565 DB 3

In Module 3, we’ve learned about IT Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, you’ll have to:

(1) summarize and explain the main points of the articles that you choose from the assigned papers


(2) conclude with your own opinion about the issue being discussed in the article. Your opinion can be supported by personal experience, specialized publications, textbooks, and/or scholarly research.

Discussion posts should be no shorter than 200 words (approx. 10 lines of text), cite at least three sources outside the textbook, and follow APA format.

https://www2.deloitte.com/mt/en/pages/risk/articles/mt-risk-article-it-auditing-process.html

https://www2.deloitte.com/mt/en/pages/risk/articles/mt-risk-article-it-auditing-perspective.html

Information Technology Auditing

A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy

To err is human, but to really foul things up you need a computer.

Attributed to Paul R. Ehrlich, American biologist, author, and technology commentator

©McGraw-Hill Education

Module H Learning Objectives
Identify how the use of an automated transaction processing system affects the audit examination.
Understand the steps that are taken to determine whether an audit team can rely on IT controls.
Provide examples of general controls and understand how these controls relate to transaction processing in an accounting information system.
Provide examples of automated application controls and understand how these controls relate to transaction processing in an accounting information system.
Describe how the audit team assesses control risk in an IT environment.


Illustration of Automated Processing of Sales Transactions


Issues Introduced In IT Environments
Input errors
Systematic vs. random processing errors
Lack of an audit trail
Inappropriate access to computer files and programs
Reduced human involvement in processing transactions


Reliance on IT Controls
Three major phases to determine reliability of controls
Determining the scope of the IT testing plan by carefully identifying each of the IT dependencies
Understanding the IT controls and processes that need to be tested for each IT dependency
Testing the IT controls


Types of IT Control Activities
General Controls
Apply to all applications of an automated accounting information system
Seen as pervasive across the entire technological infrastructure at an audit client
Automated Application Controls
Applied to specific business activities within an accounting information system
Address relevant assertions about significant accounts in the financial statements


Categories of General Controls
Access to programs and data controls
Program change controls
Computer operations controls
Program development controls


Access to Programs and Data Controls
Provides reasonable assurance that access to programs and data is granted only to authorized users
Examples
Passwords
Automatic terminal logoff
Review access rights and compare to usage (through logs)
Report and communicate security breaches
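The third and fourth bullets are the part of this control that auditors actually test, and they are easy to automate. The following script is an added example, not material from the slides or from McGraw-Hill: it reconciles a constructed export of granted application roles against a constructed window of usage log lines, reporting rights that were granted but never exercised (least-privilege candidates) and usage by accounts that hold no matching grant (the kind of event the slide says must be reported). All user names, roles, applications and timestamps are made up.

```python
"""Access-rights review against usage logs (added illustration; all data constructed)."""
from datetime import datetime, timedelta

# Constructed rights export: (user, application, role, granted_on)
ACCESS_RIGHTS = [
    ("asmith",    "GL", "journal_post",    "2023-01-10"),
    ("asmith",    "AP", "invoice_approve", "2023-01-10"),
    ("bjones",    "AP", "invoice_entry",   "2023-03-02"),
    ("cdoe",      "GL", "journal_post",    "2022-11-15"),
    ("svc_batch", "GL", "period_close",    "2022-06-01"),
]

# Constructed usage log, one event per line: "<ISO timestamp> <user> <app> <action>"
USAGE_LOG = """\
2023-06-01T08:02:11 asmith GL journal_post
2023-06-01T08:40:57 bjones AP invoice_entry
2023-06-02T09:15:03 bjones AP invoice_approve
2023-06-03T17:55:20 asmith GL journal_post
2023-06-04T02:10:44 svc_batch GL period_close
2023-06-05T11:00:09 dlee GL journal_post
2023-01-20T10:00:00 cdoe GL journal_post
"""


def parse_usage(log_text):
    """Yield (timestamp, user, app, action) from the log text; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = line.split()
        yield datetime.fromisoformat(ts), user, app, action


def review_access(rights, log_text, window_end_iso, window_days=90):
    """Reconcile granted rights with observed usage inside the review window.

    Returns dormant grants (never used in the window), events exercised without
    a grant, and per-right usage counts.
    """
    window_end = datetime.fromisoformat(window_end_iso)
    window_start = window_end - timedelta(days=window_days)
    granted = {(user, app, role) for user, app, role, _ in rights}

    usage_counts = {}
    unauthorized = []
    for ts, user, app, action in parse_usage(log_text):
        if not window_start <= ts <= window_end:
            continue                      # outside the review period
        key = (user, app, action)
        usage_counts[key] = usage_counts.get(key, 0) + 1
        if key not in granted:
            # A right exercised with no matching grant: report it, do not just log it.
            unauthorized.append((ts.isoformat(), user, app, action))

    dormant = sorted(k for k in granted if usage_counts.get(k, 0) == 0)
    return {"dormant": dormant, "unauthorized": unauthorized, "usage_counts": usage_counts}


if __name__ == "__main__":
    report = review_access(ACCESS_RIGHTS, USAGE_LOG, "2023-06-30T23:59:59")
    for user, app, role in report["dormant"]:
        print(f"DORMANT      {user:10} {app:3} {role}")
    for ts, user, app, action in report["unauthorized"]:
        print(f"UNAUTHORIZED {ts} {user} {app} {action}")
```

The review window matters: cdoe's one posting in January falls outside a 90-day window ending 30 June, so the grant is reported as dormant even though the account is not unused in absolute terms. Pick the window to match the review cycle the policy defines, and treat the "unauthorized" list as a security incident to investigate, not as a reconciliation difference.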


Timeline of the massive Equifax breach


Program Change Controls
Implemented by the entity to provide reasonable assurance that requests for modifications to existing programs
Are properly authorized and conducted in accordance with policies
Involve the appropriate users in the process
Are tested and validated prior to use
Have appropriate documentation
Two additional controls relate to "emergency" change requests and to the migration of new programs into operations
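What an auditor actually tests under this control is the link between each production deployment and an authorized, tested change record. The script below is an added example, not material from the slides: it reconciles a constructed deployment log against a constructed change register and reports deployments with no change record, changes deployed without approval or testing (or approved or tested only after go-live), artifacts whose digest differs from the one that was tested, and emergency changes still lacking retrospective approval once an assumed grace period has elapsed. Ticket numbers, component names, digests, dates and the five-day grace period are all assumptions made for the example.

```python
"""Program change / migration-to-production reconciliation (added illustration; data constructed)."""
from datetime import datetime, timedelta

# Constructed change register keyed by ticket. tested_digest is the (truncated)
# digest of the artifact that passed testing.
CHANGE_REGISTER = {
    "CHG-2041": {"approved_at": "2023-05-02T10:00:00", "tested_at": "2023-05-03T15:30:00",
                 "tested_digest": "a1f3", "emergency": False},
    "CHG-2042": {"approved_at": None,                  "tested_at": "2023-05-03T09:00:00",
                 "tested_digest": "b7c9", "emergency": False},
    "CHG-2043": {"approved_at": "2023-05-06T08:00:00", "tested_at": "2023-05-05T12:00:00",
                 "tested_digest": "c0d3", "emergency": False},
    "CHG-2044": {"approved_at": None,                  "tested_at": None,
                 "tested_digest": None,   "emergency": True},
}

# Constructed deployment log: "<ISO timestamp> <component> <version> <digest> <ticket or ->"
DEPLOY_LOG = """\
2023-05-04T01:00:00 gl-posting 1.4.2 a1f3 CHG-2041
2023-05-04T02:00:00 ap-invoice 2.0.0 b7c9 CHG-2042
2023-05-06T09:00:00 payroll    3.1.0 c0de CHG-2043
2023-05-07T22:15:00 gl-posting 1.4.3 e5e5 CHG-2044
2023-05-08T03:30:00 ar-dunning 0.9.1 ffff -
"""


def parse_deploy_log(text):
    """Yield (deployed_at, component, version, digest, ticket-or-None) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, component, version, digest, ticket = line.split()
        yield datetime.fromisoformat(ts), component, version, digest, (None if ticket == "-" else ticket)


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def reconcile(register, deploy_log, review_at_iso, emergency_grace_days=5):
    """Return (ticket, 'component version', finding) for every control failure found."""
    review_at = datetime.fromisoformat(review_at_iso)
    findings = []
    for deployed_at, component, version, digest, ticket in parse_deploy_log(deploy_log):
        where = f"{component} {version}"
        if ticket is None or ticket not in register:
            findings.append((ticket, where, "no_change_record"))
            continue
        chg = register[ticket]
        approved, tested = _ts(chg["approved_at"]), _ts(chg["tested_at"])
        if chg["emergency"]:
            # Emergency changes may go live first; the assumed policy still requires
            # retrospective approval within the grace period.
            if approved is None and review_at > deployed_at + timedelta(days=emergency_grace_days):
                findings.append((ticket, where, "emergency_without_retrospective_approval"))
            continue
        if approved is None:
            findings.append((ticket, where, "unapproved"))
        elif approved > deployed_at:
            findings.append((ticket, where, "approved_after_deploy"))
        if tested is None:
            findings.append((ticket, where, "untested"))
        elif tested > deployed_at:
            findings.append((ticket, where, "tested_after_deploy"))
        elif chg["tested_digest"] != digest:
            # What went live is not the artifact that was validated.
            findings.append((ticket, where, "artifact_digest_mismatch"))
    return findings


if __name__ == "__main__":
    for ticket, where, finding in reconcile(CHANGE_REGISTER, DEPLOY_LOG, "2023-05-15T00:00:00"):
        print(f"{finding:42} {ticket or '-':9} {where}")
```

The digest comparison is the check most often missing in practice: approval and test sign-off prove that a change was authorized, but only a match between the tested artifact and the deployed artifact proves that the authorized change is what is running.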


Computer Operations Controls
Concerned with providing reasonable assurance that
The processing of transactions is in accordance with the entity’s objectives
Processing failures are resolved on a timely basis
Actions are taken to facilitate the backup and recovery of important data


Examples of Computer Operations Controls
Important roles in an IT environment
Systems analysts, programmers, computer operators, data conversion operators, librarians, control group
Important general control: separation of the duties performed by the
Systems analysts
Programmers
Computer operators


Computer Operations Controls: Files and Data
Three major objectives for files and data used in processing
The files used in automated processing are appropriate
The files are appropriately secured and protected from loss
Files can be reconstructed from earlier versions of information used in processing


Program Development Controls
Provide reasonable assurance that
Acquisition and development of new programs is properly authorized and conducted in accordance with policies
Appropriate users participate in process
Programs and software are tested and validated prior to use
Programs and software have appropriate documentation

Testing General IT Controls


General Controls and Assertions


General Controls: Category, Examples, and Objectives

Automated Application Controls
Controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement
Specific to each cycle (revenue and collection, acquisition and expenditure)
Organized into 3 Categories
Input controls
Processing controls
Output controls


Input Controls
Designed to provide reasonable assurance that data received for processing by the computer department have been
Properly authorized
Accurately entered or converted for processing


Processing Controls
Provide reasonable assurance that
Data processing has been performed accurately without any omission or duplicate processing of transactions
Examples
Test processing accuracy of programs
File and operator controls
Run-to-run totals
Control total reports
Limit and reasonableness tests
Error correction and resubmission procedures


Output Controls
Provide reasonable assurance that
Output reflects accurate processing
Only authorized persons receive output or have access to files generated from processing
Examples
Review of output for reasonableness
Control total reports
Master file changes
Output distribution limited to appropriate person(s)


Automated Application Controls


Assessing Control Risk in an IT Environment
Identify specific types of misstatement that could occur
Identify points in the flow of transactions where misstatements could occur
Identify control procedures designed to prevent or detect misstatements
General controls and automated application controls
Evaluate design of control procedures
Are tests of controls cost-effective?
Does the design suggest a low control risk?


Points of Potential Misstatement in an IT Environment


Examples of Controls to Mitigate Risk of Material Misstatement


Testing Controls in an IT Environment
Testing controls
Inquiry
Observation
Inspection of documentation
Reperformance
Characteristics auditors must consider when evaluating
Possibility of temporary transaction trails
Uniform processing of transactions
Potential for errors and frauds
Potential for increased management supervision
Initiation or subsequent execution of transactions by computer
Use of cloud computing applications


Methods of Testing General Controls


Methods of Testing Automated Application Controls

Test Data Approach
Test data: Simulated transactions containing known errors to test the client’s controls

The Test of One
Only one transaction of each kind of error needs to be tested
Because a client's IT system processes transactions in the same manner every time, once the audit team is satisfied, based on the testing performed, that an automated control activity operates effectively, there is no need to test the control activity again
This reliance assumes that general controls, in particular program change controls, operated effectively for the period, so that the program tested is the program that actually ran

[Diagram: auditors' manual processing of the test data and the client system's processing of the same data, with the two results compared]

Test Data Approach – Test of One

End-User Computing and other Environments
Control issues
Lack of separation of duties
Lack of physical security
Lack of program documentation and testing
Limited computer knowledge of personnel


End-User Computing Control Considerations
Computer Operations Controls
Data Entry Controls
restricted access, standard screens and computer prompting, online editing and sight verification
Processing Controls
transaction logs, control totals, data comparisons, audit trail
System Development and Modification Controls


End-User Computing in Service Organizations
Service Organizations
Limit concentration of functions and increase supervision
Access to program and data controls are critical


Computer Abuse and Computer Fraud
The use of computer technology by a perpetrator to achieve gains at the expense of a victim
Controls
Preventative: Stop fraud from entering system
Detective: Identify fraud when it enters system
Damage-limiting: Designed to limit the damage if a fraud does occur
Levels of Controls
Administrative controls
Physical controls
Technical controls


Protecting the Computer from Fraud
(Selected Controls)


    Introduction

    Information in this chapter:

    ● Introduction to IT auditing
    ● Purpose and rationale for this book
    ● Intended use
    ● Key audiences
    ● Structure and content of the book
    ● Summary descriptions of each chapter

    Introduction to IT auditing
    An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of criteria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls at multiple levels within an organization to determine the extent to which the organization adheres to applicable standards or requirements. Virtually all organizations use IT to support their operations and the achievement of their mission and business objectives. This gives organizations a vested interest in ensuring that their use of IT is effective, that IT systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appropriately protected. IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes. IT auditing consists of the use of formal audit methodologies to examine IT-specific processes, capabilities, and assets and their role in enabling an organization's business processes. IT auditing also addresses IT components or capabilities that support other domains subject to auditing, such as financial management and accounting, operational performance, quality assurance, and governance, risk management, and compliance (GRC).

    IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria—the standards or requirements against which an organization is compared during an audit—also vary between internal and external audits and for audits of different types or conducted for different purposes. Organizations often engage in IT audits to satisfy legal or regulatory requirements, assess the operational effectiveness of business processes, achieve certification against specific standards, demonstrate compliance with policies, rules, or standards, and identify opportunities for improvement in the quality of business processes, products, and services. Organizations have different sources of motivation for each type of audit and different goals, objectives, and expected outcomes. This book explains all of these aspects of IT auditing, describes the establishment of organizational audit programs and the process of conducting audits, and identifies the most relevant standards, methodologies, frameworks, and sources of guidance for IT auditing.

    Purpose and rationale
    The use of IT auditing is increasingly common in many organizations, to validate the effective use of controls to protect IT assets and information or as an element of GRC programs. IT auditing is a specialized discipline not only in its own right, with corresponding standards, methodologies, and professional certifications and experience requirements, but it also intersects significantly with other IT management and operational practices. The subject matter overlap between IT auditing and network monitoring, systems administration, service management, technical support, and information security makes familiarity with IT audit policies, practices, and standards essential for IT personnel and managers of IT operations and the business areas that IT supports. This book provides information about many aspects of IT audits in order to give readers a solid foundation in auditing concepts to help develop an understanding of the important role IT auditing plays in contributing to the achievement of organizational objectives. Many organizations undergo a variety of IT audits, performed by both internal and external auditors, and each often accompanied by different procedures, methods, and criteria. This book tries to highlight the commonalities among audit types while identifying the IT perspectives and characteristics that distinguish financial, operational, compliance, certification, and quality audits.

    Intended use
    This book describes the practice of IT auditing, including why organizations conduct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and the standards, methodologies, frameworks, and sources of guidance that inform the practice of auditing. This is not a handbook for conducting IT audits nor does it provide detailed instructions for performing any of the audit activities mentioned in the book. Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources in this book, but should look elsewhere—potentially including the sources referenced below—for audit checklists, protocols, or procedural guidance on different types of IT audits. This book is intended to give organizations and their employees an understanding of what to expect when undergoing IT audits and to explain some key points to consider that help ensure their audit engagements meet their objectives. By covering all major types of IT auditing and describing the primary drivers and contexts for IT audits in most organizations, this book complements more detailed but narrowly focused texts intended to guide or instruct auditors in the step-by-step procedural execution of audits. The following are among recently published books especially relevant to IT auditing:

    ● IT Auditing: Using Controls to Protect Information Assets (2nd edition) by
    Chris Davis and Mike Schiller emphasizes auditing practices applicable to
    different types of technologies and system components.

    ● Auditor’s Guide to IT Auditing (2nd edition) by Richard Cascarino provides broad
    coverage of IT audit concepts and practices applicable to information systems,
    organized and presented in the context of major IT management disciplines.

    ● IT Audit, Control, and Security by Robert Moeller highlights requirements,
    expectations, and considerations for auditors of IT systems stemming from
    prominent laws, frameworks, and standards.

    ● Information Technology Control and Audit (4th edition) by Sandra Senft,
    Frederick Gallegos, and Aleksandra Davis approaches IT auditing drawing
    largely on practice guidance and governance frameworks defined by ISACA,
    particularly including COBIT.

    ● The Operational Auditing Handbook: Auditing Business and IT Processes by
    Andrew Chambers and Graham Rand focuses on operational auditing and
    uses a process-based approach to describe auditing practices for different
    organizational functions.

    ● The ASQ Auditing Handbook (4th edition) edited by J.P. Russell offers
    prescriptive guidance for quality auditors, particularly those following the
    quality auditor body of knowledge defined by the American Society for Quality
    (ASQ) and its Certified Quality Auditor Certification Program.

    Key audiences
    This book provides a treatment of IT auditing that emphasizes breadth rather than depth. Audit professionals engaged in performing IT audits have a variety of standards, guidance, and prescriptive procedures for thoroughly and effectively conducting various types of IT audits. Auditors and other consulting or professional services practitioners who regularly conduct audits may find the information in this book useful as a point of reference, but will likely rely on more detailed, purpose-specific sources to assist them in their work. Auditors are important stakeholders in IT auditing, but only one of many groups involved in IT auditing or affected by how it is carried out. The material in this book is intended primarily to help develop an understanding of auditing purposes and practices for nonauditor groups such as operational and administrative personnel, managers, and IT program and project staff, all of whom may be required to furnish information to or otherwise support external or internal audits in their organizations. It also provides an explanation of IT auditing suitable for practitioners focused on other aspects of IT management or on the performance of functions supported by IT audits such as GRC, quality management, continuous improvement, or information assurance.

    Structure and content
    This book could not hope to provide, and is not intended to be, a substitute for formal standards, protocols, and practice guidance relevant to IT auditing. What it does offer is a thorough introduction to many aspects of IT auditing and the role of IT audits within the broader context of other major forms of audits. The book is structured in a way that should be equally helpful to readers looking for information on a specific audit-related subject or for those interested in developing a more general understanding of the IT audit discipline. The material in the early chapters focuses on describing why organizations undergo different types of audits and what characteristics distinguish those types of audits from each other. References provided in each chapter, in addition to the information in the last two chapters in the book, should help direct readers to authoritative sources of guidance on various aspects of auditing and to the major standards organizations and professional associations shaping the evolution of the field. This book does not recommend a particular approach or methodology, but instead highlights the similarities among many of the most prominent frameworks, methodologies, processes, and standards in the hope that readers will recognize the basic aspects of IT auditing in any real-world context.

    A brief summary of each chapter follows.

    Chapter 1: IT Audit Fundamentals
    Chapter 1 establishes a foundation for the rest of the material in the book by defining auditing and related key terms and concepts and explaining the nature and rationale for IT auditing in different organizations, differentiating internal from external audits in terms of the reasons and requirements associated with each perspective. It also identifies organizations and contexts that serve as the subject of IT audit activities and describes the individuals and organizations that perform audits.

    Chapter 2: Auditing in Context
    Chapter 2 emphasizes the practical reality that IT auditing often occurs as a component of a wider-scope audit not limited to IT concerns alone, or as a means to support other organizational processes or functions such as GRC, certification, and quality assurance. Audits performed in the context of these broader programs have different purposes and areas of focus than stand-alone IT-centric audits, and offer different benefits and expected outcomes to organizations.

    Chapter 3: Internal Auditing
    Chapter 3 focuses on internal IT auditing, meaning audits conducted under the direction of an organization's own audit program and typically using auditors who are employees of the organization under examination. This chapter highlights the primary reasons why organizations undergo internal audits, including drivers of mandatory and voluntary audit activities. It also describes some of the benefits and challenges associated with internal auditing and characterizes the role, experience, and career path of internal IT audit personnel.

    Chapter 4: External Auditing
    Chapter 4 provides a direct contrast to Chapter 3 by addressing external auditing, which bears many similarities to internal auditing but is, by definition, conducted by auditors and audit firms wholly separate from the organization being audited. This chapter identifies the key drivers for external audits, explains the role of internal staff in preparing for and supporting external audits, and describes benefits and challenges often encountered by organizations subject to such audits. Because audited organizations often have to choose their external auditors, the chapter also discusses the process of selecting an auditor, the registration requirements applicable to auditors in many countries, and key auditor qualifications.

    Chapter 5: Types of Audits
    Chapter 5 offers an overview of the major types of audits organizations undergo, including financial, operational, certification, compliance, and quality audits in addition to IT-specific audits. For each type of audit, the chapter explains characteristics such as audit rationale, areas of focus, suitability for internal and external auditing approaches, applicable standards and guidance, and anticipated outcomes.

    Chapter 6: IT Audit Components
    The IT domain is too broad to easily address as a whole, whether the topic is auditing, governance, operations, or any other key function that organizations manage for their IT resources. Chapter 6 breaks down IT and associated controls into different categories—reflecting decomposition approaches commonly used in IT audit methodologies and standards—to differentiate among IT audit activities focused on different IT components. The material in this chapter addresses technical as well as nontechnical categories, describing different technologies and architectural layers, key processes and functions, and aspects of IT programs and projects that are also often subject to audits.

    Chapter 7: IT Audit Drivers
    Chapter 7 describes key types of external and internal drivers influencing organizations' approaches to IT auditing, including major legal and regulatory requirements as well as motivating factors such as certification, quality assurance, and operational effectiveness. This chapter summarizes the audit-related provisions of major U.S. and international laws governing publicly traded firms and organizations in regulated industries such as financial services, health care, energy, and the public sector. It also explains the motivation provided by internally developed strategies, management objectives, and initiatives on the ways organizations structure their internal audit programs and external audit activities.

    Chapter 8: IT Audit Process
    The IT audit process description provided in Chapter 8 explains in detail the steps organizations and auditors follow when performing audits. Although there is no single accepted standard process applicable in all contexts, most methodologies, frameworks, standards, and authoritative guidance on auditing share many common activities and process attributes, often traceable to the familiar plan-do-check-act (PDCA) model originally developed for quality improvement purposes. Chapter 8 focuses on the activities falling within the generic process areas of audit planning, audit evidence collection and review, analysis and reporting of findings, and responding to findings by taking corrective action or capitalizing on opportunities for improvement.

    Chapter 9: Methodologies and Frameworks
    Although the high-level process of auditing is very similar across organizations, industries, audit purposes, and geographies, there is a wide variety of methodologies and control and process frameworks available for organizations and individual auditors to apply when performing audits. Almost all external auditors follow one or more of these approaches and many organizations choose to adopt established methodologies and frameworks as an alternative to developing their own. Chapter 9 presents the best-known and most widely adopted methodologies and frameworks, including those focused explicitly on auditing as well as those intended to support IT governance, IT management, information security, and control assessment.

    Chapter 10: Audit-Related Organizations, Standards, and Certifications
    There are many standards development bodies and other types of organizations that produce and promote standards relevant to IT auditing and that offer professional certifications for individuals engaged in auditing or related disciplines. Chapter 10 identifies the most prominent organizations and summarizes their contributions to available standards and certifications.


    Information Technology Risk and Controls
    2nd Edition

    IPPF – Practice Guide

    Copyright © 2012 Wolters Kluwer Financial Services, Inc. All Rights Reserved.

    As the world’s leading audit management software, TeamMate
    has revolutionized the audit industry, empowering audit
    departments of all sizes to do more with less. Introduced in
    1994, TeamMate has a long standing commitment to advancing
    the audit profession. From consistently innovative product
    updates, to hosted solutions, and now mobile apps, we are
    dedicated to leveraging the latest technology for our clients.
    TeamMate’s outreach extends beyond our customers to support
    and enrich the professional community through research
    projects, educational programs and initiatives such as our Open
    Audit Innovation Contest.

    To learn about TeamMate, visit us on the web at
    CCHTeamMate.com or call 1.888.830.5559.

    Don’t take our word for it…
    Check out what our
    customers are saying at
    TeamMateSuccess.com

    Building on Experience, Shaping the Future of Audit Technology


    Global Technology Audit Guide (GTAG®) 1
    Information Technology Risk and Controls
    2nd Edition
    March 2012

    GTAG — Table of Contents

    Executive Summary ........................................................ 2
    1. Introduction ............................................................ 3
    2. Introduction to the Basis of IT-Related Business Risks and Controls ..... 5
    3. Internal Stakeholders and IT Responsibilities ........................... 8
    4. Analyzing Risks ........................................................ 10
    5. Assessing IT — An Overview ............................................. 13
    6. Understanding the Importance of IT Controls ............................ 16
    7. IT Audit Competencies and Skills ....................................... 22
    8. Use of Control Framework ............................................... 23
    9. Conclusion ............................................................. 25
    10. Authors & Reviewers ................................................... 26
    11. Appendix: IT Control Framework Checklist .............................. 27

    GTAG — Executive Summary

    Executive Summary

    This GTAG helps chief audit executives (CAEs) and internal auditors keep pace with the ever-changing and sometimes complex world of IT by providing resources written for business executives — not IT executives. Both management and the Board have an expectation that the internal audit activity provides assurance around all-important risks, including those introduced or enabled by the implementation of IT. The GTAG series helps the CAE and internal auditors become more knowledgeable of the risk, control, and governance issues surrounding technology. The goal of this GTAG is to help internal auditors become more comfortable with general IT controls so they can talk with their Board and exchange risk and control ideas with the chief information officer (CIO) and IT management. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT-related risk and control issues, and presents relevant frameworks for assessing IT risk and controls. Moreover, it sets the stage for other GTAGs that cover in greater detail specific IT topics and associated business roles and responsibilities.

    This guide is the second edition of the first installment in
    the GTAG series — GTAG 1: Information Technology
    Controls — which was published in March 2005. Its goal
    was, and is, to provide an overview of the topic of IT-related
    risks and controls.


    GTAG — Introduction

    1. Introduction

    The purpose of this GTAG is to explain IT risks and controls in a format that allows CAEs and internal auditors to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This GTAG provides an overview of the key components of IT control assessment with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. Some readers already may be familiar with some aspects of this GTAG, but some segments will provide new perspectives on how to approach IT risks and controls. One goal of this GTAG, and others in the series, is that IT control assessment components can be used to educate others about what IT risk and controls are and why management and internal audit should ensure proper attention is paid to fundamental IT risks and controls to enable and sustain an effective IT control environment.

    Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat. Fortunately, technology also can provide protection from threats, as this guide will demonstrate. Executives should know the right questions to ask and what the answers mean. For example:

    • Why should I understand IT risks and controls? Two words: assurance and reliability. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls as well as from evidence that controls are continuous and sufficient. Management must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance.

    • What is to be protected? Trust should be protected because it ensures business and efficiency. Controls provide the basis for trust, although they often are unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many organizations — is all about trust.

    • Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself. Many IT controls are technical in nature, and IT supplies the tools for many business controls.

    • Who is responsible? Everyone. However, control ownership and responsibilities must be defined and disseminated by management. Otherwise, no one is responsible, and results could be quite severe.

    • When should IT risks and controls be assessed? Always. IT is a rapidly changing environment that promotes process and organizational change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

    • How much control is enough? Management must decide based on risk appetite, tolerance, and mandatory regulations. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive, but not nearly as expensive as the possible consequences of inadequate controls.

    IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these things are too easy to lose. A CAE can use this guide as a foundation to assess an organization’s framework and internal audit practices for IT risk and control, compliance, and assurance. It also can be used to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency.

    IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to weak links. IT controls are subject to error and management override, range from simple to highly technical, and exist in a dynamic environment. IT controls have two significant elements: the automation of business controls (which support business management and governance) and control of the IT environment and operations (which support the IT applications and infrastructures). The CAE needs to consider and assess both elements. The CAE may view the automated business controls as those controls where both business and IT audit skills work together in an integrated audit capacity. The CAE may want to separate the general IT controls or general computer controls (GCCs) based on the technical skills and competencies necessary to assess more technical applications, infrastructure, and operations. For example, an enterprise resource planning (ERP) application requires more technical knowledge to understand and assess controls over the ERP database structures, user access, system configuration, and financial reporting. The CAE will find that assessing infrastructure, such as networks, routers, firewalls, and wireless and mobile devices, requires specialized skills and experience. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and as the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

    IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analyses for large bodies of data.

    The following are examples of key control concepts:

    • Assurance is provided by the IT controls within the system of internal controls. This assurance should be continuous and provide a reliable trail of evidence.

    • The internal auditor’s assurance is an independent and objective assessment that the IT-related controls are operating as intended. This assurance is based on understanding, examining, and assessing the key controls related to the risks they manage and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

    Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT risks and controls.


    GTAG — Introduction to the Basis of IT-related Business Risks and Controls

    2. Introduction to the Basis of IT-related Business Risks and Controls

    2.1 Key Concepts

    Organizations continue to leverage the ever-changing capabilities of technology to advance their offerings and services in ways that challenge the internal audit profession. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) specifically notes that internal auditors must assess and evaluate the risks and controls for information systems that operate within the organization. The IIA has provided further perspective on assessing IT risks and controls through additional GTAGs. GTAG 4: Management of IT Auditing discusses IT risks and the resulting IT risk universe, and GTAG 11: Developing the IT Audit Plan helps internal auditors assess the business environment that the technology supports and the potential aspects of the IT audit universe. Additionally, GTAG 8: Auditing Application Controls covers the specific auditing aspects of application controls and the approach internal auditors can take when assessing the controls.

    The term board is used in this GTAG as defined in the Standards glossary: “a board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.”

    As this GTAG will explore further, the assessment of IT risks and the controls in place to address them must be associated with the established business process environment and the specific organization objectives that need to be met as outlined by organization executives and the Board. IT risks are just one piece of the overall complex interconnectivity of people, processes, infrastructure, and enterprise risk environment that exists and should be managed as a whole by the organization.

    Internal auditors need to understand the range of controls available for mitigating IT risks. The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls as well as the realization that failure of a set of controls can lead to increased reliance on, and necessary examination of, other control groups. Within this document, IT controls will be referred to in terms such as governance, management, technical, and application based on who in the organization implements and maintains them.

    Another view of IT controls is in terms of general and application controls. General IT controls are typically pervasive in nature and are addressed through various audit avenues. Examples include IT operations, application development and maintenance, user management, change management, and backup and recovery. Application controls provide another category of controls and include controls within an application around input, processing, and output.

    This GTAG also will explore the use of controls for managing and governing the infrastructure, processes, and personnel supporting the business through technology. IT governance continues to evolve within organizations because of the continued use of IT as well as increased oversight by management and the Board.

    2.2 IT Governance

    When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization’s overall business needs. It is important for IT management to possess a strong understanding of the organization’s business processes used to meet its objectives and achieve the goals outlined by executive management and the Board. IT governance is not only composed of the controls needed to address identified risks but also is an integrated structure of IT practices and personnel that must be aligned closely with — and enable achievement of — the organization’s overall strategies and goals.

    A CAE needs to be able to evaluate the IT governance structure and its ability to deliver results for the organization and improve the efficiencies of the IT activity. Research efforts have indicated that IT governance does lead to improved business performance as well as better alignment of IT with the business in achieving strategic objectives.

    IT governance consists of the leadership, organizational structures, and processes that ensure that the organization’s IT sustains and supports the organization’s strategies and objectives.

    With the requirement of IIA Standard 2110.A2 stating that the internal audit activity must assess whether the IT governance of the organization supports the organization’s strategies and objectives, CAEs need to be prepared to evaluate this key aspect of the overall IT landscape.

    Proper application of IT governance principles has the ability to influence and impact the entire organization and how IT interacts with the business.

    • Identification and management of IT risks and enablement of improved IT operations: IT governance helps ensure close linkage to an organization’s risk management activities, including enterprise risk management (ERM). IT governance needs to be an integral part of the overall corporate risk management efforts so that appropriate techniques can be incorporated into IT activities, including communication of risk status to key stakeholders, throughout the organization. A CAE should review the risk management activities being used by the overall organization and make sure linkage exists from IT risk management efforts to corporate risk activities and that appropriate attention is being placed on the IT risk profile.

    • Enhancing the relationship between the business and IT: IT governance provides a mechanism to link the use of IT to an organization’s overall strategies and goals. The relationship between the business and IT will make sure that IT resources are focused on doing the right things at the right time. The communication between IT and the business should be free flowing and informative, providing insight into what IT is delivering as well as the status of those efforts. A CAE should review the alignment and ensure that strong portfolio management processes exist, allowing the business and IT organizations to collaborate on resource priorities and initiatives and overall investment decisions.

    • Visibility into IT management’s ability to achieve its objectives: IT organizations will define their strategies to support the business, part of which is making sure the day-to-day IT operations are being delivered efficiently and without compromise. Metrics and goals are established not only to help IT execute on a tactical basis but also to guide the activities of the personnel to improve maturity of practices. The results will enable IT to execute its strategy and achieve its objectives established with the approval of organization leaders. A CAE should assess whether the linkage of IT metrics and objectives aligns with the organization’s goals and becomes a measurement of the progress being made on approved initiatives. Additionally, the CAE can help validate that metrics are being measured effectively and represent realistic views of the IT operations and governance on a tactical and strategic basis.

    • Management of risks and identification of continuous improvement opportunities for business and IT outcomes: Risk management is a key component of an effective IT governance structure within an organization. The identification and management of IT risks will enable the IT activity to run the business of IT more effectively while also identifying potential opportunities to improve its practices. IT risks should have defined owners who methodically communicate the status of the risk management efforts to all levels of management. The CAE provides a valuable role in validating the consistency of the IT risk universe and will use the information to help define the internal audit universe for independent risk assessment and audit planning efforts. The Risk IT Practitioner Guide developed by the IT Governance Institute (ITGI) and ISACA provides a framework for identifying and assessing IT risks while also providing a direct link to the Control Objectives for Information and Related Technology (COBIT) framework.

    • IT governance improving adaptability of IT to changing business and IT environments: IT governance provides a foundation for IT to better manage its responsibilities and support of the business through defined processes and roles and responsibilities of IT personnel. By having such formality in place, IT has the ability to better identify potential anomalies on a daily and trending basis, leading to root cause identification of situations and issues. Additionally, IT has the ability to adapt more flexibly to ad hoc requests for new or enhanced business capabilities. Today’s CAE can assess such data sources (e.g., help desk and problem management tickets) to evaluate how IT is addressing unknown issues. The CAE also can review IT portfolio management processes to understand how needs are prioritized and whether flexibility exists to reprioritize needs based on the organization’s changing priorities.

    As internal audit activities assess the organization’s IT governance structure and practices, several key components that lead to effective IT governance can be evaluated, including:

    • Leadership. Evaluate the relationship between IT objectives and the organization’s current/strategic needs. Assess the involvement of IT leaders in the development and ongoing execution of the organization’s strategic goals. Review how roles and responsibilities are assigned within the IT activity and whether personnel perform them as designed. Also, review the role of senior management and the Board in helping establish and maintain strong IT governance.

    • Organization structures. Review how the business and IT personnel are interacting and communicating current and future needs through the existing organizational structure. This should include the existence of necessary roles and reporting relationships to allow IT to adequately meet the needs of the business while giving the business the opportunity to have its requirements addressed through formal evaluation and prioritization.


    • IT processes. Evaluate IT process activities and controls in place to manage the needs of the business while providing the necessary assurance over business processes and underlying systems. The IT activity uses the processes to support the IT environment and help with consistent delivery of expected services. Determine how IT will be measured in helping the organization achieve these goals.

    • Risk management. Review the IT activity’s processes to identify, assess, and monitor/mitigate risks within the IT environment. Additionally, determine the accountability personnel have within the risk management process and how well these expectations are being met. Understand what events have occurred and impacted the IT activity to determine whether appropriate risk management practices are in place and whether risk demographics (e.g., risk frequency, impact, mitigation techniques) were appropriately documented and, if needed, updated after the event.

    • Control activities. Assess the IT-defined key control activities to manage its business and the support of the overall organization. Internal audit should review ownership, documentation, and self-validation aspects. Additionally, the control set should be robust enough to address the identified risks.


    GTAG — Internal Stakeholders and IT Responsibilities

    3. Internal Stakeholders and IT Responsibilities

    An organization must understand and manage its IT environment. Furthermore, it must understand and recognize the business processes’ dependence on IT and the need to conform to regulatory compliance demands. Business opportunities are exploited or lost as a consequence of success or failure in managing and using IT. Effective IT governance increases the likelihood that IT enables the business to meet its goals and that resources are prudently managed. The following table¹ outlines a set of possible oversight functions and responsibilities with links to the Board, executive management, senior management, and internal auditors from an IT governance point of view.

    Role: The Board

    The Board should:

    • Understand the strategic value of the IT function.

    • Become informed of role and impact of IT on the enterprise.

    • Set strategic direction and expect return.

    • Consider how management assigns responsibilities.

    • Oversee how transformation happens.

    • Understand constraints within which management operates.

    • Oversee enterprise alignment.

    • Direct management to deliver measurable value through IT.

    • Oversee enterprise risk.

    • Support learning, growth, and management of resources.

    • Oversee how performance is measured.

    • Obtain assurance.

    Role: Executive Management

    Executive management should:

    • Become informed of role and impact of IT on the enterprise.

    • Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals.

    • Determine required capabilities and investments.

    • Assign accountability.

    • Sustain current operations.

    • Provide needed organizational structures and resources.

    • Embed clear accountabilities for risk management and control over IT.

    • Measure performance.

    • Focus on core business competencies IT must support.

    • Focus on important IT processes that improve business value.

    • Create a flexible and adaptive enterprise that leverages information and knowledge.

    • Strengthen value delivery.

    • Develop strategies to optimize IT costs.

    • Have clear external sourcing strategies.

    ¹ This table contains portions of the ITGI’s Board Briefing on IT Governance, 2nd Edition, used with permission from ITGI and ISACA. ©2003 ITGI. All rights reserved.


    Role: Senior Management

    Senior management should:

    • Manage business and executive expectations relative to IT.

    • Drive IT strategy development and execute against it.

    • Link IT budgets to strategic aims and objectives.

    • Ensure measurable value is delivered on time and budget.

    • Implement IT standards, policies and control framework as needed.

    • Inform and educate executives on IT issues.

    • Look into ways of increasing IT value contribution.

    • Ensure good management over IT projects.

    • Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence.

    • Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value.

    • Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.

    • Ensure that roles critical for managing IT risks are appropriately defined and staffed.

    • Ensure the day-to-day management and verification of IT processes and controls.

    • Implement performance measures directly and demonstrably linked to the strategy.

    • Focus on core IT competencies.

    Role: The Internal Audit Activity

    The internal audit activity should:

    • Ensure a sufficient baseline level of IT audit expertise in the department.

    • Include evaluation of IT in its planning process.

    • Assess whether IT governance in the organization sustains and supports strategies and objectives.

    • Identify and assess the risk exposures relating to the organization’s information systems.

    • Assess controls responding to risks within the organization’s information systems.

    • Ensure that the audit department has the IT expertise to fulfil its engagements.

    • Consider the use of technology-based audit techniques as appropriate.

    In addition to internal stakeholders, it is also important to take into consideration external parties, such as the external auditor, national authorities, public expectations, and international organizations for standardization.


    GTAG — Analyzing Risks

    4. Analyzing Risks

    IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined and range from doing nothing and accepting the risk as a cost of doing business to applying a wide scope of specific controls. This section explains the concepts of when to apply IT controls.

    It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of organization and industry. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk the organization faces. The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the organization’s risk appetite. In this respect, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)² defines risk appetite as:

    “… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in the setting of objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks.”

    In addition to risk appetite, the CAE should consider risk tolerance. COSO defines risk tolerance as:

    “… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of related objectives and aligns risk tolerances with its risk appetite.”

    Therefore, the CAE should consider whether:

    • The organization’s IT environment is consistent with the organization’s risk appetite.

    • The internal control framework is adequate to ensure the organization’s performance remains within the stated risk tolerances.
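    As an added illustration of the two checks just listed (example code written for this page, not GTAG or COSO material), the following Python scores a small constructed IT risk register: inherent risk from likelihood and impact, residual risk crediting only controls that tested as operating effectively, a response measured against the business function's risk appetite, and a tolerance check on a performance objective. The five-point scales, the likelihood-reduction figures, the appetite thresholds, and the sample risks are all assumptions.

```python
"""Added example for this page: an IT risk register scored against a stated
risk appetite and risk tolerance. Scales, thresholds and sample risks are
constructed assumptions, not GTAG or COSO definitions."""
from dataclasses import dataclass, field

# Assumed five-point ordinal scales for likelihood and impact.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: float   # assumed fraction of likelihood removed
    operating_effectively: bool   # outcome of the auditor's testing


@dataclass
class ITRisk:
    name: str
    business_function: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is credited (1..25)."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self, assume_all_effective: bool = False) -> float:
        """Likelihood x impact after crediting controls. Only controls that
        tested as operating effectively count, unless the caller asks what
        the designed control set would achieve if every control operated."""
        likelihood = float(SCALE[self.likelihood])
        for control in self.controls:
            if assume_all_effective or control.operating_effectively:
                likelihood *= 1.0 - control.likelihood_reduction
        return round(likelihood * SCALE[self.impact], 2)


def risk_response(risk: ITRisk, appetite_by_function: dict) -> str:
    """Response ranges from accepting the risk to adding controls. A control
    design gap and an operating failure are told apart because they lead to
    different audit findings."""
    appetite = appetite_by_function[risk.business_function]
    if risk.residual_score() <= appetite:
        return "accept"
    if risk.residual_score(assume_all_effective=True) <= appetite:
        return "remediate failed control"
    return "design additional controls"


def assess_register(risks: list, appetite_by_function: dict) -> dict:
    """Map each risk name to (inherent score, residual score, response)."""
    return {
        r.name: (r.inherent_score(), r.residual_score(),
                 risk_response(r, appetite_by_function))
        for r in risks
    }


def within_tolerance(target: float, tolerance: float, observed: float) -> bool:
    """Risk tolerance as acceptable variation from an objective: true when the
    observed result deviates from the target by no more than the tolerance."""
    return abs(target - observed) <= tolerance


# Constructed sample register (assumed values, for illustration only).
APPETITE = {"finance": 6, "sales": 8, "operations": 8}  # max residual score

SAMPLE_RISKS = [
    ITRisk("Unauthorized change to ERP configuration", "finance", "high",
           "very high", [Control("change approval workflow", 0.5, True),
                         Control("segregation of duties", 0.5, True)]),
    ITRisk("Breach of customer records", "sales", "high", "very high",
           [Control("encryption at rest", 0.3, True),
            Control("quarterly access review", 0.5, False)]),
    ITRisk("Unpatched Internet-facing web server", "operations", "very high",
           "high", [Control("monthly patch cycle", 0.4, True)]),
]

if __name__ == "__main__":
    for name, (inh, res, resp) in assess_register(SAMPLE_RISKS, APPETITE).items():
        print(f"{name}: inherent={inh} residual={res} -> {resp}")
    # Availability objective: target 99.9%, tolerance 0.3 points, observed 99.5%.
    print("ERP availability within tolerance:",
          within_tolerance(99.9, 0.3, 99.5))
```

    The second sample risk shows the distinction an auditor cares about: the designed control set would bring the risk within appetite, but one control failed testing, so the finding is an operating deficiency rather than a design gap.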

    4.1 Risk Considerations in Determining the Adequacy of IT Controls

    Risk management applies to the entire spectrum of activity within an organization — not just to the application of IT. IT cannot be considered in isolation. Rather, IT must be treated as an integral part of all business processes. Choosing IT controls is not a matter of implementing those recommended as best practices; controls must add value to the organization by reducing risk efficiently and increasing effectiveness. When considering the adequacy of IT controls within the organization’s internal control framework, the CAE should consider the processes established by management to determine:

    • The use, value, and criticality of information.

    • The organization’s risk appetite and tolerance for each business function and process.

    • IT risks faced by the organization and the quality of service provided to its users.

    • The complexity of the IT infrastructure.

    • The appropriate IT controls and the benefits they provide.

    The frequency of risk analysis is important and is influenced greatly by both internal and external changes. The speed of technological change will impact each organization differently. Some organizations will need to respond to the risks associated with technology changes rapidly, while others may decide to respond at a more measured pace.

    4.1.1 The IT Environment

    Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure comprises hardware, software, communications, applications, protocols (i.e., rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

    Other areas to consider include project-related and provider risks. For example, project-related risk includes insufficient budget, resources, project management, and technical skills. For third-party provider and vendor risks, the IT auditor should analyze issues such as stability, financial strength, review of IT controls, and audit rights.

    The inventory of IT infrastructure components reveals basic information about the environment’s vulnerabilities. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include fundamental controls that ensure basic security.

    ² The Committee of Sponsoring Organizations of the Treadway Commission, “Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting.” www.coso.org.

    The complete inventory of the organization’s IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components inside and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, information about a system or network also can reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to attackers.

    4.1.2 IT Risks Faced by the Organization

    The CAE discusses IT risk issues with the CIO and process owners to assess whether all related parties have an appropriate awareness and understanding of the technical risks the organization faces through the use of IT as well as their roles in applying and maintaining effective controls.

    4.1.3 Risk Appetite and Tolerance

    Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the organization’s established risk appetite and its risk tolerance in relation to IT. The auditor’s assessment will involve discussions with many members of management and — potentially — the Board. The level of detail of these discussions can be determined with input from the CIO, the chief information security officer (CISO), and process owners.

    An organization’s use of ERM must include IT risks as part of this process. ERM includes methods and processes to manage risks and seize opportunities in achieving the organization’s objectives. It typically starts with identifying particular events or circumstances relevant to the organization’s objectives (e.g., the risks of data breaches), assessing them in terms of likelihood and magnitude of impact (e.g., the inherent risk of a data breach is rated high, and the impact also is rated as high), determining a response (e.g., new policies to better secure the organization’s data), and monitoring progress on the implementation of responses (e.g., the IT activity’s implementation of new security measures to avoid data breaches). By identifying and proactively addressing risks and opportunities, organizations will be better suited to protect and create value for stakeholders. In this way, ERM assists the CAE in understanding the significant risks for the entire organization. Then, the CAE can use this perspective to set audit priorities, determine audit project activities, and establish risk appetite and tolerance.3

    4.1.4 Performing a Risk Analysis

    A risk analysis should be performed with involvement from
    various roles and departments within an organization,
    including the chief risk officer (CRO), CAE, IT activity, and
    business representatives.

    Basic questions associated with the risk assessment process
    include:

    • Which IT assets (this includes both tangible and intangible IT assets, such as information or reputation) are at risk, and what is the value of their confidentiality, integrity, and availability?

    • What could happen to adversely affect that information’s asset value (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.

    • If a threat event happened, how bad could its impact be?

    • How often might the event be expected to occur (frequency of occurrence)?

    • How certain are the answers to the first four questions (uncertainty analysis)?

    • What can be done to reduce the risk?

    • How much will it cost?

    • Is it cost-efficient?

    Determining the value of the information processed and
    stored is not an easy task due to the multidimensional nature
    of value. The CAE will find it helpful to work with the CRO
    to coordinate and align the IT-related risks. Depending on
    the organization’s size and risks, the CAE and CRO may
    want to share how they prioritize risk areas, risk coverage, or
    leverage resources.

    3 COSO, Strengthening Enterprise Risk Management for Strategic
    Advantage, Nov. 4, 2009.


    4.2 Risk Mitigation Strategies

    When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may have minor impact if they occur or may be extremely unlikely to occur, and it may not be cost-effective to implement expensive control processes.

    In general, there are several ways to treat risks.

    • Accept the risk. One of management’s primary functions is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate as well as periodically reviewing the risk to ensure its impact remains low.

    • Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

    • Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the risk to an insurance provider.

    • Control/mitigate the risk. Instead of — or in combination with — other options, controls may be devised and implemented to prevent the risk from manifesting itself, to limit the likelihood of this manifestation, or to minimize its effects.
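The risk-analysis questions of section 4.1.4 (impact, frequency, control cost, cost-efficiency) and the four treatments above can be worked through numerically. The following is an added example, not code from the GTAG; the register figures, the risk appetite and the decision rules are constructed for illustration.

```python
"""Risk analysis and treatment selection, as an added example (not from the
GTAG). It maps the guide's questions (asset value, threat impact, frequency,
control cost, cost-efficiency) onto expected annual loss and then picks one of
the four treatments from section 4.2. All figures and decision thresholds are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed risk appetite: the expected annual loss management is willing
# to carry as a cost of doing business without further treatment.
RISK_APPETITE = 5_000.0


@dataclass
class Risk:
    name: str
    impact: float          # loss if the threat event occurs, in currency units
    frequency: float       # expected occurrences per year
    control_cost: float    # annual cost of the candidate control
    control_effect: float  # fraction of expected loss the control removes (0..1)
    transferable: bool = False  # residual can be insured or passed to a provider

    def expected_loss(self) -> float:
        """'How bad' times 'how often': expected annual loss if untreated."""
        return self.impact * self.frequency

    def residual_loss(self) -> float:
        """Expected annual loss remaining after the candidate control."""
        return self.expected_loss() * (1.0 - self.control_effect)

    def net_benefit(self) -> float:
        """Loss avoided by the control minus what the control costs;
        positive means the control is cost-efficient."""
        return (self.expected_loss() - self.residual_loss()) - self.control_cost


def recommend(risk: Risk, appetite: float = RISK_APPETITE) -> str:
    """Choose a treatment from section 4.2 using constructed decision rules:
    accept small risks, control when the control pays for itself and brings
    the residual within appetite, share what can be transferred, and
    otherwise eliminate (replace the technology or supplier)."""
    if risk.expected_loss() <= appetite:
        return "accept"
    if risk.net_benefit() > 0 and risk.residual_loss() <= appetite:
        return "control"
    if risk.transferable:
        return "share"
    return "eliminate"


def treatment_plan(risks: List[Risk]) -> Dict[str, str]:
    """Treatment recommendation for every risk in a register, keyed by name."""
    return {r.name: recommend(r) for r in risks}


# Constructed register of four IT risks.
SAMPLE_REGISTER = [
    Risk("customer database breach", impact=400_000, frequency=0.05,
         control_cost=8_000, control_effect=0.8),
    Risk("laptop theft", impact=3_000, frequency=1.0,
         control_cost=2_000, control_effect=0.5),
    Risk("hosting provider outage", impact=50_000, frequency=0.5,
         control_cost=30_000, control_effect=0.5, transferable=True),
    Risk("unsupported legacy application", impact=100_000, frequency=0.2,
         control_cost=25_000, control_effect=0.9),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:35s} expected loss={r.expected_loss():>9,.0f} "
              f"net benefit={r.net_benefit():>9,.0f} -> {recommend(r)}")
```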


    5. Assessing IT — An Overview

    IT controls are applied when controlling or mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that should be in place to provide a fundamental level of IT control.

    IT controls should be part of major IT processes related to planning, organization, acquisitions, changes, delivery of IT services, and IT support and monitoring. IT controls supporting a wide range of these IT processes typically would be the IT infrastructure controls that cover areas such as network controls, database controls, operating system controls, and hardware controls, for example. IT controls that cover applications and, in many cases, important business areas could include input edit controls, process completion or reconciliation controls, and exception report controls. The CAE should gain an overview of the important controls and what business processes they support as a first step in understanding IT risks and controls. Process descriptions and organization charts are some of the tools that can be used to gain an overview. Additionally, the CAE should obtain an understanding of key IT initiatives to comprehend how the IT infrastructure and applications may be changing during a defined period of time. This information will enable the CAE to perform an initial risk assessment that allows for a deeper analysis.

    Some questions can be considered when evaluating the control environment and selecting a suitable set of controls.

    • Do IT policies — including IT controls — exist?

    • Have responsibilities for IT and IT controls been defined, assigned, and accepted?

    • Is the control designed effectively?

    • Is the control operating effectively?

    • Does the control achieve the desired result?

    • Is the mix of preventive, detective, and corrective controls effective?

    • Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

    • Is evidence retained (e.g., through an audit trail)?

    • Are the IT infrastructure equipment and tools logically and physically secured?

    • Are access and authentication control mechanisms used?

    • Are controls in place to protect the operating environment and data from viruses and other malicious software?

    • Are firewall-related controls implemented?

    • Do firewall policies exist?

    • Are external and internal vulnerability assessments completed, and have risks been identified and resolved appropriately?

    • Are change and configuration management and quality assurance processes in place?

    • Are structured monitoring and service measurement processes in place?

    • Have the risks of outsourced services been taken into consideration? (For details on this, refer to GTAG 7: IT Outsourcing.)

    The payment card industry publishes one of the more widely and broadly used data security standards — PCI Data Security Standards (PCI DSS). Launched in 2006, the PCI Security Standards Council represents an open, global forum that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the PCI DSS, the Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

    The CAE can use the PCI DSS at a high level to determine whether certain security activities should be considered for the organization (see the following PCI Data Security Standards High Level Overview).


    Introduction and PCI Data Security Standard Overview

    The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing — including merchants, processors, acquirers, issuers, and service providers, as well as all other entities which store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI DSS requirements.4

    PCI Data Security Standard – High Level Overview

    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open public networks

    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel

    Assessing IT controls is a continuous process. Business procedures constantly change as technology continues to evolve, and threats emerge as new vulnerabilities are discovered. Audit methods improve as internal auditors adopt an approach where IT control issues in support of the business objectives are a top priority. Management provides IT control metrics and reporting, and auditors attest to their validity and opine on their value. The internal auditor should liaise with management at all levels to agree on the validity and effectiveness of the metrics and assurances for reporting.

    The internal audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1 – The Structure of IT Auditing, divides the assessment into a logical series of steps.

    4 PCI DSS Requirements and Security Assessment Procedures, V2.0, Copyright 2010 PCI Security Standards Council LLC

    Figure 1 – The Structure of IT Auditing

    [Figure: diagram headed “Assessing IT Controls”; the recoverable panel text is listed below.]

    Understanding IT Controls: Governance – Management – Technical; General / Application; Prevention, Detection, Correction; Information – Security

    Importance of IT Controls: Reliability and Effectiveness; Competitive Advantage; Legislation and Regulation

    Roles and Responsibilities: Governance; Management; Audit

    Based on Risk: Risk Analysis; Risk Response; Baseline Controls

    Monitoring and Techniques: Control Framework; Frequency; Assessment Methodologies; Audit Committee Interface

    The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the
    results of risk and control assessments. The CAE should oversee the pursuit of continuous learning and reassessment as new
    technologies emerge and as dependencies, strategies, risks, and requirements change.


    6. Understanding the
    Importance of IT Controls

    Although this GTAG deals exclusively with IT risks and controls, the control environment within IT (e.g., tone at the top from the CIO, the ethical climate, management philosophy, and operating style) is critically important and should be evaluated. The IIA’s Practice Guide, Auditing the Control Environment, should be consulted in addition to this GTAG when considering the control environment within IT.

    COSO defines internal control as: “A process, effected
    by an entity’s board of directors, management, and other
    personnel. This process is designed to provide reasonable
    assurance regarding the achievement of objectives in:

    • Effectiveness and efficiency of operations.

    • Reliability of financial reporting.

    • Compliance with applicable laws and regulations.”

    IT controls encompass those processes that provide assurance for information and information services and help control or mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analyses for large bodies of data.

    It is not necessary for the CAE to know everything
    about IT controls, including the full continuum or all
    the technical intricacies. Many of these controls are the
    domain of specialists who manage specific risks associated
    with individual components of the systems and network
    infrastructure.

    6.1 IT General and Application Controls

    Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 2 – Some Control Classifications). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application. For further definition of IT related controls, refer to GTAG 8: Auditing Application Controls.

    [Figure: diagram of control classifications. Recoverable labels: General Controls; Application Controls; Prevention Controls; Detective Controls; Corrective Controls; Governance Controls; Management Controls; Technical Controls.]

    Figure 2 – Some Control Classifications

    6.1.1 IT General Controls

    General controls apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, IT governance, risk management, resource management, IT operations, application development and maintenance, user management, logical security, physical security, change management, backup and recovery, and business continuity. Some general controls are business-related (e.g., segregation of duties or governance arrangements), whereas others are very technical (e.g., system software controls and network software controls) and relate to the underlying infrastructure. General controls are reviewed by internal audit because they form the basis of the IT control environment. If the general controls are weak and unreliable (e.g., change and access control) and cannot be relied on, the auditor may need to alter the testing approach for those areas impacted.

    6.1.2 Application Controls

    Application controls5 pertain to the scope of individual business processes or application systems and include controls within an application around input, processing, and output. Application controls also can include data edits, segregation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

    5 PCI Security Standards Council LLC, Payment Card Industry
    (PCI) Data Security Standard Requirements and Security Assessment
    Procedures, Version 2.0., Oct. 2010.


    The function of a control is highly relevant to the assessment of its design and effectiveness. Controls usually are classified as preventive, detective, or corrective. Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data entry edits that block alphabetic characters from being entered into numeric fields; access controls that protect sensitive data or system resources from unauthorized people; and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

    Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls also can include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or that the sender cannot be authenticated.

    Corrective controls correct errors, omissions, or incidents
    once they have been detected. They vary from simple
    correction of data entry errors to identifying and removing
    unauthorized users or software from systems or networks to
    recovery from incidents, disruptions, or disasters.

    Generally, it is most efficient to prevent errors or detect them
    as soon as possible to simplify correction.
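The application controls of section 6.1.2 (data edits, balancing of processing totals, error reporting) and the preventive/detective distinction above can be seen together in one batch run. This is an added example, not code from the GTAG; the record layout, the reference lists of inactive and monitored accounts, the authorized limit and the sample batch are all constructed.

```python
"""Automated application controls over a constructed batch of payment
records, as an added example (not GTAG code). Preventive input edits block
bad records before processing; detective checks flag inactive accounts,
monitored accounts and amounts over the authorized limit; balancing of
processing totals against the batch header and an exception report make the
results visible for correction. Record layout, reference lists and the limit
are constructed."""
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

INACTIVE_ACCOUNTS = {"ACC-9001"}        # constructed: closed accounts
MONITORED_ACCOUNTS = {"ACC-7777"}       # constructed: flagged for monitoring
AUTHORIZED_LIMIT = Decimal("5000.00")   # constructed single-transaction limit
ACCOUNT_RE = re.compile(r"ACC-\d{4}")
AMOUNT_RE = re.compile(r"\d+\.\d{2}")   # numeric field: digits only, two decimals


@dataclass
class BatchResult:
    accepted: List[dict] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)    # preventive
    exceptions: List[Tuple[str, str]] = field(default_factory=list)  # detective
    totals_balance: bool = False


def input_edit(record: dict) -> Optional[str]:
    """Preventive control: the reason a record must be rejected before
    processing, or None when it passes every edit."""
    if not AMOUNT_RE.fullmatch(record.get("amount", "")):
        return "non-numeric or badly formatted amount"
    if not ACCOUNT_RE.fullmatch(record.get("account", "")):
        return "malformed account number"
    if Decimal(record["amount"]) <= 0:
        return "amount must be positive"
    return None


def detective_checks(record: dict) -> List[str]:
    """Detective control: patterns the guide lists that a well-formed record
    can still match (inactive account, monitored account, over limit)."""
    flags = []
    if record["account"] in INACTIVE_ACCOUNTS:
        flags.append("posting to inactive account")
    if record["account"] in MONITORED_ACCOUNTS:
        flags.append("account flagged for monitoring")
    if Decimal(record["amount"]) > AUTHORIZED_LIMIT:
        flags.append("exceeds authorized limit")
    return flags


def process_batch(records: List[dict], header_count: int,
                  header_total: Decimal) -> BatchResult:
    """Run the edits and checks, then balance processing totals against the
    batch header supplied by the originating system."""
    result = BatchResult()
    for rec in records:
        reason = input_edit(rec)
        if reason is not None:
            result.rejected.append((rec["id"], reason))
            continue
        result.accepted.append(rec)
        for flag in detective_checks(rec):
            result.exceptions.append((rec["id"], flag))
    # Balancing control: count and value processed must equal the header.
    # A rejected record breaks the balance, which is what forces review.
    processed_total = sum((Decimal(r["amount"]) for r in result.accepted),
                          Decimal("0.00"))
    result.totals_balance = (len(result.accepted) == header_count
                             and processed_total == header_total)
    return result


def exception_report(result: BatchResult) -> List[str]:
    """Lines a reviewer sees; an empty list means nothing needs attention."""
    lines = [f"REJECTED {tid}: {why}" for tid, why in result.rejected]
    lines += [f"REVIEW {tid}: {why}" for tid, why in result.exceptions]
    if not result.totals_balance:
        lines.append("OUT OF BALANCE: processed totals differ from batch header")
    return lines


# Constructed batch: the header claims 5 records totalling 9455.50.
SAMPLE_BATCH = [
    {"id": "T1", "account": "ACC-1001", "amount": "250.00"},
    {"id": "T2", "account": "ACC-1002", "amount": "12O.00"},   # letter O typed
    {"id": "T3", "account": "ACC-9001", "amount": "75.50"},
    {"id": "T4", "account": "ACC-7777", "amount": "9000.00"},
    {"id": "T5", "account": "ACC-10", "amount": "10.00"},
]
SAMPLE_HEADER = (5, Decimal("9455.50"))

# Constructed clean batch whose header agrees with its content.
CLEAN_BATCH = [{"id": "C1", "account": "ACC-1001", "amount": "100.00"}]
CLEAN_HEADER = (1, Decimal("100.00"))

if __name__ == "__main__":
    print("\n".join(exception_report(process_batch(SAMPLE_BATCH, *SAMPLE_HEADER))))
```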

    Many other control classifications described in this document may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications may exist such as mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

    6.2 IT Governance, Management,
    and Technical Controls

    Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, technical, and application.

    The first two levels — governance and management — are the most applicable to the scope of this guide. However, it also may be useful to understand how higher-level controls specifically are established within the technical and application IT infrastructures. Technical controls and application controls are the subject of GTAG 8: Auditing Application Controls.

    6.2.1 IT Governance Controls

    The primary responsibility for internal control oversight resides with the Board in its role as keeper of the governance framework. IT control at the governance level involves overseeing effective information management, principles, policies, and processes and ensuring that they are in place and performing correctly. These controls are linked with the concepts of governance, which are driven both by organizational goals and strategies and by outside bodies, such as regulators.

    6.2.2 Management Controls

    Management responsibility for internal controls typically involves reaching into all areas of the organization with special attention to critical assets, sensitive information, and operational functions. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management in response to risks to the organization, its processes, and assets.

    6.2.3 Technical Controls

    Technical controls often form the backbone of management’s control framework. Therefore, if the technical controls are weak, the impact affects the entire control framework. For example, by protecting against unauthorized access and intrusion, technical controls provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. Examples of technical controls are operating system controls, database controls, encryption, and logging.

    6.2.4 Application Controls

    As already established, application controls pertain to the
    scope of individual business processes or application systems.
    They may be technical in nature but are also nontechnical
    depending on the area of control. They include controls of
    input, processing, and output. Section 6.3.7 of this document
    discusses application controls in more depth.

    6.3 IT Controls — What to Expect

    Individual controls within an organization can be classified within the hierarchy of IT controls — from the overall high-level policy statements issued by management and endorsed by the Board down to the specific control mechanisms incorporated into application systems.


    Figure 3 – Hierarchy of IT Controls represents a logical “top-down” approach both when considering controls to implement and when determining areas on which to focus internal audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they connect with each other and often overlap and intermingle. Each of the control types within the hierarchy are described below.

    [Figure: layered diagram of the hierarchy of IT controls. Recoverable labels, top to bottom: Governance; Management; Technical; Policies; Standards; Organization and Management; Physical and Environmental Controls; Systems Software Controls; Systems Development Controls; Application-based Controls.]

    Figure 3 – Hierarchy of IT Controls

    6.3.1 Policies

    All organizations need to define their goals and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively.

    Because technology is vital to virtually all organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the Board, and communicated to staff. Many different policy statements can be required depending on the organization’s size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient — provided it covers all relevant areas. Larger organizations often will require more detailed and specific policies.

    For example, IT policy statements may include, but are not restricted to:

    • A general policy on the level of security and privacy throughout the organization. This policy should be consistent with relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.

    • A statement on the classification of information and the rights of access at each level. The policy also should define any limitations on the use of this information by those approved for access.

    • A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. This should be a general policy that defines the extent to which users can create their own applications.

    • Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization and requiring employees to sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy typically would also detail related disciplinary procedures.

    • Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered when an unexpected event or disaster happens.

    6.3.2 Standards

    The organization should have an IT blueprint that supports its overall strategy and sets the tone for the resultant IT policies and standards.6

    The standards define ways of working to achieve the objectives of the organization. Adopting and enforcing standards promotes efficiency and ensures consistency in the IT operating environment.

    Large organizations with significant resources are in a position to devise their own standards, but smaller organizations may not have sufficient resources. There are many sources of information on standards and best practice. For example, IT management should consider:

    • Systems development processes: When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization’s standards or are acceptable to the organization.

    • Systems software configuration: Because systems software provides a large element of control in the IT environment, standards related to secure system configurations are beginning to gain wide acceptance by leading organizations and technology providers. The way products — such as operating systems, networking software, and database management systems — are configured can either enhance security or create weaknesses that can be exploited.

    • Application controls: All applications that support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases, and the standards should define the types of controls that must be present across the whole range of business activities as well as the specific controls that should apply to sensitive processes and information.

    • Data structures: Having consistent data definitions across the full range of applications ensures that disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

    • Documentation: Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

    As with policies, written standards should be approved by management and made available to everyone who implements them.

    6 The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing ensures that the internal audit activity examines the IT strategy. IIA Standard 2110.A2 states: “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.”

    6.3.3 Organization and Management

    Organization and management play a major role in the whole system of IT control in addition to every aspect of an organization’s operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented. Important controls typically could include segregation of incompatible duties, financial controls, and change management.

    6.3.3.1 Segregation of Duties

    Segregation of duties is a vital element of many controls. An
    organization’s structure should not allow responsibility for all
    aspects of processing data to rest with one individual. The
    functions of initiating, authorizing, inputting, processing,
    and checking data should be separated to ensure no indi-
    vidual can create an error, omission, or other irregularity
    and authorize it and/or obscure the evidence. Segregation-
    of-duties controls for application systems are implemented
    by granting access privileges in accordance with job require-
    ments for processing functions and accessing information.

    Traditional segregation of duties within the IT environment
    is divided between systems development and IT operations.

    IT operations should be responsible for running production
    systems — except for change deployment — and should
    have little or no responsibility with the development process.
    This control includes restrictions preventing operators from
    accessing or modifying production programs, systems, or
    data. Similarly, systems development personnel should have
    little contact with production systems. By assigning specific
    roles during implementation and other change processes,
    segregation of duties can be enforced. In large organizations,
    many functions should be considered to ensure appropriate
    segregation of duties.
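    The access-privilege approach to segregation of duties described above can be checked mechanically rather than by reading access lists by hand. The Python script below is an added example, not code from GTAG 1 or The IIA: it takes a constructed role-to-permission map and user-to-role assignments, defines conflicting pairs among the five functions named above (initiating, authorizing, inputting, processing, checking) and for the development/production split, and reports every user whose effective permissions, accumulated across all of their roles, contain a conflicting pair. The role names, user names, and the particular conflict pairs are assumptions made for the illustration.

```python
"""Segregation-of-duties conflict check over role assignments.

Added illustration, not from GTAG 1. The roles, users, and the conflict
pairs are constructed for the example; the five functions (initiate,
authorize, input, process, check) are the ones the guidance names.
"""
from itertools import combinations

# Application-level "toxic combinations" (constructed example policy).
APPLICATION_CONFLICTS = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"process", "check"}),
    frozenset({"initiate", "check"}),
}

# IT-environment conflicts: systems development versus production operations.
IT_CONFLICTS = {
    frozenset({"develop_code", "deploy_production"}),
    frozenset({"develop_code", "modify_production_data"}),
    frozenset({"operate_production", "modify_production_programs"}),
}


def effective_permissions(user, user_roles, role_permissions):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= set(role_permissions.get(role, ()))
    return perms


def find_sod_violations(user_roles, role_permissions, conflicts):
    """Return {user: sorted list of conflicting permission pairs}.

    A violation is any conflicting pair fully contained in the user's
    effective permissions, regardless of which roles supplied them.
    Conflicts that only arise across two separately harmless roles are
    the ones a per-role review misses.
    """
    violations = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [(a, b) for a, b in combinations(sorted(perms), 2)
                if frozenset({a, b}) in conflicts]
        if hits:
            violations[user] = sorted(hits)
    return violations


# Constructed sample data.
ROLE_PERMISSIONS = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize"},
    "ap_reviewer": {"check"},
    "batch_operator": {"process", "operate_production"},
    "developer": {"develop_code"},
    "release_manager": {"deploy_production"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_supervisor"},       # can initiate and authorize
    "carol": {"ap_supervisor", "ap_reviewer"},  # authorize + check: permitted here
    "dave": {"developer", "release_manager"},   # develops and deploys own code
    "erin": {"batch_operator"},
}


def audit_report():
    """Run both conflict sets over the sample assignments."""
    return {
        "application": find_sod_violations(USER_ROLES, ROLE_PERMISSIONS, APPLICATION_CONFLICTS),
        "it_environment": find_sod_violations(USER_ROLES, ROLE_PERMISSIONS, IT_CONFLICTS),
    }


if __name__ == "__main__":
    for area, hits in audit_report().items():
        print(area)
        for user, pairs in hits.items():
            for a, b in pairs:
                print(f"  {user}: holds both '{a}' and '{b}'")
```

    In the sample data, bob's two roles are individually harmless but together let him initiate, input, and authorize the same transaction; dave can both write and deploy production code, the development/operations split the text calls for. The conflict pairs are the audit policy and should come from the organization's own job-requirement analysis.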

    6.3.3.2 Financial Controls

    Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report on these issues. Unfortunately, new IT developments often suffer massive cost overruns and fail to deliver the expected cost savings or income because of wrong estimates or insufficient planning.

    6.3.3.3 Change Management

    Change management [7] processes ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate segregation of duties; ensures that changes work and are implemented as required; and prevents changes from being exploited for fraudulent purposes. A lack of change management can seriously impact system and service availability.

    [7] Refer to The IIA’s GTAG 2: Change and Patch Management Controls: Critical for Organizational Success.

    6.3.4 Physical and Environmental Controls

    IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant.

    All equipment must be protected, including the servers and workstations that allow staff access to the applications. Some typical physical and environmental controls include:

    • Locating servers in locked rooms to which access is restricted.

    • Restricting server access to specific individuals.

    • Providing fire detection and suppression equipment.

    • Housing sensitive equipment, applications, and data away from environmental hazards, such as low-lying flood plains, flight paths, or flammable liquid stores.

    When considering physical and environmental security, it is also appropriate to consider contingency planning [8]. What will the organization do if there is a fire or flood or if any other threat manifests itself? How will the organization continue its operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that business continuity planning that has not been tested successfully in a realistic simulation is not reliable.

    6.3.5 Systems Software Controls

    Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems (e.g., Windows and UNIX), network and communications software, firewalls, antivirus products, and database management systems (DBMS) (e.g., Oracle and DB2).

    IT audit specialists should assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider using external resources. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful.

    Systems software can be highly complex and can apply to components and appliances within the systems and network environment. Software may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to securely maintain it. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for unauthorized users to break into a system. Configuration techniques also provide the means to enforce segregation of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

    Some key technical controls to be expected in a well-managed IT environment include:

    • Access rights allocated and controlled according to the organization’s stated policy.

    • Division of duties enforced through systems software and other configuration controls.

    • Intrusion and vulnerability assessment [9], prevention, and detection in place and continuously monitored.

    • Intrusion testing performed on a regular basis.

    • Encryption services applied where confidentiality is a stated requirement.

    • Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data. [10]

    6.3.6 Systems Development and Acquisition Controls

    Organizations rarely adopt a single methodology for all system acquisitions or development. Methodologies are chosen to suit the particular circumstances. The IT auditor should assess whether the organization uses a controlled method to develop or acquire application systems and whether it delivers effective controls over and within the applications and data they process. By examining application development procedures, the auditor can gain assurance that application controls are adequate. Some basic control issues should be addressed in all systems development and acquisition work. For example:

    • User requirements should be documented, and their achievement should be measured.

    • Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

    • Systems development should be conducted in a structured manner to ensure that requirements and approved design features are incorporated into the finished product.

    • Testing should ensure that individual system elements work as required, system interfaces operate as expected, and that the system owner has confirmed that the intended functionality has been provided.

    • Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

    Where systems development is outsourced, the outsourcer or provider contracts should require similar controls. Project management techniques and controls should be part of the development process — whether developments are performed in-house or are outsourced. Management should know whether projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management understands the current status of development projects and does not receive any surprises when the end product is delivered. [11] The IIA’s GTAG 12: Auditing IT Projects also should be considered when assessing development or acquisition projects.

    [8] Refer to The IIA’s GTAG 10: Business Continuity Management.
    [9] Refer to The IIA’s GTAG 6: Managing and Auditing IT Vulnerabilities.
    [10] Refer to The IIA’s GTAG 2: Change and Patch Management Controls: Critical for Organizational Success.

    6.3.7 Application Controls [12]

    The objective of controls over application systems is to ensure that:

    • All input data is accurate, complete, authorized, and correct.

    • All data is processed as intended.

    • All data stored is accurate and complete.

    • All output is accurate and complete.

    • A record is maintained to track the process of data from input to storage and to the eventual output.

    Reviewing application controls traditionally has been the realm of the specialist IT auditor. However, because application controls now represent a large percentage of business controls, they should be a key concern of every internal auditor.

    There are several types of generic controls that should exist in any application.

    • input controls: These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

    • processing controls: These controls provide automated means to ensure processing is complete, accurate, and authorized.

    • output controls: These controls address what is done with the data. They should compare results with the intended result and check them against the input.

    • integrity controls: These controls can monitor data in process and/or storage to ensure that data remains consistent and correct.

    • management trail: Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
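    As an added example (not code from the GTAG or The IIA), the Python block below applies the control types listed above to one constructed batch of payment records: input controls validate each field against its specified parameters, a processing control reconciles the batch to a record count and hash total supplied with it, an output control reconciles posted plus rejected amounts back to that total, and every decision is written to a management trail that can be traced in either direction. The record layout, the payment limit, the vendor master, and the header values are assumptions constructed for the illustration.

```python
"""Generic application controls applied to one batch of payment records.

Added illustration, not code from GTAG 1 or The IIA. The record layout,
the authorization limit, the vendor master, and the batch header are all
constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime

MAX_AMOUNT = 50_000.00                     # constructed single-payment limit
VENDOR_MASTER = {"V100", "V200", "V300"}   # constructed approved-vendor list


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record id, reasons)
    trail: list = field(default_factory=list)      # management trail entries
    control_ok: bool = False                       # processing control passed


def _amount(rec):
    """Numeric amount of a record, or None when it cannot be interpreted."""
    try:
        return float(rec.get("amount"))
    except (TypeError, ValueError):
        return None


def validate_input(rec):
    """Input controls: each field is checked against its specified parameters.
    Returns the list of failures; an empty list means the record is accepted."""
    reasons = [f"missing {f}" for f in ("id", "vendor", "amount", "date", "approver")
               if not rec.get(f)]
    if reasons:
        return reasons
    if rec["vendor"] not in VENDOR_MASTER:
        reasons.append("vendor not in master file")
    amt = _amount(rec)
    if amt is None:
        reasons.append("amount not numeric")
    elif amt <= 0 or amt > MAX_AMOUNT:
        reasons.append("amount outside allowed range")
    try:
        datetime.strptime(rec["date"], "%Y-%m-%d")
    except ValueError:
        reasons.append("date not YYYY-MM-DD")
    return reasons


def process_batch(header, records):
    """Processing control (completeness against the batch header), then
    per-record input controls, then an output control that reconciles
    what was posted plus what was rejected back to the header total."""
    result = BatchResult()
    received = round(sum(_amount(r) or 0.0 for r in records), 2)
    if len(records) != header["count"] or received != round(header["hash_total"], 2):
        result.trail.append({"event": "batch rejected",
                             "reason": "record count or hash total differs from header"})
        return result
    result.control_ok = True
    rejected_total = 0.0
    for r in records:
        reasons = validate_input(r)
        if reasons:
            rejected_total += _amount(r) or 0.0
            result.rejected.append((r.get("id"), reasons))
            result.trail.append({"id": r.get("id"), "event": "rejected", "reasons": reasons})
        else:
            posted = {"id": r["id"], "vendor": r["vendor"], "amount": round(_amount(r), 2)}
            result.accepted.append(posted)
            result.trail.append({"id": r["id"], "event": "posted",
                                 "amount": posted["amount"], "approver": r["approver"]})
    posted_total = round(sum(p["amount"] for p in result.accepted), 2)
    reconciled = round(posted_total + rejected_total, 2) == round(header["hash_total"], 2)
    result.trail.append({"event": "output reconciled", "ok": reconciled,
                         "posted_total": posted_total,
                         "rejected_total": round(rejected_total, 2)})
    return result


# Constructed batch: five payment records plus the control header sent with them.
BATCH_HEADER = {"count": 5, "hash_total": 77050.49}
BATCH = [
    {"id": "P1", "vendor": "V100", "amount": "1200.50", "date": "2024-03-01", "approver": "bob"},
    {"id": "P2", "vendor": "V999", "amount": "300.00", "date": "2024-03-01", "approver": "bob"},
    {"id": "P3", "vendor": "V200", "amount": "75000.00", "date": "2024-03-02", "approver": "bob"},
    {"id": "P4", "vendor": "V300", "amount": "450.00", "date": "03/02/2024", "approver": "bob"},
    {"id": "P5", "vendor": "V300", "amount": "99.99", "date": "2024-03-02", "approver": "bob"},
]


def run():
    return process_batch(BATCH_HEADER, BATCH)


if __name__ == "__main__":
    for entry in run().trail:
        print(entry)
```

    The hash total is sent with the batch by the originating system, so a record dropped or altered in transit is detected before any input checks run; the trail entries carry the record id, so an auditor can go from a posted amount back to its approver, or from a rejection reason forward to the input that caused it.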

    6.4 Information Security

    Information security [13] is an integral part of IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI and budgetary controls) and some project management controls. The generally accepted elements of information security are:

    • confidentiality: Confidential information must be divulged only as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

    • integrity: Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

    • availability: Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

    6.5 IT Controls Framework

    For the more than 50 years that organizations have used IT, controls have not always been the default condition of new systems hardware or software. The development and implementation of controls typically lag behind the recognition of emerging risks in systems and the threats that exploit such vulnerabilities. Furthermore, IT controls are not defined in any universally recognized standard applicable to all systems or to the organizations that use them.

    A control framework is a structured way of categorizing and identifying controls to adequately secure an IT environment. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all concerned parties, including the business process owners and the parties responsible for performing the controls. The control framework should apply to, and be used by, the whole organization.

    [11] Refer to The IIA’s GTAG 14: Auditing User-developed Applications.
    [12] Refer to The IIA’s GTAG 8: Auditing Application Controls.
    [13] Refer to The IIA’s GTAG 15: Information Security Governance.

    7. IT Audit Competencies and Skills

    According to the IPPF, internal auditors are expected to apply and uphold four principles: integrity, objectivity, confidentiality, and competency. The principle of competency requires internal auditors to engage only in those services for which they have the necessary knowledge, skills, and experience. Furthermore, IIA Attribute Standard 1210: Proficiency states: “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.”

    The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. The IIA provides an Integrated Competency Framework to help identify the necessary competencies to maintain in the internal audit activity. This approach links the identified business risks to the related IT processes. Hence, the CAE should know what kind and level of IT skills and competencies are required for auditing the effectiveness of the controls over the identified business risks. The following table shows a few examples for mapping business risks and required IT controls as well as the skills/competencies needed to perform the audit.

    Business risk: Information security management
    IT controls: A sound, logical security control
    IT skills and competencies: Security administration; access controls at network, operating system, database, and application levels

    Business risk: Critical business disruption
    IT controls: Ensuring availability of critical business applications
    IT skills and competencies: Business continuity and disaster recovery planning for the IT facilities (including network infrastructure, operating systems, databases, and applications)

    Business risk: Inaccurate and incomplete financial and management reporting
    IT controls: Securing data confidentiality and availability
    IT skills and competencies: Application controls, change controls, and system development life cycle (SDLC) controls

    If the required IT skills and competencies are not available within the internal audit activity, the CAE may seek an external service provider to support or complement the internal staff (i.e., out-sourcing or co-sourcing). [14]

    [14] Refer to IIA Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity.

    8. Use of Control Framework

    Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all people in the organization with direct responsibility for controls. The internal audit activity will assess the framework’s adequacy and use it as a context for planning and performing internal audit work.

    The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the internal audit plan and allocate resources on the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT. Technology changes constantly and rapidly as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analyses and assessments. In assessing control effectiveness, it also is useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

    Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether evidence indicates any significant control weaknesses. The checklist included in the appendix can help ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture.

    8.1 Computer Aided Audit Techniques and the Use of Data Analysis

    CAEs should consider the use of computer aided audit techniques — especially data analysis tools — to obtain a more real-time perspective of the IT risk landscape and to potentially identify anomalies. In an environment where organizations and internal audit activities need to do more with less, data analysis provides an opportunity for the CAE to leverage information available throughout the organization and identify potential areas of focus for risk assessment or audit activities. Data analysis also can offer the CAE an approach to constantly assess the operating effectiveness of internal controls and review indicators of emerging risks. Available data analysis tools provide increased functionality for auditing the information and for efficiently processing larger amounts of data. However, there are key challenges: the CAE needs to obtain the technical skills, access the data analysis tools, leverage the reporting/extract tools, access the data sources, and develop a strategy that focuses on the highest organizational risks.

    Continuous auditing is similar to continuous monitoring, as data is continually analyzed or assessed by the internal auditor. Continuous monitoring represents a management responsibility and function. Internal audit may test, review, or leverage the use of continuous monitoring. For more information, refer to The IIA’s GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.
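    As an added example (not code from GTAG 1 or GTAG 3), the Python block below runs four data-analysis tests of the kind described above over a constructed journal export: repeated vendor/amount pairs within a week (a duplicate-payment indicator), amounts just under an approval threshold, postings on weekends or outside business hours, and entries prepared and approved by the same person. The export format, the threshold, the window, the business hours, and every journal line are assumptions constructed for the illustration; in practice the same functions would be pointed at the organization's reporting/extract output and scheduled to run continuously.

```python
"""Data-analysis tests of the kind a CAE can run continuously over transaction
exports. Added example, not code from GTAG 1 or The IIA; the export format,
the journal lines, the approval threshold, and the time window are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 10_000.00   # constructed: amounts at or above need a second approver
NEAR_THRESHOLD_BAND = 0.05       # flag amounts within 5% below the threshold
DUPLICATE_WINDOW = timedelta(days=7)
BUSINESS_HOURS = (7, 19)         # 07:00 to 19:00, Monday to Friday


def parse(line):
    """One constructed pipe-delimited export line:
    id|timestamp|vendor|amount|preparer|approver"""
    pid, ts, vendor, amount, preparer, approver = line.split("|")
    return {"id": pid, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "vendor": vendor, "amount": float(amount),
            "preparer": preparer, "approver": approver}


def possible_duplicates(entries):
    """Same vendor and amount posted again within the window: a classic
    duplicate-payment indicator. Returns consecutive (earlier, later) id pairs."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["vendor"], round(e["amount"], 2))].append(e)
    hits = []
    for group in by_key.values():
        group.sort(key=lambda e: e["ts"])
        for earlier, later in zip(group, group[1:]):
            if later["ts"] - earlier["ts"] <= DUPLICATE_WINDOW:
                hits.append((earlier["id"], later["id"]))
    return hits


def near_threshold(entries):
    """Amounts just under the approval limit, which may indicate splitting
    or deliberate avoidance of the second approval."""
    low = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    return [e["id"] for e in entries if low <= e["amount"] < APPROVAL_THRESHOLD]


def outside_hours(entries):
    """Postings on weekends or outside business hours."""
    start, end = BUSINESS_HOURS
    return [e["id"] for e in entries
            if e["ts"].weekday() >= 5 or not (start <= e["ts"].hour < end)]


def self_approved(entries):
    """Preparer and approver are the same person: a segregation-of-duties breach."""
    return [e["id"] for e in entries if e["preparer"] == e["approver"]]


def run_analytics(lines):
    """Parse the export once and return every test's hits keyed by test name."""
    entries = [parse(line) for line in lines]
    return {"duplicates": possible_duplicates(entries),
            "near_threshold": near_threshold(entries),
            "outside_hours": outside_hours(entries),
            "self_approved": self_approved(entries)}


# Constructed sample export (2024-03-04 is a Monday).
SAMPLE_EXPORT = [
    "J1|2024-03-04 09:15|V100|9800.00|alice|bob",
    "J2|2024-03-05 14:02|V200|1250.00|alice|bob",
    "J3|2024-03-08 16:40|V200|1250.00|carol|dan",
    "J4|2024-03-09 02:10|V300|420.00|dan|dan",
    "J5|2024-03-12 11:00|V200|1250.00|alice|bob",
    "J6|2024-03-13 20:30|V100|9950.00|erin|bob",
    "J7|2024-03-14 10:00|V300|10000.00|erin|bob",
]

if __name__ == "__main__":
    for test, ids in run_analytics(SAMPLE_EXPORT).items():
        print(f"{test}: {ids}")
```

    Each hit is an indicator to follow up, not a finding: a repeated vendor/amount pair may be a legitimate recurring charge, and a weekend posting may be a scheduled job. The value of running the tests continuously is that the follow-up happens close to the transaction rather than at the next annual audit.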

    8.2 Using Automated Risk Assessment

    The CAE may find that strengthening his or her risk assessment requires numeric scoring or detailed risk assessment. Certain tools are available for automating the risk analysis process. These tools allow for risk scoring, annotating impact, and rating likelihood, among other factors. Automating the risk assessment allows for comparing and prioritizing risks. Collecting inherent and residual risk factors allows the CAE to provide summary information, such as heat maps or risk profiles that meet the organization’s risk profile. The automation of internal audit management is a major topic in its own right, and one area of opportunity is automating the risk assessment process (e.g., using voting tools to allow management to record risk ratings).

    How Auditing Contributes to IT Controls

    During the last few decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyberattacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world’s recognition of the importance of effective information security management.

    8.3 Reporting on IT Controls

    CAEs need to communicate to key stakeholders — such as the audit committee, executive management, regulators, external auditors, or the CIO — on the results of the assurance engagements. CAEs can use a number of report formats, and approaches can range from updates to balanced scorecards or to private executive session presentations.

    One approach is to begin with simple updates on the assessment. The CAE should first determine the inherent level of risk over certain key IT processes. For example, the CAE can provide and verify with the CIO or key IT stakeholders the inherent risk over development, operations, business continuity planning, network, information security, and change management. Often, the inherent risk depends on the IT strategy and organization. Some IT organizations may be outsourced, centralized, or decentralized. The updates may take the form of audit projects in various functional IT areas. The update may include significant findings or issues. Progress on audit recommendations also might be part of the IT update.

    Another approach is to report in a balanced scorecard. This may align with the CIO’s reporting of IT strategy or operations using an IT balanced scorecard. The Balanced Scorecard Institute provides one template that views the IT activity from four perspectives: financial, internal business process, learning and growing, and customer. When the CAE reports on IT as part of the regular audit report to the Board, audit committee, or management, the report typically would include issues related to information security incidents, change management exceptions, project development status, operation incident reporting, capital spending, or other metrics that measure key IT risks and controls. Such an approach should provide an integrated and comprehensive approach of all risks and controls — from business to IT — in one format.

    Sometimes the CAE may need to hold a private or executive session. This type of reporting generally covers significant issues. For example, it may include the internal audit team not being able to access requested data after repeated attempts, key IT individuals not providing complete or full disclosure, or IT leaders leaving the internal auditor out of key steering committee discussions (i.e., not having a seat at the table). Another challenging issue for a private session might be the lack of support by the CIO. This “tone at the top” may set the wrong culture and even block risk remediation or allow key IT controls to go unmonitored.

    9. Conclusion

    Assessing IT risks and controls represents — for both new and experienced CAEs — one of the first steps in gaining an understanding of the IT environment and its significance in business risk management. Reading and applying this GTAG provides guidance for CAEs and internal auditors to sufficiently understand IT risks and applicable controls. The CAE will then be able to guide IT risk and control discussions with key stakeholders.

    The next step, assessing and understanding IT governance, permits the CAE to identify who is accountable for what in IT and how IT leadership, in cooperation with business leaders, deploys the IT strategy. In this context, CAEs should keep in mind that IIA Standard 2110.A2 calls for “assessing IT governance.” Section 3 (Internal Stakeholders and IT Responsibilities) in this document provides a useful summary of key roles and responsibilities.

    Once the CAE assesses IT governance, analyzing IT risks is a logical next step in the process. Unfortunately, there is no universal checklist for analyzing IT risks. Each organization — driven by the requirements of its nature and size of business — operates different technology infrastructure, applications, interfaces, and uses different policies to achieve IT strategy. The CAE should perform risk analysis by using a structured methodology, such as that outlined in ISO 31000 Risk Management Standardization, and leveraging knowledge from key IT leaders (e.g., the CIO and other executives) in the context of the overall enterprise risks. Developing solid and trusted relationships will allow for transparency when analyzing inherent and residual risks.

    There are many models and approaches to analyzing IT risks, and the CAE should select the models that best fit his or her organization. Several key IT roles and functions are detailed in Section 6 (Understanding the Importance of IT Controls) in this document. The CAE rates the IT risk levels and determines what will be included in the overall audit plan.

    The CAE must identify and assess what technical skills and competencies are required based on the overall audit plan. The CAE may consider The IIA’s GAIT Methodology in using a top-down, risk-based approach. Some specializations, however, may not always be cost-effective to deploy on a full-time basis. CAEs can use internally developed technical skills, hired skills, or external providers. Co-sourcing provides an opportunity for organizations of all sizes to use outside expertise and gain perspective on the latest IT trends and risk impact.

    Assessing the IT risks and controls requires a thoughtful and organized plan. CAEs should plan sufficient time and skilled resources to do a professional job and create a sustainable process for ongoing analysis.

    10. Authors & Reviewers

    Authors:

    Steve Mar, CFSA, CISA
    Rune Johannessen, CIA, CCSA, CISA
    Stephen Coates, CIA, CGAP, CISA
    Karine Wegrzynowicz, CIA
    Thomas Andreesen, CISA, CRISC

    Reviewers:

    Steve Hunt, CIA
    Steve Jameson, CIA, CCSA, CFSA, CRMA

    Other Contributors:

    Dragon Tai, CIA, CCSA


    11. Appendix: IT Control Framework Checklist

    CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control
    elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

    ACTIONS QUESTIONS

    1. Identify the IT control environment of the
    organization, including:

    a. Values.

    b. Philosophy.

    c. Management style.

    d. IT awareness.

    e. Organization.

    f. Policies.

    g. Standards.

    • Do corporate policies and standards that describe the need
    for IT controls exist?

    2. Identify relevant legislation and regulation impacting
    IT control, such as:

    a. Governance.

    b. Reporting.

    c. Data protection.

    d. Compliance.

    • What legislation exists that impacts the need for IT controls?

    • Has management taken steps to ensure compliance with this
    legislation?

    3. Identify the roles and responsibilities for IT control in
    relation to:

    a. Board of directors.

    i. Audit committee.

    ii. Risk committee.

    iii. Governance committee.

    iv. Finance committee.

    b. Management.

    i. CEO.

    ii. CFO and controller.

    iii. CIO.

    iv. Chief Security Officer (CSO).

    v. CISO.

    vi. CRO.

    c. Audit.

    i. Internal audit.

    ii. External audit.

    • Have all relevant responsibilities for IT controls been allo-
    cated to individual roles?

    • Is the allocation of responsibilities compatible with the need
    to apply division of duties?

    • Are IT responsibilities documented?

    • Are IT control responsibilities communicated to the whole
    organization?

    • Do individuals clearly understand their responsibilities in
    relation to IT controls?

    • What evidence is there of individuals exercising their respon-
    sibilities?

    • Does internal audit employ sufficient IT audit specialists to
    address the IT control issues?

    GTAG — Appendix: IT Control Framework Checklist

    120366 PRO-GTAG_1_TEXT.indd 27 3/28/12 2:17 PM

    28

    ACTIONS QUESTIONS

    4. Identify the risk assessment process.
    Does it address:

    a. Risk appetite?

    b. Risk tolerance?

    c. Risk analysis?

    d. Matching risks to IT controls?

    • How is the organization’s risk appetite and tolerance deter-
    mined?

    • Is the organization’s risk appetite and tolerance authorized at
    board level?

    • Are risk appetite and tolerance clearly understood by all
    those with a responsibility for IT control?

    • Does the organization use a formal risk analysis process?

    • Is the process understood by everyone responsible for IT
    control?

    • Is the process used consistently throughout the organiza-
    tion?

    5. Identify all monitoring processes, including:

    a. Regulatory.

    b. Normal in-house.

    c. Other than internal auditing.

    • What processes exist to monitor compliance with all relevant
    legislation plus internal policies and standards?

    • Does management carry out monitoring processes outside
    internal audit?

    6. Identify information and communication
    mechanisms, such as:

    a. Control information.

    b. Control failures.

    • What metrics are provided to the Board, its committees, and
    management in relation to IT security?

    • What additional reports are provided regularly to the Board
    and management?

    • Is management always provided with reports when IT control failures occur?

    • Do the Board and its committees receive similar reports of IT
    control failures?


    About IPPF
    The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance
    promulgated by The Institute of Internal Auditors. IPPF guidance includes:

    Mandatory Guidance

    Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal
    auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public
    exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics,
    and the International Standards for the Professional Practice of Internal Auditing (Standards).

    Element / Definition

    Definition: The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

    Code of Ethics: The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

    International Standards: Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

    • Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.

    • Interpretations, which clarify terms or concepts within the statements.

    It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.

    Strongly Recommended Guidance

    Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA’s Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

    Element / Definition

    Position Papers: Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.

    Practice Advisories: Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing’s approach, methodologies, and considerations, but not detailed processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

    Practice Guides: Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

    This GTAG is a Practice Guide under IPPF.

    For other authoritative guidance materials, please visit www.theiia.org/guidance-standards.


    Copyright © 2012 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 2119-ARC-TM-GTAG-AD 12/15/11

    As the world’s leading audit management software, TeamMate has revolutionized the audit industry, empowering audit departments of all sizes to do more with less. Introduced in 1994, TeamMate has a long-standing commitment to advancing the audit profession. From consistently innovative product updates, to hosted solutions, and now mobile apps, we are dedicated to leveraging the latest technology for our clients. TeamMate’s outreach extends beyond our customers to support and enrich the professional community through research projects, educational programs and initiatives such as our Open Audit Innovation Contest.

    To learn about TeamMate, visit us on the web at CCHTeamMate.com or call 1.888.830.5559.

    Don’t take our word for it… Check out what our customers are saying at TeamMateSuccess.com

    Building on Experience, Shaping the Future of Audit Technology


    www.globaliia.org

    About the Institute

    Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with
    global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice,
    recognized authority, acknowledged leader, chief advocate, and principal educator.

    About Practice Guides

    Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed
    processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as
    examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended
    category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is
    endorsed by The IIA through formal review and approval processes.

    A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward
    business language to address a timely issue related to information technology management, control, or
    security.

    For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/
    standards-guidance.

    Disclaimer

    The IIA publishes this document for informational and educational purposes. This guidance material is not
    intended to provide definitive answers to specific individual circumstances and as such is only intended to be
    used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any
    specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

    Copyright

    Copyright © 2012 The Institute of Internal Auditors.
    For permission to reproduce, please contact The IIA at guidance@theiia.org.
