that create vulnerabilities and affect overall system performance. The use of homogenous operating systems allows wide-scale exploitation of bugs. Controls include:
- Frequent updates and patches to operating systems.
- Running systems with administrative privileges turned off.
- Operating systems that restrict rights given to code, such as use of a virtual area or sandbox, which fixes a security flaw of over-privileged code (when systems allow any code executed on a system to receive all rights of the system user).

Antivirus software maintains lists of known viruses and prevents them from being installed or helps recover a computer once a virus is removed. Such software scans both incoming and outgoing data. Automated downloads and regularly scheduled scans are important controls to keep such systems up to date. Some antivirus programs use nature-based models that look for any unusual code and can detect new viruses. Policies can also help, such as allowing downloads only from reputable locations with security seals. Other tools include blockers for spyware, spam, macros, and pop-ups.

One method of self-protection from malware in general is to follow a minimum set of agreed-upon controls, called baseline controls. One example is the VISA Cardholder Information Security Program (CISP), which has made a set of security guidance rules available to credit card network users.
This advice, called the "Digital Dozen," can be found in the Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx). Other controls include taking sensitive information offline and performing background checks on new employees and users with security clearance. Browsers contain phishing filters, which send data to the browser manufacturer for validation.

Controls associated with proper user identification and authentication of identity are critical. Authentication mechanisms must be secured and assessed. Users must be aware of the dangers of sharing or not securing passwords or creating weak passwords.

Externally Stored Data and Third-Party Cybersecurity Risk

When data is stored external to the organization, such as in a third-party cloud, it is vital for the organization to ensure that vendors are properly managing relevant risks. Critical steps for management to take include due diligence and strong contracts that require:
- Service organization control (SOC) reports.
- Right-to-audit clauses, including use of cybersecurity engagements.
- Service level agreements (SLAs), including reporting requirements related to information security protections.

Oversight and data and information security governance include monitoring the vendors and the key metrics they report to ensure conformance with the SLAs. Remedies for deficiencies include asking for timely resolution of concerns, enforcing penalties, and enforcing the right to audit. Vendors who do not remediate issues in a timely manner may need to be replaced.

Piracy and Device Tampering

Software piracy is the illegal copying of software or distribution of software access to more users than is allowed in the organization's contract.
Software organizations may be able to detect illegal use of software remotely or have their own right-to-audit clauses with the purchasing or leasing organization. Financial penalties for noncompliance can be severe. A policy prohibiting piracy is an important control. Risk-based internal audits may be needed to provide assurance that software is not being pirated.

Device tampering includes jailbreaking/rooting of smart devices or other hardware manipulations. It may enable piracy or installation of apps that contain malware. Device tampering is dangerous and should also be prohibited by policy.

Insider Threat Programs

The primary purpose of an insider threat program is to protect critical assets, which include valuable data, people, facilities, and systems. Insider threats cannot be completely eliminated, and trying to do so can be prohibitively expensive.

Programs to monitor and control insider threats may be part of the risk universe for internal auditors. Given a risk assessment, the internal audit activity may plan assurance engagements to assess the effectiveness of these programs or consulting engagements to assess insider risks. An important step is to assess the control environment, since poor authentication controls and so on can create a pervasive impact on opportunities for insider threats. Usually audits will focus on a specific subset of insider threats, such as hiring practices or management's methods to monitor the external and internal environment, rather than having a full scope.

The steps related to understanding the engagement context, gathering information, performing a risk assessment, and communicating results to the board are discussed next. These steps will be used to establish the scope, allocate resources (the CAE needs to obtain competent assistance and advice per Standard 1210.A1), and plan the engagement.
Understanding the Engagement Context and Gathering Information

Understanding the engagement context and purpose may involve determining if changes in the operating environment, such as mergers or acquisitions, have introduced new risks to the environment. Information gathering can include discovery about past fraud allegations, occurrences, and investigations involving insiders. It is also important to review related regulatory compliance requirements. Internal auditors may need to prepare by studying established security frameworks, programs, and recommendations. This culminates in a risk assessment.

An insider threat program should have a process map that can be reviewed. Components of the program to review include:
- Stakeholders involved and their requirements.
- Senior management and board buy-in and oversight, including governance structure and policy.
- Management's insider threat planning process.
- Management's insider threat risk management process:
  - How it identifies critical assets.
  - How it identifies threats.
  - How it assesses vulnerabilities.
- Management's insider threat operations:
  - Communications, training, and awareness programs (which should be improved using feedback loops from issue resolutions).
  - Preventive and detective controls.
  - Data and tool requirements.
- Analysis and incident management:
  - Initial and internal investigations.
  - Referrals and reporting.
  - External criminal investigation decisions.
  - Final actions, management reporting, and feedback and lessons learned.

Subprocesses may also be reviewed, such as the employee application, screening, hiring, onboarding, reaccreditation (changing access privileges when employees shift to new positions), and termination process for employees. Each step in such a process will have its own risks and a potential set of controls. For example, the employee application process has a risk of hiring employees who are secretly working for major competitors.
Employment history evaluation and additional screening for sensitive positions are potential controls.

Risk Assessment

Exhibit 3-27 reviews common insider threats that are generally based on the use of IT to commit the crimes.

Exhibit 3-27: Insider Threats

Threat | Risk | Potential Impact
Fraud | Identity theft or illegal use of data for personal gain | Financial misstatements or reputation damage
IT sabotage | Use of IT to harm organization or specific individual | Denial of service or productivity loss
Theft of intellectual property | Industrial espionage involving insiders | Loss of competitive advantage or revenue
Theft or disclosure of sensitive data | Theft of confidential, proprietary, or private data for financial gain | Restitution payments to customers or loss of customer trust
Theft of personal data | Theft or disclosure of personally identifiable information | Legal expenses, restitution, or loss of trust; data privacy noncompliance penalties
Illegal activities | Use of digital assets to send spam, gamble, or do other prohibited activities | Financial losses and reputation damage

Insider Threat Reports and Recommendations

To effectively communicate the risks related to insider threats to the board, internal auditors must translate audit findings into terms of financial loss, reputation damage, operational disruption, and other organizational performance indicators. Best practices include referring to existing industry reports and educating the board that only reasonable assurance of security is possible. The Global Technology Audit Guide, "Auditing Insider Threat Programs" (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Auditing-Insider-Threat-Programs.aspx), cites the CERT Insider Threat Center's "Common Sense Guide to Mitigating Insider Threats, Fifth Edition," for a set of best practices or control objectives.
Internal audit activity recommendations may include one or more of these best practices, as reproduced below, depending on the results of the engagement:
- Know and protect your critical assets.
- Develop a formalized insider threat program.
- Clearly document and consistently enforce policies and controls.
- Starting at the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Be especially vigilant regarding social media.
- Structure management and tasks to minimize unintentional insider stress and mistakes.
- Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.
- Implement strict password and account management policies and practices.
- Institute stringent access controls and monitoring policies for privileged users.
- Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
- Monitor and control remote access from all end points, including mobile devices.
- Establish a baseline of normal behavior for both networks and employees.
- Enforce separation of duties and least privilege.
- Define explicit security agreements for any cloud servers, especially access restrictions and monitoring capabilities.
- Institutionalize system change controls.
- Implement security backup and recovery processes.
- Close the doors to unauthorized data exfiltration.
- Develop a comprehensive employee termination procedure.

Topic 5: Cybersecurity Policies

This topic describes organizational policies related to cybersecurity, information security, and information security governance.
According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Global Technology Audit Guide (GTAG), "Assessing Cybersecurity Risk: Roles of the Three Lines of Defense" (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx)

Cybersecurity Policies

Cybersecurity policies and related training and testing are designed by IT risk management and IT compliance functions (second line roles) and administered by IT operations management roles (first line roles). Internal audit (third line roles) provides independent ongoing evaluations of cybersecurity policy effectiveness. Since many cybersecurity policies are based on cybersecurity frameworks, a common cybersecurity framework is presented next.

NIST Cybersecurity Framework

The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, or CSF, provides a risk-based iterative approach to the adoption of a vigilant cybersecurity stance for public and private organizations. It also includes guidance on self-assessment. The NIST CSF Framework Core, shown in Exhibit 3-28, includes cybersecurity activities, desired outcomes, and references from industry standards, guidelines, and practices. The Framework Core has five functions, which are further divided into 23 categories.

Exhibit 3-28: NIST CSF Framework Core

Function | Description | Categories
Identify | Identify and communicate cybersecurity objectives and goals. Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. | Asset management; Business environment; Governance; Risk assessment; Risk management strategy; Supply chain risk management
Protect | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. | Identity management and access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology
Detect | Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. | Anomalies and events; Security continuous monitoring; Detection processes
Respond | Develop and implement the appropriate activities to take action regarding a cybersecurity event. | Response planning; Communications; Analysis; Mitigation; Improvements
Recover | Maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event. | Recovery planning; Improvements; Communications

Source: "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.0. NIST (National Institute of Standards and Technology), 2014.

Information Security Policies

An effective information security policy should provide guidelines for preventive and detective controls to address a variety of information risks. Such risks can include unauthorized access, disclosure, duplication, modification, misappropriation, destruction, loss, misuse, and denial of use. Information security policies guide management, users, and system designers in making information security decisions.

The International Organization for Standardization, or ISO, the world's largest developer and provider of international standards, has established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within organizations. ISO provides the 27000 family of standards for the development of organizational security standards and effective security management practices and to help build confidence in interorganizational activities. The ISO 27001 certification means that the organization will be able to:
- Improve enterprise security.
- Plan and manage security effectively.
- Secure partnerships and e-commerce.
- Enhance customer confidence.
- Perform accurate and reliable security audits.
- Reduce liability.

For internal auditors, a key resource is The IIA's Global Technology Audit Guide (GTAG), "Assessing Cybersecurity Risk: Roles of the Three Lines of Defense" (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx).

To design an information security policy, the organization should assess its security needs to gain an understanding of its business needs and security objectives. Common questions that this assessment should ask include:
- What information is considered business-critical?
- Who creates that critical information?
- Who uses that information?
- What would happen if the critical data were to be lost, stolen, or corrupted?
- How long can our business operate without access to this critical data?

As information crosses multiple lines in an organization, so too does information security. Therefore, an information security policy should be coordinated with multiple departments—including systems development, change control, disaster recovery, compliance, and human resources—to ensure consistency. Additionally, an information security policy should state Internet and email ethics and access limitations and define the confidentiality policy. Good policies also need to provide precise instructions on how to handle security events and escalation procedures (e.g., how to escalate situations where a risk is likely exceeding the organization's risk appetite). One essential information security policy is to ensure that the organization's Three Lines roles also cover information security roles and responsibilities, as is discussed more next.
Information Security Objectives

Auditors not only need to understand information security principles and controls in general; they should also understand the security needs of the particular facet of the business where the controls and information security systems reside. Both are needed to gain a full appreciation of information security risks and controls. The overall goal of information security is to maintain the integrity of information assets and processing and mitigate and remediate vulnerabilities.

COBIT, formerly known as Control Objectives for Information and Related Technology, is an internationally accepted framework created by ISACA that helps enterprises to achieve their objectives for the governance and management of information technology. COBIT systems security objectives reflect the breadth and complexity of the systems security environment:
- Manage IT security, as aligned with business requirements.
- Implement an IT security plan that balances organizational goals and risks and compliance requirements with the organization's IT infrastructure and security culture.
- Implement identity management processes to ensure that all users are identified and have appropriate access rights.
- Manage user accounts through appropriate policies and processes for establishing, modifying, and closing them.
- Ensure security testing, surveillance, and monitoring to achieve a baseline level of system security and to prevent, identify, and report unusual activity.
- Provide sufficient security incident definition to allow problems to be classified and treated.
- Protect security technology by preventing tampering and ensuring the confidential nature of security system documentation.
- Manage cryptographic keys to ensure their protection against modification and unauthorized disclosure.
- Prevent, detect, and correct malicious software across the organization in both information systems and technology.
- Implement network security to ensure authorized access and flow of information into and from the enterprise.
- Ensure that sensitive data is exchanged only over trusted paths or through reliable media with adequate controls to ensure authenticity of content, proof of submission, proof of receipt, and proof of nonrepudiation of origin.

Systems security is made up of controls general to the organization and specific to IT and physical security systems. Because a system is only as strong as its weakest link, systems security must start with use of a control framework such as COSO's Internal Control—Integrated Framework. Other controls such as proper segregation of duties are a prerequisite for IT systems security. Pointing out a deficiency in general or application controls needs to be put in context by explaining to management the risk exposure the deficiency is causing. The auditor should recommend the best system that can address the control given the particulars of the organization. Continual monitoring is required for controls to be effective. For example, a review of a software application for controls should include the security administration procedures, password controls, and user role provisioning methods.

When auditing for computer-related fraud, auditors trained in computer controls should try to think like a thief or a hacker in determining areas of greatest vulnerability. While this is not an easy task, it is important to determine what fraud would "look like" in the particular area under review so as to design the audit for maximum impact. This involves considering:
- How a system could be exploited.
- How the audit trail might be covered up.
- What level of authority would be needed to enact the cover-up.
- What explanations could be used if the issue were detected.
Role of the Three Lines Model in Cybersecurity

In the Three Lines Model, the first and second line roles for an organization are management (including its support functions) and the third is the internal audit activity. First line management roles deliver products and services to customers and are responsible for managing risk. Second line roles provide complementary expertise, support, monitoring, and challenge to first line roles. Proper board governance is also vital to the model and forms two of its six principles:
- Governance
- Governing body roles
- Management and first and second line roles
- Third line roles
- Third line independence
- Creating and protecting value

In terms of cybersecurity, management is accountable for developing, funding, monitoring, and controlling data administration, data processes, data risk management, and data controls. They usually delegate to qualified systems administrators who recruit and train certified and qualified staff. Systems administrators need to:
- Implement cybersecurity procedures, including training and testing of these procedures.
- Keep all systems up to date and securely configured, including restriction to least-privilege access roles (i.e., not overprivileged).
- Use intrusion detection systems.
- Conduct penetration testing (simulated attacks such as a denial-of-service attack) and internal and external scans for vulnerability management.
- Manage and protect network traffic and flow.
- Employ data and loss prevention programs, including encrypting data when feasible.

The first and second line roles that include risk, control, and compliance functions help assess whether the controls are functioning adequately and whether they are complete. First and second line roles need qualified, talented, and certified individuals who can conduct cyber risk assessments and gather intelligence on cyber threats. The roles need adequate policies, including for ongoing training.
They may be involved in helping to:
- Design roles to have least-privilege access.
- Assess external business relationships.
- Plan and test business continuity and disaster recovery.

Internal audit maintains its independence and objectivity in part so that it can properly function as the third line role. In the event that the first two lines fail to provide adequate protection, have an incomplete strategy, or fail to implement recommended remediation, internal auditors will be in a position to make these observations to senior management and/or the board. This might entail evaluating:
- Cybersecurity preventive and detective controls for adequacy and completeness.
- The IT assets of privileged users to ensure that they have standard security configurations and are free from malware.
- External business relationships by conducting cyber risk assessments.

The following cybersecurity risk assessment framework can help the internal audit activity ensure that the board and management are fulfilling their roles with regard to cybersecurity.

Cybersecurity Risk Assessment Framework

The "Assessing Cybersecurity Risk" Practice Guide presents a cybersecurity risk assessment framework, as shown in Exhibit 3-29. The framework's components are interdependent: each depends on the effectiveness of the others to enable the organization to be fully prepared to address cybersecurity. Each component is discussed more next.

Exhibit 3-29: Cybersecurity Risk Assessment Framework

Cybersecurity Governance

Cybersecurity governance is evidenced by clearly defined policies, relevant tools, sufficient staffing, and insightful training. Red flags of lack of governance include fragmented governance structures, incomplete strategy, unnecessary delays, budget cuts, attrition, or lack of accountability enforcement. A cybersecurity governance committee with representatives from the board, management, and internal audit can be formed to help:
- Establish a culture of cybersecurity risk awareness.
- Set a related risk appetite.
- Develop cybersecurity business continuity and disaster recovery plans.
- Collect cybersecurity risk intelligence.
- Collaborate and share expertise.

Such a committee would also oversee prompt management responses to security breaches, including root cause analysis. This committee can help avoid a common pitfall of management in that emerging threats or vulnerabilities are not considered proactively. The committee enlists the right types of expertise, does ongoing research, creates metrics, and reviews security defense tests.

Inventory of Information Assets

Management is responsible for creating an inventory of information assets, technology devices, and related software. This priority-ranked list of information assets can help determine where to apply stronger controls and where IT general controls and periodic evaluations should suffice. The most valuable assets will need preventive and detective controls that are continually monitored for ongoing effectiveness. This inventory will be enhanced if a process map is used or created to show how the information assets interact.

A key benefit of having an inventory is that it will enable detection when unknown devices have accessed a network. If these are the employees' own devices (used under a bring-your-own-device policy), they can be authenticated and inventoried. An inventory will consider data by type (e.g., transactional, unstructured), classification (e.g., health data), and storage environment. A comprehensive inventory will include:
- A physical inventory of servers and network, storage, and end-user devices.
- A comprehensive list of all applications.
- All third-party-hosted environments and data shared with external organizations, including regulatory agencies and vendors.

Standard Security Configurations

Centralized, automated configuration management software can establish baselines for devices, operating systems, and software.
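The two detection benefits just described, spotting devices that are not in the inventory (and separating authenticated BYOD candidates from truly unknown devices) and checking inventoried devices against a standard configuration baseline, can be reduced to a small reconciliation routine. The following is an added example, not code from the study guide or The IIA; the inventory, the baseline, the log format and the configuration snapshots are all constructed for illustration.

```python
"""Reconcile observed network devices against the asset inventory and a
standard configuration baseline. Added example; all data is constructed."""
import re

# Constructed asset inventory keyed by MAC address. "byod" marks a device
# enrolled under the bring-your-own-device policy.
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"host": "fin-app-01", "owner": "finance", "class": "server", "byod": False},
    "00:1a:2b:3c:4d:02": {"host": "hr-db-01", "owner": "hr", "class": "server", "byod": False},
    "00:1a:2b:3c:4d:10": {"host": "laptop-jdoe", "owner": "jdoe", "class": "end-user", "byod": True},
}

# Constructed standard security configuration per asset class (the baseline
# that centralized configuration management would enforce).
BASELINE = {
    "server": {"ssh_root_login": "no", "auto_patch": "enabled", "av_agent": "installed"},
    "end-user": {"disk_encryption": "on", "av_agent": "installed", "screen_lock_min": "10"},
}

# Constructed log lines in a simplified DHCP-lease / 802.1X-authentication style.
LOG_LINES = [
    "2024-03-01T08:01:02 dhcp lease mac=00:1a:2b:3c:4d:01 ip=10.0.1.11",
    "2024-03-01T08:02:10 dhcp lease mac=00:1a:2b:3c:4d:10 ip=10.0.5.23",
    "2024-03-01T08:02:11 dot1x auth mac=00:1a:2b:3c:4d:10 user=jdoe result=success",
    "2024-03-01T08:05:44 dhcp lease mac=f8:e4:3b:00:aa:99 ip=10.0.5.88",
    "2024-03-01T08:05:45 dot1x auth mac=f8:e4:3b:00:aa:99 user=asmith result=success",
    "2024-03-01T08:09:00 dhcp lease mac=de:ad:be:ef:00:01 ip=10.0.1.200",
]

# Constructed configuration snapshots reported by the endpoints and servers.
OBSERVED_CONFIG = {
    "fin-app-01": {"ssh_root_login": "yes", "auto_patch": "enabled", "av_agent": "installed"},
    "laptop-jdoe": {"disk_encryption": "on", "av_agent": "installed", "screen_lock_min": "10"},
}

LEASE_RE = re.compile(r"dhcp lease mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>\S+)")
AUTH_RE = re.compile(r"dot1x auth mac=(?P<mac>[0-9a-f:]{17}) user=(?P<user>\S+) result=success")


def observed_devices(lines):
    """Return {mac: {"ip": ..., "user": ...}} for every device seen in the logs.
    A successful 802.1X authentication attaches the authenticated user."""
    devices = {}
    for line in lines:
        lease = LEASE_RE.search(line)
        if lease:
            entry = devices.setdefault(lease["mac"], {"ip": None, "user": None})
            entry["ip"] = lease["ip"]
        auth = AUTH_RE.search(line)
        if auth:
            entry = devices.setdefault(auth["mac"], {"ip": None, "user": None})
            entry["user"] = auth["user"]
    return devices


def reconcile(inventory, devices, baseline, observed_config):
    """Classify observed devices and check inventoried ones against the baseline.

    unknown         -> on the network, not inventoried, no authenticated user
    byod_enrollable -> not inventoried but authenticated; candidate for BYOD enrolment
    drift           -> inventoried device whose reported setting differs from baseline
    """
    findings = {"unknown": [], "byod_enrollable": [], "drift": []}
    for mac, info in devices.items():
        asset = inventory.get(mac)
        if asset is None:
            if info["user"]:
                findings["byod_enrollable"].append((mac, info["user"]))
            else:
                findings["unknown"].append((mac, info["ip"]))
            continue
        expected = baseline.get(asset["class"], {})
        actual = observed_config.get(asset["host"], {})
        for key, want in expected.items():
            got = actual.get(key)
            if got != want:
                findings["drift"].append((asset["host"], key, want, got))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, observed_devices(LOG_LINES), BASELINE, OBSERVED_CONFIG).items():
        print(kind, items)
```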
Standardized configurations are more effective and easier to use for global updates than a patchwork. Risk assessments can determine where higher-security configurations are needed.

Information Access Management

An internal audit activity review of user access can determine if preventive controls, such as review and approval of privileges based on a new or transferred job role, are appropriate and working. An emphasis is placed on preventive controls for privileged administrative access because this is a leading indicator of cybersecurity program effectiveness.

Prompt Response and Remediation

Mature programs continuously shorten the time to management response. The second line roles communicate important risks to management, enact remediation, track issues to resolution, and create trend reports on resolutions.

Ongoing Monitoring

The second line role is expected to implement a monitoring strategy designed to generate behavioral change. Successful behavior change can include the following results:
- Users who do critical processes or access sensitive data are monitored at the access level.
- A systematic process to find IT vulnerabilities and remediate them is developed, including by regularly scanning systems.
- For external-facing systems, first and second line roles help define and agree on service level agreements (SLAs), service organization controls (SOCs), and other risk assessment and oversight programs such as technical architecture evaluations and compliance monitoring.
- The second line roles do announced and unannounced penetration testing.
- A method of ongoing monitoring and remote updating of smart devices for malware security should be in place.

Topic 6: IT Auditing, SDLC, and Change Management

This topic starts with an overview of IT objectives. It then looks at IT auditing and reviews its risks.
The topic also addresses the core activities in the systems development life cycle (SDLC): requirements definition, design, developing, testing, debugging, deployment (and delivery), and maintenance. The topic also helps internal auditors understand the importance of change controls throughout the SDLC.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Global Technology Audit Guide (GTAG) 4, "Management of IT Auditing," 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG4.aspx)
- Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx)
- Global Technology Audit Guide (GTAG) 8, "Auditing Application Controls" (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG8.aspx)
- Global Technology Audit Guide, "IT Change Management: Critical for Organizational Success," 3rd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/na-Technology-Audit-Guide-IT-Change-Management-Critical-for-Organizational-Success.aspx)

Goals of IT

Access to relevant and reliable information is key to business decision making. Relevance includes timeliness of information and an appropriate level of detail. Successfully applied information technology speeds the availability of information, automates aggregation and sorting of data, and ensures information accuracy. IT is successfully applied when the organization is able to use it to:
- Fulfill business objectives.
- Measure and address risks appropriately.
- Grow and adapt fluidly.
- Communicate effectively internally and externally.
- React quickly to business opportunities as they arise.

Management of IT Auditing

The IIA's Global Technology Audit Guide (GTAG) 4, "Management of IT Auditing," 2nd Edition is summarized in brief here.
Internal audits of IT use the same basic process as any audit, per Standard 2200 (https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx) and the steps in the "Engagement Planning: Establishing Objectives and Scope" Practice Guide (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Engagement-Planning-Establishing-Objectives-and-Scope-Practice-Guide.aspx): understand context, gather information, assess risks, form objectives, establish scope, allocate resources, and document the plan. Considerations for each step are provided next.

Understand Context and Gather Information

According to The IIA
Implementation Standard 2110.A2 (Assurance Engagements): The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives. (https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx)

Understanding the business context for IT auditing and identifying the IT portions of the audit universe start by understanding the organization's business strategy. IT strategy, IT processes, and IT projects exist to support and enable this strategy and therefore should be in alignment with organizational strategy. The CAE will need to map the organization's operations and IT infrastructure to:
- Understand the impact of IT on strategy execution as well as the execution of strategies at business process levels.
- Define the boundaries of IT, such as whether or not the physical security systems or telecommunications systems are part of IT.
- Highlight previously unidentified risks that should be communicated to senior management and IT management.
While IT general controls could be centralized, decentralized, or a mix of the two, cloud computing and other trends continue to make central control less feasible as a pure strategy. Thinking about IT risks and controls as a layered model will help internal auditors better understand the context for audit priority, risk assessment, and control evaluation. Exhibit 3-30 shows a generic model of the layers within IT management.

Exhibit 3-30: IT Management Layers

Key Point

A key point about IT management layers is that the technical infrastructure layer is harder to understand both conceptually and in terms of its risk and control implications than the applications (software) layer. For example, for procurement: The three-way match process at the application level is fairly straightforward to assess for existence and proper functioning. However, at the database level, one insider (or hacker) threat is alteration of bank account routing numbers for Automated Clearinghouse (ACH) payments. A person with the right skills and access could divert funds without triggering security, control, and audit trail mechanisms. If the bank allows payments to unknown account numbers, the problem would not be known until the authorized recipients report not getting the money.

Let’s briefly review each of these layers.

IT management layer. IT management comprises the set of people, policies, procedures, and processes that manage IT services and facilities. This layer includes IT governance, security management, system monitoring, programming, planning, vendor management, problem and incident management, change management, IT project management, and disaster recovery. Audits will focus on the people and the tasks they perform rather than the technical details.

External connections layer.
External connections to the Internet (such as for customer account self-management) have different risks and controls than other external connections, such as to third-party business partner networks and cloud services. All communications to and from external networks should be considered a risk and should be tightly controlled and monitored based on the risk level. At a minimum, an inventory of all entry and exit points needs to be maintained.

Technical infrastructure layer. Various technologies underlie, support, and enable the primary business applications, including operating systems, databases, networks, and data centers (e.g., server rooms). It is important to understand that technical infrastructure audits focus on a review of technical configuration settings in combination with their associated management processes (such as monitoring of privileged access users).

Applications layer. Applications include transactional applications (developed in-house, by vendors, or customized) as well as support applications that facilitate business but do not process transactions (e.g., email, data analytics, data warehouses). The bulk of IT audit attention is on transactional applications, but support applications, such as those that support external reporting or manufacturing machinery, could be high risk as well. Some applications require specialized knowledge for audits.

Assess Risks, Form Objectives, and Establish Scope

When assessing risks to determine audit objectives and scope (both at the audit plan level and for individual engagements), use of the organization’s normal risk management framework is a best practice. It is better to use one consistent approach for all risk types. Due to the fast pace of IT change, the risk assessment (and audit universe) will need to be updated regularly. Similarly, there should not be a separate IT audit universe; it is part of the overall audit universe.
However, there can be a grouping by audit type to facilitate allocation of specialist IT resources. The internal audit activity should also leverage whatever IT control framework the organization has selected, such as COBIT. This can help enable completeness, for example, including offshore service providers or automated business processes. Sharing the audit universe with relevant business partners is also a best practice.

While specific IT risks are addressed elsewhere, in general, it is important to assess:

Probability and impact using objective data such as IT statistics and error logs (e.g., number of incidents).
Subjective data such as interviews with process owners (especially for difficult-to-measure risks).

Risks with obvious severe negative consequences (like the loss of a data center) will require a response, so there is no need to quantify the risk. For less obvious risks, internal auditors look at the size (e.g., by budget) and business criticality (e.g., number of business entities the application supports or will support) of the IT project or underlying business function.

Allocate Resources

According to The IIA

Implementation Standard 1210.A3 (Assurance Engagements)
Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

When developing the audit universe and audit plan priorities, it is important to call out potential projects that will require IT staff resources and IT audit specialist skills. A frequent issue with allocating resources is that audits of a business area unrelated to IT often still have strong demand for IT specialist resources simply because so many business functions are now deeply dependent upon information systems.
To support Standard 1210, “Proficiency,” it is important for the CAE to realize that there is a wide variety of IT competencies and a specialist may be competent in one area but not in others. For example, the skill set needed to audit a firewall configuration is vastly different from the set needed to audit accounts payable configuration database tables. Training, cosourcing, outsourcing, and recruitment efforts will need to focus on knowledge gaps or areas high in demand. Making an overview of the different skill sets that are needed and then creating an inventory of current skills will help develop this gap analysis.

Document the Plan

According to The IIA

Implementation Standard 1220.A2 (Assurance Engagements)
In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

While most of an IT audit engagement plan will be the same as for any other type of audit, here we focus on some of the differences:

Some IT domains will be audited exclusively by specialist IT auditors, but audits of IT-enabled business processes take a view of the whole value chain and require collaboration with non-specialist auditors. Which party leads matters less than collaborating to deliver the optimal audit result.
If an IT control framework does not exist at the organization, the CAE should select an appropriate framework based on best fit. (Perfect fit is not needed.)
Audit testing tools selected should pass a cost-benefit test and should enable consistency and efficient review of large populations of data. Such tools are often used by hackers to probe a system. They include:
Security analysis tools. An important example of such tools is network analysis tools, which gather information about a network, validate the accuracy of network diagrams, identify network devices needing additional audit attention, and inventory what traffic is permitted across the network.
Vulnerability assessment tools. This software automatically checks for known vulnerabilities such as default passwords or settings. Auditors can plug in a range for automated search, and the tool creates a report. Because such tools could impact the integrity of the systems they are checking, it is important to coordinate the tests with a security officer (or use the results of their tests).
Application security analysis tools. Large applications such as ERP systems often have vendor-supplied security tools to analyze systems against pre-configured rules (e.g., vendor “best practices” that may need to be evaluated to see if they apply) or segregation of duties.

Plans for reporting to management should take into account the level of detail that these parties need rather than burying the actionable information in unnecessary detail. The focus should be on business risk. In

the control components, and the organization’s layers in the form of a cube, as shown in Exhibit 3-1. Each side of the cube relates to and influences the other sides.

Exhibit 3-1: COSO’s Internal Control Framework

The entity structure, which represents the overall entity, divisions, subsidiaries, and so on, is depicted as one side of the cube to show how the other sides of the cube apply to various organizational levels and become more granular. The rows represent the five components required for adequate governance, risk management, and internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities. These components relate to the organization’s strategy.
For example:

The control environment includes the organization’s values, attitudes, and ethics, which all influence the organization’s strategy.
The risk assessment component helps shape strategy by weighing the pros and cons of competing strategies.

The columns represent the operations, reporting, and compliance objectives:

Operations objectives relate to the effectiveness and efficiency of operations, including but not limited to operational and financial performance goals and safeguarding of assets.
Reporting objectives relate to financial and nonfinancial reporting, both internal and external, and may include reliability, timeliness, transparency, completeness, or other terms as identified by the standards setters, regulators, or policies of the entity.
Compliance objectives relate to the laws, regulations, policies, and procedures to which the entity is subject and the entity’s adherence to the same. Subcategories may include compliance with contracts, industry standards and best practices, and internal policy.

Note that the categories are distinct but often overlap. An objective may address more than one need or responsibility or may relate to different segments of the business or different individuals.

Topic 2: Organizational Structure Risk and Control

This topic helps internal auditors appraise the risk and control implications of different organizational structures, for example, centralized versus decentralized structures or traditional hierarchical versus flat structures.

Organizational Structure and the Control Environment

Organizational structure is the organization’s formal decision-making framework and its way of organizing authority, responsibilities, and performance activities. In the context of organizational structure:

Chain of command refers to the line of authority in the organization.
Span of control refers to the number of employees who report to an individual in the chain of command.
Organizational structure is part of an organization’s control environment. The IPPF glossary defines control environment as follows:

The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
Integrity and ethical values.
Management’s philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.

When auditing the control environment, internal auditors review organizational structure to see if it effectively fulfills the organization’s governance and business objectives.

Key Point

Organizational structure plays an important role in how controls may or may not work. The key consideration is what impact the structure would have on an auditable area. What strengths and weaknesses does the structure create?

The introduction to The IIA’s International Standards for the Professional Practice of Internal Auditing states, “Internal auditing is performed in diverse environments and within organizations that vary in purpose, size, and structure” and that such “differences may affect the practice of internal auditing in each environment,” before going on to highlight the mandatory nature of the Standards regardless of these differences.

Understanding and documenting the structure of an organization or one of its subdivisions is a preparatory step for an audit engagement. Each structure will have different risks and will need specialized controls. For example, a decentralized structure may have higher risks related to synchronizing organizational goals.
Controls requiring process approvals may require more creativity to implement—such as by getting buy-in from autonomous managers and using automated control processes to get compliance without undue hardship or delay. When internal auditors show sensitivity to the organizational structure in their workpapers, findings, and recommendations, it helps prove that they understand the area being audited and have tailored their engagements and findings to the needs and realities of the area. In short, understanding organizational structures is part of showing competence and adding value.

Centralized and Decentralized Structures

Organizational structures can be centralized or decentralized or somewhere in between these points along a spectrum. One type is not necessarily better than another. The optimum structure for a given organization depends on its industry, organizational culture and values, organizational management style, national or regional location(s), national culture, and global footprint.

Key Point

Structure type is important to internal auditors because it has a strong impact on management oversight.

A centralized structure (also called a hierarchical, bureaucratic, or traditional structure) is one in which there are several levels of authority, a long chain of command, and a narrower span of control. Decision making is concentrated in the higher levels of the management hierarchy. This structure is more bureaucratic, with a top-down management philosophy. Employees have little autonomy and must gain approval for actions.

Strengths:
Economies of scale (e.g., shared services)
Better control of expenses, preferred vendors, etc.
Consistency of decisions such as for information system choices

A weakness is that a “silo” mentality can form, where units are optimized but the overall system may be suboptimal and there is poor or slow communication between units.
A decentralized structure (also called a flat structure) is one in which there are fewer levels of authority, a shorter chain of command, and a wider span of control. Decision making is dispersed in the lower levels of the organization. The structure is less bureaucratic, with more bottom-up and lateral communication. Employees have more freedom to take action and have more autonomy.

Strengths:
Better cross-functional teamwork (less of a “silo” mentality)
More organizational flexibility and adaptability
Easier communication (e.g., an “open door” policy)

A weakness can be lack of clear roles and responsibilities.

Key Point

In geographically dispersed organizations or those that grow by mergers and acquisitions, a decentralized structure can provide timely and responsive decision making that can leverage local expertise and minimize management complexity.

Exhibit 3-2 illustrates the differences between centralized and decentralized structures.

Exhibit 3-2: Centralized versus Decentralized Organizational Structures

Hybrid structures often form in large, diversified organizations. Selected functions are managed in a centralized fashion to provide control and economies of scale, while other functions are decentralized to reduce bureaucratic complexity and improve local accountability and entrepreneurial ability. Each individual business unit could be more or less centralized or decentralized depending on what model works best to achieve its objectives.

Departmentalization

Departmentalization is

many cases, the results of individual engagements in specific areas can be consolidated to highlight the overall process risks and controls.

Risks Specific to IT

IT and auditing are primarily concerned with information risk, which includes the risk that inaccurate information is used to make a business decision.
However, widespread use of IT for all business processes has led internal auditing away from a focus on assurance regarding historical data at a specific point in time to assurance about the reliability of processes. If the process is wrong, the data will be, too, and vice versa. Therefore, internal auditing can help mitigate information risk. Note that this does not preclude auditing transactions to determine the impact on the business.

IT can potentially remove risks from a manual system, but it introduces its own risks. In addition, because of the nature of IT activities, these risks may also affect each other.

Physical audit trail replaced by data trail. Many physical documents are eliminated for audits, and controls must be used to compensate.
Hardware/software failure. Permanent loss of data, e.g., from environmental damage, outages, civil disruption, ransomware, and disasters, is costly.
Systematic errors. IT reduces random errors such as in data entry, but automated systems can uniformly duplicate errors, e.g., via faulty code.
Fewer human inputs/less segregation of duties. Many IT systems reduce labor costs through automation. Mitigating controls include reviewing segregation of duties and requiring end users to review their output at a low enough level of aggregation to catch problems.
Access authorization. Increased ability to access sensitive information remotely also increases the risk of unauthorized access.
Automated transaction authorization. Transactions that formerly required review and authorization, such as credit decisions, can be entirely regulated by an application. Authorization assurance rests on software controls and master file integrity.
Deliberate harmful acts. Outside individuals can cause significant harm to an organization. Trusted insiders are a source of significant risk.
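As an added example (not code from the study guide or The IIA), the following Python script shows a detective control for the ACH routing-number alteration described under the IT management layers and for the master file integrity and trusted insider risks listed above: two vendor-master snapshots are reconciled against approved change tickets, and each routing number is checked against the ABA check digit. All vendor IDs, account numbers, routing numbers and ticket references are constructed.

```python
"""Added example, not from the IIA study guide: a detective control that
reconciles vendor master bank details between two snapshots against approved
change tickets. Vendor IDs, accounts, routing numbers and tickets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    vendor_id: str
    routing: str   # nine-digit ABA routing transit number
    account: str


@dataclass(frozen=True)
class ApprovedChange:
    vendor_id: str
    new_routing: str
    new_account: str
    ticket: str    # change-control reference (constructed value)


def aba_checksum_ok(routing: str) -> bool:
    """ABA check digit: weight the nine digits 3,7,1,3,7,1,3,7,1; the total must be a multiple of 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def find_unapproved_bank_changes(prior, current, approvals):
    """Compare two vendor-master snapshots. A change is acceptable only when an
    approved ticket names the same vendor and the same new bank details; any
    other change, any record without history, and any routing number that
    fails the check digit is returned as a (vendor_id, issue) finding."""
    before = {row.vendor_id: row for row in prior}
    approved = {(a.vendor_id, a.new_routing, a.new_account): a.ticket for a in approvals}
    findings = []
    for row in current:
        old = before.get(row.vendor_id)
        if old is None:
            findings.append((row.vendor_id, "vendor record has no prior snapshot"))
        elif (old.routing, old.account) != (row.routing, row.account) and (
            (row.vendor_id, row.routing, row.account) not in approved
        ):
            findings.append((row.vendor_id, "bank details changed with no approved ticket"))
        if not aba_checksum_ok(row.routing):
            findings.append((row.vendor_id, "routing number fails ABA check digit"))
    return findings


# Constructed snapshots: "123456780" satisfies the check digit, "123456789" does not.
PRIOR = [
    BankDetails("V100", "123456780", "000111"),
    BankDetails("V200", "123456780", "000222"),
    BankDetails("V300", "123456780", "000333"),
]
CURRENT = [
    BankDetails("V100", "123456780", "000111"),  # unchanged
    BankDetails("V200", "123456780", "999222"),  # changed, covered by ticket CHG-0042
    BankDetails("V300", "123456789", "000333"),  # changed, no ticket, bad check digit
]
APPROVALS = [ApprovedChange("V200", "123456780", "999222", "CHG-0042")]

if __name__ == "__main__":
    for vendor_id, issue in find_unapproved_bank_changes(PRIOR, CURRENT, APPROVALS):
        print(vendor_id, issue)
```

Run against periodic snapshots, the comparison compensates for the audit trail the text says a skilled insider could bypass, because the reconciliation does not depend on the application's own logging.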
IT Auditing Challenges

To identify and assess the control of IT risks properly, an internal auditor must:

Understand the purpose of an IT control, what type of control it is, and what it is meant to accomplish, for example, whether it is preventive or detective.
Appreciate the significance of the control to the enterprise:
Benefits that accrue through the control (e.g., compliance or competitive advantage).
Damage that a weak or nonexistent control can cause.
Identify which individuals or positions are responsible for performing what tasks.
Balance the risk posed with the requirements of creating a control.
Implement an appropriate control framework and auditing plan.
Remain current with methodologies and business objectives.

Exhibit 3-31 summarizes the challenges internal auditors must master in conducting IT audits.

Exhibit 3-31: Challenges of IT Auditing

Assessing IT Controls
Understanding IT controls: governance, management, technical; general, application; preventive, detective; information security
Importance of IT controls: reliability and effectiveness; competitive advantage; legislation and regulation
Roles and responsibilities: governance; management; audit
Risk: risk analysis; risk response; baseline controls
Monitoring and techniques: control framework; frequency; assessment; methodologies; audit committee interface

Source: Practice Guide “Information Technology Risk and Controls,” second edition.

CAE Role in IT Audits

The CAE is responsible for ensuring a balance between the enterprise and its IT controls and proper implementation of a control framework. This involves:

Understanding the organization’s IT control environment.
Being aware of all legal and regulatory requirements.
Assessing whether roles related to IT controls are appropriate.
Developing and implementing an internal audit activity IT risk assessment process for annual audit planning. (IT management should have its own independent risk assessment process.)
Identifying all internal and external monitoring processes.
Establishing appropriate metrics for control success and policies for communicating with management.
Communicating IT risks and controls to the board and management in an understandable way.

Systems Development Life Cycle (SDLC)

IT systems have a life cycle, from design through implementation to maintenance. Early systems designs were left largely to IT specialists. A better approach is team design. The purpose of team design is to ensure that the needs of all stakeholders are considered. The steps in the process are:

Feasibility study.
Request for system design.
High-level design.
Detailed systems design.
Program coding and testing.
Conversion (of old data files).
Implementation.
Maintenance.

The internal audit activity can add value to this process. For example, during the feasibility study, internal audit can provide assurance that the team is adequately staffed, control deficiencies are remedied, the system can accommodate growth, budgets are reasonable, and users agree to the change.

The use of a formal or normative model for systems development helps developers in much the same way that the use of project management keeps a project progressing toward its goals while handling problems in an orderly fashion rather than as emergencies. Internal auditors can use a normative model to observe where actual practice differs from expected practice in the model. One such normative model is the systems development life cycle (SDLC).

SDLC Steps

A development methodology is a vital tool because it forces management to be involved rather than relegating IT to specialists. Requiring a feasibility study, policies, objectives and standards, and testing forces IT to be treated as a resource that must be managed. Formal processes help managers understand how they can be involved. In fact, all stakeholders for a system should be involved in the formal process.
Indicators of effective IT controls for systems development include the ability to execute new system plans within budget and on time. Resource allocation should be predictable.

The traditional SDLC is a sequential process, moving between formal stages, where one step is completed before the next is begun. In this version of the SDLC, end users are not involved in the process other than as interviewees and reviewers of completed work. Systems analysts and programmers design and build the system. Most organizations now use a modified SDLC, because they have found that engaging end users thoroughly from the start results in a better product that is “owned” by its users. Another well-established trend is using agile project management to manage the design, programming, testing, and conversion and implementation phases of the SDLC.

Exhibit 3-32 shows the SDLC. Each step is described in detail following the exhibit.

Exhibit 3-32: Systems Development Life Cycle

SDLC: Requirements and Design

Systems Planning

In the systems planning phase of the SDLC, executives and IT management establish a long-term technology strategy that measures success by its fulfillment of business strategy. Capital investments are allocated in accordance with business priorities. Systems planning is often conducted by an IT steering committee with members from top management and IT. While management alone may not be able to assess if standards are adequate, the committee should be able to do so collectively. The basic question asked at this level is “What problems exist, and are they worth fixing by use of scarce resources?” The committee:

Sets IT policy.
Approves both long- and short-term plans, including a master plan to schedule resources for all approved IT projects.
Provides monitoring and oversight.
Assesses the impact of new IT.
Streamlines related business processes.
Systems Analysis

While systems planning is used to identify problems or challenges that are worth addressing in the design and development of new systems, systems analysis is used to point out deficiencies and opportunities in existing IT systems. Systems analysis could indicate that existing system modification is more cost-effective than a new system, or vice versa. The result of systems analysis is a request for systems design or selection. This is a written request submitted either to the steering committee (for large projects) or to IT management (for smaller projects). If approved, the committee allocates money for a feasibility study.

Feasibility studies indicate the benefits to be obtained if a proposed system is purchased, leased as a service, or developed, including its operational impact. Off-the-shelf software and outsourced software development are evaluated against internal development costs and time to market. Feasibility studies:

Identify the needs of all related parties—management, IT professionals, users—and develop metrics for future assessment (e.g., time frame, functionality, cost).
Analyze the proposed system against:
Needs.
Defined resources (e.g., budget, personnel).
Additional costs and future impacts (e.g., impact on existing systems/hardware, additional training/staffing).
Technology trends.
Alignment with enterprise strategies and objectives.
Perform cost-benefit analysis.
Identify the best risk-based alternative (e.g., no change, a new system, reengineering an existing system, buying an off-the-shelf product, customization, or lease of software).

Feasibility study conclusions should provide the basis for a go/no go decision. The feasibility study results require written approval of the committee or IT management. Internal auditors should be involved here to ensure that control and auditability requirements are included in the scope of the project. Specific controls are defined in the next step.
Systems Design/Selection

Systems design occurs in two phases: high-level design and detailed design. In between these steps, sometimes prototyping (rapid creation of an experimental bare-bones system) is performed. Prototyping makes a functioning model for users to interact with; they can then suggest improvements. The prototype may have more than one revision.

High-level systems design has four steps:

1. Analyze inputs, processing, and outputs of existing or proposed system.
2. Break down user requirements into specifics, such as support for a particular inventory valuation method or costing technique.
3. Define functional specifications to accomplish business goals, e.g., accounts receivable data updates customer credit.
4. Compare make-or-buy alternatives, including any needed configuration or customization.

Flowcharts showing the path of inputs/outputs can help clarify processing tasks and ensure that user needs are being met. Structural design can facilitate development by identifying and organizing sub-processes. At this time, data files and the database structure must also be considered as well as how existing files and databases can be converted to the new system. If the decision is made to buy a system, systems selection begins.

Assuming approval, a detailed systems design is created for both internally developed systems and for purchased software that needs modification. This is a blueprint including program specifications and layouts for files, reports, and display screens. Planners flowchart each process, including the method of implementation and testing. Specific areas of customization are authorized (controls need to minimize this), and configuration settings are determined.

SDLC: Development

Typically organizations purchase off-the-shelf software or a subscription to a cloud-based software service.
Purchased software should be configured rather than customized due to cost, time, and licensing considerations as well as the risk of incompatibility with newer versions of the systems. Software that is hosted on a cloud-based service is automatically kept up to date with the latest version. Customization is not an option for cloud-based software, but some degree of configuration may be available. Off-the-shelf and cloud-based systems also incorporate best practices and well-developed controls and have complete documentation.

Programmers must get sign-off from superiors at appropriate milestones. Programmers should follow a detailed systems road map when writing or reusing code, debugging code, converting existing data and processes to the new system, reconfiguring and acquiring hardware as needed, and training staff. Source code must be protected during the project by a librarian. Online programming allows programmers to write and compile code using real data. It also speeds development time. However, it does introduce risks that must be controlled:

Creation of multiple versions of programs
Unauthorized access
Overwriting of valid code

SDLC: Testing and Debugging

Testing involves creating a testing plan, collecting or creating testing scenarios, executing the tests and managing test conditions, collecting and evaluating feedback, and reporting the results. Testing and quality assurance are done in two phases: unit testing and system testing. Unit or performance testing keeps the application in isolation to find internal bugs. (Bugs are errors in software code that can cause aberrant behavior or worse.) It is useful to conduct unit testing as early as possible to prevent errors from affecting ongoing work in other units (often as a required part of the programming step). System testing strings together all programs in the application to find intercommunication bugs.
In addition, the new or acquired system’s operation must be tested in an interface with all other systems with which data is transferred. Before implementation, the system faces final acceptance testing for quality assurance purposes and user acceptance. Testing terminology includes the following:

Debugging—checking software for bugs
Load testing—examining a system’s performance when running under a heavy load (e.g., a large number of simultaneous users)
Throughput testing—validating that a system can process transactions within the promised time
Alpha testing—conducted by developers
Beta testing—conducted by users
Pilot testing—a preliminary and focused test of system function
Regression testing—confirming that revisions have corrected problems and not introduced new ones and checking for backward compatibility
Sociability testing (SOCT)—testing the system in its intended environment, with actual hardware and resources, while running with competing and collaborating applications
Security testing—validating the ability to control vulnerabilities

In some instances, testing may be conducted automatically, during off-peak use times, thus speeding testing and development. Teams not involved in programming deliberately try to make the system fail. Security applications can be tested by deliberately trying to hack into the system. Auditors should make sure that testing is given sufficient resources, time, and attention. In addition, review of testing results, potential issues identification, and test result follow-up are vital to ensure that testing results in practical improvements.

SDLC: Delivery/Deployment

Conversion is the process of migrating any data to the new system and going “live.” This area is of particular concern to audits, because errors can be introduced at this point (after testing) and not detected until they cause material harm.
Errors include incorrectly converting code, truncating fields, use of the wrong decimal place in calculations, and loss of records. Manual conversion is physical data entry of old records and should be avoided if possible. To reduce data entry errors, hash totals, record counts, and visual inspections should be used. Both automated and manual data migration should include a data cleansing step. Adequate preparation and training of staff and end users must be planned and implemented as well.

Implementation is turning on the new system. Management must sign off on the conversion review. Different implementation approaches can be used. Big bang or cutover approaches have the entire system go “live” at the same time. Phased approaches are implemented by department or plant. Pilot approaches implement a test version and run it for a given period prior to full implementation. Parallel approaches run the old and new systems simultaneously for a period, requiring double entry of all transactions. This safeguards business continuity and provides independent system verification through comparison of process totals. Regardless of the method, internal auditors should ensure that a backout procedure exists. User support, such as help desks and documentation, must be available at the time of implementation.

After implementation, the new/acquired system and project should be reviewed, using the metrics defined at the beginning of the project. Attention should focus on whether:
• The system has met user requirements (in terms of resource use and performance).
• Specified controls have been created and are adequate.
• The development process was conducted in compliance with policy.

SDLC: Maintenance

Operations and maintenance are ongoing activities that continue for the life of the software. It is important that management schedule and communicate the need for system downtime for routine maintenance.

SDLC Documentation

The change log is only part of the documentation produced by the SDLC.
Large amounts of other documentation and formal specifications—covering, among other things, the software, the related business process, security features, and backup processes—are also produced. Documentation can be a boon to auditors if it is easy to use, so it should be clear and concise and follow a structured and well-communicated methodology. A risk is that programmers could shirk their documentation duties, preferring to move on to the next task. Early auditor involvement and having a designated person review the documentation as it is submitted can help lower this risk. Asking developers for personal notes can help fill in some blanks. Attempting to change a system without documentation can be made even more difficult if turnover occurs. Documentation is also a control for preventing fraud, but it is useful only if all valid changes are recorded.

Another problem with documentation and the traditional SDLC appears when a long-duration project needs to be changed due to shifting business requirements, new technologies, or releases of an application. In this case, the documentation needs to be updated. Therefore the urge to fix design flaws discovered later in the process is sometimes suppressed by freezing the specifications, which could result in a less-than-useful tool. Agile software development methods address these risks.

Agile Software Development

The traditional SDLC can create inefficiencies through its rigidly enforced sequence of events and its assumption that the requirements for the software can be known or frozen early in the project. However, software requirements often cannot be known until significant development work has occurred. The customer often also identifies new requirements even late in development that would be key to competitive advantage.
Agile is an umbrella term for a number of project management methodologies for software engineering or other projects that have high requirements and scope uncertainty even late in the project and so need to enable frequent changes in a cost-effective manner. Examples include Scrum, the Kanban method, and eXtreme Programming. Agile uses both increments and iterations:
• Increments create a new/improved system release by release. A release is a relatively self-contained portion of functionality released into production as soon as it is “done.” The definition of “done” includes the programmer doing all testing and quality steps.
• Iterations are a series of very short SDLC cycles. Each cycle, or iteration, has its own requirements definition, design, planning, development, testing, and feedback steps. Typical iteration durations are one to six weeks, and many methods have fixed-duration iterations with regular meetings, including brief daily meetings called standups and a meeting called a retrospective for continuous improvement. This allows new requirements to be incorporated quickly and with much lower risk of replanning or rework.

Here are a few other qualities of agile development:
• An agile role is the scrum master, who is like a project manager but is an expert in the chosen agile methodology and helps enforce its use. The scrum master is more of an enabler (removes obstacles) and a coach, since collaboration is extremely important in agile and team members take the lead whenever they have the most expertise.
• The customer (called the product owner) needs to be involved on a daily basis and serves as the change control owner. The product owner attends all meetings with the software developers and helps set or change priorities. Change control is less formal and more collegiate. The product owner meets with the other stakeholders and represents their interests.
In this way, use of the agile methodology can significantly reduce the risk that a project will be outdated before it is finished.
• While documentation is still necessary, its importance is reduced. The primary measure of success is working software.
• Many programmers employ reusable code to speed development.
• The team uses a Kanban board, which is a physical space like a whiteboard or software that empowers team members to pick what they want to work on next from a continually updated, reprioritized list of tasks and their current status. It ensures that the current work is done before new work is started.

Auditing Agile Projects

Audits of agile methods tend to be more difficult than audits of traditional methodologies, in part because agile is designed to embrace uncertainty and in part because its speed means that changes happen quickly. For example, even when properly implemented, agile methods de-emphasize documentation in priority, and poor documentation can weaken an audit trail. A thorough use of the chosen methodology can reduce risks of failure. If the product owner fails to be involved on a daily basis, information may have been missed, and the system may function but not provide the right functions for business needs. Gold plating (programmers adding unasked-for features) or scope creep (stakeholders adding unnecessary requirements) can also occur if the product owner is ineffective at change management. Risks related to emphasis on speed include that the system could have poor scalability if a minimum viable product (the smallest-scope first release) is chosen that takes shortcuts or prioritizes easier releases and pushes the difficult ones back. If an agile project starts running out of budget or schedule, some high-priority releases may not yet be done.
Web Services and SOA

In addition to there being many ways to customize how software projects are managed, software development sometimes transcends the traditional boundaries of stand-alone application development. One form this takes is web services along with service-oriented architecture.

Web services use open Internet protocols and standards to create stand-alone, modular software services that are capable of describing themselves and integrating with other similar services. Web services work independent of platform, operating system, or computer language, and the offerings of other providers can be leveraged without any middleware. Web services can work with traditional applications by creating a universal wrapper around the message content. They speed software development efforts because common services such as a credit check tool can be found on a registry server. Web services are especially good for making automated or one-time connections with business partners.

A service-oriented architecture (SOA) is a software system design that allows for sharing of web services as needed. A service consumer sends out requests for services to service providers, which either provide the service or forward the request. SOA has an architecture goal of loose coupling, which means that the data is separated from the application and each service says what it needs another service to do, not how to do it. Advantages include the ability for remote users to access ERP systems using mobile devices and for various applications to work together to synthesize data into information faster. In addition, developers have easier and faster upgrades.

What does this all mean for internal auditors? Despite the many advantages of this set-up, control issues abound. Internal governance models that were created for traditional software will need to be reengineered. This is especially true if the organization must comply with the rules of Section 404 of the U.S.
Sarbanes-Oxley Act or an international equivalent on internal controls. The openness of SOA creates new risks to internal controls. For example, in a traditional IT system, there would be barriers between the sales, credit, and billing modules that rely on logical access controls and role-based access. Customers would be assigned a customer role and a temporary unique ID. Their access would be restricted, and moving further would require knowledge of the proprietary interface that resides between the Internet portal and the rest of the ERP system. Customers could create a purchase but not change their credit.

In SOA architecture, all modules such as sales, credit, billing, and the general ledger are web services connected to the web. The system would still have a firewall and other protections, but the SOA would be like a trunk line to which each set of modules and databases is connected. The entire ERP system would become a web service. Now the customer’s ERP system gets approval for and establishes a direct link to the organization’s ERP system. The two parties can automate their trading. Therefore, some of the segregation of duties will be missing. A compensating control is to designate the system making the interface as a user with its own role-based access. The ID of the user commanding that “user” also needs to be mapped to prove compliance with controls (e.g., nonrepudiation, authentication, segregation of duties). In the worst-case scenario, an organization with this set-up could allow the SOA modules, such as the general ledger, to communicate over port 80, an open channel that bypasses the firewall. Any service anywhere could then modify the general ledger.

Auditors may need to seek external assurance that the SOA system can do either of the following:
• Authenticate the external system, the system user, and the user’s role or deny all service.
• Place greater emphasis on application-level controls than with a traditional set-up.
General audit recommendations include implementing SOA in stages, starting with nonfinancial business functions. The organization can then assess risks and controls.

IT Change Management

The Global Technology Audit Guide, “IT Change Management: Critical for Organizational Success,” 3rd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/na-Technology-Audit-Guide-IT-Change-Management-Critical-for-Organizational-Success.aspx), defines change management broadly as “the technology changes that affect an organization’s systems, programs, or applications.” Change management is an integral part of the organization’s IT general controls (ITGCs). Change management is no longer just an IT management responsibility:
• The entire senior management team is accountable for managing change risks.
• The board is responsible for holding management accountable.
• The internal audit activity leverages its independence, objectivity, and holistic view of processes to help senior management and the board recognize the importance of IT change management, provide assurance, and help improve programs.

Importance of Change Management

Changes in the IT environment may be frequent and significant. Change controls can keep numerous noncritical changes from resulting in lost productivity and blown budgets while allowing for necessary changes and problem escalation in emergencies. Change control can also prevent implementation of unauthorized changes. Changes might be unauthorized because they:
• Are not in the scope of currently planned work.
• Require thorough design, planning, and testing before being included in updates.
• Require a technical review as part of an internal control step (e.g., to detect whether changes provide system backdoors or other opportunities for programmer malfeasance).
The internal auditor should look for adequate change controls, including governance and security controls, audit trails, quality assurance, provision for emergency changes, source controls, and tracking. Changes must be approved by management, follow development standards, and be tested. The change controls should follow the organization’s or project’s chosen methodology. The process and results should be predictable, defined, and repeatable. In addition, change control involves maintaining thorough documentation in a change log.

Types of Change Management

Change management includes application code revisions; system upgrades; infrastructure changes such as changes to servers, routers, cabling, or firewalls; and security patches/updates. Security patches/updates have significant risks and so are discussed more next.

Security patches/updates, also called patch management, are updates to applications that are already in production. They involve installing a patch—a bundled set of fixes to a software’s code to eliminate bugs or security vulnerabilities. Patches should be handled as their own category. High-performing organizations perform far fewer patches than low-performing organizations.

Organizations with poor change management controls have low success for IT changes due to project delays or scope creep. They suffer from unexpected outages and may frequently be in crisis mode, with many emergency or unauthorized changes. Constant crisis creates stress and turnover for IT staff, shows lack of control over escalation, and heightens risks that a change will have unintended consequences. If IT staff has no time for new projects, deteriorating service results. If a change results in downtime or, even worse, a material error in system data (such as in financial reporting data), it could carry a higher risk of loss than even that of a system attack.
When a possible patch or change comes up, IT staff and management should perform triage, sorting out the true emergency situations. Criteria should be based on business need and the relative risk of waiting. Changes to security controls or to make a system resume functioning are high-priority. To make the change management process cost-effective, multiple changes are bundled for release on a regular basis (e.g., monthly); these are called blanket changes.

The organization should test planned changes using a robust testing plan with a specific movement of changes from environment to environment, called migration. The purpose is to determine if there will be unintended consequences of installing a patch or making another change. Orchestration change tools are used to promote code between environments and deploy patches. An example of a series of environments for IT change migration follows.
• Development (DEV). The code under development resides in this environment. Code that has been created and unit-tested is incorporated here.
• Testing (TEST). System testing occurs in a sandbox environment, which is a copy of the system that is not the production environment (the live version).
• User acceptance testing (UAT). This sandbox environment uses the full amount of user traffic and data.
• Production (PROD). This is the live production environment for end users. Production changes should be performed in off-hours.

While the organization can prepare a software update and should notify users of important vulnerability fixes, it may be up to the end users to install patches, and failure to do so could leave them vulnerable. In other cases, software vendors can “push” changes automatically without requiring end-user intervention (called automation “bot-driven” changes), but the end user may need to opt in to such programs. Cloud software, on the other hand, is updated for all users simultaneously, since the software is not on end-user systems.
Change Management Process Steps

The “IT Change Management” Global Technology Audit Guide lists the following change management process steps:
1. Identify the need for change.
2. Prepare. Document the step-by-step procedure for the change request, the change test plan, and a change rollback plan.
3. Justify the change and request approval. Determine the impact and cost-benefit; review associated risks and regulatory impact. The organization may use ticketing systems for reporting and managing bugs.
4. Request approvals.
5. Authorization. The change approval board rejects, approves, or requests more information. Set priorities relative to the overall schedule.
6. Schedule and coordinate change. Schedule a change implementer and a change tester, test in preproduction, communicate to affected parties, get final approval, and implement change.
7. Test in appropriate environment(s).
8. Implement change.
9. Verify/validate change. Back out change if unsuccessful.
10. Close change request and report to stakeholders. Document the final changes that were made. Measure change success, use of process, variances, and regulatory compliance. Report lessons learned. Revisit the change management process for improvement.

Change Management Risks

Exhibit 3-33 reviews some examples of change management risks.
Exhibit 3-33: Change Management Risks

General risks
• Business objective failure
• Unauthorized or unrecorded changes

Patch-related risks
• Poor documentation
• Small configuration change with big impact
• Downtime or slowdowns
• Security issues
• Inefficiencies, inconsistencies, or financial misstatements
• Disgruntled staff or customers
• Failure to analyze threats or use change approval process
• Poor timing of pushes that leaves end users unprepared
• Poor change success rate
• Cybersecurity vulnerabilities if changes are not made, are delayed, or are not fully implemented by end users

Emerging risks
• Advanced systems that create new risk categories
• Cloud third-party risk impact on support infrastructure
• Mobile and bring-your-own-device (BYOD) changes made by organization versus by end user that create inconsistency
• End-user computing (e.g., open source) that makes it hard to design controls; lack of organizational time invested that makes it seem like lower audit priority than it is

Third-party and compliance risks
• Vendor reports needed for compliance, but no guarantee that controls are effective
• Poorly determined division of controls between parties
• Lack of patch and patch notification clauses in contracts
• New or expanded regulations improperly change-controlled
• Poor change documentation that makes it hard to affirm internal controls over financial reporting (ICFR) or data privacy compliance

Controls for IT Change Management

IT change management starts with proper IT governance. Top management needs to set the proper tone. Segregation of duties and change authorization are key controls. Complex production environments require more controls. Adherence to development methodologies such as the systems development life cycle is critical. Routine maintenance changes are easier to audit, because their results can be objectively determined and management override risk is low.
More scrutiny is needed for software-based controls that detect when controls are being overridden due to higher risk of management override and the need for auditors to subjectively judge their effectiveness. Software applications also have detective controls to verify production changes against authorizations. Other supervisory controls include the following:
• Software development should report to a high enough level of management to keep department heads from improperly scheduling low-priority projects.
• During outages, controls can be used to enable authorizations and changes to be made quickly to reduce repair time.

Preventive controls include enforcing change and patch management policies and having key stakeholders assess change risks. Detective controls include measuring and correcting poor performance, such as by measuring the mean time to repair. Exhibit 3-34 summarizes some risks, controls, and related metrics for IT change management.

Exhibit 3-34: Metrics for Determining IT Change Management Success

Risk: Unauthorized changes
Control: Policy for zero unplanned changes; proactive management; detective software
Metric: Number of unplanned changes; number of unplanned outages; number of changes authorized; number of changes implemented

Risk: Changes fail to be implemented or are late
Control: Change management process
Metric: Greater than x% change success rate (High-performing organizations are near 100% and investigate all deviations.)

Risk: New work created by change; unplanned work displaces planned work
Control: Triage; planned changes bundled; patches treated as a normal process to expect
Metric: Less than x% of work is unplanned (e.g., 5% or less); percentage of time on unplanned work; percentage of projects delivered late; percentage of patches installed in a planned software release

Source: Global Technology Audit Guide, “IT Change Management: Critical for Organizational Success,” 3rd Edition.
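As an added example (not code from The IIA or the GTAG) of the detective control described above, the following Python compares a production deployment log against change approval board tickets and derives metrics of the kind Exhibit 3-34 lists. Both data sets are constructed sample data, and the ticket fields and window format are assumptions.

```python
"""Detective control: verify production changes against authorizations.

Added example for this study guide's IT change management section; not code
from The IIA or the GTAG. The approved-change tickets and the production
deployment log are constructed sample data. The control reports each
production change that has no approved ticket, or that ran outside its
authorized window, and then derives Exhibit 3-34 style metrics.
"""
from datetime import datetime

# Constructed change approval board records (what was authorized).
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "system": "billing", "window_start": "2024-03-02T22:00",
     "window_end": "2024-03-03T02:00", "emergency": False},
    {"ticket": "CHG-1002", "system": "gl", "window_start": "2024-03-02T22:00",
     "window_end": "2024-03-03T02:00", "emergency": False},
    {"ticket": "CHG-1003", "system": "sales", "window_start": "2024-03-09T22:00",
     "window_end": "2024-03-10T02:00", "emergency": False},
    {"ticket": "CHG-1004", "system": "billing", "window_start": "2024-03-05T14:00",
     "window_end": "2024-03-05T16:00", "emergency": True},
    {"ticket": "CHG-1005", "system": "credit", "window_start": "2024-03-09T22:00",
     "window_end": "2024-03-10T02:00", "emergency": False},  # approved, never deployed
]

# Constructed production deployment log (what actually changed in PROD).
PRODUCTION_LOG = [
    {"ticket": "CHG-1001", "system": "billing", "deployed": "2024-03-02T23:10", "success": True},
    {"ticket": "CHG-1002", "system": "gl", "deployed": "2024-03-03T01:45", "success": False},  # backed out
    {"ticket": None, "system": "gl", "deployed": "2024-03-04T10:05", "success": True},  # no ticket at all
    {"ticket": "CHG-1003", "system": "sales", "deployed": "2024-03-08T15:30", "success": True},  # early
    {"ticket": "CHG-1004", "system": "billing", "deployed": "2024-03-05T14:20", "success": True},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def verify_changes(approved, log):
    """Match each production change to its authorization.

    Each log entry is returned with a 'finding': 'authorized', 'unauthorized'
    (no approved ticket for that system) or 'outside_window' (a ticket exists
    but the deployment time is not within the approved window).
    """
    by_ticket = {a["ticket"]: a for a in approved}
    results = []
    for entry in log:
        auth = by_ticket.get(entry["ticket"])
        if auth is None or auth["system"] != entry["system"]:
            finding = "unauthorized"
        elif not (_ts(auth["window_start"]) <= _ts(entry["deployed"]) <= _ts(auth["window_end"])):
            finding = "outside_window"
        else:
            finding = "authorized"
        results.append({**entry, "finding": finding})
    return results


def not_implemented(approved, log):
    """Approved tickets with no production deployment (changes that failed to happen)."""
    deployed = {e["ticket"] for e in log if e["ticket"]}
    return sorted(a["ticket"] for a in approved if a["ticket"] not in deployed)


def change_metrics(approved, log):
    """Derive the metrics Exhibit 3-34 associates with each risk."""
    results = verify_changes(approved, log)
    implemented = len(results)
    unplanned = sum(1 for r in results if r["finding"] != "authorized")
    succeeded = sum(1 for r in results if r["success"])
    pct = lambda n: round(100.0 * n / implemented, 1) if implemented else 0.0
    return {
        "changes_authorized": len(approved),
        "changes_implemented": implemented,
        "unplanned_changes": unplanned,
        "emergency_changes": sum(1 for a in approved if a["emergency"]),
        "changes_not_implemented": len(not_implemented(approved, log)),
        "change_success_rate_pct": pct(succeeded),
        "unplanned_work_pct": pct(unplanned),
    }


if __name__ == "__main__":
    for r in verify_changes(APPROVED_CHANGES, PRODUCTION_LOG):
        print(r["system"], r["deployed"], r["ticket"], r["finding"])
    print(change_metrics(APPROVED_CHANGES, PRODUCTION_LOG))
```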
Another control is a system librarian, an IT role that provides control over original documentation and maintains and controls the change logs that show how the software has changed at each version. This practice helps track down the root causes of issues and facilitates software rollbacks to prior versions as needed. Even if a librarian position does not exist, the organization will likely have a code repository, which is a securely located repository that requires programmers to check out code they will work on.

Topic 7: IT Controls and Control Frameworks

This topic describes some IT control objectives and places IT controls in a system of classification, and it then helps internal auditors recognize the purpose and applications of basic IT controls and IT control frameworks such as COBIT, ISO 27000, and ITIL.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx).

Basic IT Controls

Key Point

A key concept is that IT controls must provide continuous assurance for internal controls. A related concept is that auditors must provide independent assurance of this coverage.

Effective IT controls provide continuous assurance supported by a reliable and continuous trail of evidence. In addition, this assurance is itself assured through the internal auditor’s independent and objective assessment of the control. According to the Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition, the goals of the IT controls and the control framework are to provide and document:
• Compliance with applicable regulations and legislation.
• Consistency with the enterprise’s business objectives.
• Continuity with management’s governance policies and risk appetite.
IT Control Objectives

IT internal control objectives include:
• Protecting assets/resources/owners’ equity.
• Ensuring that information is available, reliable, and appropriately restricted.
• Holding users accountable for functions performed.
• Protecting customer privacy and identity.
• Providing support and evidence of employee job performance. (Employees can prove that they did the right things.)
• Maintaining data and system authenticity and integrity.
• Assuring management that automated processes are controlled.
• Providing an audit trail for all automated and user-initiated transactions.

Exhibit 3-35 lists some indicators of effective IT controls.

Exhibit 3-35: Indicators of Effective IT Controls
• Ability to execute and plan new work (e.g., IT infrastructure upgrades to support new products/services)
• Projects that come in on time and within budget, saving the organization time and resources and improving its competitive position
• Ability to allocate resources predictably
• Consistent availability of reliable information and IT services across the organization and with customers, partners, and external interfaces
• Clear communication to management of key indicators of effective IT control
• Ability to protect against new threats and vulnerabilities and to recover from disruptions quickly and efficiently
• Efficient use of a customer support center or help desk
• Heightened security awareness throughout the organization
Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Control Classification

The hierarchy of IT controls in Exhibit 3-36 is discussed next. Note that systems software controls and application-based controls were discussed in more detail elsewhere.

Exhibit 3-36: Hierarchy of IT Controls
Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Policies are IT governance controls.
Governance controls are oversight rather than performance controls that rest with the board of directors and their committees, such as the audit committee, in consultation with executives. Policy examples include security policies about the use of IT throughout the organization, data privacy, ownership, level of autonomy to create and use applications, and measures to assure business continuity. Policies must be approved by management (and the board of directors, as appropriate) and communicated throughout the organization to set the “tone at the top” and expectations. Policies need to be monitored and evaluated using metrics. An organization may have a technology steering committee consisting of IT, key business functions, and internal audit. The committee prioritizes user technology requests given limited resources.

Management controls occupy the next three levels. They focus on identifying, prioritizing, and mitigating risks to the organization, its processes and operations, its assets, and its sensitive data. Such controls have a broad reach over many organizational areas, requiring collaboration between executives and the board. They include:
• Standards for systems development processes (both those developed internally and those acquired from vendors), systems software configuration, and applications controls, data structures, and documentation.
• Organization and management of lines of responsibility and reporting, incorporating separation of duties as appropriate, financial controls for IT investment, IT change management, and personnel controls.
• Physical and environmental controls to mitigate risks from hazards such as fire or unauthorized access.

Technical controls form the remaining three levels and are the foundation of almost all other organizational IT controls. Technical controls are the specific controls that must be in place for management and governance controls to be effective.
Automated technical controls implement and demonstrate compliance with policies. Technical controls include:
• Systems software controls such as those controlling access rights, enforcing segregation of duties, detecting and preventing intrusion, implementing encryption, and managing change.
• Systems development controls such as documentation of user requirements and confirmation that they have been met, a formal development process that incorporates testing, and proper maintenance.
• Application-based controls that ensure that all input data is accurate, complete, authorized, and correct and is processed as intended; all stored and output data is accurate and complete; and all data processes are tracked from input, through storage, to eventual output.

Controls may be classified in other ways, for example, according to the way they are viewed throughout the organization. Exhibit 3-37 classifies controls by different perspectives.

Exhibit 3-37: Control Classifications
Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Since governance, management, and technical controls were addressed above, the other two sides of the cube are addressed in relation to IT next.

IT general controls (ITGC) and application controls

An IT general control (ITGC) applies generally to the IT environment or the overall mix of systems, networks, data, people, and processes (the IT infrastructure). The use of an IT control framework requires implementing a general control framework such as the COSO Internal Control—Integrated Framework. An application control is related to the specific functioning (inputs, processing, outputs) of an application system that supports a specific business process. Balancing of process totals is an example.

Preventive controls, detective controls, and corrective controls

Preventive controls are designed to stop fraud or errors before they occur.
Examples include a firewall, a drop-down menu, or assigning access privileges by job role. Detective controls are triggered after an error (an exception condition) occurs, e.g., automated flagging of inactive users or review of exception reports for completed transactions to detect credit limit overrides. Corrective controls are used once errors, fraud, or other control issues have been detected. They need their own preventive and detective controls to ensure that the process isn’t corrupted. Corrective controls range from automated error corrections to business continuity plans.

IT Control Frameworks

According to “Information Technology Risks and Controls,” a control framework is an outline that identifies the need for controls but does not depict how they are applied. Control frameworks help determine the appropriate level of IT controls within the overall organizational controls and ensure the effectiveness of those controls. IT control frameworks are internal control systems that help managers:
• Set IT control objectives.
• Link IT to business processes and overall control frameworks.
• Identify key IT areas to leverage.
• Create a process model that logically groups IT processes.

Why are control frameworks needed? Managers need assurance that their IT processes are contributing to business objectives and competitive advantage. The organization needs assurance that it is resilient because it can mitigate risks of fraud or cyber attacks. Stakeholders need to know that the organization can be trusted. One way to gain such assurance is for management to increase its understanding of IT operations without getting bogged down in the increasingly complex execution details. Breaking systems down into understandable processes helps managers combine business with IT strategy, align organizational structures, and set performance goals and metrics. Control frameworks provide a methodology for seamlessly linking objectives to requirements and requirements to actual performance.
A process model breaks IT down into easy-to-understand activities organized around the control objectives to be achieved and identifies resources to be leveraged. Control frameworks provide a foundational structure upon which effective regulatory compliance can be reasonably addressed and assured, such as for the U.S. Health Insurance Portability and Accountability Act (HIPAA). Use of standardized, well-accepted frameworks means that there is a body of literature available for guidance and that users can benchmark against the standards or against competitors using similar methods. The framework should clearly communicate specific IT control roles—IT controls need to be everyone’s responsibility. IT controls can provide “defense in depth,” meaning that guidance on setting up multiple layers of controls reduces the likelihood of a control failure.

Selecting an IT Control Framework

Selecting an IT control framework involves deciding which model will benefit the entire organization, since the model will be used by a large number of employees with control responsibilities. Frameworks are generalized for broad use, but no framework encompasses all business types or all IT. The expectation is that they should be tailored to the need. The CAE can assist with this process.

Control frameworks can be formal, or they can be informal, meaning that they are not written down but are communicated verbally and through action. Such systems are not appropriate once an organization has moved past the earliest stages of maturity. Satisfying regulatory requirements requires the use of formal approaches. Properly understanding risks is a prerequisite for selecting a control framework. The CAE should determine the organization’s risk appetite, defined in the IPPF glossary as “the degree of risk that an organization is willing to accept.”

IIA Practice Guides

The IIA’s Practice Guides (formerly GTAGs) can help in selecting the proper framework for an organization.
The Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG1.aspx), covers IT controls as an executive needs to understand them, including organizational roles and structure and how the IT controls fit within the overall control framework. The other GTAG documents cover specifics such as IT change management. These guides contain advice for set-up, management, and measurement of application-level controls. The GTAG documents can be used to create a unique framework or to supplement an existing one. One example of a tool that can be used to plan for sufficient audit coverage is the CAE checklist shown in Exhibit 3-38. Studying the questions CAEs should raise for each of the actions listed shows how a general risk-based framework would be customized for each organization.

Exhibit 3-38: IT Control Framework Checklist
Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

COBIT Model for IT

COBIT, formerly known as Control Objectives for Information and Related Technology, is an internationally accepted framework created by ISACA. It helps enterprises achieve their objectives for the governance and management of IT. The current version of the framework, COBIT 2019, helps:
- Users be more satisfied with IT security and outcomes.
- Management understand the role of IT and its place in organizational strategy.
- Management create more value from IT resources, meet regulatory compliance, and control IT risks by providing better risk awareness to enable informed risk decisions.

COBIT sets clear lines of responsibility. The framework can be adapted for use by any size or type of organization to set and achieve separate governance and management objectives for its information systems.
The COBIT 2019 framework includes the following interrelated elements:
- Governance system components (seven of these)
- Governance framework principles (three of these) and governance system principles (six of these)
- Governance and management objectives (40 of these)

Components

The components are the aspects or functions of the organization that are needed individually and collectively to create and sustain a governance system. Generally self-explanatory, they are as follows:
- Processes
- Organizational structures
- Principles, policies, and frameworks
- Information
- Culture, ethics, and behavior
- People, skills, and competencies
- Services, infrastructure, and applications

Principles

Exhibit 3-39 illustrates the three principles for a governance framework and six principles for a governance system that form the COBIT 2019 framework. Each set of principles is explained next.

Exhibit 3-39: COBIT’s Governance System Principles and Framework Principles
Source: Adapted from “COBIT 2019 Framework: Introduction and Methodology,” © 2018 ISACA. All rights reserved. Used with permission.

COBIT 2019 governance framework principles are as follows:

Framework Principle 1: Based on conceptual model. A governance framework (such as COBIT 2019) should be based on a conceptual model that clearly calls out the relationships between its elements so that persons will use the model consistently and the model is capable of being automated in software systems.

Framework Principle 2: Open and flexible. A governance framework should be able to be extended with new content without harming the model’s integrity or consistency. This enables the framework to flexibly address innovations, emerging risks, and so on.

Framework Principle 3: Aligned to major standards. A governance framework should be compatible with major regulations, other frameworks, or relevant government or industry standards.

COBIT 2019 governance system principles are as follows:

System Principle 1: Provide stakeholder value.
Stakeholder needs drive value creation. Since the objective of governance is the creation of value in an organization, governance must define value creation as the realization of the benefits expected by stakeholders while optimizing the use of resources and the management of risks. The needs of stakeholders often conflict, such as shareholders’ need for profit versus regulators’ or society’s need for environmental sustainability. Therefore, the COBIT 2019 framework promotes governance as a process of negotiating among stakeholders’ value interests and then deciding how to create optimum value for stakeholders overall. Since this is a generic framework, what constitutes value for stakeholders may differ considerably, such as between for-profit and not-for-profit organizations.

To help organizations define value based on customized stakeholder needs, the COBIT 2019 framework includes a goals cascade:
- The cascade starts with stakeholder drivers and needs, which direct the selection of enterprise goals.
- Enterprise goals direct the selection of alignment goals. (Alignment goals are broad IT efforts that help IT align with business objectives.)
- Alignment goals direct the selection of governance and management objectives.

The goals cascade is basically a set of tables that starts with a set of 13 generic enterprise goals. For example, one goal is a “portfolio of competitive products and services.” Organizations use the knowledge of their stakeholders’ drivers and needs to select from among these generic goals. The enterprise goals then cascade down to 13 IT-related alignment goals, for example, “knowledge, expertise, and initiatives for business innovation.” These in turn cascade down to the set of governance and management objectives (addressed later). The point is to translate stakeholder needs and the derived governance goals into priority-weighted IT goals and from there to easily implementable processes, policies, and procedures.
System Principle 2: Holistic approach. The seven components listed previously are used to implement each goal determined using the goals cascade. While each component (e.g., organizational structures) may differ considerably between organizations, the set of components as a whole needs to work together. The processes, organizational structures, and culture, ethics, and behavior components are governance-directed management organizing activities that help ensure successful adoption of the principles, policies, and frameworks. (Governance direction over culture, ethics, and behavior is critical to achieving goals. The influence of these three factors is often underestimated.) The principles, policies, and frameworks component provides practical guidance on how to shape desired behavior by doing specific management activities. The remaining components (information; services, infrastructure, and applications; and people, skills, and competencies) are resource management components. These components rely on one another to succeed. For example, processes need proper information, skills, and behavior to make them effective and efficient.

System Principle 3: Dynamic governance system. When the organization changes technologies or IT strategies, it is important that the IT governance system consider the impact of these changes and adapt itself to remain useful.

System Principle 4: Governance distinct from management. The board needs to treat governance as a discipline separate from the management of the organization. The COBIT 2019 framework’s governance and management objectives clearly distinguish between governance objectives and management objectives.

System Principle 5: Tailored to enterprise needs. Tailoring is adapting a framework to an organization’s unique needs. The framework contains a set of design factors to help customize it and to determine which governance system components to prioritize or customize.
An example of a design factor is to create an enterprise information and technology risk profile. Each design factor contains some useful aids, for example, a set of IT risk categories.

System Principle 6: End-to-end governance system. The end-to-end principle is that IT governance must be wholly and completely part of the organization’s overall governance and internal control framework. The COBIT 2019 framework integrates the most current governance models and concepts. It also applies to processes that have been outsourced or are part of an extended enterprise of partners in a supply chain. Because the seven components listed earlier are organization-wide in scope, focusing on each of these components allows governance to be end-to-end. The last part of this principle involves defining governance roles as well as their relationships and activities. Owners or shareholders delegate to a governing body such as the board, which sets the direction for management, which in turn provides instructions to operations so that it aligns to stakeholder goals. Each relationship also includes a feedback process of reporting, monitoring, and accountability.

Governance and Management Objectives

There are five governance objectives. Governance objectives are all in the same domain: Evaluate, direct, and monitor. Governance objectives include ensuring that the governance framework is in place and maintained, stakeholder benefits are delivered, risk responses are optimized, resource use is optimized, and stakeholders remain engaged.

There are 35 management objectives. Management objectives are divided into the following domains that reflect a cyclical set of management roles:

Align, plan, and organize. Processes include managing strategy, enterprise architecture, innovation, the portfolio of IT systems, risk, security, HR, and relationships.

Build, acquire, and implement.
Processes include IT program management, change management, defining requirements, identifying and building solutions, and managing configuration, knowledge, and assets.

Deliver, service, and support. Processes include managing operations, incidents and problems, continuity, security, and process controls.

Monitor, evaluate, and assess. Processes include monitoring and managing performance and conformance, the system of internal control, compliance with external requirements, and assurance.

ISO 27000 IT Control Framework

The ISO 27000 series of standards is related to information security management systems (ISMS). An ISMS is a systematic framework for ensuring that sensitive organizational information remains secure. The series applies a risk management process to information security.

ISO 27001:2013:
- Sets requirements for an ISMS to ensure that the system is appropriate for the context of the organization, meets stakeholder needs and expectations, and is scoped, documented, communicated, and maintained appropriately.
- Provides (through its Annex A, which mirrors the ISO/IEC 27002 code of practice) a reference set of information security controls to help organizations select and implement those that are relevant to them and also develop customized information security management guidelines.
- Has a section on leadership and commitment to ensure that objectives trace to the strategy, ISMS requirements are integrated into policy and processes, the ISMS is competently resourced, and the system is monitored and controlled using appropriate metrics to:
  - Achieve information security objectives.
  - Mitigate or prevent undesired effects based on a formal risk assessment process with a consistent set of criteria for comparability among results.
  - Continually improve.
- Includes control objectives, individual controls, and security control clauses in the areas of:
  - Information security policies (gives management direction and support).
  - Organizational structure (a framework for implementing and controlling information security, including roles, responsibilities, segregation of duties, etc.).
  - Mobile devices and remote workers (to ensure security).
  - HR security (screening, learning responsibilities, training, at termination, etc.).
  - Asset management (inventories of assets, acceptable use, return at termination, how to classify information types, how to control access and changes to media, etc.).
  - Access control (similar to the earlier discussion of identity and access management).
  - Cryptography (policies on encryption and storage of keys).
  - Physical and environmental security (from perimeter security down to how to work in secure areas, plus equipment security controls).
  - Operations security (operating procedures, change management, capacity management, malware protection, backups, audit trails, etc.).
  - Communication security (networks, information transmittal, etc.).
  - System acquisition, development, and maintenance (information system security requirements, development and support process controls, test data protection, etc.).
  - Supplier relationships (monitoring and managing supplier services and related changes).
  - Incident management (management of incidents and communications on security events and vulnerabilities).
  - Business continuity management. (Information security is an embedded component of such a system.)
  - Compliance (regulations related to contracts, intellectual property, document retention, etc.).

The standard requires both management reviews and internal audits at planned intervals to ensure conformance to related organizational requirements and the requirements of ISO 27001. There are numerous other standards in this family that relate to specialized areas such as ISMS auditing (ISO 27007), network security, application security, and so on.

ITIL IT Control Framework

ITIL (the 2011 edition) also underpins a five-tiered certification scheme.
Formerly called the IT Infrastructure Library, ITIL is a framework for managing IT as a portfolio of services delivered to the business, whether provided in-house or outsourced, using service level agreements (SLAs) and ongoing processes for monitoring and controlling availability, capacity, configurations, issues or problems, patches, change management, and so on. It addresses the concept and life cycle of IT service management, from service strategy and design to operations and continuous improvement.

Bibliography

The following references were used in the development of Part 3 of The IIA’s CIA Challenge Exam Study Guide. Please note that all website references were valid as of April 2020.

Accounting Standards Update No. 2016-02, “Leases (Topic 842).” FASB, www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176167901010&acceptedDisclaimer=true, February 2016.
“All about Ransomware.” Malwarebytes, www.malwarebytes.com/ransomware/.
American Institute of Certified Public Accountants (AICPA). “AU-C Section 240, Consideration of Fraud in a Financial Statement Audit.” www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-c-00240.pdf, 2017.
“Assessing Cybersecurity Risk: Roles of the Three Lines of Defense” (Global Technology Audit Guide [GTAG]). Altamonte Springs, Florida: The Institute of Internal Auditors, 2016.
“Auditing Insider Threat Programs” (Global Technology Audit Guide [GTAG]). Lake Mary, Florida: The Institute of Internal Auditors, 2018.
Babeni, Sadissa. “Most Popular Databases in 2020: Here’s How They Stack Up.” ormuco.com/blog/most-popular-databases, January 24, 2020.
BS ISO/IEC 27001:2013. “Information Technology—Security Techniques—Information Security Management Systems—Requirements,” second edition. The British Standards Institution, 2013.
Buccella, Diana. “Five Prevalent Risks for Marketing Departments.” Resolver, www.resolver.com/blog/top-5-risks-marketing-teams/, October 18, 2019.
Buccella, Diana. “Five Risks that Keep Sales Leaders Up at Night.” Resolver, www.resolver.com/blog/top-5-risks-sales-teams/, October 23, 2019.
“Business Continuity Management” (Global Technology Audit Guide [GTAG] 10). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.
Cau, David. “Governance, Risk and Compliance (GRC) Software: Business Needs and Market Trends.” www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/governance-risk-compliance-software_DCA.pdf.
CERT Insider Threat Center. “Common Sense Guide to Mitigating Insider Threats, Fifth Edition.” resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484758.pdf.
“Change and Patch Management Controls: Critical for Organizational Success,” 2nd ed. Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
“COBIT 5: Enabling Processes.” www.isaca.org/bookstore/cobit-5/cb5ep.
“COBIT 2019 Framework: Introduction and Methodology.” Schaumburg, Illinois: ISACA, 2018.
Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy and Performance. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2017.
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework (2013). Jersey City, New Jersey: American Institute of Certified Public Accountants, 2013.
Creely, Edel. “Five BYOD Security Implications and How to Overcome Them.” Trilogy Technologies, May 26, 2015.
Crowe Horwath LLP. “Enterprise Risk Management for Cloud Computing.” COSO, www.coso.org/Documents/Cloud-Computing-Thought-Paper.pdf, 2012.
“Data Analysis Technologies” (Global Technology Audit Guide [GTAG] 16). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.
“Effective Dates of Major Standards.” FASB, www.fasb.org/cs/Satellite?c=Page&cid=1176169222185&pagename=FASB%2FPage%2FSectionPage.
“Evaluating Corporate Social Responsibility/Sustainable Development” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.
“FASB Accounting Standards Codification—About the Codification” (v 4.10). FASB, asc.fasb.org/imageRoot/71/58741171.pdf.
“Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0. NIST (National Institute of Standards and Technology), 2014.
“Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017, Up 31 Percent from 2016.” Gartner, www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016, February 7, 2017.
Grassi, Paul A., Michael E. Garcia, and James L. Fenton. “Digital Identity Guidelines” (NIST Special Publication 800-63-3). NIST (National Institute of Standards and Technology), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.
“Identity and Access Management” (Global Technology Audit Guide [GTAG] 9). Altamonte Springs, Florida: The Institute of Internal Auditors, 2007.
“Information Technology Risks and Controls,” 2nd ed. (Global Technology Audit Guide [GTAG] 1). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.
“The IoT Rundown for 2020: Stats, Risks, and Solutions.” Security Today, securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx?Page=2, January 13, 2020.
ISACA, www.isaca.org.
ISO/IEC 27017:2015, “Information Technology—Security Technologies—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services.” www.iso.org/standard/43757.html.
“ITIL Certifications.” Axelos, www.axelos.com/certifications/itil-certifications.
“The ITIL Foundation Certificate in IT Service Management Syllabus,” Version 5.5. Axelos, www.axelos.com/getmedia/b2d6281d-14aa-45fc-abb7-4d228810c328/The_ITIL_Foundation_Certificate_Syllabus_v5-5.aspx, 2013.
Kaplan, Robert S., and David P. Norton. “The Balanced Scorecard—Measures That Drive Performance.” Harvard Business Review, January-February 1992, hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2.
“Leases.” FASB, www.fasb.org/cs/Satellite?c=Page&cid=1351027207574&d=Touch&pagename=FASB%2FPage%2FBridgePage#section_2.
“Management of IT Auditing,” 2nd ed. (Global Technology Audit Guide [GTAG] 4). Altamonte Springs, Florida: The Institute of Internal Auditors, 2013.
“Managing and Auditing IT Vulnerabilities.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.
“Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.
“The New Mafia: Gangs and Vigilantes: A Guide to Cybercrime for CEOs.” Malwarebytes, www.malwarebytes.com/pdf/white-papers/Cybercrime_NewMafia.pdf.
OECD. “Tool: Indicators of Procurement Risk.” www.oecd.org/governance/procurement/toolbox/search/indicators-procurement-risk.pdf, 2009.
“Revenue Recognition: Why Did the FASB Issue a New Standard on Revenue Recognition?” FASB, www.fasb.org/jsp/FASB/Page/ImageBridgePage&cid=1176169257359.
Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.
“Statement of Comprehensive Income.” Audit IT, www.readyratios.com/reference/accounting/statement_of_comprehensive_income.html.
Stippich, Warren W., Jr., and Bradley J. Preber. Data Analytics: Elevating Internal Audit’s Value. Altamonte Springs, Florida: The IIA Research Foundation, 2016.
“Strategic Planning Basics.” Balanced Scorecard Institute, balancedscorecard.org/strategic-planning-basics/.
“Supplemental Guidance.” The Institute of Internal Auditors, na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx.
Taber, David. “The 11-Point Audit for Your Salesforce.com System.” CIO, www.cio.com/article/3146983/the-11-point-audit-for-your-salesforcecom-system.html, December 5, 2016.
“Understanding and Auditing Big Data” (Global Technology Audit Guide [GTAG]). Lake Mary, Florida: The Institute of Internal Auditors, 2017.
Vito, Kelli. Auditing Human Resources, 2nd ed. Altamonte Springs, Florida: The IIA Research Foundation, 2010.
“What Is COBIT 5?” ISACA, support.isaca.org/app/answers/detail/a_id/733/~/what-is-cobit-5%3F.
“What Is the Difference Between Differential and Incremental Backups (and Why Should I Care)?” Acronis, www.acronis.com/en-us/articles/incremental-differential-backups.
Zamora, Wendy. “Truth in Malvertising: How to Beat Bad Ads.” Malwarebytes, blog.malwarebytes.com/101/2016/06/truth-in-malvertising-how-to-beat-bad-ads/, December 13, 2017.

Contents

License Agreement for The IIA’s CIA® Challenge Exam Study Guide
The IIA’s CIA® Challenge Exam Study Guide
Part 3: Business Knowledge for Internal Auditing
  Section A: Business Acumen
    Topic 1: Strategy, Globalization, and Audit Alignment
      Objective and Strategy Setting
      Operations, Reporting, and Compliance Objectives
    Topic 2: Organizational Structure Risk and Control
      Organizational Structure and the Control Environment
      Centralized and Decentralized Structures
      Departmentalization
      Summary of Organizational Structures
    Topic 3: Business Process Risks and Controls
      Common Business Processes
      HR Risk and Control
      Procurement Risk and Control
      Sales and Marketing Risk and Control
      Logistics Risk and Control
      Outsourcing Risks and Controls
    Topic 4: Project Management
      Project Management
      Project Planning and Scope
      Time, Resources, and Cost
      Change Management (Scope Control)
  Section B: Data Analytics
    Topic 1: Data Analytics, Types, and Governance
      Data Analytics
      Big Data
      Data and Information Security Governance
    Topic 2: Data Analytics Framework and Process
      Data Analytics Framework
      Data Analytics Process
    Topic 3: Data Analytics in Internal Auditing
      Data Analytics in Internal Auditing
      Types of Data Analytics
      Detecting Anomalies with Data Analytics
      Data Analysis Software
  Section C: Information Technology and Security
    Topic 1: Information Security Controls
      Information Security
      IT General Controls
      IT Operational Controls
      Information Security Controls
      Encryption
      Firewalls
      Antivirus Software
    Topic 2: Data Privacy and Security
      Data Privacy
      Data Privacy Laws and Frameworks
      Data Privacy Controls
      Data Security Practices
      Auditing Data Privacy
    Topic 3: Emerging Technology
      Emerging Technology
      Smart Devices
    Topic 4: Cybersecurity Risks
      Cybersecurity Risks
      Malware
      Piracy and Device Tampering
      Insider Threat Programs
    Topic 5: Cybersecurity Policies
      Cybersecurity Policies
      Information Security Policies
      Role of the Three Lines Model in Cybersecurity
    Topic 6: IT Auditing, SDLC, and Change Management
      Goals of IT
      Management of IT Auditing
      Risks Specific to IT
      IT Auditing Challenges
      CAE Role in IT Audits
      Systems Development Life Cycle (SDLC)
      SDLC: Requirements and Design
      SDLC: Development
      SDLC: Testing and Debugging
      SDLC: Delivery/Deployment
      SDLC: Maintenance
      Agile Software Development
      Web Services and SOA
      IT Change Management
    Topic 7: IT Controls and Control Frameworks
      Basic IT Controls
      IT Control Frameworks
      COBIT® Model for IT
      ISO 27000 IT Control Framework
      ITIL IT Control Framework
  Bibliography
  Index

a structure for grouping organizational work into specialized units and jobs. Both centralized and decentralized organizations use departmentalization but in different ways and to different degrees. Grouping classifications may include product, geographic, process, and customer departmentalization as well as functional, divisional, and matrix.

In a functional structure, authority and decision making are arranged by functional groups such as finance, marketing, sales, manufacturing, and research. Advantages are the ability to specialize and control business activities. A disadvantage is narrower perspectives in the organization.
A divisional structure is one in which divisions are fairly autonomous units within the organization. Divisions are specialized and may not even relate to one another. A division may contain all functions for a distinct group of products or services. Overall support is received from the centralized core of the organization. Advantages and disadvantages are similar to those of the functional structure, with the ability to specialize but narrower organizational perspectives.

A matrix structure is a team- and project-based approach between functions and divisions. An employee from a functional department works with a manager from another department on a special team assignment. In essence, the employee reports to two managers for the duration of the project. The matrix structure permits greater flexibility and use of resources. However, there can be accountability and work conflict issues because of the dual reporting relationships. A matrix assignment can be short or long term. Exhibit 3-3 shows an example of a matrix structure.

Exhibit 3-3: Matrix Organizational Structure

A primary benefit of departmentalization is that efficiencies are gained from grouping common knowledge and skills for a focused effort. Disadvantages may be departmental conflicts and the formation of a “silo” mentality.

Summary of Organizational Structures

Exhibit 3-4 compares the advantages and disadvantages of the various types of organizational structures.
Exhibit 3-4: Organizational Structure Comparisons

Centralized (hierarchical)
  Advantages: Economies of scale; control; management consistency.
  Disadvantages: Slower decision making/responses; low employee participation; possible “silos,” conflict/inefficiency, and communication barriers between departments.

Decentralized (flat)
  Advantages: Higher employee participation and satisfaction; faster decision making/responses.
  Disadvantages: Loss of economies of scale; less control over productivity and efficiencies.

Functional
  Advantages: Specialization by function; more employee participation.
  Disadvantages: Narrower area perspective; coordination difficult.

Divisional
  Advantages: Autonomy by division; specialization.
  Disadvantages: Narrower perspectives; loss of economies of scale.

Matrix
  Advantages: Blend of technical and market emphasis; efficient use of resources.
  Disadvantages: Dual reporting causes employee confusion and possible manager conflict.

Topic 3: Business Process Risks and Controls

The internal audit activity frequently needs to perform assurance and consulting engagements for specific functional areas such as HR, procurement, product development, sales, marketing, logistics, or the management of outsourced processes. Some risk and control implications of each of these business processes are presented in this topic. Note that in the interest of brevity, the HR area is addressed in more detail to illustrate the full process, while the other areas have lighter coverage.
According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
- Practice Guide, “Engagement Planning: Establishing Objectives and Scope” (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Engagement-Planning-Establishing-Objectives-and-Scope-Practice-Guide.aspx)
- Practice Guide, “Auditing Third-Party Risk Management” (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Third-Party-Risk-Management-Practice-Guide.aspx)
- Auditing Human Resources, second edition, by Kelli Vito

Common Business Processes

Common business processes are often grouped into functional areas or departments such as human resources (HR), procurement, product development, sales, marketing, production, finance, accounting, IT, and logistics. Each business process might be managed in-house and/or outsourced in whole or in part. Management of these processes directly and/or as outsourced functions can carry different risk and control implications. Some business processes are also handled as projects. Business processes may cross between functional areas, requiring close coordination and communication.

Functional areas or projects might also be differentiated as core versus non-core activities. Operations (production or service delivery), product development, sales, or perhaps logistics might be core processes, while HR, finance, and other administrative or support functions typically are designated as non-core processes. However, a vendor that provides outsourced HR services would consider these services to be core operations, because HR services are what they are selling. The differentiating factor is usually one of competitive advantage.
If a business process can provide a competitive advantage, the organization will typically retain the process in-house because it can provide these functions at lower cost and/or higher quality (i.e., better value) than if they were outsourced. Conversely, the organization may or may not outsource part or all of the non-core processes, depending on the best overall value.

Key Point
It is important to understand why the sub-processes within a functional area are grouped together in the first place (and whether some other grouping would make more sense). Business processes exist to support achievement of one or more business objectives. The various sub-processes in the overall process are all likely interlinked primarily because it creates economies of scale to plan, direct, monitor, and control them as one unit.

Logistics and supply chain management arose because new methods were needed to address a business process that crossed multiple functional areas (procurement, warehousing, shipping and receiving, customer service, supplier relationship management, etc.). The new management model created efficiencies and a better customer experience over maintaining “silos.”

Some of the methods discussed next for evaluating business processes or specific functional areas could be used from a big-picture perspective to define engagements in the annual audit plan. Here the focus will be on individual engagement planning and execution. Prior to delving into an audit of an area, internal auditors determine how thorough the audit should be. For example, this could be:
- A routine checkup as part of an audit rotation.
- An alignment review to see how well the area aligns with organizational objectives.
- A compliance review.

According to The IIA
Performance Standard 2200, “Engagement Planning”
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.
https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx

As established by Standard 2200 and fleshed out in the “Engagement Planning: Establishing Objectives and Scope” Practice Guide (https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Engagement-Planning-Establishing-Objectives-and-Scope-Practice-Guide.aspx), internal auditors use the following steps to determine objectives and the overall scope of an audit engagement:
- Understand context.
- Gather information.
- Assess risks.
- Form objectives.
- Establish scope.
- Allocate resources.
- Document plan.

Since this overall process was addressed in Part 2, here the focus is on the first three of these steps and on the last step, documenting (and implementing) the plan. The internal audit activity reviews and analyzes the business process to understand context and gather information and then assesses area risks to determine which areas should receive higher priority and more audit resources. The discussion that follows assumes appropriate objectives, scope, and resources are allocated based on this information. (See the Practice Guide mentioned above for more information.) The last part of the discussion for each functional area discusses plan documentation and implementation. This involves assessing whether the area’s internal controls are appropriate and effective given the area’s objectives and risks. Before discussing these steps for each functional area, some general points follow.

Understand the Business Process and Gather Information
In order to determine the intensity level and areas of focus for an audit engagement of a functional area, internal auditors need to understand the business process and its context.
What are the area’s objectives, and how do these trace upward to the organization’s strategy, mission, and vision? What long-term strategy and annual goals were set for this business process? Auditors can start to understand strategic and annual goals by reviewing business process documentation, including:
- Prior audit workpapers.
- Process workflows (flowcharts) and area organizational charts.
- Job descriptions or documents related to consultant work.
- Customer reviews.
- Plans and budgets for the area.
- Policy and procedure manuals.
- Trends in key performance indicators.

Reviewing process workflows and related narratives is especially valuable. If a process flowchart does not exist, creating one or more with the help of the process owner, such as by conducting walkthroughs, can help the auditor understand how various parts of the process interrelate as well as the process inputs and outputs.

Key Point
Reviewing or creating process workflows is vital because they can reveal where one process or sub-process interacts with or impacts other processes (including processes in other functional areas) from a risk and control standpoint.

Process workflows can also help to differentiate between key and support processes. If a key process fails to occur correctly, achievement of a specific objective could be directly and negatively impacted. Even non-core functional areas will likely have key processes that support the achievement of a top-level business objective, such as procurement needing to minimize the cost of goods sold (competitive price) while maintaining agreed-upon quality levels (customer satisfaction).

Note that lack of documentation for an area in question may be a risk in itself that needs to be part of engagement observations, because it may negatively impact new employee orientations, leave roles and responsibilities open to interpretation, make it hard to assess area efficiency, and make risk and control assessments more difficult.
Documentation review may also include review of external documents. For example, the management’s discussion and analysis section of the organization’s financial statements may discuss the functional area’s objectives and key risks. A regulatory report or finding may have been issued. There could be court cases or settlements.

For each process, internal auditors also enlist the help of the process owner to determine:
- Why the process exists.
- What functional area objective(s) it supports.
- Whether it can be linked to achievement of overall organizational objective(s).
- What policies and procedures exist to direct how people involved are supposed to act.
- What its inputs and outputs are and whether these result in difficulties due to the need for cooperation and communication with other functional areas.
- Whether the process provides other important benefits to management.

If the process owner is having difficulty describing these elements, one way to get to the important parts of the process is to ask “What part of your job gives you the most satisfaction?” Another question to ask is “What would most endanger organizational success if it were done wrong?”

Given an understanding of the business process, its objectives, and its sub-process interactions, the next step is to assess risks affecting the process to guide audit priorities.

Map and Weigh the Business Process Risks
Assessing risk for a business process involves harnessing the organization’s chosen risk management framework, tools, and techniques. Since the CAE is responsible for ensuring that a risk assessment is done at least annually, an overall assessment will likely exist, and this may have been the reason to include the business process in the annual audit plan.
When determining the risk and control implications of a particular business process, after reviewing the applicable risk management reports, internal auditors may need to:
- Evaluate risk at the detail level to determine which risks are most likely to negatively impact key processes.
- Update the assessment for any changes in likelihood/impact or to identify new risks.
- Reassess if new risk information should alter the depth of the engagement or priorities (such as by using a heat map, as discussed in Module 1).

After revisiting risk identification and risk prioritization, internal auditors need to determine which risks affect which processes or sub-processes. One way to do this is to use a risk by process matrix; an example is shown in the discussion of HR risks and controls. The results of the detailed risk assessment are used to set audit objectives, establish scope, and assign resources.

Documenting and Implementing the Plan: Assess Internal Controls
The process of planning, including documenting the plan, is the most important factor in an audit engagement’s success. A key aspect of the plan is to ensure that the plan and the budget for the engagement are properly aligned. Internal auditors document the results of the prior steps, such as process maps and interview summaries, in workpapers. Supervisors review these workpapers to ensure that they properly reflect the context, risks, scope, resources, budget, and so on. Internal auditors may also develop planning memos that communicate planned work to management.

Key Point
Because not every risk can—or should—be included in a single engagement, proper planning helps internal auditors focus their efforts on the most significant risks to the area.

During the engagement, internal controls are assessed for their efficiency and effectiveness. One way to assess internal controls against identified risks is to create a risk and control matrix. An example of such a matrix is shown below in the discussion of HR risks and controls.
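The risk and control matrix and the heat map described above can be worked mechanically once each risk carries a probability, an impact and a rating of how effective its existing controls are. The following Python is an added illustration, not code from The IIA study guide or from any IIA publication: it scores each risk (probability times impact), places it on a risk control map (risk significance on one axis, control effectiveness on the other), orders the risks so that significant risks with weak controls come first, and flags low-significance risks that carry more controls than they warrant. The 1..3 rating scales, the thresholds, and the sample HR risks are assumptions constructed for this example.

```python
"""Scoring a risk and control matrix and placing risks on a risk control map.

Added illustration, not code from The IIA study guide. The 1..3 rating scales,
the thresholds, and the sample HR risks (loosely modeled on the HR area) are
assumptions made for this example.
"""
from dataclasses import dataclass, field

RATING = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scales


@dataclass
class Risk:
    id: str
    objective: str
    key_risk: str
    probability: str            # "low" | "medium" | "high"
    impact: str                 # "low" | "medium" | "high"
    control_effectiveness: str  # how well the existing controls work, same scale
    controls: list = field(default_factory=list)   # existing controls


def significance(risk):
    """Heat-map score: probability x impact, 1..9."""
    return RATING[risk.probability] * RATING[risk.impact]


def is_significant(risk):
    """Significant if the score is medium/medium or worse, or if impact alone is
    high (a low-probability, high-impact risk is not dropped just because it is
    unlikely today). Threshold is an assumption."""
    return significance(risk) >= 4 or risk.impact == "high"


def quadrant(risk):
    """Place the risk on the risk control map and return the audit response
    for that cell: improve, maintain, monitor, or review for excess controls."""
    weak = RATING[risk.control_effectiveness] < 3
    if is_significant(risk):
        return "improve" if weak else "maintain"
    return "monitor" if weak else "review excess"


def prioritize(risks):
    """Order risks for the engagement: the widest gap between significance and
    control effectiveness first, then raw significance, then id for stable output."""
    def urgency(r):
        gap = 3 - RATING[r.control_effectiveness]        # 0 strong .. 2 weak
        return (-significance(r) * (1 + gap), -significance(r), r.id)
    return sorted(risks, key=urgency)


def over_controlled(risks, max_controls=2):
    """Low-significance risks carrying more than max_controls controls: candidates
    for rationalization (the 'too many controls' case)."""
    return [r.id for r in risks
            if not is_significant(r) and len(r.controls) > max_controls]


# Constructed sample, loosely following the HR objectives discussed in this topic.
SAMPLE_RISKS = [
    Risk("HR-01", "Effective HR strategic plans",
         "HR strategic plans nonexistent or deficient", "low", "high", "medium",
         ["Strategy linked to organizational strategy", "HR operational plan"]),
    Risk("HR-02", "Skillful HR staff",
         "HR staff lack skills, risking employment-law noncompliance", "medium", "medium", "medium",
         ["Position descriptions and competencies", "Continuing education requirements"]),
    Risk("HR-03", "HR technology that protects sensitive data",
         "Privacy breach or record keeping behind data regulations", "medium", "high", "medium",
         ["Employee master file controls", "HR system access controls"]),
    Risk("HR-04", "Effective staffing needs assessment",
         "Wrong number of workers identified", "low", "medium", "medium",
         ["Workforce plan linked to strategy", "Headcount forecast per position"]),
    Risk("HR-05", "Timely leave approval",
         "Leave requests approved late", "low", "low", "high",
         ["Manager approval", "HR second approval", "Monthly reconciliation"]),
]


def report(risks=SAMPLE_RISKS):
    """One row per risk in priority order: (id, significance, quadrant)."""
    return [(r.id, significance(r), quadrant(r)) for r in prioritize(risks)]


if __name__ == "__main__":
    for row in report():
        print(*row)
    print("over-controlled:", over_controlled(SAMPLE_RISKS))
```

Run stand-alone, the script lists the HR technology privacy risk first (medium probability, high impact, only medium control effectiveness), while the constructed leave-approval risk lands in the low-significance, strong-control cell and is reported as a candidate for removing controls. Changing the scales or thresholds changes the ordering, which is why the engagement workpapers should record the scales that were used.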
In addition to determining if existing controls adequately address the prioritized list of risks, internal auditors may need to determine control effectiveness. A risk control map, with risk significance on one axis and control effectiveness on the other axis, can be created to determine which controls may need improving and in what priority. An example follows in the HR area. Such a map or other analysis might also identify if a business process has too many controls (i.e., too many controls over low-impact or low-probability risks). The process might be made more efficient by eliminating some unnecessary controls.

Reviews such as these may be especially needed during times of change for the business process. Outsourcing or cosourcing is one example, but rapid growth or downsizing, implementation of new technology for the area, new regulations, or changes in cultural expectations for the process or area are other examples.

HR Risk and Control
Human resources is often an important functional area for internal audit review due to the importance of quality human resources in achievement of objectives and the high liability risk many HR violations can entail.

Understand the HR Process and Gather Information
The HR functional area can be a strategic partner that develops the programs and systems necessary to fulfill the organization’s mission. HR plays a strong role in shaping the organization’s culture and control environment. HR objectives may include:
- Developing and executing HR strategic planning that is effective in realizing the human potential required to achieve organizational strategy.
- Ensuring that HR staff are appropriately skilled.
- Increasing HR productivity through HR technology while securing sensitive data.
- Accurately determining workforce staffing requirements.
- Developing and administering effective organizational design.
- Developing and administering an effective recruitment and recruit selection process.
- Developing legally defensible contractor management and use policies and processes.
- Managing employee turnover and retention (churn) appropriately.
- Ensuring compliance with employment regulations.
- Accurately assessing training needs and administering effective new employee training, technical area training, and supervisor training.
- Developing and administering a training effectiveness assessment process.

This list could go on, with compensation and benefits, disciplinary processes, retirement, leave, payroll, employee and labor relations, employee engagement, safety and security, and outsourcing or cosourcing.

Exhibit 3-5 shows an example of a process workflow (flowchart) for the HR functional area highlighting the sub-process of staffing a new job position and ensuring that appropriate training and performance monitoring occur. This workflow would be supplemented by narrative description, for example, notes indicating who would be responsible for performing the job analysis.

Exhibit 3-5: HR Workflow for a New Position

This workflow could be analyzed to see if the decision points are appropriate. For example, a new external hire is always on-boarded, a contractor may or may not be on-boarded, and existing employees are never on-boarded again. In addition to discussing with HR professionals whether this process is appropriate, the internal auditor could also work to determine whether the process as implemented aligns with the process as designed.

Map and Weigh HR Process Risks
HR process risks typically include the following:
- Nonexistent or deficient HR strategic plans
- Lack of appropriate skills among HR staff leading to noncompliance with employment law
- HR technology privacy risks or record keeping that fails to keep up with data regulations
- Staffing: productivity versus expense risks (Wrong number of workers are identified, risking unnecessary expense, incorrectly balanced roles, or poor productivity.)
- Organizational structure that harms productivity or communications
- Recruitment or recruit selection risks such as lawsuits or regulatory noncompliance
- Contractor overuse that could violate tax laws
- High churn (employee turnover) that risks talent loss
- Poor or inadequate employee training that risks loss of competitive advantage
- New employee training that fails to teach employment law
- Technical training poor or nonexistent
- Manager training poor or nonexistent
- Inaccurate performance appraisals
- Poor-performing employees not being escalated to higher levels of disciplinary action
- Discipline that is unrecorded or ineffective
- Poor workplace culture
- Ineffective or nonexistent on-boarding strategies
- Workers’ compensation injury claims, medical costs, and lost productivity
- Employee benefits liability (e.g., pension obligations)
- Employee or contractor theft or embezzlement

One way to determine which risks affect which processes or sub-processes is to use a risk by process matrix, which lists processes or sub-processes in rows and risks in columns. Such a matrix can differentiate between key (K) and secondary (S) links between the process and the risk. There should be only a limited number of key links for a process, perhaps just one. Secondary links between processes and risks help show how processes are interrelated. There could be any number of secondary links. Exhibit 3-6 shows an abridged example of a risk by process matrix for the HR functional area.

Exhibit 3-6: Risk by Process Matrix for HR Functional Area (Abridged)

Planning and Implementation: Assess HR Internal Controls
One way to assess internal controls for risk is to use a risk and control matrix. This type of matrix lists each objective and the key risk that might negatively impact achieving that objective. It has columns for probability and impact, the relevant activity that is performed to implement the objective, and related controls.
This could be a listing of controls that exist or of typical controls for the objective. Exhibit 3-7 shows an abridged risk and control matrix for the HR functional area. It lists both existing and needed (recommended) controls.

Exhibit 3-7: Risk and Control Matrix (HR Example, Abridged)

Objective: Effective HR strategic plans
Key risk: HR strategic plans nonexistent/deficient.
Probability/impact: Probability: Low, but will grow over time (see needed controls). Impact: High.
Activity: HR program creation.
Existing controls: Strategy linked to organizational strategy, consistent with culture. HR operational plan outlines programs, staff, and time lines.
Needed controls: Ongoing HR area assessments. Monitor legislative changes and alter plans.

Objective: Skillful HR staff
Key risk: HR staff lack appropriate skills, risking noncompliance with employment law.
Probability/impact: Probability: Medium. Impact: Medium.
Activity: Recruit and select HR staff.
Existing controls: Clear HR position descriptions, tasks, authorities, and competencies. Education, experience, and continuing education requirements are adhered to.
Needed controls: HR staff encouraged to get HR certification (PHR, SPHR). HR staff compensation matches salary scales.

Objective: HR technology that enables productivity while controlling sensitive data
Key risk: HR technology privacy risks or record keeping that fails to keep up with data regulations.
Probability/impact: Probability: Medium. Impact: High.
Activity: HR staff recruitment and recruit selection.
Existing controls: Employee information safeguards exist, including employee master controls. HR IT system security exists.
Needed controls: HR staff training on social engineering scams.

Objective: Effective staffing needs assessment
Key risk: Staffing: productivity versus expense risks. (Wrong number of workers are identified, risking unnecessary expense, incorrectly balanced roles, or poor productivity.)
Probability/impact: Probability: Low now, could grow. Impact: Medium.
Activity: Workforce needs identification process.
Existing controls: Workforce plan is linked to strategy and mission. HR forecast of number of workers needed per position.
Needed controls: Gap analysis of current versus future workforce profile. Link staffing forecast to training plans in addition to recruitment.

This matrix would continue for each of the many objectives of the area. Note that the above matrix was inspired by the Sample HR Risk Impact and Control Matrix that is an appendix to The IIA Research Foundation’s Auditing Human Resources, second edition, by Kelli Vito. See that publication for more information.

Procurement Risk and Control
Procurement is a process that often requires internal audit activity attention due to the risk of fraud and corruption. Note that this and the remaining functional area discussions are in less depth than the HR discussion. Many of the concepts and tools discussed in that area can be applied in similar ways to these remaining functional areas.

Understand the Procurement Process and Gather Information
Exhibit 3-8 shows an example of a process workflow for procurement. This is an example of what is called a swimlane flowchart, in which the processes are divided into “lanes” based on the role or system that is responsible for that process element. For example, the segregation of duties between the purchase requisition and its approval by a superior is obvious in this format.

Exhibit 3-8: Procurement Workflow

Developing an understanding of your organization’s procurement process is vital, because each procurement process will have its own risks and red flags depending on the procurement workflow step, the process maturity, and the type, materiality, and complexity of the purchases.

Map and Weigh the Procurement Process Risks
Like the HR risk assessment, mapping and weighing risks in the area of procurement entails using a systematic process, including the use of tools such as a risk by process matrix.
The result of this process will reveal key procurement process risks, such as the following:
- Fraud, collusion, and corruption
- Kickbacks resulting in padded or non-competitive bids that are accepted
- Rigged bidding/tender process
- Nonexistent or falsified due diligence
- Cost estimates not aligned with market rates
- Requirements prepared by a service provider that exist solely to reduce competition
- Bids unsealed before bid opening session
- Fictitious invoice payments
- Bias in procurement decisions or conflicts of interest in bid evaluators
- Inadequate or nonexistent training of procurement professionals and supervisors to recognize, detect, and report fraud and corruption
- Procurement not aligned to strategy
- Decentralized procurement lacking supervision
- Anonymity of bidders/tenderers or confidentiality of bid information not maintained
- Poor or selective disclosure of selection and award criteria
- Insufficient distribution/advertisement of requests for proposals/invitations to tender or insufficient time allowed for bidding
- Suppliers who have falsified certifications, insurance documents, etc., and are not qualified

Implementation: Assess Procurement Internal Controls
Important procurement internal controls to assess include:
- Whistleblower hotline and procedures to encourage whistleblowers.
- Fraud and corruption awareness training.
- Vendor information system controls.
- Supplier prequalifications and approved supplier lists.
- Required approvals and supporting documentation.
- Normalization of requests for proposals/invitations to tender and response format.
- Supplier formal complaint or appeal mechanisms for reporting irregularities.
- Supplier performance evaluation.
- Due diligence and background/affiliation checks of bid evaluators, procurement professionals, supervisors, and suppliers.
- Review of winning and non-winning bids for bias, fraud, or corruption.

Sales and Marketing Risk and Control
Sales and marketing are closely tied to the organization’s success or failure.
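Several of the procurement controls listed above (segregation of duties between requisition and approval, required approvals above a threshold, the approved supplier list, invoice-to-order matching, and sealed bids) can be tested across a whole population of transactions rather than by sampling. The following Python is an added example of such data analytics, not code from The IIA study guide: each function runs one test over purchasing, accounts payable, and bid-opening records and returns the exceptions. All records, user names, vendor codes, dates, and thresholds are constructed for illustration.

```python
"""Data analytics for procurement controls over constructed transaction data.

Added example, not part of The IIA study guide: each function tests one of the
procurement controls discussed in this topic. All records, user names, vendor
codes, dates and thresholds are constructed.
"""
from datetime import datetime

APPROVED_SUPPLIERS = {"V100", "V200", "V300"}   # approved supplier list (constructed)
DUAL_APPROVAL_THRESHOLD = 50_000                  # second approver required above this (assumed)
BID_OPENING = datetime(2024, 3, 1, 10, 0)         # scheduled bid opening session (constructed)

# Constructed purchase orders as exported from a purchasing system.
PURCHASE_ORDERS = [
    {"po": "PO-1", "requester": "alice", "approver": "bob",   "second_approver": None,    "vendor": "V100", "amount": 12_000},
    {"po": "PO-2", "requester": "carol", "approver": "carol", "second_approver": None,    "vendor": "V200", "amount": 8_500},
    {"po": "PO-3", "requester": "dave",  "approver": "erin",  "second_approver": None,    "vendor": "V999", "amount": 70_000},
    {"po": "PO-4", "requester": "frank", "approver": "grace", "second_approver": "heidi", "vendor": "V300", "amount": 95_000},
]

# Constructed supplier invoices recorded in accounts payable.
INVOICES = [
    {"invoice": "INV-10", "po": "PO-1", "vendor": "V100", "amount": 12_000},
    {"invoice": "INV-11", "po": "PO-9", "vendor": "V200", "amount": 4_200},
    {"invoice": "INV-12", "po": "PO-4", "vendor": "V300", "amount": 95_000},
    {"invoice": "INV-13", "po": "PO-4", "vendor": "V300", "amount": 95_000},
    {"invoice": "INV-14", "po": "PO-1", "vendor": "V200", "amount": 12_000},
]

# Constructed bid-opening log for one tender.
BIDS = [
    {"bid": "B-1", "bidder": "V100", "opened_at": datetime(2024, 3, 1, 10, 5)},
    {"bid": "B-2", "bidder": "V200", "opened_at": datetime(2024, 2, 28, 16, 40)},
]


def self_approved(pos):
    """Segregation of duties: the requester must not be the approver."""
    return [p["po"] for p in pos if p["requester"] == p["approver"]]


def missing_second_approval(pos, threshold=DUAL_APPROVAL_THRESHOLD):
    """Required approvals: amounts above the threshold need a second approver."""
    return [p["po"] for p in pos if p["amount"] > threshold and not p["second_approver"]]


def unapproved_vendors(pos, approved=APPROVED_SUPPLIERS):
    """Approved supplier list: orders placed with vendors not on it."""
    return [p["po"] for p in pos if p["vendor"] not in approved]


def invoices_without_po(invoices, pos):
    """Fictitious invoice indicator: an invoice citing a PO that does not exist."""
    known = {p["po"] for p in pos}
    return [i["invoice"] for i in invoices if i["po"] not in known]


def invoices_mismatching_po(invoices, pos):
    """Invoice-to-PO match: vendor must agree and amount must not exceed the PO."""
    by_po = {p["po"]: p for p in pos}
    return [i["invoice"] for i in invoices
            if i["po"] in by_po
            and (i["vendor"] != by_po[i["po"]]["vendor"] or i["amount"] > by_po[i["po"]]["amount"])]


def duplicate_invoices(invoices):
    """Duplicate payment indicator: same PO, vendor and amount billed twice."""
    seen, dups = set(), []
    for i in invoices:
        key = (i["po"], i["vendor"], i["amount"])
        if key in seen:
            dups.append(i["invoice"])
        seen.add(key)
    return dups


def bids_opened_early(bids, opening=BID_OPENING):
    """Sealed bids: any bid opened before the scheduled opening session."""
    return [b["bid"] for b in bids if b["opened_at"] < opening]


def run_all(pos=PURCHASE_ORDERS, invoices=INVOICES, bids=BIDS):
    """Run every test and return only the checks that produced exceptions."""
    results = {
        "self_approved": self_approved(pos),
        "missing_second_approval": missing_second_approval(pos),
        "unapproved_vendors": unapproved_vendors(pos),
        "invoices_without_po": invoices_without_po(invoices, pos),
        "invoices_mismatching_po": invoices_mismatching_po(invoices, pos),
        "duplicate_invoices": duplicate_invoices(invoices),
        "bids_opened_early": bids_opened_early(bids),
    }
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {', '.join(hits)}")
```

Each exception is a lead, not a finding: a self-approved order may be a data entry artifact and a duplicate invoice may already have been rejected by accounts payable, so the auditor follows up against the supporting documentation before reporting. The same tests run unchanged on a real export once the field names are mapped.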
Understand the Sales and Marketing Process and Gather Information
Exhibit 3-9 is an example of a workflow for the sales and marketing process that shows how sales processes generate feedback for marketing at many points, both from positive and negative sales results.

Exhibit 3-9: Sales and Marketing Workflow

Sales and marketing could also have separate workflows, and many sales processes might look very different depending on what is being sold.

Map and Weigh the Sales and Marketing Process Risks
Here are some examples of sales process risks:
- Inadequate sales strategy (e.g., failure to understand customer needs or price sensitivity)
- Inaccurate, inadequate, or misleading profit and sales metrics (e.g., poor quality data, inaccurate data on profit margins leading to poor profits, treating leads as more likely to buy than they actually are)
- Sales force unaware of or unaligned with marketing strategy (e.g., ineffective marketing, customers with unrealistic expectations)
- Sales force uneducated or incorrect about product features (e.g., obvious lack of knowledge, customer misinformed)
- Missed sales quotas (e.g., too few opportunities in pipeline, lack of direct customer contact, failure to use data-driven analysis)
- Undue sales incentives (e.g., pressure to commit fraud such as fraudulent procurement activities)

Here are some examples of marketing process risks:
- Inadequate or misaligned marketing strategy (e.g., low conversion rates)
- Poor or damaged brand (e.g., improperly managed negative events, press, or social media criticism)
- Marketing affiliations that go awry (e.g., spokesperson gaffes or misconduct, organization partners who behave unethically)
- Unaligned, incorrect, or poor event branding (e.g., typos in convention space signage)
- False advertising (e.g., public loss of trust, lawsuits, fines)
- Violation of anti-spam or data privacy laws and regulations (e.g., fines, lawsuits)

Implementation: Assess Sales and Marketing Internal Controls
Here are some examples of sales and marketing internal controls:
- Setting explicit sales and marketing strategies aligned with organizational strategy
- Reinforcement of ethical culture and control environment regarding acceptable sales and marketing tactics
- Supervision and required supporting documentation
- Regular sales and marketing training, both on soft skills and use of data-driven analysis
- Regular sales and marketing communications and meetings (including discussions of sales leads earlier in the pipeline)
- Regular product training

Logistics Risk and Control
Logistics involves coordination of many interconnected processes and entities. Many things could go wrong that could negatively impact profitability or customer satisfaction.

Understand the Logistics Process and Gather Information
Logistics is a large process area and, while a large workflow of the entire process might be constructed, it could be unwieldy. It is likely that logistics will have many workflows such as inbound logistics, warehousing, and outbound logistics. These various workflows still need to be coordinated with one another to be efficient and effective. Exhibit 3-10 shows a logistics workflow for how goods flow through a warehouse to ensure efficiency, safety, and security.

Exhibit 3-10: Logistics Workflow (Warehouse)

Map and Weigh the Logistics Process Risks
Here are some examples of logistics process risks:
- Logistics consuming too much of profit margin, or total cost of logistics unknown
- Carrier hijacking or theft of goods from warehouses, shipping ports, etc.
- Inadequate security procedures or infrastructure
- Natural disasters, war, piracy, shipwreck, etc., disrupting supply chain or specific shipments
- Carrier delays, nonperformance, or bankruptcy
- Inaccurate inventory recorded
- Lack of inventory or too much inventory
- Low inventory turnover or obsolete inventory
- Accidental or fraudulent discrepancies in shipping: type, quantity, destination, etc.
- Liability for delays or losses (e.g., contractual requirements, inadequate insurance)
- Regulatory changes (e.g., security, safety, environmental) impacting logistics profitability
- Poor resource or equipment utilization
- Spikes and dips in demand caused by poor communication up the supply chain (called the bullwhip effect)

Implementation: Assess Logistics Internal Controls
Here are some examples of logistics internal controls:
- Metrics on utilization, turnover, and the seven “rights” of logistics: right quantity, right product, right time, right place, right condition, right price, and right information
- Increased focus on actual demand by communicating better with supply chain partners and relying less on forecasting
- Warehouse safety and security protocols and systems
- Cost analyses that factor in transportation modes, distances, warehousing, and third-party intermediary costs in addition to product costs from various countries
- Benchmarking against best-in-class logistics providers
- Lists of preferred logistics service providers for backup transportation or other services

Outsourcing Risks and Controls
This part of the topic includes information from the Practice Guide “Auditing Third-Party Risk Management” in addition to other sources.

Understand the Organization’s Outsourcing Strategy and Risk Appetite
When preparing to audit a business process that is outsourced or cosourced (or is being analyzed for suitability for being outsourced), the first thing to do is to determine whether the organization has a defined third-party risk management program and a related governance structure as part of its enterprise risk management (ERM) framework. If so, this program will provide a starting point for identifying outsourcing risk appetite, policies, processes, defined roles and responsibilities, and tools used to control risks.
https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Third-Party-Risk-Management-Practice-Guide.aspx

The key question to consider is whether the risk exposure the organization is incurring (or may incur) by outsourcing or cosourcing this service, raw material, or component is (or will be) in line with the organization’s risk appetite. Opportunities should also be considered, since keeping an inefficient process in house could have an opportunity cost (i.e., be a larger ongoing cost than necessary). The organization may translate its risk appetite for third parties into a set of minimum standards for the capabilities of the candidates in terms of governance, risk management, and control. Internal auditors can assess specific third-party compliance against these minimum standards.

Organizations have formal or informal third-party risk management governance structures:
- The lowest level of formality can be as simple as a business manager making independent decisions about qualifying third parties. An informal structure can create risks of bias toward certain suppliers or conflicts of interest, but compensating controls could include thresholds requiring approval for contracts above a certain monetary value.
- Adding a second line of defense, for example, a contract review and compliance function, would make this a defined governance structure.
- A third level of formality would be a standardized third-party risk management governance structure, as is shown in Exhibit 3-11. Such models are highly recommended for highly regulated industries or organizations with more outsourcing complexity.

Exhibit 3-11: Standardized Third-Party Risk Management Governance

Key Point
Management must—as the owners of organizational risk—identify, assess, manage, and monitor the risks associated with each third-party relationship on an ongoing basis.
The standardized model adds third-party specialists (e.g., supply chain managers) to the first and/or second lines of defense. Some functions, such as third-party sourcing, evaluation, and management, may be centralized for improved control. Internal audit will assess both the first line of defense (line management) and the second line (compliance specialists).

Understand the Third-Party Provider Management Process
Internal auditors auditing outsourced processes may need to audit the overall third-party risk management program or just one of its process steps. Exhibit 3-12 shows the elements of a generic third-party provider management process.

Exhibit 3-12: Third-Party Provider Management Process

Sourcing. Management works to understand the business context and drivers of the area to be outsourced, strategic objectives, core competencies, and so on, and then issues a request for proposal (RFP)/invitation to tender (ITT) for contracts that exceed a certain monetary value or risk exposure.

Due diligence. Management narrows the list of candidates by assessing each against relevant criteria (e.g., a statement of work), assesses third-party risks (with the help of subject matter experts), does background and business performance checks, assesses ethics, and starts forming a relationship of open communications.

Contracting. Contracts communicate risk appetite and minimum standards of internal control to the third party as well as expected service levels.

Monitoring. Persons with knowledge of the process should be appointed to manage the third-party relationship. If a business manager owns the relationship, decentralized management can be used. KPIs, risk analyses, required attestations, relationship status, and other areas of compliance are monitored.

Issue resolution. The third-party relationship owner is usually responsible for monitoring and addressing issues and risks that exceed the risk appetite.

Termination. The contract specifies termination conditions.
Thorough and complete termination clauses can address equipment and technology retrieval, separation costs, and so on. Understand the Outsourced Business Process and Gather Information In addition to auditing the overall third-party risk management process, internal auditors may need to audit a specific outsourced business process. The objectives for each such process will be specific to the area being outsourced. For HR outsourcing or cosourcing, for example, the objectives may be to develop and administer appropriate service provider selection and management (this may be called vendor due diligence) and to provide effective change management for the transition period toward the new sourcing model. Map and Weigh the Outsourced Business Process Risks Internal auditors can use tools such as heat maps or the other tools to map and weigh the business process risks of an outsourced process. Key risks for outsourced HR, for example, may include underestimating the time needed for the transition due to the complexity of the process, underestimating organizational resistance to change, HR technology incompatibility, and information security breaches. A few examples of generic outsourcing risks follow: Bids accepted are bad business deals due to incompetence or fraud. Poorly worded contracts create loopholes. Poor contract choice can create liabilities that reduce profitability. Miscommunication occurs due to language or national culture differences. Contract noncompliance or default is expensive to remediate. Contract termination clauses may include auto-renewal windows that, if missed, could entail significant additional costs. Implementation: Assess Internal Controls For the outsourcing or cosourcing of a business process or a functional area, controls may include the following: Statements of work in the RFP/ITT accurately describe scope and scope limitations. The process owner and other stakeholders such as budget analysts are involved in RFP/ITT creation. 
Bids are evaluated for both best value and service provider competency.
Sole-source contracts are justified, if used, and the selected provider is capable of providing the full range of services.
Provider selection uses an adequate due diligence process, including reference checks.
The process owner reviews future workforce needs to ensure that the service provider is capable of scaling up to meet future demand.
Contract negotiations gain agreement on appropriate incentives, penalties, and the definition of specific services to provide in a service level agreement.
The service provider contract has appropriate clauses, including a definition of nonperformance, the means of correcting deficiencies, and when and how the contract can be terminated by either party.
The organization maintains a vendor master file for each vendor to track performance, document sustainability or ethics agreements, indicate preferred status, ensure proper application of negotiated discounts, etc.

Key controls for the outsourcing of HR, for example, may include clearly defined roles and responsibilities or having a dedicated transition team that sets the scope of the services offered and coordinates with any cosourced staff to avoid duplication of efforts.

Topic 4: Project Management

This topic helps internal auditors identify techniques used to control projects, including a project plan that manages scope, time, cost, teams, and resources as well as a process for project change management.

Project Management

Project management is the process of planning, organizing, directing, and controlling an organization’s resources (people, equipment, time, and money) for a temporary endeavor so that project objectives can be met within defined scope, time, and cost constraints. Internal auditors typically have excellent project management skills, since both assurance and consulting engagements are examples of projects.
It is therefore incumbent upon newer internal auditors to acquire project management skills and for all internal auditors to continue developing these skills.

Why use project management techniques?

Project management requires much up-front work to define the problem that needs to be solved and then form a plan to achieve it. Exhibit 3-13 shows how more up-front “pain” or effort can reduce total effort, which in turn reduces the risk that goals are not achieved or that the project fails.

Exhibit 3-13: More Up-Front Planning Effort Reduces Total Effort Required

Without such a plan, the budget and the project duration may end up being far exceeded, or the project could fail because of problems such as scope creep, gold plating, and/or rework. Scope creep is when project objectives are extended by external influences. Gold plating is when project objectives are extended by team members without authorization. Rework may be needed because the wrong tasks (i.e., audit tests) were performed.

Scope creep and gold plating result in unplanned additions to a project’s scope or to its time, cost, and quality constraints. Serious problems can occur if internal or external stakeholders are allowed to add requirements to a project without also providing additional money and time to get the extra work done. While project change is necessary to keep the project responsive, changes must be controlled using the project objectives and scope as gatekeepers.

Project Planning and Scope

Projects can vary in duration and complexity, but the majority share the following characteristics:

A project is a series of tasks and activities.
It fulfills some need or requirement in an organization.
It has stated objectives that outline a path for achieving the goal.
It has a defined start date, timeline, and target completion date.
It has funding or budget limits and dedicated resources (which include materials, energy, space, provisions, communication, quality, risk, etc.).
The challenges of successful project management include delivering a project:

That maintains consistent alignment with project objectives.
Within defined constraints.
At a desired performance/quality level.
That optimizes allocation and integration of the inputs needed to meet the objectives.

Project Life Cycle

Most projects cycle through similar stages from beginning to end. Although the terms and specifics of the cycles vary from industry to industry, projects generally include these stages:

Conception or project initiation is where the project is born and the project goals and objectives are established. Stakeholder expectations must be clearly identified. It is vital to obtain support from senior management at this stage. During this stage, the nature and scope of the project are determined in a project charter, and the project manager and project team are selected. A signed charter releases funding and resources.

The planning, design, budgeting, and scheduling stage is where the project schedule is outlined, the budget is set, and resources are assigned.

The execution and production stage is when the work takes place.

During monitoring and control, the project manager is responsible for overseeing the quality of the work, the progress against the schedule, and the proper use of resources. Project control systems keep a project on track, on time, and within budget. Internal auditors can help determine how important specific projects are to an organization’s bottom line, the types of controls that exist, and any additional controls that are necessary.

The completion and evaluation stage typically involves some culminating event such as client acceptance and sign-off of deliverables. Evaluation often includes assessing the project’s effectiveness at the end of the process. Administrative activities include archiving files and documenting the lessons learned.

Exhibit 3-14 shows the project life cycle and the tasks associated with each phase.
Exhibit 3-14: Project Life Cycle

Project Phase: Conception or project initiation
Project Tasks:
  Analyze project and spell out organizational needs in measurable goals.
  Conduct review of current operations.
  Complete conceptual design of finished project.
  Prepare financial analysis, costs and benefits, budget.
  Prepare list of assumptions, risks, and obstacles.
  Select stakeholders, including users and support personnel, and develop an understanding of their expectations.
  Develop project charter, including costs, objectives, tasks, deliverables, and schedules.
  Gain approval for the project charter and acquire funding.

Project Phase: Planning, design, budgeting, and scheduling
Project Tasks:
  Define work requirements.
  Determine quantity and quality of work.
  Determine and allocate resources needed and estimate their cost.
  Establish major timetable milestones and budget.
  Define deliverables and documentation (can include feasibility study, scope statement, project plan, communications plan, issue log, resource management plan, project schedule, status report).
  Establish basis for performance measurement.
  Generate a project management plan and get formal approval for it, including approval for the required resources.

Project Phase: Execution and production
Project Tasks:
  Launch the project management plan.
  Confirm availability of adequate and appropriate project resources.
  Document work teams.
  Teams do work, provide status updates, and produce deliverables.
  Project managers lead, direct, and control.
  Managers and stakeholders receive progress reports and review action plans for correcting differences between plan and actual.

Project Phase: Monitoring and control
Project Tasks:
  Track progress, especially during execution but also during planning.
  Compare actual and predicted outcomes.
  Analyze impact.
  Make adjustments to meet project objectives and acceptance criteria.

Project Phase: Completion and evaluation
Project Tasks:
  Obtain client acceptance based on acceptance criteria.
  Install project deliverables.
  Complete project documentation such as lessons learned.
  Complete evaluation (for example, measuring stakeholder satisfaction) and post-implementation audit.
  Issue final project report and communicate lessons learned.

Projects need to be performed and delivered under what has traditionally been known as the “project management triangle,” as shown in Exhibit 3-15. One side of the triangle cannot be changed without impacting the others.

Exhibit 3-15: Project Management Triangle

Time is the amount of time available to complete the project. It is broken down into the time required to complete each component of the project and further into task times.

Cost refers to the budgeted amount available for the project. It depends on variables such as labor rates, material rates, risk management, consultant rates, equipment, and profit.

Quality and performance of the final product/service are major components of scope. The amount of time put into individual tasks and the amount of cost expended on resources influence the overall quality. Meeting a defined quality level can have a significant impact on time and cost. If this side of the triangle is fixed, it requires juggling the other constraints to meet this requirement as defined by customer acceptance criteria.

Scope means what must be done to produce the project’s end result. It is sometimes represented as the inside of the triangle to show that scope is strongly affected by the time, cost, and quality inputs. This is the overall definition of what the project is supposed to accomplish and a specific description of what