In 1995, the British Standards Institution (BSI) published British Standard (BS) 7799, a widely adopted set of
best practices that help organizations implement an effective information security management system (ISMS)
and establish security controls for specific business areas. In October 2005, the requirements part of the
standard (BS 7799-2) was adopted by the International Organization for Standardization (ISO) and published,
jointly with the International Electrotechnical Commission (IEC), as ISO/IEC 27001:2005. As a result,
implementing the standard, now commonly referred to simply as ISO 27001, has become a major focus of
attention for European-based companies and those working in the region.
Depending on the organization's size, the nature of its business, and the maturity of its processes,
implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of
senior management. In addition, because of its emphasis on data security, many internal auditors perceive the
standard to be focused solely on technology and recommend that IT departments comply with its requirements
without understanding the time and resources compliance demands. ISO 27001 is, however, a management-system
standard: its requirements cover security policy, risk assessment and treatment, management review, and
continual improvement as much as technical controls, so compliance cannot be delegated to IT alone. To
ensure across-the-board acceptance and success, initial analysis and planning are vital. Because internal
auditors are in an ideal position to add value to an organization's IT processes, they can help IT
departments lay the groundwork for an effective and efficient ISO 27001 implementation strategy during
the initial planning phase. This will help companies better align their IT processes with the standard's
requirements and sustain long-term compliance.
Implementing ISO 27001 can take time and consume unforeseen resources, especially if a company has no
implementation plan early in the compliance process. To strengthen compliance efforts, internal auditors can
help companies identify their primary business objectives and their implementation scope. Auditors should work
with IT departments to determine the current compliance maturity level and analyze the compliance effort's
return on investment. These steps can be carried out by a team of staff members or by external consultants who
have prior experience implementing the standard. External consultants should work in collaboration with an
internal team of representatives from the company's major business units. Each recommendation is described
below.
Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary
business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be
derived from the company's mission, strategic plan, and existing IT goals and may include:
• Ensuring effective risk management, such as identifying information assets and conducting accurate
risk assessments.
• Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive
information.
• Preserving the organization's reputation and standing among industry leaders.
• Providing assurance to customers and partners about the organization’s commitment to protecting
data.
• Increasing the company's revenue, profitability, and savings in areas where protective controls operate
well.
The standard also emphasizes compliance with contractual obligations, which might be considered another
key business objective. For instance, for an online banking division, implementing the standard would provide
customers and partners greater assurance that risks stemming from the use of information systems are
managed properly.
Identifying the scope of implementation can save the organization significant money and time. In many
instances, it is not necessary to adopt the standard companywide. The scope of compliance can be restricted
to a specific division, business unit, type of service, or physical location, provided the boundaries of the
ISMS and the justification for any exclusions are documented, as the standard requires. Once compliance has
been achieved for a limited but relevant scope, it can be expanded to other divisions or locations.
Choosing the right scope is one of the most important factors throughout the compliance cycle, because it
affects the feasibility and cost of the standard's implementation and the organization's return on investment.
As a result, it is important for the selected scope to help achieve the identified business objectives. To do this,
the organization may evaluate different scope options and rank them based on how well they fit with each
objective.
Organizations also may want to sign memorandums of understanding (MOUs) or service level agreements
(SLAs) with vendors and partners to achieve a form of indirect compliance with the standard. For example, a
garment manufacturer may contract a software provider for application maintenance and upgrades. The
manufacturer then does not have to operate the system development life cycle controls for that application
itself, as long as its MOU or SLA specifies the security requirements the vendor must meet. The arrangement
does not transfer accountability, however: the manufacturer still owns the risk, must include the outsourced
process in its risk assessment, and should retain a means of verifying the vendor's performance, such as a
right-to-audit clause or periodic review of the vendor's own certification and evidence.
Finally, the organization's overall scale of operations is an important factor in determining how complex the
compliance process will be. To establish the scale of operations, organizations need to consider their number
of employees, business processes, work locations, and products or services offered.
When assessing the organization's compliance maturity level, auditors should determine whether the
implementation team is able to answer questions such as the following:
Is there a management review of the risk assessment and risk treatment plans?
Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of
the organization's ISMS management review, and again whenever significant changes occur in the
organization, its technology, its business processes, or the threats it faces.
The Summit County Internal Audit Department (IAD) consists of auditors and staff who are County
employees, all of whom report to the Summit County Audit Committee as mandated by Article X of the
Summit County Charter.
Anyone within the County can request an audit, especially if they suspect that fraudulent or questionable
activity is occurring in their area. All requests will be evaluated, and the Summit County Internal Audit
Department will determine whether an investigation or review is warranted. To request an audit, contact
Internal Audit at 330-643-2504 or by email at tfretz@summitoh.net.
Tests are carried out to check that controls are adequate and are operating effectively. This may
require sampling, observing work being performed, reviewing notes of meetings and holding
discussions.
We will then meet again with the designated management lead assigned to oversee the audit to
discuss our findings and any recommendations we wish to make in the report.
After this meeting, a draft report is produced. The report includes an action plan that summarizes
the recommendations, the agreed actions and timeframes for implementation.
Management will be asked to comment on the factual accuracy of the report before it is finalized.
As all the findings will have been discussed before the report was produced, there should not be
any surprises in what it says.
11) What are internal controls?
Internal controls are processes within a department or organization that are designed to provide
reasonable assurance regarding the achievement of the following objectives:
Internal controls help assure that operations are conducted according to plan. They are tools used
every day by managers, from the unit level to the Officeholders, Judges, Executive Directors, and
Superintendents of the County, and include written policies and procedures, organizational design,
and physical barriers.
Through careful design, internal controls can help your department operate efficiently and effectively
and provide a reasonable level of assurance that the processes, services, or products for which you
are responsible are adequately protected.
In short, a control is any action taken by the administration/management to enhance the likelihood
that established objectives and goals will be achieved. Implementation of internal controls is the
prime responsibility of County administrators and supervisors.
12) What is management's responsibility regarding internal controls?
Management is responsible for ensuring that internal controls are established and functioning to
achieve the missions and objectives of their department. Management must respond to any changes
that may cause the effectiveness of a control to deteriorate by creating additional controls or altering
existing controls to protect against loss.
15) What is the difference between an internal audit and the annual external audit?
External audit is a statutory requirement that checks whether the County's accounts present a true and
fair view of its financial position. The internal auditors report to the Audit Committee on the control
systems used within the County and should have a more detailed knowledge of those systems than is
required for external audit. Because the differences between the internal and external auditors can be
confusing, in Summit County the two have an agreed understanding of how to work together, detailed
below. This approach includes:
>Regular meetings
>Sharing planning information
>Consulting each other on risk assessments
>Where appropriate, consulting on audit testing programs
>Sharing audit findings
16) What is the Audit Committee's role with respect to its Internal Audit Department and the external
financial audit?
The County’s Audit Committee has a role in measuring our effectiveness. This includes:
>Approving our plans;
>Approving our budget;
>The provision of internal audit resources;
>The appointment of the Director of Internal Audit;
>Approving audit reports;
>Following up previous audit recommendations.
External audit's report to the Audit Committee includes a management letter and the A-133 (Single Audit)
report of findings. External audit may also attend the meetings of the Audit Committee so that the
Committee can take a broad view of audit activity in the County.
17) Does Internal Audit have any role producing the County's financial statements?
We have no statutory role in auditing financial statements. External audit is required to give an
opinion on the County’s audited financial statements.
18) What are the roles of external audit and Internal audit regarding compliance with
laws and regulations?
Through our risk-based approach, we consider controls in respect of legal requirements, as well as
requirements by other bodies and the County’s own rules and regulations.
19) What information should the County's government units provide to internal audit
regarding any new systems development?
We should be advised of all significant new systems being developed and will select those which we
wish to be involved with in order to assist with a successful implementation.
20) What safeguards does Internal Audit provide regarding fraud, and how does external audit
utilize them?
Our work is designed and conducted to consider how well the controls prevent and detect fraud. In
addition, fraud is considered as a routine risk when planning audit work. We may also be involved in
any specific fraud investigations. External auditors consider our work in relation to fraud when
assessing the risk of material misstatement in the financial statements.