
GTAG 1: Information Technology Controls - iiacolombia.com

Information Technology Controls

Auditing Application Controls

Authors: David A. Richards, CIA, President, The IIA; Alan S. Oliphant, MIIA, QiCA, MAIR International; Christine Bellino, Jefferson Wells; Charles H. Le Grand, CIA, CHL Global; Steve Hunt, Enterprise Controls Consulting LP

July 200 March 20057

Copyright 20057 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201 USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission from the IIA publishes this document for informational and educational purposes.


This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and

Table of Contents

1 Letter from the
2 IT Controls Executive
4 Assessing IT Controls An
5 Understanding IT
6 Importance of IT
7 IT Roles in the
8 Analyzing
9 Monitoring and
12 Appendix A Information Security Program
13 Appendix B Compliance With Laws and
14 Appendix C Three Categories of IT Knowledge for Internal
15 Appendix D Compliance
16 Appendix E - Assessing IT Controls Using
17 Appendix F - ITGI Control Objectives for Information and Related Technology (CobiT).
378 Section
18 Appendix G Example IT Control Metrics to Be Considered by Audit
19 Appendix H CAE
20 Appendix I
21 Appendix J
22 Appendix K About the Global Technology Audit
23 Appendix L GTAG Partners and Global Project

Letter from the President

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff, although it will help those personnel better relate to management and governance purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls.

It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good Technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud.

Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many, perhaps most, business of financial information and processes now mandated for many companies is all about trust.

Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, collectively known as infrastructure, as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

Who is responsible? Everybody. But you must specify control ownership and responsibilities, otherwise no one is responsible. This guide addresses specific responsibilities for IT controls.

When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive, but not nearly as expensive as the probable consequences of inadequate Controls are essential to protect assets, customers, and partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust.

In today's global market and regulatory environment, these are all too easy to this guide as a foundation to assess or build your organization's framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand, of CHL Global, and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team.

We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: Progress Through Sharing.

Sincerely,
David A. Richards, CIA, CPA
President, The Institute of Internal Auditors,

Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater objectives of the IT Controls guide are to:

Explain IT controls from an executive perspective.
Explain the importance of IT controls within the overall system of internal controls.
Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
Describe the concepts of risk inherent in the use and management of technology by any organization.
Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
Describe the relevant elements of the IT controls assessment process as provided by the internal

Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link.

