
The IIA toolbox

www.theiia.org
Agenda

1. International Professional Practices Framework (IPPF)
2. The Professional Issues Committee (PIC)
3. IIA Guidance
4. The GTAGs!
5. Questions
www.theiia/guidance/ippf.org
Who am I?

Background
• Worked in auditing since 1997 (Dipl. IR, CIA, CCSA, CISA)

Education
• Master of Management from BI (among others)

Position
• Senior Audit Manager in Group Internal Audit (GIA) - Nordea
International Professional Practices Framework

AUTHORITATIVE Guidance

The Professional Issues Committee (PIC)

Should:

1. Provide thought leadership and timely professional guidance to the members and stakeholders.
2. Comment on or support other matters that impact the internal audit profession.

Scope

PIC has primary responsibility for:

• Strongly Recommended guidance of the IPPF
• Drafting responses on behalf of the IIA to other guidance, standard setting, regulatory, and similar bodies
• Other guidance or tools not included in the IPPF, but made available to the IIA’s global membership.

IIA Guidance

www.globaliia.org/standards-guidance
Practice Guides

1. Practice Guides — General
2. Practice Guides — GTAG®
3. Practice Guides — GAIT

Practice Guides — General

1. Quality Assurance and Improvement Program
2. Coordinating Risk Management and Assurance
3. Reliance by Internal Audit on Other Assurance Providers
4. Independence and Objectivity
5. Interaction with the Board
6. Auditing the Control Environment
7. Assisting Small Internal Audit Activities in Implementing the IPPF
8. Assessing the Adequacy of Risk Management Using ISO 31000
9. Measuring Internal Audit Effectiveness and Efficiency
10. Chief Audit Executives — Appointment, Performance, Evaluation, and Termination
11. Auditing Executive Compensation and Benefits
12. Evaluating Corporate Social Responsibility/Sustainable Development - Formulating and Expressing Internal Audit Opinions
13. Auditing External Business Relationships
14. Internal Auditing and Fraud
Global Technology Audit Guide (GTAG) series

Background:

• Created to provide high-level technology information from a business point of view.
• Help internal auditors worldwide better understand the different governance, risk and control issues surrounding technology.

Global Technology Audit Guide (GTAG) series

• Written in straightforward business language
• Address a timely issue related to information technology (IT) management, control, and security.

Who is the GTAG target audience?

Primary target - Chief Audit Executive (CAE)

• Many CAEs face the challenge of understanding technology, which is necessary to plan and conduct internal audits.
• Given the broad responsibility of CAEs, the GTAG series provides them with a high-level overview of risk management and control related to IT.

GTAG is practically invaluable to busy executives who need to quickly understand technology issues and evaluate the impact on their organization.

GTAG-1
Information Technology Risk and Controls (New edition)

It covers:
• Understanding of IT risks and controls
• Importance of IT controls
• Organizational roles and responsibilities for ensuring IT controls
• Analyzing risks
• Monitoring and techniques
• IT risk and control assessment

GTAG-2
Change and Patch Management Controls: Critical for Organizational Success (New edition)

It covers:
• Why IT change and patch management controls are foundational to a healthy IT environment
• How IT change and patch management controls help manage IT risks and costs
• What works and doesn’t work in practice
• Describes sources of change and the likely impact on business objectives
GTAG-3 (Update Coming Soon)
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

It covers:
• Role of continuous auditing in today’s internal audit environment
• Relationship of continuous auditing, continuous monitoring, and continuous assurance
• The application and implementation of continuous auditing
• Benefits of a continuous, integrated approach

GTAG-4 (Update Coming Soon)
Management of IT Auditing

It covers:
• Defining IT
• IT-related Risks
• Defining IT Audit Universe
• Executing IT Auditing
• Managing IT Auditing
• Emerging Issues

GTAG-5 (Update coming soon)
Managing and Auditing Privacy Risks

It covers:
• What is Privacy
• Privacy Principles and Frameworks
• Privacy Impacts and Risk Model
• Privacy Controls
• Good and Bad Performers
• Internal Auditing's Role
• Auditing Privacy
• CAE's Top 10 Privacy Questions

GTAG-6 (To be merged with GTAG 4)
Managing and Auditing IT Vulnerabilities

It covers:
• Define the vulnerability management lifecycle
• The scope of a vulnerability management audit
• Organizational maturity
• Metrics to measure vulnerability management practices
• Top 10 vulnerability management questions

GTAG-7 (Update coming soon)
Information Technology Outsourcing

It covers:
• How to choose the right IT outsourcing vendor?
• What are the best ways to manage outsourcing contract agreements?
• What are the main outsourcing risks and how to mitigate them?
• What are the key outsourcing control considerations from the standpoints of both client operations and service provider operations?
• Which is the most effective framework for establishing outsourcing controls?

GTAG-8
Auditing Application Controls

It covers:
• What is application control?
• What is the relationship between application control and general controls?
• Why rely on application controls?
• How to scope a risk-based application control review?
• What are the steps to conduct an application controls review?
• A list of key application controls
• A sample audit program

GTAG-9
Identity and Access Management

It covers:
• Provide insight into what IAM means to an organization.
• Suggest internal audit areas for investigation
• Assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes
• Provide a checklist for IAM review

GTAG-10
Business Continuity Management

It covers:
• Provide help to the CAE in communicating business continuity risk awareness
• Support management in its development and maintenance of a BCM program.
• Disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

GTAG-11
Developing the IT Audit Plan

It covers:
• Understanding the organization and how IT supports it.
• Define and understand the IT environment.
• Identify the role of risk assessments in determining the IT audit universe
• Establishing the annual IT audit plan
• An example to show how to execute the steps necessary to define the IT audit universe.

GTAG-12
Auditing IT projects

It covers:
• Key project management risks.
• How the internal audit activity can actively participate in the review of projects while maintaining independence.
• Five key components of IT projects for internal auditors to consider when building an audit approach.
• Types of project audits.
• A suggested list of questions for use in the IT project assessment.

GTAG-13
Fraud Prevention and Detection in an Automated World

It covers:
• Guidance to chief audit executives and internal auditors on how to use technology to help prevent, detect, and respond to fraud.
• A step-by-step process for auditing a fraud prevention program.
• An explanation of the various types of data analysis to use in detecting fraud
• A technology fraud risk assessment template

GTAG-14
Auditing User-developed Applications (UDAs)

It covers:
• Direction on how to scope an internal audit of UDAs.
• Guidance for how the internal auditor’s role as a consultant can be leveraged to assist management with developing an effective UDA control framework.
• Considerations that internal auditors should address when performing UDA audits.
• A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.

GTAG-15
Information Security Governance (ISG)

It covers:
• Defining ISG.
• A process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan
• Helping internal auditors understand the right questions to ask and know what documentation is required.
• Describing the internal audit activity’s (IAA) role in ISG.

GTAG-16
Data Analysis Technologies

It covers:
• Understand why data analysis is significant.
• Know how to provide assurance more efficiently with the use of data analysis technology.
• Implementing data analysis technology within your department.
• Know how to incorporate data analysis at your organisation.
• Recognize opportunities, trends, and advantages of making use of data analysis technology.

How to get GTAG?

• Free download of the electronic copy from the IIA website (for members): www.theiia.org
• Or purchase from the IIA Bookstore

QUESTIONS
