Developing the IT Audit Plan
Global Technology Audit Guide (GTAG)
Written in straightforward business language to address a timely issue related to IT management, control, and security, the GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.
For more information and resources regarding technology-related audit guidance, visit www.theiia.org/technology.
July 2008
Copyright © 2008 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Fla., 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.
Table of Contents
1. Executive Summary
2. Introduction
2.1 IT Audit Plan Development Process
8. Glossary of Terms
9. Glossary of Acronyms
GTAG — Introduction
[Figure 1: survey results on how often organizations update their IT audit plan (categories: multiple times per year, every year, every two years, more than every two years, no audit plan); chart not reproduced.]
Results from several IIA external quality assessment reviews (QARs) reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities. Many times, instead of doing risk-based auditing, internal auditors review what they know or outsource to other companies, letting them decide what to audit.

This guide offers techniques for addressing this challenge — how to determine what should be included in the IT audit scope and how these audit areas could be organized into manageable audit units — to create an effective IT audit plan for the organization.

2.1 IT Audit Plan Development Process
Defining the annual audit plan should follow a systematic process to ensure all fundamental business aspects and IT-service support activities are understood and considered. Therefore, it is essential that the foundation for the plan be rooted in the organization’s objectives, strategies, and business model. Figure 2 depicts a logical work-flow progression using a top-down approach to define the IT audit plan that will be used in this guide.

The first step in defining the annual IT audit plan is to understand the business. As part of this step, auditors need to identify the strategies, company objectives, and business models that will enable them to understand the organization’s unique business risks. The audit team also must understand how existing business operations and IT service functions support the organization.

Next, auditors need to define the IT universe. This can be done through a top-down approach that identifies key business objectives and processes, significant applications that support the business processes, the infrastructure needed for the business applications, the organization’s service support model for IT, and the role of common supporting technologies such as network devices. By using these technical components, along with an understanding of service support processes and system implementation projects, auditors will be able to create a comprehensive inventory of the IT environment. This inventory, in turn, forms the foundation for assessing the vulnerabilities that may impact internal controls.

After auditors have a clear picture of the organization’s IT environment, the third step is to perform the risk assessment — a methodology for determining the likelihood of an event that could hinder the organization from attaining its business goals and objectives in an effective, efficient, and controlled manner.

The information and analysis gained by understanding the organization, inventorying the IT environment, and assessing risks feeds into the final step, formalizing the audit plan. The objective of the audit plan is to determine where to focus the auditor’s assurance and consulting work to provide management with objective information to manage the organization’s risks and control environment.

The remainder of this guide follows these four steps and discusses how to define an effective IT audit plan.
Figure 2: IT audit plan development process (top-down approach)

Step 1, understand the business:
• Identify the organization’s strategies & business objectives
• Understand the high risk profile for the organization
• Identify how the organization structures their business operations
• Understand the IT service support model

Step 2, define the IT universe:
• Dissect the business fundamentals
• Identify significant applications that support the business operations
• Identify critical infrastructure for the significant applications
• Understand the role of supporting technologies
• Identify major projects and initiatives
• Determine realistic audit subjects

Step 3, perform the risk assessment:
• Develop processes to identify risks
• Assess risk and rank audit subjects using IT risk factors
• Assess risk and rank subjects using business risk factors

Step 4, formalize the audit plan:
• Select audit subjects and bundle into distinct audit engagements
• Determine audit cycle and frequency
• Add appropriate engagements based on management requests or opportunities for consulting
• Validate the plan with business management
GTAG — Understanding the Business
3. Understanding the Business

Getting started with the right perspective is paramount to defining an effective IT audit plan. An appropriate perspective to keep in mind is that technology only exists to support and further the organization’s objectives and is a risk to the organization if its failure results in the inability to achieve a business objective. Hence, it is important to first understand the organization’s objectives, strategies, business model, and the role that technology has in supporting the business. This can be done by identifying the risks found in the technologies used and how each risk might prevent the organization from achieving a business objective. Doing so will result in more meaningful and useful assessments for management.

Furthermore, auditors need to become familiar with the organization’s business model. Because each organization has a distinct mission and set of business goals and objectives, business models help auditors to identify the products or services the organization provides, as well as its market base, supply channels, manufacturing and product generation processes, and delivery mechanisms. Having a fundamental knowledge of this information will help auditors understand unique business risks and how technology supports existing business models and mitigates the organization’s overall risk profile.

3.1 Organizational Uniqueness
Every organization is different. Even companies operating in the same industry will have different business models, objectives, organizational structures, IT environments, and delivery models. Therefore, audit plans should be defined uniquely for each organization. In addition, the importance of technology might differ within industry segments. Consider the companies that assemble and sell personal computers. Besides using a variety of business models, these companies rely on technology differently to meet business objectives. For instance, the traditional sales distribution model of channeling products through physical stores and resellers requires the use of technology to manage operations and accounting activities, while technology reliance is much greater for companies that sell products over the Internet. As a result, the online marketer’s revenue stream depends more on the availability of critical IT functionality, which also increases the level of IT risks. As this example illustrates, the way an organization deploys its technology resources and systems creates a unique set of business risks.

Auditors can use different internal resources to identify and understand the organization’s goals and objectives, including:
• Mission, vision, and value statements.
• Strategic plans.
• Annual business plans.
• Management performance scorecards.
• Stockholder annual reports and supplements.
• Regulatory filings, such as those submitted to the U.S. Securities and Exchange Commission (SEC).

After becoming familiar with the organization’s entity-level strategic objectives, the next step is to identify the key processes that are critical to the objectives’ success. When doing so, auditors need to understand how each business process differs within operating units, support functions, and major organizationwide projects, as well as how the process relates and links to entity objectives.

Project processes are unique, but equally important, in ensuring initiatives that add value to the organization are managed and commercialized appropriately. A process is considered key if its failure prevents the organization from fully achieving the strategic objective to which it is tied. Operating units include core processes through which the organization achieves primary objectives, such as manufacturing, sales, and distribution activities. Support functions include management processes that oversee and support core operational functions, such as governance and compliance activities, finance, human resources, treasury, cash management, and procurement activities.

Once processes are identified, auditors need to outline the significant applications and critical IT infrastructure (e.g., databases, operating systems, networks, and physical environments) supporting these applications. Underlying these applications and IT infrastructure are supporting IT processes, such as systems development life cycles, change management, operations, and security activities. Auditors should note that applications require periodic assessments based on their significance to financial reporting activities, regulatory compliance, or operational requirements.

Examining the operating environment this way (i.e., starting from the top of the organization) will help auditors understand and inventory each critical component. To fully understand the operating environment and its risks also requires a comprehensive understanding of different technology factors that influence and help categorize organizational risks.
[Figure: business processes diagram; not reproduced.]
risk profile and system of internal control. Important factors to consider include:

1. The degree of system and geographic centralization (i.e., distribution of IT resources). The organization’s business model may determine the IT function’s structure and delivery model. For instance, companies operating with decentralized business units that have autonomy to make operating decisions may have decentralized IT operations, more diversity of applications, and a larger variety of deployed products. On the other hand, in more centralized companies auditors might find enterprise-based applications and centralized IT infrastructure support. Because risks vary as companies approach either end of the centralization continuum, audit responses should vary accordingly.
When establishing the IT audit universe, consideration should be given to aligning individual audits with the management function that has accountability for that area. A centralized IT delivery model may allow for fewer, but possibly larger, individual audits that are concentrated on core technologies and enterprise applications. Conversely, a decentralized delivery model could require more audit engagements to achieve a proper alignment with management accountability.

2. The technologies deployed. The organization’s system architecture diversity will determine the breadth of technical knowledge required within the internal audit function and the number of areas that need to be reviewed. Diversity could be in any and all levels of the IT stack — the key components of an application’s technical infrastructure, including its program code, database, operating system, and network infrastructure.
For instance, application program code includes the sets of computer programs, control files, tables, and user interfaces that provide functionality for specific business operations such as accounting, payroll, and procurement. Other applications could manage critical business information, such as engineering and design project data, legal, and personal medical information. The organization also may have applications that control manufacturing processes commonly called process control systems.
On the other hand, database systems enable the storage, modification, and extraction of data (e.g., Oracle, Microsoft SQL Server, and DB2), while operating systems perform a computer’s basic tasks, such as handling operator input; managing internal computer memory; and providing disk drive, display, and peripheral device functions. Examples of operating systems include variations of Windows and UNIX installed in computers and servers. Handheld devices such as personal digital assistants and cell phones also require operating systems.
Finally, networks link computers and enable them to communicate with each other. They consist of physical components, such as switches, routers, firewalls, wiring, and programs that control the routing of data packets. Networks also can be deployed using radio frequency technology, commonly called wireless networks.
All four layers of the stack are essential to enabling the automated business functionality and introduce availability, integrity, and confidentiality risks. The degree of risk is based on the criticality of the business activity the technology supports and enables, and on the technology’s configuration and deployment. Therefore, the more variety in each of these layers, the higher the organization’s risk profile. For instance, it is simpler for IT departments to manage a homogeneous environment of Windows 2003 servers running a SQL Server database for a single enterprise resource planning (ERP) application than a variety of operating systems and database platforms underlying different applications. While ideal, the first scenario might not be practical for a large organization with diverse operations or a decentralized business model. In creating the audit universe, critical IT elements should be identified and assessed as part of the top-down analysis techniques described in this guide.

3. The degree of customization. Generally, customized implementations add complexity to the management of IT assets. Off-the-shelf software relies primarily on the support of vendors who have a high degree of knowledge and expertise on their products. When vendor software — whether applications, operating systems, or other supporting software — is modified to fit an organization’s business need or process, a large amount of ownership is assumed and more risk is introduced into the equation. Generally, organizations should perform a cost-benefit analysis when making the decision to customize third-party software. However, control aspects might not be considered fully in this analysis. In addition, audits of customized implementations also require greater technical knowledge on the part of the auditors.

4. The degree of formalized company policies and standards (i.e., IT governance). The purpose of an IT governance program is to enable the organization to better manage its day-to-day IT activities and risks through the use of policies and standards. For example, organizations with formalized policies and standards that guide management oversight and help to establish the IT control environment have a better chance of implementing an effective IT governance program. These programs, in turn, are effective when policies and standards are communicated, understood, monitored, enforced, and updated by management.
Policies are general, long-term statements of principle that address management’s operational goals; are intended to have a long-term effect in guiding the development of business rules for specific situations; and can be interpreted and supported by standards, controls, and guidelines. In terms of IT, policies can provide high-level management directives in areas such as intellectual property rights, data protection, retention, and privacy to ensure compliance with laws and regulations and the effective safeguard of data assets.
On the other hand, standards describe a mandatory business process or procedure and provide further direction on how to comply with the policy statement to which they are linked. IT standards are generally technology-neutral and can be further defined by technology-specific controls and guidelines (i.e., configuration settings or procedures) that define how the standard should be implemented.
As a general rule, organizations should establish an ongoing maintenance process for all policies and standards that addresses the latest regulatory mandates. For example, recent changes to the U.S. Federal Rules of Civil Procedure governing the production of evidence in court cases address the discovery and production of electronically stored information. Because of these changes, an organization’s level of risk partly depends on its adherence to updated record retention policies and standards that consider the management of electronically stored information.
Different IT governance frameworks and methodologies are available, including COBIT, ISO’s 27002 Standard on information security management, the Canadian Institute of Chartered Accountants’ IT Control Guidelines, and the Information Security Forum’s Standard of Good Practice for Information Security. These frameworks provide a structured way of categorizing control objectives and control areas across the entire control environment. (For additional information on these and other compliance frameworks, auditors can refer to The IIA’s Information Technology Controls GTAG.5) Organizations can adopt one of these frameworks or use them as a reference when developing their own. Section 5.3 provides information on leading IT governance best practices to help organizations assess the content and effectiveness of these frameworks.

5. The degree of regulation and compliance. Organizations in highly regulated industries generally will have a high-risk profile due to the potential consequences of noncompliance with regulatory mandates. However, successful organizations in highly regulated industries also have disciplined control environments and effective management oversight to ensure ongoing compliance, which results in a lower residual risk profile. The organization’s regulatory requirements, therefore, should be appropriately considered in the risk profile and IT audit universe. For example, all organizations registered with the SEC are required by the U.S. Sarbanes-Oxley Act of 2002 to report on the effectiveness of their internal controls over financial reporting. The legislation also created the U.S. Public Company Accounting Oversight Board (PCAOB) to guide public accounting firms on how to conduct an audit of internal controls over financial reporting. Other regulations include the Basel II Accord in the finance sector and a growing number of privacy and data protection laws and regulations, such as the European Union’s Directive on Data Protection, U.S. Gramm-Leach-Bliley (GLBA) Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

6. The degree and method of outsourcing. IT outsourcing is becoming more prevalent in many organizations due to the high cost and expertise required to deliver noncore services. (The IIA’s Information Technology Outsourcing GTAG provides a detailed discussion on the types of IT outsourcing arrangements and their degree of risk.6) In terms of outsourcing, it is important for auditors to consider the different risks stemming from the outsourcing arrangement when drafting the IT audit plan. Key factors include how management views its oversight and monitoring role, the maturity of the arrangement (e.g., transitioning versus an established working process), country-specific risks, and the completeness of the vendor’s and organization’s business continuity plans.

7. The degree of operational standardization. Operational processes and procedures include the entire system development life cycle as well as configuration, change, incident, operations, and security management activities. Similar to the degree of centralization and the diversity of deployed technologies, the level of operational standardization can impact the reliability and integrity of the IT infrastructure and its assets. Consequently, organizations that adopt standardized processes throughout their service delivery functions increase their ability to operate as a high-performing organization.
An example of a standardized practice is ITIL, a set of concepts and techniques for managing IT infrastructures, as well as the development and installation of new computer systems and IT operations. Its books on service support and service delivery are the most widely used and understood ITIL publications. One of the primary
5 GTAG: Information Technology Controls, p. 18.
6 GTAG: Information Technology Outsourcing.
GTAG — Defining the IT Audit Universe
4. Defining the IT Audit Universe

Determining what to audit is one of the most important internal audit activities, as performing the annual IT audit plan will have a profound impact on the overall success of the internal audit department. Consequently, the ultimate goal of the IT audit plan is to provide adequate coverage on the areas that have the greatest risk and where internal auditors can add the most value to the organization.

One of the first steps to an effective IT audit plan is to define the IT universe, a finite and all-encompassing collection of audit areas, organizational entities, and locations identifying business functions that could be audited to provide adequate assurance on the organization’s risk management level. At this initial phase, identifying potential audit areas within the IT universe is done independently from the risk assessment process. Auditors need to be aware of what audits could be performed before they can assess and rank risks to create the annual audit plan. Defining the IT audit universe requires in-depth knowledge of the organization’s objectives, business model, and the IT service support model.

4.1 Examining the Business Model
Organizations can have different operational units and support functions to accomplish their objectives, which, in turn, have business processes that link activities to achieve their goals. Referring back to the example of companies that assemble and sell personal computers, a traditional company in this industry sector consists of several assembly plants located in different countries, sales and marketing units, as well as different corporate management and support functions. The sales and marketing units, for instance, have established processes for accepting, fulfilling, and invoicing customer orders, while other operating units and support functions have their own processes. Underlying these processes will be critical IT applications and supporting infrastructure. Therefore, it is important for auditors to understand the company’s IT environment when defining the IT universe and identifying the processes critical to the success of each unit.

Using a top-down approach to understand the organization’s structure and activities can help auditors identify critical IT functionality processes that sustain the organization’s operating units and support functions. However, variation in how similar business units perform their processes can add complexity to this analysis. For instance, manufacturing plants in different locations might use different procurement processes. In decentralized organizations, business units might use different applications for similar business processes, or a common application might be configured differently to the extent it functions like an entirely different application. For example, one business unit uses SAP R/3 on a UNIX and Oracle platform, while another business unit uses SAP R/3 on a Windows and SQL Server platform. Although similar, the IT support structure for these business processes is different and may require separate assurance reviews.

4.2 Role of Supporting Technologies
Identifying supporting IT infrastructure technologies can be a simple process when detecting business activities that rely on key applications. However, it is much harder to associate the use of supporting technologies, such as the company’s network, e-mail application, and encryption software, to business objectives and risk. Yet, these supporting technologies exist because the business requires them, and a failure in these services and products can hinder the organization’s ability to accomplish its mission. Therefore, key supporting technologies, while not directly associated with an application or business process, must be identified and represented in the universe of auditable areas.

4.3 Annual Business Plans
Another important element is to take into consideration the organization’s annual business plans and strategies. Operating plans can provide auditors with information on important changes and projects that may be pursued in the upcoming year, which might require audit involvement and become subjects in the IT audit universe. Projects might be directly IT-related, such as the implementation of a new ERP system, or business projects that manage major engineering or construction initiatives. For example, energy companies form major capital projects when developing new facilities to bring oil and gas discoveries into production. These business projects can benefit from the use of critical IT components that merit IT audit attention, such as access controls over document management systems and external network connections for partners and contractors. Because companies can be partners on one project and competitors on another, it is important to limit their access to required IT resources only.

4.4 Centralized and Decentralized IT Functions
Auditors need to identify centrally managed IT functions that support the entire or a large portion of the organization. Centralized functions are good candidates for individual audits in the IT audit universe and include network design and security administration, server administration, database management, service or help desk activities, and mainframe operations. For example, the organization may have a server administration group that is responsible for all Windows servers. Because this group might use common configurations and administrative processes across the entire server population, it represents an ideal candidate for an individual IT audit that is part of the IT audit universe. The homogeneous nature of the environment also lends itself to sampling for the audit’s execution.
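As an added illustration that is not part of the GTAG, the following Python models the top-down inventory described in sections 4.1 through 4.4 and derives audit subjects from it: each centralized function and each site becomes its own subject, application audits are scoped to application-specific areas and reference the subject that already covers their platform, and supporting technologies with no application linkage still land in the universe. All component, site and function names in the inventory are constructed for this example.

```python
"""Derive an IT audit universe from a top-down inventory (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    layer: str         # application | database | os | network | supporting
    managed_by: str    # central IT function or local site that operates it
    supports: tuple    # business processes (for apps) or applications (for infrastructure)


# Constructed inventory, loosely following the guide's PC-assembler example:
# two SAP R/3 instances on different platforms, one central Windows group,
# one central network group, and two plant sites. All names are hypothetical.
CENTRAL_FUNCTIONS = {"Windows server administration", "Network support"}

INVENTORY = (
    Component("SAP R/3 (unit 1)", "application", "Plant A", ("order-to-cash",)),
    Component("Oracle DB", "database", "Plant A", ("SAP R/3 (unit 1)",)),
    Component("UNIX hosts", "os", "Plant A", ("SAP R/3 (unit 1)",)),
    Component("SAP R/3 (unit 2)", "application", "Plant B", ("procurement",)),
    Component("SQL Server", "database", "Windows server administration", ("SAP R/3 (unit 2)",)),
    Component("Windows servers", "os", "Windows server administration", ("SAP R/3 (unit 2)",)),
    Component("Corporate WAN", "network", "Network support",
              ("SAP R/3 (unit 1)", "SAP R/3 (unit 2)")),
    # Supporting technologies that no process or application points at (section 4.2)
    Component("E-mail", "supporting", "Windows server administration", ()),
    Component("Encryption software", "supporting", "Plant B", ()),
)


def audit_universe(inventory, central_functions):
    """Map each component to exactly one audit subject.

    Applications get their own subject (application-specific areas only);
    infrastructure and supporting technologies go to the centralized function
    that runs them, or else to the site audit of the location responsible.
    """
    subjects = defaultdict(list)
    for c in inventory:
        if c.layer == "application":
            subjects[f"Application: {c.name}"].append(c.name)
        elif c.managed_by in central_functions:
            subjects[f"Central: {c.managed_by}"].append(c.name)
        else:
            subjects[f"Site: {c.managed_by}"].append(c.name)
    return {subject: sorted(names) for subject, names in subjects.items()}


def infrastructure_references(inventory, universe):
    """For each application, list the platform components it depends on and
    the subject that already covers each one, so the application audit can
    reference that coverage instead of re-auditing the whole platform."""
    covered_by = {name: subject for subject, names in universe.items() for name in names}
    refs = {}
    for app in (c for c in inventory if c.layer == "application"):
        refs[app.name] = {c.name: covered_by[c.name]
                          for c in inventory if app.name in c.supports}
    return refs


def unlinked_supporting_technologies(inventory):
    """Supporting technologies not tied to any process or application; the
    guide requires these to be represented in the universe regardless."""
    return sorted(c.name for c in inventory if c.layer == "supporting" and not c.supports)


def coverage_gaps(inventory, universe):
    """Return (uncovered, duplicated): components in no subject or in more
    than one. Both lists are empty when every area is audited exactly once."""
    counts = defaultdict(int)
    for names in universe.values():
        for name in names:
            counts[name] += 1
    uncovered = sorted(c.name for c in inventory if counts[c.name] == 0)
    duplicated = sorted(name for name, n in counts.items() if n > 1)
    return uncovered, duplicated


if __name__ == "__main__":
    universe = audit_universe(INVENTORY, CENTRAL_FUNCTIONS)
    for subject, names in sorted(universe.items()):
        print(f"{subject}: {', '.join(names)}")
    for app, refs in infrastructure_references(INVENTORY, universe).items():
        print(f"{app} relies on: {refs}")
    print("Unlinked supporting tech:", unlinked_supporting_technologies(INVENTORY))
    print("Coverage gaps (uncovered, duplicated):", coverage_gaps(INVENTORY, universe))
```

Running it shows the two central groups and the two sites as separate subjects, each SAP R/3 audit pointing at the central or site audit that already covers its database, operating system and network, and E-mail and Encryption software still present in the universe despite having no application linkage.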
There are several benefits to identifying centralized audit subjects. The main benefit is the effective use of limited IT audit resources, which can enable the audit team to focus on one area, use sampling techniques, and gain a large amount of coverage in a single audit. Another benefit is the transfer of internal audit efficiencies to other audits because centralized areas have already been covered and may be excluded from the scope of other audits. The benefit of referencing centralized audit coverage is particularly applicable to application auditing. For example, there could be hundreds of applications residing within a Windows server administration group environment. Since the general controls for the infrastructure are reviewed in a more centralized audit, the IT audit should be limited to application-specific technical areas rather than the entire infrastructure platform hosting the application. The organization also benefits as it is audited thoroughly only once and is not impacted when applications are reviewed individually during each business process audit.

Furthermore, organizations may centralize their IT functions differently. A common practice of many organizations is to create a single network support function that manages its network design and security administration. This network support function could be divided into firewall, router, and switch configuration activities, as well as Internet connectivity, wireless, digital voice, and external network connection management. As a result, each of these areas may be an independent audit subject in the IT universe. Furthermore, because centralized IT functions can change over time, they should be reviewed and refreshed in the audit universe at least annually.

A similar approach can be taken for decentralized IT functions, where each physical location might represent a separate audit subject. Depending on the location’s size, the site’s audit may review general and technical controls for each infrastructure stack layer. The review should only include the IT controls for which the local site is responsible, while controls handled by centralized IT functions should be excluded. If the site is large and supports a wide number of technologies, auditors might need to perform multiple reviews for that location as part of the IT audit universe.

4.5 IT Support Processes
Even if the organization has a decentralized IT function, it may have standardized support processes. Organizations that are striving to be high-performing organizations understand the importance of having standardized support processes across their operating units regardless of the business model. Examples of standardized support processes include service desk activities as well as change, configuration, release, incident, and problem management procedures. The service desk chain of events including incident, problem, change, and release management activities.

Again, one of the leading sources for IT service best practices is ITIL. Many organizations are implementing ITIL practices or other standardized processes to attain better efficiency and higher performance in managing their IT functions. Internal audit groups should become involved in efforts to implement standardized support processes where appropriate and consider new ways to provide assurance on their effectiveness. One approach could be to review the deployment and governance of standardized processes at the enterprise level within the audit plan. These top-level reviews could assess the effectiveness of the processes themselves, the effectiveness of deployed processes, and the effectiveness of the governance model to ensure standardized support processes are used as intended. Once standardized processes are audited, site audits should concentrate on how they are followed rather than on their effectiveness.

4.6 Regulatory Compliance
Different laws and regulations around the world are mandating the use of internal controls and risk management practices and the privacy of personally identifiable information, including the Sarbanes-Oxley Act and Basel II Accord. As discussed earlier, some of these regulations mandate the protection of customer information in the credit card industry (e.g., GLBA and the PCI DSS) and the safeguarding of personal medical information (e.g., HIPAA). Although most of these regulations do not address IT controls directly, they imply the need for an adequately controlled IT environment. Therefore, these regulatory areas are potential subjects in the IT audit universe, as auditors need to determine whether the organization has rigorous processes in place and whether they are operating effectively to ensure compliance.

4.7 Define Audit Subject Areas
The way the IT environment is divided into individual audit subjects could be somewhat influenced by personal preference or staffing considerations. However, the ultimate goal is to figure out how to divide the environment in a manner that provides the most efficient and effective audits. The preceding discussions on centralized IT functions and standardized support processes stated how audit subjects can be grouped in the audit universe to define an audit approach that is more efficient. Although auditors should not be assessing business risks at this phase of the audit planning process, the goal is to have an audit plan that focuses on the highest-risk areas where auditors can add the most value.

Although there is no single right way to define IT audit
is generally the first point of contact for customers to register subjects, there are incorrect or inappropriate ways to do this.7
an IT service or issue resolution request, thus initiating the
request’s life cycle management process and triggering a 7
GTAG: Management of IT Auditing, p. 10.
10
GTAG — Defining the IT Audit Universe
Pitfalls include improper sizing of subjects, basing a plan solely on staffing capabilities, and creating a focus imbalance.

In addition, audit subjects should be divided into appropriately sized areas to define a reasonable allocation of audit resources. When doing so, auditors should keep in mind that defining audit subject areas that are too small or too large might hinder audit efforts. This is because a certain amount of overhead is required for each audit engagement, including administrative efforts for audit planning, management reviews, sign-offs of completed work, and reporting and communicating results. If the audit universe and plan contain numerous small audits, for example, internal auditors could spend as much time administering the audits as performing them. Conversely, if the audit subject area is defined broadly, audits could run for an extended period of time, be disruptive to the client, or be reviewed insufficiently. Depending on the organization’s culture, overly broad definitions might even result in an unplanned increase in scope (i.e., scope creep).8

Finding the right audit size depends on the organization’s audit practices and culture. As a general rule for most organizations, defining audit subjects that require two to three technical auditors for a three- to four-week duration is a reasonable target, as this provides different auditor perspectives and experiences. In addition, the three- to four-week duration is a reasonable request for most organizations. The audit size also should be consistent with company-accepted historical audit practices. However, the IT audit universe should not be defined solely on audit staffing capability, as this might result in a focus imbalance. For instance, some IT audit functions do not have any technicians or IT professionals, but consist of business auditors who have knowledge of currently used business applications. Because these auditors tend to focus on the application layer and might ignore the underpinning infrastructure layers, it is important to have well-balanced coverage of all layers as part of the audit.

Ideally, the internal audit function should consist of highly technical personnel and general auditors who have a good understanding of application controls. The technical auditors, for example, would help ensure the IT infrastructure has proper security controls in place and review general application controls. The proper balance of audit subjects covering all environment layers should be the cornerstone of the IT audit plan even if IT audit staffing is a constraint. If that is the case, alternative resource staffing for these audits would be required to supplement the expertise of the internal audit staff.

Auditors should consider that the audit technique used during the security review could be ineffective when used in a nonhomogeneous server environment consisting of multiple server platforms. This is because the general server administration subject area might be too large or unmanageable. For this reason, many organizations review security based on their platform type, thus enabling a more detailed review. Unfortunately, this activity could result in redundancy as audit steps are duplicated. Hence, auditors could establish separate audit areas for each platform type and a general controls subject audit that is performed across all platforms.

A key consideration in identifying IT environment components and in grouping distinct audit subjects is management accountability. A worst-case scenario would be to define audit subjects crossing reporting lines and involving management from different reporting units, as this might create a conflict over who eventually owns the resolution of issues presented in the audit. As a result, it should be clear who will receive the audit report and who is responsible for the remediation of identified control deficiencies. Finally, the scope of each audit subject should be described clearly so that organizational accountability is determined properly.

4.8 Business Applications
CAEs need to determine which audit group will be responsible for the planning and oversight of business application audits. Depending on how the audit function operates, business applications can be included as part of the IT audit universe, the business audit universe, or both. There is a growing consensus among internal audit functions that business applications should be audited with the business processes they support. This provides assurance over the entire suite of controls — automated and manual — for the processes under review, helps to minimize gaps and overlaps of audit efforts, and minimizes confusion over what was included in the scope of the engagement.

Because of their expertise, the business audit function is probably best suited to determine when applications should be reviewed. If business applications are maintained as part of the IT audit universe, the business audit universe should be linked to the IT audit universe so that the two work together during the audit. Even if business applications are maintained separately from the IT audit universe, individual audit subjects can be created within the IT audit universe for large-scale applications that are used by multiple functions for multiple processes, such as ERP systems. This is because it might make sense to review the application’s general controls in a stand-alone audit rather than arbitrarily including this area in one of the many business audits.

4.9 Assessing Risk
After the IT universe is defined, a systematic and uniform assessment of risk across all subjects should be the next step in determining the annual audit plan. The next section presents risk and risk assessment fundamentals that can help CAEs and internal auditors create an effective IT audit plan.

8 GTAG: Management of IT Auditing, p. 10.

GTAG — Performing a Risk Assessment
5. Performing a Risk Assessment

The IIA defines risk as the possibility that an event will occur that could affect the achievement of objectives, which is measured in terms of impact and likelihood.9 Therefore, it is vitally important for organizations to determine the contents of their risk portfolio periodically and perform activities to manage risks to an acceptable level. As discussed earlier, the risk assessment process should not be conducted until the CAE and internal audit team understand the contents of the IT universe and how they link back to or support the organization. It is paramount — no matter the risk assessment model or approach used — for the risk assessment to determine IT environment areas that can significantly hinder the organization’s achievement of objectives. In other words, the risk assessment needs to examine the infrastructure, applications, and computer operations or components that pose the greatest threat to the organization’s ability to ensure system and data availability, reliability, integrity, and confidentiality.

In addition, auditors need to identify the effectiveness and usefulness of risk assessment results, which should be directly predicated on the methodology employed and its proper execution. That is, if the risk assessment’s methodology input (i.e., the IT universe and its link to the business audit universe) is deficient or is applied incorrectly, it is likely that the output (i.e., risk assessment results) will be incomplete in some capacity.

… in nature (e.g., replace legacy IT applications with an ERP solution).

Furthermore, according to IIA Practice Advisory 2110-1: Assessing the Adequacy of Risk Management Processes, risk management processes should have five key objectives:
• Risks arising from business strategies and activities need to be identified and prioritized.
• Management and the board need to determine the level of risk acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s strategic plans.
• Risk mitigation activities need to be designed and implemented to reduce or otherwise manage risk at levels that are acceptable to management and the board.
• Ongoing monitoring activities need to be conducted to reassess risk periodically and the effectiveness of controls to manage risk.
• The board and management need to receive periodic risk management process reports. The organization’s corporate governance processes also should provide periodic communication of risks, risk strategies, and controls to stakeholders.

Additional guidance from IIA Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures, defines how organizational risk, strategic planning, and changes in management direction should be reflected in the audit plan.

9 … Auditing, p. 17.
… into three major sub-categories: infrastructure, computer operations, and applications.

The infrastructure area consists of all computing components that support the flow and processing of information, such as servers, routers, bridges, mainframes, communication lines, printers, datacenters, networking equipment, antivirus software, and desktops. Computer operations, on the other hand, consist of the processes and controls that manage the computing environment. Examples include physical and logical security administration, backup and recovery, business continuity and disaster recovery planning, service-level agreements (SLAs), program change controls, and compliance with laws and regulations. Finally, applications consist of the software used by the organization to process, store, and report business transactions. Examples include ERP systems and stand-alone applications, such as Microsoft Excel or Access.

2. Risk factors, or the use of observable or measurable factors to measure a specific risk or class of risks. This process is favored for macro-risk assessments, but is not efficient or particularly effective for micro-risk assessments, except when auditable units are homogeneous throughout the audit universe, as in branch, location, or plant audits.

3. Weighted or sorted matrices, or the use of threats versus component matrices to evaluate consequences and controls. This method is superior for most micro-risk assessments.

This GTAG will focus exclusively on the weighted or sorted matrices approach to measure risk and impact. As shown in table 1, this approach uses a simplistic method to rate risk that is based on the risk’s high (i.e., three), medium (i.e., two), or low (i.e., one) likelihood of occurrence.

Likelihood Scale
  H  3  High probability that the risk will occur.
  M  2  Medium probability that the risk will occur.
  L  1  Low probability that the risk will occur.
Table 1. Likelihood scale

3. Calculated risk factors. A subset of objective risk factor data is the class of factors calculated from historical or objective information. These are often the weakest of all factors to use because they are derivative factors of risk that is further upstream.10

10 The IIA Research Foundation’s Assessing Risk, 2nd Edition, 2004.
Due to these risk factors, CAEs and internal auditors must design and use a risk impact model that fits their organization. The model should be similar to the one used for the enterprisewide risk assessment. However, the model’s scale and rank methodology needs to be changed for each IT risk. As shown in table 2, and for the purposes of this GTAG, a simplistic ranking method that uses high, medium, and low categories is used for the impact of each component, based on the same concepts as the likelihood scale presented in table 1.

Impact Scale (Financial)
  H  3  The potential for material impact on the organization’s earnings, assets, reputation, or stakeholders is high.
  M  2  The potential for material impact on the organization’s earnings, assets, reputation, or stakeholders may be significant to the audit unit, but moderate in terms of the total organization.
  L  1  The potential impact on the organization is minor in size or limited in scope.
Table 2. Risk impact model scale

Table 3 on page 15 shows an example of a completed risk assessment that is based on the scales used for likelihood and impact across the risk categories of financial impact, quality of internal controls, changes in the audit unit, availability, integrity, and confidentiality. The score for each audit area is calculated by multiplying the likelihood and impact values within each category and adding the six products. For example, for an ERP application and general controls area, the sum of the six likelihood-times-impact products might be 42 (in table 3, the HR/Payroll application sums to 40). The same logic is used across the other risk categories for each possible audit area.

Based on this scoring approach, the lowest possible score is six (likelihood 1 × impact 1 in all six categories) and the highest possible score is 54 (3 × 3 in all six). Table 4 shows the scoring ranges and their corresponding audit or review frequencies based on the organization’s resource availability.

Composite Risk Level   Score Range   Recommended Annual Cycle
  H                    35–54         Every 1 to 2 years
  M                    20–34         Every 2 to 3 years
  L                    6–19          Every 3 to 5 years
Table 4. Scoring ranges and corresponding audit or review frequencies

5.3 Leading IT Governance Frameworks
Up to this point, the guide has focused on the steps necessary to define the IT audit universe and to perform a risk assessment that determines what should be audited and how often. This discussion is not based on any particular IT governance framework, such as COBIT, the ISO 27002 Standard, or ITIL. As a result, it is the CAE’s responsibility to determine the components of these and other frameworks that best serve the organization.

It is important to keep in mind that none of these frameworks is a “one-size-fits-all.” Rather, they are frameworks organizations can use to manage and improve their IT functions. While it is not within the scope of this GTAG to provide guidance on the pros and cons of these and other IT governance models, an overview of COBIT will be provided.

Since its release in 1996, COBIT has been a leading IT governance framework. Its mission is “to research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.”11 As a framework and supporting tool set, COBIT allows organizations to bridge the gap with respect to control requirements, technical issues, and business risks, and communicate that level of control to stakeholders. COBIT also enables the development of clear IT control policies and practices.12

In addition, COBIT provides a set of tools CAEs and internal auditors can use to help guide the IT risk assessment process. Some of its tools are a set of clearly stated control objectives, ideas on how to test controls, and a scale for ranking the maturity of the IT control environment. The COBIT framework consists of four domains with a total of 34 IT processes: plan and organize (PO), acquire and implement (AI), deliver and support (DS), and monitor and evaluate (ME).

As with any best practice control framework, auditors should proceed with caution when using this framework. CAEs and internal auditors must understand and apply the framework’s concepts and guidance in their proper context. In other words, COBIT has been developed and refined over the last decade with the assistance of practitioners, academia, and different industries from around the globe. As a result, COBIT tends to have the look and feel of a framework that might work beautifully in a large organization with a sizable IT function, but may be equally challenging to work with in mid-size and small organizations.

Furthermore, the CAE and internal audit team must realize that simply because the IT function does not follow or adhere to the COBIT framework, this does not mean the IT function, its processes, or data is not controlled or managed

11 COBIT 3rd Edition, p. 1.
12 COBIT 4.1, p. 8.
IT Risks

Audit Area               Financial  Quality of  Changes in  Availa-  Integ-  Confiden-  Score  Level
                         Impact     Internal    Audit Unit  bility   rity    tiality
                                    Controls
                         L  I       L  I        L  I        L  I     L  I    L  I
HR/Payroll Application   3  3       3  2        3  3        2  2     2  3    2  3        40     H
IT Infrastructure        2  2       3  2        3  3        3  3     3  2    2  2        38     H
IT Governance Practices  1  1       2  2        1  1        3  1     1  1    1  2        12     L
Remote Connectivity      1  1       1  2        2  1        1  1     1  2    2  2        12     L
Mid point: 30
L = Likelihood, I = Impact
Table 3. Example of a completed risk assessment
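The composite score is the sum of the six per-category products (likelihood × impact), not a sum of likelihoods and impacts, and a reader who misreads it will not reproduce Table 3. The following Python is an added example, not part of the GTAG, that encodes the Table 1/2 scales, the Table 3 rows, and the Table 4 bands so the arithmetic can be checked and reused for an organization’s own audit universe. The category keys, the Rating class, and the function names are this example’s own choices; the rating values are those printed in Table 3.

```python
"""Composite IT risk scoring per the GTAG weighted-matrix approach.

Added example (not GTAG code). Per audit area:
  category score  = likelihood (1..3, Table 1) * impact (1..3, Table 2)
  composite score = sum of the six category scores, range 6..54
  level / cycle   = Table 4 band for the composite score
"""
from dataclasses import dataclass

# The six risk categories of Table 3 (names are this example's own keys).
CATEGORIES = (
    "financial_impact",
    "quality_of_internal_controls",
    "changes_in_audit_unit",
    "availability",
    "integrity",
    "confidentiality",
)

# Table 4: (low, high, composite risk level, recommended annual cycle)
BANDS = (
    (35, 54, "H", "Every 1 to 2 years"),
    (20, 34, "M", "Every 2 to 3 years"),
    (6, 19, "L", "Every 3 to 5 years"),
)

MIN_SCORE = len(CATEGORIES) * 1 * 1   # 6: every category rated L/L
MAX_SCORE = len(CATEGORIES) * 3 * 3   # 54: every category rated H/H


@dataclass(frozen=True)
class Rating:
    """One cell pair of Table 3: likelihood and impact, each 1 (L), 2 (M) or 3 (H)."""
    likelihood: int
    impact: int

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def composite_score(ratings: dict) -> int:
    """Sum of likelihood x impact over all six categories; refuse partial rows."""
    missing = set(CATEGORIES) - set(ratings)
    unknown = set(ratings) - set(CATEGORIES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    return sum(ratings[c].score for c in CATEGORIES)


def classify(score: int) -> tuple:
    """Map a composite score to its Table 4 level and review cycle."""
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    for low, high, level, cycle in BANDS:
        if low <= score <= high:
            return level, cycle
    raise AssertionError("Table 4 bands must cover 6..54")  # unreachable


def assess(universe: dict) -> list:
    """Score every audit area; return (area, score, level, cycle) rows, highest risk first."""
    rows = []
    for area, ratings in universe.items():
        score = composite_score(ratings)
        level, cycle = classify(score)
        rows.append((area, score, level, cycle))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def R(likelihood: int, impact: int) -> Rating:
    return Rating(likelihood, impact)


# Sample input: the four rows of Table 3, entered as (likelihood, impact) per category.
TABLE_3 = {
    "HR/Payroll Application":  dict(zip(CATEGORIES, [R(3, 3), R(3, 2), R(3, 3), R(2, 2), R(2, 3), R(2, 3)])),
    "IT Infrastructure":       dict(zip(CATEGORIES, [R(2, 2), R(3, 2), R(3, 3), R(3, 3), R(3, 2), R(2, 2)])),
    "IT Governance Practices": dict(zip(CATEGORIES, [R(1, 1), R(2, 2), R(1, 1), R(3, 1), R(1, 1), R(1, 2)])),
    "Remote Connectivity":     dict(zip(CATEGORIES, [R(1, 1), R(1, 2), R(2, 1), R(1, 1), R(1, 2), R(2, 2)])),
}

if __name__ == "__main__":
    for area, score, level, cycle in assess(TABLE_3):
        print(f"{area:<26} {score:>3}  {level}  {cycle}")
```

Running the module lists the four areas with the scores shown in Table 3 (40, 38, 12, 12) and the Table 4 cycle for each. Replacing TABLE_3 with an organization’s own ratings gives a ranked plan input; the validation in Rating and composite_score rejects out-of-scale values and partially rated rows rather than silently producing a plausible-looking number.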
GTAG — Formalizing the IT Audit Plan

6. Formalizing the IT Audit Plan

Defining the IT audit universe and performing a risk assessment are precursor steps to selecting what to include in the IT audit plan. While everything in the IT audit universe could be reviewed on a recurring basis if the availability of resources were unlimited, this is not the reality for most internal audit functions. Consequently, CAEs must create an IT audit plan within the constraints of the audit function’s operating budget and available resources.

6.1 Audit Plan Context
Figure 4 depicts the differences and challenges of moving from the risk assessment step to identifying the audits that will be included as part of the audit plan. In theory, each of these steps should be a separate and distinct effort because the objectives and focus are different. In the risk assessment, the objective is to understand risks in a relative context. Therefore, the major focus or driver of this effort is risk, while a major influencer may be resources. In defining the audit plan, the objective is to review high-risk areas through the allocation of available resources. As such, the driver is the resources and the influencer is the risks.

For most companies, these two steps are merged to some extent, as depicted in the overlap area of the two spheres representing each process in figure 4. For example, certain risks or auditable areas may be excluded from the risk assessment based on the level of resources that may be required to execute the audit. However, it is important to perform these steps in an objective manner, considering each step’s stated objective and driving forces.

In addition, the IT audit plan should be created as part of the internal audit function’s strategic planning process. This planning process should be cyclical and can be understood under the classical management cycle of “plan, do, check, and act.” Thus, while the plan is the key enabler to implement the process, it delineates how to reach audit objectives and goals. As a result, it should include a list of audit activities as well as the timing, dependencies, and resource allocation needed to reach audit goals.

Certain IIA standards describe the nature of internal audit services and provide quality criteria against which the performance of these services can be measured. More specifically, the 2000 series, Performance Standards for Managing the Internal Audit Activity, are relevant to the audit planning process:

Figure 4. Objectives for risk assessment and audit plan (Source: Ernst & Young 2007)
• IIA Standard 2010: Planning. The CAE should establish risk-based plans to determine the priorities of internal audit activities consistent with the organization’s goals.
• IIA Standard 2020: Communication and Approval. The CAE should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The CAE also should communicate the impact of resource limitations.
• IIA Standard 2030: Resource Management. The CAE should ensure that internal audit resources are appropriate, sufficient, and deployed effectively to achieve the approved plan.

6.2 Stakeholder Requests
Internal auditors should have ongoing discussions throughout the IT audit plan’s development with key stakeholders to better understand the business and the risks the organization faces. Through these discussions, insights on the business will be gathered along with concerns key stakeholders might have. This is also an opportunity to learn about special audit assurance and consulting services requests, referred to in this document as stakeholder requests.

Stakeholder requests may come from the board of directors, audit committee, senior managers, and operating managers. They should be considered during the audit planning phase based on the engagement’s potential to improve the overall management of risks and the organization’s control environment. These requests may be specific enough to determine the required resource allocation, or the allocation may be based on previous audit work. These engagements also can include fraud investigations that come up throughout the year and requests to review service providers. (The IIA Standard 2010.C1 provides information on consulting engagements.) CAEs, therefore, should consider accepting proposed consulting engagements based on their potential to improve risk management activities and add value to and improve the organization’s operations. Accepted engagements should be included in the IT audit plan.

… what audits will be performed and when, ensure adequate audit coverage is provided over this period of time, and identify audits that may require specialized external resources or additional internal resources. In addition, most organizations create a one-year plan, as a derivative of the multiyear plan, that outlines planned audit activities for the upcoming year.

Auditors can use one of two strategies to arrive at the ideal frequency of planned audit activities:13
• The audit frequency is established in an initial risk assessment that takes place every three to five years and is proportional to the risk level.
• The audit plan is based on a continuous risk assessment without a predefined audit frequency. Some organizations use this approach, which is especially appropriate within the context of the IT audit plan, given the higher rate of IT change as compared to changes in non-IT activities.

Table 5 shows criteria that can be used to determine frequency and resource allocation based on the results of the risk assessment. This process should be understood as a cyclical, repetitive, and iterative sequence of activities, integrating a top-down approach through at least three layers:
• Layer 1: The audit universe, where all the inputs are integrated.
• Layer 2: The individual business processes, where engagements should be identified and preliminarily planned.
• Layer 3: The audit engagements, where fine-tuning and plan optimization can be conducted.

Priority                                                  Frequency                                                             Resource Allocation
  H  Immediate action, usually within the first year      Annual reviews or multiple actions within the cycle                   High allocation
  M  Mid-term action within the audit cycle               One or several audit engagements within the cycle; could be postponed  Base allocation
Table 5. Criteria for frequency and resource allocation by priority
In addition to frequency, other factors should be considered when defining the audit plan:
• Internal audit sourcing strategies. Different sourcing or staff augmentation strategies are common practices in the industry, including hiring internal staff, outsourcing, and co-sourcing, which should be considered during the annual planning process.
• Estimated available IT audit resources. This consists of a technical skills inventory of current staff that is mapped to IT audit plan needs. The availability of resources usually is established on an annual basis and is based on the number of full-time equivalent auditors and the skills required. Available audit days are the net of possible audit days minus nonaudit activities and exception time, such as training, vacation, and holidays.
• Board and management requests included in the plan and related to control assurance or consulting services.
• The organization’s regulatory and compliance requirements. These should be included in the audit universe and risk assessment.
• External audits that should be synchronized with the audit plan. IIA Performance Standard 2050 establishes that the CAE should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
• Internal initiatives and efforts to improve the audit function. Any effort beyond audit engagements that represents an investment of effort should be planned, budgeted, and reflected in the audit plan. Examples include quality assurance reviews, integrated risk assessments, audit committee reporting tasks, and audit recommendation follow-ups.
• A contingency IT audit budget and plan for reasonable coverage of unplanned situations.

… well as estimated efforts in terms of their timeframe for completion and resources.
4. The plan should be prioritized based on:
 a. Dates and results of the last audit engagement.
 b. Updated assessments of risks and effectiveness of risk management and control processes.
 c. Requests by the board and senior management.
 d. Current issues relating to organizational governance.
 e. Major changes in the business, operations, programs, systems, and controls.
 f. Opportunities to achieve operating benefits.
 g. Changes to and capabilities of the audit staff. (Work schedules should be sufficiently flexible to cover unanticipated demands on the internal audit activity.)

6.5 The IT Audit Plan Content
The content of the IT audit plan should be a direct reflection of the risk assessment described in previous sections. The plan also should have different types of IT audits, for example:
• Integrated business process audits.
• Audits of IT processes (e.g., IT governance and strategy audits, as well as audits of the organization’s project management efforts, software development activities, policies and procedures, COBIT/ISO/ITIL processes, and information security, incident management, change management, patch management, and help desk activities).
• Business projects and IT initiative audits, including software development life cycle (SDLC) reviews.
• Application control reviews.
• Technical infrastructure audits (e.g., demand management reviews, performance reviews, database assessments, operating system audits, and operations analyses).
• Network reviews (e.g., network architecture reviews, penetration testing, vulnerability assessments, and performance reviews).
6.6 Integration of the IT Audit Plan
One key aspect of the planning process is to determine the integration level of the IT audit plan with non-IT audit activities in the audit department. As explained in section 4.8, auditors need to determine which audit group will be responsible for the planning and oversight of business application audits. This discussion could be extended to include all IT components. For instance, will the IT audit plan be presented and executed on a stand-alone basis, or will IT audit subjects be integrated with business areas? Answers to these questions should be based on the internal audit department’s function as well as its staff, size, geographical distribution, and management approach. A range of integration scenarios could be considered, from a low-integration scenario where the IT audit function is well-defined and established within the internal audit department (i.e., with its own IT audit universe and scope) to a fully integrated audit approach where all IT components are understood under each business segment.

Table 6 illustrates scenarios based on different options to integrate the IT audit plan. These scenarios are:
• A low-integrated plan. This is a stand-alone IT audit plan under the responsibility of the IT audit team. A low-integrated plan is organized by IT subject areas, is generally isolated from non-IT audit activities, and includes the review of applications. Non-IT audit activities generally do not include any of the IT components within their scope.
• A partially integrated audit plan, which outlines IT audit engagements that are established by a core IT audit team. These plans provide an additional set of planned engagements, generally referred to as application reviews, which are distributed across other non-IT audit teams and coordinated with other business process reviews.
• A highly integrated audit plan, where IT audit activities are incorporated as part of business process engagements. Often, IT audit activities are planned under the responsibility of a multidisciplinary team that has a balanced skill set, including IT audit expertise.

Given that a system of internal control typically includes manual and automated controls, with increasing reliance on application controls, the ability to scope an audit that covers all controls is essential in providing a holistic assessment of the control environment. A complete business audit, including a review of all IT components, provides the opportunity to evaluate whether there is an appropriate combination of controls to mitigate business risks.

6.7 Validating the Audit Plan
Unfortunately, there is no direct test that can be performed to validate whether the right and most effective audit plan exists. Therefore, auditors need to establish criteria to evaluate the plan’s effectiveness in meeting its objectives. As discussed earlier, the plan should consist of risk-based audits, mandated audit areas, and management requests for assurance and consulting services. Because one of the objectives of the planning phase is to allocate resources to the areas where the department can add the most value to the organization and to the highest-risk IT areas, auditors should determine how the plan reflects this objective.

The chart in figure 5 depicts the plan’s target. According to this chart, if all audit subjects and engagements are plotted based on their risk likelihood and impact, audits should be reflected in all chart quadrants. The bolded box represents the ideal selection of audits and engagements, so
that the largest majority of the plan consists of audits from In addition, auditors need to consider the specific source
the highest-risk quadrant with the balance proportionally of the change. For instance, frequent changes in the IT audit
selected from medium- and low-risk quadrants. Furthermore, plan could be the result of:
some of the audits in the plan should deal with compliance • Changes in strategic, organizational, or human
and mandated areas. Consequently, auditors should note that resources.
while there are valid reasons for including low-risk audits • New business process initiatives involving the use of
in the plan, alternative audit approaches such as control high-risk technology, such as e-commerce.
self-assessments should be considered to limit the resources • Major changes in applications, such as the use of a
required to complete the review. new Web application version.
• Critical administration and support software
packages.
6.8 The Dynamic Nature of the IT Audit Plan • Network and infrastructure threats and vulnerabili-
As technology continues to change, so does the arrival of ties that lead to a reassessment of information security
new and potential risks, vulnerabilities, and threats to the management activities.
company. In addition, technological changes may prompt a
new set of IT goals and objectives, which in turn leads to As a consequence, periodic reassessments of IT audit plan
the creation of new IT initiatives, acquisitions, or changes priorities should be conducted and, if needed, reported to the
to meet the organization’s needs. An important point to board and senior management on a more frequent basis as
consider when drafting the audit plan, therefore, is the orga- compared with other more traditional and static audit topics.
nization’s dynamic nature and its ongoing changes. More The IT audit function also must analyze changes in the IT
specifically, auditors need to consider the higher rate of IT audit universe and have the flexibility to adjust the plan to
change compared to changes in non-IT activities, the appro- the new conditions. Furthermore, the plan should be reas-
priate timing of a system’s SDLC phases, and the results of sessed periodically, and greater flexibility is needed to react
SDLC audits. to changes in the business and IT environments by adjusting
the ranking and prioritization of planned audits. Finally, it is
Targeted Result
Mandated Risk Assessed
H
Audit Resources
High
Risk Impact
Total
Audit
Universe
Consider alternative
audit approach
Low
L Likelihood H
20
GTAG — Formalizing the IT Audit Plan
important for the plan to link each element of the IT audit It is also important for the IT component of the internal
universe to one of the following SDLC phases: feasibility audit plan or the IT audit plan to be discussed with senior
study, analysis, design, implementation, testing, evaluation, management and the board as well as key IT stakeholders,
and maintenance and production. such as the chief information officer, the chief technology
The value added provided by an internal audit function officer, IT managers, business applications owners, and other
depends highly on the quality of its recommendations and employees with similar roles. The input received from these
the benefit that the company obtains from their imple- stakeholders is paramount to the success of the audit plan-
mentation. Often there are direct benefits from addressing ning exercise and will enable CAEs and internal auditors to
monetary compliance issues. However, there may be an indi- better understand the business environment, identify risks
rect benefit to help enhance the organization’s reputation, and concerns, and select audit areas. Furthermore, dialogue
competitive advantage, maturity of business processes, and on the final plan will help to validate the stakeholders’ input
innovation. throughout the process and provide a preview of upcoming
One of the main attributes of audit recommendations that activities.
affect their value added is timing. This attribute is especially When discussing the IT audit plan, internal auditors should
relevant during the entire life cycle of IT applications. In do so in a manner that is supported by key IT executives,
general, the earlier in the software’s life cycle a weakness managers, and staff. Gaining the IT team’s understanding,
or risk is identified, the higher the added value of audit coordination, and support will make the audit process more
recommendations. For example, the cost of implementing effective and efficient. In addition, understanding the plan
a structural change to address a critical application weak- facilitates an open and continuing dialogue where evolving
ness is substantially greater once the system is in production risks and changes to the operating environment can be
compared to addressing the same weakness at the design discussed throughout the plan’s life cycle and adjustments are
phase. made on an ongoing basis. Interaction with the clients when
Besides the added value stemming from audit recommen- conducting the risk assessment and prior to the final plan’s
dations, the internal auditor’s reputation is improved in approval is critical to ensure the plan’s overall quality.
terms of his or her professionalism. The challenge for the IT
audit function then becomes how to plan activities to deliver
the appropriate type of audit recommendations within the
optimal life cycle timeframe. As a rule, the planning strategy
must be performed prior to the beginning of the entire cycle,
so that appropriate activities are planned in terms of time
and resources.
It is critical for the IT audit plan to balance audit activities
throughout the entire life cycle, such as avoiding a concen-
tration of audit efforts on the maintenance and production
phase and having adequate coverage during the early stages.
By following these recommendations, organizations will be
able to move from a traditional and post-mortem planning
strategy (i.e., one that is based mostly from an operational,
compliance, and financial approach) to one that is more
innovative, adds value, and is more consultative in nature.
14
Internal Auditing: Assurance & Consulting Services (2007) by
Kurt F. Reding, et al, ISBN 978-0-89413-610-8, pp. 8–11.
21
GTAG — Appendix: Hypothetical Company Example

[Table: IT audit universe by audit unit and subject. Rows recoverable from the extracted text: Corporate: Corporate privacy compliance; Corporate: Database administration and security.]

To aid in the analysis, a range is selected that indicates a relative risk ranking of high, medium, and low, as follows:

[Table: IT risk assessment by audit unit and area. IT risk columns: financial impact, quality of internal controls, changes, availability, integrity, and confidentiality, each rated for likelihood (L) and impact (I), followed by a total score and risk level. L = Likelihood; I = Impact.]

Once risk assessment results are available, the next step is to formalize the audit plan. As discussed in section 6, the audit plan consists of risk-driven audit projects, mandatory compliance reviews, stakeholder requests, and follow-up audits of previously identified significant issues. Because these tasks need to be completed using available internal audit resources, some risk-driven audit projects might not be incorporated in the plan.
Continuing with the hypothetical company example, the board has asked the IT department to be involved in the coordination of an external infrastructure penetration test, and operating management has requested assurance that Sarbanes-Oxley management testing is sustained throughout the organization. In addition, the IT function asked the internal audit department to be involved with an ITIL deployment project to identify whether service delivery processes are effective and cover all risks.
These stakeholder requests are accepted because they fit with the mission of the internal audit department and will be added automatically to the audit plan. Furthermore, there was a significant segregation of duties issue identified in the previous year's procurement process audit, so a follow-up review will be added to the plan to ensure agreed-upon remediation efforts are progressing as planned. In the compliance area, compliance with the new corporate policy on protecting personal data for privacy will be included because there are plans to transmit personal data between non-U.S. facilities and the U.S. corporate headquarters.
The company has an IT audit staff of five auditors, or approximately 1,000 available days for engagements after considering exception time and training. Based on the risk assessment of available audit subjects, mandatory activities, and stakeholder requests, the most effective audit plan is shown in table 11. Several high-risk subjects were not included in the plan (e.g., treasury electronic funds transfer (EFT) systems, process control systems, and database administration and security) because they were reviewed in the last 12 months.
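As an added example that is not part of the GTAG, the following Python scores audit subjects the way the appendix risk table lays them out (likelihood and impact per risk factor), builds a plan within the available days with mandated items entering automatically and subjects reviewed in the last 12 months deferred, and reports the risk-level distribution that section 6.7 says to check against the figure 5 target. All subject names, day counts, ratings, and scoring thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Risk factors mirror the column headings of the appendix risk table; each is
# rated for likelihood (L) and impact (I) on a constructed 1..5 scale.
FACTORS = ("financial_impact", "quality_of_internal_controls", "changes",
           "availability", "integrity", "confidentiality")
MAX_SCORE = len(FACTORS) * 25  # every factor rated L=5, I=5

@dataclass
class Subject:
    name: str
    days: int                             # estimated engagement effort
    ratings: Dict[str, Tuple[int, int]]   # factor -> (L, I)
    mandated: bool = False                # compliance item or stakeholder request
    months_since_last_audit: int = 99     # 99 = never audited

def risk_score(s: Subject) -> int:
    """Sum of L x I over the rated factors (0..MAX_SCORE)."""
    return sum(l * i for l, i in s.ratings.values())

def risk_level(score: int) -> str:
    """Constructed thresholds: top third of the range is high, middle third medium."""
    if score >= 2 * MAX_SCORE // 3:
        return "high"
    return "medium" if score >= MAX_SCORE // 3 else "low"

def build_plan(subjects: List[Subject], available_days: int, recent_months: int = 12):
    """Mandated items enter automatically; risk-driven items follow in score order.
    Subjects reviewed within recent_months are deferred, as in the appendix."""
    plan, deferred, remaining = [], [], available_days
    ranked = sorted(subjects, key=lambda s: (not s.mandated, -risk_score(s)))
    for s in ranked:
        if not s.mandated and s.months_since_last_audit < recent_months:
            deferred.append((s.name, "reviewed in last %d months" % recent_months))
        elif s.days > remaining:
            deferred.append((s.name, "insufficient days"))
        else:
            plan.append(s)
            remaining -= s.days
    return plan, deferred, remaining

def coverage(plan: List[Subject]) -> Dict[str, int]:
    """Planned audits per risk level: section 6.7 expects most in the high quadrant."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for s in plan:
        counts[risk_level(risk_score(s))] += 1
    return counts

# Constructed sample universe: names echo the appendix, all figures are invented.
SAMPLE = [
    Subject("Treasury EFT systems", 120, {f: (5, 5) for f in FACTORS}, months_since_last_audit=6),
    Subject("ERP change management", 150, {f: (4, 5) for f in FACTORS}),
    Subject("Database administration and security", 100, {f: (4, 4) for f in FACTORS}, months_since_last_audit=9),
    Subject("Privacy policy compliance", 90, {f: (3, 4) for f in FACTORS}, mandated=True),
    Subject("Procurement SoD follow-up", 60, {f: (3, 3) for f in FACTORS}, mandated=True),
    Subject("Help desk ticketing", 50, {f: (2, 2) for f in FACTORS}),
]
```

A coverage result where "high" is not the largest count is the signal that low-risk subjects should be moved to an alternative approach such as control self-assessment, freeing days for the high-risk quadrant.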
GTAG — Glossary of Terms
Networks: Physical devices, such as switches, routers, firewalls, and wiring, and the programs that control the routing of data packets to link computers and enable them to communicate with each other.
Third party: An entity that is not affiliated with the organization.

GTAG — Glossary of Acronyms
9. Glossary of Acronyms
CAE: Chief audit executive
GTAG — About the Authors
10. About the Authors

Kirk Rehage
Kirk Rehage is the group manager of IT auditing for Chevron Corp., a member of The IIA's Advanced Technology Committee and ISACA, and term governor for the North California East Bay IIA Chapter. As IT audit group manager, Rehage is responsible for the Internal Audit Department's IT assurance and controls consulting activities in more than 180 countries.
Rehage has more than 30 years of energy industry experience and has held a variety of roles delivering IT services, such as building computing infrastructure and network environments, managing application delivery organizations, and technical programming of engineering and earth science analytical software and database solutions.

Steve Hunt, CIA, CISA, CBM
Steve Hunt is a senior manager in the risk consulting group of Crowe Horwath LLP, vice chair of The IIA's Advanced Technology Committee, and a member of ISACA and the Association of Professionals in Business Management. At Crowe Horwath, Hunt works with Fortune 1000, mid-sized, and small-market companies in different industries, directing the delivery of financial, operational, and IT risk management engagements.
Hunt has more than 20 years of experience working in different industries, including accounting, internal auditing, and management consulting. More specifically, he has performed in-depth Sarbanes-Oxley compliance audits and other internal and external audits, and participated in business process reengineering projects and business development initiatives. He also has several years of experience configuring SAP R/3 applications and application security and business process controls and has been a featured speaker at several universities and organizations in the United States.

Nikitin is a member of The IIA's Advanced Technology Committee, a board member of ISACA's Government and Regulatory Agencies Board, and a contributor to the National Institute of Technology of India. He is also a former president of ISACA Montevideo's Uruguay Chapter, co-founder of the Project Management Institute's Uruguay Chapter, and a member of the International Information Systems Security Certification Consortium. Nikitin earned his MBA degree from EOI Business School in Madrid, Spain.

Reviewers
The IIA thanks the following individuals and organizations that provided valuable comments and added great value to this guide:
• Professional Practices Committee:
  ◦ Advanced Technology Committee
  ◦ Board of Regents
  ◦ Committee on Quality
  ◦ Internal Auditing Standards Board
  ◦ Professional Issues Committee
  ◦ Ethics Committee
• Urton Anderson, McCombs School of Business, The University of Texas at Austin, USA
• Lily Bi, The IIA, USA
• Larry Brown, The Options Clearing Corp., USA
• Faisal R. Danka, London, UK
• Christopher Fox, ASA, eDelta, New York, USA
• Nelson Gibbs, Deloitte & Touche LLP, USA
• Frank Hallinan, Chevron Phillips Chemical Co. LP, USA
• Greg Kent, SecureIT, USA
• Lemuel Longwe, Ernst & Young Chartered Accountants, Zimbabwe
• Steve Mar, Resources Global, USA
• Tom Margosian, Ford Motor Company, USA
• James Reinhard, Simon Property Group Inc., USA
GTAG 11: Developing the IT Audit Plan
Due to the high degree of organizational reliance on IT, it is crucial that chief audit executives (CAEs)
understand how to create an IT audit plan as well as determine the frequency of audits and the breadth
and depth of each audit. However, results from several Institute of Internal Auditors (IIA) external quality
assessment reviews reveal that developing an appropriate IT audit plan is one of the weakest links in internal
audit activities. Many times, internal auditors simply review what they know or outsource to other companies,
letting them decide what to audit.
To this end, Developing the IT Audit Plan can help CAEs and internal auditors:
• Understand the organization and how IT supports it.
• Define and understand the IT environment.
• Identify the role of risk assessments in determining the IT audit universe.
• Formalize the annual IT audit plan.
This GTAG also provides an example of a hypothetical organization to show CAEs and internal auditors how
to execute the steps necessary to define the IT audit universe.
We’d like your feedback! Visit the GTAG 11 page under www.theiia.org/gtags to rate this Practice Guide and
submit your comments.
978-0-89413-624-5
www.theiia.org